Collect OCSF logs
This document describes the supported event types for OCSF logs and how log fields map to Google SecOps Unified Data Model (UDM) fields.
An ingestion label identifies the parser which normalizes raw log data to structured UDM format. The information in this document applies to the parser with the OCSF ingestion label.
Supported OCSF log formats
The OCSF parser supports logs in JSON format.
Supported OCSF Sample Logs
JSON:

```json
{
  "activity_id": 1,
  "activity_name": "Logon",
  "certificate": { "created_time": 1602175307000, "expiration_time": 1602175307000, "issuer": "dummy", "serial_number": "1234567", "subject": "user", "version": "1" },
  "auth_protocol": "NTLM",
  "auth_protocol_id": 1,
  "category_name": "Audit Activity",
  "category_uid": 3,
  "class_name": "Authentication",
  "class_uid": 3002,
  "device": {
    "hostname": "dummy_hostname",
    "hw_info": { "bios_manufacturer": "bios_manufacturer", "cpu_cores": 42, "cpu_speed": 4200, "cpu_type": "x86 Family 6 Model 37 Stepping 5", "ram_size": 2048, "serial_number": "serial123" },
    "location": { "coordinates": [ -73.983, 40.719 ], "city": "city", "country": "country", "region": "region" },
    "os": { "name": "Windows", "type": "Windows", "type_id": 100 },
    "type": "Unknown",
    "type_id": 2
  },
  "dst_endpoint": {
    "hostname": "dummy_hostname",
    "domain": "dummy@domain.com",
    "uid": "123456789",
    "ip": "198.51.100.4",
    "intermediate_ips": [ "198.51.100.5", "198.51.100.6" ],
    "mac": "47-1E-10-E7-2B-D0",
    "port": 420,
    "location": { "coordinates": [ -73.983, 40.719 ], "city": "city", "country": "country", "region": "region" }
  },
  "actor": {
    "process": {
      "created_time": 1538087851000,
      "parent_process": { "cmd_line": "actor_parent_process_cmd_line" },
      "file": { "name": "-", "path": "-", "type": "Regular File", "type_id": 1, "accessed_time": 1538087851000, "created_time": 1538087851000, "modified_time": 1538087851000, "mime_type": "actor_file_type", "size": 45 },
      "pid": 0,
      "cmd_line": "actor_process_cmd_line",
      "uid": "456"
    },
    "session": { "uid": "0x0" },
    "user": { "account_type": "Windows Account", "account_type_id": 2, "domain": "-", "name": "-", "uid": "NULL SID" }
  },
  "logon_type": "Network",
  "logon_type_id": 3,
  "message": "An account failed to log on.",
  "metadata": {
    "original_time": "10/08/2020 12:41:47 PM",
    "product": { "feature": { "name": "Security" }, "name": "Microsoft Windows", "vendor_name": "Microsoft" },
    "profiles": [ "host" ],
    "uid": "a738d6e6-4ebd-49bb-805e-45d0604a1bef",
    "version": "1.0.0-rc.2"
  },
  "severity": "Informational",
  "severity_id": 1,
  "src_endpoint": {
    "hostname": "dummy_hostname",
    "domain": "dummy@domain.com",
    "ip": "198.51.100.4",
    "intermediate_ips": [ "198.51.100.5", "198.51.100.6" ],
    "mac": "00:1b:63:84:45:e6",
    "port": 420,
    "location": { "coordinates": [ -73.983, 40.719 ], "city": "city", "country": "country", "region": "region" }
  },
  "status": "0xC000006D",
  "status_detail": "Unknown user name or bad password.",
  "status_id": 2,
  "time": 1602175307000,
  "type_name": "Authentication: Logon",
  "type_uid": 300201,
  "unmapped": {
    "Detailed Authentication Information": { "Key Length": "0", "Package Name (NTLM only)": "-", "Transited Services": "-" },
    "EventCode": "4625",
    "EventType": "0",
    "Failure Information": { "Sub Status": "0xC000006A" },
    "OpCode": "Info",
    "RecordNumber": "223742",
    "SourceName": "Microsoft Windows security auditing.",
    "TaskCategory": "Logon"
  },
  "user": { "account_type": "Windows Account", "account_type_id": 2, "domain": "dummy.domain.com", "name": "Administrator", "uid": "NULL SID" }
}
```
Field mapping reference
Field mapping reference: Event Identifier to Event Type
The following table lists the OCSF supported event log types and their corresponding UDM event types.
| Event Identifier | 
|---|
| Authentication | 
| Authorize Session | 
| Security Finding | 
| FTP Activity | 
| Compliance Finding | 
| Detection Finding | 
| Incident Finding | 
| Vulnerability Finding | 
| Process Activity | 
| Http Activity | 
| Network Activity | 
| Network File Activity | 
| File Hosting Activity | 
| API Activity | 
| DNS Activity | 
Field mapping reference: OCSF Authentication
The following table lists the log fields for the Authentication log type and their corresponding UDM fields.
| Log field | UDM mapping | Logic | 
|---|---|---|
| activity_id | metadata.event_type | If the `activity_id` log field value is equal to `1`, then the `metadata.event_type` UDM field is set to `USER_LOGIN`. Else, if the `activity_id` log field value is equal to `2`, then the `metadata.event_type` UDM field is set to `USER_LOGOUT`. Else, the `metadata.event_type` UDM field is set to `USER_UNCATEGORIZED`. | 
| activity_name | metadata.product_event_type | The `%{activity_id} - %{activity_name}` log field is mapped to the `metadata.product_event_type` UDM field. | 
| api.response.code | network.http.response_code | |
| api.service.name | target.application | If the `dst_endpoint.svc_name` log field value is not empty, then the `dst_endpoint.svc_name` log field is mapped to the `target.application` UDM field. Else, if the `service.name` log field value is not empty, then the `%{service.name}` log field is mapped to the `target.application` UDM field. Else, if the `api.service.name` log field value is not empty, then the `%{api.service.name}` log field is mapped to the `target.application` UDM field. | 
| category_name | security_result.category_details | The `%{category_uid} - %{category_name}` log field is mapped to the `security_result.category_details` UDM field. | 
| category_uid | security_result.category_details | The `%{category_uid} - %{category_name}` log field is mapped to the `security_result.category_details` UDM field. | 
| certificate.created_time | network.tls.client.certificate.not_before | |
| certificate.expiration_time | network.tls.client.certificate.not_after | |
| certificate.issuer | network.tls.client.certificate.issuer | |
| certificate.serial_number | network.tls.client.certificate.serial | |
| certificate.subject | network.tls.client.certificate.subject | |
| certificate.version | network.tls.client.certificate.version | |
| class_name | metadata.log_type | |
| cloud.org.name | about.resource.name | |
| cloud.org.uid | about.resource.product_object_id | |
| cloud.project_uid | principal.resource.product_object_id | |
| cloud.provider | about.resource.attribute.cloud.environment | If the `cloud.provider` log field value matches the regular expression pattern `AWS`, then the `about.resource.attribute.cloud.environment` UDM field is set to `AMAZON_WEB_SERVICES`. Else, if the `cloud.provider` log field value matches the regular expression pattern `MS Azure`, then the `about.resource.attribute.cloud.environment` UDM field is set to `MICROSOFT_AZURE`. Else, if the `cloud.provider` log field value matches the regular expression pattern `GCP`, then the `about.resource.attribute.cloud.environment` UDM field is set to `GOOGLE_CLOUD_PLATFORM`. | 
| cloud.region | about.location.name | |
| cloud.zone | about.resource.attribute.cloud.availability_zone | |
| device.created_time | principal.asset.attribute.creation_time | |
| device.domain | principal.asset.network_domain | |
| device.first_seen_time | principal.asset.first_seen_time | |
| device.hostname | principal.asset.hostname | |
| device.hw_info.bios_manufacturer | principal.asset.hardware.manufacturer | |
| device.hw_info.cpu_cores | principal.asset.hardware.cpu_number_cores | |
| device.hw_info.cpu_speed | principal.asset.hardware.cpu_clock_speed | |
| device.hw_info.cpu_type | principal.asset.hardware.cpu_model | |
| device.hw_info.ram_size | principal.asset.hardware.ram | |
| device.hw_info.serial_number | principal.asset.hardware.serial_number | |
| device.ip | principal.asset.ip | |
| device.location.city | principal.asset.location.city | |
| device.location.coordinates.0 | principal.asset.location.region_coordinates.longitude | |
| device.location.coordinates.1 | principal.asset.location.region_coordinates.latitude | |
| device.location.country | principal.asset.location.country_or_region | |
| device.location.region | principal.asset.location.name | If the `device.region` log field value is empty, then the `device.location.region` log field is mapped to the `principal.asset.location.name` UDM field. | 
| device.mac | principal.asset.mac | |
| device.modified_time | principal.asset.attribute.last_update_time | |
| device.os.type_id | principal.asset.platform_software.platform | If the `device.os.type_id` log field value is equal to `100` or the `device.os.type_id` log field value is equal to `101`, then the `principal.asset.platform_software.platform` UDM field is set to `WINDOWS`. Else, if the `device.os.type_id` log field value is equal to `200`, then the `principal.asset.platform_software.platform` UDM field is set to `LINUX`. Else, if the `device.os.type_id` log field value is equal to `201`, then the `principal.asset.platform_software.platform` UDM field is set to `ANDROID`. Else, if the `device.os.type_id` log field value is equal to `300`, then the `principal.asset.platform_software.platform` UDM field is set to `MAC`. Else, if the `device.os.type_id` log field value is equal to `301`, then the `principal.asset.platform_software.platform` UDM field is set to `IOS`. Else, the `principal.asset.platform_software.platform` UDM field is set to `UNKNOWN_PLATFORM`. | 
| device.os.version | principal.asset.platform_software.platform_version | |
| device.region | principal.asset.location.name | |
| device.type_id | principal.asset.type | If the `device.type_id` log field value is equal to `1`, then the `principal.asset.type` UDM field is set to `SERVER`. Else, if the `device.type_id` log field value is equal to `2`, then the `principal.asset.type` UDM field is set to `WORKSTATION`. Else, if the `device.type_id` log field value is equal to `3`, then the `principal.asset.type` UDM field is set to `LAPTOP`. Else, if the `device.type_id` log field value is equal to `4` or the `device.type_id` log field value is equal to `5`, then the `principal.asset.type` UDM field is set to `MOBILE`. Else, if the `device.type_id` log field value is equal to `7`, then the `principal.asset.type` UDM field is set to `IOT`. Else, the `principal.asset.type` UDM field is set to `ROLE_UNSPECIFIED`. | 
| device.uid | principal.asset.product_object_id | |
| dst_endpoint.domain | target.domain.name | |
| dst_endpoint.hostname | target.hostname | |
| dst_endpoint.intermediate_ips | intermediary.ip | |
| dst_endpoint.ip | target.ip | |
| dst_endpoint.location.city | target.location.city | |
| dst_endpoint.location.coordinates.0 | target.location.region_coordinates.longitude | |
| dst_endpoint.location.coordinates.1 | target.location.region_coordinates.latitude | |
| dst_endpoint.location.country | target.location.country_or_region | |
| dst_endpoint.location.region | target.location.name | |
| dst_endpoint.mac | target.mac | |
| dst_endpoint.port | target.port | |
| dst_endpoint.svc_name | target.application | If the `dst_endpoint.svc_name` log field value is not empty, then the `dst_endpoint.svc_name` log field is mapped to the `target.application` UDM field. Else, if the `service.name` log field value is not empty, then the `%{service.name}` log field is mapped to the `target.application` UDM field. Else, if the `api.service.name` log field value is not empty, then the `%{api.service.name}` log field is mapped to the `target.application` UDM field. | 
| dst_endpoint.uid | target.asset_id | |
| http_request.http_method | network.http.method | |
| http_request.referrer | network.http.referral_url | |
| http_request.user_agent | network.http.user_agent | |
| logon_process.cmd_line | principal.process.command_line | If the `logon_process.cmd_line` log field value is empty, then the `actor.process.cmd_line` log field is mapped to the `principal.process.command_line` UDM field. | 
| actor.process.cmd_line | principal.process.command_line | If the `logon_process.cmd_line` log field value is empty, then the `actor.process.cmd_line` log field is mapped to the `principal.process.command_line` UDM field. | 
| logon_process.file.accessed_time | principal.process.file.last_seen_time | If the `logon_process.file.accessed_time` log field value is empty, then the `actor.process.file.accessed_time` log field is mapped to the `principal.process.file.last_seen_time` UDM field. | 
| actor.process.file.accessed_time | principal.process.file.last_seen_time | If the `logon_process.file.accessed_time` log field value is empty, then the `actor.process.file.accessed_time` log field is mapped to the `principal.process.file.last_seen_time` UDM field. | 
| logon_process.file.created_time | principal.process.file.first_seen_time | If the `logon_process.file.created_time` log field value is empty, then the `actor.process.file.created_time` log field is mapped to the `principal.process.file.first_seen_time` UDM field. | 
| actor.process.file.created_time | principal.process.file.first_seen_time | If the `logon_process.file.created_time` log field value is empty, then the `actor.process.file.created_time` log field is mapped to the `principal.process.file.first_seen_time` UDM field. | 
| logon_process.file.mime_type | principal.process.file.mime_type | If the `logon_process.file.mime_type` log field value is empty, then the `actor.process.file.mime_type` log field is mapped to the `principal.process.file.mime_type` UDM field. | 
| actor.process.file.mime_type | principal.process.file.mime_type | If the `logon_process.file.mime_type` log field value is empty, then the `actor.process.file.mime_type` log field is mapped to the `principal.process.file.mime_type` UDM field. | 
| logon_process.file.modified_time | principal.process.file.last_modification_time | If the `logon_process.file.modified_time` log field value is empty, then the `actor.process.file.modified_time` log field is mapped to the `principal.process.file.last_modification_time` UDM field. | 
| actor.process.file.modified_time | principal.process.file.last_modification_time | If the `logon_process.file.modified_time` log field value is empty, then the `actor.process.file.modified_time` log field is mapped to the `principal.process.file.last_modification_time` UDM field. | 
| logon_process.file.name | principal.process.file.names | If the `logon_process.file.name` log field value is empty, then the `actor.process.file.name` log field is mapped to the `principal.process.file.names` UDM field. | 
| actor.process.file.name | principal.process.file.names | If the `logon_process.file.name` log field value is empty, then the `actor.process.file.name` log field is mapped to the `principal.process.file.names` UDM field. | 
| logon_process.file.path | principal.process.file.full_path | If the `logon_process.file.path` log field value is empty, then the `actor.process.file.path` log field is mapped to the `principal.process.file.full_path` UDM field. | 
| actor.process.file.path | principal.process.file.full_path | If the `logon_process.file.path` log field value is empty, then the `actor.process.file.path` log field is mapped to the `principal.process.file.full_path` UDM field. | 
| logon_process.file.size | principal.process.file.size | If the `logon_process.file.size` log field value is empty, then the `actor.process.file.size` log field is mapped to the `principal.process.file.size` UDM field. | 
| actor.process.file.size | principal.process.file.size | If the `logon_process.file.size` log field value is empty, then the `actor.process.file.size` log field is mapped to the `principal.process.file.size` UDM field. | 
| logon_process.parent_process.cmd_line | principal.process.parent_process.command_line | If the `logon_process.parent_process.cmd_line` log field value is empty, then the `actor.process.parent_process.cmd_line` log field is mapped to the `principal.process.parent_process.command_line` UDM field. | 
| actor.process.parent_process.cmd_line | principal.process.parent_process.command_line | If the `logon_process.parent_process.cmd_line` log field value is empty, then the `actor.process.parent_process.cmd_line` log field is mapped to the `principal.process.parent_process.command_line` UDM field. | 
| logon_process.parent_process.file.accessed_time | principal.process.parent_process.file.last_seen_time | If the `logon_process.parent_process.file.accessed_time` log field value is empty, then the `actor.process.parent_process.file.accessed_time` log field is mapped to the `principal.process.parent_process.file.last_seen_time` UDM field. | 
| actor.process.parent_process.file.accessed_time | principal.process.parent_process.file.last_seen_time | If the `logon_process.parent_process.file.accessed_time` log field value is empty, then the `actor.process.parent_process.file.accessed_time` log field is mapped to the `principal.process.parent_process.file.last_seen_time` UDM field. | 
| logon_process.parent_process.file.created_time | principal.process.parent_process.file.first_seen_time | If the `logon_process.parent_process.file.created_time` log field value is empty, then the `actor.process.parent_process.file.created_time` log field is mapped to the `principal.process.parent_process.file.first_seen_time` UDM field. | 
| actor.process.parent_process.file.created_time | principal.process.parent_process.file.first_seen_time | If the `logon_process.parent_process.file.created_time` log field value is empty, then the `actor.process.parent_process.file.created_time` log field is mapped to the `principal.process.parent_process.file.first_seen_time` UDM field. | 
| logon_process.parent_process.file.mime_type | principal.process.parent_process.file.mime_type | If the `logon_process.parent_process.file.mime_type` log field value is empty, then the `actor.process.parent_process.file.mime_type` log field is mapped to the `principal.process.parent_process.file.mime_type` UDM field. | 
| actor.process.parent_process.file.mime_type | principal.process.parent_process.file.mime_type | If the `logon_process.parent_process.file.mime_type` log field value is empty, then the `actor.process.parent_process.file.mime_type` log field is mapped to the `principal.process.parent_process.file.mime_type` UDM field. | 
| logon_process.parent_process.file.modified_time | principal.process.parent_process.file.last_modification_time | If the `logon_process.parent_process.file.modified_time` log field value is empty, then the `actor.process.parent_process.file.modified_time` log field is mapped to the `principal.process.parent_process.file.last_modification_time` UDM field. | 
| actor.process.parent_process.file.modified_time | principal.process.parent_process.file.last_modification_time | If the `logon_process.parent_process.file.modified_time` log field value is empty, then the `actor.process.parent_process.file.modified_time` log field is mapped to the `principal.process.parent_process.file.last_modification_time` UDM field. | 
| logon_process.parent_process.file.name | principal.process.parent_process.file.names | If the `logon_process.parent_process.file.name` log field value is empty, then the `actor.process.parent_process.file.name` log field is mapped to the `principal.process.parent_process.file.names` UDM field. | 
| actor.process.parent_process.file.name | principal.process.parent_process.file.names | If the `logon_process.parent_process.file.name` log field value is empty, then the `actor.process.parent_process.file.name` log field is mapped to the `principal.process.parent_process.file.names` UDM field. | 
| logon_process.parent_process.file.path | principal.process.parent_process.file.full_path | If the `logon_process.parent_process.file.path` log field value is empty, then the `actor.process.parent_process.file.path` log field is mapped to the `principal.process.parent_process.file.full_path` UDM field. | 
| actor.process.parent_process.file.path | principal.process.parent_process.file.full_path | If the `logon_process.parent_process.file.path` log field value is empty, then the `actor.process.parent_process.file.path` log field is mapped to the `principal.process.parent_process.file.full_path` UDM field. | 
| logon_process.parent_process.file.size | principal.process.parent_process.file.size | If the `logon_process.parent_process.file.size` log field value is empty, then the `actor.process.parent_process.file.size` log field is mapped to the `principal.process.parent_process.file.size` UDM field. | 
| actor.process.parent_process.file.size | principal.process.parent_process.file.size | If the `logon_process.parent_process.file.size` log field value is empty, then the `actor.process.parent_process.file.size` log field is mapped to the `principal.process.parent_process.file.size` UDM field. | 
| logon_process.parent_process.pid | principal.process.parent_process.pid | If the `logon_process.parent_process.pid` log field value is empty, then the `actor.process.parent_process.pid` log field is mapped to the `principal.process.parent_process.pid` UDM field. | 
| actor.process.parent_process.pid | principal.process.parent_process.pid | If the `logon_process.parent_process.pid` log field value is empty, then the `actor.process.parent_process.pid` log field is mapped to the `principal.process.parent_process.pid` UDM field. | 
| logon_process.parent_process.uid | principal.process.parent_process.product_specific_process_id | If the `logon_process.parent_process.uid` log field value is empty, then the `actor.process.parent_process.uid` log field is mapped to the `principal.process.parent_process.product_specific_process_id` UDM field. | 
| actor.process.parent_process.uid | principal.process.parent_process.product_specific_process_id | If the `logon_process.parent_process.uid` log field value is empty, then the `actor.process.parent_process.uid` log field is mapped to the `principal.process.parent_process.product_specific_process_id` UDM field. | 
| logon_process.pid | principal.process.pid | If the `logon_process.pid` log field value is empty, then the `actor.process.pid` log field is mapped to the `principal.process.pid` UDM field. | 
| actor.process.pid | principal.process.pid | If the `logon_process.pid` log field value is empty, then the `actor.process.pid` log field is mapped to the `principal.process.pid` UDM field. | 
| logon_process.uid | principal.process.product_specific_process_id | If the `logon_process.uid` log field value is empty, then the `actor.process.uid` log field is mapped to the `principal.process.product_specific_process_id` UDM field. | 
| actor.process.uid | principal.process.product_specific_process_id | If the `logon_process.uid` log field value is empty, then the `actor.process.uid` log field is mapped to the `principal.process.product_specific_process_id` UDM field. | 
| logon_type_id | extensions.auth.mechanism | If the `logon_type` log field value is equal to `0`, then the `extensions.auth.mechanism` UDM field is set to `LOCAL`. Else, if the `logon_type` log field value is equal to `2`, then the `extensions.auth.mechanism` UDM field is set to `INTERACTIVE`. Else, if the `logon_type` log field value is equal to `3`, then the `extensions.auth.mechanism` UDM field is set to `NETWORK`. Else, if the `logon_type` log field value is equal to `4`, then the `extensions.auth.mechanism` UDM field is set to `BATCH`. Else, if the `logon_type` log field value is equal to `5`, then the `extensions.auth.mechanism` UDM field is set to `SERVICE`. Else, if the `logon_type` log field value is equal to `7`, then the `extensions.auth.mechanism` UDM field is set to `UNLOCK`. Else, if the `logon_type` log field value is equal to `8`, then the `extensions.auth.mechanism` UDM field is set to `NETWORK_CLEAR_TEXT`. Else, if the `logon_type` log field value is equal to `9`, then the `extensions.auth.mechanism` UDM field is set to `NEW_CREDENTIALS`. Else, if the `logon_type` log field value is equal to `10`, then the `extensions.auth.mechanism` UDM field is set to `REMOTE_INTERACTIVE`. Else, if the `logon_type` log field value is equal to `11`, then the `extensions.auth.mechanism` UDM field is set to `CACHED_INTERACTIVE`. Else, if the `logon_type` log field value is equal to `12`, then the `extensions.auth.mechanism` UDM field is set to `CACHED_REMOTE_INTERACTIVE`. Else, if the `logon_type` log field value is equal to `13`, then the `extensions.auth.mechanism` UDM field is set to `CACHED_UNLOCK`. Else, the `extensions.auth.mechanism` UDM field is set to `MECHANISM_UNSPECIFIED`. | 
| message | metadata.description | If the `message` log field value is empty, then the `api.response.message` log field is mapped to the `metadata.description` UDM field. | 
| api.response.message | metadata.description | If the `message` log field value is empty, then the `api.response.message` log field is mapped to the `metadata.description` UDM field. | 
| metadata.logged_time | metadata.collected_timestamp | |
| metadata.product.name | metadata.product_name | |
| metadata.uid | metadata.product_log_id | |
| metadata.product.vendor_name | metadata.vendor_name | |
| metadata.product.version | metadata.product_version | |
| observables.value | observer.file.names | Iterate through the `observables.value` log field. If the index value is equal to `0` and the `observables.type_id` log field value is equal to `1`, then the `observables.value` log field is mapped to the `observer.hostname` UDM field. Else, if the `observables.type_id` log field value is equal to `2`, then the `observables.value` log field is mapped to the `observer.ip` UDM field. Else, if the `observables.type_id` log field value is equal to `3`, then the `observables.value` log field is mapped to the `observer.mac` UDM field. Else, if the `observables.type_id` log field value is equal to `4`, then the `observables.value` log field is mapped to the `observer.user.userid` UDM field. Else, if the `observables.type_id` log field value is equal to `5`, then the `observables.value` log field is mapped to the `observer.user.email_addresses` UDM field. Else, if the `observables.type_id` log field value is equal to `6`, then the `observables.value` log field is mapped to the `observer.url` UDM field. Else, if the `observables.type_id` log field value is equal to `7`, then the `observables.value` log field is mapped to the `observer.file.names` UDM field. Else, if the `observables.type_id` log field value is equal to `8`, then the `observables.value` log field is mapped to the `observer.file.vhash` UDM field. Else, if the `observables.type_id` log field value is equal to `9`, then the `observables.value` log field is mapped to the `observer.process.file.names` UDM field. Else, if the `observables.type_id` log field value is equal to `10`, then the `observables.value` log field is mapped to the `observer.resource.product_object_id` UDM field. | 
| observables.value | observer.file.vhash | Same logic as the `observer.file.names` row above: the `observables.type_id` log field value selects the `observer` UDM field (`8` maps `observables.value` to `observer.file.vhash`). | 
| observables.value | observer.hostname | Same logic as the `observer.file.names` row above: the `observables.type_id` log field value selects the `observer` UDM field (`1` maps `observables.value` to `observer.hostname`). | 
| observables.value | observer.ip | Same logic as the `observer.file.names` row above: the `observables.type_id` log field value selects the `observer` UDM field (`2` maps `observables.value` to `observer.ip`). | 
| observables.value | observer.mac | Same logic as the `observer.file.names` row above: the `observables.type_id` log field value selects the `observer` UDM field (`3` maps `observables.value` to `observer.mac`). | 
| observables.value | observer.process.file.names | Same logic as the `observer.file.names` row above: the `observables.type_id` log field value selects the `observer` UDM field (`9` maps `observables.value` to `observer.process.file.names`). | 
| observables.value | observer.resource.product_object_id | Same logic as the `observer.file.names` row above: the `observables.type_id` log field value selects the `observer` UDM field (`10` maps `observables.value` to `observer.resource.product_object_id`). | 
| observables.value | observer.url | Same logic as the `observer.file.names` row above: the `observables.type_id` log field value selects the `observer` UDM field (`6` maps `observables.value` to `observer.url`). | 
| observables.value | observer.user.email_addresses | Iterate through log field observables.value, thenif the indexvalue is equal to0and if theobservables.type_idlog field value is equal to1then,observables.valuelog field is mapped to theobserver.hostnameUDM field. Else, ifobservables.type_idlog field value is equal to2then,observables.valuelog field is mapped to theobserver.ipUDM field. Else, ifobservables.type_idlog field value is equal to3then,observables.valuelog field is mapped to theobserver.macUDM field. Else, ifobservables.type_idlog field value is equal to4then,observables.valuelog field is mapped to theobserver.user.useridUDM field. Else, ifobservables.type_idlog field value is equal to5then,observables.valuelog field is mapped to theobserver.user.email_addressesUDM field. Else, ifobservables.type_idlog field value is equal to6then,observables.valuelog field is mapped to theobserver.urlUDM field. Else, ifobservables.type_idlog field value is equal to7then,observables.valuelog field is mapped to theobserver.file.namesUDM field. Else, ifobservables.type_idlog field value is equal to8then,observables.valuelog field is mapped to theobserver.file.vhashUDM field. Else, ifobservables.type_idlog field value is equal to9then,observables.valuelog field is mapped to theobserver.process.file.namesUDM field. Else, ifobservables.type_idlog field value is equal to10then,observables.valuelog field is mapped to theobserver.resource.product_object_idUDM field. | 
| observables.value | observer.user.userid | Iterate through log field observables.value, thenif the indexvalue is equal to0and if theobservables.type_idlog field value is equal to1then,observables.valuelog field is mapped to theobserver.hostnameUDM field. Else, ifobservables.type_idlog field value is equal to2then,observables.valuelog field is mapped to theobserver.ipUDM field. Else, ifobservables.type_idlog field value is equal to3then,observables.valuelog field is mapped to theobserver.macUDM field. Else, ifobservables.type_idlog field value is equal to4then,observables.valuelog field is mapped to theobserver.user.useridUDM field. Else, ifobservables.type_idlog field value is equal to5then,observables.valuelog field is mapped to theobserver.user.email_addressesUDM field. Else, ifobservables.type_idlog field value is equal to6then,observables.valuelog field is mapped to theobserver.urlUDM field. Else, ifobservables.type_idlog field value is equal to7then,observables.valuelog field is mapped to theobserver.file.namesUDM field. Else, ifobservables.type_idlog field value is equal to8then,observables.valuelog field is mapped to theobserver.file.vhashUDM field. Else, ifobservables.type_idlog field value is equal to9then,observables.valuelog field is mapped to theobserver.process.file.namesUDM field. Else, ifobservables.type_idlog field value is equal to10then,observables.valuelog field is mapped to theobserver.resource.product_object_idUDM field. | 
| service.name | target.application | If the dst_endpoint.svc_namelog field value is not empty then,dst_endpoint.svc_namelog field is mapped to thetarget.applicationUDM field.Else, if service.namelog field value is not empty then,%{service.name}log field is mapped to thetarget.applicationUDM field.Else, if pi.s service.namelog field value is not empty then,%{api.service.name}log field is mapped to thetarget.applicationUDM field. | 
| session.uid | network.session_id | If the session.uidlog field value is empty then,actor.session.uidlog field is mapped to thenetwork.session_idUDM field. | 
| actor.session.uid | network.session_id | If the session.uidlog field value is empty then,actor.session.uidlog field is mapped to thenetwork.session_idUDM field. | 
| severity | security_result.severity_details | |
| severity_id | security_result.severity | If the `severity_id` log field value is equal to `1`, the `security_result.severity` UDM field is set to `INFORMATIONAL`. Else, if `severity_id` is equal to `2`, it is set to `LOW`. Else, if `3`, to `MEDIUM`. Else, if `4`, to `HIGH`. Else, if `5`, to `CRITICAL`. Otherwise, `security_result.severity` is set to `UNKNOWN_SEVERITY`. |
| src_endpoint.domain | principal.domain.name | |
| src_endpoint.hostname | principal.hostname | |
| src_endpoint.intermediate_ips | intermediary.ip | |
| src_endpoint.ip | principal.ip | |
| src_endpoint.location.city | principal.location.city | |
| src_endpoint.location.coordinates.0 | principal.location.region_coordinates.longitude | |
| src_endpoint.location.coordinates.1 | principal.location.region_coordinates.latitude | |
| src_endpoint.location.country | principal.location.country_or_region | |
| src_endpoint.location.region | principal.location.name | |
| src_endpoint.mac | principal.mac | |
| src_endpoint.port | principal.port | |
| src_endpoint.svc_name | principal.application | |
| src_endpoint.uid | principal.asset_id | |
| time | metadata.event_timestamp | |
| user.domain | target.administrative_domain | If the `user.domain` log field value is not empty and the `activity_id` log field value is equal to `1` or `2`, `user.domain` is mapped to the `target.administrative_domain` UDM field. Else, if `actor.user.domain` is not empty and `activity_id` is equal to `1` or `2`, `actor.user.domain` is mapped to `target.administrative_domain`. Else, if `logon_process.user.domain` is not empty and `activity_id` is equal to `1` or `2`, `logon_process.user.domain` is mapped to `target.administrative_domain`. |
| actor.user.domain | target.administrative_domain | If the `user.domain` log field value is not empty and the `activity_id` log field value is equal to `1` or `2`, `user.domain` is mapped to the `target.administrative_domain` UDM field. Else, if `actor.user.domain` is not empty and `activity_id` is equal to `1` or `2`, `actor.user.domain` is mapped to `target.administrative_domain`. Else, if `logon_process.user.domain` is not empty and `activity_id` is equal to `1` or `2`, `logon_process.user.domain` is mapped to `target.administrative_domain`. |
| logon_process.user.domain | target.administrative_domain | If the `user.domain` log field value is not empty and the `activity_id` log field value is equal to `1` or `2`, `user.domain` is mapped to the `target.administrative_domain` UDM field. Else, if `actor.user.domain` is not empty and `activity_id` is equal to `1` or `2`, `actor.user.domain` is mapped to `target.administrative_domain`. Else, if `logon_process.user.domain` is not empty and `activity_id` is equal to `1` or `2`, `logon_process.user.domain` is mapped to `target.administrative_domain`. |
| user.domain | principal.administrative_domain | If the `user.domain` log field value is not empty and the `activity_id` log field value is not equal to `1` or is not equal to `2`, `user.domain` is mapped to the `principal.administrative_domain` UDM field. Else, if `actor.user.domain` is not empty and `activity_id` is not equal to `1` or is not equal to `2`, `actor.user.domain` is mapped to `principal.administrative_domain`. Else, if `logon_process.user.domain` is not empty and `activity_id` is not equal to `1` or is not equal to `2`, `logon_process.user.domain` is mapped to `principal.administrative_domain`. |
| actor.user.domain | principal.administrative_domain | If the `user.domain` log field value is not empty and the `activity_id` log field value is not equal to `1` or is not equal to `2`, `user.domain` is mapped to the `principal.administrative_domain` UDM field. Else, if `actor.user.domain` is not empty and `activity_id` is not equal to `1` or is not equal to `2`, `actor.user.domain` is mapped to `principal.administrative_domain`. Else, if `logon_process.user.domain` is not empty and `activity_id` is not equal to `1` or is not equal to `2`, `logon_process.user.domain` is mapped to `principal.administrative_domain`. |
| logon_process.user.domain | principal.administrative_domain | If the `user.domain` log field value is not empty and the `activity_id` log field value is not equal to `1` or is not equal to `2`, `user.domain` is mapped to the `principal.administrative_domain` UDM field. Else, if `actor.user.domain` is not empty and `activity_id` is not equal to `1` or is not equal to `2`, `actor.user.domain` is mapped to `principal.administrative_domain`. Else, if `logon_process.user.domain` is not empty and `activity_id` is not equal to `1` or is not equal to `2`, `logon_process.user.domain` is mapped to `principal.administrative_domain`. |
| user.email_addr | target.user.email_addresses | If the `user.email_addr` log field value is not empty and the `activity_id` log field value is equal to `1` or `2`, `user.email_addr` is mapped to the `target.user.email_addresses` UDM field. Else, if `actor.user.email_addr` is not empty and `activity_id` is equal to `1` or `2`, `actor.user.email_addr` is mapped to `target.user.email_addresses`. Else, if `logon_process.user.email_addr` is not empty and `activity_id` is equal to `1` or `2`, `logon_process.user.email_addr` is mapped to `target.user.email_addresses`. |
| actor.user.email_addr | target.user.email_addresses | If the `user.email_addr` log field value is not empty and the `activity_id` log field value is equal to `1` or `2`, `user.email_addr` is mapped to the `target.user.email_addresses` UDM field. Else, if `actor.user.email_addr` is not empty and `activity_id` is equal to `1` or `2`, `actor.user.email_addr` is mapped to `target.user.email_addresses`. Else, if `logon_process.user.email_addr` is not empty and `activity_id` is equal to `1` or `2`, `logon_process.user.email_addr` is mapped to `target.user.email_addresses`. |
| logon_process.user.email_addr | target.user.email_addresses | If the `user.email_addr` log field value is not empty and the `activity_id` log field value is equal to `1` or `2`, `user.email_addr` is mapped to the `target.user.email_addresses` UDM field. Else, if `actor.user.email_addr` is not empty and `activity_id` is equal to `1` or `2`, `actor.user.email_addr` is mapped to `target.user.email_addresses`. Else, if `logon_process.user.email_addr` is not empty and `activity_id` is equal to `1` or `2`, `logon_process.user.email_addr` is mapped to `target.user.email_addresses`. |
| user.email_addr | principal.user.email_addresses | If the `user.email_addr` log field value is not empty and the `activity_id` log field value is not equal to `1` or is not equal to `2`, `user.email_addr` is mapped to the `principal.user.email_addresses` UDM field. Else, if `actor.user.email_addr` is not empty and `activity_id` is not equal to `1` or is not equal to `2`, `actor.user.email_addr` is mapped to `principal.user.email_addresses`. Else, if `logon_process.user.email_addr` is not empty and `activity_id` is not equal to `1` or is not equal to `2`, `logon_process.user.email_addr` is mapped to `principal.user.email_addresses`. |
| actor.user.email_addr | principal.user.email_addresses | If the `user.email_addr` log field value is not empty and the `activity_id` log field value is not equal to `1` or is not equal to `2`, `user.email_addr` is mapped to the `principal.user.email_addresses` UDM field. Else, if `actor.user.email_addr` is not empty and `activity_id` is not equal to `1` or is not equal to `2`, `actor.user.email_addr` is mapped to `principal.user.email_addresses`. Else, if `logon_process.user.email_addr` is not empty and `activity_id` is not equal to `1` or is not equal to `2`, `logon_process.user.email_addr` is mapped to `principal.user.email_addresses`. |
| logon_process.user.email_addr | principal.user.email_addresses | If the `user.email_addr` log field value is not empty and the `activity_id` log field value is not equal to `1` or is not equal to `2`, `user.email_addr` is mapped to the `principal.user.email_addresses` UDM field. Else, if `actor.user.email_addr` is not empty and `activity_id` is not equal to `1` or is not equal to `2`, `actor.user.email_addr` is mapped to `principal.user.email_addresses`. Else, if `logon_process.user.email_addr` is not empty and `activity_id` is not equal to `1` or is not equal to `2`, `logon_process.user.email_addr` is mapped to `principal.user.email_addresses`. |
| user.full_name | target.user.user_display_name | If the `user.full_name` log field value is not empty and the `activity_id` log field value is equal to `1` or `2`, `user.full_name` is mapped to the `target.user.user_display_name` UDM field. Else, if `actor.user.full_name` is not empty and `activity_id` is equal to `1` or `2`, `actor.user.full_name` is mapped to `target.user.user_display_name`. Else, if `logon_process.user.full_name` is not empty and `activity_id` is equal to `1` or `2`, `logon_process.user.full_name` is mapped to `target.user.user_display_name`. |
| actor.user.full_name | target.user.user_display_name | If the `user.full_name` log field value is not empty and the `activity_id` log field value is equal to `1` or `2`, `user.full_name` is mapped to the `target.user.user_display_name` UDM field. Else, if `actor.user.full_name` is not empty and `activity_id` is equal to `1` or `2`, `actor.user.full_name` is mapped to `target.user.user_display_name`. Else, if `logon_process.user.full_name` is not empty and `activity_id` is equal to `1` or `2`, `logon_process.user.full_name` is mapped to `target.user.user_display_name`. |
| logon_process.user.full_name | target.user.user_display_name | If the `user.full_name` log field value is not empty and the `activity_id` log field value is equal to `1` or `2`, `user.full_name` is mapped to the `target.user.user_display_name` UDM field. Else, if `actor.user.full_name` is not empty and `activity_id` is equal to `1` or `2`, `actor.user.full_name` is mapped to `target.user.user_display_name`. Else, if `logon_process.user.full_name` is not empty and `activity_id` is equal to `1` or `2`, `logon_process.user.full_name` is mapped to `target.user.user_display_name`. |
| user.full_name | principal.user.user_display_name | If the `user.full_name` log field value is not empty and the `activity_id` log field value is not equal to `1` or is not equal to `2`, `user.full_name` is mapped to the `principal.user.user_display_name` UDM field. Else, if `actor.user.full_name` is not empty and `activity_id` is not equal to `1` or is not equal to `2`, `actor.user.full_name` is mapped to `principal.user.user_display_name`. Else, if `logon_process.user.full_name` is not empty and `activity_id` is not equal to `1` or is not equal to `2`, `logon_process.user.full_name` is mapped to `principal.user.user_display_name`. |
| actor.user.full_name | principal.user.user_display_name | If the `user.full_name` log field value is not empty and the `activity_id` log field value is not equal to `1` or is not equal to `2`, `user.full_name` is mapped to the `principal.user.user_display_name` UDM field. Else, if `actor.user.full_name` is not empty and `activity_id` is not equal to `1` or is not equal to `2`, `actor.user.full_name` is mapped to `principal.user.user_display_name`. Else, if `logon_process.user.full_name` is not empty and `activity_id` is not equal to `1` or is not equal to `2`, `logon_process.user.full_name` is mapped to `principal.user.user_display_name`. |
| logon_process.user.full_name | principal.user.user_display_name | If the `user.full_name` log field value is not empty and the `activity_id` log field value is not equal to `1` or is not equal to `2`, `user.full_name` is mapped to the `principal.user.user_display_name` UDM field. Else, if `actor.user.full_name` is not empty and `activity_id` is not equal to `1` or is not equal to `2`, `actor.user.full_name` is mapped to `principal.user.user_display_name`. Else, if `logon_process.user.full_name` is not empty and `activity_id` is not equal to `1` or is not equal to `2`, `logon_process.user.full_name` is mapped to `principal.user.user_display_name`. |
| user.groups.name | principal.group.group_display_name | |
| actor.user.groups.name | principal.group.group_display_name | |
| logon_process.user.groups.name | principal.group.group_display_name | |
| user.groups.privileges | principal.group.attribute.permissions.name | |
| actor.user.groups.privileges | principal.group.attribute.permissions.name | |
| logon_process.user.groups.privileges | principal.group.attribute.permissions.name | |
| user.groups.uid | principal.user.group_identifiers | |
| actor.user.groups.uid | principal.user.group_identifiers | |
| logon_process.user.groups.uid | principal.user.group_identifiers | |
| user.name | target.user.userid | If the user.namelog field value is not empty and if theactivity_idlog field value is equal to1orthe activity_idlog field value is equal to2then,user.namelog field is mapped to thetarget.user.useridUDM field.Else, if actor.user.namelog field value is not empty and if theactivity_idlog field value is equal to1orthe activity_idlog field value is equal to2then,actor.user.namelog field is mapped to thetarget.user.useridUDM field.Else, if logon_process.user.namelog field value is not empty and if theactivity_idlog field value is equal to1orthe activity_idlog field value is equal to2then,logon_process.user.namelog field is mapped to thetarget.user.useridUDM field. | 
| actor.user.name | target.user.userid | If the user.namelog field value is not empty and if theactivity_idlog field value is equal to1orthe activity_idlog field value is equal to2then,user.namelog field is mapped to thetarget.user.useridUDM field.Else, if actor.user.namelog field value is not empty and if theactivity_idlog field value is equal to1orthe activity_idlog field value is equal to2then,actor.user.namelog field is mapped to thetarget.user.useridUDM field.Else, if logon_process.user.namelog field value is not empty and if theactivity_idlog field value is equal to1orthe activity_idlog field value is equal to2then,logon_process.user.namelog field is mapped to thetarget.user.useridUDM field. | 
| logon_process.user.name | target.user.userid | If the user.namelog field value is not empty and if theactivity_idlog field value is equal to1orthe activity_idlog field value is equal to2then,user.namelog field is mapped to thetarget.user.useridUDM field.Else, if actor.user.namelog field value is not empty and if theactivity_idlog field value is equal to1orthe activity_idlog field value is equal to2then,actor.user.namelog field is mapped to thetarget.user.useridUDM field.Else, if logon_process.user.namelog field value is not empty and if theactivity_idlog field value is equal to1orthe activity_idlog field value is equal to2then,logon_process.user.namelog field is mapped to thetarget.user.useridUDM field. | 
| user.name | principal.user.userid | If the user.namelog field value is not empty and if theactivity_idlog field value is not equal to1orthe activity_idlog field value is not equal to2then,user.namelog field is mapped to theprincipal.user.useridUDM field.Else, if actor.user.namelog field value is not empty and if theactivity_idlog field value is not equal to1orthe activity_idlog field value is not equal to2then,actor.user.namelog field is mapped to theprincipal.user.useridUDM field.Else, if logon_process.user.namelog field value is not empty and if theactivity_idlog field value is not equal to1orthe activity_idlog field value is not equal to2then,logon_process.user.namelog field is mapped to theprincipal.user.useridUDM field. | 
| actor.user.name | principal.user.userid | If the user.namelog field value is not empty and if theactivity_idlog field value is not equal to1orthe activity_idlog field value is not equal to2then,user.namelog field is mapped to theprincipal.user.useridUDM field.Else, if actor.user.namelog field value is not empty and if theactivity_idlog field value is not equal to1orthe activity_idlog field value is not equal to2then,actor.user.namelog field is mapped to theprincipal.user.useridUDM field.Else, if logon_process.user.namelog field value is not empty and if theactivity_idlog field value is not equal to1orthe activity_idlog field value is not equal to2then,logon_process.user.namelog field is mapped to theprincipal.user.useridUDM field. | 
| logon_process.user.name | principal.user.userid | If the user.namelog field value is not empty and if theactivity_idlog field value is not equal to1orthe activity_idlog field value is not equal to2then,user.namelog field is mapped to theprincipal.user.useridUDM field.Else, if actor.user.namelog field value is not empty and if theactivity_idlog field value is not equal to1orthe activity_idlog field value is not equal to2then,actor.user.namelog field is mapped to theprincipal.user.useridUDM field.Else, if logon_process.user.namelog field value is not empty and if theactivity_idlog field value is not equal to1orthe activity_idlog field value is not equal to2then,logon_process.user.namelog field is mapped to theprincipal.user.useridUDM field. | 
| user.org.name | target.user.company_name | If the user.org.namelog field value is not empty and if theactivity_idlog field value is equal to1orthe activity_idlog field value is equal to2then,user.org.namelog field is mapped to thetarget.user.company_nameUDM field.Else, if actor.user.org.namelog field value is not empty and if theactivity_idlog field value is equal to1orthe activity_idlog field value is equal to2then,actor.user.org.namelog field is mapped to thetarget.user.company_nameUDM field.Else, if logon_process.user.org.namelog field value is not empty and if theactivity_idlog field value is equal to1orthe activity_idlog field value is equal to2then,logon_process.user.org.namelog field is mapped to thetarget.user.company_nameUDM field. | 
| actor.user.org.name | target.user.company_name | If the user.org.namelog field value is not empty and if theactivity_idlog field value is equal to1orthe activity_idlog field value is equal to2then,user.org.namelog field is mapped to thetarget.user.company_nameUDM field.Else, if actor.user.org.namelog field value is not empty and if theactivity_idlog field value is equal to1orthe activity_idlog field value is equal to2then,actor.user.org.namelog field is mapped to thetarget.user.company_nameUDM field.Else, if logon_process.user.org.namelog field value is not empty and if theactivity_idlog field value is equal to1orthe activity_idlog field value is equal to2then,logon_process.user.org.namelog field is mapped to thetarget.user.company_nameUDM field. | 
| logon_process.user.org.name | target.user.company_name | If the user.org.namelog field value is not empty and if theactivity_idlog field value is equal to1orthe activity_idlog field value is equal to2then,user.org.namelog field is mapped to thetarget.user.company_nameUDM field.Else, if actor.user.org.namelog field value is not empty and if theactivity_idlog field value is equal to1orthe activity_idlog field value is equal to2then,actor.user.org.namelog field is mapped to thetarget.user.company_nameUDM field.Else, if logon_process.user.org.namelog field value is not empty and if theactivity_idlog field value is equal to1orthe activity_idlog field value is equal to2then,logon_process.user.org.namelog field is mapped to thetarget.user.company_nameUDM field. | 
| user.org.name | principal.user.company_name | If the user.org.namelog field value is not empty and if theactivity_idlog field value is not equal to1orthe activity_idlog field value is not equal to2then,user.org.namelog field is mapped to theprincipal.user.company_nameUDM field.Else, if actor.user.org.namelog field value is not empty and if theactivity_idlog field value is not equal to1orthe activity_idlog field value is not equal to2then,actor.user.org.namelog field is mapped to theprincipal.user.company_nameUDM field.Else, if logon_process.user.org.namelog field value is not empty and if theactivity_idlog field value is not equal to1orthe activity_idlog field value is not equal to2then,logon_process.user.org.namelog field is mapped to theprincipal.user.company_nameUDM field. | 
| actor.user.org.name | principal.user.company_name | If the user.org.namelog field value is not empty and if theactivity_idlog field value is not equal to1orthe activity_idlog field value is not equal to2then,user.org.namelog field is mapped to theprincipal.user.company_nameUDM field.Else, if actor.user.org.namelog field value is not empty and if theactivity_idlog field value is not equal to1orthe activity_idlog field value is not equal to2then,actor.user.org.namelog field is mapped to theprincipal.user.company_nameUDM field.Else, if logon_process.user.org.namelog field value is not empty and if theactivity_idlog field value is not equal to1orthe activity_idlog field value is not equal to2then,logon_process.user.org.namelog field is mapped to theprincipal.user.company_nameUDM field. | 
| logon_process.user.org.name | principal.user.company_name | If the user.org.namelog field value is not empty and if theactivity_idlog field value is not equal to1orthe activity_idlog field value is not equal to2then,user.org.namelog field is mapped to theprincipal.user.company_nameUDM field.Else, if actor.user.org.namelog field value is not empty and if theactivity_idlog field value is not equal to1orthe activity_idlog field value is not equal to2then,actor.user.org.namelog field is mapped to theprincipal.user.company_nameUDM field.Else, if logon_process.user.org.namelog field value is not empty and if theactivity_idlog field value is not equal to1orthe activity_idlog field value is not equal to2then,logon_process.user.org.namelog field is mapped to theprincipal.user.company_nameUDM field. | 
| user.org.ou_name | target.user.department | If the `user.org.ou_name` log field value is not empty and the `activity_id` log field value is equal to `1` or `2`, then the `user.org.ou_name` log field is mapped to the `target.user.department` UDM field. Else, if the `actor.user.org.ou_name` log field value is not empty and the `activity_id` log field value is equal to `1` or `2`, then the `actor.user.org.ou_name` log field is mapped to the `target.user.department` UDM field. Else, if the `logon_process.user.org.ou_name` log field value is not empty and the `activity_id` log field value is equal to `1` or `2`, then the `logon_process.user.org.ou_name` log field is mapped to the `target.user.department` UDM field. |
| actor.user.org.ou_name | target.user.department | If the `user.org.ou_name` log field value is not empty and the `activity_id` log field value is equal to `1` or `2`, then the `user.org.ou_name` log field is mapped to the `target.user.department` UDM field. Else, if the `actor.user.org.ou_name` log field value is not empty and the `activity_id` log field value is equal to `1` or `2`, then the `actor.user.org.ou_name` log field is mapped to the `target.user.department` UDM field. Else, if the `logon_process.user.org.ou_name` log field value is not empty and the `activity_id` log field value is equal to `1` or `2`, then the `logon_process.user.org.ou_name` log field is mapped to the `target.user.department` UDM field. |
| logon_process.user.org.ou_name | target.user.department | If the `user.org.ou_name` log field value is not empty and the `activity_id` log field value is equal to `1` or `2`, then the `user.org.ou_name` log field is mapped to the `target.user.department` UDM field. Else, if the `actor.user.org.ou_name` log field value is not empty and the `activity_id` log field value is equal to `1` or `2`, then the `actor.user.org.ou_name` log field is mapped to the `target.user.department` UDM field. Else, if the `logon_process.user.org.ou_name` log field value is not empty and the `activity_id` log field value is equal to `1` or `2`, then the `logon_process.user.org.ou_name` log field is mapped to the `target.user.department` UDM field. |
| user.org.ou_name | principal.user.department | If the `user.org.ou_name` log field value is not empty and the `activity_id` log field value is neither `1` nor `2`, then the `user.org.ou_name` log field is mapped to the `principal.user.department` UDM field. Else, if the `actor.user.org.ou_name` log field value is not empty and the `activity_id` log field value is neither `1` nor `2`, then the `actor.user.org.ou_name` log field is mapped to the `principal.user.department` UDM field. Else, if the `logon_process.user.org.ou_name` log field value is not empty and the `activity_id` log field value is neither `1` nor `2`, then the `logon_process.user.org.ou_name` log field is mapped to the `principal.user.department` UDM field. |
| actor.user.org.ou_name | principal.user.department | If the `user.org.ou_name` log field value is not empty and the `activity_id` log field value is neither `1` nor `2`, then the `user.org.ou_name` log field is mapped to the `principal.user.department` UDM field. Else, if the `actor.user.org.ou_name` log field value is not empty and the `activity_id` log field value is neither `1` nor `2`, then the `actor.user.org.ou_name` log field is mapped to the `principal.user.department` UDM field. Else, if the `logon_process.user.org.ou_name` log field value is not empty and the `activity_id` log field value is neither `1` nor `2`, then the `logon_process.user.org.ou_name` log field is mapped to the `principal.user.department` UDM field. |
| logon_process.user.org.ou_name | principal.user.department | If the `user.org.ou_name` log field value is not empty and the `activity_id` log field value is neither `1` nor `2`, then the `user.org.ou_name` log field is mapped to the `principal.user.department` UDM field. Else, if the `actor.user.org.ou_name` log field value is not empty and the `activity_id` log field value is neither `1` nor `2`, then the `actor.user.org.ou_name` log field is mapped to the `principal.user.department` UDM field. Else, if the `logon_process.user.org.ou_name` log field value is not empty and the `activity_id` log field value is neither `1` nor `2`, then the `logon_process.user.org.ou_name` log field is mapped to the `principal.user.department` UDM field. |
| user.type_id | target.user.attribute.roles.name | If the `user.type_id` log field value is not empty and the `activity_id` log field value is equal to `1` or `2`, then the `target.user.attribute.roles.name` UDM field is set from the `user.type_id` log field value: `0` sets `Unknown`, `1` sets `User`, `2` sets `Admin`, `3` sets `System`, and any other value sets `Other`. Else, if the `actor.user.type_id` log field value is not empty and the `activity_id` log field value is equal to `1` or `2`, then the `target.user.attribute.roles.name` UDM field is set in the same way from the `actor.user.type_id` log field value. Else, if the `logon_process.user.type_id` log field value is not empty and the `activity_id` log field value is equal to `1` or `2`, then the `target.user.attribute.roles.name` UDM field is set in the same way from the `logon_process.user.type_id` log field value. |
| actor.user.type_id | target.user.attribute.roles.name | If the `user.type_id` log field value is not empty and the `activity_id` log field value is equal to `1` or `2`, then the `target.user.attribute.roles.name` UDM field is set from the `user.type_id` log field value: `0` sets `Unknown`, `1` sets `User`, `2` sets `Admin`, `3` sets `System`, and any other value sets `Other`. Else, if the `actor.user.type_id` log field value is not empty and the `activity_id` log field value is equal to `1` or `2`, then the `target.user.attribute.roles.name` UDM field is set in the same way from the `actor.user.type_id` log field value. Else, if the `logon_process.user.type_id` log field value is not empty and the `activity_id` log field value is equal to `1` or `2`, then the `target.user.attribute.roles.name` UDM field is set in the same way from the `logon_process.user.type_id` log field value. |
| logon_process.user.type_id | target.user.attribute.roles.name | If the `user.type_id` log field value is not empty and the `activity_id` log field value is equal to `1` or `2`, then the `target.user.attribute.roles.name` UDM field is set from the `user.type_id` log field value: `0` sets `Unknown`, `1` sets `User`, `2` sets `Admin`, `3` sets `System`, and any other value sets `Other`. Else, if the `actor.user.type_id` log field value is not empty and the `activity_id` log field value is equal to `1` or `2`, then the `target.user.attribute.roles.name` UDM field is set in the same way from the `actor.user.type_id` log field value. Else, if the `logon_process.user.type_id` log field value is not empty and the `activity_id` log field value is equal to `1` or `2`, then the `target.user.attribute.roles.name` UDM field is set in the same way from the `logon_process.user.type_id` log field value. |
| user.type_id | principal.user.attribute.roles.name | If the `user.type_id` log field value is not empty and the `activity_id` log field value is neither `1` nor `2`, then the `principal.user.attribute.roles.name` UDM field is set from the `user.type_id` log field value: `0` sets `Unknown`, `1` sets `User`, `2` sets `Admin`, `3` sets `System`, and any other value sets `Other`. Else, if the `actor.user.type_id` log field value is not empty and the `activity_id` log field value is neither `1` nor `2`, then the `principal.user.attribute.roles.name` UDM field is set in the same way from the `actor.user.type_id` log field value. Else, if the `logon_process.user.type_id` log field value is not empty and the `activity_id` log field value is neither `1` nor `2`, then the `principal.user.attribute.roles.name` UDM field is set in the same way from the `logon_process.user.type_id` log field value. |
| actor.user.type_id | principal.user.attribute.roles.name | If the `user.type_id` log field value is not empty and the `activity_id` log field value is neither `1` nor `2`, then the `principal.user.attribute.roles.name` UDM field is set from the `user.type_id` log field value: `0` sets `Unknown`, `1` sets `User`, `2` sets `Admin`, `3` sets `System`, and any other value sets `Other`. Else, if the `actor.user.type_id` log field value is not empty and the `activity_id` log field value is neither `1` nor `2`, then the `principal.user.attribute.roles.name` UDM field is set in the same way from the `actor.user.type_id` log field value. Else, if the `logon_process.user.type_id` log field value is not empty and the `activity_id` log field value is neither `1` nor `2`, then the `principal.user.attribute.roles.name` UDM field is set in the same way from the `logon_process.user.type_id` log field value. |
| logon_process.user.type_id | principal.user.attribute.roles.name | If the `user.type_id` log field value is not empty and the `activity_id` log field value is neither `1` nor `2`, then the `principal.user.attribute.roles.name` UDM field is set from the `user.type_id` log field value: `0` sets `Unknown`, `1` sets `User`, `2` sets `Admin`, `3` sets `System`, and any other value sets `Other`. Else, if the `actor.user.type_id` log field value is not empty and the `activity_id` log field value is neither `1` nor `2`, then the `principal.user.attribute.roles.name` UDM field is set in the same way from the `actor.user.type_id` log field value. Else, if the `logon_process.user.type_id` log field value is not empty and the `activity_id` log field value is neither `1` nor `2`, then the `principal.user.attribute.roles.name` UDM field is set in the same way from the `logon_process.user.type_id` log field value. |
| user.uid | target.user.product_object_id | If the `user.uid` log field value is not empty and the `activity_id` log field value is equal to `1` or `2`, then the `user.uid` log field is mapped to the `target.user.windows_sid` UDM field. Else, if the `actor.user.uid` log field value is not empty and the `activity_id` log field value is equal to `1` or `2`, then the `actor.user.uid` log field is mapped to the `target.user.windows_sid` UDM field. Else, if the `logon_process.user.uid` log field value is not empty and the `activity_id` log field value is equal to `1` or `2`, then the `logon_process.user.uid` log field is mapped to the `target.user.windows_sid` UDM field. |
| actor.user.uid | target.user.product_object_id | If the `user.uid` log field value is not empty and the `activity_id` log field value is equal to `1` or `2`, then the `user.uid` log field is mapped to the `target.user.windows_sid` UDM field. Else, if the `actor.user.uid` log field value is not empty and the `activity_id` log field value is equal to `1` or `2`, then the `actor.user.uid` log field is mapped to the `target.user.windows_sid` UDM field. Else, if the `logon_process.user.uid` log field value is not empty and the `activity_id` log field value is equal to `1` or `2`, then the `logon_process.user.uid` log field is mapped to the `target.user.windows_sid` UDM field. |
| logon_process.user.uid | target.user.product_object_id | If the `user.uid` log field value is not empty and the `activity_id` log field value is equal to `1` or `2`, then the `user.uid` log field is mapped to the `target.user.windows_sid` UDM field. Else, if the `actor.user.uid` log field value is not empty and the `activity_id` log field value is equal to `1` or `2`, then the `actor.user.uid` log field is mapped to the `target.user.windows_sid` UDM field. Else, if the `logon_process.user.uid` log field value is not empty and the `activity_id` log field value is equal to `1` or `2`, then the `logon_process.user.uid` log field is mapped to the `target.user.windows_sid` UDM field. |
| user.uid | principal.user.product_object_id | If the `user.uid` log field value is not empty and the `activity_id` log field value is neither `1` nor `2`, then the `user.uid` log field is mapped to the `principal.user.windows_sid` UDM field. Else, if the `actor.user.uid` log field value is not empty and the `activity_id` log field value is neither `1` nor `2`, then the `actor.user.uid` log field is mapped to the `principal.user.windows_sid` UDM field. Else, if the `logon_process.user.uid` log field value is not empty and the `activity_id` log field value is neither `1` nor `2`, then the `logon_process.user.uid` log field is mapped to the `principal.user.windows_sid` UDM field. |
| actor.user.uid | principal.user.product_object_id | If the `user.uid` log field value is not empty and the `activity_id` log field value is neither `1` nor `2`, then the `user.uid` log field is mapped to the `principal.user.windows_sid` UDM field. Else, if the `actor.user.uid` log field value is not empty and the `activity_id` log field value is neither `1` nor `2`, then the `actor.user.uid` log field is mapped to the `principal.user.windows_sid` UDM field. Else, if the `logon_process.user.uid` log field value is not empty and the `activity_id` log field value is neither `1` nor `2`, then the `logon_process.user.uid` log field is mapped to the `principal.user.windows_sid` UDM field. |
| logon_process.user.uid | principal.user.product_object_id | If the `user.uid` log field value is not empty and the `activity_id` log field value is neither `1` nor `2`, then the `user.uid` log field is mapped to the `principal.user.windows_sid` UDM field. Else, if the `actor.user.uid` log field value is not empty and the `activity_id` log field value is neither `1` nor `2`, then the `actor.user.uid` log field is mapped to the `principal.user.windows_sid` UDM field. Else, if the `logon_process.user.uid` log field value is not empty and the `activity_id` log field value is neither `1` nor `2`, then the `logon_process.user.uid` log field is mapped to the `principal.user.windows_sid` UDM field. |
| actor.user.account_uid | target.user.attribute.labels[actor_user_account_id] | If the `activity_id` log field value is equal to `1` or `2`, then the `actor.user.account_uid` log field is mapped to the `target.user.attribute.labels` UDM field. Else, the `actor.user.account_uid` log field is mapped to the `principal.user.attribute.labels` UDM field. |
| actor.user.account_uid | principal.user.attribute.labels[actor_user_account_id] | If the `activity_id` log field value is equal to `1` or `2`, then the `actor.user.account_uid` log field is mapped to the `target.user.attribute.labels` UDM field. Else, the `actor.user.account_uid` log field is mapped to the `principal.user.attribute.labels` UDM field. |
| actor.user.type | target.user.attribute.labels[actor_user_type] | If the `activity_id` log field value is equal to `1` or `2`, then the `actor.user.type` log field is mapped to the `target.user.attribute.labels` UDM field. Else, the `actor.user.type` log field is mapped to the `principal.user.attribute.labels` UDM field. |
| actor.user.type | principal.user.attribute.labels[actor_user_type] | If the `activity_id` log field value is equal to `1` or `2`, then the `actor.user.type` log field is mapped to the `target.user.attribute.labels` UDM field. Else, the `actor.user.type` log field is mapped to the `principal.user.attribute.labels` UDM field. |
| actor.user.uuid | target.user.attribute.labels[actor_user_uuid] | If the `activity_id` log field value is equal to `1` or `2`, then the `actor.user.uuid` log field is mapped to the `target.user.attribute.labels` UDM field. Else, the `actor.user.uuid` log field is mapped to the `principal.user.attribute.labels` UDM field. |
| actor.user.uuid | principal.user.attribute.labels[actor_user_uuid] | If the `activity_id` log field value is equal to `1` or `2`, then the `actor.user.uuid` log field is mapped to the `target.user.attribute.labels` UDM field. Else, the `actor.user.uuid` log field is mapped to the `principal.user.attribute.labels` UDM field. |
| actor.user.account_type | target.user.attribute.labels[actor_user_account_type] | If the `activity_id` log field value is equal to `1` or `2`, then the `actor.user.account_type` log field is mapped to the `target.user.attribute.labels` UDM field. Else, the `actor.user.account_type` log field is mapped to the `principal.user.attribute.labels` UDM field. |
| actor.user.account_type | principal.user.attribute.labels[actor_user_account_type] | If the `activity_id` log field value is equal to `1` or `2`, then the `actor.user.account_type` log field is mapped to the `target.user.attribute.labels` UDM field. Else, the `actor.user.account_type` log field is mapped to the `principal.user.attribute.labels` UDM field. |
| actor.user.account_type_id | target.user.attribute.labels[actor_user_account_type_id] | If the `activity_id` log field value is equal to `1` or `2`, then the `actor.user.account_type_id` log field is mapped to the `target.user.attribute.labels` UDM field. Else, the `actor.user.account_type_id` log field is mapped to the `principal.user.attribute.labels` UDM field. |
| actor.user.account_type_id | principal.user.attribute.labels[actor_user_account_type_id] | If the `activity_id` log field value is equal to `1` or `2`, then the `actor.user.account_type_id` log field is mapped to the `target.user.attribute.labels` UDM field. Else, the `actor.user.account_type_id` log field is mapped to the `principal.user.attribute.labels` UDM field. |
| actor.process.file.parent_folder | principal.labels[actor_process_file_parent_folder] | |
| actor.process.file.type | principal.labels[actor_process_file_type] | |
| actor.process.file.type_id | principal.labels[actor_process_file_type_id] | |
| api.operation | about.labels[api_operation] | |
| metadata.product.feature.name | about.labels[metadata_product_feature_name] | |
| metadata.profiles | about.labels[metadata_profiles] | |
| metadata.version | about.labels[metadata_version] | |
| mfa | about.labels[mfa] | |
| status | security_result.detection_fields[status] | |
| status_id | security_result.detection_fields[status_id] | |
| type_name | about.labels[type_name] | |
| type_uid | about.labels[type_uid] | |
| actor.process.file.parent_folder | additional.fields[actor_process_file_parent_folder] | |
| actor.process.file.type | additional.fields[actor_process_file_type] | |
| actor.process.file.type_id | additional.fields[actor_process_file_type_id] | |
| api.operation | additional.fields[api_operation] | |
| metadata.product.feature.name | additional.fields[metadata_product_feature_name] | |
| metadata.profiles | additional.fields[metadata_profiles] | |
| metadata.version | additional.fields[metadata_version] | |
| mfa | additional.fields[mfa] | |
| type_name | additional.fields[type_name] | |
| type_uid | additional.fields[type_uid] | |
| auth_protocol | additional.fields[auth_protocol] | |
| auth_protocol_id | additional.fields[auth_protocol_id] | |
| logon_process.name | additional.fields[logon_process_name] | |
| logon_type | additional.fields[logon_type] | |
| session.uuid | additional.fields[session_uuid] | |
| status_detail | additional.fields[status_detail] | |
| metadata.original_time | additional.fields[metadata_original_time] | |
| auth_protocol | about.labels[auth_protocol] | |
| auth_protocol_id | about.labels[auth_protocol_id] | |
| logon_process.name | principal.labels[logon_process_name] | |
| logon_type | principal.labels[logon_type] | |
| session.uuid | about.labels[session_uuid] | |
| status_detail | about.labels[status_detail] | |
| metadata.original_time | about.labels[metadata_original_time] | |
| user.uuid | target.user.attribute.labels[actor_user_uuid] | |
| user.uuid | principal.user.attribute.labels[actor_user_uuid] | |
| device.os.name | principal.asset.attribute.labels[device_os_name] | |
| device.os.type | principal.asset.attribute.labels[device_os_type] | |
| device.type | principal.asset.attribute.labels[device_type] | |
| user.account_type | target.user.attribute.labels[user_account_type] | If the `activity_id` log field value is equal to `1` or `2`, then the `user.account_type` log field is mapped to the `target.user.attribute.labels` UDM field. Else, the `user.account_type` log field is mapped to the `principal.user.attribute.labels` UDM field. |
| user.account_type | principal.user.attribute.labels[user_account_type] | If the `activity_id` log field value is equal to `1` or `2`, then the `user.account_type` log field is mapped to the `target.user.attribute.labels` UDM field. Else, the `user.account_type` log field is mapped to the `principal.user.attribute.labels` UDM field. |
| user.account_type_id | target.user.attribute.labels[user_account_type_id] | If the `activity_id` log field value is equal to `1` or `2`, then the `user.account_type_id` log field is mapped to the `target.user.attribute.labels` UDM field. Else, the `user.account_type_id` log field is mapped to the `principal.user.attribute.labels` UDM field. |
| user.account_type_id | principal.user.attribute.labels[user_account_type_id] | If the `activity_id` log field value is equal to `1` or `2`, then the `user.account_type_id` log field is mapped to the `target.user.attribute.labels` UDM field. Else, the `user.account_type_id` log field is mapped to the `principal.user.attribute.labels` UDM field. |
| actor.session.uid_alt | additional.fields[actor_session_uid_alt] | |
| actor.session.count | additional.fields[actor_session_count] | |
| actor.session.expiration_reason | additional.fields[actor_session_expiration_reason] | |
| actor.session.is_mfa | additional.fields[actor_session_is_mfa] | |
| actor.session.terminal | additional.fields[actor_session_terminal] | |
| actor.session.is_vpn | additional.fields[actor_session_is_vpn] | |
| certificate.uid | additional.fields[certificate_uid] | |
| dst_endpoint.hw_info.bios_manufacturer | target.asset.hardware.manufacturer | |
| dst_endpoint.hw_info.bios_ver | target.asset.hardware.model | |
| dst_endpoint.hw_info.cpu_cores | target.asset.hardware.cpu_number_cores | |
| dst_endpoint.hw_info.cpu_bits | target.asset.attribute.labels[dst_endpoint_hw_info_cpu_bits] | |
| dst_endpoint.hw_info.bios_date | target.asset.attribute.labels[dst_endpoint_hw_info_bios_date] | |
| dst_endpoint.hw_info.cpu_count | target.asset.attribute.labels[dst_endpoint_hw_info_cpu_count] | |
| dst_endpoint.hw_info.chassis | target.asset.attribute.labels[dst_endpoint_hw_info_chassis] | |
| dst_endpoint.hw_info.desktop_display.color_depth | target.asset.attribute.labels[dst_endpoint_hw_info_desktop_display_color_depth] | |
| dst_endpoint.hw_info.desktop_display.physical_height | target.asset.attribute.labels[dst_endpoint_hw_info_desktop_display_physical_height] | |
| dst_endpoint.hw_info.desktop_display.physical_orientation | target.asset.attribute.labels[dst_endpoint_hw_info_desktop_display_physical_orientation] | |
| dst_endpoint.hw_info.desktop_display.physical_width | target.asset.attribute.labels[dst_endpoint_hw_info_desktop_display_physical_width] | |
| dst_endpoint.hw_info.desktop_display.scale_factor | target.asset.attribute.labels[dst_endpoint_hw_info_desktop_display_scale_factor] | |
| dst_endpoint.hw_info.keyboard_info.function_keys | target.asset.attribute.labels[dst_endpoint_hw_info_keyboard_info_function_keys] | |
| dst_endpoint.hw_info.keyboard_info.ime | target.asset.attribute.labels[dst_endpoint_hw_info_keyboard_info_ime] | |
| dst_endpoint.hw_info.keyboard_info.keyboard_layout | target.asset.attribute.labels[dst_endpoint_hw_info_keyboard_info_keyboard_layout] | |
| dst_endpoint.hw_info.keyboard_info.keyboard_subtype | target.asset.attribute.labels[dst_endpoint_hw_info_keyboard_info_keyboard_subtype] | |
| dst_endpoint.hw_info.keyboard_info.keyboard_type | target.asset.attribute.labels[dst_endpoint_hw_info_keyboard_info_keyboard_type] | |
| dst_endpoint.hw_info.cpu_speed | target.asset.hardware.cpu_max_clock_speed | |
| dst_endpoint.hw_info.cpu_type | target.asset.hardware.cpu_platform | |
| dst_endpoint.hw_info.ram_size | target.asset.hardware.ram | |
| dst_endpoint.hw_info.serial_number | target.asset.hardware.serial_number | |
| dst_endpoint.zone | target.asset.attribute.labels[dst_endpoint_zone] | |
| dst_endpoint.type | additional.fields[dst_endpoint_type] | |
| dst_endpoint.type_id | additional.fields[dst_endpoint_type_id] | |
| dst_endpoint.os.cpe_name | target.asset.attribute.labels[dst_endpoint_os_cpe_name] | |
| dst_endpoint.proxy_endpoint.svc_name | intermediary.application | |
| dst_endpoint.proxy_endpoint.intermediate_ips.array | intermediary.ip | |
| dst_endpoint.proxy_endpoint.domain | intermediary.domain.name | |
| dst_endpoint.proxy_endpoint.hostname | intermediary.hostname | |
| dst_endpoint.proxy_endpoint.ip | intermediary.ip | |
| dst_endpoint.proxy_endpoint.location.city | intermediary.location.city | |
| dst_endpoint.proxy_endpoint.location.country | intermediary.location.country_or_region | |
| dst_endpoint.proxy_endpoint.location.region | intermediary.location.name | |
| dst_endpoint.proxy_endpoint.location.coordinates | intermediary.location.region_coordinates | |
| dst_endpoint.proxy_endpoint.mac | intermediary.mac | |
| dst_endpoint.proxy_endpoint.port | intermediary.port | |
| dst_endpoint.proxy_endpoint.uid | intermediary.asset_id | |
| dst_endpoint.proxy_endpoint.hw_info.bios_manufacturer | intermediary.asset.hardware.manufacturer | |
| dst_endpoint.proxy_endpoint.hw_info.bios_ver | intermediary.asset.hardware.model | |
| dst_endpoint.proxy_endpoint.hw_info.cpu_cores | intermediary.asset.hardware.cpu_number_cores | |
| dst_endpoint.proxy_endpoint.hw_info.cpu_speed | intermediary.asset.hardware.cpu_max_clock_speed | |
| dst_endpoint.proxy_endpoint.hw_info.cpu_type | intermediary.asset.hardware.cpu_platform | |
| dst_endpoint.proxy_endpoint.hw_info.ram_size | intermediary.asset.hardware.ram | |
| dst_endpoint.proxy_endpoint.hw_info.serial_number | intermediary.asset.hardware.serial_number | |
| dst_endpoint.proxy_endpoint.hw_info.cpu_bits | intermediary.asset.attribute.labels[dst_endpoint_proxy_endpoint_hw_info_cpu_bits] | |
| dst_endpoint.proxy_endpoint.hw_info.bios_date | intermediary.asset.attribute.labels[dst_endpoint_proxy_endpoint_hw_info_bios_date] | |
| dst_endpoint.proxy_endpoint.hw_info.cpu_count | intermediary.asset.attribute.labels[dst_endpoint_proxy_endpoint_hw_info_cpu_count] | |
| dst_endpoint.proxy_endpoint.hw_info.chassis | intermediary.asset.attribute.labels[dst_endpoint_proxy_endpoint_hw_info_chassis] | |
| dst_endpoint.proxy_endpoint.hw_info.desktop_display.color_depth | intermediary.asset.attribute.labels[dst_endpoint_proxy_endpoint_hw_info_desktop_display_color_depth] | |
| dst_endpoint.proxy_endpoint.hw_info.desktop_display.physical_height | intermediary.asset.attribute.labels[dst_endpoint_proxy_endpoint_hw_info_desktop_display_physical_height] | |
| dst_endpoint.proxy_endpoint.hw_info.desktop_display.physical_orientation | intermediary.asset.attribute.labels[dst_endpoint_proxy_endpoint_hw_info_desktop_display_physical_orientation] | |
| dst_endpoint.proxy_endpoint.hw_info.desktop_display.physical_width | intermediary.asset.attribute.labels[dst_endpoint_proxy_endpoint_hw_info_desktop_display_physical_width] | |
| dst_endpoint.proxy_endpoint.hw_info.desktop_display.scale_factor | intermediary.asset.attribute.labels[dst_endpoint_proxy_endpoint_hw_info_desktop_display_scale_factor] | |
| dst_endpoint.proxy_endpoint.hw_info.keyboard_info.function_keys | intermediary.asset.attribute.labels[dst_endpoint_proxy_endpoint_hw_info_keyboard_info_function_keys] | |
| dst_endpoint.proxy_endpoint.hw_info.keyboard_info.ime | intermediary.asset.attribute.labels[dst_endpoint_proxy_endpoint_hw_info_keyboard_info_ime] | |
| dst_endpoint.proxy_endpoint.hw_info.keyboard_info.keyboard_layout | intermediary.asset.attribute.labels[dst_endpoint_proxy_endpoint_hw_info_keyboard_info_keyboard_layout] | |
| dst_endpoint.proxy_endpoint.hw_info.keyboard_info.keyboard_subtype | intermediary.asset.attribute.labels[dst_endpoint_proxy_endpoint_hw_info_keyboard_info_keyboard_subtype] | |
| dst_endpoint.proxy_endpoint.hw_info.keyboard_info.keyboard_type | intermediary.asset.attribute.labels[dst_endpoint_proxy_endpoint_hw_info_keyboard_info_keyboard_type] | |
| dst_endpoint.proxy_endpoint.zone | intermediary.asset.attribute.labels[dst_endpoint_proxy_endpoint_zone] | |
| dst_endpoint.proxy_endpoint.os.cpe_name | intermediary.asset.attribute.labels[dst_endpoint_proxy_endpoint_os_cpe_name] | |
| dst_endpoint.proxy_endpoint.type | additional.fields[dst_endpoint_proxy_endpoint_type] | |
| dst_endpoint.proxy_endpoint.type_id | additional.fields[dst_endpoint_proxy_endpoint_type_id] | |
| http_request.length | additional.fields[http_request_length] | |
| metadata.log_level | additional.fields[metadata_log_level] | |
| metadata.tenant_uid | additional.fields[metadata_tenant_uid] | |
| metadata.product.cpe_name | about.asset.attribute.labels[metadata_product_cpe_name] | |
| metadata.loggers.device.hostname | about.asset.hostname | Iterate through the `metadata.loggers` log field; the `metadata.loggers.device.hostname` log field is mapped to the `about.asset.hostname` UDM field. |
| metadata.loggers.device.ip | about.asset.ip | Iterate through the `metadata.loggers` log field; the `metadata.loggers.device.ip` log field is mapped to the `about.asset.ip` UDM field. |
| metadata.loggers.device.uid | about.asset.asset_id | Iterate through the `metadata.loggers` log field; the `metadata.loggers.device.uid` log field is mapped to the `about.asset.asset_id` UDM field. |
| metadata.loggers.device.instance_uid | about.asset.attribute.labels[metadata_loggers_device_instance_uid] | Iterate through the `metadata.loggers` log field; the `metadata.loggers.device.instance_uid` log field is mapped to the `about.asset.attribute.labels[metadata_device_instance_uid]` UDM field. |
| metadata.loggers.device.name | about.asset.attribute.labels[metadata_loggers_device_name] | Iterate through the `metadata.loggers` log field; the `metadata.loggers.device.name` log field is mapped to the `about.asset.attribute.labels[metadata_device_name]` UDM field. |
| metadata.loggers.device.interface_uid | about.asset.attribute.labels[metadata_loggers_device_interface_uid] | Iterate through the `metadata.loggers` log field; the `metadata.loggers.device.interface_uid` log field is mapped to the `about.asset.attribute.labels[metadata_device_interface_uid]` UDM field. |
| metadata.loggers.device.interface_name | about.asset.attribute.labels[metadata_loggers_device_interface_name] | Iterate through the `metadata.loggers` log field; the `metadata.loggers.device.interface_name` log field is mapped to the `about.asset.attribute.labels[metadata_device_interface_name]` UDM field. |
| metadata.loggers.device.region | about.asset.attribute.labels[metadata_loggers_device_region] | Iterate through the `metadata.loggers` log field; the `metadata.loggers.device.region` log field is mapped to the `about.asset.attribute.labels[metadata_device_region]` UDM field. |
| metadata.loggers.device.type_id | about.asset.attribute.labels[metadata_loggers_device_type_id] | Iterate through the `metadata.loggers` log field; the `metadata.loggers.device.type_id` log field is mapped to the `about.asset.attribute.labels[metadata_device_type_id]` UDM field. |
| metadata.loggers.product.name | additional.fields[metadata_loggers_product_name] | Iterate through the `metadata.loggers` log field; the `metadata.loggers.product.name` log field is mapped to the `additional.fields[metadata_loggers_product_name]` UDM field. |
| metadata.loggers.product.vendor_name | additional.fields[metadata_loggers_product_vendor_name] | Iterate through the `metadata.loggers` log field; the `metadata.loggers.product.vendor_name` log field is mapped to the `additional.fields[metadata_loggers_product_vendor_name]` UDM field. |
| metadata.loggers.product.version | additional.fields[metadata_loggers_product_version] | Iterate through the `metadata.loggers` log field; the `metadata.loggers.product.version` log field is mapped to the `additional.fields[metadata_loggers_product_version]` UDM field. |
| metadata.loggers.product.uid | additional.fields[metadata_loggers_product_uid] | Iterate through the `metadata.loggers` log field; the `metadata.loggers.product.uid` log field is mapped to the `additional.fields[metadata_loggers_product_uid]` UDM field. |
| metadata.loggers.uid | additional.fields[metadata_loggers_uid] | Iterate through the `metadata.loggers` log field; the `metadata.loggers.uid` log field is mapped to the `additional.fields[metadata_loggers_uid]` UDM field. |
| metadata.loggers.name | additional.fields[metadata_loggers_name] | Iterate through the `metadata.loggers` log field; the `metadata.loggers.name` log field is mapped to the `additional.fields[metadata_loggers_name]` UDM field. |
| metadata.loggers.log_provider | additional.fields[metadata_loggers_log_provider] | Iterate through the `metadata.loggers` log field; the `metadata.loggers.log_provider` log field is mapped to the `additional.fields[metadata_loggers_log_provider]` UDM field. |
| metadata.loggers.log_name | additional.fields[metadata_loggers_log_name] | Iterate through the `metadata.loggers` log field; the `metadata.loggers.log_name` log field is mapped to the `additional.fields[metadata_loggers_log_name]` UDM field. |
| session.uid_alt | additional.fields[session_uid_alt] | |
| session.count | additional.fields[session_count] | |
| session.expiration_reason | additional.fields[session_expiration_reason] | |
| session.is_mfa | additional.fields[session_is_mfa] | |
| session.terminal | additional.fields[session_terminal] | |
| session.is_vpn | additional.fields[session_is_vpn] | |
| src_endpoint.hw_info.bios_manufacturer | principal.asset.hardware.manufacturer | |
| src_endpoint.hw_info.bios_ver | principal.asset.hardware.model | |
| src_endpoint.hw_info.cpu_speed | principal.asset.hardware.cpu_max_clock_speed | |
| src_endpoint.hw_info.cpu_cores | principal.asset.hardware.cpu_number_cores | |
| src_endpoint.hw_info.cpu_type | principal.asset.hardware.cpu_platform | |
| src_endpoint.hw_info.ram_size | principal.asset.hardware.ram | |
| src_endpoint.hw_info.serial_number | principal.asset.hardware.serial_number | |
| src_endpoint.hw_info.cpu_bits | principal.asset.attribute.labels[src_endpoint_hw_info_cpu_bits] | |
| src_endpoint.hw_info.bios_date | principal.asset.attribute.labels[src_endpoint_hw_info_bios_date] | |
| src_endpoint.hw_info.cpu_count | principal.asset.attribute.labels[src_endpoint_hw_info_cpu_count] | |
| src_endpoint.hw_info.chassis | principal.asset.attribute.labels[src_endpoint_hw_info_chassis] | |
| src_endpoint.hw_info.desktop_display.color_depth | principal.asset.attribute.labels[src_endpoint_hw_info_desktop_display_color_depth] | |
| src_endpoint.hw_info.desktop_display.physical_height | principal.asset.attribute.labels[src_endpoint_hw_info_desktop_display_physical_height] | |
| src_endpoint.hw_info.desktop_display.physical_orientation | principal.asset.attribute.labels[src_endpoint_hw_info_desktop_display_physical_orientation] | |
| src_endpoint.hw_info.desktop_display.physical_width | principal.asset.attribute.labels[src_endpoint_hw_info_desktop_display_physical_width] | |
| src_endpoint.hw_info.desktop_display.scale_factor | principal.asset.attribute.labels[src_endpoint_hw_info_desktop_display_scale_factor] | |
| src_endpoint.hw_info.keyboard_info.function_keys | principal.asset.attribute.labels[src_endpoint_hw_info_keyboard_info_function_keys] | |
| src_endpoint.hw_info.keyboard_info.ime | principal.asset.attribute.labels[src_endpoint_hw_info_keyboard_info_ime] | |
| src_endpoint.hw_info.keyboard_info.keyboard_layout | principal.asset.attribute.labels[src_endpoint_hw_info_keyboard_info_keyboard_layout] | |
| src_endpoint.hw_info.keyboard_info.keyboard_subtype | principal.asset.attribute.labels[src_endpoint_hw_info_keyboard_info_keyboard_subtype] | |
| src_endpoint.hw_info.keyboard_info.keyboard_type | principal.asset.attribute.labels[src_endpoint_hw_info_keyboard_info_keyboard_type] | |
| src_endpoint.zone | principal.asset.attribute.labels[src_endpoint_zone] | |
| src_endpoint.type | additional.fields[src_endpoint_type] | |
| src_endpoint.type_id | additional.fields[src_endpoint_type_id] | |
| src_endpoint.os.cpe_name | principal.asset.attribute.labels[src_endpoint_os_cpe_name] | |
| src_endpoint.proxy_endpoint.svc_name | intermediary.application | |
| src_endpoint.proxy_endpoint.intermediate_ips.array | intermediary.ip | |
| src_endpoint.proxy_endpoint.domain | intermediary.domain.name | |
| src_endpoint.proxy_endpoint.hostname | intermediary.hostname | |
| src_endpoint.proxy_endpoint.ip | intermediary.ip | |
| src_endpoint.proxy_endpoint.location.city | intermediary.location.city | |
| src_endpoint.proxy_endpoint.location.country | intermediary.location.country_or_region | |
| src_endpoint.proxy_endpoint.location.region | intermediary.location.name | |
| src_endpoint.proxy_endpoint.location.coordinates | intermediary.location.region_coordinates | |
| src_endpoint.proxy_endpoint.mac | intermediary.mac | |
| src_endpoint.proxy_endpoint.port | intermediary.port | |
| src_endpoint.proxy_endpoint.uid | intermediary.asset_id | |
| src_endpoint.proxy_endpoint.hw_info.bios_date | intermediary.asset.attribute.labels[src_endpoint_proxy_endpoint_hw_info_bios_date] | |
| src_endpoint.proxy_endpoint.hw_info.bios_manufacturer | intermediary.asset.hardware.manufacturer | |
| src_endpoint.proxy_endpoint.hw_info.bios_ver | intermediary.asset.hardware.model | |
| src_endpoint.proxy_endpoint.hw_info.cpu_bits | intermediary.asset.attribute.labels[src_endpoint_proxy_endpoint_hw_info_cpu_bits] | |
| src_endpoint.proxy_endpoint.hw_info.cpu_cores | intermediary.asset.hardware.cpu_number_cores | |
| src_endpoint.proxy_endpoint.hw_info.cpu_count | intermediary.asset.attribute.labels[src_endpoint_proxy_endpoint_hw_info_cpu_count] | |
| src_endpoint.proxy_endpoint.hw_info.chassis | intermediary.asset.attribute.labels[src_endpoint_proxy_endpoint_hw_info_chassis] | |
| src_endpoint.proxy_endpoint.hw_info.desktop_display.color_depth | intermediary.asset.attribute.labels[src_endpoint_proxy_endpoint_hw_info_desktop_display_color_depth] | |
| src_endpoint.proxy_endpoint.hw_info.desktop_display.physical_height | intermediary.asset.attribute.labels[src_endpoint_proxy_endpoint_hw_info_desktop_display_physical_height] | |
| src_endpoint.proxy_endpoint.hw_info.desktop_display.physical_orientation | intermediary.asset.attribute.labels[src_endpoint_proxy_endpoint_hw_info_desktop_display_physical_orientation] | |
| src_endpoint.proxy_endpoint.hw_info.desktop_display.physical_width | intermediary.asset.attribute.labels[src_endpoint_proxy_endpoint_hw_info_desktop_display_physical_width] | |
| src_endpoint.proxy_endpoint.hw_info.desktop_display.scale_factor | intermediary.asset.attribute.labels[src_endpoint_proxy_endpoint_hw_info_desktop_display_scale_factor] | |
| src_endpoint.proxy_endpoint.hw_info.keyboard_info.function_keys | intermediary.asset.attribute.labels[src_endpoint_proxy_endpoint_hw_info_keyboard_info_function_keys] | |
| src_endpoint.proxy_endpoint.hw_info.keyboard_info.ime | intermediary.asset.attribute.labels[src_endpoint_proxy_endpoint_hw_info_keyboard_info_ime] | |
| src_endpoint.proxy_endpoint.hw_info.keyboard_info.keyboard_layout | intermediary.asset.attribute.labels[src_endpoint_proxy_endpoint_hw_info_keyboard_info_keyboard_layout] | |
| src_endpoint.proxy_endpoint.hw_info.keyboard_info.keyboard_subtype | intermediary.asset.attribute.labels[src_endpoint_proxy_endpoint_hw_info_keyboard_info_keyboard_subtype] | |
| src_endpoint.proxy_endpoint.hw_info.keyboard_info.keyboard_type | intermediary.asset.attribute.labels[src_endpoint_proxy_endpoint_hw_info_keyboard_info_keyboard_type] | |
| src_endpoint.proxy_endpoint.hw_info.cpu_speed | intermediary.asset.hardware.cpu_max_clock_speed | |
| src_endpoint.proxy_endpoint.hw_info.cpu_type | intermediary.asset.hardware.cpu_platform | |
| src_endpoint.proxy_endpoint.hw_info.ram_size | intermediary.asset.hardware.ram | |
| src_endpoint.proxy_endpoint.hw_info.serial_number | intermediary.asset.hardware.serial_number | |
| src_endpoint.proxy_endpoint.zone | intermediary.asset.attribute.labels[src_endpoint_proxy_endpoint_zone] | |
| src_endpoint.proxy_endpoint.type | additional.fields[src_endpoint_proxy_endpoint_type] | |
| src_endpoint.proxy_endpoint.type_id | additional.fields[src_endpoint_proxy_endpoint_type_id] | |
| src_endpoint.proxy_endpoint.os.cpe_name | intermediary.asset.attribute.labels[src_endpoint_proxy_endpoint_os_cpe_name] | |
| user.ldap_person.email_addrs | principal.user.email_addresses | If the `user.ldap_person.email_addrs` log field value is not empty and if the `activity_id` log field value is equal to `1` or the `activity_id` log field value is equal to `2`, then the `user.ldap_person.email_addrs` log field is mapped to the `target.user.email_addresses` UDM field. Else, the `user.ldap_person.email_addrs` log field is mapped to the `principal.user.email_addresses` UDM field. Else, if the `actor.user.ldap_person.email_addrs` log field value is not empty and if the `activity_id` log field value is equal to `1` or the `activity_id` log field value is equal to `2`, then the `actor.user.ldap_person.email_addrs` log field is mapped to the `target.user.email_addresses` UDM field. Else, the `actor.user.ldap_person.email_addrs` log field is mapped to the `principal.user.email_addresses` UDM field. Else, if the `logon_process.user.ldap_person.email_addrs` log field value is not empty and if the `activity_id` log field value is equal to `1` or the `activity_id` log field value is equal to `2`, then the `logon_process.user.ldap_person.email_addrs` log field is mapped to the `target.user.email_addresses` UDM field. Else, the `logon_process.user.ldap_person.email_addrs` log field is mapped to the `principal.user.email_addresses` UDM field. |
| actor.user.ldap_person.email_addrs | principal.user.email_addresses | If the `user.ldap_person.email_addrs` log field value is not empty and if the `activity_id` log field value is equal to `1` or the `activity_id` log field value is equal to `2`, then the `user.ldap_person.email_addrs` log field is mapped to the `target.user.email_addresses` UDM field. Else, the `user.ldap_person.email_addrs` log field is mapped to the `principal.user.email_addresses` UDM field. Else, if the `actor.user.ldap_person.email_addrs` log field value is not empty and if the `activity_id` log field value is equal to `1` or the `activity_id` log field value is equal to `2`, then the `actor.user.ldap_person.email_addrs` log field is mapped to the `target.user.email_addresses` UDM field. Else, the `actor.user.ldap_person.email_addrs` log field is mapped to the `principal.user.email_addresses` UDM field. Else, if the `logon_process.user.ldap_person.email_addrs` log field value is not empty and if the `activity_id` log field value is equal to `1` or the `activity_id` log field value is equal to `2`, then the `logon_process.user.ldap_person.email_addrs` log field is mapped to the `target.user.email_addresses` UDM field. Else, the `logon_process.user.ldap_person.email_addrs` log field is mapped to the `principal.user.email_addresses` UDM field. |
| logon_process.user.ldap_person.email_addrs | principal.user.email_addresses | If the `user.ldap_person.email_addrs` log field value is not empty and if the `activity_id` log field value is equal to `1` or the `activity_id` log field value is equal to `2`, then the `user.ldap_person.email_addrs` log field is mapped to the `target.user.email_addresses` UDM field. Else, the `user.ldap_person.email_addrs` log field is mapped to the `principal.user.email_addresses` UDM field. Else, if the `actor.user.ldap_person.email_addrs` log field value is not empty and if the `activity_id` log field value is equal to `1` or the `activity_id` log field value is equal to `2`, then the `actor.user.ldap_person.email_addrs` log field is mapped to the `target.user.email_addresses` UDM field. Else, the `actor.user.ldap_person.email_addrs` log field is mapped to the `principal.user.email_addresses` UDM field. Else, if the `logon_process.user.ldap_person.email_addrs` log field value is not empty and if the `activity_id` log field value is equal to `1` or the `activity_id` log field value is equal to `2`, then the `logon_process.user.ldap_person.email_addrs` log field is mapped to the `target.user.email_addresses` UDM field. Else, the `logon_process.user.ldap_person.email_addrs` log field is mapped to the `principal.user.email_addresses` UDM field. |
| user.ldap_person.employee_uid | principal.user.employee_id | If the `user.ldap_person.employee_uid` log field value is not empty and if the `activity_id` log field value is equal to `1` or the `activity_id` log field value is equal to `2`, then, Else, Else, if the `actor.user.ldap_person.employee_uid` log field value is not empty and if the `activity_id` log field value is equal to `1` or the `activity_id` log field value is equal to `2`, then, Else, Else, if the `logon_process.user.ldap_person.employee_uid` log field value is not empty and if the `activity_id` log field value is equal to `1` or the `activity_id` log field value is equal to `2`, then, Else,. |
| actor.user.ldap_person.employee_uid | principal.user.employee_id | If the `user.ldap_person.employee_uid` log field value is not empty and if the `activity_id` log field value is equal to `1` or the `activity_id` log field value is equal to `2`, then, Else, Else, if the `actor.user.ldap_person.employee_uid` log field value is not empty and if the `activity_id` log field value is equal to `1` or the `activity_id` log field value is equal to `2`, then, Else, Else, if the `logon_process.user.ldap_person.employee_uid` log field value is not empty and if the `activity_id` log field value is equal to `1` or the `activity_id` log field value is equal to `2`, then, Else,. |
| logon_process.user.ldap_person.employee_uid | principal.user.employee_id | If the `user.ldap_person.employee_uid` log field value is not empty and if the `activity_id` log field value is equal to `1` or the `activity_id` log field value is equal to `2`, then, Else, Else, if the `actor.user.ldap_person.employee_uid` log field value is not empty and if the `activity_id` log field value is equal to `1` or the `activity_id` log field value is equal to `2`, then, Else, Else, if the `logon_process.user.ldap_person.employee_uid` log field value is not empty and if the `activity_id` log field value is equal to `1` or the `activity_id` log field value is equal to `2`, then, Else,. |
| user.ldap_person.given_name | principal.user.first_name | If the `user.ldap_person.given_name` log field value is not empty and if the `activity_id` log field value is equal to `1` or the `activity_id` log field value is equal to `2`, then the `user.ldap_person.given_name` log field is mapped to the `target.user.first_name` UDM field. Else, the `user.ldap_person.given_name` log field is mapped to the `principal.user.first_name` UDM field. Else, if the `actor.user.ldap_person.given_name` log field value is not empty and if the `activity_id` log field value is equal to `1` or the `activity_id` log field value is equal to `2`, then the `actor.user.ldap_person.given_name` log field is mapped to the `target.user.first_name` UDM field. Else, the `actor.user.ldap_person.given_name` log field is mapped to the `principal.user.first_name` UDM field. Else, if the `logon_process.user.ldap_person.given_name` log field value is not empty and if the `activity_id` log field value is equal to `1` or the `activity_id` log field value is equal to `2`, then the `logon_process.user.ldap_person.given_name` log field is mapped to the `target.user.first_name` UDM field. Else, the `logon_process.user.ldap_person.given_name` log field is mapped to the `principal.user.first_name` UDM field. |
| actor.user.ldap_person.given_name | principal.user.first_name | If the `user.ldap_person.given_name` log field value is not empty and if the `activity_id` log field value is equal to `1` or the `activity_id` log field value is equal to `2`, then the `user.ldap_person.given_name` log field is mapped to the `target.user.first_name` UDM field. Else, the `user.ldap_person.given_name` log field is mapped to the `principal.user.first_name` UDM field. Else, if the `actor.user.ldap_person.given_name` log field value is not empty and if the `activity_id` log field value is equal to `1` or the `activity_id` log field value is equal to `2`, then the `actor.user.ldap_person.given_name` log field is mapped to the `target.user.first_name` UDM field. Else, the `actor.user.ldap_person.given_name` log field is mapped to the `principal.user.first_name` UDM field. Else, if the `logon_process.user.ldap_person.given_name` log field value is not empty and if the `activity_id` log field value is equal to `1` or the `activity_id` log field value is equal to `2`, then the `logon_process.user.ldap_person.given_name` log field is mapped to the `target.user.first_name` UDM field. Else, the `logon_process.user.ldap_person.given_name` log field is mapped to the `principal.user.first_name` UDM field. |
| logon_process.user.ldap_person.given_name | principal.user.first_name | If the `user.ldap_person.given_name` log field value is not empty and if the `activity_id` log field value is equal to `1` or the `activity_id` log field value is equal to `2`, then the `user.ldap_person.given_name` log field is mapped to the `target.user.first_name` UDM field. Else, the `user.ldap_person.given_name` log field is mapped to the `principal.user.first_name` UDM field. Else, if the `actor.user.ldap_person.given_name` log field value is not empty and if the `activity_id` log field value is equal to `1` or the `activity_id` log field value is equal to `2`, then the `actor.user.ldap_person.given_name` log field is mapped to the `target.user.first_name` UDM field. Else, the `actor.user.ldap_person.given_name` log field is mapped to the `principal.user.first_name` UDM field. Else, if the `logon_process.user.ldap_person.given_name` log field value is not empty and if the `activity_id` log field value is equal to `1` or the `activity_id` log field value is equal to `2`, then the `logon_process.user.ldap_person.given_name` log field is mapped to the `target.user.first_name` UDM field. Else, the `logon_process.user.ldap_person.given_name` log field is mapped to the `principal.user.first_name` UDM field. |
| user.ldap_person.hire_time | principal.user.hire_date | If the `user.ldap_person.hire_time` log field value is not empty and if the `activity_id` log field value is equal to `1` or the `activity_id` log field value is equal to `2`, then the `user.ldap_person.hire_time` log field is mapped to the `target.user.hire_date` UDM field. Else, the `user.ldap_person.hire_time` log field is mapped to the `principal.user.hire_date` UDM field. Else, if the `actor.user.ldap_person.hire_time` log field value is not empty and if the `activity_id` log field value is equal to `1` or the `activity_id` log field value is equal to `2`, then the `actor.user.ldap_person.hire_time` log field is mapped to the `target.user.hire_date` UDM field. Else, the `actor.user.ldap_person.hire_time` log field is mapped to the `principal.user.hire_date` UDM field. Else, if the `logon_process.user.ldap_person.hire_time` log field value is not empty and if the `activity_id` log field value is equal to `1` or the `activity_id` log field value is equal to `2`, then the `logon_process.user.ldap_person.hire_time` log field is mapped to the `target.user.hire_date` UDM field. Else, the `logon_process.user.ldap_person.hire_time` log field is mapped to the `principal.user.hire_date` UDM field. |
| actor.user.ldap_person.hire_time | principal.user.hire_date | If the `user.ldap_person.hire_time` log field value is not empty and if the `activity_id` log field value is equal to `1` or the `activity_id` log field value is equal to `2`, then the `user.ldap_person.hire_time` log field is mapped to the `target.user.hire_date` UDM field. Else, the `user.ldap_person.hire_time` log field is mapped to the `principal.user.hire_date` UDM field. Else, if the `actor.user.ldap_person.hire_time` log field value is not empty and if the `activity_id` log field value is equal to `1` or the `activity_id` log field value is equal to `2`, then the `actor.user.ldap_person.hire_time` log field is mapped to the `target.user.hire_date` UDM field. Else, the `actor.user.ldap_person.hire_time` log field is mapped to the `principal.user.hire_date` UDM field. Else, if the `logon_process.user.ldap_person.hire_time` log field value is not empty and if the `activity_id` log field value is equal to `1` or the `activity_id` log field value is equal to `2`, then the `logon_process.user.ldap_person.hire_time` log field is mapped to the `target.user.hire_date` UDM field. Else, the `logon_process.user.ldap_person.hire_time` log field is mapped to the `principal.user.hire_date` UDM field. |
| logon_process.user.ldap_person.hire_time | principal.user.hire_date | If the `user.ldap_person.hire_time` log field value is not empty and if the `activity_id` log field value is equal to `1` or the `activity_id` log field value is equal to `2`, then the `user.ldap_person.hire_time` log field is mapped to the `target.user.hire_date` UDM field. Else, the `user.ldap_person.hire_time` log field is mapped to the `principal.user.hire_date` UDM field. Else, if the `actor.user.ldap_person.hire_time` log field value is not empty and if the `activity_id` log field value is equal to `1` or the `activity_id` log field value is equal to `2`, then the `actor.user.ldap_person.hire_time` log field is mapped to the `target.user.hire_date` UDM field. Else, the `actor.user.ldap_person.hire_time` log field is mapped to the `principal.user.hire_date` UDM field. Else, if the `logon_process.user.ldap_person.hire_time` log field value is not empty and if the `activity_id` log field value is equal to `1` or the `activity_id` log field value is equal to `2`, then the `logon_process.user.ldap_person.hire_time` log field is mapped to the `target.user.hire_date` UDM field. Else, the `logon_process.user.ldap_person.hire_time` log field is mapped to the `principal.user.hire_date` UDM field. |
| user.ldap_person.job_title | principal.user.title | If the `user.ldap_person.job_title` log field value is not empty and if the `activity_id` log field value is equal to `1` or the `activity_id` log field value is equal to `2`, then the `user.ldap_person.job_title` log field is mapped to the `target.user.title` UDM field. Else, the `user.ldap_person.job_title` log field is mapped to the `principal.user.title` UDM field. Else, if the `actor.user.ldap_person.job_title` log field value is not empty and if the `activity_id` log field value is equal to `1` or the `activity_id` log field value is equal to `2`, then the `actor.user.ldap_person.job_title` log field is mapped to the `target.user.title` UDM field. Else, the `actor.user.ldap_person.job_title` log field is mapped to the `principal.user.title` UDM field. Else, if the `logon_process.user.ldap_person.job_title` log field value is not empty and if the `activity_id` log field value is equal to `1` or the `activity_id` log field value is equal to `2`, then the `logon_process.user.ldap_person.job_title` log field is mapped to the `target.user.title` UDM field. Else, the `logon_process.user.ldap_person.job_title` log field is mapped to the `principal.user.title` UDM field. |
| actor.user.ldap_person.job_title | principal.user.title | If the `user.ldap_person.job_title` log field value is not empty and if the `activity_id` log field value is equal to `1` or the `activity_id` log field value is equal to `2`, then the `user.ldap_person.job_title` log field is mapped to the `target.user.title` UDM field. Else, the `user.ldap_person.job_title` log field is mapped to the `principal.user.title` UDM field. Else, if the `actor.user.ldap_person.job_title` log field value is not empty and if the `activity_id` log field value is equal to `1` or the `activity_id` log field value is equal to `2`, then the `actor.user.ldap_person.job_title` log field is mapped to the `target.user.title` UDM field. Else, the `actor.user.ldap_person.job_title` log field is mapped to the `principal.user.title` UDM field. Else, if the `logon_process.user.ldap_person.job_title` log field value is not empty and if the `activity_id` log field value is equal to `1` or the `activity_id` log field value is equal to `2`, then the `logon_process.user.ldap_person.job_title` log field is mapped to the `target.user.title` UDM field. Else, the `logon_process.user.ldap_person.job_title` log field is mapped to the `principal.user.title` UDM field. |
| logon_process.user.ldap_person.job_title | principal.user.title | If the `user.ldap_person.job_title` log field value is not empty and if the `activity_id` log field value is equal to `1` or the `activity_id` log field value is equal to `2`, then the `user.ldap_person.job_title` log field is mapped to the `target.user.title` UDM field. Else, the `user.ldap_person.job_title` log field is mapped to the `principal.user.title` UDM field. Else, if the `actor.user.ldap_person.job_title` log field value is not empty and if the `activity_id` log field value is equal to `1` or the `activity_id` log field value is equal to `2`, then the `actor.user.ldap_person.job_title` log field is mapped to the `target.user.title` UDM field. Else, the `actor.user.ldap_person.job_title` log field is mapped to the `principal.user.title` UDM field. Else, if the `logon_process.user.ldap_person.job_title` log field value is not empty and if the `activity_id` log field value is equal to `1` or the `activity_id` log field value is equal to `2`, then the `logon_process.user.ldap_person.job_title` log field is mapped to the `target.user.title` UDM field. Else, the `logon_process.user.ldap_person.job_title` log field is mapped to the `principal.user.title` UDM field. |
| user.ldap_person.last_login_time | principal.user.last_login_time | If the `user.ldap_person.last_login_time` log field value is not empty and if the `activity_id` log field value is equal to `1` or the `activity_id` log field value is equal to `2`, then the `user.ldap_person.last_login_time` log field is mapped to the `target.user.last_login_time` UDM field. Else, the `user.ldap_person.last_login_time` log field is mapped to the `principal.user.last_login_time` UDM field. Else, if the `actor.user.ldap_person.last_login_time` log field value is not empty and if the `activity_id` log field value is equal to `1` or the `activity_id` log field value is equal to `2`, then the `actor.user.ldap_person.last_login_time` log field is mapped to the `target.user.last_login_time` UDM field. Else, the `actor.user.ldap_person.last_login_time` log field is mapped to the `principal.user.last_login_time` UDM field. Else, if the `logon_process.user.ldap_person.last_login_time` log field value is not empty and if the `activity_id` log field value is equal to `1` or the `activity_id` log field value is equal to `2`, then the `logon_process.user.ldap_person.last_login_time` log field is mapped to the `target.user.last_login_time` UDM field. Else, the `logon_process.user.ldap_person.last_login_time` log field is mapped to the `principal.user.last_login_time` UDM field. |
| actor.user.ldap_person.last_login_time | principal.user.last_login_time | If the `user.ldap_person.last_login_time` log field value is not empty and if the `activity_id` log field value is equal to `1` or the `activity_id` log field value is equal to `2`, then the `user.ldap_person.last_login_time` log field is mapped to the `target.user.last_login_time` UDM field. Else, the `user.ldap_person.last_login_time` log field is mapped to the `principal.user.last_login_time` UDM field. Else, if the `actor.user.ldap_person.last_login_time` log field value is not empty and if the `activity_id` log field value is equal to `1` or the `activity_id` log field value is equal to `2`, then the `actor.user.ldap_person.last_login_time` log field is mapped to the `target.user.last_login_time` UDM field. Else, the `actor.user.ldap_person.last_login_time` log field is mapped to the `principal.user.last_login_time` UDM field. Else, if the `logon_process.user.ldap_person.last_login_time` log field value is not empty and if the `activity_id` log field value is equal to `1` or the `activity_id` log field value is equal to `2`, then the `logon_process.user.ldap_person.last_login_time` log field is mapped to the `target.user.last_login_time` UDM field. Else, the `logon_process.user.ldap_person.last_login_time` log field is mapped to the `principal.user.last_login_time` UDM field. |
| logon_process.user.ldap_person.last_login_time | principal.user.last_login_time | If the user.ldap_person.last_login_timelog field value is not empty and if theactivity_idlog field value is equal to1ortheactivity_idlog field value is equal to2then,user.ldap_person.last_login_timelog field is mapped to thetarget.user.last_login_timeUDM field. Else,user.ldap_person.last_login_timelog field is mapped to theprincipal.user.last_login_timeUDM field.Else, if actor.user.ldap_person.last_login_timelog field value is not empty and if theactivity_idlog field value is equal to1ortheactivity_idlog field value is equal to2then,actor.user.ldap_person.last_login_timelog field is mapped to thetarget.user.last_login_timeUDM field. Else,actor.user.ldap_person.last_login_timelog field is mapped to theprincipal.user.last_login_timeUDM field.Else, if logon_process.user.ldap_person.last_login_timelog field value is not empty and if theactivity_idlog field value is equal to1ortheactivity_idlog field value is equal to2then,logon_process.user.ldap_person.last_login_timelog field is mapped to thetarget.user.last_login_timeUDM field. Else,logon_process.user.ldap_person.last_login_timelog field is mapped to theprincipal.user.last_login_timeUDM field. | 
| user.ldap_person.office_location | principal.user.office_address.name | If the user.ldap_person.office_locationlog field value is not empty and if theactivity_idlog field value is equal to1ortheactivity_idlog field value is equal to2then,user.ldap_person.office_locationlog field is mapped to thetarget.user.office_address.nameUDM field. Else,user.ldap_person.office_locationlog field is mapped to theprincipal.user.office_address.nameUDM field.Else, if actor.user.ldap_person.office_locationlog field value is not empty and if theactivity_idlog field value is equal to1ortheactivity_idlog field value is equal to2then,actor.user.ldap_person.office_locationlog field is mapped to thetarget.user.office_address.nameUDM field. Else,actor.user.ldap_person.office_locationlog field is mapped to theprincipal.user.office_address.nameUDM field.Else, if logon_process.user.ldap_person.office_locationlog field value is not empty and if theactivity_idlog field value is equal to1ortheactivity_idlog field value is equal to2then,logon_process.user.ldap_person.office_locationlog field is mapped to thetarget.user.office_address.nameUDM field. Else,logon_process.user.ldap_person.office_locationlog field is mapped to theprincipal.user.office_address.nameUDM field. | 
| actor.user.ldap_person.office_location | principal.user.office_address.name | If the user.ldap_person.office_locationlog field value is not empty and if theactivity_idlog field value is equal to1ortheactivity_idlog field value is equal to2then,user.ldap_person.office_locationlog field is mapped to thetarget.user.office_address.nameUDM field. Else,user.ldap_person.office_locationlog field is mapped to theprincipal.user.office_address.nameUDM field.Else, if actor.user.ldap_person.office_locationlog field value is not empty and if theactivity_idlog field value is equal to1ortheactivity_idlog field value is equal to2then,actor.user.ldap_person.office_locationlog field is mapped to thetarget.user.office_address.nameUDM field. Else,actor.user.ldap_person.office_locationlog field is mapped to theprincipal.user.office_address.nameUDM field.Else, if logon_process.user.ldap_person.office_locationlog field value is not empty and if theactivity_idlog field value is equal to1ortheactivity_idlog field value is equal to2then,logon_process.user.ldap_person.office_locationlog field is mapped to thetarget.user.office_address.nameUDM field. Else,logon_process.user.ldap_person.office_locationlog field is mapped to theprincipal.user.office_address.nameUDM field. | 
| logon_process.user.ldap_person.office_location | principal.user.office_address.name | If the user.ldap_person.office_locationlog field value is not empty and if theactivity_idlog field value is equal to1ortheactivity_idlog field value is equal to2then,user.ldap_person.office_locationlog field is mapped to thetarget.user.office_address.nameUDM field. Else,user.ldap_person.office_locationlog field is mapped to theprincipal.user.office_address.nameUDM field.Else, if actor.user.ldap_person.office_locationlog field value is not empty and if theactivity_idlog field value is equal to1ortheactivity_idlog field value is equal to2then,actor.user.ldap_person.office_locationlog field is mapped to thetarget.user.office_address.nameUDM field. Else,actor.user.ldap_person.office_locationlog field is mapped to theprincipal.user.office_address.nameUDM field.Else, if logon_process.user.ldap_person.office_locationlog field value is not empty and if theactivity_idlog field value is equal to1ortheactivity_idlog field value is equal to2then,logon_process.user.ldap_person.office_locationlog field is mapped to thetarget.user.office_address.nameUDM field. Else,logon_process.user.ldap_person.office_locationlog field is mapped to theprincipal.user.office_address.nameUDM field. | 
| user.ldap_person.surname | principal.user.last_name | If the user.ldap_person.surnamelog field value is not empty and if theactivity_idlog field value is equal to1ortheactivity_idlog field value is equal to2then,user.ldap_person.surnamelog field is mapped to thetarget.user.last_nameUDM field. Else,user.ldap_person.surnamelog field is mapped to theprincipal.user.last_nameUDM field.Else, if actor.user.ldap_person.surnamelog field value is not empty and if theactivity_idlog field value is equal to1ortheactivity_idlog field value is equal to2then,actor.user.ldap_person.surnamelog field is mapped to thetarget.user.last_nameUDM field. Else,actor.user.ldap_person.surnamelog field is mapped to theprincipal.user.last_nameUDM field.Else, if logon_process.user.ldap_person.surnamelog field value is not empty and if theactivity_idlog field value is equal to1ortheactivity_idlog field value is equal to2then,logon_process.user.ldap_person.surnamelog field is mapped to thetarget.user.last_nameUDM field. Else,logon_process.user.ldap_person.surnamelog field is mapped to theprincipal.user.last_nameUDM field. | 
| actor.user.ldap_person.surname | principal.user.last_name | If the user.ldap_person.surnamelog field value is not empty and if theactivity_idlog field value is equal to1ortheactivity_idlog field value is equal to2then,user.ldap_person.surnamelog field is mapped to thetarget.user.last_nameUDM field. Else,user.ldap_person.surnamelog field is mapped to theprincipal.user.last_nameUDM field.Else, if actor.user.ldap_person.surnamelog field value is not empty and if theactivity_idlog field value is equal to1ortheactivity_idlog field value is equal to2then,actor.user.ldap_person.surnamelog field is mapped to thetarget.user.last_nameUDM field. Else,actor.user.ldap_person.surnamelog field is mapped to theprincipal.user.last_nameUDM field.Else, if logon_process.user.ldap_person.surnamelog field value is not empty and if theactivity_idlog field value is equal to1ortheactivity_idlog field value is equal to2then,logon_process.user.ldap_person.surnamelog field is mapped to thetarget.user.last_nameUDM field. Else,logon_process.user.ldap_person.surnamelog field is mapped to theprincipal.user.last_nameUDM field. | 
| logon_process.user.ldap_person.surname | principal.user.last_name | If the user.ldap_person.surnamelog field value is not empty and if theactivity_idlog field value is equal to1ortheactivity_idlog field value is equal to2then,user.ldap_person.surnamelog field is mapped to thetarget.user.last_nameUDM field. Else,user.ldap_person.surnamelog field is mapped to theprincipal.user.last_nameUDM field.Else, if actor.user.ldap_person.surnamelog field value is not empty and if theactivity_idlog field value is equal to1ortheactivity_idlog field value is equal to2then,actor.user.ldap_person.surnamelog field is mapped to thetarget.user.last_nameUDM field. Else,actor.user.ldap_person.surnamelog field is mapped to theprincipal.user.last_nameUDM field.Else, if logon_process.user.ldap_person.surnamelog field value is not empty and if theactivity_idlog field value is equal to1ortheactivity_idlog field value is equal to2then,logon_process.user.ldap_person.surnamelog field is mapped to thetarget.user.last_nameUDM field. Else,logon_process.user.ldap_person.surnamelog field is mapped to theprincipal.user.last_nameUDM field. | 
| user.ldap_person.cost_center | principal.user.attribute.labels[user_ldap_person_cost_center] | If the user.ldap_person.cost_centerlog field value is not empty and if theactivity_idlog field value is equal to1ortheactivity_idlog field value is equal to2then,user.ldap_person.cost_centerlog field is mapped to thetarget.user.attribute.labels[logon_process_user_ldap_person_cost_center]UDM field. Else,user.ldap_person.cost_centerlog field is mapped to theprincipal.user.attribute.labels[logon_process_user_ldap_person_cost_center]UDM field.Else, if actor.user.ldap_person.cost_centerlog field value is not empty and if theactivity_idlog field value is equal to1orthe activity_idlog field value is equal to2then,actor.user.ldap_person.cost_centerlog field is mapped to thetarget.user.attribute.labels[logon_process_user_ldap_person_cost_center]UDM field. Else,actor.user.ldap_person.cost_centerlog field is mapped to theprincipal.user.attribute.labels[logon_process_user_ldap_person_cost_center]UDM field.Else, if logon_process.user.ldap_person.cost_centerlog field value is not empty and if theactivity_idlog field value is equal to1ortheactivity_idlog field value is equal to2then,logon_process.user.ldap_person.cost_centerlog field is mapped to thetarget.user.attribute.labels[logon_process_user_ldap_person_cost_center]UDM field. Else,logon_process.user.ldap_person.cost_centerlog field is mapped to theprincipal.user.attribute.labels[logon_process_user_ldap_person_cost_center]UDM field. | 
| actor.user.ldap_person.cost_center | principal.user.attribute.labels[user_ldap_person_cost_center] | If the user.ldap_person.cost_centerlog field value is not empty and if theactivity_idlog field value is equal to1ortheactivity_idlog field value is equal to2then,user.ldap_person.cost_centerlog field is mapped to thetarget.user.attribute.labels[logon_process_user_ldap_person_cost_center]UDM field. Else,user.ldap_person.cost_centerlog field is mapped to theprincipal.user.attribute.labels[logon_process_user_ldap_person_cost_center]UDM field.Else, if actor.user.ldap_person.cost_centerlog field value is not empty and if theactivity_idlog field value is equal to1ortheactivity_idlog field value is equal to2then,actor.user.ldap_person.cost_centerlog field is mapped to thetarget.user.attribute.labels[logon_process_user_ldap_person_cost_center]UDM field. Else,actor.user.ldap_person.cost_centerlog field is mapped to theprincipal.user.attribute.labels[logon_process_user_ldap_person_cost_center]UDM field.Else, if logon_process.user.ldap_person.cost_centerlog field value is not empty and if theactivity_idlog field value is equal to1ortheactivity_idlog field value is equal to2then,logon_process.user.ldap_person.cost_centerlog field is mapped to thetarget.user.attribute.labels[logon_process_user_ldap_person_cost_center]UDM field. Else,logon_process.user.ldap_person.cost_centerlog field is mapped to theprincipal.user.attribute.labels[logon_process_user_ldap_person_cost_center]UDM field. | 
| logon_process.user.ldap_person.cost_center | principal.user.attribute.labels[user_ldap_person_cost_center] | If the user.ldap_person.cost_centerlog field value is not empty and if theactivity_idlog field value is equal to1ortheactivity_idlog field value is equal to2then,user.ldap_person.cost_centerlog field is mapped to thetarget.user.attribute.labels[logon_process_user_ldap_person_cost_center]UDM field. Else,user.ldap_person.cost_centerlog field is mapped to theprincipal.user.attribute.labels[logon_process_user_ldap_person_cost_center]UDM field.Else, if actor.user.ldap_person.cost_centerlog field value is not empty and if theactivity_idlog field value is equal to1ortheactivity_idlog field value is equal to2then,actor.user.ldap_person.cost_centerlog field is mapped to thetarget.user.attribute.labels[logon_process_user_ldap_person_cost_center]UDM field. Else,actor.user.ldap_person.cost_centerlog field is mapped to theprincipal.user.attribute.labels[logon_process_user_ldap_person_cost_center]UDM field.Else, if logon_process.user.ldap_person.cost_centerlog field value is not empty and if theactivity_idlog field value is equal to1ortheactivity_idlog field value is equal to2then,logon_process.user.ldap_person.cost_centerlog field is mapped to thetarget.user.attribute.labels[logon_process_user_ldap_person_cost_center]UDM field. Else,logon_process.user.ldap_person.cost_centerlog field is mapped to theprincipal.user.attribute.labels[logon_process_user_ldap_person_cost_center]UDM field. | 
| user.ldap_person.created_time | principal.user.attribute.labels[user_ldap_person_created_time] | If the user.ldap_person.created_timelog field value is not empty and if theactivity_idlog field value is equal to1ortheactivity_idlog field value is equal to2then,user.ldap_person.created_timelog field is mapped to thetarget.user.attribute.labels[logon_process_user_ldap_person_created_time]UDM field. Else,user.ldap_person.created_timelog field is mapped to theprincipal.user.attribute.labels[logon_process_user_ldap_person_created_time]UDM field.Else, if actor.user.ldap_person.created_timelog field value is not empty and if theactivity_idlog field value is equal to1orthe activity_idlog field value is equal to2then,actor.user.ldap_person.created_timelog field is mapped to thetarget.user.attribute.labels[logon_process_user_ldap_person_created_time]UDM field. Else,actor.user.ldap_person.created_timelog field is mapped to theprincipal.user.attribute.labels[logon_process_user_ldap_person_created_time]UDM field.Else, if logon_process.user.ldap_person.created_timelog field value is not empty and if theactivity_idlog field value is equal to1ortheactivity_idlog field value is equal to2then,logon_process.user.ldap_person.created_timelog field is mapped to thetarget.user.attribute.labels[logon_process_user_ldap_person_created_time]UDM field. Else,logon_process.user.ldap_person.created_timelog field is mapped to theprincipal.user.attribute.labels[logon_process_user_ldap_person_created_time]UDM field. | 
| actor.user.ldap_person.created_time | principal.user.attribute.labels[user_ldap_person_created_time] | If the user.ldap_person.created_timelog field value is not empty and if theactivity_idlog field value is equal to1ortheactivity_idlog field value is equal to2then,user.ldap_person.created_timelog field is mapped to thetarget.user.attribute.labels[logon_process_user_ldap_person_created_time]UDM field. Else,user.ldap_person.created_timelog field is mapped to theprincipal.user.attribute.labels[logon_process_user_ldap_person_created_time]UDM field.Else, if actor.user.ldap_person.created_timelog field value is not empty and if theactivity_idlog field value is equal to1ortheactivity_idlog field value is equal to2then,actor.user.ldap_person.created_timelog field is mapped to thetarget.user.attribute.labels[logon_process_user_ldap_person_created_time]UDM field. Else,actor.user.ldap_person.created_timelog field is mapped to theprincipal.user.attribute.labels[logon_process_user_ldap_person_created_time]UDM field.Else, if logon_process.user.ldap_person.created_timelog field value is not empty and if theactivity_idlog field value is equal to1ortheactivity_idlog field value is equal to2then,logon_process.user.ldap_person.created_timelog field is mapped to thetarget.user.attribute.labels[logon_process_user_ldap_person_created_time]UDM field. Else,logon_process.user.ldap_person.created_timelog field is mapped to theprincipal.user.attribute.labels[logon_process_user_ldap_person_created_time]UDM field. | 
| logon_process.user.ldap_person.created_time | principal.user.attribute.labels[user_ldap_person_created_time] | If the user.ldap_person.created_timelog field value is not empty and if theactivity_idlog field value is equal to1ortheactivity_idlog field value is equal to2then,user.ldap_person.created_timelog field is mapped to thetarget.user.attribute.labels[logon_process_user_ldap_person_created_time]UDM field. Else,user.ldap_person.created_timelog field is mapped to theprincipal.user.attribute.labels[logon_process_user_ldap_person_created_time]UDM field.Else, if actor.user.ldap_person.created_timelog field value is not empty and if theactivity_idlog field value is equal to1ortheactivity_idlog field value is equal to2then,actor.user.ldap_person.created_timelog field is mapped to thetarget.user.attribute.labels[logon_process_user_ldap_person_created_time]UDM field. Else,actor.user.ldap_person.created_timelog field is mapped to theprincipal.user.attribute.labels[logon_process_user_ldap_person_created_time]UDM field.Else, if logon_process.user.ldap_person.created_timelog field value is not empty and if theactivity_idlog field value is equal to1ortheactivity_idlog field value is equal to2then,logon_process.user.ldap_person.created_timelog field is mapped to thetarget.user.attribute.labels[logon_process_user_ldap_person_created_time]UDM field. Else,logon_process.user.ldap_person.created_timelog field is mapped to theprincipal.user.attribute.labels[logon_process_user_ldap_person_created_time]UDM field. | 
| user.ldap_person.deleted_time | principal.user.attribute.labels[user_ldap_person_deleted_time] | If the user.ldap_person.deleted_timelog field value is not empty and if theactivity_idlog field value is equal to1ortheactivity_idlog field value is equal to2then,user.ldap_person.deleted_timelog field is mapped to thetarget.user.attribute.labels[logon_process_user_ldap_person_deleted_time]UDM field. Else,user.ldap_person.deleted_timelog field is mapped to theprincipal.user.attribute.labels[logon_process_user_ldap_person_deleted_time]UDM field.Else, if actor.user.ldap_person.deleted_timelog field value is not empty and if theactivity_idlog field value is equal to1ortheactivity_idlog field value is equal to2then,actor.user.ldap_person.deleted_timelog field is mapped to thetarget.user.attribute.labels[logon_process_user_ldap_person_deleted_time]UDM field. Else,actor.user.ldap_person.deleted_timelog field is mapped to theprincipal.user.attribute.labels[logon_process_user_ldap_person_deleted_time]UDM field.Else, if logon_process.user.ldap_person.deleted_timelog field value is not empty and if theactivity_idlog field value is equal to1ortheactivity_idlog field value is equal to2then,logon_process.user.ldap_person.deleted_timelog field is mapped to thetarget.user.attribute.labels[logon_process_user_ldap_person_deleted_time]UDM field. Else,logon_process.user.ldap_person.deleted_timelog field is mapped to theprincipal.user.attribute.labels[logon_process_user_ldap_person_deleted_time]UDM field. | 
| actor.user.ldap_person.deleted_time | principal.user.attribute.labels[user_ldap_person_deleted_time] | If the user.ldap_person.deleted_timelog field value is not empty and if theactivity_idlog field value is equal to1ortheactivity_idlog field value is equal to2then,user.ldap_person.deleted_timelog field is mapped to thetarget.user.attribute.labels[logon_process_user_ldap_person_deleted_time]UDM field. Else,user.ldap_person.deleted_timelog field is mapped to theprincipal.user.attribute.labels[logon_process_user_ldap_person_deleted_time]UDM field.Else, if actor.user.ldap_person.deleted_timelog field value is not empty and if theactivity_idlog field value is equal to1ortheactivity_idlog field value is equal to2then,actor.user.ldap_person.deleted_timelog field is mapped to thetarget.user.attribute.labels[logon_process_user_ldap_person_deleted_time]UDM field. Else,actor.user.ldap_person.deleted_timelog field is mapped to theprincipal.user.attribute.labels[logon_process_user_ldap_person_deleted_time]UDM field.Else, if logon_process.user.ldap_person.deleted_timelog field value is not empty and if theactivity_idlog field value is equal to1ortheactivity_idlog field value is equal to2then,logon_process.user.ldap_person.deleted_timelog field is mapped to thetarget.user.attribute.labels[logon_process_user_ldap_person_deleted_time]UDM field. Else,logon_process.user.ldap_person.deleted_timelog field is mapped to theprincipal.user.attribute.labels[logon_process_user_ldap_person_deleted_time]UDM field. | 
| logon_process.user.ldap_person.deleted_time | principal.user.attribute.labels[user_ldap_person_deleted_time] | If the user.ldap_person.deleted_timelog field value is not empty and if theactivity_idlog field value is equal to1ortheactivity_idlog field value is equal to2then,user.ldap_person.deleted_timelog field is mapped to thetarget.user.attribute.labels[logon_process_user_ldap_person_deleted_time]UDM field. Else,user.ldap_person.deleted_timelog field is mapped to theprincipal.user.attribute.labels[logon_process_user_ldap_person_deleted_time]UDM field.Else, if actor.user.ldap_person.deleted_timelog field value is not empty and if theactivity_idlog field value is equal to1ortheactivity_idlog field value is equal to2then,actor.user.ldap_person.deleted_timelog field is mapped to thetarget.user.attribute.labels[logon_process_user_ldap_person_deleted_time]UDM field. Else,actor.user.ldap_person.deleted_timelog field is mapped to theprincipal.user.attribute.labels[logon_process_user_ldap_person_deleted_time]UDM field.Else, if logon_process.user.ldap_person.deleted_timelog field value is not empty and if theactivity_idlog field value is equal to1ortheactivity_idlog field value is equal to2then,logon_process.user.ldap_person.deleted_timelog field is mapped to thetarget.user.attribute.labels[logon_process_user_ldap_person_deleted_time]UDM field. Else,logon_process.user.ldap_person.deleted_timelog field is mapped to theprincipal.user.attribute.labels[logon_process_user_ldap_person_deleted_time]UDM field. | 
| user.ldap_person.location | principal.user.attribute.labels[user_ldap_person_location] | If the user.ldap_person.locationlog field value is not empty and if theactivity_idlog field value is equal to1ortheactivity_idlog field value is equal to2then,user.ldap_person.locationlog field is mapped to thetarget.user.attribute.labels[logon_process_user_ldap_person_location]UDM field. Else,user.ldap_person.locationlog field is mapped to theprincipal.user.attribute.labels[logon_process_user_ldap_person_location]UDM field.Else, if actor.user.ldap_person.locationlog field value is not empty and if theactivity_idlog field value is equal to1ortheactivity_idlog field value is equal to2then,actor.user.ldap_person.locationlog field is mapped to thetarget.user.attribute.labels[logon_process_user_ldap_person_location]UDM field. Else,actor.user.ldap_person.locationlog field is mapped to theprincipal.user.attribute.labels[logon_process_user_ldap_person_location]UDM field.Else, if logon_process.user.ldap_person.locationlog field value is not empty and if theactivity_idlog field value is equal to1ortheactivity_idlog field value is equal to2then,logon_process.user.ldap_person.locationlog field is mapped to thetarget.user.attribute.labels[logon_process_user_ldap_person_location]UDM field. Else,logon_process.user.ldap_person.locationlog field is mapped to theprincipal.user.attribute.labels[logon_process_user_ldap_person_location]UDM field. | 
| actor.user.ldap_person.location | principal.user.attribute.labels[user_ldap_person_location] | If the user.ldap_person.locationlog field value is not empty and if theactivity_idlog field value is equal to1ortheactivity_idlog field value is equal to2then,user.ldap_person.locationlog field is mapped to thetarget.user.attribute.labels[logon_process_user_ldap_person_location]UDM field. Else,user.ldap_person.locationlog field is mapped to theprincipal.user.attribute.labels[logon_process_user_ldap_person_location]UDM field.Else, if actor.user.ldap_person.locationlog field value is not empty and if theactivity_idlog field value is equal to1ortheactivity_idlog field value is equal to2then,actor.user.ldap_person.locationlog field is mapped to thetarget.user.attribute.labels[logon_process_user_ldap_person_location]UDM field. Else,actor.user.ldap_person.locationlog field is mapped to theprincipal.user.attribute.labels[logon_process_user_ldap_person_location]UDM field.Else, if logon_process.user.ldap_person.locationlog field value is not empty and if theactivity_idlog field value is equal to1ortheactivity_idlog field value is equal to2then,logon_process.user.ldap_person.locationlog field is mapped to thetarget.user.attribute.labels[logon_process_user_ldap_person_location]UDM field. Else,logon_process.user.ldap_person.locationlog field is mapped to theprincipal.user.attribute.labels[logon_process_user_ldap_person_location]UDM field. | 
| logon_process.user.ldap_person.location | principal.user.attribute.labels[user_ldap_person_location] | If the user.ldap_person.locationlog field value is not empty and if theactivity_idlog field value is equal to1ortheactivity_idlog field value is equal to2then,user.ldap_person.locationlog field is mapped to thetarget.user.attribute.labels[logon_process_user_ldap_person_location]UDM field. Else,user.ldap_person.locationlog field is mapped to theprincipal.user.attribute.labels[logon_process_user_ldap_person_location]UDM field.Else, if actor.user.ldap_person.locationlog field value is not empty and if theactivity_idlog field value is equal to1ortheactivity_idlog field value is equal to2then,actor.user.ldap_person.locationlog field is mapped to thetarget.user.attribute.labels[logon_process_user_ldap_person_location]UDM field. Else,actor.user.ldap_person.locationlog field is mapped to theprincipal.user.attribute.labels[logon_process_user_ldap_person_location]UDM field.Else, if logon_process.user.ldap_person.locationlog field value is not empty and if theactivity_idlog field value is equal to1ortheactivity_idlog field value is equal to2then,logon_process.user.ldap_person.locationlog field is mapped to thetarget.user.attribute.labels[logon_process_user_ldap_person_location]UDM field. Else,logon_process.user.ldap_person.locationlog field is mapped to theprincipal.user.attribute.labels[logon_process_user_ldap_person_location]UDM field. | 
| user.ldap_person.ldap_cn | principal.user.attribute.labels[user_ldap_person_ldap_cn] | If the user.ldap_person.ldap_cnlog field value is not empty and if theactivity_idlog field value is equal to1ortheactivity_idlog field value is equal to2then,user.ldap_person.ldap_cnlog field is mapped to thetarget.user.attribute.labels[logon_process_user_ldap_person_ldap_cn]UDM field. Else,user.ldap_person.ldap_cnlog field is mapped to theprincipal.user.attribute.labels[logon_process_user_ldap_person_ldap_cn]UDM field.Else, if actor.user.ldap_person.ldap_cnlog field value is not empty and if theactivity_idlog field value is equal to1ortheactivity_idlog field value is equal to2then,actor.user.ldap_person.ldap_cnlog field is mapped to thetarget.user.attribute.labels[logon_process_user_ldap_person_ldap_cn]UDM field. Else,actor.user.ldap_person.ldap_cnlog field is mapped to theprincipal.user.attribute.labels[logon_process_user_ldap_person_ldap_cn]UDM field.Else, if logon_process.user.ldap_person.ldap_cnlog field value is not empty and if theactivity_idlog field value is equal to1ortheactivity_idlog field value is equal to2then,logon_process.user.ldap_person.ldap_cnlog field is mapped to thetarget.user.attribute.labels[logon_process_user_ldap_person_ldap_cn]UDM field. Else,logon_process.user.ldap_person.ldap_cnlog field is mapped to theprincipal.user.attribute.labels[logon_process_user_ldap_person_ldap_cn]UDM field. | 
| actor.user.ldap_person.ldap_cn | principal.user.attribute.labels[user_ldap_person_ldap_cn] | If the user.ldap_person.ldap_cn log field value is not empty, then: if the activity_id log field value is equal to 1 or 2, the user.ldap_person.ldap_cn log field is mapped to the target.user.attribute.labels[logon_process_user_ldap_person_ldap_cn] UDM field; otherwise it is mapped to the principal.user.attribute.labels[logon_process_user_ldap_person_ldap_cn] UDM field. Else, if the actor.user.ldap_person.ldap_cn log field value is not empty, then: if the activity_id log field value is equal to 1 or 2, the actor.user.ldap_person.ldap_cn log field is mapped to the target.user.attribute.labels[logon_process_user_ldap_person_ldap_cn] UDM field; otherwise it is mapped to the principal.user.attribute.labels[logon_process_user_ldap_person_ldap_cn] UDM field. Else, if the logon_process.user.ldap_person.ldap_cn log field value is not empty, then: if the activity_id log field value is equal to 1 or 2, the logon_process.user.ldap_person.ldap_cn log field is mapped to the target.user.attribute.labels[logon_process_user_ldap_person_ldap_cn] UDM field; otherwise it is mapped to the principal.user.attribute.labels[logon_process_user_ldap_person_ldap_cn] UDM field. |
| logon_process.user.ldap_person.ldap_cn | principal.user.attribute.labels[user_ldap_person_ldap_cn] | If the user.ldap_person.ldap_cn log field value is not empty, then: if the activity_id log field value is equal to 1 or 2, the user.ldap_person.ldap_cn log field is mapped to the target.user.attribute.labels[logon_process_user_ldap_person_ldap_cn] UDM field; otherwise it is mapped to the principal.user.attribute.labels[logon_process_user_ldap_person_ldap_cn] UDM field. Else, if the actor.user.ldap_person.ldap_cn log field value is not empty, then: if the activity_id log field value is equal to 1 or 2, the actor.user.ldap_person.ldap_cn log field is mapped to the target.user.attribute.labels[logon_process_user_ldap_person_ldap_cn] UDM field; otherwise it is mapped to the principal.user.attribute.labels[logon_process_user_ldap_person_ldap_cn] UDM field. Else, if the logon_process.user.ldap_person.ldap_cn log field value is not empty, then: if the activity_id log field value is equal to 1 or 2, the logon_process.user.ldap_person.ldap_cn log field is mapped to the target.user.attribute.labels[logon_process_user_ldap_person_ldap_cn] UDM field; otherwise it is mapped to the principal.user.attribute.labels[logon_process_user_ldap_person_ldap_cn] UDM field. |
| user.ldap_person.ldap_dn | principal.user.attribute.labels[user_ldap_person_ldap_dn] | If the user.ldap_person.ldap_dn log field value is not empty, then: if the activity_id log field value is equal to 1 or 2, the user.ldap_person.ldap_dn log field is mapped to the target.user.attribute.labels[logon_process_user_ldap_person_ldap_dn] UDM field; otherwise it is mapped to the principal.user.attribute.labels[logon_process_user_ldap_person_ldap_dn] UDM field. Else, if the actor.user.ldap_person.ldap_dn log field value is not empty, then: if the activity_id log field value is equal to 1 or 2, the actor.user.ldap_person.ldap_dn log field is mapped to the target.user.attribute.labels[logon_process_user_ldap_person_ldap_dn] UDM field; otherwise it is mapped to the principal.user.attribute.labels[logon_process_user_ldap_person_ldap_dn] UDM field. Else, if the logon_process.user.ldap_person.ldap_dn log field value is not empty, then: if the activity_id log field value is equal to 1 or 2, the logon_process.user.ldap_person.ldap_dn log field is mapped to the target.user.attribute.labels[logon_process_user_ldap_person_ldap_dn] UDM field; otherwise it is mapped to the principal.user.attribute.labels[logon_process_user_ldap_person_ldap_dn] UDM field. |
| actor.user.ldap_person.ldap_dn | principal.user.attribute.labels[user_ldap_person_ldap_dn] | If the user.ldap_person.ldap_dn log field value is not empty, then: if the activity_id log field value is equal to 1 or 2, the user.ldap_person.ldap_dn log field is mapped to the target.user.attribute.labels[logon_process_user_ldap_person_ldap_dn] UDM field; otherwise it is mapped to the principal.user.attribute.labels[logon_process_user_ldap_person_ldap_dn] UDM field. Else, if the actor.user.ldap_person.ldap_dn log field value is not empty, then: if the activity_id log field value is equal to 1 or 2, the actor.user.ldap_person.ldap_dn log field is mapped to the target.user.attribute.labels[logon_process_user_ldap_person_ldap_dn] UDM field; otherwise it is mapped to the principal.user.attribute.labels[logon_process_user_ldap_person_ldap_dn] UDM field. Else, if the logon_process.user.ldap_person.ldap_dn log field value is not empty, then: if the activity_id log field value is equal to 1 or 2, the logon_process.user.ldap_person.ldap_dn log field is mapped to the target.user.attribute.labels[logon_process_user_ldap_person_ldap_dn] UDM field; otherwise it is mapped to the principal.user.attribute.labels[logon_process_user_ldap_person_ldap_dn] UDM field. |
| logon_process.user.ldap_person.ldap_dn | principal.user.attribute.labels[user_ldap_person_ldap_dn] | If the user.ldap_person.ldap_dn log field value is not empty, then: if the activity_id log field value is equal to 1 or 2, the user.ldap_person.ldap_dn log field is mapped to the target.user.attribute.labels[logon_process_user_ldap_person_ldap_dn] UDM field; otherwise it is mapped to the principal.user.attribute.labels[logon_process_user_ldap_person_ldap_dn] UDM field. Else, if the actor.user.ldap_person.ldap_dn log field value is not empty, then: if the activity_id log field value is equal to 1 or 2, the actor.user.ldap_person.ldap_dn log field is mapped to the target.user.attribute.labels[logon_process_user_ldap_person_ldap_dn] UDM field; otherwise it is mapped to the principal.user.attribute.labels[logon_process_user_ldap_person_ldap_dn] UDM field. Else, if the logon_process.user.ldap_person.ldap_dn log field value is not empty, then: if the activity_id log field value is equal to 1 or 2, the logon_process.user.ldap_person.ldap_dn log field is mapped to the target.user.attribute.labels[logon_process_user_ldap_person_ldap_dn] UDM field; otherwise it is mapped to the principal.user.attribute.labels[logon_process_user_ldap_person_ldap_dn] UDM field. |
| user.ldap_person.labels | principal.user.attribute.labels[user_ldap_person_labels] | If the user.ldap_person.labels log field value is not empty, then: if the activity_id log field value is equal to 1 or 2, the user.ldap_person.labels log field is mapped to the target.user.attribute.labels[logon_process_user_ldap_person_labels] UDM field; otherwise it is mapped to the principal.user.attribute.labels[logon_process_user_ldap_person_labels] UDM field. Else, if the actor.user.ldap_person.labels log field value is not empty, then: if the activity_id log field value is equal to 1 or 2, the actor.user.ldap_person.labels log field is mapped to the target.user.attribute.labels[logon_process_user_ldap_person_labels] UDM field; otherwise it is mapped to the principal.user.attribute.labels[logon_process_user_ldap_person_labels] UDM field. Else, if the logon_process.user.ldap_person.labels log field value is not empty, then: if the activity_id log field value is equal to 1 or 2, the logon_process.user.ldap_person.labels log field is mapped to the target.user.attribute.labels[logon_process_user_ldap_person_labels] UDM field; otherwise it is mapped to the principal.user.attribute.labels[logon_process_user_ldap_person_labels] UDM field. |
| actor.user.ldap_person.labels | principal.user.attribute.labels[user_ldap_person_labels] | If the user.ldap_person.labels log field value is not empty, then: if the activity_id log field value is equal to 1 or 2, the user.ldap_person.labels log field is mapped to the target.user.attribute.labels[logon_process_user_ldap_person_labels] UDM field; otherwise it is mapped to the principal.user.attribute.labels[logon_process_user_ldap_person_labels] UDM field. Else, if the actor.user.ldap_person.labels log field value is not empty, then: if the activity_id log field value is equal to 1 or 2, the actor.user.ldap_person.labels log field is mapped to the target.user.attribute.labels[logon_process_user_ldap_person_labels] UDM field; otherwise it is mapped to the principal.user.attribute.labels[logon_process_user_ldap_person_labels] UDM field. Else, if the logon_process.user.ldap_person.labels log field value is not empty, then: if the activity_id log field value is equal to 1 or 2, the logon_process.user.ldap_person.labels log field is mapped to the target.user.attribute.labels[logon_process_user_ldap_person_labels] UDM field; otherwise it is mapped to the principal.user.attribute.labels[logon_process_user_ldap_person_labels] UDM field. |
| logon_process.user.ldap_person.labels | principal.user.attribute.labels[user_ldap_person_labels] | If the user.ldap_person.labels log field value is not empty, then: if the activity_id log field value is equal to 1 or 2, the user.ldap_person.labels log field is mapped to the target.user.attribute.labels[logon_process_user_ldap_person_labels] UDM field; otherwise it is mapped to the principal.user.attribute.labels[logon_process_user_ldap_person_labels] UDM field. Else, if the actor.user.ldap_person.labels log field value is not empty, then: if the activity_id log field value is equal to 1 or 2, the actor.user.ldap_person.labels log field is mapped to the target.user.attribute.labels[logon_process_user_ldap_person_labels] UDM field; otherwise it is mapped to the principal.user.attribute.labels[logon_process_user_ldap_person_labels] UDM field. Else, if the logon_process.user.ldap_person.labels log field value is not empty, then: if the activity_id log field value is equal to 1 or 2, the logon_process.user.ldap_person.labels log field is mapped to the target.user.attribute.labels[logon_process_user_ldap_person_labels] UDM field; otherwise it is mapped to the principal.user.attribute.labels[logon_process_user_ldap_person_labels] UDM field. |
| user.ldap_person.leave_time | principal.user.attribute.labels[user_ldap_person_leave_time] | If the user.ldap_person.leave_time log field value is not empty, then: if the activity_id log field value is equal to 1 or 2, the user.ldap_person.leave_time log field is mapped to the target.user.attribute.labels[logon_process_user_ldap_person_leave_time] UDM field; otherwise it is mapped to the principal.user.attribute.labels[logon_process_user_ldap_person_leave_time] UDM field. Else, if the actor.user.ldap_person.leave_time log field value is not empty, then: if the activity_id log field value is equal to 1 or 2, the actor.user.ldap_person.leave_time log field is mapped to the target.user.attribute.labels[logon_process_user_ldap_person_leave_time] UDM field; otherwise it is mapped to the principal.user.attribute.labels[logon_process_user_ldap_person_leave_time] UDM field. Else, if the logon_process.user.ldap_person.leave_time log field value is not empty, then: if the activity_id log field value is equal to 1 or 2, the logon_process.user.ldap_person.leave_time log field is mapped to the target.user.attribute.labels[logon_process_user_ldap_person_leave_time] UDM field; otherwise it is mapped to the principal.user.attribute.labels[logon_process_user_ldap_person_leave_time] UDM field. |
| actor.user.ldap_person.leave_time | principal.user.attribute.labels[user_ldap_person_leave_time] | If the user.ldap_person.leave_time log field value is not empty, then: if the activity_id log field value is equal to 1 or 2, the user.ldap_person.leave_time log field is mapped to the target.user.attribute.labels[logon_process_user_ldap_person_leave_time] UDM field; otherwise it is mapped to the principal.user.attribute.labels[logon_process_user_ldap_person_leave_time] UDM field. Else, if the actor.user.ldap_person.leave_time log field value is not empty, then: if the activity_id log field value is equal to 1 or 2, the actor.user.ldap_person.leave_time log field is mapped to the target.user.attribute.labels[logon_process_user_ldap_person_leave_time] UDM field; otherwise it is mapped to the principal.user.attribute.labels[logon_process_user_ldap_person_leave_time] UDM field. Else, if the logon_process.user.ldap_person.leave_time log field value is not empty, then: if the activity_id log field value is equal to 1 or 2, the logon_process.user.ldap_person.leave_time log field is mapped to the target.user.attribute.labels[logon_process_user_ldap_person_leave_time] UDM field; otherwise it is mapped to the principal.user.attribute.labels[logon_process_user_ldap_person_leave_time] UDM field. |
| logon_process.user.ldap_person.leave_time | principal.user.attribute.labels[user_ldap_person_leave_time] | If the user.ldap_person.leave_time log field value is not empty, then: if the activity_id log field value is equal to 1 or 2, the user.ldap_person.leave_time log field is mapped to the target.user.attribute.labels[logon_process_user_ldap_person_leave_time] UDM field; otherwise it is mapped to the principal.user.attribute.labels[logon_process_user_ldap_person_leave_time] UDM field. Else, if the actor.user.ldap_person.leave_time log field value is not empty, then: if the activity_id log field value is equal to 1 or 2, the actor.user.ldap_person.leave_time log field is mapped to the target.user.attribute.labels[logon_process_user_ldap_person_leave_time] UDM field; otherwise it is mapped to the principal.user.attribute.labels[logon_process_user_ldap_person_leave_time] UDM field. Else, if the logon_process.user.ldap_person.leave_time log field value is not empty, then: if the activity_id log field value is equal to 1 or 2, the logon_process.user.ldap_person.leave_time log field is mapped to the target.user.attribute.labels[logon_process_user_ldap_person_leave_time] UDM field; otherwise it is mapped to the principal.user.attribute.labels[logon_process_user_ldap_person_leave_time] UDM field. |
| user.ldap_person.modified_time | principal.user.attribute.labels[user_ldap_person_modified_time] | If the user.ldap_person.modified_time log field value is not empty, then: if the activity_id log field value is equal to 1 or 2, the user.ldap_person.modified_time log field is mapped to the target.user.attribute.labels[logon_process_user_ldap_person_modified_time] UDM field; otherwise it is mapped to the principal.user.attribute.labels[logon_process_user_ldap_person_modified_time] UDM field. Else, if the actor.user.ldap_person.modified_time log field value is not empty, then: if the activity_id log field value is equal to 1 or 2, the actor.user.ldap_person.modified_time log field is mapped to the target.user.attribute.labels[logon_process_user_ldap_person_modified_time] UDM field; otherwise it is mapped to the principal.user.attribute.labels[logon_process_user_ldap_person_modified_time] UDM field. Else, if the logon_process.user.ldap_person.modified_time log field value is not empty, then: if the activity_id log field value is equal to 1 or 2, the logon_process.user.ldap_person.modified_time log field is mapped to the target.user.attribute.labels[logon_process_user_ldap_person_modified_time] UDM field; otherwise it is mapped to the principal.user.attribute.labels[logon_process_user_ldap_person_modified_time] UDM field. |
| actor.user.ldap_person.modified_time | principal.user.attribute.labels[user_ldap_person_modified_time] | If the user.ldap_person.modified_time log field value is not empty, then: if the activity_id log field value is equal to 1 or 2, the user.ldap_person.modified_time log field is mapped to the target.user.attribute.labels[logon_process_user_ldap_person_modified_time] UDM field; otherwise it is mapped to the principal.user.attribute.labels[logon_process_user_ldap_person_modified_time] UDM field. Else, if the actor.user.ldap_person.modified_time log field value is not empty, then: if the activity_id log field value is equal to 1 or 2, the actor.user.ldap_person.modified_time log field is mapped to the target.user.attribute.labels[logon_process_user_ldap_person_modified_time] UDM field; otherwise it is mapped to the principal.user.attribute.labels[logon_process_user_ldap_person_modified_time] UDM field. Else, if the logon_process.user.ldap_person.modified_time log field value is not empty, then: if the activity_id log field value is equal to 1 or 2, the logon_process.user.ldap_person.modified_time log field is mapped to the target.user.attribute.labels[logon_process_user_ldap_person_modified_time] UDM field; otherwise it is mapped to the principal.user.attribute.labels[logon_process_user_ldap_person_modified_time] UDM field. |
| logon_process.user.ldap_person.modified_time | principal.user.attribute.labels[user_ldap_person_modified_time] | If the user.ldap_person.modified_time log field value is not empty, then: if the activity_id log field value is equal to 1 or 2, the user.ldap_person.modified_time log field is mapped to the target.user.attribute.labels[logon_process_user_ldap_person_modified_time] UDM field; otherwise it is mapped to the principal.user.attribute.labels[logon_process_user_ldap_person_modified_time] UDM field. Else, if the actor.user.ldap_person.modified_time log field value is not empty, then: if the activity_id log field value is equal to 1 or 2, the actor.user.ldap_person.modified_time log field is mapped to the target.user.attribute.labels[logon_process_user_ldap_person_modified_time] UDM field; otherwise it is mapped to the principal.user.attribute.labels[logon_process_user_ldap_person_modified_time] UDM field. Else, if the logon_process.user.ldap_person.modified_time log field value is not empty, then: if the activity_id log field value is equal to 1 or 2, the logon_process.user.ldap_person.modified_time log field is mapped to the target.user.attribute.labels[logon_process_user_ldap_person_modified_time] UDM field; otherwise it is mapped to the principal.user.attribute.labels[logon_process_user_ldap_person_modified_time] UDM field. |
| user.ldap_person.manager.email_addrs | principal.user.managers.email_addresses | If the user.ldap_person.manager.email_addrs log field value is not empty, then: if the activity_id log field value is equal to 1 or 2, the user.ldap_person.manager.email_addrs log field is mapped to the target.user.managers.email_addresses UDM field; otherwise it is mapped to the principal.user.managers.email_addresses UDM field. Else, if the actor.user.ldap_person.manager.email_addrs log field value is not empty, then: if the activity_id log field value is equal to 1 or 2, the actor.user.ldap_person.manager.email_addrs log field is mapped to the target.user.managers.email_addresses UDM field; otherwise it is mapped to the principal.user.managers.email_addresses UDM field. Else, if the logon_process.user.ldap_person.manager.email_addrs log field value is not empty, then: if the activity_id log field value is equal to 1 or 2, the logon_process.user.ldap_person.manager.email_addrs log field is mapped to the target.user.managers.email_addresses UDM field; otherwise it is mapped to the principal.user.managers.email_addresses UDM field. |
| actor.user.ldap_person.manager.email_addrs | principal.user.managers.email_addresses | If the user.ldap_person.manager.email_addrs log field value is not empty, then: if the activity_id log field value is equal to 1 or 2, the user.ldap_person.manager.email_addrs log field is mapped to the target.user.managers.email_addresses UDM field; otherwise it is mapped to the principal.user.managers.email_addresses UDM field. Else, if the actor.user.ldap_person.manager.email_addrs log field value is not empty, then: if the activity_id log field value is equal to 1 or 2, the actor.user.ldap_person.manager.email_addrs log field is mapped to the target.user.managers.email_addresses UDM field; otherwise it is mapped to the principal.user.managers.email_addresses UDM field. Else, if the logon_process.user.ldap_person.manager.email_addrs log field value is not empty, then: if the activity_id log field value is equal to 1 or 2, the logon_process.user.ldap_person.manager.email_addrs log field is mapped to the target.user.managers.email_addresses UDM field; otherwise it is mapped to the principal.user.managers.email_addresses UDM field. |
| logon_process.user.ldap_person.manager.email_addrs | principal.user.managers.email_addresses | If the user.ldap_person.manager.email_addrs log field value is not empty, then: if the activity_id log field value is equal to 1 or 2, the user.ldap_person.manager.email_addrs log field is mapped to the target.user.managers.email_addresses UDM field; otherwise it is mapped to the principal.user.managers.email_addresses UDM field. Else, if the actor.user.ldap_person.manager.email_addrs log field value is not empty, then: if the activity_id log field value is equal to 1 or 2, the actor.user.ldap_person.manager.email_addrs log field is mapped to the target.user.managers.email_addresses UDM field; otherwise it is mapped to the principal.user.managers.email_addresses UDM field. Else, if the logon_process.user.ldap_person.manager.email_addrs log field value is not empty, then: if the activity_id log field value is equal to 1 or 2, the logon_process.user.ldap_person.manager.email_addrs log field is mapped to the target.user.managers.email_addresses UDM field; otherwise it is mapped to the principal.user.managers.email_addresses UDM field. |
| user.ldap_person.manager.employee_uid | principal.user.managers.employee_uid | If the user.ldap_person.manager.employee_uid log field value is not empty, then: if the activity_id log field value is equal to 1 or 2, the user.ldap_person.manager.employee_uid log field is mapped to the target.user.managers.employee_uid UDM field; otherwise it is mapped to the principal.user.managers.employee_uid UDM field. Else, if the actor.user.ldap_person.manager.employee_uid log field value is not empty, then: if the activity_id log field value is equal to 1 or 2, the actor.user.ldap_person.manager.employee_uid log field is mapped to the target.user.managers.employee_uid UDM field; otherwise it is mapped to the principal.user.managers.employee_uid UDM field. Else, if the logon_process.user.ldap_person.manager.employee_uid log field value is not empty, then: if the activity_id log field value is equal to 1 or 2, the logon_process.user.ldap_person.manager.employee_uid log field is mapped to the target.user.managers.employee_uid UDM field; otherwise it is mapped to the principal.user.managers.employee_uid UDM field. |
| actor.user.ldap_person.manager.employee_uid | principal.user.managers.employee_uid | If the user.ldap_person.manager.employee_uid log field value is not empty, then: if the activity_id log field value is equal to 1 or 2, the user.ldap_person.manager.employee_uid log field is mapped to the target.user.managers.employee_uid UDM field; otherwise it is mapped to the principal.user.managers.employee_uid UDM field. Else, if the actor.user.ldap_person.manager.employee_uid log field value is not empty, then: if the activity_id log field value is equal to 1 or 2, the actor.user.ldap_person.manager.employee_uid log field is mapped to the target.user.managers.employee_uid UDM field; otherwise it is mapped to the principal.user.managers.employee_uid UDM field. Else, if the logon_process.user.ldap_person.manager.employee_uid log field value is not empty, then: if the activity_id log field value is equal to 1 or 2, the logon_process.user.ldap_person.manager.employee_uid log field is mapped to the target.user.managers.employee_uid UDM field; otherwise it is mapped to the principal.user.managers.employee_uid UDM field. |
| logon_process.user.ldap_person.manager.employee_uid | principal.user.managers.employee_uid | If the user.ldap_person.manager.employee_uid log field value is not empty, then: if the activity_id log field value is equal to 1 or 2, the user.ldap_person.manager.employee_uid log field is mapped to the target.user.managers.employee_uid UDM field; otherwise it is mapped to the principal.user.managers.employee_uid UDM field. Else, if the actor.user.ldap_person.manager.employee_uid log field value is not empty, then: if the activity_id log field value is equal to 1 or 2, the actor.user.ldap_person.manager.employee_uid log field is mapped to the target.user.managers.employee_uid UDM field; otherwise it is mapped to the principal.user.managers.employee_uid UDM field. Else, if the logon_process.user.ldap_person.manager.employee_uid log field value is not empty, then: if the activity_id log field value is equal to 1 or 2, the logon_process.user.ldap_person.manager.employee_uid log field is mapped to the target.user.managers.employee_uid UDM field; otherwise it is mapped to the principal.user.managers.employee_uid UDM field. |
| user.ldap_person.manager.given_name | principal.user.managers.first_name | If the user.ldap_person.manager.given_name log field value is not empty, then: if the activity_id log field value is equal to 1 or 2, the user.ldap_person.manager.given_name log field is mapped to the target.user.managers.first_name UDM field; otherwise it is mapped to the principal.user.managers.first_name UDM field. Else, if the actor.user.ldap_person.manager.given_name log field value is not empty, then: if the activity_id log field value is equal to 1 or 2, the actor.user.ldap_person.manager.given_name log field is mapped to the target.user.managers.first_name UDM field; otherwise it is mapped to the principal.user.managers.first_name UDM field. Else, if the logon_process.user.ldap_person.manager.given_name log field value is not empty, then: if the activity_id log field value is equal to 1 or 2, the logon_process.user.ldap_person.manager.given_name log field is mapped to the target.user.managers.first_name UDM field; otherwise it is mapped to the principal.user.managers.first_name UDM field. |
| actor.user.ldap_person.manager.given_name | principal.user.managers.first_name | If the user.ldap_person.manager.given_name log field value is not empty, then: if the activity_id log field value is equal to 1 or 2, the user.ldap_person.manager.given_name log field is mapped to the target.user.managers.first_name UDM field; otherwise it is mapped to the principal.user.managers.first_name UDM field. Else, if the actor.user.ldap_person.manager.given_name log field value is not empty, then: if the activity_id log field value is equal to 1 or 2, the actor.user.ldap_person.manager.given_name log field is mapped to the target.user.managers.first_name UDM field; otherwise it is mapped to the principal.user.managers.first_name UDM field. Else, if the logon_process.user.ldap_person.manager.given_name log field value is not empty, then: if the activity_id log field value is equal to 1 or 2, the logon_process.user.ldap_person.manager.given_name log field is mapped to the target.user.managers.first_name UDM field; otherwise it is mapped to the principal.user.managers.first_name UDM field. |
| logon_process.user.ldap_person.manager.given_name | principal.user.managers.first_name | If the user.ldap_person.manager.given_name log field value is not empty, then: if the activity_id log field value is equal to 1 or 2, the user.ldap_person.manager.given_name log field is mapped to the target.user.managers.first_name UDM field; otherwise it is mapped to the principal.user.managers.first_name UDM field. Else, if the actor.user.ldap_person.manager.given_name log field value is not empty, then: if the activity_id log field value is equal to 1 or 2, the actor.user.ldap_person.manager.given_name log field is mapped to the target.user.managers.first_name UDM field; otherwise it is mapped to the principal.user.managers.first_name UDM field. Else, if the logon_process.user.ldap_person.manager.given_name log field value is not empty, then: if the activity_id log field value is equal to 1 or 2, the logon_process.user.ldap_person.manager.given_name log field is mapped to the target.user.managers.first_name UDM field; otherwise it is mapped to the principal.user.managers.first_name UDM field. |
| user.ldap_person.manager.hire_time | principal.user.managers.hire_date | If the user.ldap_person.manager.hire_time log field value is not empty, then: if the activity_id log field value is equal to 1 or 2, the user.ldap_person.manager.hire_time log field is mapped to the target.user.managers.hire_date UDM field; otherwise it is mapped to the principal.user.managers.hire_date UDM field. Else, if the actor.user.ldap_person.manager.hire_time log field value is not empty, then: if the activity_id log field value is equal to 1 or 2, the actor.user.ldap_person.manager.hire_time log field is mapped to the target.user.managers.hire_date UDM field; otherwise it is mapped to the principal.user.managers.hire_date UDM field. Else, if the logon_process.user.ldap_person.manager.hire_time log field value is not empty, then: if the activity_id log field value is equal to 1 or 2, the logon_process.user.ldap_person.manager.hire_time log field is mapped to the target.user.managers.hire_date UDM field; otherwise it is mapped to the principal.user.managers.hire_date UDM field. |
| actor.user.ldap_person.manager.hire_time | principal.user.managers.hire_date | If the user.ldap_person.manager.hire_time log field value is not empty, then: if the activity_id log field value is equal to 1 or 2, the user.ldap_person.manager.hire_time log field is mapped to the target.user.managers.hire_date UDM field; otherwise it is mapped to the principal.user.managers.hire_date UDM field. Else, if the actor.user.ldap_person.manager.hire_time log field value is not empty, then: if the activity_id log field value is equal to 1 or 2, the actor.user.ldap_person.manager.hire_time log field is mapped to the target.user.managers.hire_date UDM field; otherwise it is mapped to the principal.user.managers.hire_date UDM field. Else, if the logon_process.user.ldap_person.manager.hire_time log field value is not empty, then: if the activity_id log field value is equal to 1 or 2, the logon_process.user.ldap_person.manager.hire_time log field is mapped to the target.user.managers.hire_date UDM field; otherwise it is mapped to the principal.user.managers.hire_date UDM field. |
| logon_process.user.ldap_person.manager.hire_time | principal.user.managers.hire_date | If the user.ldap_person.manager.hire_time log field value is not empty, then: if the activity_id log field value is equal to 1 or 2, the user.ldap_person.manager.hire_time log field is mapped to the target.user.managers.hire_date UDM field; otherwise it is mapped to the principal.user.managers.hire_date UDM field. Else, if the actor.user.ldap_person.manager.hire_time log field value is not empty, then: if the activity_id log field value is equal to 1 or 2, the actor.user.ldap_person.manager.hire_time log field is mapped to the target.user.managers.hire_date UDM field; otherwise it is mapped to the principal.user.managers.hire_date UDM field. Else, if the logon_process.user.ldap_person.manager.hire_time log field value is not empty, then: if the activity_id log field value is equal to 1 or 2, the logon_process.user.ldap_person.manager.hire_time log field is mapped to the target.user.managers.hire_date UDM field; otherwise it is mapped to the principal.user.managers.hire_date UDM field. |
| user.ldap_person.manager.job_title | principal.user.managers.title | If the user.ldap_person.manager.job_title log field value is not empty, then: if the activity_id log field value is equal to 1 or 2, the user.ldap_person.manager.job_title log field is mapped to the target.user.managers.title UDM field; otherwise it is mapped to the principal.user.managers.title UDM field. Else, if the actor.user.ldap_person.manager.job_title log field value is not empty, then: if the activity_id log field value is equal to 1 or 2, the actor.user.ldap_person.manager.job_title log field is mapped to the target.user.managers.title UDM field; otherwise it is mapped to the principal.user.managers.title UDM field. Else, if the logon_process.user.ldap_person.manager.job_title log field value is not empty, then: if the activity_id log field value is equal to 1 or 2, the logon_process.user.ldap_person.manager.job_title log field is mapped to the target.user.managers.title UDM field; otherwise it is mapped to the principal.user.managers.title UDM field. |
| actor.user.ldap_person.manager.job_title | principal.user.managers.title | If the user.ldap_person.manager.job_title log field value is not empty, then: if the activity_id log field value is equal to 1 or 2, the user.ldap_person.manager.job_title log field is mapped to the target.user.managers.title UDM field; otherwise it is mapped to the principal.user.managers.title UDM field. Else, if the actor.user.ldap_person.manager.job_title log field value is not empty, then: if the activity_id log field value is equal to 1 or 2, the actor.user.ldap_person.manager.job_title log field is mapped to the target.user.managers.title UDM field; otherwise it is mapped to the principal.user.managers.title UDM field. Else, if the logon_process.user.ldap_person.manager.job_title log field value is not empty, then: if the activity_id log field value is equal to 1 or 2, the logon_process.user.ldap_person.manager.job_title log field is mapped to the target.user.managers.title UDM field; otherwise it is mapped to the principal.user.managers.title UDM field. |
| logon_process.user.ldap_person.manager.job_title | principal.user.managers.title | If the user.ldap_person.manager.job_title log field value is not empty, then: if the activity_id log field value is equal to 1 or 2, the user.ldap_person.manager.job_title log field is mapped to the target.user.managers.title UDM field; otherwise it is mapped to the principal.user.managers.title UDM field. Else, if the actor.user.ldap_person.manager.job_title log field value is not empty, then: if the activity_id log field value is equal to 1 or 2, the actor.user.ldap_person.manager.job_title log field is mapped to the target.user.managers.title UDM field; otherwise it is mapped to the principal.user.managers.title UDM field. Else, if the logon_process.user.ldap_person.manager.job_title log field value is not empty, then: if the activity_id log field value is equal to 1 or 2, the logon_process.user.ldap_person.manager.job_title log field is mapped to the target.user.managers.title UDM field; otherwise it is mapped to the principal.user.managers.title UDM field. |
| user.ldap_person.manager.last_login_time | principal.user.managers.last_login_time | If the user.ldap_person.manager.last_login_timelog field value is not empty and if theactivity_idlog field value is equal to1ortheactivity_idlog field value is equal to2then,user.ldap_person.manager.last_login_timelog field is mapped to thetarget.user.managers.last_login_timeUDM field. Else,user.ldap_person.manager.last_login_timelog field is mapped to theprincipal.user.managers.last_login_timeUDM field.Else, if actor.user.ldap_person.manager.last_login_timelog field value is not empty and if theactivity_idlog field value is equal to1ortheactivity_idlog field value is equal to2then,actor.user.ldap_person.manager.last_login_timelog field is mapped to thetarget.user.managers.last_login_timeUDM field. Else,actor.user.ldap_person.manager.last_login_timelog field is mapped to theprincipal.user.managers.last_login_timeUDM field.Else, if logon_process.user.ldap_person.manager.last_login_timelog field value is not empty and if theactivity_idlog field value is equal to1ortheactivity_idlog field value is equal to2then,logon_process.user.ldap_person.manager.last_login_timelog field is mapped to thetarget.user.managers.last_login_timeUDM field. Else,logon_process.user.ldap_person.manager.last_login_timelog field is mapped to theprincipal.user.managers.last_login_timeUDM field. | 
| actor.user.ldap_person.manager.last_login_time | principal.user.managers.last_login_time | If the user.ldap_person.manager.last_login_timelog field value is not empty and if theactivity_idlog field value is equal to1ortheactivity_idlog field value is equal to2then,user.ldap_person.manager.last_login_timelog field is mapped to thetarget.user.managers.last_login_timeUDM field. Else,user.ldap_person.manager.last_login_timelog field is mapped to theprincipal.user.managers.last_login_timeUDM field.Else, if actor.user.ldap_person.manager.last_login_timelog field value is not empty and if theactivity_idlog field value is equal to1ortheactivity_idlog field value is equal to2then,actor.user.ldap_person.manager.last_login_timelog field is mapped to thetarget.user.managers.last_login_timeUDM field. Else,actor.user.ldap_person.manager.last_login_timelog field is mapped to theprincipal.user.managers.last_login_timeUDM field.Else, if logon_process.user.ldap_person.manager.last_login_timelog field value is not empty and if theactivity_idlog field value is equal to1ortheactivity_idlog field value is equal to2then,logon_process.user.ldap_person.manager.last_login_timelog field is mapped to thetarget.user.managers.last_login_timeUDM field. Else,logon_process.user.ldap_person.manager.last_login_timelog field is mapped to theprincipal.user.managers.last_login_timeUDM field. | 
| logon_process.user.ldap_person.manager.last_login_time | principal.user.managers.last_login_time | If the user.ldap_person.manager.last_login_timelog field value is not empty and if theactivity_idlog field value is equal to1ortheactivity_idlog field value is equal to2then,user.ldap_person.manager.last_login_timelog field is mapped to thetarget.user.managers.last_login_timeUDM field. Else,user.ldap_person.manager.last_login_timelog field is mapped to theprincipal.user.managers.last_login_timeUDM field.Else, if actor.user.ldap_person.manager.last_login_timelog field value is not empty and if theactivity_idlog field value is equal to1ortheactivity_idlog field value is equal to2then,actor.user.ldap_person.manager.last_login_timelog field is mapped to thetarget.user.managers.last_login_timeUDM field. Else,actor.user.ldap_person.manager.last_login_timelog field is mapped to theprincipal.user.managers.last_login_timeUDM field.Else, if logon_process.user.ldap_person.manager.last_login_timelog field value is not empty and if theactivity_idlog field value is equal to1ortheactivity_idlog field value is equal to2then,logon_process.user.ldap_person.manager.last_login_timelog field is mapped to thetarget.user.managers.last_login_timeUDM field. Else,logon_process.user.ldap_person.manager.last_login_timelog field is mapped to theprincipal.user.managers.last_login_timeUDM field. | 
| user.ldap_person.manager.office_location | principal.user.managers.office_address.name | If the user.ldap_person.manager.office_locationlog field value is not empty and if theactivity_idlog field value is equal to1ortheactivity_idlog field value is equal to2then,user.ldap_person.manager.office_locationlog field is mapped to thetarget.user.managers.office_address.nameUDM field. Else,user.ldap_person.manager.office_locationlog field is mapped to theprincipal.user.managers.office_address.nameUDM field.Else, if actor.user.ldap_person.manager.office_locationlog field value is not empty and if theactivity_idlog field value is equal to1ortheactivity_idlog field value is equal to2then,actor.user.ldap_person.manager.office_locationlog field is mapped to thetarget.user.managers.office_address.nameUDM field. Else,actor.user.ldap_person.manager.office_locationlog field is mapped to theprincipal.user.managers.office_address.nameUDM field.Else, if logon_process.user.ldap_person.manager.office_locationlog field value is not empty and if theactivity_idlog field value is equal to1ortheactivity_idlog field value is equal to2then,logon_process.user.ldap_person.manager.office_locationlog field is mapped to thetarget.user.managers.office_address.nameUDM field. Else,logon_process.user.ldap_person.manager.office_locationlog field is mapped to theprincipal.user.managers.office_address.nameUDM field. | 
| actor.user.ldap_person.manager.office_location | principal.user.managers.office_address.name | If the user.ldap_person.manager.office_locationlog field value is not empty and if theactivity_idlog field value is equal to1ortheactivity_idlog field value is equal to2then,user.ldap_person.manager.office_locationlog field is mapped to thetarget.user.managers.office_address.nameUDM field. Else,user.ldap_person.manager.office_locationlog field is mapped to theprincipal.user.managers.office_address.nameUDM field.Else, if actor.user.ldap_person.manager.office_locationlog field value is not empty and if theactivity_idlog field value is equal to1ortheactivity_idlog field value is equal to2then,actor.user.ldap_person.manager.office_locationlog field is mapped to thetarget.user.managers.office_address.nameUDM field. Else,actor.user.ldap_person.manager.office_locationlog field is mapped to theprincipal.user.managers.office_address.nameUDM field.Else, if logon_process.user.ldap_person.manager.office_locationlog field value is not empty and if theactivity_idlog field value is equal to1ortheactivity_idlog field value is equal to2then,logon_process.user.ldap_person.manager.office_locationlog field is mapped to thetarget.user.managers.office_address.nameUDM field. Else,logon_process.user.ldap_person.manager.office_locationlog field is mapped to theprincipal.user.managers.office_address.nameUDM field. | 
| logon_process.user.ldap_person.manager.office_location | principal.user.managers.office_address.name | If the user.ldap_person.manager.office_locationlog field value is not empty and if theactivity_idlog field value is equal to1ortheactivity_idlog field value is equal to2then,user.ldap_person.manager.office_locationlog field is mapped to thetarget.user.managers.office_address.nameUDM field. Else,user.ldap_person.manager.office_locationlog field is mapped to theprincipal.user.managers.office_address.nameUDM field.Else, if actor.user.ldap_person.manager.office_locationlog field value is not empty and if theactivity_idlog field value is equal to1ortheactivity_idlog field value is equal to2then,actor.user.ldap_person.manager.office_locationlog field is mapped to thetarget.user.managers.office_address.nameUDM field. Else,actor.user.ldap_person.manager.office_locationlog field is mapped to theprincipal.user.managers.office_address.nameUDM field.Else, if logon_process.user.ldap_person.manager.office_locationlog field value is not empty and if theactivity_idlog field value is equal to1ortheactivity_idlog field value is equal to2then,logon_process.user.ldap_person.manager.office_locationlog field is mapped to thetarget.user.managers.office_address.nameUDM field. Else,logon_process.user.ldap_person.manager.office_locationlog field is mapped to theprincipal.user.managers.office_address.nameUDM field. | 
| user.ldap_person.manager.surname | principal.user.managers.last_name | If the user.ldap_person.manager.surnamelog field value is not empty and if theactivity_idlog field value is equal to1ortheactivity_idlog field value is equal to2then,user.ldap_person.manager.surnamelog field is mapped to thetarget.user.managers.last_nameUDM field. Else,user.ldap_person.manager.surnamelog field is mapped to theprincipal.user.managers.last_nameUDM field.Else, if actor.user.ldap_person.manager.surnamelog field value is not empty and if theactivity_idlog field value is equal to1ortheactivity_idlog field value is equal to2then,actor.user.ldap_person.manager.surnamelog field is mapped to thetarget.user.managers.last_nameUDM field. Else,actor.user.ldap_person.manager.surnamelog field is mapped to theprincipal.user.managers.last_nameUDM field.Else, if logon_process.user.ldap_person.manager.surnamelog field value is not empty and if theactivity_idlog field value is equal to1ortheactivity_idlog field value is equal to2then,logon_process.user.ldap_person.manager.surnamelog field is mapped to thetarget.user.managers.last_nameUDM field. Else,logon_process.user.ldap_person.manager.surnamelog field is mapped to theprincipal.user.managers.last_nameUDM field. | 
| actor.user.ldap_person.manager.surname | principal.user.managers.last_name | If the user.ldap_person.manager.surnamelog field value is not empty and if theactivity_idlog field value is equal to1ortheactivity_idlog field value is equal to2then,user.ldap_person.manager.surnamelog field is mapped to thetarget.user.managers.last_nameUDM field. Else,user.ldap_person.manager.surnamelog field is mapped to theprincipal.user.managers.last_nameUDM field.Else, if actor.user.ldap_person.manager.surnamelog field value is not empty and if theactivity_idlog field value is equal to1ortheactivity_idlog field value is equal to2then,actor.user.ldap_person.manager.surnamelog field is mapped to thetarget.user.managers.last_nameUDM field. Else,actor.user.ldap_person.manager.surnamelog field is mapped to theprincipal.user.managers.last_nameUDM field.Else, if logon_process.user.ldap_person.manager.surnamelog field value is not empty and if theactivity_idlog field value is equal to1ortheactivity_idlog field value is equal to2then,logon_process.user.ldap_person.manager.surnamelog field is mapped to thetarget.user.managers.last_nameUDM field. Else,logon_process.user.ldap_person.manager.surnamelog field is mapped to theprincipal.user.managers.last_nameUDM field. | 
| logon_process.user.ldap_person.manager.surname | principal.user.managers.last_name | If the user.ldap_person.manager.surnamelog field value is not empty and if theactivity_idlog field value is equal to1ortheactivity_idlog field value is equal to2then,user.ldap_person.manager.surnamelog field is mapped to thetarget.user.managers.last_nameUDM field. Else,user.ldap_person.manager.surnamelog field is mapped to theprincipal.user.managers.last_nameUDM field.Else, if actor.user.ldap_person.manager.surnamelog field value is not empty and if theactivity_idlog field value is equal to1ortheactivity_idlog field value is equal to2then,actor.user.ldap_person.manager.surnamelog field is mapped to thetarget.user.managers.last_nameUDM field. Else,actor.user.ldap_person.manager.surnamelog field is mapped to theprincipal.user.managers.last_nameUDM field.Else, if logon_process.user.ldap_person.manager.surnamelog field value is not empty and if theactivity_idlog field value is equal to1ortheactivity_idlog field value is equal to2then,logon_process.user.ldap_person.manager.surnamelog field is mapped to thetarget.user.managers.last_nameUDM field. Else,logon_process.user.ldap_person.manager.surnamelog field is mapped to theprincipal.user.managers.last_nameUDM field. | 
| user.ldap_person.manager.leave_time | principal.user.managers.attribute.labels[user_manager_ldap_person_leave_time] | If the user.ldap_person.manager.leave_timelog field value is not empty and if theactivity_idlog field value is equal to1ortheactivity_idlog field value is equal to2then,user.ldap_person.manager.leave_timelog field is mapped to thetarget.user.managers.attribute.labels[logon_process_user_ldap_person_leave_time]UDM field. Else,user.ldap_person.manager.leave_timelog field is mapped to theprincipal.user.managers.attribute.labels[logon_process_user_ldap_person_leave_time]UDM field.Else, if actor.user.ldap_person.manager.leave_timelog field value is not empty and if theactivity_idlog field value is equal to1ortheactivity_idlog field value is equal to2then,actor.user.ldap_person.manager.leave_timelog field is mapped to thetarget.user.managers.attribute.labels[logon_process_user_ldap_person_leave_time]UDM field. Else,actor.user.ldap_person.manager.leave_timelog field is mapped to theprincipal.user.managers.attribute.labels[logon_process_user_ldap_person_leave_time]UDM field.Else, if logon_process.user.ldap_person.manager.leave_timelog field value is not empty and if theactivity_idlog field value is equal to1ortheactivity_idlog field value is equal to2then,logon_process.user.ldap_person.manager.leave_timelog field is mapped to thetarget.user.managers.attribute.labels[logon_process_user_ldap_person_leave_time]UDM field. Else,logon_process.user.ldap_person.manager.leave_timelog field is mapped to theprincipal.user.managers.attribute.labels[logon_process_user_ldap_person_leave_time]UDM field. | 
| actor.user.ldap_person.manager.leave_time | principal.user.managers.attribute.labels[user_manager_ldap_person_leave_time] | If the user.ldap_person.manager.leave_timelog field value is not empty and if theactivity_idlog field value is equal to1ortheactivity_idlog field value is equal to2then,user.ldap_person.manager.leave_timelog field is mapped to thetarget.user.managers.attribute.labels[logon_process_user_ldap_person_leave_time]UDM field. Else,user.ldap_person.manager.leave_timelog field is mapped to theprincipal.user.managers.attribute.labels[logon_process_user_ldap_person_leave_time]UDM field.Else, if actor.user.ldap_person.manager.leave_timelog field value is not empty and if theactivity_idlog field value is equal to1ortheactivity_idlog field value is equal to2then,actor.user.ldap_person.manager.leave_timelog field is mapped to thetarget.user.managers.attribute.labels[logon_process_user_ldap_person_leave_time]UDM field. Else,actor.user.ldap_person.manager.leave_timelog field is mapped to theprincipal.user.managers.attribute.labels[logon_process_user_ldap_person_leave_time]UDM field.Else, if logon_process.user.ldap_person.manager.leave_timelog field value is not empty and if theactivity_idlog field value is equal to1ortheactivity_idlog field value is equal to2then,logon_process.user.ldap_person.manager.leave_timelog field is mapped to thetarget.user.managers.attribute.labels[logon_process_user_ldap_person_leave_time]UDM field. Else,logon_process.user.ldap_person.manager.leave_timelog field is mapped to theprincipal.user.managers.attribute.labels[logon_process_user_ldap_person_leave_time]UDM field. | 
| logon_process.user.ldap_person.manager.leave_time | principal.user.managers.attribute.labels[user_manager_ldap_person_leave_time] | If the user.ldap_person.manager.leave_timelog field value is not empty and if theactivity_idlog field value is equal to1ortheactivity_idlog field value is equal to2then,user.ldap_person.manager.leave_timelog field is mapped to thetarget.user.managers.attribute.labels[logon_process_user_ldap_person_leave_time]UDM field. Else,user.ldap_person.manager.leave_timelog field is mapped to theprincipal.user.managers.attribute.labels[logon_process_user_ldap_person_leave_time]UDM field.Else, if actor.user.ldap_person.manager.leave_timelog field value is not empty and if theactivity_idlog field value is equal to1ortheactivity_idlog field value is equal to2then,actor.user.ldap_person.manager.leave_timelog field is mapped to thetarget.user.managers.attribute.labels[logon_process_user_ldap_person_leave_time]UDM field. Else,actor.user.ldap_person.manager.leave_timelog field is mapped to theprincipal.user.managers.attribute.labels[logon_process_user_ldap_person_leave_time]UDM field.Else, if logon_process.user.ldap_person.manager.leave_timelog field value is not empty and if theactivity_idlog field value is equal to1ortheactivity_idlog field value is equal to2then,logon_process.user.ldap_person.manager.leave_timelog field is mapped to thetarget.user.managers.attribute.labels[logon_process_user_ldap_person_leave_time]UDM field. Else,logon_process.user.ldap_person.manager.leave_timelog field is mapped to theprincipal.user.managers.attribute.labels[logon_process_user_ldap_person_leave_time]UDM field. | 
| user.ldap_person.manager.modified_time | principal.user.managers.attribute.labels[user_manager_ldap_person_modified_time] | If the user.ldap_person.manager.modified_timelog field value is not empty and if theactivity_idlog field value is equal to1ortheactivity_idlog field value is equal to2then,user.ldap_person.manager.modified_timelog field is mapped to thetarget.user.managers.attribute.labels[logon_process_user_ldap_person_modified_time]UDM field. Else,user.ldap_person.manager.modified_timelog field is mapped to theprincipal.user.managers.attribute.labels[logon_process_user_ldap_person_modified_time]UDM field.Else, if actor.user.ldap_person.manager.modified_timelog field value is not empty and if theactivity_idlog field value is equal to1ortheactivity_idlog field value is equal to2then,actor.user.ldap_person.manager.modified_timelog field is mapped to thetarget.user.managers.attribute.labels[logon_process_user_ldap_person_modified_time]UDM field. Else,actor.user.ldap_person.manager.modified_timelog field is mapped to theprincipal.user.managers.attribute.labels[logon_process_user_ldap_person_modified_time]UDM field.Else, if logon_process.user.ldap_person.manager.modified_timelog field value is not empty and if theactivity_idlog field value is equal to1ortheactivity_idlog field value is equal to2then,logon_process.user.ldap_person.manager.modified_timelog field is mapped to thetarget.user.managers.attribute.labels[logon_process_user_ldap_person_modified_time]UDM field. Else,logon_process.user.ldap_person.manager.modified_timelog field is mapped to theprincipal.user.managers.attribute.labels[logon_process_user_ldap_person_modified_time]UDM field. | 
| actor.user.ldap_person.manager.modified_time | principal.user.managers.attribute.labels[user_manager_ldap_person_modified_time] | If the user.ldap_person.manager.modified_timelog field value is not empty and if theactivity_idlog field value is equal to1ortheactivity_idlog field value is equal to2then,user.ldap_person.manager.modified_timelog field is mapped to thetarget.user.managers.attribute.labels[logon_process_user_ldap_person_modified_time]UDM field. Else,user.ldap_person.manager.modified_timelog field is mapped to theprincipal.user.managers.attribute.labels[logon_process_user_ldap_person_modified_time]UDM field.Else, if actor.user.ldap_person.manager.modified_timelog field value is not empty and if theactivity_idlog field value is equal to1ortheactivity_idlog field value is equal to2then,actor.user.ldap_person.manager.modified_timelog field is mapped to thetarget.user.managers.attribute.labels[logon_process_user_ldap_person_modified_time]UDM field. Else,actor.user.ldap_person.manager.modified_timelog field is mapped to theprincipal.user.managers.attribute.labels[logon_process_user_ldap_person_modified_time]UDM field.Else, if logon_process.user.ldap_person.manager.modified_timelog field value is not empty and if theactivity_idlog field value is equal to1ortheactivity_idlog field value is equal to2then,logon_process.user.ldap_person.manager.modified_timelog field is mapped to thetarget.user.managers.attribute.labels[logon_process_user_ldap_person_modified_time]UDM field. Else,logon_process.user.ldap_person.manager.modified_timelog field is mapped to theprincipal.user.managers.attribute.labels[logon_process_user_ldap_person_modified_time]UDM field. | 
| logon_process.user.ldap_person.manager.modified_time | principal.user.managers.attribute.labels[user_manager_ldap_person_modified_time] | If the user.ldap_person.manager.modified_timelog field value is not empty and if theactivity_idlog field value is equal to1ortheactivity_idlog field value is equal to2then,user.ldap_person.manager.modified_timelog field is mapped to thetarget.user.managers.attribute.labels[logon_process_user_ldap_person_modified_time]UDM field. Else,user.ldap_person.manager.modified_timelog field is mapped to theprincipal.user.managers.attribute.labels[logon_process_user_ldap_person_modified_time]UDM field.Else, if actor.user.ldap_person.manager.modified_timelog field value is not empty and if theactivity_idlog field value is equal to1ortheactivity_idlog field value is equal to2then,actor.user.ldap_person.manager.modified_timelog field is mapped to thetarget.user.managers.attribute.labels[logon_process_user_ldap_person_modified_time]UDM field. Else,actor.user.ldap_person.manager.modified_timelog field is mapped to theprincipal.user.managers.attribute.labels[logon_process_user_ldap_person_modified_time]UDM field.Else, if logon_process.user.ldap_person.manager.modified_timelog field value is not empty and if theactivity_idlog field value is equal to1ortheactivity_idlog field value is equal to2then,logon_process.user.ldap_person.manager.modified_timelog field is mapped to thetarget.user.managers.attribute.labels[logon_process_user_ldap_person_modified_time]UDM field. Else,logon_process.user.ldap_person.manager.modified_timelog field is mapped to theprincipal.user.managers.attribute.labels[logon_process_user_ldap_person_modified_time]UDM field. | 
| user.ldap_person.manager.ldap_cn | principal.user.managers.attribute.labels[user_manager_ldap_person_ldap_cn] | If the user.ldap_person.manager.ldap_cnlog field value is not empty and if theactivity_idlog field value is equal to1ortheactivity_idlog field value is equal to2then,user.ldap_person.manager.ldap_cnlog field is mapped to thetarget.user.managers.attribute.labels[logon_process_user_ldap_person_ldap_cn]UDM field. Else,user.ldap_person.manager.ldap_cnlog field is mapped to theprincipal.user.managers.attribute.labels[logon_process_user_ldap_person_ldap_cn]UDM field.Else, if actor.user.ldap_person.manager.ldap_cnlog field value is not empty and if theactivity_idlog field value is equal to1ortheactivity_idlog field value is equal to2then,actor.user.ldap_person.manager.ldap_cnlog field is mapped to thetarget.user.managers.attribute.labels[logon_process_user_ldap_person_ldap_cn]UDM field. Else,actor.user.ldap_person.manager.ldap_cnlog field is mapped to theprincipal.user.managers.attribute.labels[logon_process_user_ldap_person_ldap_cn]UDM field.Else, if logon_process.user.ldap_person.manager.ldap_cnlog field value is not empty and if theactivity_idlog field value is equal to1ortheactivity_idlog field value is equal to2then,logon_process.user.ldap_person.manager.ldap_cnlog field is mapped to thetarget.user.managers.attribute.labels[logon_process_user_ldap_person_ldap_cn]UDM field. Else,logon_process.user.ldap_person.manager.ldap_cnlog field is mapped to theprincipal.user.managers.attribute.labels[logon_process_user_ldap_person_ldap_cn]UDM field. | 
| actor.user.ldap_person.manager.ldap_cn | principal.user.managers.attribute.labels[user_manager_ldap_person_ldap_cn] | If the user.ldap_person.manager.ldap_cnlog field value is not empty and if theactivity_idlog field value is equal to1ortheactivity_idlog field value is equal to2then,user.ldap_person.manager.ldap_cnlog field is mapped to thetarget.user.managers.attribute.labels[logon_process_user_ldap_person_ldap_cn]UDM field. Else,user.ldap_person.manager.ldap_cnlog field is mapped to theprincipal.user.managers.attribute.labels[logon_process_user_ldap_person_ldap_cn]UDM field.Else, if actor.user.ldap_person.manager.ldap_cnlog field value is not empty and if theactivity_idlog field value is equal to1ortheactivity_idlog field value is equal to2then,actor.user.ldap_person.manager.ldap_cnlog field is mapped to thetarget.user.managers.attribute.labels[logon_process_user_ldap_person_ldap_cn]UDM field. Else,actor.user.ldap_person.manager.ldap_cnlog field is mapped to theprincipal.user.managers.attribute.labels[logon_process_user_ldap_person_ldap_cn]UDM field.Else, if logon_process.user.ldap_person.manager.ldap_cnlog field value is not empty and if theactivity_idlog field value is equal to1ortheactivity_idlog field value is equal to2then,logon_process.user.ldap_person.manager.ldap_cnlog field is mapped to thetarget.user.managers.attribute.labels[logon_process_user_ldap_person_ldap_cn]UDM field. Else,logon_process.user.ldap_person.manager.ldap_cnlog field is mapped to theprincipal.user.managers.attribute.labels[logon_process_user_ldap_person_ldap_cn]UDM field. | 
| logon_process.user.ldap_person.manager.ldap_cn | principal.user.managers.attribute.labels[user_manager_ldap_person_ldap_cn] | If the user.ldap_person.manager.ldap_cnlog field value is not empty and if theactivity_idlog field value is equal to1ortheactivity_idlog field value is equal to2then,user.ldap_person.manager.ldap_cnlog field is mapped to thetarget.user.managers.attribute.labels[logon_process_user_ldap_person_ldap_cn]UDM field. Else,user.ldap_person.manager.ldap_cnlog field is mapped to theprincipal.user.managers.attribute.labels[logon_process_user_ldap_person_ldap_cn]UDM field.Else, if actor.user.ldap_person.manager.ldap_cnlog field value is not empty and if theactivity_idlog field value is equal to1ortheactivity_idlog field value is equal to2then,actor.user.ldap_person.manager.ldap_cnlog field is mapped to thetarget.user.managers.attribute.labels[logon_process_user_ldap_person_ldap_cn]UDM field. Else,actor.user.ldap_person.manager.ldap_cnlog field is mapped to theprincipal.user.managers.attribute.labels[logon_process_user_ldap_person_ldap_cn]UDM field.Else, if logon_process.user.ldap_person.manager.ldap_cnlog field value is not empty and if theactivity_idlog field value is equal to1ortheactivity_idlog field value is equal to2then,logon_process.user.ldap_person.manager.ldap_cnlog field is mapped to thetarget.user.managers.attribute.labels[logon_process_user_ldap_person_ldap_cn]UDM field. Else,logon_process.user.ldap_person.manager.ldap_cnlog field is mapped to theprincipal.user.managers.attribute.labels[logon_process_user_ldap_person_ldap_cn]UDM field. | 
| user.ldap_person.manager.ldap_dn | principal.user.managers.attribute.labels[user_manager_ldap_person_ldap_dn] | If the user.ldap_person.manager.ldap_dn log field value is not empty and if the activity_id log field value is equal to 1 or the activity_id log field value is equal to 2 then, user.ldap_person.manager.ldap_dn log field is mapped to the target.user.managers.attribute.labels[logon_process_user_ldap_person_ldap_dn] UDM field. Else, user.ldap_person.manager.ldap_dn log field is mapped to the principal.user.managers.attribute.labels[logon_process_user_ldap_person_ldap_dn] UDM field. Else, if actor.user.ldap_person.manager.ldap_dn log field value is not empty and if the activity_id log field value is equal to 1 or the activity_id log field value is equal to 2 then, actor.user.ldap_person.manager.ldap_dn log field is mapped to the target.user.managers.attribute.labels[logon_process_user_ldap_person_ldap_dn] UDM field. Else, actor.user.ldap_person.manager.ldap_dn log field is mapped to the principal.user.managers.attribute.labels[logon_process_user_ldap_person_ldap_dn] UDM field. Else, if logon_process.user.ldap_person.manager.ldap_dn log field value is not empty and if the activity_id log field value is equal to 1 or the activity_id log field value is equal to 2 then, logon_process.user.ldap_person.manager.ldap_dn log field is mapped to the target.user.managers.attribute.labels[logon_process_user_ldap_person_ldap_dn] UDM field. Else, logon_process.user.ldap_person.manager.ldap_dn log field is mapped to the principal.user.managers.attribute.labels[logon_process_user_ldap_person_ldap_dn] UDM field. |
| actor.user.ldap_person.manager.ldap_dn | principal.user.managers.attribute.labels[user_manager_ldap_person_ldap_dn] | If the user.ldap_person.manager.ldap_dn log field value is not empty and if the activity_id log field value is equal to 1 or the activity_id log field value is equal to 2 then, user.ldap_person.manager.ldap_dn log field is mapped to the target.user.managers.attribute.labels[logon_process_user_ldap_person_ldap_dn] UDM field. Else, user.ldap_person.manager.ldap_dn log field is mapped to the principal.user.managers.attribute.labels[logon_process_user_ldap_person_ldap_dn] UDM field. Else, if actor.user.ldap_person.manager.ldap_dn log field value is not empty and if the activity_id log field value is equal to 1 or the activity_id log field value is equal to 2 then, actor.user.ldap_person.manager.ldap_dn log field is mapped to the target.user.managers.attribute.labels[logon_process_user_ldap_person_ldap_dn] UDM field. Else, actor.user.ldap_person.manager.ldap_dn log field is mapped to the principal.user.managers.attribute.labels[logon_process_user_ldap_person_ldap_dn] UDM field. Else, if logon_process.user.ldap_person.manager.ldap_dn log field value is not empty and if the activity_id log field value is equal to 1 or the activity_id log field value is equal to 2 then, logon_process.user.ldap_person.manager.ldap_dn log field is mapped to the target.user.managers.attribute.labels[logon_process_user_ldap_person_ldap_dn] UDM field. Else, logon_process.user.ldap_person.manager.ldap_dn log field is mapped to the principal.user.managers.attribute.labels[logon_process_user_ldap_person_ldap_dn] UDM field. |
| logon_process.user.ldap_person.manager.ldap_dn | principal.user.managers.attribute.labels[user_manager_ldap_person_ldap_dn] | If the user.ldap_person.manager.ldap_dn log field value is not empty and if the activity_id log field value is equal to 1 or the activity_id log field value is equal to 2 then, user.ldap_person.manager.ldap_dn log field is mapped to the target.user.managers.attribute.labels[logon_process_user_ldap_person_ldap_dn] UDM field. Else, user.ldap_person.manager.ldap_dn log field is mapped to the principal.user.managers.attribute.labels[logon_process_user_ldap_person_ldap_dn] UDM field. Else, if actor.user.ldap_person.manager.ldap_dn log field value is not empty and if the activity_id log field value is equal to 1 or the activity_id log field value is equal to 2 then, actor.user.ldap_person.manager.ldap_dn log field is mapped to the target.user.managers.attribute.labels[logon_process_user_ldap_person_ldap_dn] UDM field. Else, actor.user.ldap_person.manager.ldap_dn log field is mapped to the principal.user.managers.attribute.labels[logon_process_user_ldap_person_ldap_dn] UDM field. Else, if logon_process.user.ldap_person.manager.ldap_dn log field value is not empty and if the activity_id log field value is equal to 1 or the activity_id log field value is equal to 2 then, logon_process.user.ldap_person.manager.ldap_dn log field is mapped to the target.user.managers.attribute.labels[logon_process_user_ldap_person_ldap_dn] UDM field. Else, logon_process.user.ldap_person.manager.ldap_dn log field is mapped to the principal.user.managers.attribute.labels[logon_process_user_ldap_person_ldap_dn] UDM field. |
| user.ldap_person.manager.labels | principal.user.managers.attribute.labels[user_manager_ldap_person_labels] | If the user.ldap_person.manager.labels log field value is not empty and if the activity_id log field value is equal to 1 or the activity_id log field value is equal to 2 then, user.ldap_person.manager.labels log field is mapped to the target.user.managers.attribute.labels[logon_process_user_ldap_person_labels] UDM field. Else, user.ldap_person.manager.labels log field is mapped to the principal.user.managers.attribute.labels[logon_process_user_ldap_person_labels] UDM field. Else, if actor.user.ldap_person.manager.labels log field value is not empty and if the activity_id log field value is equal to 1 or the activity_id log field value is equal to 2 then, actor.user.ldap_person.manager.labels log field is mapped to the target.user.managers.attribute.labels[logon_process_user_ldap_person_labels] UDM field. Else, actor.user.ldap_person.manager.labels log field is mapped to the principal.user.managers.attribute.labels[logon_process_user_ldap_person_labels] UDM field. Else, if logon_process.user.ldap_person.manager.labels log field value is not empty and if the activity_id log field value is equal to 1 or the activity_id log field value is equal to 2 then, logon_process.user.ldap_person.manager.labels log field is mapped to the target.user.managers.attribute.labels[logon_process_user_ldap_person_labels] UDM field. Else, logon_process.user.ldap_person.manager.labels log field is mapped to the principal.user.managers.attribute.labels[logon_process_user_ldap_person_labels] UDM field. |
| actor.user.ldap_person.manager.labels | principal.user.managers.attribute.labels[user_manager_ldap_person_labels] | If the user.ldap_person.manager.labels log field value is not empty and if the activity_id log field value is equal to 1 or the activity_id log field value is equal to 2 then, user.ldap_person.manager.labels log field is mapped to the target.user.managers.attribute.labels[logon_process_user_ldap_person_labels] UDM field. Else, user.ldap_person.manager.labels log field is mapped to the principal.user.managers.attribute.labels[logon_process_user_ldap_person_labels] UDM field. Else, if actor.user.ldap_person.manager.labels log field value is not empty and if the activity_id log field value is equal to 1 or the activity_id log field value is equal to 2 then, actor.user.ldap_person.manager.labels log field is mapped to the target.user.managers.attribute.labels[logon_process_user_ldap_person_labels] UDM field. Else, actor.user.ldap_person.manager.labels log field is mapped to the principal.user.managers.attribute.labels[logon_process_user_ldap_person_labels] UDM field. Else, if logon_process.user.ldap_person.manager.labels log field value is not empty and if the activity_id log field value is equal to 1 or the activity_id log field value is equal to 2 then, logon_process.user.ldap_person.manager.labels log field is mapped to the target.user.managers.attribute.labels[logon_process_user_ldap_person_labels] UDM field. Else, logon_process.user.ldap_person.manager.labels log field is mapped to the principal.user.managers.attribute.labels[logon_process_user_ldap_person_labels] UDM field. |
| logon_process.user.ldap_person.manager.labels | principal.user.managers.attribute.labels[user_manager_ldap_person_labels] | If the user.ldap_person.manager.labels log field value is not empty and if the activity_id log field value is equal to 1 or the activity_id log field value is equal to 2 then, user.ldap_person.manager.labels log field is mapped to the target.user.managers.attribute.labels[logon_process_user_ldap_person_labels] UDM field. Else, user.ldap_person.manager.labels log field is mapped to the principal.user.managers.attribute.labels[logon_process_user_ldap_person_labels] UDM field. Else, if actor.user.ldap_person.manager.labels log field value is not empty and if the activity_id log field value is equal to 1 or the activity_id log field value is equal to 2 then, actor.user.ldap_person.manager.labels log field is mapped to the target.user.managers.attribute.labels[logon_process_user_ldap_person_labels] UDM field. Else, actor.user.ldap_person.manager.labels log field is mapped to the principal.user.managers.attribute.labels[logon_process_user_ldap_person_labels] UDM field. Else, if logon_process.user.ldap_person.manager.labels log field value is not empty and if the activity_id log field value is equal to 1 or the activity_id log field value is equal to 2 then, logon_process.user.ldap_person.manager.labels log field is mapped to the target.user.managers.attribute.labels[logon_process_user_ldap_person_labels] UDM field. Else, logon_process.user.ldap_person.manager.labels log field is mapped to the principal.user.managers.attribute.labels[logon_process_user_ldap_person_labels] UDM field. |
| user.ldap_person.manager.cost_center | principal.user.managers.attribute.labels[user_manager_ldap_person_cost_center] | If the user.ldap_person.manager.cost_center log field value is not empty and if the activity_id log field value is equal to 1 or the activity_id log field value is equal to 2 then, user.ldap_person.manager.cost_center log field is mapped to the target.user.managers.attribute.labels[logon_process_user_ldap_person_cost_center] UDM field. Else, user.ldap_person.manager.cost_center log field is mapped to the principal.user.managers.attribute.labels[logon_process_user_ldap_person_cost_center] UDM field. Else, if actor.user.ldap_person.manager.cost_center log field value is not empty and if the activity_id log field value is equal to 1 or the activity_id log field value is equal to 2 then, actor.user.ldap_person.manager.cost_center log field is mapped to the target.user.managers.attribute.labels[logon_process_user_ldap_person_cost_center] UDM field. Else, actor.user.ldap_person.manager.cost_center log field is mapped to the principal.user.managers.attribute.labels[logon_process_user_ldap_person_cost_center] UDM field. Else, if logon_process.user.ldap_person.manager.cost_center log field value is not empty and if the activity_id log field value is equal to 1 or the activity_id log field value is equal to 2 then, logon_process.user.ldap_person.manager.cost_center log field is mapped to the target.user.managers.attribute.labels[logon_process_user_ldap_person_cost_center] UDM field. Else, logon_process.user.ldap_person.manager.cost_center log field is mapped to the principal.user.managers.attribute.labels[logon_process_user_ldap_person_cost_center] UDM field. |
| actor.user.ldap_person.manager.cost_center | principal.user.managers.attribute.labels[user_manager_ldap_person_cost_center] | If the user.ldap_person.manager.cost_center log field value is not empty and if the activity_id log field value is equal to 1 or the activity_id log field value is equal to 2 then, user.ldap_person.manager.cost_center log field is mapped to the target.user.managers.attribute.labels[logon_process_user_ldap_person_cost_center] UDM field. Else, user.ldap_person.manager.cost_center log field is mapped to the principal.user.managers.attribute.labels[logon_process_user_ldap_person_cost_center] UDM field. Else, if actor.user.ldap_person.manager.cost_center log field value is not empty and if the activity_id log field value is equal to 1 or the activity_id log field value is equal to 2 then, actor.user.ldap_person.manager.cost_center log field is mapped to the target.user.managers.attribute.labels[logon_process_user_ldap_person_cost_center] UDM field. Else, actor.user.ldap_person.manager.cost_center log field is mapped to the principal.user.managers.attribute.labels[logon_process_user_ldap_person_cost_center] UDM field. Else, if logon_process.user.ldap_person.manager.cost_center log field value is not empty and if the activity_id log field value is equal to 1 or the activity_id log field value is equal to 2 then, logon_process.user.ldap_person.manager.cost_center log field is mapped to the target.user.managers.attribute.labels[logon_process_user_ldap_person_cost_center] UDM field. Else, logon_process.user.ldap_person.manager.cost_center log field is mapped to the principal.user.managers.attribute.labels[logon_process_user_ldap_person_cost_center] UDM field. |
| logon_process.user.ldap_person.manager.cost_center | principal.user.managers.attribute.labels[user_manager_ldap_person_cost_center] | If the user.ldap_person.manager.cost_center log field value is not empty and if the activity_id log field value is equal to 1 or the activity_id log field value is equal to 2 then, user.ldap_person.manager.cost_center log field is mapped to the target.user.managers.attribute.labels[logon_process_user_ldap_person_cost_center] UDM field. Else, user.ldap_person.manager.cost_center log field is mapped to the principal.user.managers.attribute.labels[logon_process_user_ldap_person_cost_center] UDM field. Else, if actor.user.ldap_person.manager.cost_center log field value is not empty and if the activity_id log field value is equal to 1 or the activity_id log field value is equal to 2 then, actor.user.ldap_person.manager.cost_center log field is mapped to the target.user.managers.attribute.labels[logon_process_user_ldap_person_cost_center] UDM field. Else, actor.user.ldap_person.manager.cost_center log field is mapped to the principal.user.managers.attribute.labels[logon_process_user_ldap_person_cost_center] UDM field. Else, if logon_process.user.ldap_person.manager.cost_center log field value is not empty and if the activity_id log field value is equal to 1 or the activity_id log field value is equal to 2 then, logon_process.user.ldap_person.manager.cost_center log field is mapped to the target.user.managers.attribute.labels[logon_process_user_ldap_person_cost_center] UDM field. Else, logon_process.user.ldap_person.manager.cost_center log field is mapped to the principal.user.managers.attribute.labels[logon_process_user_ldap_person_cost_center] UDM field. |
| user.ldap_person.manager.created_time | principal.user.managers.attribute.labels[user_manager_ldap_person_created_time] | If the user.ldap_person.manager.created_time log field value is not empty and if the activity_id log field value is equal to 1 or the activity_id log field value is equal to 2 then, user.ldap_person.manager.created_time log field is mapped to the target.user.managers.attribute.labels[logon_process_user_ldap_person_created_time] UDM field. Else, user.ldap_person.manager.created_time log field is mapped to the principal.user.managers.attribute.labels[logon_process_user_ldap_person_created_time] UDM field. Else, if actor.user.ldap_person.manager.created_time log field value is not empty and if the activity_id log field value is equal to 1 or the activity_id log field value is equal to 2 then, actor.user.ldap_person.manager.created_time log field is mapped to the target.user.managers.attribute.labels[logon_process_user_ldap_person_created_time] UDM field. Else, actor.user.ldap_person.manager.created_time log field is mapped to the principal.user.managers.attribute.labels[logon_process_user_ldap_person_created_time] UDM field. Else, if logon_process.user.ldap_person.manager.created_time log field value is not empty and if the activity_id log field value is equal to 1 or the activity_id log field value is equal to 2 then, logon_process.user.ldap_person.manager.created_time log field is mapped to the target.user.managers.attribute.labels[logon_process_user_ldap_person_created_time] UDM field. Else, logon_process.user.ldap_person.manager.created_time log field is mapped to the principal.user.managers.attribute.labels[logon_process_user_ldap_person_created_time] UDM field. |
| actor.user.ldap_person.manager.created_time | principal.user.managers.attribute.labels[user_manager_ldap_person_created_time] | If the user.ldap_person.manager.created_time log field value is not empty and if the activity_id log field value is equal to 1 or the activity_id log field value is equal to 2 then, user.ldap_person.manager.created_time log field is mapped to the target.user.managers.attribute.labels[logon_process_user_ldap_person_created_time] UDM field. Else, user.ldap_person.manager.created_time log field is mapped to the principal.user.managers.attribute.labels[logon_process_user_ldap_person_created_time] UDM field. Else, if actor.user.ldap_person.manager.created_time log field value is not empty and if the activity_id log field value is equal to 1 or the activity_id log field value is equal to 2 then, actor.user.ldap_person.manager.created_time log field is mapped to the target.user.managers.attribute.labels[logon_process_user_ldap_person_created_time] UDM field. Else, actor.user.ldap_person.manager.created_time log field is mapped to the principal.user.managers.attribute.labels[logon_process_user_ldap_person_created_time] UDM field. Else, if logon_process.user.ldap_person.manager.created_time log field value is not empty and if the activity_id log field value is equal to 1 or the activity_id log field value is equal to 2 then, logon_process.user.ldap_person.manager.created_time log field is mapped to the target.user.managers.attribute.labels[logon_process_user_ldap_person_created_time] UDM field. Else, logon_process.user.ldap_person.manager.created_time log field is mapped to the principal.user.managers.attribute.labels[logon_process_user_ldap_person_created_time] UDM field. |
| logon_process.user.ldap_person.manager.created_time | principal.user.managers.attribute.labels[user_manager_ldap_person_created_time] | If the user.ldap_person.manager.created_time log field value is not empty and if the activity_id log field value is equal to 1 or the activity_id log field value is equal to 2 then, user.ldap_person.manager.created_time log field is mapped to the target.user.managers.attribute.labels[logon_process_user_ldap_person_created_time] UDM field. Else, user.ldap_person.manager.created_time log field is mapped to the principal.user.managers.attribute.labels[logon_process_user_ldap_person_created_time] UDM field. Else, if actor.user.ldap_person.manager.created_time log field value is not empty and if the activity_id log field value is equal to 1 or the activity_id log field value is equal to 2 then, actor.user.ldap_person.manager.created_time log field is mapped to the target.user.managers.attribute.labels[logon_process_user_ldap_person_created_time] UDM field. Else, actor.user.ldap_person.manager.created_time log field is mapped to the principal.user.managers.attribute.labels[logon_process_user_ldap_person_created_time] UDM field. Else, if logon_process.user.ldap_person.manager.created_time log field value is not empty and if the activity_id log field value is equal to 1 or the activity_id log field value is equal to 2 then, logon_process.user.ldap_person.manager.created_time log field is mapped to the target.user.managers.attribute.labels[logon_process_user_ldap_person_created_time] UDM field. Else, logon_process.user.ldap_person.manager.created_time log field is mapped to the principal.user.managers.attribute.labels[logon_process_user_ldap_person_created_time] UDM field. |
| user.ldap_person.manager.deleted_time | principal.user.managers.attribute.labels[user_manager_ldap_person_deleted_time] | If the user.ldap_person.manager.deleted_time log field value is not empty and if the activity_id log field value is equal to 1 or the activity_id log field value is equal to 2 then, user.ldap_person.manager.deleted_time log field is mapped to the target.user.managers.attribute.labels[logon_process_user_ldap_person_deleted_time] UDM field. Else, user.ldap_person.manager.deleted_time log field is mapped to the principal.user.managers.attribute.labels[logon_process_user_ldap_person_deleted_time] UDM field. Else, if actor.user.ldap_person.manager.deleted_time log field value is not empty and if the activity_id log field value is equal to 1 or the activity_id log field value is equal to 2 then, actor.user.ldap_person.manager.deleted_time log field is mapped to the target.user.managers.attribute.labels[logon_process_user_ldap_person_deleted_time] UDM field. Else, actor.user.ldap_person.manager.deleted_time log field is mapped to the principal.user.managers.attribute.labels[logon_process_user_ldap_person_deleted_time] UDM field. Else, if logon_process.user.ldap_person.manager.deleted_time log field value is not empty and if the activity_id log field value is equal to 1 or the activity_id log field value is equal to 2 then, logon_process.user.ldap_person.manager.deleted_time log field is mapped to the target.user.managers.attribute.labels[logon_process_user_ldap_person_deleted_time] UDM field. Else, logon_process.user.ldap_person.manager.deleted_time log field is mapped to the principal.user.managers.attribute.labels[logon_process_user_ldap_person_deleted_time] UDM field. |
| actor.user.ldap_person.manager.deleted_time | principal.user.managers.attribute.labels[user_manager_ldap_person_deleted_time] | If the user.ldap_person.manager.deleted_time log field value is not empty and if the activity_id log field value is equal to 1 or the activity_id log field value is equal to 2 then, user.ldap_person.manager.deleted_time log field is mapped to the target.user.managers.attribute.labels[logon_process_user_ldap_person_deleted_time] UDM field. Else, user.ldap_person.manager.deleted_time log field is mapped to the principal.user.managers.attribute.labels[logon_process_user_ldap_person_deleted_time] UDM field. Else, if actor.user.ldap_person.manager.deleted_time log field value is not empty and if the activity_id log field value is equal to 1 or the activity_id log field value is equal to 2 then, actor.user.ldap_person.manager.deleted_time log field is mapped to the target.user.managers.attribute.labels[logon_process_user_ldap_person_deleted_time] UDM field. Else, actor.user.ldap_person.manager.deleted_time log field is mapped to the principal.user.managers.attribute.labels[logon_process_user_ldap_person_deleted_time] UDM field. Else, if logon_process.user.ldap_person.manager.deleted_time log field value is not empty and if the activity_id log field value is equal to 1 or the activity_id log field value is equal to 2 then, logon_process.user.ldap_person.manager.deleted_time log field is mapped to the target.user.managers.attribute.labels[logon_process_user_ldap_person_deleted_time] UDM field. Else, logon_process.user.ldap_person.manager.deleted_time log field is mapped to the principal.user.managers.attribute.labels[logon_process_user_ldap_person_deleted_time] UDM field. |
| logon_process.user.ldap_person.manager.deleted_time | principal.user.managers.attribute.labels[user_manager_ldap_person_deleted_time] | If the user.ldap_person.manager.deleted_time log field value is not empty and if the activity_id log field value is equal to 1 or the activity_id log field value is equal to 2 then, user.ldap_person.manager.deleted_time log field is mapped to the target.user.managers.attribute.labels[logon_process_user_ldap_person_deleted_time] UDM field. Else, user.ldap_person.manager.deleted_time log field is mapped to the principal.user.managers.attribute.labels[logon_process_user_ldap_person_deleted_time] UDM field. Else, if actor.user.ldap_person.manager.deleted_time log field value is not empty and if the activity_id log field value is equal to 1 or the activity_id log field value is equal to 2 then, actor.user.ldap_person.manager.deleted_time log field is mapped to the target.user.managers.attribute.labels[logon_process_user_ldap_person_deleted_time] UDM field. Else, actor.user.ldap_person.manager.deleted_time log field is mapped to the principal.user.managers.attribute.labels[logon_process_user_ldap_person_deleted_time] UDM field. Else, if logon_process.user.ldap_person.manager.deleted_time log field value is not empty and if the activity_id log field value is equal to 1 or the activity_id log field value is equal to 2 then, logon_process.user.ldap_person.manager.deleted_time log field is mapped to the target.user.managers.attribute.labels[logon_process_user_ldap_person_deleted_time] UDM field. Else, logon_process.user.ldap_person.manager.deleted_time log field is mapped to the principal.user.managers.attribute.labels[logon_process_user_ldap_person_deleted_time] UDM field. |
| user.ldap_person.manager.location | principal.user.managers.attribute.labels[user_manager_ldap_person_location] | If the user.ldap_person.manager.location log field value is not empty and if the activity_id log field value is equal to 1 or the activity_id log field value is equal to 2 then, user.ldap_person.manager.location log field is mapped to the target.user.managers.attribute.labels[logon_process_user_ldap_person_location] UDM field. Else, user.ldap_person.manager.location log field is mapped to the principal.user.managers.attribute.labels[logon_process_user_ldap_person_location] UDM field. Else, if actor.user.ldap_person.manager.location log field value is not empty and if the activity_id log field value is equal to 1 or the activity_id log field value is equal to 2 then, actor.user.ldap_person.manager.location log field is mapped to the target.user.managers.attribute.labels[logon_process_user_ldap_person_location] UDM field. Else, actor.user.ldap_person.manager.location log field is mapped to the principal.user.managers.attribute.labels[logon_process_user_ldap_person_location] UDM field. Else, if logon_process.user.ldap_person.manager.location log field value is not empty and if the activity_id log field value is equal to 1 or the activity_id log field value is equal to 2 then, logon_process.user.ldap_person.manager.location log field is mapped to the target.user.managers.attribute.labels[logon_process_user_ldap_person_location] UDM field. Else, logon_process.user.ldap_person.manager.location log field is mapped to the principal.user.managers.attribute.labels[logon_process_user_ldap_person_location] UDM field. |
| actor.user.ldap_person.manager.location | principal.user.managers.attribute.labels[user_manager_ldap_person_location] | If the user.ldap_person.manager.location log field value is not empty and if the activity_id log field value is equal to 1 or the activity_id log field value is equal to 2 then, user.ldap_person.manager.location log field is mapped to the target.user.managers.attribute.labels[logon_process_user_ldap_person_location] UDM field. Else, user.ldap_person.manager.location log field is mapped to the principal.user.managers.attribute.labels[logon_process_user_ldap_person_location] UDM field. Else, if actor.user.ldap_person.manager.location log field value is not empty and if the activity_id log field value is equal to 1 or the activity_id log field value is equal to 2 then, actor.user.ldap_person.manager.location log field is mapped to the target.user.managers.attribute.labels[logon_process_user_ldap_person_location] UDM field. Else, actor.user.ldap_person.manager.location log field is mapped to the principal.user.managers.attribute.labels[logon_process_user_ldap_person_location] UDM field. Else, if logon_process.user.ldap_person.manager.location log field value is not empty and if the activity_id log field value is equal to 1 or the activity_id log field value is equal to 2 then, logon_process.user.ldap_person.manager.location log field is mapped to the target.user.managers.attribute.labels[logon_process_user_ldap_person_location] UDM field. Else, logon_process.user.ldap_person.manager.location log field is mapped to the principal.user.managers.attribute.labels[logon_process_user_ldap_person_location] UDM field. |
| logon_process.user.ldap_person.manager.location | principal.user.managers.attribute.labels[user_manager_ldap_person_location] | If the user.ldap_person.manager.location log field value is not empty and if the activity_id log field value is equal to 1 or the activity_id log field value is equal to 2 then, user.ldap_person.manager.location log field is mapped to the target.user.managers.attribute.labels[logon_process_user_ldap_person_location] UDM field. Else, user.ldap_person.manager.location log field is mapped to the principal.user.managers.attribute.labels[logon_process_user_ldap_person_location] UDM field. Else, if actor.user.ldap_person.manager.location log field value is not empty and if the activity_id log field value is equal to 1 or the activity_id log field value is equal to 2 then, actor.user.ldap_person.manager.location log field is mapped to the target.user.managers.attribute.labels[logon_process_user_ldap_person_location] UDM field. Else, actor.user.ldap_person.manager.location log field is mapped to the principal.user.managers.attribute.labels[logon_process_user_ldap_person_location] UDM field. Else, if logon_process.user.ldap_person.manager.location log field value is not empty and if the activity_id log field value is equal to 1 or the activity_id log field value is equal to 2 then, logon_process.user.ldap_person.manager.location log field is mapped to the target.user.managers.attribute.labels[logon_process_user_ldap_person_location] UDM field. Else, logon_process.user.ldap_person.manager.location log field is mapped to the principal.user.managers.attribute.labels[logon_process_user_ldap_person_location] UDM field. |
| user.groups.domain | principal.user.group_identifiers | If the user.ldap_person.groups.domain log field value is not empty and if the activity_id log field value is equal to 1 or the activity_id log field value is equal to 2 then, iterate through log field user.groups, then user.groups.domain log field is mapped to the target.user.group_identifiers UDM field. Else, iterate through log field user.groups, then user.groups.domain log field is mapped to the principal.user.group_identifiers UDM field. Else, if actor.user.ldap_person.groups.domain log field value is not empty and if the activity_id log field value is equal to 1 or the activity_id log field value is equal to 2 then, iterate through log field user.groups, then actor.user.groups.domain log field is mapped to the target.user.group_identifiers UDM field. Else, iterate through log field user.groups, then actor.user.groups.domain log field is mapped to the principal.user.group_identifiers UDM field. Else, if logon_process.user.ldap_person.groups.domain log field value is not empty and if the activity_id log field value is equal to 1 or the activity_id log field value is equal to 2 then, iterate through log field user.groups, then logon_process.user.groups.domain log field is mapped to the target.user.group_identifiers UDM field. Else, iterate through log field user.groups, then logon_process.user.groups.domain log field is mapped to the principal.user.group_identifiers UDM field. |
| actor.user.groups.domain | principal.user.group_identifiers | If the user.ldap_person.groups.domain log field value is not empty and if the activity_id log field value is equal to 1 or the activity_id log field value is equal to 2 then, iterate through log field user.groups, then user.groups.domain log field is mapped to the target.user.group_identifiers UDM field. Else, iterate through log field user.groups, then user.groups.domain log field is mapped to the principal.user.group_identifiers UDM field. Else, if actor.user.ldap_person.groups.domain log field value is not empty and if the activity_id log field value is equal to 1 or the activity_id log field value is equal to 2 then, iterate through log field user.groups, then actor.user.groups.domain log field is mapped to the target.user.group_identifiers UDM field. Else, iterate through log field user.groups, then actor.user.groups.domain log field is mapped to the principal.user.group_identifiers UDM field. Else, if logon_process.user.ldap_person.groups.domain log field value is not empty and if the activity_id log field value is equal to 1 or the activity_id log field value is equal to 2 then, iterate through log field user.groups, then logon_process.user.groups.domain log field is mapped to the target.user.group_identifiers UDM field. Else, iterate through log field user.groups, then logon_process.user.groups.domain log field is mapped to the principal.user.group_identifiers UDM field. |
| logon_process.user.groups.domain | principal.user.group_identifiers | If the user.ldap_person.groups.domain log field value is not empty and if the activity_id log field value is equal to 1 or the activity_id log field value is equal to 2 then, iterate through log field user.groups, then user.groups.domain log field is mapped to the target.user.group_identifiers UDM field. Else, iterate through log field user.groups, then user.groups.domain log field is mapped to the principal.user.group_identifiers UDM field. Else, if actor.user.ldap_person.groups.domain log field value is not empty and if the activity_id log field value is equal to 1 or the activity_id log field value is equal to 2 then, iterate through log field user.groups, then actor.user.groups.domain log field is mapped to the target.user.group_identifiers UDM field. Else, iterate through log field user.groups, then actor.user.groups.domain log field is mapped to the principal.user.group_identifiers UDM field. Else, if logon_process.user.ldap_person.groups.domain log field value is not empty and if the activity_id log field value is equal to 1 or the activity_id log field value is equal to 2 then, iterate through log field user.groups, then logon_process.user.groups.domain log field is mapped to the target.user.group_identifiers UDM field. Else, iterate through log field user.groups, then logon_process.user.groups.domain log field is mapped to the principal.user.group_identifiers UDM field. |
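The rows above all follow one pattern: the parser consults user, then actor.user, then logon_process.user, takes the first non-empty value, and writes it under target.* when activity_id is 1 or 2 and under principal.* otherwise. The following added example (not the Google SecOps parser's own code) applies that pattern to a constructed OCSF Authentication event; the helper names (get_path, noun_for, map_manager_attrs, map_group_identifiers) are this example's own, and the label key follows the page's UDM mapping column.

```python
"""Added example: user-source fallback and principal/target routing for
OCSF Authentication manager and group fields, as described in the mapping
table. Helper names are this example's own, not the parser's."""
from typing import Any, Dict, List

# Order in which the mapping table consults user objects.
USER_SOURCES = ("user", "actor.user", "logon_process.user")

# Manager attributes listed in the table.
MANAGER_ATTRS = ("ldap_dn", "labels", "cost_center", "created_time",
                 "deleted_time", "location")


def get_path(obj: Dict[str, Any], dotted: str) -> Any:
    """Resolve a dotted path such as 'actor.user.ldap_person.manager.ldap_dn'."""
    cur: Any = obj
    for key in dotted.split("."):
        if not isinstance(cur, dict) or key not in cur:
            return None
        cur = cur[key]
    return cur


def is_empty(value: Any) -> bool:
    """The table's 'not empty' test, assumed to mean missing, "", [] or {}."""
    return value is None or value == "" or value == [] or value == {}


def noun_for(activity_id: Any) -> str:
    """activity_id 1 or 2 routes to target.*, anything else to principal.*."""
    return "target" if activity_id in (1, 2) else "principal"


def map_manager_attrs(event: Dict[str, Any]) -> Dict[str, str]:
    """Each attribute independently takes the first non-empty source."""
    noun = noun_for(event.get("activity_id"))
    udm: Dict[str, str] = {}
    for attr in MANAGER_ATTRS:
        for src in USER_SOURCES:
            value = get_path(event, f"{src}.ldap_person.manager.{attr}")
            if not is_empty(value):
                # Label key taken from the table's UDM mapping column.
                key = (f"{noun}.user.managers.attribute.labels"
                       f"[user_manager_ldap_person_{attr}]")
                udm[key] = str(value)
                break
    return udm


def map_group_identifiers(event: Dict[str, Any]) -> Dict[str, List[str]]:
    """Iterate the first source whose groups carry a domain (assumption:
    'not empty' means at least one group has a non-empty domain)."""
    noun = noun_for(event.get("activity_id"))
    for src in USER_SOURCES:
        groups = get_path(event, f"{src}.groups")
        if not isinstance(groups, list):
            continue
        domains = [g["domain"] for g in groups
                   if isinstance(g, dict) and not is_empty(g.get("domain"))]
        if domains:
            return {f"{noun}.user.group_identifiers": domains}
    return {}


# Constructed sample event: the top-level user block is present but empty,
# so manager fields fall through to actor.user and logon_process.user.
SAMPLE_EVENT: Dict[str, Any] = {
    "class_uid": 3002,
    "activity_id": 1,  # Logon: routed to target.*
    "user": {"ldap_person": {"manager": {"ldap_dn": ""}}, "groups": []},
    "actor": {"user": {
        "ldap_person": {"manager": {
            "ldap_dn": "CN=Manager,OU=Users,DC=example,DC=com",
            "cost_center": "CC-1234"}},
        "groups": [{"name": "Domain Users", "domain": "example.com"},
                   {"name": "no-domain"}]}},
    "logon_process": {"user": {"ldap_person": {"manager": {
        "location": "Zurich"}}}},
}

if __name__ == "__main__":
    for k, v in {**map_manager_attrs(SAMPLE_EVENT),
                 **map_group_identifiers(SAMPLE_EVENT)}.items():
        print(f"{k} = {v}")
```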
Field mapping reference: OCSF Authorize Session
The following table lists the log fields for the Authorize Session log type and their corresponding UDM fields.
| Log field | UDM mapping | Logic | 
|---|---|---|
| cloud.region | about.location.name | |
| cloud.zone | about.resource.attribute.cloud.availability_zone | |
| cloud.provider | about.resource.attribute.cloud.environment | If the cloud.provider log field value matches the regular expression pattern AWS then, the about.resource.attribute.cloud.environment UDM field is set to AMAZON_WEB_SERVICES. Else, if cloud.provider log field value matches the regular expression pattern MS Azure then, the about.resource.attribute.cloud.environment UDM field is set to MICROSOFT_AZURE. Else, if cloud.provider log field value matches the regular expression pattern GCP then, the about.resource.attribute.cloud.environment UDM field is set to GOOGLE_CLOUD_PLATFORM. |
| cloud.org.name | about.resource.name | |
| cloud.org.uid | about.resource.product_object_id | |
| dst_endpoint.intermediate_ips | intermediary.ip | |
| api.response.message | metadata.description | If the message log field value is empty then, api.response.message log field is mapped to the metadata.description UDM field. |
| message | metadata.description | |
| time | metadata.event_timestamp | |
| activity_id | metadata.event_type | If the class_name log field value is equal to Authorize Session and if the activity_id log field value is equal to 1 then, the metadata.event_type UDM field is set to USER_CHANGE_PERMISSIONS. Else, if the activity_id log field value is equal to 2 then, the metadata.event_type UDM field is set to GROUP_MODIFICATION. Else, the metadata.event_type UDM field is set to USER_UNCATEGORIZED. |
| class_name | metadata.log_type | |
| activity_name | metadata.product_event_type | `%{activity_id} - %{activity_name}` log field is mapped to the `metadata.product_event_type` UDM field. |
| metadata.uid | metadata.product_log_id | |
| metadata.product.name | metadata.product_name | |
| metadata.product.version | metadata.product_version | |
| metadata.product.vendor_name | metadata.vendor_name | |
| metadata.logged_time | metadata.collected_timestamp | |
| api.response.code | network.http.response_code | |
| session.uid | network.session_id | If the `session.uid` log field value is empty then, `actor.session.uid` log field is mapped to the `network.session_id` UDM field. |
| actor.session.uid | network.session_id | If the `session.uid` log field value is empty then, `actor.session.uid` log field is mapped to the `network.session_id` UDM field. |
| observables.value | observer.file.names | Iterate through log field `observables.value`, then if the index value is equal to `0` and if the `observables.type_id` log field value is equal to `1` then, `observables.value` log field is mapped to the `observer.hostname` UDM field. Else, if `observables.type_id` log field value is equal to `2` then, `observables.value` log field is mapped to the `observer.ip` UDM field. Else, if `observables.type_id` log field value is equal to `3` then, `observables.value` log field is mapped to the `observer.mac` UDM field. Else, if `observables.type_id` log field value is equal to `4` then, `observables.value` log field is mapped to the `observer.user.userid` UDM field. Else, if `observables.type_id` log field value is equal to `5` then, `observables.value` log field is mapped to the `observer.user.email_addresses` UDM field. Else, if `observables.type_id` log field value is equal to `6` then, `observables.value` log field is mapped to the `observer.url` UDM field. Else, if `observables.type_id` log field value is equal to `7` then, `observables.value` log field is mapped to the `observer.file.names` UDM field. Else, if `observables.type_id` log field value is equal to `8` then, `observables.value` log field is mapped to the `observer.file.vhash` UDM field. Else, if `observables.type_id` log field value is equal to `9` then, `observables.value` log field is mapped to the `observer.process.file.names` UDM field. Else, if `observables.type_id` log field value is equal to `10` then, `observables.value` log field is mapped to the `observer.resource.product_object_id` UDM field. |
| observables.value | observer.file.vhash | Iterate through log field `observables.value`, then if the index value is equal to `0` and if the `observables.type_id` log field value is equal to `1` then, `observables.value` log field is mapped to the `observer.hostname` UDM field. Else, if `observables.type_id` log field value is equal to `2` then, `observables.value` log field is mapped to the `observer.ip` UDM field. Else, if `observables.type_id` log field value is equal to `3` then, `observables.value` log field is mapped to the `observer.mac` UDM field. Else, if `observables.type_id` log field value is equal to `4` then, `observables.value` log field is mapped to the `observer.user.userid` UDM field. Else, if `observables.type_id` log field value is equal to `5` then, `observables.value` log field is mapped to the `observer.user.email_addresses` UDM field. Else, if `observables.type_id` log field value is equal to `6` then, `observables.value` log field is mapped to the `observer.url` UDM field. Else, if `observables.type_id` log field value is equal to `7` then, `observables.value` log field is mapped to the `observer.file.names` UDM field. Else, if `observables.type_id` log field value is equal to `8` then, `observables.value` log field is mapped to the `observer.file.vhash` UDM field. Else, if `observables.type_id` log field value is equal to `9` then, `observables.value` log field is mapped to the `observer.process.file.names` UDM field. Else, if `observables.type_id` log field value is equal to `10` then, `observables.value` log field is mapped to the `observer.resource.product_object_id` UDM field. |
| observables.value | observer.hostname | Iterate through log field `observables.value`, then if the index value is equal to `0` and if the `observables.type_id` log field value is equal to `1` then, `observables.value` log field is mapped to the `observer.hostname` UDM field. Else, if `observables.type_id` log field value is equal to `2` then, `observables.value` log field is mapped to the `observer.ip` UDM field. Else, if `observables.type_id` log field value is equal to `3` then, `observables.value` log field is mapped to the `observer.mac` UDM field. Else, if `observables.type_id` log field value is equal to `4` then, `observables.value` log field is mapped to the `observer.user.userid` UDM field. Else, if `observables.type_id` log field value is equal to `5` then, `observables.value` log field is mapped to the `observer.user.email_addresses` UDM field. Else, if `observables.type_id` log field value is equal to `6` then, `observables.value` log field is mapped to the `observer.url` UDM field. Else, if `observables.type_id` log field value is equal to `7` then, `observables.value` log field is mapped to the `observer.file.names` UDM field. Else, if `observables.type_id` log field value is equal to `8` then, `observables.value` log field is mapped to the `observer.file.vhash` UDM field. Else, if `observables.type_id` log field value is equal to `9` then, `observables.value` log field is mapped to the `observer.process.file.names` UDM field. Else, if `observables.type_id` log field value is equal to `10` then, `observables.value` log field is mapped to the `observer.resource.product_object_id` UDM field. |
| observables.value | observer.ip | Iterate through log field `observables.value`, then if the index value is equal to `0` and if the `observables.type_id` log field value is equal to `1` then, `observables.value` log field is mapped to the `observer.hostname` UDM field. Else, if `observables.type_id` log field value is equal to `2` then, `observables.value` log field is mapped to the `observer.ip` UDM field. Else, if `observables.type_id` log field value is equal to `3` then, `observables.value` log field is mapped to the `observer.mac` UDM field. Else, if `observables.type_id` log field value is equal to `4` then, `observables.value` log field is mapped to the `observer.user.userid` UDM field. Else, if `observables.type_id` log field value is equal to `5` then, `observables.value` log field is mapped to the `observer.user.email_addresses` UDM field. Else, if `observables.type_id` log field value is equal to `6` then, `observables.value` log field is mapped to the `observer.url` UDM field. Else, if `observables.type_id` log field value is equal to `7` then, `observables.value` log field is mapped to the `observer.file.names` UDM field. Else, if `observables.type_id` log field value is equal to `8` then, `observables.value` log field is mapped to the `observer.file.vhash` UDM field. Else, if `observables.type_id` log field value is equal to `9` then, `observables.value` log field is mapped to the `observer.process.file.names` UDM field. Else, if `observables.type_id` log field value is equal to `10` then, `observables.value` log field is mapped to the `observer.resource.product_object_id` UDM field. |
| observables.value | observer.mac | Iterate through log field `observables.value`, then if the index value is equal to `0` and if the `observables.type_id` log field value is equal to `1` then, `observables.value` log field is mapped to the `observer.hostname` UDM field. Else, if `observables.type_id` log field value is equal to `2` then, `observables.value` log field is mapped to the `observer.ip` UDM field. Else, if `observables.type_id` log field value is equal to `3` then, `observables.value` log field is mapped to the `observer.mac` UDM field. Else, if `observables.type_id` log field value is equal to `4` then, `observables.value` log field is mapped to the `observer.user.userid` UDM field. Else, if `observables.type_id` log field value is equal to `5` then, `observables.value` log field is mapped to the `observer.user.email_addresses` UDM field. Else, if `observables.type_id` log field value is equal to `6` then, `observables.value` log field is mapped to the `observer.url` UDM field. Else, if `observables.type_id` log field value is equal to `7` then, `observables.value` log field is mapped to the `observer.file.names` UDM field. Else, if `observables.type_id` log field value is equal to `8` then, `observables.value` log field is mapped to the `observer.file.vhash` UDM field. Else, if `observables.type_id` log field value is equal to `9` then, `observables.value` log field is mapped to the `observer.process.file.names` UDM field. Else, if `observables.type_id` log field value is equal to `10` then, `observables.value` log field is mapped to the `observer.resource.product_object_id` UDM field. |
| observables.value | observer.process.file.names | Iterate through log field `observables.value`, then if the index value is equal to `0` and if the `observables.type_id` log field value is equal to `1` then, `observables.value` log field is mapped to the `observer.hostname` UDM field. Else, if `observables.type_id` log field value is equal to `2` then, `observables.value` log field is mapped to the `observer.ip` UDM field. Else, if `observables.type_id` log field value is equal to `3` then, `observables.value` log field is mapped to the `observer.mac` UDM field. Else, if `observables.type_id` log field value is equal to `4` then, `observables.value` log field is mapped to the `observer.user.userid` UDM field. Else, if `observables.type_id` log field value is equal to `5` then, `observables.value` log field is mapped to the `observer.user.email_addresses` UDM field. Else, if `observables.type_id` log field value is equal to `6` then, `observables.value` log field is mapped to the `observer.url` UDM field. Else, if `observables.type_id` log field value is equal to `7` then, `observables.value` log field is mapped to the `observer.file.names` UDM field. Else, if `observables.type_id` log field value is equal to `8` then, `observables.value` log field is mapped to the `observer.file.vhash` UDM field. Else, if `observables.type_id` log field value is equal to `9` then, `observables.value` log field is mapped to the `observer.process.file.names` UDM field. Else, if `observables.type_id` log field value is equal to `10` then, `observables.value` log field is mapped to the `observer.resource.product_object_id` UDM field. |
| observables.value | observer.resource.product_object_id | Iterate through log field `observables.value`, then if the index value is equal to `0` and if the `observables.type_id` log field value is equal to `1` then, `observables.value` log field is mapped to the `observer.hostname` UDM field. Else, if `observables.type_id` log field value is equal to `2` then, `observables.value` log field is mapped to the `observer.ip` UDM field. Else, if `observables.type_id` log field value is equal to `3` then, `observables.value` log field is mapped to the `observer.mac` UDM field. Else, if `observables.type_id` log field value is equal to `4` then, `observables.value` log field is mapped to the `observer.user.userid` UDM field. Else, if `observables.type_id` log field value is equal to `5` then, `observables.value` log field is mapped to the `observer.user.email_addresses` UDM field. Else, if `observables.type_id` log field value is equal to `6` then, `observables.value` log field is mapped to the `observer.url` UDM field. Else, if `observables.type_id` log field value is equal to `7` then, `observables.value` log field is mapped to the `observer.file.names` UDM field. Else, if `observables.type_id` log field value is equal to `8` then, `observables.value` log field is mapped to the `observer.file.vhash` UDM field. Else, if `observables.type_id` log field value is equal to `9` then, `observables.value` log field is mapped to the `observer.process.file.names` UDM field. Else, if `observables.type_id` log field value is equal to `10` then, `observables.value` log field is mapped to the `observer.resource.product_object_id` UDM field. |
| observables.value | observer.url | Iterate through log field `observables.value`, then if the index value is equal to `0` and if the `observables.type_id` log field value is equal to `1` then, `observables.value` log field is mapped to the `observer.hostname` UDM field. Else, if `observables.type_id` log field value is equal to `2` then, `observables.value` log field is mapped to the `observer.ip` UDM field. Else, if `observables.type_id` log field value is equal to `3` then, `observables.value` log field is mapped to the `observer.mac` UDM field. Else, if `observables.type_id` log field value is equal to `4` then, `observables.value` log field is mapped to the `observer.user.userid` UDM field. Else, if `observables.type_id` log field value is equal to `5` then, `observables.value` log field is mapped to the `observer.user.email_addresses` UDM field. Else, if `observables.type_id` log field value is equal to `6` then, `observables.value` log field is mapped to the `observer.url` UDM field. Else, if `observables.type_id` log field value is equal to `7` then, `observables.value` log field is mapped to the `observer.file.names` UDM field. Else, if `observables.type_id` log field value is equal to `8` then, `observables.value` log field is mapped to the `observer.file.vhash` UDM field. Else, if `observables.type_id` log field value is equal to `9` then, `observables.value` log field is mapped to the `observer.process.file.names` UDM field. Else, if `observables.type_id` log field value is equal to `10` then, `observables.value` log field is mapped to the `observer.resource.product_object_id` UDM field. |
| observables.value | observer.user.email_addresses | Iterate through log field `observables.value`, then if the index value is equal to `0` and if the `observables.type_id` log field value is equal to `1` then, `observables.value` log field is mapped to the `observer.hostname` UDM field. Else, if `observables.type_id` log field value is equal to `2` then, `observables.value` log field is mapped to the `observer.ip` UDM field. Else, if `observables.type_id` log field value is equal to `3` then, `observables.value` log field is mapped to the `observer.mac` UDM field. Else, if `observables.type_id` log field value is equal to `4` then, `observables.value` log field is mapped to the `observer.user.userid` UDM field. Else, if `observables.type_id` log field value is equal to `5` then, `observables.value` log field is mapped to the `observer.user.email_addresses` UDM field. Else, if `observables.type_id` log field value is equal to `6` then, `observables.value` log field is mapped to the `observer.url` UDM field. Else, if `observables.type_id` log field value is equal to `7` then, `observables.value` log field is mapped to the `observer.file.names` UDM field. Else, if `observables.type_id` log field value is equal to `8` then, `observables.value` log field is mapped to the `observer.file.vhash` UDM field. Else, if `observables.type_id` log field value is equal to `9` then, `observables.value` log field is mapped to the `observer.process.file.names` UDM field. Else, if `observables.type_id` log field value is equal to `10` then, `observables.value` log field is mapped to the `observer.resource.product_object_id` UDM field. |
| observables.value | observer.user.userid | Iterate through log field `observables.value`, then if the index value is equal to `0` and if the `observables.type_id` log field value is equal to `1` then, `observables.value` log field is mapped to the `observer.hostname` UDM field. Else, if `observables.type_id` log field value is equal to `2` then, `observables.value` log field is mapped to the `observer.ip` UDM field. Else, if `observables.type_id` log field value is equal to `3` then, `observables.value` log field is mapped to the `observer.mac` UDM field. Else, if `observables.type_id` log field value is equal to `4` then, `observables.value` log field is mapped to the `observer.user.userid` UDM field. Else, if `observables.type_id` log field value is equal to `5` then, `observables.value` log field is mapped to the `observer.user.email_addresses` UDM field. Else, if `observables.type_id` log field value is equal to `6` then, `observables.value` log field is mapped to the `observer.url` UDM field. Else, if `observables.type_id` log field value is equal to `7` then, `observables.value` log field is mapped to the `observer.file.names` UDM field. Else, if `observables.type_id` log field value is equal to `8` then, `observables.value` log field is mapped to the `observer.file.vhash` UDM field. Else, if `observables.type_id` log field value is equal to `9` then, `observables.value` log field is mapped to the `observer.process.file.names` UDM field. Else, if `observables.type_id` log field value is equal to `10` then, `observables.value` log field is mapped to the `observer.resource.product_object_id` UDM field. |
| actor.process.user.domain | principal.administrative_domain | If the `actor.user.domain` log field value is empty then, `actor.process.user.domain` log field is mapped to the `principal.administrative_domain` UDM field. |
| actor.user.domain | principal.administrative_domain | |
| device.created_time | principal.asset.attribute.creation_time | |
| device.modified_time | principal.asset.attribute.last_update_time | |
| device.first_seen_time | principal.asset.first_seen_time | |
| device.hw_info.cpu_speed | principal.asset.hardware.cpu_clock_speed | |
| device.hw_info.cpu_type | principal.asset.hardware.cpu_model | |
| device.hw_info.cpu_cores | principal.asset.hardware.cpu_number_cores | |
| device.hw_info.bios_manufacturer | principal.asset.hardware.manufacturer | |
| device.hw_info.ram_size | principal.asset.hardware.ram | |
| device.hw_info.serial_number | principal.asset.hardware.serial_number | |
| device.hostname | principal.asset.hostname | |
| device.ip | principal.asset.ip | |
| device.location.city | principal.asset.location.city | |
| device.location.country | principal.asset.location.country_or_region | |
| device.region | principal.asset.location.name | |
| device.location.coordinates.0 | principal.asset.location.region_coordinates.longitude | |
| device.location.coordinates.1 | principal.asset.location.region_coordinates.latitude | |
| device.location.region | principal.asset.location.name | If the `device.region` log field value is empty then, `device.location.region` log field is mapped to the `principal.asset.location.name` UDM field. |
| device.mac | principal.asset.mac | |
| device.domain | principal.asset.network_domain | |
| device.os.type_id | principal.asset.platform_software.platform | If the `device.os.type_id` log field value is equal to `100` or the `device.os.type_id` log field value is equal to `101` then, the `principal.asset.platform_software.platform` UDM field is set to `WINDOWS`. Else, if `device.os.type_id` log field value is equal to `200` then, the `principal.asset.platform_software.platform` UDM field is set to `LINUX`. Else, if `device.os.type_id` log field value is equal to `201` then, the `principal.asset.platform_software.platform` UDM field is set to `ANDROID`. Else, if `device.os.type_id` log field value is equal to `300` then, the `principal.asset.platform_software.platform` UDM field is set to `MAC`. Else, if `device.os.type_id` log field value is equal to `301` then, the `principal.asset.platform_software.platform` UDM field is set to `IOS`. Else, the `principal.asset.platform_software.platform` UDM field is set to `UNKNOWN_PLATFORM`. |
| device.os.version | principal.asset.platform_software.platform_version | |
| device.uid | principal.asset.product_object_id | |
| device.type_id | principal.asset.type | If the `device.type_id` log field value is equal to `1` then, the `principal.asset.type` UDM field is set to `SERVER`. Else, if `device.type_id` log field value is equal to `2` then, the `principal.asset.type` UDM field is set to `WORKSTATION`. Else, if `device.type_id` log field value is equal to `3` then, the `principal.asset.type` UDM field is set to `LAPTOP`. Else, if `device.type_id` log field value is equal to `4` or the `device.type_id` log field value is equal to `5` then, the `principal.asset.type` UDM field is set to `MOBILE`. Else, if `device.type_id` log field value is equal to `7` then, the `principal.asset.type` UDM field is set to `IOT`. Else, the `principal.asset.type` UDM field is set to `ROLE_UNSPECIFIED`. |
| actor.process.user.groups.privileges | principal.group.attribute.permissions.name | If the `actor.user.groups.privileges` log field value is empty then, `actor.process.user.groups.privileges` log field is mapped to the `principal.group.attribute.permissions.name` UDM field. |
| actor.user.groups.privileges | principal.group.attribute.permissions.name | |
| actor.process.user.groups.name | principal.group.group_display_name | If the `actor.user.groups.name` log field value is empty then, `actor.process.user.groups.name` log field is mapped to the `principal.group.group_display_name` UDM field. |
| actor.user.groups.name | principal.group.group_display_name | |
| actor.process.cmd_line | principal.process.command_line | |
| actor.process.file.created_time | principal.process.file.first_seen_time | |
| actor.process.file.path | principal.process.file.full_path | |
| actor.process.file.modified_time | principal.process.file.last_modification_time | |
| actor.process.file.accessed_time | principal.process.file.last_seen_time | |
| actor.process.file.mime_type | principal.process.file.mime_type | |
| actor.process.file.name | principal.process.file.names | |
| actor.process.file.size | principal.process.file.size | |
| actor.process.parent_process.cmd_line | principal.process.parent_process.command_line | |
| actor.process.parent_process.file.created_time | principal.process.parent_process.file.first_seen_time | |
| actor.process.parent_process.file.path | principal.process.parent_process.file.full_path | |
| actor.process.parent_process.file.modified_time | principal.process.parent_process.file.last_modification_time | |
| actor.process.parent_process.file.accessed_time | principal.process.parent_process.file.last_seen_time | |
| actor.process.parent_process.file.mime_type | principal.process.parent_process.file.mime_type | |
| actor.process.parent_process.file.name | principal.process.parent_process.file.names | |
| actor.process.parent_process.file.size | principal.process.parent_process.file.size | |
| actor.process.parent_process.pid | principal.process.parent_process.pid | |
| actor.process.parent_process.uid | principal.process.parent_process.product_specific_process_id | |
| actor.process.pid | principal.process.pid | |
| actor.process.uid | principal.process.product_specific_process_id | |
| cloud.project_uid | principal.resource.product_object_id | |
| actor.process.user.type_id | principal.user.attribute.roles.name | If the `actor.user.type_id` log field value is empty and if the `type_id` log field value is equal to `0` then, the `principal.user.attribute.roles.name` UDM field is set to `Unknown`. Else, if `type_id` log field value is equal to `1` then, the `principal.user.attribute.roles.name` UDM field is set to `User`. Else, if `type_id` log field value is equal to `2` then, the `principal.user.attribute.roles.name` UDM field is set to `Admin`. Else, if `type_id` log field value is equal to `3` then, the `principal.user.attribute.roles.name` UDM field is set to `System`. Else, the `principal.user.attribute.roles.name` UDM field is set to `Other`. |
| actor.user.type_id | principal.user.attribute.roles.name | If the `type_id` log field value is equal to `0` then, the `principal.user.attribute.roles.name` UDM field is set to `Unknown`. Else, if `type_id` log field value is equal to `1` then, the `principal.user.attribute.roles.name` UDM field is set to `User`. Else, if `type_id` log field value is equal to `2` then, the `principal.user.attribute.roles.name` UDM field is set to `Admin`. Else, if `type_id` log field value is equal to `3` then, the `principal.user.attribute.roles.name` UDM field is set to `System`. Else, the `principal.user.attribute.roles.name` UDM field is set to `Other`. |
| actor.process.user.org.name | principal.user.company_name | If the `actor.user.org.name` log field value is empty then, `%{actor.process.user.org.name}` log field is mapped to the `principal.user.company_name` UDM field. |
| actor.user.org.name | principal.user.company_name | |
| actor.process.user.org.ou_name | principal.user.department | If the `actor.user.org.ou_name` log field value is empty then, `%{actor.process.user.org.ou_name}` log field is mapped to the `principal.user.department` UDM field. |
| actor.user.org.ou_name | principal.user.department | |
| actor.process.user.email_addr | principal.user.email_addresses | If the `actor.user.email_addr` log field value is empty then, `%{actor.process.user.email_addr}` log field is mapped to the `principal.user.email_addresses` UDM field. |
| actor.user.email_addr | principal.user.email_addresses | |
| actor.process.user.groups.uid | principal.user.group_identifiers | If the `actor.user.groups.uid` log field value is empty then, `%{actor.process.user.groups.uid}` log field is mapped to the `principal.user.group_identifiers` UDM field. |
| actor.user.groups.uid | principal.user.group_identifiers | |
| actor.process.user.full_name | principal.user.user_display_name | If the `actor.user.full_name` log field value is empty then, `%{actor.process.user.full_name}` log field is mapped to the `principal.user.user_display_name` UDM field. |
| actor.user.full_name | principal.user.user_display_name | |
| actor.process.user.name | principal.user.userid | If the `actor.user.name` log field value is empty then, `%{actor.process.user.name}` log field is mapped to the `principal.user.userid` UDM field. |
| actor.user.name | principal.user.userid | |
| actor.process.user.uid | principal.user.product_object_id | If the `actor.user.uid` log field value is empty then, `%{actor.process.user.uid}` log field is mapped to the `principal.user.product_object_id` UDM field. |
| actor.user.uid | principal.user.product_object_id | |
| category_name | security_result.category_details | `%{category_uid} - %{category_name}` log field is mapped to the `security_result.category_details` UDM field. |
| category_uid | security_result.category_details | |
| severity_id | security_result.severity | If the `severity_id` log field value is equal to `1` then, the `security_result.severity` UDM field is set to `INFORMATIONAL`. Else, if `severity_id` log field value is equal to `2` then, the `security_result.severity` UDM field is set to `LOW`. Else, if `severity_id` log field value is equal to `3` then, the `security_result.severity` UDM field is set to `MEDIUM`. Else, if `severity_id` log field value is equal to `4` then, the `security_result.severity` UDM field is set to `HIGH`. Else, if `severity_id` log field value is equal to `5` then, the `security_result.severity` UDM field is set to `CRITICAL`. Else, the `security_result.severity` UDM field is set to `UNKNOWN_SEVERITY`. |
| severity | security_result.severity_details | |
| user.domain | target.administrative_domain | |
| api.service.name | target.application | If the `dst_endpoint.svc_name` log field value is empty then, `%{api.service.name}` log field is mapped to the `target.application` UDM field. |
| dst_endpoint.svc_name | target.application | |
| dst_endpoint.uid | target.asset_id | |
| dst_endpoint.domain | target.domain.name | |
| group.privileges | target.group.attribute.permissions.name | If the `user.groups.privileges` log field value is empty then, `group.privileges` log field is mapped to the `target.group.attribute.permissions.name` UDM field. |
| user.groups.privileges | target.group.attribute.permissions.name | |
| group.name | target.group.group_display_name | If the `user.groups.name` log field value is empty then, `group.name` log field is mapped to the `target.group.group_display_name` UDM field. |
| user.groups.name | target.group.group_display_name | |
| dst_endpoint.hostname | target.hostname | |
| dst_endpoint.ip | target.ip | |
| dst_endpoint.location.city | target.location.city | |
| dst_endpoint.location.country | target.location.country_or_region | |
| dst_endpoint.location.region | target.location.name | |
| dst_endpoint.location.coordinates | target.location.region_coordinates.longitude/latitude | |
| dst_endpoint.mac | target.mac | |
| dst_endpoint.port | target.port | |
| privileges | target.user.attribute.permissions.name | |
| user.type_id | target.user.attribute.roles.name | If the `type_id` log field value is equal to `0` then, the `target.user.attribute.roles.name` UDM field is set to `Unknown`. Else, if `type_id` log field value is equal to `1` then, the `target.user.attribute.roles.name` UDM field is set to `User`. Else, if `type_id` log field value is equal to `2` then, the `target.user.attribute.roles.name` UDM field is set to `Admin`. Else, if `type_id` log field value is equal to `3` then, the `target.user.attribute.roles.name` UDM field is set to `System`. Else, the `target.user.attribute.roles.name` UDM field is set to `Other`. |
| user.org.name | target.user.company_name | |
| user.org.ou_name | target.user.department | |
| user.email_addr | target.user.email_addresses | |
| group.uid | target.user.group_identifiers | If the `user.groups.uid` log field value is empty then, `group.uid` log field is mapped to the `target.user.group_identifiers` UDM field. |
| user.groups.uid | target.user.group_identifiers | |
| user.full_name | target.user.user_display_name | |
| user.name | target.user.userid | |
| user.uid | target.user.product_object_id | |
| dst_endpoint.hw_info.bios_date | target.asset.attribute.labels[dst_endpoint_hw_info_bios_date] | |
| dst_endpoint.hw_info.bios_manufacturer | target.asset.hardware.manufacturer | |
| dst_endpoint.hw_info.bios_ver | target.asset.hardware.model | |
| dst_endpoint.hw_info.cpu_bits | target.asset.attribute.labels[dst_endpoint_hw_info_cpu_bits] | |
| dst_endpoint.hw_info.cpu_cores | target.asset.hardware.cpu_number_cores | |
| dst_endpoint.hw_info.cpu_count | target.asset.attribute.labels[dst_endpoint_hw_info_cpu_count] | |
| dst_endpoint.hw_info.chassis | target.asset.attribute.labels[dst_endpoint_hw_info_chassis] | |
| dst_endpoint.hw_info.desktop_display.color_depth | target.asset.attribute.labels[dst_endpoint_hw_info_desktop_display_color_depth] | |
| dst_endpoint.hw_info.desktop_display.physical_height | target.asset.attribute.labels[dst_endpoint_hw_info_desktop_display_physical_height] | |
| dst_endpoint.hw_info.desktop_display.physical_orientation | target.asset.attribute.labels[dst_endpoint_hw_info_desktop_display_physical_orientation] | |
| dst_endpoint.hw_info.desktop_display.physical_width | target.asset.attribute.labels[dst_endpoint_hw_info_desktop_display_physical_width] | |
| dst_endpoint.hw_info.desktop_display.scale_factor | target.asset.attribute.labels[dst_endpoint_hw_info_desktop_display_scale_factor] | |
| dst_endpoint.hw_info.keyboard_info.function_keys | target.asset.attribute.labels[dst_endpoint_hw_info_keyboard_info_function_keys] | |
| dst_endpoint.hw_info.keyboard_info.ime | target.asset.attribute.labels[dst_endpoint_hw_info_keyboard_info_ime] | |
| dst_endpoint.hw_info.keyboard_info.keyboard_layout | target.asset.attribute.labels[dst_endpoint_hw_info_keyboard_info_keyboard_layout] | |
| dst_endpoint.hw_info.keyboard_info.keyboard_subtype | target.asset.attribute.labels[dst_endpoint_hw_info_keyboard_info_keyboard_subtype] | |
| dst_endpoint.hw_info.keyboard_info.keyboard_type | target.asset.attribute.labels[dst_endpoint_hw_info_keyboard_info_keyboard_type] | |
| dst_endpoint.hw_info.cpu_speed | target.asset.hardware.cpu_max_clock_speed | |
| dst_endpoint.hw_info.cpu_type | target.asset.hardware.cpu_platform | |
| dst_endpoint.hw_info.ram_size | target.asset.hardware.ram | |
| dst_endpoint.hw_info.serial_number | target.asset.hardware.serial_number | |
| dst_endpoint.zone | target.asset.attribute.labels[dst_endpoint_zone] | |
| dst_endpoint.type | additional.fields[dst_endpoint_type] | |
| dst_endpoint.type_id | additional.fields[dst_endpoint_type_id] | |
| dst_endpoint.os.cpe_name | target.asset.attribute.labels[dst_endpoint_os_cpe_name] | |
| dst_endpoint.proxy_endpoint.svc_name | intermediary.application | |
| dst_endpoint.proxy_endpoint.intermediate_ips.array | intermediary.ip | |
| dst_endpoint.proxy_endpoint.domain | intermediary.domain.name | |
| dst_endpoint.proxy_endpoint.hostname | intermediary.hostname | |
| dst_endpoint.proxy_endpoint.ip | intermediary.ip | |
| dst_endpoint.proxy_endpoint.location.city | intermediary.location.city | |
| dst_endpoint.proxy_endpoint.location.country | intermediary.location.country_or_region | |
| dst_endpoint.proxy_endpoint.location.region | intermediary.location.name | |
| dst_endpoint.proxy_endpoint.location.coordinates | intermediary.location.region_coordinates | |
| dst_endpoint.proxy_endpoint.mac | intermediary.mac | |
| dst_endpoint.proxy_endpoint.port | intermediary.port | |
| dst_endpoint.proxy_endpoint.uid | intermediary.asset_id | |
| dst_endpoint.proxy_endpoint.hw_info.bios_date | intermediary.asset.attribute.labels[dst_endpoint_proxy_endpoint_hw_info_bios_date] | |
| dst_endpoint.proxy_endpoint.hw_info.bios_manufacturer | intermediary.asset.hardware.manufacturer | |
| dst_endpoint.proxy_endpoint.hw_info.bios_ver | intermediary.asset.hardware.model | |
| dst_endpoint.proxy_endpoint.hw_info.cpu_bits | intermediary.asset.attribute.labels[dst_endpoint_proxy_endpoint_hw_info_cpu_bits] | |
| dst_endpoint.proxy_endpoint.hw_info.cpu_cores | intermediary.asset.hardware.cpu_number_cores | |
| dst_endpoint.proxy_endpoint.hw_info.cpu_count | intermediary.asset.attribute.labels[dst_endpoint_proxy_endpoint_hw_info_cpu_count] | |
| dst_endpoint.proxy_endpoint.hw_info.chassis | intermediary.asset.attribute.labels[dst_endpoint_proxy_endpoint_hw_info_chassis] | |
| dst_endpoint.proxy_endpoint.hw_info.desktop_display.color_depth | intermediary.asset.attribute.labels[dst_endpoint_proxy_endpoint_hw_info_desktop_display_color_depth] | |
| dst_endpoint.proxy_endpoint.hw_info.desktop_display.physical_height | intermediary.asset.attribute.labels[dst_endpoint_proxy_endpoint_hw_info_desktop_display_physical_height] | |
| dst_endpoint.proxy_endpoint.hw_info.desktop_display.physical_orientation | intermediary.asset.attribute.labels[dst_endpoint_proxy_endpoint_hw_info_desktop_display_physical_orientation] | |
| dst_endpoint.proxy_endpoint.hw_info.desktop_display.physical_width | intermediary.asset.attribute.labels[dst_endpoint_proxy_endpoint_hw_info_desktop_display_physical_width] | |
| dst_endpoint.proxy_endpoint.hw_info.desktop_display.scale_factor | intermediary.asset.attribute.labels[dst_endpoint_proxy_endpoint_hw_info_desktop_display_scale_factor] | |
| dst_endpoint.proxy_endpoint.hw_info.keyboard_info.function_keys | intermediary.asset.attribute.labels[dst_endpoint_proxy_endpoint_hw_info_keyboard_info_function_keys] | |
| dst_endpoint.proxy_endpoint.hw_info.keyboard_info.ime | intermediary.asset.attribute.labels[dst_endpoint_proxy_endpoint_hw_info_keyboard_info_ime] | |
| dst_endpoint.proxy_endpoint.hw_info.keyboard_info.keyboard_layout | intermediary.asset.attribute.labels[dst_endpoint_proxy_endpoint_hw_info_keyboard_info_keyboard_layout] | |
| dst_endpoint.proxy_endpoint.hw_info.keyboard_info.keyboard_subtype | intermediary.asset.attribute.labels[dst_endpoint_proxy_endpoint_hw_info_keyboard_info_keyboard_subtype] | |
| dst_endpoint.proxy_endpoint.hw_info.keyboard_info.keyboard_type | intermediary.asset.attribute.labels[dst_endpoint_proxy_endpoint_hw_info_keyboard_info_keyboard_type] | |
| dst_endpoint.proxy_endpoint.hw_info.cpu_speed | intermediary.asset.hardware.cpu_max_clock_speed | |
| dst_endpoint.proxy_endpoint.hw_info.cpu_type | intermediary.asset.hardware.cpu_platform | |
| dst_endpoint.proxy_endpoint.hw_info.ram_size | intermediary.asset.hardware.ram | |
| dst_endpoint.proxy_endpoint.hw_info.serial_number | intermediary.asset.hardware.serial_number | |
| dst_endpoint.proxy_endpoint.zone | intermediary.asset.attribute.labels[dst_endpoint_proxy_endpoint_zone] | |
| dst_endpoint.proxy_endpoint.type | additional.fields[dst_endpoint_proxy_endpoint_type] | |
| dst_endpoint.proxy_endpoint.type_id | additional.fields[dst_endpoint_proxy_endpoint_type_id] | |
| dst_endpoint.proxy_endpoint.os.cpe_name | intermediary.asset.attribute.labels[dst_endpoint_proxy_endpoint_os_cpe_name] | |
| group.domain | principal.user.group_identifiers | |
| metadata.log_level | additional.fields[metadata_log_level] | |
| metadata.tenant_uid | additional.fields[metadata_tenant_uid] | |
| metadata.product.cpe_name | about.asset.attribute.labels[metadata_product_cpe_name] | |
| metadata.loggers.device.hostname | about.asset.hostname | Iterate through the metadata.loggers log field, then the metadata.loggers.device.hostname log field is mapped to the about.asset.hostname UDM field. |
| metadata.loggers.device.ip | about.asset.ip | Iterate through the metadata.loggers log field, then the metadata.loggers.device.ip log field is mapped to the about.asset.ip UDM field. |
| metadata.loggers.device.instance_uid | about.asset.attribute.labels[metadata_device_instance_uid] | Iterate through the metadata.loggers log field, then the metadata.loggers.device.instance_uid log field is mapped to the about.asset.attribute.labels[metadata_device_instance_uid] UDM field. |
| metadata.loggers.device.name | about.asset.attribute.labels[metadata_device_name] | Iterate through the metadata.loggers log field, then the metadata.loggers.device.name log field is mapped to the about.asset.attribute.labels[metadata_device_name] UDM field. |
| metadata.loggers.device.interface_uid | about.asset.attribute.labels[metadata_device_interface_uid] | Iterate through the metadata.loggers log field, then the metadata.loggers.device.interface_uid log field is mapped to the about.asset.attribute.labels[metadata_device_interface_uid] UDM field. |
| metadata.loggers.device.interface_name | about.asset.attribute.labels[metadata_device_interface_name] | Iterate through the metadata.loggers log field, then the metadata.loggers.device.interface_name log field is mapped to the about.asset.attribute.labels[metadata_device_interface_name] UDM field. |
| metadata.loggers.device.region | about.asset.attribute.labels[metadata_device_region] | Iterate through the metadata.loggers log field, then the metadata.loggers.device.region log field is mapped to the about.asset.attribute.labels[metadata_device_region] UDM field. |
| metadata.loggers.device.type_id | about.asset.attribute.labels[metadata_device_type_id] | Iterate through the metadata.loggers log field, then the metadata.loggers.device.type_id log field is mapped to the about.asset.attribute.labels[metadata_device_type_id] UDM field. |
| metadata.loggers.device.uid | about.asset.asset_id | Iterate through the metadata.loggers log field, then the metadata.loggers.device.uid log field is mapped to the about.asset.asset_id UDM field. |
| metadata.loggers.product.name | additional.fields[metadata_product_name] | Iterate through the metadata.loggers log field, then the metadata.loggers.product.name log field is mapped to the additional.fields[metadata_product_name] UDM field. |
| metadata.loggers.product.vendor_name | additional.fields[metadata_product_vendor_name] | Iterate through the metadata.loggers log field, then the metadata.loggers.product.vendor_name log field is mapped to the additional.fields[metadata_product_vendor_name] UDM field. |
| metadata.loggers.product.version | additional.fields[metadata_product_version] | Iterate through the metadata.loggers log field, then the metadata.loggers.product.version log field is mapped to the additional.fields[metadata_product_version] UDM field. |
| metadata.loggers.product.uid | additional.fields[metadata_product_uid] | Iterate through the metadata.loggers log field, then the metadata.loggers.product.uid log field is mapped to the additional.fields[metadata_product_uid] UDM field. |
| metadata.loggers.uid | additional.fields[metadata_loggers_uid] | Iterate through the metadata.loggers log field, then the metadata.loggers.uid log field is mapped to the additional.fields[metadata_loggers_uid] UDM field. |
| metadata.loggers.name | additional.fields[metadata_loggers_name] | Iterate through the metadata.loggers log field, then the metadata.loggers.name log field is mapped to the additional.fields[metadata_loggers_name] UDM field. |
| metadata.loggers.log_provider | additional.fields[metadata_loggers_log_provider] | Iterate through the metadata.loggers log field, then the metadata.loggers.log_provider log field is mapped to the additional.fields[metadata_loggers_log_provider] UDM field. |
| metadata.loggers.log_name | additional.fields[metadata_loggers_log_name] | Iterate through the metadata.loggers log field, then the metadata.loggers.log_name log field is mapped to the additional.fields[metadata_loggers_log_name] UDM field. |
| session.uid_alt | additional.fields[session_uid_alt] | |
| session.count | additional.fields[session_count] | |
| session.expiration_reason | additional.fields[session_expiration_reason] | |
| session.is_mfa | additional.fields[session_is_mfa] | |
| session.terminal | additional.fields[session_terminal] | |
| session.is_vpn | additional.fields[session_is_vpn] | |
| user.ldap_person.cost_center | target.user.attribute.labels[user_ldap_person_cost_center] | If the user.ldap_person.cost_center log field value is not empty, then the user.ldap_person.cost_center log field is mapped to the target.user.attribute.labels[user_ldap_person_cost_center] UDM field. |
| user.ldap_person.created_time | target.user.attribute.labels[user_ldap_person_created_time] | If the user.ldap_person.created_time log field value is not empty, then the user.ldap_person.created_time log field is mapped to the target.user.attribute.labels[user_ldap_person_created_time] UDM field. |
| user.ldap_person.deleted_time | target.user.attribute.labels[user_ldap_person_deleted_time] | If the user.ldap_person.deleted_time log field value is not empty, then the user.ldap_person.deleted_time log field is mapped to the target.user.attribute.labels[user_ldap_person_deleted_time] UDM field. |
| user.ldap_person.email_addrs | target.user.email_addresses | If the user.ldap_person.email_addrs log field value is not empty, then the user.ldap_person.email_addrs log field is mapped to the target.user.email_addresses UDM field. |
| user.ldap_person.employee_uid | target.user.employee_uid | If the user.ldap_person.employee_uid log field value is not empty, then the user.ldap_person.employee_uid log field is mapped to the target.user.employee_uid UDM field. |
| user.ldap_person.location | target.user.attribute.labels[user_ldap_person_location] | If the user.ldap_person.location log field value is not empty, then the user.ldap_person.location log field is mapped to the target.user.attribute.labels[user_ldap_person_location] UDM field. |
| user.ldap_person.given_name | target.user.first_name | If the user.ldap_person.given_name log field value is not empty, then the user.ldap_person.given_name log field is mapped to the target.user.first_name UDM field. |
| user.ldap_person.hire_time | target.user.hire_date | If the user.ldap_person.hire_time log field value is not empty, then the user.ldap_person.hire_time log field is mapped to the target.user.hire_date UDM field. |
| user.ldap_person.job_title | target.user.title | If the user.ldap_person.job_title log field value is not empty, then the user.ldap_person.job_title log field is mapped to the target.user.title UDM field. |
| user.ldap_person.ldap_cn | target.user.attribute.labels[user_ldap_person_ldap_cn] | If the user.ldap_person.ldap_cn log field value is not empty, then the user.ldap_person.ldap_cn log field is mapped to the target.user.attribute.labels[user_ldap_person_ldap_cn] UDM field. |
| user.ldap_person.ldap_dn | target.user.attribute.labels[user_ldap_person_ldap_dn] | If the user.ldap_person.ldap_dn log field value is not empty, then the user.ldap_person.ldap_dn log field is mapped to the target.user.attribute.labels[user_ldap_person_ldap_dn] UDM field. |
| user.ldap_person.labels | target.user.attribute.labels[user_ldap_person_labels] | If the user.ldap_person.labels log field value is not empty, then the user.ldap_person.labels log field is mapped to the target.user.attribute.labels[user_ldap_person_labels] UDM field. |
| user.ldap_person.last_login_time | target.user.last_login_time | If the user.ldap_person.last_login_time log field value is not empty, then the user.ldap_person.last_login_time log field is mapped to the target.user.last_login_time UDM field. |
| user.ldap_person.leave_time | target.user.attribute.labels[user_ldap_person_leave_time] | If the user.ldap_person.leave_time log field value is not empty, then the user.ldap_person.leave_time log field is mapped to the target.user.attribute.labels[user_ldap_person_leave_time] UDM field. |
| user.ldap_person.modified_time | target.user.attribute.labels[user_ldap_person_modified_time] | If the user.ldap_person.modified_time log field value is not empty, then the user.ldap_person.modified_time log field is mapped to the target.user.attribute.labels[user_ldap_person_modified_time] UDM field. |
| user.ldap_person.office_location | target.user.office_address.name | If the user.ldap_person.office_location log field value is not empty, then the user.ldap_person.office_location log field is mapped to the target.user.office_address.name UDM field. |
| user.ldap_person.surname | target.user.last_name | If the user.ldap_person.surname log field value is not empty, then the user.ldap_person.surname log field is mapped to the target.user.last_name UDM field. |
| user.ldap_person.manager.cost_center | target.user.managers.attribute.labels[user_ldap_person_manager_cost_center] | If the user.ldap_person.manager.cost_center log field value is not empty, then iterate through the user.ldap_person.manager log field, and the user.ldap_person.manager.cost_center log field is mapped to the target.user.managers.attribute.labels[user_ldap_person_manager_cost_center] UDM field. |
| user.ldap_person.manager.created_time | target.user.managers.attribute.labels[user_ldap_person_manager_created_time] | If the user.ldap_person.manager.created_time log field value is not empty, then iterate through the user.ldap_person.manager log field, and the user.ldap_person.manager.created_time log field is mapped to the target.user.managers.attribute.labels[user_ldap_person_manager_created_time] UDM field. |
| user.ldap_person.manager.deleted_time | target.user.managers.attribute.labels[user_ldap_person_manager_deleted_time] | If the user.ldap_person.manager.deleted_time log field value is not empty, then iterate through the user.ldap_person.manager log field, and the user.ldap_person.manager.deleted_time log field is mapped to the target.user.managers.attribute.labels[user_ldap_person_manager_deleted_time] UDM field. |
| user.ldap_person.manager.email_addrs | target.user.managers.email_addresses | If the user.ldap_person.manager.email_addrs log field value is not empty, then iterate through the user.ldap_person.manager log field, and the user.ldap_person.manager.email_addrs log field is mapped to the target.user.managers.email_addresses UDM field. |
| user.ldap_person.manager.employee_uid | target.user.managers.employee_uid | If the user.ldap_person.manager.employee_uid log field value is not empty, then iterate through the user.ldap_person.manager log field, and the user.ldap_person.manager.employee_uid log field is mapped to the target.user.managers.employee_uid UDM field. |
| user.ldap_person.manager.location | target.user.managers.attribute.labels[user_ldap_person_manager_location] | If the user.ldap_person.manager.location log field value is not empty, then iterate through the user.ldap_person.manager log field, and the user.ldap_person.manager.location log field is mapped to the target.user.managers.attribute.labels[user_ldap_person_manager_location] UDM field. |
| user.ldap_person.manager.given_name | target.user.managers.first_name | If the user.ldap_person.manager.given_name log field value is not empty, then iterate through the user.ldap_person.manager log field, and the user.ldap_person.manager.given_name log field is mapped to the target.user.managers.first_name UDM field. |
| user.ldap_person.manager.hire_time | target.user.managers.hire_date | If the user.ldap_person.manager.hire_time log field value is not empty, then iterate through the user.ldap_person.manager log field, and the user.ldap_person.manager.hire_time log field is mapped to the target.user.managers.hire_date UDM field. |
| user.ldap_person.manager.job_title | target.user.managers.title | If the user.ldap_person.manager.job_title log field value is not empty, then iterate through the user.ldap_person.manager log field, and the user.ldap_person.manager.job_title log field is mapped to the target.user.managers.title UDM field. |
| user.ldap_person.manager.ldap_cn | target.user.managers.attribute.labels[user_ldap_person_manager_ldap_cn] | If the user.ldap_person.manager.ldap_cn log field value is not empty, then iterate through the user.ldap_person.manager log field, and the user.ldap_person.manager.ldap_cn log field is mapped to the target.user.managers.attribute.labels[user_ldap_person_manager_ldap_cn] UDM field. |
| user.ldap_person.manager.ldap_dn | target.user.managers.attribute.labels[user_ldap_person_manager_ldap_dn] | If the user.ldap_person.manager.ldap_dn log field value is not empty, then iterate through the user.ldap_person.manager log field, and the user.ldap_person.manager.ldap_dn log field is mapped to the target.user.managers.attribute.labels[user_ldap_person_manager_ldap_dn] UDM field. |
| user.ldap_person.manager.labels | target.user.managers.attribute.labels[user_ldap_person_manager_labels] | If the user.ldap_person.manager.labels log field value is not empty, then iterate through the user.ldap_person.manager log field, and the user.ldap_person.manager.labels log field is mapped to the target.user.managers.attribute.labels[user_ldap_person_manager_labels] UDM field. |
| user.ldap_person.manager.last_login_time | target.user.managers.last_login_time | If the user.ldap_person.manager.last_login_time log field value is not empty, then iterate through the user.ldap_person.manager log field, and the user.ldap_person.manager.last_login_time log field is mapped to the target.user.managers.last_login_time UDM field. |
| user.ldap_person.manager.leave_time | target.user.managers.attribute.labels[user_ldap_person_manager_leave_time] | If the user.ldap_person.manager.leave_time log field value is not empty, then iterate through the user.ldap_person.manager log field, and the user.ldap_person.manager.leave_time log field is mapped to the target.user.managers.attribute.labels[user_ldap_person_manager_leave_time] UDM field. |
| user.ldap_person.manager.modified_time | target.user.managers.attribute.labels[user_ldap_person_manager_modified_time] | If the user.ldap_person.manager.modified_time log field value is not empty, then iterate through the user.ldap_person.manager log field, and the user.ldap_person.manager.modified_time log field is mapped to the target.user.managers.attribute.labels[user_ldap_person_manager_modified_time] UDM field. |
| user.ldap_person.manager.office_location | target.user.managers.office_address.name | If the user.ldap_person.manager.office_location log field value is not empty, then iterate through the user.ldap_person.manager log field, and the user.ldap_person.manager.office_location log field is mapped to the target.user.managers.office_address.name UDM field. |
| user.ldap_person.manager.surname | target.user.managers.last_name | If the user.ldap_person.manager.surname log field value is not empty, then iterate through the user.ldap_person.manager log field, and the user.ldap_person.manager.surname log field is mapped to the target.user.managers.last_name UDM field. |
| user.groups.domain | target.user.group_identifiers | If the user.groups log field value is not empty, then iterate through the user.groups log field, and the user.groups.domain log field is mapped to the target.user.group_identifiers UDM field. |
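
As an added example that is not part of this documentation or of the OCSF parser: a small Python check that flattens an OCSF event into the dotted-path notation used in the Log field column and lists the fields that no documented row covers, which is the quickest way to see which parts of a vendor's OCSF output will not be normalized into UDM. It assumes the table conventions as read above (arrays of objects such as metadata.loggers are written without an index because the parser iterates them; arrays of scalars may carry an .array suffix, as in intermediate_ips.array). The table rows and the event below are constructed subsets, not a copy of the full table.

```python
"""Coverage check for OCSF events against the OCSF-to-UDM mapping tables.

Added example, not part of the Google SecOps documentation or parser. It flattens
an OCSF event into the dotted-path notation of the table's "Log field" column
and reports which paths no row documents, i.e. fields that will not land in UDM.
"""
import json

# Constructed subset of rows from the mapping table above (the real table is far
# longer); only the first column matters here. The header and separator rows are
# kept so the parser has to skip them, as it would on a pasted table.
MAPPING_TABLE = """
| Log field | UDM mapping | Logic |
|---|---|---|
| dst_endpoint.proxy_endpoint.intermediate_ips.array | intermediary.ip | |
| metadata.loggers.device.hostname | about.asset.hostname | Iterate through the metadata.loggers log field ... |
| session.is_mfa | additional.fields[session_is_mfa] | |
| user.ldap_person.email_addrs | target.user.email_addresses | |
| user.ldap_person.manager.surname | target.user.managers.last_name | |
"""


def documented_fields(table_md):
    """Return the set of log-field paths in the first column of a markdown mapping table.

    A trailing ".array" (the table's notation for arrays of scalars, as in
    intermediate_ips.array) is stripped so both notations compare equal.
    """
    fields = set()
    for line in table_md.splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        name = cells[0] if cells else ""
        if not name or name == "Log field" or set(name) <= set("-"):
            continue  # blank line, header row or separator row
        fields.add(name[: -len(".array")] if name.endswith(".array") else name)
    return fields


def flatten(obj, prefix=""):
    """Flatten an OCSF event into the table's dotted-path convention.

    Object keys are joined with ".", arrays of objects reuse the parent path (the
    parser "iterates through" them), and arrays of scalars yield the bare path.
    """
    paths = set()
    if isinstance(obj, dict):
        for key, value in obj.items():
            paths |= flatten(value, f"{prefix}.{key}" if prefix else key)
    elif isinstance(obj, list):
        if obj and all(isinstance(v, (dict, list)) for v in obj):
            for item in obj:
                paths |= flatten(item, prefix)
        elif obj:
            paths.add(prefix)
    else:
        paths.add(prefix)
    return paths


def unmapped_fields(event, table_md=MAPPING_TABLE):
    """Return the sorted event paths that no row of the mapping table documents."""
    return sorted(flatten(event) - documented_fields(table_md))


# Constructed OCSF-style event; session.custom_flag is deliberately undocumented.
SAMPLE_EVENT = json.loads("""{
  "metadata": {"loggers": [{"device": {"hostname": "host-a"}},
                           {"device": {"hostname": "host-b"}}]},
  "dst_endpoint": {"proxy_endpoint": {"intermediate_ips": ["198.51.100.5"]}},
  "session": {"is_mfa": true, "custom_flag": "vendor-specific"},
  "user": {"ldap_person": {"email_addrs": ["alice@example.com"],
                           "manager": {"surname": "Example"}}}
}""")

if __name__ == "__main__":
    for path in unmapped_fields(SAMPLE_EVENT):
        print(f"not documented in mapping table: {path}")
```

Run against a real event, paste the full Log field column of the relevant class table into MAPPING_TABLE; anything the check reports is a field to look for in UDM search after ingestion before relying on it in detections.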
Field mapping reference: OCSF Security Finding
The following table lists the log fields for the Security Finding log type and their corresponding UDM fields.
| Log field | UDM mapping | Logic | 
|---|---|---|
| activity_id | metadata.event_type | If the class_name log field value is equal to Security Finding, then the metadata.event_type UDM field is set to SCAN_UNCATEGORIZED. |
| activity_name | metadata.product_event_type | The %{activity_id} - %{activity_name} log field is mapped to the metadata.product_event_type UDM field. |
| activity_name | network.http.response_code | |
| api.response.message | metadata.description | |
| api.service.name | target.application | |
| attacks.tactics.name | security_result.attack_details.tactics.name | |
| attacks.tactics.uid | security_result.attack_details.tactics.id | |
| attacks.technique.name | security_result.attack_details.technique.name | |
| attacks.technique.uid | security_result.attack_details.technique.id | |
| attacks.version | security_result.attack_details.version | |
| category_name | security_result.category_details | The %{category_uid} - %{category_name} log field is mapped to the security_result.category_details UDM field. |
| category_uid | security_result.category_details | The %{category_uid} - %{category_name} log field is mapped to the security_result.category_details UDM field. |
| class_name | metadata.log_type | |
| classname | metadata.log_type | |
| cloud.org.uid | about.resource.product_object_id | |
| cloud.project_uid | principal.resource.product_object_id | |
| cloud.provider | about.resource.attribute.cloud.environment | If the cloud.provider log field value matches the regular expression pattern AWS, then the about.resource.attribute.cloud.environment UDM field is set to AMAZON_WEB_SERVICES. Else, if the cloud.provider log field value matches the regular expression pattern MS Azure, then the about.resource.attribute.cloud.environment UDM field is set to MICROSOFT_AZURE. Else, if the cloud.provider log field value matches the regular expression pattern GCP, then the about.resource.attribute.cloud.environment UDM field is set to GOOGLE_CLOUD_PLATFORM. |
| cloud.region | about.location.name | |
| cloud.zone | about.resource.attribute.cloud.availability_zone | |
| confidence | security_result.confidence | If the confidence log field value matches the regular expression pattern Low, then the security_result.confidence UDM field is set to LOW_CONFIDENCE. Else, if the confidence log field value matches the regular expression pattern Medium, then the security_result.confidence UDM field is set to MEDIUM_CONFIDENCE. Else, if the confidence log field value matches the regular expression pattern High, then the security_result.confidence UDM field is set to HIGH_CONFIDENCE. Else, the security_result.confidence UDM field is set to UNKNOWN_CONFIDENCE. |
| confidence_score | security_result.confidence_details | |
| finding.desc | security_result.description | |
| finding.product_uid | principal.asset_id | |
| finding.remediation.desc | security_result.outcomes[finding_remediation_desc] | |
| finding.remediation.kb_articles | security_result.outcomes[finding_remediation_kb_articles] | |
| finding.src_url | security_result.url_back_to_product | |
| finding.title | security_result.summary | |
| malware.cves.created_time | extensions.vulns.vulnerabilities.first_found | |
| malware.cves.cvss.base_score | extensions.vulns.vulnerabilities.cvss_base_score | |
| malware.cves.cvss.severity | extensions.vulns.vulnerabilities.severity | If the malware.cves.cvss.severity log field value matches the regular expression pattern Low, then the extensions.vulns.vulnerabilities.severity UDM field is set to LOW. Else, if the malware.cves.cvss.severity log field value matches the regular expression pattern Medium, then the extensions.vulns.vulnerabilities.severity UDM field is set to MEDIUM. Else, if the malware.cves.cvss.severity log field value matches the regular expression pattern High, then the extensions.vulns.vulnerabilities.severity UDM field is set to HIGH. Else, if the malware.cves.cvss.severity log field value matches the regular expression pattern Critical, then the extensions.vulns.vulnerabilities.severity UDM field is set to CRITICAL. Else, the extensions.vulns.vulnerabilities.severity UDM field is set to UNKNOWN_SEVERITY. |
| malware.cves.cvss.vector_string | extensions.vulns.vulnerabilities.cvss_vector | |
| malware.cves.cvss.version | extensions.vulns.vulnerabilities.cvss_version | |
| malware.cves.product.name | extensions.vulns.vulnerabilities.about.application | |
| malware.cves.product.uid | extensions.vulns.vulnerabilities.about.asset_id | |
| malware.cves.product.vendor_name | extensions.vulns.vulnerabilities.vendor | |
| malware.cves.type | extensions.vulns.vulnerabilities.name | |
| malware.cves.uid | extensions.vulns.vulnerabilities.cve_id | |
| malware.name | security_result.threat_name | |
| malware.uid | security_result.threat_id | |
| message | metadata.description | |
| metadata.logged_time | metadata.collected_timestamp | |
| metadata.product.name | metadata.product_name | |
| metadata.uid | metadata.product_log_id | |
| metadata.product.vendor_name | metadata.vendor_name | |
| metadata.product.version | metadata.product_version | |
| observables.value | observer.hostname | Iterate through the observables log field and dispatch on observables.type_id: if the observables.type_id log field value is equal to 1 and the observer.hostname UDM field is still empty, then the observables.value log field is mapped to the observer.hostname UDM field. Else, if the observables.type_id log field value is equal to 2, then the observables.value log field is mapped to the observer.ip UDM field. Else, if the observables.type_id log field value is equal to 3, then the observables.value log field is mapped to the observer.mac UDM field. Else, if the observables.type_id log field value is equal to 4 and the observer.user.userid UDM field is still empty, then the observables.value log field is mapped to the observer.user.userid UDM field. Else, if the observables.type_id log field value is equal to 5, then the observables.value log field is mapped to the observer.user.email_addresses UDM field. Else, if the observables.type_id log field value is equal to 6 and the observer.url UDM field is still empty, then the observables.value log field is mapped to the observer.url UDM field. Else, if the observables.type_id log field value is equal to 7, then the observables.value log field is mapped to the observer.file.names UDM field. Else, if the observables.type_id log field value is equal to 8 and the observer.file.vhash UDM field is still empty, then the observables.value log field is mapped to the observer.file.vhash UDM field. Else, if the observables.type_id log field value is equal to 9, then the observables.value log field is mapped to the observer.process.file.names UDM field. Else, if the observables.type_id log field value is equal to 10 and the observer.resource.product_object_id UDM field is still empty, then the observables.value log field is mapped to the observer.resource.product_object_id UDM field. For the single-valued targets (hostname, userid, url, vhash, product_object_id) only the first matching observable is kept; the repeated targets (ip, mac, email_addresses, file.names, process.file.names) collect every matching observable. |
| observables.value | observer.ip | |
| observables.value | observer.mac | |
| observables.value | observer.user.userid | |
| observables.value | observer.user.email_addresses | |
| observables.value | observer.url | |
| observables.value | observer.file.names | |
| observables.value | observer.file.vhash | |
| observables.value | observer.process.file.names | |
| observables.value | observer.resource.product_object_id | |
| process.cmd_line | principal.process.command_line | |
| process.file.mime_type | principal.process.file.mime_type | |
| process.file.modified_time | principal.process.file.last_modification_time | |
| process.file.name | principal.process.file.names | |
| process.file.path | principal.process.file.full_path | |
| process.file.size | principal.process.file.size | |
| process.file.created_time | principal.process.file.first_seen_time | |
| process.file.accessed_time | principal.process.file.last_seen_time | |
| process.parent_process.file.created_time | principal.process.parent_process.file.first_seen_time | |
| process.parent_process.file.accessed_time | principal.process.parent_process.file.last_seen_time | |
| process.parent_process.cmd_line | principal.process.parent_process.command_line | |
| process.parent_process.file.mime_type | principal.process.parent_process.file.mime_type | |
| process.parent_process.file.modified_time | principal.process.parent_process.file.last_modification_time | |
| process.parent_process.file.name | principal.process.parent_process.file.names | |
| process.parent_process.file.path | principal.process.parent_process.file.full_path | |
| process.parent_process.file.size | principal.process.parent_process.file.size | |
| process.parent_process.pid | principal.process.parent_process.pid | |
| process.parent_process.uid | principal.process.parent_process.product_specific_process_id | |
| process.parent_process.user.domain | principal.administrative_domain | If the process.user.domain log field value is not empty, then the process.user.domain log field is mapped to the principal.administrative_domain UDM field. Else, if the process.parent_process.user.domain log field value is not empty, then the process.parent_process.user.domain log field is mapped to the principal.administrative_domain UDM field. |
| process.parent_process.user.email_addr | principal.user.email_addresses | If the process.user.email_addr log field value is not empty, then the process.user.email_addr log field is mapped to the principal.user.email_addresses UDM field. Else, if the process.parent_process.user.email_addr log field value is not empty, then the process.parent_process.user.email_addr log field is mapped to the principal.user.email_addresses UDM field. |
| process.parent_process.user.full_name | principal.user.user_display_name | If the process.parent_process.user.full_name log field value is not empty, then the process.parent_process.user.full_name log field is mapped to the principal.user.user_display_name UDM field. Else, if the process.user.full_name log field value is not empty, then the process.user.full_name log field is mapped to the principal.user.user_display_name UDM field. |
| process.parent_process.user.groups.name | principal.group.group_display_name | If the process.user.groups.name log field value is not empty, then the process.user.groups.name log field is mapped to the principal.group.group_display_name UDM field. Else, if the process.parent_process.user.groups.name log field value is not empty, then the process.parent_process.user.groups.name log field is mapped to the principal.group.group_display_name UDM field. |
| process.parent_process.user.groups.privileges | principal.group.attribute.permissions.name | If the process.user.groups.privileges log field value is not empty, then the process.user.groups.privileges log field is mapped to the principal.group.attribute.permissions.name UDM field. Else, if the process.parent_process.user.groups.privileges log field value is not empty, then the process.parent_process.user.groups.privileges log field is mapped to the principal.group.attribute.permissions.name UDM field. |
| process.parent_process.user.groups.uid | principal.user.group_identifiers | If the process.user.groups.uid log field value is not empty, then the process.user.groups.uid log field is mapped to the principal.user.group_identifiers UDM field. Else, if the process.parent_process.user.groups.uid log field value is not empty, then the process.parent_process.user.groups.uid log field is mapped to the principal.user.group_identifiers UDM field. |
| process.parent_process.user.name | principal.user.userid | If the process.user.name log field value is not empty, then the process.user.name log field is mapped to the principal.user.userid UDM field. Else, if the process.parent_process.user.name log field value is not empty, then the process.parent_process.user.name log field is mapped to the principal.user.userid UDM field. |
| process.parent_process.user.org.name | principal.user.company_name | If the process.user.org.name log field value is not empty, then the process.user.org.name log field is mapped to the principal.user.company_name UDM field. Else, if the process.parent_process.user.org.name log field value is not empty, then the process.parent_process.user.org.name log field is mapped to the principal.user.company_name UDM field. |
| process.parent_process.user.org.ou_name | principal.user.department | If the process.user.org.ou_name log field value is not empty, then the process.user.org.ou_name log field is mapped to the principal.user.department UDM field. Else, if the process.parent_process.user.org.ou_name log field value is not empty, then the process.parent_process.user.org.ou_name log field is mapped to the principal.user.department UDM field. |
| process.parent_process.user.type_id | principal.user.attribute.roles.name | If the process.user.type_id log field value is not empty: if it is equal to 0, then the principal.user.attribute.roles.name UDM field is set to Unknown; else, if it is equal to 1, the field is set to User; else, if it is equal to 2, the field is set to Admin; else, if it is equal to 3, the field is set to System; else, the field is set to Other. Else, if the process.parent_process.user.type_id log field value is not empty: if it is equal to 0, then the principal.user.attribute.roles.name UDM field is set to Unknown; else, if it is equal to 1, the field is set to User; else, if it is equal to 2, the field is set to Admin; else, if it is equal to 3, the field is set to System; else, the field is set to Other. |
| process.parent_process.user.uid | principal.user.product_object_id | If the process.user.uid log field value is not empty, then the process.user.uid log field is mapped to the principal.user.product_object_id UDM field. Else, if the process.parent_process.user.uid log field value is not empty, then the process.parent_process.user.uid log field is mapped to the principal.user.product_object_id UDM field. |
| process.pid | principal.process.pid | |
| process.uid | principal.process.product_specific_process_id | |
| process.user.domain | principal.administrative_domain | If the process.user.domain log field value is not empty, then the process.user.domain log field is mapped to the principal.administrative_domain UDM field. Else, if the process.parent_process.user.domain log field value is not empty, then the process.parent_process.user.domain log field is mapped to the principal.administrative_domain UDM field. | 
| process.user.email_addr | principal.user.email_addresses | If the process.user.email_addr log field value is not empty, then the process.user.email_addr log field is mapped to the principal.user.email_addresses UDM field. Else, if the process.parent_process.user.email_addr log field value is not empty, then the process.parent_process.user.email_addr log field is mapped to the principal.user.email_addresses UDM field. | 
| process.user.full_name | principal.user.user_display_name | If the process.parent_process.user.full_name log field value is not empty, then the process.parent_process.user.full_name log field is mapped to the principal.user.user_display_name UDM field. Else, if the process.user.full_name log field value is not empty, then the process.user.full_name log field is mapped to the principal.user.user_display_name UDM field. | 
| process.user.groups.name | principal.group.group_display_name | If the process.user.groups.name log field value is not empty, then the process.user.groups.name log field is mapped to the principal.group.group_display_name UDM field. Else, if the process.parent_process.user.groups.name log field value is not empty, then the process.parent_process.user.groups.name log field is mapped to the principal.group.group_display_name UDM field. | 
| process.user.groups.privileges | principal.group.attribute.permissions.name | If the process.user.groups.privileges log field value is not empty, then the process.user.groups.privileges log field is mapped to the principal.group.attribute.permissions.name UDM field. Else, if the process.parent_process.user.groups.privileges log field value is not empty, then the process.parent_process.user.groups.privileges log field is mapped to the principal.group.attribute.permissions.name UDM field. | 
| process.user.groups.uid | principal.user.group_identifiers | If the process.user.groups.uid log field value is not empty, then the process.user.groups.uid log field is mapped to the principal.user.group_identifiers UDM field. Else, if the process.parent_process.user.groups.uid log field value is not empty, then the process.parent_process.user.groups.uid log field is mapped to the principal.user.group_identifiers UDM field. | 
| process.user.name | principal.user.userid | If the process.user.name log field value is not empty, then the process.user.name log field is mapped to the principal.user.userid UDM field. Else, if the process.parent_process.user.name log field value is not empty, then the process.parent_process.user.name log field is mapped to the principal.user.userid UDM field. | 
| process.user.org.name | principal.user.company_name | If the process.user.org.name log field value is not empty, then the process.user.org.name log field is mapped to the principal.user.company_name UDM field. Else, if the process.parent_process.user.org.name log field value is not empty, then the process.parent_process.user.org.name log field is mapped to the principal.user.company_name UDM field. | 
| process.user.org.ou_name | principal.user.department | If the process.user.org.ou_name log field value is not empty, then the process.user.org.ou_name log field is mapped to the principal.user.department UDM field. Else, if the process.parent_process.user.org.ou_name log field value is not empty, then the process.parent_process.user.org.ou_name log field is mapped to the principal.user.department UDM field. | 
| process.user.type_id | principal.user.attribute.roles.name | If the process.user.type_id log field value is not empty: if the process.user.type_id log field value is equal to 0, then the principal.user.attribute.roles.name UDM field is set to Unknown. Else, if it is equal to 1, then the principal.user.attribute.roles.name UDM field is set to User. Else, if it is equal to 2, then the principal.user.attribute.roles.name UDM field is set to Admin. Else, if it is equal to 3, then the principal.user.attribute.roles.name UDM field is set to System. Else, the principal.user.attribute.roles.name UDM field is set to Other. Else, if the process.parent_process.user.type_id log field value is not empty, the same mapping is applied to the process.parent_process.user.type_id log field value (0 to Unknown, 1 to User, 2 to Admin, 3 to System, any other value to Other). | 
| process.user.uid | principal.user.product_object_id | If the process.user.uid log field value is not empty, then the process.user.uid log field is mapped to the principal.user.product_object_id UDM field. Else, if the process.parent_process.user.uid log field value is not empty, then the process.parent_process.user.uid log field is mapped to the principal.user.product_object_id UDM field. | 
| resources.name | target.resource.name | |
| resources.type | target.resource.resource_subtype | |
| resources.uid | target.resource.product_object_id | |
| risk_score | security_result.risk_score | |
| severity_id | security_result.severity | If the severity_id log field value is equal to 1, then the security_result.severity UDM field is set to INFORMATIONAL. Else, if the severity_id log field value is equal to 2, then the security_result.severity UDM field is set to LOW. Else, if the severity_id log field value is equal to 3, then the security_result.severity UDM field is set to MEDIUM. Else, if the severity_id log field value is equal to 4, then the security_result.severity UDM field is set to HIGH. Else, if the severity_id log field value is equal to 5, then the security_result.severity UDM field is set to CRITICAL. Else, the security_result.severity UDM field is set to UNKNOWN_SEVERITY. | 
| time | metadata.event_timestamp | |
| vulnerabilities.cve.created_time | extensions.vulns.vulnerabilities.first_found | |
| vulnerabilities.cve.cvss.base_score | extensions.vulns.vulnerabilities.cvss_base_score | |
| vulnerabilities.cve.cvss.vector_string | extensions.vulns.vulnerabilities.cvss_vector | |
| vulnerabilities.cve.cvss.version | extensions.vulns.vulnerabilities.cvss_version | |
| vulnerabilities.cve.product.name | extensions.vulns.vulnerabilities.about.application | |
| vulnerabilities.cve.product.uid | extensions.vulns.vulnerabilities.about.asset_id | |
| vulnerabilities.cve.type | extensions.vulns.vulnerabilities.description | |
| vulnerabilities.cve.uid | extensions.vulns.vulnerabilities.cve_id | |
| vulnerabilities.severity | extensions.vulns.vulnerabilities.severity | |
| vulnerabilities.title | extensions.vulns.vulnerabilities.name | |
| vulnerabilities.vendor_name | extensions.vulns.vulnerabilities.vendor | |
| analytic.desc | security_result.detection_fields [analytic_desc] | |
| analytic.name | security_result.detection_fields [analytic_name] | |
| analytic.relatedAnalytics.category | security_result.detection_fields [analytic_related_analytics_category] | |
| analytic.relatedAnalytics.name | security_result.detection_fields [analytic_related_analytics_name] | |
| analytic.relatedAnalytics.type | security_result.detection_fields [analytic_related_analytics_type] | |
| analytic.relatedAnalytics.typeId | security_result.detection_fields [analytic_related_analytics_typeId] | |
| analytic.relatedAnalytics.uid | security_result.detection_fields [analytic_related_analytics_uid] | |
| analytic.type | security_result.detection_fields [analytic_type] | |
| analytic.typeId | security_result.detection_fields [analytic_typeId] | |
| finding.uid | security_result.detection_fields [finding_uid] | |
| finding.first_seen_time | security_result.first_discovered_time | |
| finding.created_time | security_result.detection_fields [finding_created_time] | |
| finding.last_seen_time | security_result.detection_fields [finding_last_seen_time] | |
| confidence_id | security_result.detection_fields [confidence_id] | |
| data_sources | security_result.detection_fields [data_sources] | |
| impact | security_result.detection_fields [impact] | |
| impact_id | security_result.detection_fields [impact_id] | |
| impact_score | security_result.detection_fields [impact_score] | |
| malware.classification_ids | security_result.detection_fields [malware.classification_ids] | |
| malware.classifications | security_result.detection_fields [malware.classifications] | |
| risk_level | security_result.detection_fields [risk_level] | |
| risk_level_id | security_result.detection_fields [risk_level_id] | |
| state | security_result.detection_fields [state] | |
| state_id | security_result.detection_fields [state_id] | |
| count | security_result.detection_fields [count] | |
| end_time | security_result.detection_fields [end_time] | |
| enrichments.name | security_result.detection_fields [enrichments_name] | |
| enrichments.provider | security_result.detection_fields [enrichments_provider] | |
| enrichments.type | security_result.detection_fields [enrichments_type] | |
| enrichments.value | security_result.detection_fields [enrichments_value] | |
| metadata.log_name | about.labels [metadata_log_name] | |
| metadata.log_provider | about.labels [metadata_log_provider] | |
| metadata.modified_time | about.labels [metadata_modified_time] | |
| metadata.original_time | about.labels [metadata_original_time] | |
| metadata.product.lang | about.labels [metadata_product_lang] | |
| metadata.version | about.labels [metadata_version] | |
| metadata.log_name | additional.fields [metadata_log_name] | |
| metadata.log_provider | additional.fields [metadata_log_provider] | |
| metadata.modified_time | additional.fields [metadata_modified_time] | |
| metadata.original_time | additional.fields [metadata_original_time] | |
| metadata.product.lang | additional.fields [metadata_product_lang] | |
| metadata.version | additional.fields [metadata_version] | |
| severity | security_result.severity_details | |
| class_uid | about.labels [class_uid] | |
| metadata.labels | about.labels [metadata_labels] | |
| raw_data | about.labels [raw_data] | |
| metadata.product.feature.name | about.labels [metadata_product_feature_name] | |
| metadata.product.feature.uid | about.labels [metadata_product_feature_uid] | |
| metadata.profiles | about.labels [metadata_profiles] | |
| process.created_time | principal.labels [process_created_time] | |
| process.file.type_id | principal.labels [process_file_type_id] | |
| process.terminated_time | principal.labels [process_terminated_time] | |
| status | security_result.detection_fields [status] | |
| status_code | security_result.detection_fields [status_code] | |
| type_name | security_result.detection_fields [type_name] | |
| type_uid | security_result.detection_fields [type_uid] | |
| cloud.account_uid | about.resource.attribute.labels [cloud_account_uid] | |
| compliance.requirements | security_result.detection_fields [compliance_requirements] | |
| compliance.status | security_result.detection_fields [compliance_status] | |
| compliance.status_detail | security_result.detection_fields [compliance_status_detail] | |
| finding.modified_time | security_result.detection_fields [finding_modified_time] | |
| finding.related_events.product_uid | security_result.detection_fields [finding_related_events_product_uid] | |
| finding.related_events.uid | security_result.detection_fields [finding_related_events_uid] | |
| finding.types | security_result.detection_fields [finding_types] | |
| malware.path | security_result.detection_fields [malware_path] | |
| resources.cloud_partition | target.resource.attribute.labels [resources_cloud_partition] | |
| resources.details | target.resource.attribute.labels [resources_details] | |
| resources.labels | target.resource.attribute.labels [resources_labels] | |
| resources.region | target.location.name | |
| vulnerabilities.cve.modified_time | extensions.vulns.vulnerabilities.about.labels [vuln_cve_modified_time] | |
| vulnerabilities.kb_articles | extensions.vulns.vulnerabilities.about.labels [vuln_kb_articles] | |
| vulnerabilities.packages.architecture | extensions.vulns.vulnerabilities.about.labels [vuln_packages_architecture] | |
| vulnerabilities.packages.epoch | extensions.vulns.vulnerabilities.about.labels [vuln_packages_epoch] | |
| vulnerabilities.packages.name | extensions.vulns.vulnerabilities.about.labels [vuln_packages_name] | |
| vulnerabilities.packages.release | extensions.vulns.vulnerabilities.about.labels [vuln_packages_release] | |
| vulnerabilities.packages.version | extensions.vulns.vulnerabilities.about.labels [vuln_packages_version] | |
| vulnerabilities.references | extensions.vulns.vulnerabilities.about.labels [vuln_references] | |
| vulnerabilities.related_vulnerabilities | extensions.vulns.vulnerabilities.about.labels [vuln_related_vulnerabilities] | |
| vulnerabilities.cve.modified_time | additional.fields [vuln_cve_modified_time] | |
| vulnerabilities.kb_articles | additional.fields [vuln_kb_articles] | |
| vulnerabilities.packages.architecture | additional.fields [vuln_packages_architecture] | |
| vulnerabilities.packages.epoch | additional.fields [vuln_packages_epoch] | |
| vulnerabilities.packages.name | additional.fields [vuln_packages_name] | |
| vulnerabilities.packages.release | additional.fields [vuln_packages_release] | |
| vulnerabilities.packages.version | additional.fields [vuln_packages_version] | |
| vulnerabilities.references | additional.fields [vuln_references] | |
| vulnerabilities.related_vulnerabilities | additional.fields [vuln_related_vulnerabilities] | |
| compliance.control | security_result.detection_fields[compliance_control] | |
| compliance.standards | security_result.detection_fields[compliance_standards] | Iterate through the compliance.standards log field, then each compliance.standards value is mapped to the security_result.detection_fields[compliance_standards] UDM field. | 
| compliance.status_code | security_result.detection_fields[compliance_status_code] | |
| compliance.status_id | security_result.detection_fields[compliance_status_id] | |
| finding.related_events.kill_chain.phase | security_result.detection_fields[related_events_kill_chain_phase] | Iterate through the finding.related_events log field, then iterate through the finding.related_events.kill_chain log field, then the finding.related_events.kill_chain.phase log field is mapped to the security_result.detection_fields[related_events_kill_chain_phase] UDM field. | 
| finding.related_events.kill_chain.phase_id | security_result.detection_fields[related_events_kill_chain_phase_id] | Iterate through the finding.related_events log field, then iterate through the finding.related_events.kill_chain log field, then the finding.related_events.kill_chain.phase_id log field is mapped to the security_result.detection_fields[related_events_kill_chain_phase_id] UDM field. | 
| finding.remediation.kb_article_list.os.name | security_result.outcomes[finding_remediation_kb_article_list_os_name] | Iterate through the finding.remediation.kb_article_list log field, then the finding.remediation.kb_article_list.os.name log field is mapped to the security_result.outcomes[finding_remediation_kb_article_list_os_name] UDM field. | 
| finding.remediation.kb_article_list.os.type_id | security_result.outcomes[finding_remediation_kb_article_list_os_type_id] | Iterate through the finding.remediation.kb_article_list log field, then the finding.remediation.kb_article_list.os.type_id log field is mapped to the security_result.outcomes[finding_remediation_kb_article_list_os_type_id] UDM field. | 
| finding.remediation.kb_article_list.severity | security_result.outcomes[finding_remediation_kb_article_list_severity] | Iterate through the finding.remediation.kb_article_list log field, then the finding.remediation.kb_article_list.severity log field is mapped to the security_result.outcomes[finding_remediation_kb_article_list_severity] UDM field. | 
| finding.remediation.kb_article_list.title | security_result.outcomes[finding_remediation_kb_article_list_title] | Iterate through the finding.remediation.kb_article_list log field, then the finding.remediation.kb_article_list.title log field is mapped to the security_result.outcomes[finding_remediation_kb_article_list_title] UDM field. | 
| finding.remediation.kb_article_list.uid | security_result.outcomes[finding_remediation_kb_article_list_uid] | Iterate through the finding.remediation.kb_article_list log field, then the finding.remediation.kb_article_list.uid log field is mapped to the security_result.outcomes[finding_remediation_kb_article_list_uid] UDM field. | 
| finding.remediation.kb_article_list.product.name | security_result.outcomes[finding_remediation_kb_article_list_product_name] | Iterate through the finding.remediation.kb_article_list log field, then the finding.remediation.kb_article_list.product.name log field is mapped to the security_result.outcomes[finding_remediation_kb_article_list_product_name] UDM field. | 
| finding.remediation.kb_article_list.product.uid | security_result.outcomes[finding_remediation_kb_article_list_product_uid] | Iterate through the finding.remediation.kb_article_list log field, then the finding.remediation.kb_article_list.product.uid log field is mapped to the security_result.outcomes[finding_remediation_kb_article_list_product_uid] UDM field. | 
| finding.remediation.kb_article_list.product.vendor_name | security_result.outcomes[finding_remediation_kb_article_list_product_vendor_name] | Iterate through the finding.remediation.kb_article_list log field, then the finding.remediation.kb_article_list.product.vendor_name log field is mapped to the security_result.outcomes[finding_remediation_kb_article_list_product_vendor_name] UDM field. | 
| finding.remediation.kb_article_list.product.version | security_result.outcomes[finding_remediation_kb_article_list_product_version] | Iterate through the finding.remediation.kb_article_list log field, then the finding.remediation.kb_article_list.product.version log field is mapped to the security_result.outcomes[finding_remediation_kb_article_list_product_version] UDM field. | 
| finding.remediation.reference | security_result.outcomes[finding_remediation_reference] | Iterate through the finding.remediation.reference log field, then each finding.remediation.reference value is mapped to the security_result.outcomes[finding_remediation_reference] UDM field. | 
| finding.related_events.attacks.sub_technique.name | security_result.attack_details.techniques.subtechnique_name | Iterate through the finding.related_events log field, then iterate through the finding.related_events.attacks log field, then the finding.related_events.attacks.sub_technique.name log field is mapped to the security_result.attack_details.techniques.subtechnique_name UDM field. | 
| finding.related_events.attacks.sub_technique.uid | security_result.attack_details.techniques.subtechnique_id | Iterate through the finding.related_events log field, then iterate through the finding.related_events.attacks log field, then the finding.related_events.attacks.sub_technique.uid log field is mapped to the security_result.attack_details.techniques.subtechnique_id UDM field. | 
| finding.related_events.attacks.sub_technique.src_url | security_result.outcomes[finding_related_events_attacks_sub_technique_src_url] | Iterate through the finding.related_events.attacks log field, then the finding.related_events.attacks.sub_technique.src_url log field is mapped to the security_result.outcomes[finding_related_events_attacks_sub_technique_src_url] UDM field. | 
| attacks.sub_technique.name | security_result.attack_details.techniques.subtechnique_name | Iterate through the finding.related_events.attacks log field, then the attacks.sub_technique.name log field is mapped to the security_result.attack_details.techniques.subtechnique_name UDM field. | 
| attacks.sub_technique.uid | security_result.attack_details.techniques.subtechnique_id | Iterate through the finding.related_events.attacks log field, then the attacks.sub_technique.uid log field is mapped to the security_result.attack_details.techniques.subtechnique_id UDM field. | 
| attacks.sub_technique.src_url | security_result.detection_fields[attacks_sub_technique_src_url] | Iterate through the finding.related_events.attacks log field, then the attacks.sub_technique.src_url log field is mapped to the security_result.detection_fields[attacks_sub_technique_src_url] UDM field. | 
| malware.cves.title | extensions.vulns.vulnerabilities.description | |
| malware.cves.product.cpe_name | extensions.vulns.vulnerabilities.about.security_result.detection_fields[malware_cves_product_cpe_name] | Iterate through the malware.cves log field, then the malware.cves.product.cpe_name log field is mapped to the extensions.vulns.vulnerabilities.about.security_result.detection_fields[malware_cves_product_cpe_name] UDM field. | 
| malware.cves.epass.created_time | extensions.vulns.vulnerabilities.about.security_result.detection_fields[malware_cves_epass_created_time] | Iterate through the malware.cves log field, then the malware.cves.epass.created_time log field is mapped to the extensions.vulns.vulnerabilities.about.security_result.detection_fields[malware_cves_epass_created_time] UDM field. | 
| malware.cves.epass.score | extensions.vulns.vulnerabilities.about.security_result.detection_fields[malware_cves_epass_score] | Iterate through the malware.cves log field, then the malware.cves.epass.score log field is mapped to the extensions.vulns.vulnerabilities.about.security_result.detection_fields[malware_cves_epass_score] UDM field. | 
| malware.cves.epass.percentile | extensions.vulns.vulnerabilities.about.security_result.detection_fields[malware_cves_epass_percentile] | Iterate through the malware.cves log field, then the malware.cves.epass.percentile log field is mapped to the extensions.vulns.vulnerabilities.about.security_result.detection_fields[malware_cves_epass_percentile] UDM field. | 
| malware.cves.epass.version | extensions.vulns.vulnerabilities.about.security_result.detection_fields[malware_cves_epass_version] | Iterate through the malware.cves log field, then the malware.cves.epass.version log field is mapped to the extensions.vulns.vulnerabilities.about.security_result.detection_fields[malware_cves_epass_version] UDM field. | 
| malware.cves.reference | additional.fields[malware_cves_reference] | Iterate through the malware.cves.reference log field, then each malware.cves.reference value is mapped to the additional.fields[malware_cves_reference] UDM field. | 
| metadata.log_level | additional.fields[metadata_log_level] | |
| metadata.tenant_uid | additional.fields[metadata_tenant_uid] | |
| metadata.product.cpe_name | about.asset.attribute.labels[metadata_product_cpe_name] | |
| metadata.loggers.device.hostname | about.asset.hostname | Iterate through the metadata.loggers log field, then the metadata.loggers.device.hostname log field is mapped to the about.asset.hostname UDM field. | 
| metadata.loggers.device.ip | about.asset.ip | Iterate through the metadata.loggers log field, then the metadata.loggers.device.ip log field is mapped to the about.asset.ip UDM field. | 
| metadata.loggers.device.instance_uid | about.asset.attribute.labels[metadata_device_instance_uid] | Iterate through the metadata.loggers log field, then the metadata.loggers.device.instance_uid log field is mapped to the about.asset.attribute.labels[metadata_device_instance_uid] UDM field. | 
| metadata.loggers.device.name | about.asset.attribute.labels[metadata_device_name] | Iterate through the metadata.loggers log field, then the metadata.loggers.device.name log field is mapped to the about.asset.attribute.labels[metadata_device_name] UDM field. | 
| metadata.loggers.device.interface_uid | about.asset.attribute.labels[metadata_device_interface_uid] | Iterate through the metadata.loggers log field, then the metadata.loggers.device.interface_uid log field is mapped to the about.asset.attribute.labels[metadata_device_interface_uid] UDM field. | 
| metadata.loggers.device.interface_name | about.asset.attribute.labels[metadata_device_interface_name] | Iterate through the metadata.loggers log field, then the metadata.loggers.device.interface_name log field is mapped to the about.asset.attribute.labels[metadata_device_interface_name] UDM field. | 
| metadata.loggers.device.region | about.asset.attribute.labels[metadata_device_region] | Iterate through the metadata.loggers log field, then the metadata.loggers.device.region log field is mapped to the about.asset.attribute.labels[metadata_device_region] UDM field. | 
| metadata.loggers.device.type_id | about.asset.attribute.labels[metadata_device_type_id] | Iterate through the metadata.loggers log field, then the metadata.loggers.device.type_id log field is mapped to the about.asset.attribute.labels[metadata_device_type_id] UDM field. | 
| metadata.loggers.device.uid | about.asset.asset_id | Iterate through the metadata.loggers log field, then the metadata.loggers.device.uid log field is mapped to the about.asset.asset_id UDM field. | 
| metadata.loggers.product.name | additional.fields[metadata_product_name] | Iterate through the metadata.loggers log field, then the metadata.loggers.product.name log field is mapped to the additional.fields[metadata_product_name] UDM field. | 
| metadata.loggers.product.vendor_name | additional.fields[metadata_product_vendor_name] | Iterate through the metadata.loggers log field, then the metadata.loggers.product.vendor_name log field is mapped to the additional.fields[metadata_product_vendor_name] UDM field. | 
| metadata.loggers.product.version | additional.fields[metadata_product_version] | Iterate through the metadata.loggers log field, then the metadata.loggers.product.version log field is mapped to the additional.fields[metadata_product_version] UDM field. | 
| metadata.loggers.product.uid | additional.fields[metadata_product_uid] | Iterate through the metadata.loggers log field, then the metadata.loggers.product.uid log field is mapped to the additional.fields[metadata_product_uid] UDM field. | 
| metadata.loggers.uid | additional.fields[metadata_loggers_uid] | Iterate through the metadata.loggers log field, then the metadata.loggers.uid log field is mapped to the additional.fields[metadata_loggers_uid] UDM field. | 
| metadata.loggers.name | additional.fields[metadata_loggers_name] | Iterate through the metadata.loggers log field, then the metadata.loggers.name log field is mapped to the additional.fields[metadata_loggers_name] UDM field. | 
| metadata.loggers.log_provider | additional.fields[metadata_loggers_log_provider] | Iterate through the metadata.loggers log field, then the metadata.loggers.log_provider log field is mapped to the additional.fields[metadata_loggers_log_provider] UDM field. | 
| metadata.loggers.log_name | additional.fields[metadata_loggers_log_name] | Iterate through the metadata.loggers log field, then the metadata.loggers.log_name log field is mapped to the additional.fields[metadata_loggers_log_name] UDM field. | 
| actor.session.uid | network.session_id | If the actor.session.uid log field value is not empty, then the actor.session.uid log field is mapped to the network.session_id UDM field. Else, if the process.session.uid log field value is not empty, then the process.session.uid log field is mapped to the network.session_id UDM field. Else, if the process.session.uid_alt log field value is not empty, then the process.session.uid_alt log field is mapped to the network.session_id UDM field. | 
| process.session.uid | network.session_id | If the actor.session.uid log field value is not empty, then the actor.session.uid log field is mapped to the network.session_id UDM field. Else, if the process.session.uid log field value is not empty, then the process.session.uid log field is mapped to the network.session_id UDM field. Else, if the process.session.uid_alt log field value is not empty, then the process.session.uid_alt log field is mapped to the network.session_id UDM field. | 
| process.session.uid_alt | network.session_id | If the actor.session.uid log field value is not empty, then the actor.session.uid log field is mapped to the network.session_id UDM field. Else, if the process.session.uid log field value is not empty, then the process.session.uid log field is mapped to the network.session_id UDM field. Else, if the process.session.uid_alt log field value is not empty, then the process.session.uid_alt log field is mapped to the network.session_id UDM field. | 
| process.session.expiration_reason | additional.fields[process_session_expiration_reason] | |
| process.user.ldap_person.cost_center | principal.user.attribute.labels[process_user_ldap_person_cost_center] | |
| process.user.ldap_person.created_time | principal.user.attribute.labels[process_user_ldap_person_created_time] | |
| process.user.ldap_person.deleted_time | principal.user.attribute.labels[process_user_ldap_person_deleted_time] | |
| process.user.ldap_person.email_addrs | principal.user.email_addresses | |
| process.user.ldap_person.employee_uid | principal.user.employee_uid | |
| process.user.ldap_person.location | principal.user.attribute.labels[process_user_ldap_person_location] | |
| process.user.ldap_person.given_name | principal.user.first_name | |
| process.user.ldap_person.hire_time | principal.user.hire_date | |
| process.user.ldap_person.job_title | principal.user.title | |
| process.user.ldap_person.ldap_cn | principal.user.attribute.labels[process_user_ldap_person_ldap_cn] | |
| process.user.ldap_person.ldap_dn | principal.user.attribute.labels[process_user_ldap_person_ldap_dn] | |
| process.user.ldap_person.labels | principal.user.attribute.labels[process_user_ldap_person_labels] | |
| process.user.ldap_person.last_login_time | principal.user.last_login_time | |
| process.user.ldap_person.leave_time | principal.user.attribute.labels[process_user_ldap_person_leave_time] | |
| process.user.ldap_person.modified_time | principal.user.attribute.labels[process_user_ldap_person_modified_time] | |
| process.user.ldap_person.office_location | principal.user.office_address.name | |
| process.user.ldap_person.surname | principal.user.last_name | |
| process.user.ldap_person.manager.cost_center | principal.user.managers.attribute.labels[process_user_ldap_person_cost_center] | |
| process.user.ldap_person.manager.created_time | principal.user.managers.attribute.labels[process_user_ldap_person_created_time] | |
| process.user.ldap_person.manager.deleted_time | principal.user.managers.attribute.labels[process_user_ldap_person_deleted_time] | |
| process.user.ldap_person.manager.email_addrs | principal.user.managers.email_addresses | |
| process.user.ldap_person.manager.employee_uid | principal.user.managers.employee_uid | |
| process.user.ldap_person.manager.location | principal.user.managers.attribute.labels[process_user_ldap_person_location] | |
| process.user.ldap_person.manager.given_name | principal.user.managers.first_name | |
| process.user.ldap_person.manager.hire_time | principal.user.managers.hire_date | |
| process.user.ldap_person.manager.job_title | principal.user.managers.title | |
| process.user.ldap_person.manager.ldap_cn | principal.user.managers.attribute.labels[process_user_ldap_person_ldap_cn] | |
| process.user.ldap_person.manager.ldap_dn | principal.user.managers.attribute.labels[process_user_ldap_person_ldap_dn] | |
| process.user.ldap_person.manager.labels | principal.user.managers.attribute.labels[process_user_ldap_person_labels] | |
| process.user.ldap_person.manager.last_login_time | principal.user.managers.last_login_time | |
| process.user.ldap_person.manager.leave_time | principal.user.managers.attribute.labels[process_user_ldap_person_leave_time] | |
| process.user.ldap_person.manager.modified_time | principal.user.managers.attribute.labels[process_user_ldap_person_modified_time] | |
| process.user.ldap_person.manager.office_location | principal.user.managers.office_address.name | |
| process.user.ldap_person.manager.surname | principal.user.managers.last_name | |
| process.user.groups.domain | principal.user.group_identifiers | |
| resources.owner.ldap_person.cost_center | about.user.attribute.labels[process_user_ldap_person_cost_center] | Iterate through log field resources, then resources.owner.ldap_person.cost_center log field is mapped to the about.user.attribute.labels[process_user_ldap_person_cost_center] UDM field. |
| resources.owner.ldap_person.created_time | about.user.attribute.labels[process_user_ldap_person_created_time] | Iterate through log field resources, then resources.owner.ldap_person.created_time log field is mapped to the about.user.attribute.labels[process_user_ldap_person_created_time] UDM field. |
| resources.owner.ldap_person.deleted_time | about.user.attribute.labels[process_user_ldap_person_deleted_time] | Iterate through log field resources, then resources.owner.ldap_person.deleted_time log field is mapped to the about.user.attribute.labels[process_user_ldap_person_deleted_time] UDM field. |
| resources.owner.ldap_person.email_addrs | about.user.email_addresses | Iterate through log field resources, then resources.owner.ldap_person.email_addrs log field is mapped to the about.user.email_addresses UDM field. |
| resources.owner.ldap_person.employee_uid | about.user.employee_uid | Iterate through log field resources, then resources.owner.ldap_person.employee_uid log field is mapped to the about.user.employee_uid UDM field. |
| resources.owner.ldap_person.location | about.user.attribute.labels[process_user_ldap_person_location] | Iterate through log field resources, then resources.owner.ldap_person.location log field is mapped to the about.user.attribute.labels[process_user_ldap_person_location] UDM field. |
| resources.owner.ldap_person.given_name | about.user.first_name | Iterate through log field resources, then resources.owner.ldap_person.given_name log field is mapped to the about.user.first_name UDM field. |
| resources.owner.ldap_person.hire_time | about.user.hire_date | Iterate through log field resources, then resources.owner.ldap_person.hire_time log field is mapped to the about.user.hire_date UDM field. |
| resources.owner.ldap_person.job_title | about.user.title | Iterate through log field resources, then resources.owner.ldap_person.job_title log field is mapped to the about.user.title UDM field. |
| resources.owner.ldap_person.ldap_cn | about.user.attribute.labels[process_user_ldap_person_ldap_cn] | Iterate through log field resources, then resources.owner.ldap_person.ldap_cn log field is mapped to the about.user.attribute.labels[process_user_ldap_person_ldap_cn] UDM field. |
| resources.owner.ldap_person.ldap_dn | about.user.attribute.labels[process_user_ldap_person_ldap_dn] | Iterate through log field resources, then resources.owner.ldap_person.ldap_dn log field is mapped to the about.user.attribute.labels[process_user_ldap_person_ldap_dn] UDM field. |
| resources.owner.ldap_person.labels | about.user.attribute.labels[process_user_ldap_person_labels] | Iterate through log field resources, then resources.owner.ldap_person.labels log field is mapped to the about.user.attribute.labels[process_user_ldap_person_labels] UDM field. |
| resources.owner.ldap_person.last_login_time | about.user.last_login_time | Iterate through log field resources, then resources.owner.ldap_person.last_login_time log field is mapped to the about.user.last_login_time UDM field. |
| resources.owner.ldap_person.leave_time | about.user.attribute.labels[process_user_ldap_person_leave_time] | Iterate through log field resources, then resources.owner.ldap_person.leave_time log field is mapped to the about.user.attribute.labels[process_user_ldap_person_leave_time] UDM field. |
| resources.owner.ldap_person.modified_time | about.user.attribute.labels[process_user_ldap_person_modified_time] | Iterate through log field resources, then resources.owner.ldap_person.modified_time log field is mapped to the about.user.attribute.labels[process_user_ldap_person_modified_time] UDM field. |
| resources.owner.ldap_person.office_location | about.user.office_address.name | Iterate through log field resources, then resources.owner.ldap_person.office_location log field is mapped to the about.user.office_address.name UDM field. |
| resources.owner.ldap_person.surname | about.user.last_name | Iterate through log field resources, then resources.owner.ldap_person.surname log field is mapped to the about.user.last_name UDM field. |
| resources.owner.ldap_person.manager.cost_center | about.user.managers.attribute.labels[process_user_ldap_person_cost_center] | Iterate through log field resources, then resources.owner.ldap_person.manager.cost_center log field is mapped to the about.user.managers.attribute.labels[process_user_ldap_person_cost_center] UDM field. |
| resources.owner.ldap_person.manager.created_time | about.user.managers.attribute.labels[process_user_ldap_person_created_time] | Iterate through log field resources, then resources.owner.ldap_person.manager.created_time log field is mapped to the about.user.managers.attribute.labels[process_user_ldap_person_created_time] UDM field. |
| resources.owner.ldap_person.manager.deleted_time | about.user.managers.attribute.labels[process_user_ldap_person_deleted_time] | Iterate through log field resources, then resources.owner.ldap_person.manager.deleted_time log field is mapped to the about.user.managers.attribute.labels[process_user_ldap_person_deleted_time] UDM field. |
| resources.owner.ldap_person.manager.email_addrs | about.user.managers.email_addresses | Iterate through log field resources, then resources.owner.ldap_person.manager.email_addrs log field is mapped to the about.user.managers.email_addresses UDM field. |
| resources.owner.ldap_person.manager.employee_uid | about.user.managers.employee_uid | Iterate through log field resources, then resources.owner.ldap_person.manager.employee_uid log field is mapped to the about.user.managers.employee_uid UDM field. |
| resources.owner.ldap_person.manager.location | about.user.managers.attribute.labels[process_user_ldap_person_location] | Iterate through log field resources, then resources.owner.ldap_person.manager.location log field is mapped to the about.user.managers.attribute.labels[process_user_ldap_person_location] UDM field. |
| resources.owner.ldap_person.manager.given_name | about.user.managers.first_name | Iterate through log field resources, then resources.owner.ldap_person.manager.given_name log field is mapped to the about.user.managers.first_name UDM field. |
| resources.owner.ldap_person.manager.hire_time | about.user.managers.hire_date | Iterate through log field resources, then resources.owner.ldap_person.manager.hire_time log field is mapped to the about.user.managers.hire_date UDM field. |
| resources.owner.ldap_person.manager.job_title | about.user.managers.title | Iterate through log field resources, then resources.owner.ldap_person.manager.job_title log field is mapped to the about.user.managers.title UDM field. |
| resources.owner.ldap_person.manager.ldap_cn | about.user.managers.attribute.labels[process_user_ldap_person_ldap_cn] | Iterate through log field resources, then resources.owner.ldap_person.manager.ldap_cn log field is mapped to the about.user.managers.attribute.labels[process_user_ldap_person_ldap_cn] UDM field. |
| resources.owner.ldap_person.manager.ldap_dn | about.user.managers.attribute.labels[process_user_ldap_person_ldap_dn] | Iterate through log field resources, then resources.owner.ldap_person.manager.ldap_dn log field is mapped to the about.user.managers.attribute.labels[process_user_ldap_person_ldap_dn] UDM field. |
| resources.owner.ldap_person.manager.labels | about.user.managers.attribute.labels[process_user_ldap_person_labels] | Iterate through log field resources, then resources.owner.ldap_person.manager.labels log field is mapped to the about.user.managers.attribute.labels[process_user_ldap_person_labels] UDM field. |
| resources.owner.ldap_person.manager.last_login_time | about.user.managers.last_login_time | Iterate through log field resources, then resources.owner.ldap_person.manager.last_login_time log field is mapped to the about.user.managers.last_login_time UDM field. |
| resources.owner.ldap_person.manager.leave_time | about.user.managers.attribute.labels[process_user_ldap_person_leave_time] | Iterate through log field resources, then resources.owner.ldap_person.manager.leave_time log field is mapped to the about.user.managers.attribute.labels[process_user_ldap_person_leave_time] UDM field. |
| resources.owner.ldap_person.manager.modified_time | about.user.managers.attribute.labels[process_user_ldap_person_modified_time] | Iterate through log field resources, then resources.owner.ldap_person.manager.modified_time log field is mapped to the about.user.managers.attribute.labels[process_user_ldap_person_modified_time] UDM field. |
| resources.owner.ldap_person.manager.office_location | about.user.managers.office_address.name | Iterate through log field resources, then resources.owner.ldap_person.manager.office_location log field is mapped to the about.user.managers.office_address.name UDM field. |
| resources.owner.ldap_person.manager.surname | about.user.managers.last_name | Iterate through log field resources, then resources.owner.ldap_person.manager.surname log field is mapped to the about.user.managers.last_name UDM field. |
| resource.owner.groups.domain | about.user.group_identifiers | Iterate through log field resources, then iterate through log field resource.owner.groups, then resource.owner.groups.domain log field is mapped to the about.user.group_identifiers UDM field. |
| vulnerabilities.is_exploit_available | additional.fields[vulnerabilities_is_exploit_available] | Iterate through log field vulnerabilities, then vulnerabilities.is_exploit_available log field is mapped to the additional.fields[vulnerabilities_is_exploit_available] UDM field. |
| vulnerabilities.is_fix_available | additional.fields[vulnerabilities_is_fix_available] | Iterate through log field vulnerabilities, then vulnerabilities.is_fix_available log field is mapped to the additional.fields[vulnerabilities_is_fix_available] UDM field. |
| vulnerabilities.cve.title | additional.fields[vulnerabilities_cve_title] | Iterate through log field vulnerabilities, then vulnerabilities.cve.title log field is mapped to the additional.fields[vulnerabilities_cve_title] UDM field. |
| vulnerabilities.cve.references | additional.fields[vulnerabilities_cve_references] | Iterate through log field vulnerabilities, then iterate through log field vulnerabilities.cve.references, then vulnerabilities.cve.references log field is mapped to the additional.fields[vulnerabilities_cve_references] UDM field. |
| vulnerabilities.first_seen_time | extensions.vulns.vulnerabilities.first_found | Iterate through log field vulnerabilities, then if the vulnerabilities.cve.created_time log field value is not empty then, vulnerabilities.cve.created_time log field is mapped to the extensions.vulns.vulnerabilities.first_found UDM field. Else, vulnerabilities.first_seen_time log field is mapped to the extensions.vulns.vulnerabilities.first_found UDM field. |
| vulnerabilities.last_seen_time | extensions.vulns.vulnerabilities.last_found | Iterate through log field vulnerabilities, then vulnerabilities.last_seen_time log field is mapped to the extensions.vulns.vulnerabilities.last_found UDM field. |
| vulnerabilities.cve.desc | extensions.vulns.vulnerabilities.cve_description | Iterate through log field vulnerabilities, then vulnerabilities.cve.desc log field is mapped to the extensions.vulns.vulnerabilities.cve_description UDM field. |
| vulnerabilities.kb_article_list.os.name | extensions.vulns.vulnerabilities.about.security_result.detection_fields[vulnerabilities_kb_article_list_os_name] | Iterate through log field vulnerabilities, then iterate through log field vulnerabilities.kb_article_list, then vulnerabilities.kb_article_list.os.name log field is mapped to the extensions.vulns.vulnerabilities.about.security_result.detection_fields[vulnerabilities_kb_article_list_os_name] UDM field. |
| vulnerabilities.kb_article_list.os.type | extensions.vulns.vulnerabilities.about.security_result.detection_fields[vulnerabilities_kb_article_list_os_type] | Iterate through log field vulnerabilities, then iterate through log field vulnerabilities.kb_article_list, then vulnerabilities.kb_article_list.os.type log field is mapped to the extensions.vulns.vulnerabilities.about.security_result.detection_fields[vulnerabilities_kb_article_list_os_type] UDM field. |
| vulnerabilities.kb_article_list.os.type_id | extensions.vulns.vulnerabilities.about.security_result.detection_fields[vulnerabilities_kb_article_list_os_type_id] | Iterate through log field vulnerabilities, then iterate through log field vulnerabilities.kb_article_list, then vulnerabilities.kb_article_list.os.type_id log field is mapped to the extensions.vulns.vulnerabilities.about.security_result.detection_fields[vulnerabilities_kb_article_list_os_type_id] UDM field. |
| vulnerabilities.kb_article_list.product.name | extensions.vulns.vulnerabilities.about.security_result.detection_fields[vulnerabilities_kb_article_list_product_name] | Iterate through log field vulnerabilities, then iterate through log field vulnerabilities.kb_article_list, then vulnerabilities.kb_article_list.product.name log field is mapped to the extensions.vulns.vulnerabilities.about.security_result.detection_fields[vulnerabilities_kb_article_list_product_name] UDM field. |
| vulnerabilities.kb_article_list.product.uid | extensions.vulns.vulnerabilities.about.security_result.detection_fields[vulnerabilities_kb_article_list_product_uid] | Iterate through log field vulnerabilities, then iterate through log field vulnerabilities.kb_article_list, then vulnerabilities.kb_article_list.product.uid log field is mapped to the extensions.vulns.vulnerabilities.about.security_result.detection_fields[vulnerabilities_kb_article_list_product_uid] UDM field. |
| vulnerabilities.kb_article_list.product.vendor_name | extensions.vulns.vulnerabilities.about.security_result.detection_fields[vulnerabilities_kb_article_list_product_vendor_name] | Iterate through log field vulnerabilities, then iterate through log field vulnerabilities.kb_article_list, then vulnerabilities.kb_article_list.product.vendor_name log field is mapped to the extensions.vulns.vulnerabilities.about.security_result.detection_fields[vulnerabilities_kb_article_list_product_vendor_name] UDM field. |
| vulnerabilities.kb_article_list.title | extensions.vulns.vulnerabilities.about.security_result.detection_fields[vulnerabilities_kb_article_list_title] | Iterate through log field vulnerabilities, then iterate through log field vulnerabilities.kb_article_list, then vulnerabilities.kb_article_list.title log field is mapped to the extensions.vulns.vulnerabilities.about.security_result.detection_fields[vulnerabilities_kb_article_list_title] UDM field. |
| vulnerabilities.kb_article_list.uid | extensions.vulns.vulnerabilities.about.security_result.detection_fields[vulnerabilities_kb_article_list_uid] | Iterate through log field vulnerabilities, then iterate through log field vulnerabilities.kb_article_list, then vulnerabilities.kb_article_list.uid log field is mapped to the extensions.vulns.vulnerabilities.about.security_result.detection_fields[vulnerabilities_kb_article_list_uid] UDM field. |
| vulnerabilities.kb_article_list.bulletin | extensions.vulns.vulnerabilities.about.security_result.detection_fields[vulnerabilities_kb_article_list_bulletin] | Iterate through log field vulnerabilities, then iterate through log field vulnerabilities.kb_article_list, then vulnerabilities.kb_article_list.bulletin log field is mapped to the extensions.vulns.vulnerabilities.about.security_result.detection_fields[vulnerabilities_kb_article_list_bulletin] UDM field. |
| vulnerabilities.kb_article_list.classification | extensions.vulns.vulnerabilities.about.security_result.detection_fields[vulnerabilities_kb_article_list_classification] | Iterate through log field vulnerabilities, then iterate through log field vulnerabilities.kb_article_list, then vulnerabilities.kb_article_list.classification log field is mapped to the extensions.vulns.vulnerabilities.about.security_result.detection_fields[vulnerabilities_kb_article_list_classification] UDM field. |
| vulnerabilities.kb_article_list.created_time | extensions.vulns.vulnerabilities.about.security_result.detection_fields[vulnerabilities_kb_article_list_created_time] | Iterate through log field vulnerabilities, then iterate through log field vulnerabilities.kb_article_list, then vulnerabilities.kb_article_list.created_time log field is mapped to the extensions.vulns.vulnerabilities.about.security_result.detection_fields[vulnerabilities_kb_article_list_created_time] UDM field. |
| vulnerabilities.kb_article_list.severity | extensions.vulns.vulnerabilities.about.security_result.detection_fields[vulnerabilities_kb_article_list_severity] | Iterate through log field vulnerabilities, then iterate through log field vulnerabilities.kb_article_list, then vulnerabilities.kb_article_list.severity log field is mapped to the extensions.vulns.vulnerabilities.about.security_result.detection_fields[vulnerabilities_kb_article_list_severity] UDM field. |
| vulnerabilities.kb_article_list.size | extensions.vulns.vulnerabilities.about.security_result.detection_fields[vulnerabilities_kb_article_list_size] | Iterate through log field vulnerabilities, then iterate through log field vulnerabilities.kb_article_list, then vulnerabilities.kb_article_list.size log field is mapped to the extensions.vulns.vulnerabilities.about.security_result.detection_fields[vulnerabilities_kb_article_list_size] UDM field. |
| vulnerabilities.kb_article_list.src_url | extensions.vulns.vulnerabilities.about.security_result.detection_fields[vulnerabilities_kb_article_list_src_url] | Iterate through log field vulnerabilities, then iterate through log field vulnerabilities.kb_article_list, then vulnerabilities.kb_article_list.src_url log field is mapped to the extensions.vulns.vulnerabilities.about.security_result.detection_fields[vulnerabilities_kb_article_list_src_url] UDM field. |
| vulnerabilities.kb_article_list.is_superseded | extensions.vulns.vulnerabilities.about.security_result.detection_fields[vulnerabilities_kb_article_list_is_superseded] | Iterate through log field vulnerabilities, then iterate through log field vulnerabilities.kb_article_list, then vulnerabilities.kb_article_list.is_superseded log field is mapped to the extensions.vulns.vulnerabilities.about.security_result.detection_fields[vulnerabilities_kb_article_list_is_superseded] UDM field. |
| vulnerabilities.remediation.reference | additional.fields[vulnerabilities_remediation_references] | Iterate through log field vulnerabilities, then vulnerabilities.remediation.reference log field is mapped to the additional.fields[vulnerabilities_remediation_references] UDM field. |
| vulnerabilities.affected_code.end_line | extensions.vulns.vulnerabilities.about.file.security_result.detection_fields[vulnerabilities_affected_code_end_line] | Iterate through log field vulnerabilities, then iterate through log field vulnerabilities.affected_code, then vulnerabilities.affected_code.end_line log field is mapped to the extensions.vulns.vulnerabilities.about.file.security_result.detection_fields[vulnerabilities_affected_code_end_line] UDM field. |
| vulnerabilities.affected_code.start_line | extensions.vulns.vulnerabilities.about.file.security_result.detection_fields[vulnerabilities_affected_code_start_line] | Iterate through log field vulnerabilities, then iterate through log field vulnerabilities.affected_code, then vulnerabilities.affected_code.start_line log field is mapped to the extensions.vulns.vulnerabilities.about.file.security_result.detection_fields[vulnerabilities_affected_code_start_line] UDM field. |
| vulnerabilities.affected_code.file.mime_type | extensions.vulns.vulnerabilities.about.file.security_result.detection_fields[vulnerabilities_affected_code_file_mime_type] | Iterate through log field vulnerabilities, then iterate through log field vulnerabilities.affected_code, then vulnerabilities.affected_code.file.mime_type log field is mapped to the extensions.vulns.vulnerabilities.about.file.security_result.detection_fields[vulnerabilities_affected_code_file_mime_type] UDM field. |
| vulnerabilities.affected_code.file.path | extensions.vulns.vulnerabilities.about.file.security_result.detection_fields[vulnerabilities_affected_code_file_path] | Iterate through log field vulnerabilities, then iterate through log field vulnerabilities.affected_code, then vulnerabilities.affected_code.file.path log field is mapped to the extensions.vulns.vulnerabilities.about.file.security_result.detection_fields[vulnerabilities_affected_code_file_path] UDM field. |
| vulnerabilities.affected_code.file.modified_time | extensions.vulns.vulnerabilities.about.file.security_result.detection_fields[vulnerabilities_affected_code_file_modified_time] | Iterate through log field vulnerabilities, then iterate through log field vulnerabilities.affected_code, then vulnerabilities.affected_code.file.modified_time log field is mapped to the extensions.vulns.vulnerabilities.about.file.security_result.detection_fields[vulnerabilities_affected_code_file_modified_time] UDM field. |
| vulnerabilities.affected_code.file.created_time | extensions.vulns.vulnerabilities.about.file.security_result.detection_fields[vulnerabilities_affected_code_file_created_time] | Iterate through log field vulnerabilities, then iterate through log field vulnerabilities.affected_code, then vulnerabilities.affected_code.file.created_time log field is mapped to the extensions.vulns.vulnerabilities.about.file.security_result.detection_fields[vulnerabilities_affected_code_file_created_time] UDM field. |
| vulnerabilities.affected_code.file.accessed_time | extensions.vulns.vulnerabilities.about.file.security_result.detection_fields[vulnerabilities_affected_code_file_accessed_time] | Iterate through log field vulnerabilities, then iterate through log field vulnerabilities.affected_code, then vulnerabilities.affected_code.file.accessed_time log field is mapped to the extensions.vulns.vulnerabilities.about.file.security_result.detection_fields[vulnerabilities_affected_code_file_accessed_time] UDM field. |
| vulnerabilities.affected_code.file.name | extensions.vulns.vulnerabilities.about.file.security_result.detection_fields[vulnerabilities_affected_code_file_name] | Iterate through log field vulnerabilities, then iterate through log field vulnerabilities.affected_code, then vulnerabilities.affected_code.file.name log field is mapped to the extensions.vulns.vulnerabilities.about.file.security_result.detection_fields[vulnerabilities_affected_code_file_name] UDM field. |
| vulnerabilities.affected_code.file.size | extensions.vulns.vulnerabilities.about.file.security_result.detection_fields[vulnerabilities_affected_code_file_size] | Iterate through log field vulnerabilities, then iterate through log field vulnerabilities.affected_code, then vulnerabilities.affected_code.file.size log field is mapped to the extensions.vulns.vulnerabilities.about.file.security_result.detection_fields[vulnerabilities_affected_code_file_size] UDM field. |
| vulnerabilities.affected_packages.architecture | extensions.vulns.vulnerabilities.about.security_result.detection_fields[vulnerabilities_affected_packages_architecture] | Iterate through log field vulnerabilities, then iterate through log field vulnerabilities.affected_packages, then vulnerabilities.affected_packages.architecture log field is mapped to the extensions.vulns.vulnerabilities.about.security_result.detection_fields[vulnerabilities_affected_packages_architecture] UDM field. |
| vulnerabilities.affected_packages.epoch | extensions.vulns.vulnerabilities.about.security_result.detection_fields[vulnerabilities_affected_packages_epoch] | Iterate through log field vulnerabilities, then iterate through log field vulnerabilities.affected_packages, then vulnerabilities.affected_packages.epoch log field is mapped to the extensions.vulns.vulnerabilities.about.security_result.detection_fields[vulnerabilities_affected_packages_epoch] UDM field. |
| vulnerabilities.affected_packages.name | extensions.vulns.vulnerabilities.about.security_result.detection_fields[vulnerabilities_affected_packages_name] | Iterate through log field vulnerabilities, then iterate through log field vulnerabilities.affected_packages, then vulnerabilities.affected_packages.name log field is mapped to the extensions.vulns.vulnerabilities.about.security_result.detection_fields[vulnerabilities_affected_packages_name] UDM field. |
| vulnerabilities.affected_packages.release | extensions.vulns.vulnerabilities.about.security_result.detection_fields[vulnerabilities_affected_packages_release] | Iterate through log field vulnerabilities, then iterate through log field vulnerabilities.affected_packages, then vulnerabilities.affected_packages.release log field is mapped to the extensions.vulns.vulnerabilities.about.security_result.detection_fields[vulnerabilities_affected_packages_release] UDM field. |
| vulnerabilities.affected_packages.version | extensions.vulns.vulnerabilities.about.security_result.detection_fields[vulnerabilities_affected_packages_version] | Iterate through log field vulnerabilities, then iterate through log field vulnerabilities.affected_packages, then vulnerabilities.affected_packages.version log field is mapped to the extensions.vulns.vulnerabilities.about.security_result.detection_fields[vulnerabilities_affected_packages_version] UDM field. |
| vulnerabilities.cwe.uid | extensions.vulns.vulnerabilities.about.security_result.detection_fields[vulnerabilities_cwe_uid] | Iterate through log field vulnerabilities, then vulnerabilities.cwe.uid log field is mapped to the extensions.vulns.vulnerabilities.about.security_result.detection_fields[vulnerabilities_cwe_uid] UDM field. |
| vulnerabilities.cwe.caption | extensions.vulns.vulnerabilities.about.security_result.detection_fields[vulnerabilities_cwe_caption] | Iterate through log field vulnerabilities, then vulnerabilities.cwe.caption log field is mapped to the extensions.vulns.vulnerabilities.about.security_result.detection_fields[vulnerabilities_cwe_caption] UDM field. |
| vulnerabilities.cwe.src_url | extensions.vulns.vulnerabilities.about.security_result.detection_fields[vulnerabilities_cwe_src_url] | Iterate through log field vulnerabilities, then vulnerabilities.cwe.src_url log field is mapped to the extensions.vulns.vulnerabilities.about.security_result.detection_fields[vulnerabilities_cwe_src_url] UDM field. |
| vulnerabilities.cve.cwe.uid | extensions.vulns.vulnerabilities.about.security_result.detection_fields[vulnerabilities_cve_cwe_uid] | Iterate through log field vulnerabilities, then vulnerabilities.cwe.uid log field is mapped to the extensions.vulns.vulnerabilities.about.security_result.detection_fields[vulnerabilities_cwe_uid] UDM field. |
| vulnerabilities.cve.cwe.caption | extensions.vulns.vulnerabilities.about.security_result.detection_fields[vulnerabilities_cve_cwe_caption] | Iterate through log field vulnerabilities, then vulnerabilities.cwe.caption log field is mapped to the extensions.vulns.vulnerabilities.about.security_result.detection_fields[vulnerabilities_cwe_caption] UDM field. |
| vulnerabilities.cve.cwe.src_url | extensions.vulns.vulnerabilities.about.security_result.detection_fields[vulnerabilities_cve_cwe_src_url] | Iterate through log field vulnerabilities, then vulnerabilities.cwe.src_url log field is mapped to the extensions.vulns.vulnerabilities.about.security_result.detection_fields[vulnerabilities_cwe_src_url] UDM field. |
| vulnerabilities.cve.epass.created_time | extensions.vulns.vulnerabilities.about.security_result.detection_fields[vulnerabilities_cve_epass_created_time] | Iterate through log field vulnerabilities, then vulnerabilities.cve.epass.created_time log field is mapped to the extensions.vulns.vulnerabilities.about.security_result.detection_fields[vulnerabilities_cve_epass_created_time] UDM field. |
| vulnerabilities.cve.epass.score | extensions.vulns.vulnerabilities.about.security_result.detection_fields[vulnerabilities_cve_epass_score] | Iterate through log field vulnerabilities, then vulnerabilities.cve.epass.score log field is mapped to the extensions.vulns.vulnerabilities.about.security_result.detection_fields[vulnerabilities_cve_epass_score] UDM field. |
| vulnerabilities.cve.epass.percentile | extensions.vulns.vulnerabilities.about.security_result.detection_fields[vulnerabilities_cve_epass_percentile] | Iterate through log field vulnerabilities, then vulnerabilities.cve.epass.percentile log field is mapped to the extensions.vulns.vulnerabilities.about.security_result.detection_fields[vulnerabilities_cve_epass_percentile] UDM field. |
| vulnerabilities.cve.epass.version | extensions.vulns.vulnerabilities.about.security_result.detection_fields[vulnerabilities_cve_epass_version] | Iterate through log field vulnerabilities, then vulnerabilities.cve.epass.version log field is mapped to the extensions.vulns.vulnerabilities.about.security_result.detection_fields[vulnerabilities_cve_epass_version] UDM field. |
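As an added illustration (not the Google SecOps parser's own code), the following Python models the vulnerabilities rows above over a constructed OCSF record: iteration over the vulnerabilities array, flattening of the nested kb_article_list, affected_packages and affected_code lists into detection_fields keys, the repeated additional.fields entries for cve.references, and the cve.created_time fallback for first_found. Key names and field lists are taken from the table; the sample record, the function names and the result layout are assumptions.

```python
from typing import Any

# Constructed sample OCSF fragment (not taken from the page).
SAMPLE_OCSF = {
    "vulnerabilities": [
        {
            "first_seen_time": 1700000000000,
            "last_seen_time": 1700086400000,
            "is_exploit_available": True,
            "is_fix_available": False,
            "cve": {
                "title": "Example CVE title",
                "desc": "Example description",
                "created_time": 1699900000000,
                "references": ["https://example.invalid/ref1", "https://example.invalid/ref2"],
                "cwe": {"uid": "CWE-79", "caption": "Cross-site Scripting"},
            },
            "kb_article_list": [
                {"uid": "KB0000001", "title": "Example KB", "severity": "Important",
                 "os": {"name": "Windows", "type": "Windows", "type_id": 100},
                 "product": {"name": "Example Product", "vendor_name": "Example Vendor"}}
            ],
            "affected_packages": [{"name": "examplepkg", "version": "1.2.3", "architecture": "x86_64"}],
            "affected_code": [{"start_line": 10, "end_line": 12,
                               "file": {"path": "/srv/app/handler.py", "name": "handler.py"}}],
        },
        # Second finding: no cve.created_time, so first_seen_time must become first_found.
        {"first_seen_time": 1700000000000, "cve": {"title": "Second finding"}},
    ]
}

# Scalar sub-paths that land in event-level additional.fields. A value of None
# means the key follows the generic "vulnerabilities_<path>" rule; the one
# explicit entry reproduces the table's pluralised key for remediation.reference.
ADDITIONAL = {"is_exploit_available": None, "is_fix_available": None, "cve.title": None,
              "cve.references": None, "remediation.reference": "vulnerabilities_remediation_references"}
# Sub-paths mapped straight onto a named extensions.vulns.vulnerabilities field.
DIRECT = {"last_seen_time": "last_found", "cve.desc": "cve_description"}
# Scalar sub-paths that land in about.security_result.detection_fields.
DETECTION = ["cwe.uid", "cwe.caption", "cwe.src_url", "cve.cwe.uid", "cve.cwe.caption",
             "cve.cwe.src_url", "cve.epass.created_time", "cve.epass.score",
             "cve.epass.percentile", "cve.epass.version"]
# List-valued sub-paths: each element is flattened into detection_fields.
KB_FIELDS = ["os.name", "os.type", "os.type_id", "product.name", "product.uid",
             "product.vendor_name", "title", "uid", "bulletin", "classification",
             "created_time", "severity", "size", "src_url", "is_superseded"]
PACKAGE_FIELDS = ["architecture", "epoch", "name", "release", "version"]
CODE_FIELDS = ["end_line", "start_line", "file.mime_type", "file.path", "file.modified_time",
               "file.created_time", "file.accessed_time", "file.name", "file.size"]


def get_path(obj: Any, dotted: str) -> Any:
    """Walk a dotted path through nested dicts; None when any step is missing."""
    cur = obj
    for part in dotted.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def label_key(path: str) -> str:
    """The table's key convention: 'vulnerabilities_' + path with dots replaced."""
    return "vulnerabilities_" + path.replace(".", "_")


def as_values(value: Any) -> list:
    """List-valued fields (e.g. cve.references) are iterated; scalars become one item."""
    if value is None or value == "":
        return []
    return list(value) if isinstance(value, list) else [value]


def map_vulnerabilities(log: dict) -> dict:
    """Return {'additional_fields': [(key, value)], 'vulnerabilities': [udm dict]}."""
    additional, udm_vulns = [], []
    for vuln in log.get("vulnerabilities") or []:
        det, file_det = [], []
        udm = {"about": {"security_result": {"detection_fields": det},
                         "file": {"security_result": {"detection_fields": file_det}}}}
        # first_found: cve.created_time wins when non-empty, otherwise first_seen_time.
        created = get_path(vuln, "cve.created_time")
        first = created if created not in (None, "") else vuln.get("first_seen_time")
        if first is not None:
            udm["first_found"] = first
        for path, field in DIRECT.items():
            value = get_path(vuln, path)
            if value not in (None, ""):
                udm[field] = value
        for path, key in ADDITIONAL.items():
            for value in as_values(get_path(vuln, path)):
                additional.append((key or label_key(path), str(value)))
        for path in DETECTION:
            for value in as_values(get_path(vuln, path)):
                det.append({"key": label_key(path), "value": str(value)})
        for list_name, subpaths, bucket in (("kb_article_list", KB_FIELDS, det),
                                            ("affected_packages", PACKAGE_FIELDS, det),
                                            ("affected_code", CODE_FIELDS, file_det)):
            for entry in vuln.get(list_name) or []:
                for sub in subpaths:
                    value = get_path(entry, sub)
                    if value not in (None, ""):
                        bucket.append({"key": label_key(f"{list_name}.{sub}"), "value": str(value)})
        udm_vulns.append(udm)
    return {"additional_fields": additional, "vulnerabilities": udm_vulns}
```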
Field mapping reference: OCSF FTP Activity
The following table lists the log fields for the FTP Activity log type and their corresponding UDM fields.
| Log field | UDM mapping | Logic | 
|---|---|---|
| cloud.region | about.location.name | |
| cloud.zone | about.resource.attribute.cloud.availability_zone | |
| cloud.provider | about.resource.attribute.cloud.environment | If the cloud.provider log field value matches the regular expression pattern AWS then, the about.resource.attribute.cloud.environment UDM field is set to AMAZON_WEB_SERVICES. Else, if cloud.provider log field value matches the regular expression pattern MS Azure then, the about.resource.attribute.cloud.environment UDM field is set to MICROSOFT_AZURE. Else, if cloud.provider log field value matches the regular expression pattern GCP then, the about.resource.attribute.cloud.environment UDM field is set to GOOGLE_CLOUD_PLATFORM. |
| cloud.org.name | about.resource.name | |
| cloud.org.uid | about.resource.product_object_id | |
| malware.cves.product.name | extensions.vulns.vulnerabilities.about.application | |
| malware.cves.product.uid | extensions.vulns.vulnerabilities.about.asset_id | |
| malware.cves.uid | extensions.vulns.vulnerabilities.cve_id | |
| malware.cves.cvss.base_score | extensions.vulns.vulnerabilities.cvss_base_score | |
| malware.cves.cvss.vector_string | extensions.vulns.vulnerabilities.cvss_vector | |
| malware.cves.cvss.version | extensions.vulns.vulnerabilities.cvss_version | |
| malware.cves.created_time | extensions.vulns.vulnerabilities.first_found | |
| malware.cves.type | extensions.vulns.vulnerabilities.name | |
| malware.cves.cvss.severity | extensions.vulns.vulnerabilities.severity | If the malware.cves.cvss.severity log field value matches the regular expression pattern Low then, the extensions.vulns.vulnerabilities.severity UDM field is set to LOW. Else, if malware.cves.cvss.severity log field value matches the regular expression pattern Medium then, the extensions.vulns.vulnerabilities.severity UDM field is set to MEDIUM. Else, if malware.cves.cvss.severity log field value matches the regular expression pattern High then, the extensions.vulns.vulnerabilities.severity UDM field is set to HIGH. Else, if malware.cves.cvss.severity log field value matches the regular expression pattern Critical then, the extensions.vulns.vulnerabilities.severity UDM field is set to CRITICAL. Else, the extensions.vulns.vulnerabilities.severity UDM field is set to UNKNOWN_SEVERITY. |
| malware.cves.product.vendor_name | extensions.vulns.vulnerabilities.vendor | |
| proxy.svc_name | intermediary.application | |
| proxy.uid | intermediary.asset_id | |
| proxy.domain | intermediary.domain.name | |
| proxy.hostname | intermediary.hostname | |
| dst_endpoint.intermediate_ips | intermediary.ip | |
| proxy.intermediate_ips | intermediary.ip | |
| proxy.ip | intermediary.ip | |
| src_endpoint.intermediate_ips | intermediary.ip | |
| proxy.location.city | intermediary.location.city | |
| proxy.location.country | intermediary.location.country_or_region | |
| proxy.location.region | intermediary.location.name | |
| proxy.location.coordinates.1 | intermediary.location.region_coordinates.latitude | |
| proxy.location.coordinates.0 | intermediary.location.region_coordinates.longitude | |
| proxy.mac | intermediary.mac | |
| proxy.port | intermediary.port | |
| metadata.logged_time | metadata.collected_timestamp | |
| api.response.message | metadata.description | If the message log field value is empty, then the api.response.message log field is mapped to the metadata.description UDM field. |
| message | metadata.description | |
| time | metadata.event_timestamp | |
| class_name | metadata.log_type | |
| metadata.product.name | metadata.product_name | |
| metadata.product.version | metadata.product_version | |
| metadata.product.vendor_name | metadata.vendor_name | |
| metadata.uid | metadata.product_log_id | |
| activity_name | metadata.product_event_type | The %{activity_id} - %{activity_name} log field is mapped to the metadata.product_event_type UDM field. |
| connection_info.protocol_ver_id | network.application_protocol_version | If the connection_info.protocol_ver_id log field value is equal to 4, then the network.application_protocol_version UDM field is set to Internet Protocol version 4 (IPv4). Else, if the connection_info.protocol_ver_id log field value is equal to 6, then the network.application_protocol_version UDM field is set to Internet Protocol version 6 (IPv6). |
| connection_info.direction_id | network.direction | If the connection_info.direction_id log field value is equal to 1, then the network.direction UDM field is set to INBOUND. Else, if the connection_info.direction_id log field value is equal to 2, then the network.direction UDM field is set to OUTBOUND. Else, the network.direction UDM field is set to UNKNOWN_DIRECTION. |
| command | network.ftp.command | |
| api.response.code | network.http.response_code | |
| connection_info.protocol_num | network.ip_protocol | If the connection_info.protocol_num log field value is equal to 1, then the network.ip_protocol UDM field is set to ICMP. Else, if the connection_info.protocol_num log field value is equal to 2, then the network.ip_protocol UDM field is set to IGMP. Else, if the connection_info.protocol_num log field value is equal to 6, then the network.ip_protocol UDM field is set to TCP. Else, if the connection_info.protocol_num log field value is equal to 17, then the network.ip_protocol UDM field is set to UDP. Else, if the connection_info.protocol_num log field value is equal to 41, then the network.ip_protocol UDM field is set to IP6IN4. Else, if the connection_info.protocol_num log field value is equal to 47, then the network.ip_protocol UDM field is set to GRE. Else, if the connection_info.protocol_num log field value is equal to 50, then the network.ip_protocol UDM field is set to ESP. Else, if the connection_info.protocol_num log field value is equal to 58, then the network.ip_protocol UDM field is set to ICMP6. Else, if the connection_info.protocol_num log field value is equal to 88, then the network.ip_protocol UDM field is set to EIGRP. Else, if the connection_info.protocol_num log field value is equal to 97, then the network.ip_protocol UDM field is set to ETHERIP. Else, if the connection_info.protocol_num log field value is equal to 103, then the network.ip_protocol UDM field is set to PIM. Else, if the connection_info.protocol_num log field value is equal to 112, then the network.ip_protocol UDM field is set to VRRP. Else, if the connection_info.protocol_num log field value is equal to 132, then the network.ip_protocol UDM field is set to SCTP. Else, the network.ip_protocol UDM field is set to UNKNOWN_IP_PROTOCOL. |
| traffic.bytes_out | network.sent_bytes | |
| traffic.packets_out | network.sent_packets | |
| traffic.bytes_in | network.received_bytes | |
| traffic.packets_in | network.received_packets | |
| actor.session.uid | network.session_id | |
| tls.cipher | network.tls.cipher | |
| tls.certificate.issuer | network.tls.client.certificate.issuer | |
| tls.certificate.expiration_time | network.tls.client.certificate.not_after | |
| tls.certificate.created_time | network.tls.client.certificate.not_before | |
| tls.certificate.serial_number | network.tls.client.certificate.serial | |
| tls.certificate.subject | network.tls.client.certificate.subject | |
| tls.certificate.version | network.tls.client.certificate.version | |
| tls.ja3_hash.value | network.tls.client.ja3 | |
| tls.ja3s_hash.value | network.tls.client.ja3s | |
| tls.sni | network.tls.client.server_name | |
| tls.client_ciphers | network.tls.client.supported_ciphers | |
| tls.version | network.tls.version_protocol | |
| observables.value | observer.file.names | Iterate through the observables.value log field. If the index value is equal to 0 and the observables.type_id log field value is equal to 1, then the observables.value log field is mapped to the observer.hostname UDM field. Else, if the observables.type_id log field value is equal to 2, then the observables.value log field is mapped to the observer.ip UDM field. Else, if the observables.type_id log field value is equal to 3, then the observables.value log field is mapped to the observer.mac UDM field. Else, if the observables.type_id log field value is equal to 4, then the observables.value log field is mapped to the observer.user.userid UDM field. Else, if the observables.type_id log field value is equal to 5, then the observables.value log field is mapped to the observer.user.email_addresses UDM field. Else, if the observables.type_id log field value is equal to 6, then the observables.value log field is mapped to the observer.url UDM field. Else, if the observables.type_id log field value is equal to 7, then the observables.value log field is mapped to the observer.file.names UDM field. Else, if the observables.type_id log field value is equal to 8, then the observables.value log field is mapped to the observer.file.vhash UDM field. Else, if the observables.type_id log field value is equal to 9, then the observables.value log field is mapped to the observer.process.file.names UDM field. Else, if the observables.type_id log field value is equal to 10, then the observables.value log field is mapped to the observer.resource.product_object_id UDM field. |
| observables.value | observer.file.vhash | Iterate through the observables.value log field. If the index value is equal to 0 and the observables.type_id log field value is equal to 1, then the observables.value log field is mapped to the observer.hostname UDM field. Else, if the observables.type_id log field value is equal to 2, then the observables.value log field is mapped to the observer.ip UDM field. Else, if the observables.type_id log field value is equal to 3, then the observables.value log field is mapped to the observer.mac UDM field. Else, if the observables.type_id log field value is equal to 4, then the observables.value log field is mapped to the observer.user.userid UDM field. Else, if the observables.type_id log field value is equal to 5, then the observables.value log field is mapped to the observer.user.email_addresses UDM field. Else, if the observables.type_id log field value is equal to 6, then the observables.value log field is mapped to the observer.url UDM field. Else, if the observables.type_id log field value is equal to 7, then the observables.value log field is mapped to the observer.file.names UDM field. Else, if the observables.type_id log field value is equal to 8, then the observables.value log field is mapped to the observer.file.vhash UDM field. Else, if the observables.type_id log field value is equal to 9, then the observables.value log field is mapped to the observer.process.file.names UDM field. Else, if the observables.type_id log field value is equal to 10, then the observables.value log field is mapped to the observer.resource.product_object_id UDM field. |
| observables.value | observer.hostname | Iterate through the observables.value log field. If the index value is equal to 0 and the observables.type_id log field value is equal to 1, then the observables.value log field is mapped to the observer.hostname UDM field. Else, if the observables.type_id log field value is equal to 2, then the observables.value log field is mapped to the observer.ip UDM field. Else, if the observables.type_id log field value is equal to 3, then the observables.value log field is mapped to the observer.mac UDM field. Else, if the observables.type_id log field value is equal to 4, then the observables.value log field is mapped to the observer.user.userid UDM field. Else, if the observables.type_id log field value is equal to 5, then the observables.value log field is mapped to the observer.user.email_addresses UDM field. Else, if the observables.type_id log field value is equal to 6, then the observables.value log field is mapped to the observer.url UDM field. Else, if the observables.type_id log field value is equal to 7, then the observables.value log field is mapped to the observer.file.names UDM field. Else, if the observables.type_id log field value is equal to 8, then the observables.value log field is mapped to the observer.file.vhash UDM field. Else, if the observables.type_id log field value is equal to 9, then the observables.value log field is mapped to the observer.process.file.names UDM field. Else, if the observables.type_id log field value is equal to 10, then the observables.value log field is mapped to the observer.resource.product_object_id UDM field. |
| observables.value | observer.ip | Iterate through the observables.value log field. If the index value is equal to 0 and the observables.type_id log field value is equal to 1, then the observables.value log field is mapped to the observer.hostname UDM field. Else, if the observables.type_id log field value is equal to 2, then the observables.value log field is mapped to the observer.ip UDM field. Else, if the observables.type_id log field value is equal to 3, then the observables.value log field is mapped to the observer.mac UDM field. Else, if the observables.type_id log field value is equal to 4, then the observables.value log field is mapped to the observer.user.userid UDM field. Else, if the observables.type_id log field value is equal to 5, then the observables.value log field is mapped to the observer.user.email_addresses UDM field. Else, if the observables.type_id log field value is equal to 6, then the observables.value log field is mapped to the observer.url UDM field. Else, if the observables.type_id log field value is equal to 7, then the observables.value log field is mapped to the observer.file.names UDM field. Else, if the observables.type_id log field value is equal to 8, then the observables.value log field is mapped to the observer.file.vhash UDM field. Else, if the observables.type_id log field value is equal to 9, then the observables.value log field is mapped to the observer.process.file.names UDM field. Else, if the observables.type_id log field value is equal to 10, then the observables.value log field is mapped to the observer.resource.product_object_id UDM field. |
| observables.value | observer.mac | Iterate through the observables.value log field. If the index value is equal to 0 and the observables.type_id log field value is equal to 1, then the observables.value log field is mapped to the observer.hostname UDM field. Else, if the observables.type_id log field value is equal to 2, then the observables.value log field is mapped to the observer.ip UDM field. Else, if the observables.type_id log field value is equal to 3, then the observables.value log field is mapped to the observer.mac UDM field. Else, if the observables.type_id log field value is equal to 4, then the observables.value log field is mapped to the observer.user.userid UDM field. Else, if the observables.type_id log field value is equal to 5, then the observables.value log field is mapped to the observer.user.email_addresses UDM field. Else, if the observables.type_id log field value is equal to 6, then the observables.value log field is mapped to the observer.url UDM field. Else, if the observables.type_id log field value is equal to 7, then the observables.value log field is mapped to the observer.file.names UDM field. Else, if the observables.type_id log field value is equal to 8, then the observables.value log field is mapped to the observer.file.vhash UDM field. Else, if the observables.type_id log field value is equal to 9, then the observables.value log field is mapped to the observer.process.file.names UDM field. Else, if the observables.type_id log field value is equal to 10, then the observables.value log field is mapped to the observer.resource.product_object_id UDM field. |
| observables.value | observer.process.file.names | Iterate through the observables.value log field. If the index value is equal to 0 and the observables.type_id log field value is equal to 1, then the observables.value log field is mapped to the observer.hostname UDM field. Else, if the observables.type_id log field value is equal to 2, then the observables.value log field is mapped to the observer.ip UDM field. Else, if the observables.type_id log field value is equal to 3, then the observables.value log field is mapped to the observer.mac UDM field. Else, if the observables.type_id log field value is equal to 4, then the observables.value log field is mapped to the observer.user.userid UDM field. Else, if the observables.type_id log field value is equal to 5, then the observables.value log field is mapped to the observer.user.email_addresses UDM field. Else, if the observables.type_id log field value is equal to 6, then the observables.value log field is mapped to the observer.url UDM field. Else, if the observables.type_id log field value is equal to 7, then the observables.value log field is mapped to the observer.file.names UDM field. Else, if the observables.type_id log field value is equal to 8, then the observables.value log field is mapped to the observer.file.vhash UDM field. Else, if the observables.type_id log field value is equal to 9, then the observables.value log field is mapped to the observer.process.file.names UDM field. Else, if the observables.type_id log field value is equal to 10, then the observables.value log field is mapped to the observer.resource.product_object_id UDM field. |
| observables.value | observer.resource.product_object_id | Iterate through the observables.value log field. If the index value is equal to 0 and the observables.type_id log field value is equal to 1, then the observables.value log field is mapped to the observer.hostname UDM field. Else, if the observables.type_id log field value is equal to 2, then the observables.value log field is mapped to the observer.ip UDM field. Else, if the observables.type_id log field value is equal to 3, then the observables.value log field is mapped to the observer.mac UDM field. Else, if the observables.type_id log field value is equal to 4, then the observables.value log field is mapped to the observer.user.userid UDM field. Else, if the observables.type_id log field value is equal to 5, then the observables.value log field is mapped to the observer.user.email_addresses UDM field. Else, if the observables.type_id log field value is equal to 6, then the observables.value log field is mapped to the observer.url UDM field. Else, if the observables.type_id log field value is equal to 7, then the observables.value log field is mapped to the observer.file.names UDM field. Else, if the observables.type_id log field value is equal to 8, then the observables.value log field is mapped to the observer.file.vhash UDM field. Else, if the observables.type_id log field value is equal to 9, then the observables.value log field is mapped to the observer.process.file.names UDM field. Else, if the observables.type_id log field value is equal to 10, then the observables.value log field is mapped to the observer.resource.product_object_id UDM field. |
| observables.value | observer.url | Iterate through the observables.value log field. If the index value is equal to 0 and the observables.type_id log field value is equal to 1, then the observables.value log field is mapped to the observer.hostname UDM field. Else, if the observables.type_id log field value is equal to 2, then the observables.value log field is mapped to the observer.ip UDM field. Else, if the observables.type_id log field value is equal to 3, then the observables.value log field is mapped to the observer.mac UDM field. Else, if the observables.type_id log field value is equal to 4, then the observables.value log field is mapped to the observer.user.userid UDM field. Else, if the observables.type_id log field value is equal to 5, then the observables.value log field is mapped to the observer.user.email_addresses UDM field. Else, if the observables.type_id log field value is equal to 6, then the observables.value log field is mapped to the observer.url UDM field. Else, if the observables.type_id log field value is equal to 7, then the observables.value log field is mapped to the observer.file.names UDM field. Else, if the observables.type_id log field value is equal to 8, then the observables.value log field is mapped to the observer.file.vhash UDM field. Else, if the observables.type_id log field value is equal to 9, then the observables.value log field is mapped to the observer.process.file.names UDM field. Else, if the observables.type_id log field value is equal to 10, then the observables.value log field is mapped to the observer.resource.product_object_id UDM field. |
| observables.value | observer.user.email_addresses | Iterate through the observables.value log field. If the index value is equal to 0 and the observables.type_id log field value is equal to 1, then the observables.value log field is mapped to the observer.hostname UDM field. Else, if the observables.type_id log field value is equal to 2, then the observables.value log field is mapped to the observer.ip UDM field. Else, if the observables.type_id log field value is equal to 3, then the observables.value log field is mapped to the observer.mac UDM field. Else, if the observables.type_id log field value is equal to 4, then the observables.value log field is mapped to the observer.user.userid UDM field. Else, if the observables.type_id log field value is equal to 5, then the observables.value log field is mapped to the observer.user.email_addresses UDM field. Else, if the observables.type_id log field value is equal to 6, then the observables.value log field is mapped to the observer.url UDM field. Else, if the observables.type_id log field value is equal to 7, then the observables.value log field is mapped to the observer.file.names UDM field. Else, if the observables.type_id log field value is equal to 8, then the observables.value log field is mapped to the observer.file.vhash UDM field. Else, if the observables.type_id log field value is equal to 9, then the observables.value log field is mapped to the observer.process.file.names UDM field. Else, if the observables.type_id log field value is equal to 10, then the observables.value log field is mapped to the observer.resource.product_object_id UDM field. |
| observables.value | observer.user.userid | Iterate through the observables.value log field. If the index value is equal to 0 and the observables.type_id log field value is equal to 1, then the observables.value log field is mapped to the observer.hostname UDM field. Else, if the observables.type_id log field value is equal to 2, then the observables.value log field is mapped to the observer.ip UDM field. Else, if the observables.type_id log field value is equal to 3, then the observables.value log field is mapped to the observer.mac UDM field. Else, if the observables.type_id log field value is equal to 4, then the observables.value log field is mapped to the observer.user.userid UDM field. Else, if the observables.type_id log field value is equal to 5, then the observables.value log field is mapped to the observer.user.email_addresses UDM field. Else, if the observables.type_id log field value is equal to 6, then the observables.value log field is mapped to the observer.url UDM field. Else, if the observables.type_id log field value is equal to 7, then the observables.value log field is mapped to the observer.file.names UDM field. Else, if the observables.type_id log field value is equal to 8, then the observables.value log field is mapped to the observer.file.vhash UDM field. Else, if the observables.type_id log field value is equal to 9, then the observables.value log field is mapped to the observer.process.file.names UDM field. Else, if the observables.type_id log field value is equal to 10, then the observables.value log field is mapped to the observer.resource.product_object_id UDM field. |
| actor.process.user.domain | principal.administrative_domain | If the actor.user.domain log field value is empty, then the actor.process.user.domain log field is mapped to the principal.administrative_domain UDM field. |
| actor.user.domain | principal.administrative_domain | |
| src_endpoint.svc_name | principal.application | |
| src_endpoint.uid | principal.asset_id | |
| device.created_time | principal.asset.attribute.creation_time | |
| device.modified_time | principal.asset.attribute.last_update_time | |
| device.first_seen_time | principal.asset.first_seen_time | |
| device.hw_info.cpu_speed | principal.asset.hardware.cpu_clock_speed | |
| device.hw_info.cpu_type | principal.asset.hardware.cpu_model | |
| device.hw_info.cpu_cores | principal.asset.hardware.cpu_number_cores | |
| device.hw_info.bios_manufacturer | principal.asset.hardware.manufacturer | |
| device.hw_info.ram_size | principal.asset.hardware.ram | |
| device.hw_info.serial_number | principal.asset.hardware.serial_number | |
| device.hostname | principal.asset.hostname | |
| device.ip | principal.asset.ip | |
| device.location.city | principal.asset.location.city | |
| device.location.country | principal.asset.location.country_or_region | |
| device.region | principal.asset.location.name | |
| device.location.coordinates.1 | principal.asset.location.region_coordinates.latitude | |
| device.location.coordinates.0 | principal.asset.location.region_coordinates.longitude | |
| device.location.region | principal.asset.location.name | If the device.region log field value is empty, then the device.location.region log field is mapped to the principal.asset.location.name UDM field. |
| device.mac | principal.asset.mac | |
| device.domain | principal.asset.network_domain | |
| device.os.type_id | principal.asset.platform_software.platform | If the device.os.type_id log field value is equal to 100 or the device.os.type_id log field value is equal to 101, then the principal.asset.platform_software.platform UDM field is set to WINDOWS. Else, if the device.os.type_id log field value is equal to 200, then the principal.asset.platform_software.platform UDM field is set to LINUX. Else, if the device.os.type_id log field value is equal to 201, then the principal.asset.platform_software.platform UDM field is set to ANDROID. Else, if the device.os.type_id log field value is equal to 300, then the principal.asset.platform_software.platform UDM field is set to MAC. Else, if the device.os.type_id log field value is equal to 301, then the principal.asset.platform_software.platform UDM field is set to IOS. Else, the principal.asset.platform_software.platform UDM field is set to UNKNOWN_PLATFORM. |
| device.os.version | principal.asset.platform_software.platform_version | |
| device.uid | principal.asset.product_object_id | |
| device.type_id | principal.asset.type | If the device.type_id log field value is equal to 1, then the principal.asset.type UDM field is set to SERVER. Else, if the device.type_id log field value is equal to 2, then the principal.asset.type UDM field is set to WORKSTATION. Else, if the device.type_id log field value is equal to 3, then the principal.asset.type UDM field is set to LAPTOP. Else, if the device.type_id log field value is equal to 4 or the device.type_id log field value is equal to 5, then the principal.asset.type UDM field is set to MOBILE. Else, if the device.type_id log field value is equal to 7, then the principal.asset.type UDM field is set to IOT. Else, the principal.asset.type UDM field is set to ROLE_UNSPECIFIED. |
| src_endpoint.domain | principal.domain.name | |
| actor.process.user.groups.privileges | principal.group.attribute.permissions.name | If the actor.user.groups.privileges log field value is empty, then the actor.process.user.groups.privileges log field is mapped to the principal.group.attribute.permissions.name UDM field. |
| actor.user.groups.privileges | principal.group.attribute.permissions.name | |
| actor.process.user.groups.name | principal.group.group_display_name | If the actor.user.groups.name log field value is empty, then the actor.process.user.groups.name log field is mapped to the principal.group.group_display_name UDM field. |
| actor.user.groups.name | principal.group.group_display_name | |
| src_endpoint.hostname | principal.hostname | |
| src_endpoint.ip | principal.ip | |
| src_endpoint.location.city | principal.location.city | |
| src_endpoint.location.country | principal.location.country_or_region | |
| src_endpoint.location.region | principal.location.name | |
| src_endpoint.location.coordinates.1 | principal.location.region_coordinates.latitude | |
| src_endpoint.location.coordinates.0 | principal.location.region_coordinates.longitude | |
| src_endpoint.mac | principal.mac | |
| src_endpoint.port | principal.port | |
| actor.process.cmd_line | principal.process.command_line | |
| actor.process.file.created_time | principal.process.file.first_seen_time | |
| actor.process.file.path | principal.process.file.full_path | |
| actor.process.file.modified_time | principal.process.file.last_modification_time | |
| actor.process.file.accessed_time | principal.process.file.last_seen_time | |
| actor.process.file.mime_type | principal.process.file.mime_type | |
| actor.process.file.name | principal.process.file.names | |
| actor.process.file.size | principal.process.file.size | |
| actor.process.parent_process.cmd_line | principal.process.parent_process.command_line | |
| actor.process.parent_process.file.created_time | principal.process.parent_process.file.first_seen_time | |
| actor.process.parent_process.file.path | principal.process.parent_process.file.full_path | |
| actor.process.parent_process.file.modified_time | principal.process.parent_process.file.last_modification_time | |
| actor.process.parent_process.file.accessed_time | principal.process.parent_process.file.last_seen_time | |
| actor.process.parent_process.file.mime_type | principal.process.parent_process.file.mime_type | |
| actor.process.parent_process.file.name | principal.process.parent_process.file.names | |
| actor.process.parent_process.file.size | principal.process.parent_process.file.size | |
| actor.process.parent_process.pid | principal.process.parent_process.pid | |
| actor.process.parent_process.uid | principal.process.parent_process.product_specific_process_id | |
| actor.process.pid | principal.process.pid | |
| actor.process.uid | principal.process.product_specific_process_id | |
| cloud.project_uid | principal.resource.product_object_id | |
| actor.process.user.type_id | principal.user.attribute.roles.name | If the actor.user.type_id log field value is empty and the type_id log field value is equal to 0, then the principal.user.attribute.roles.name UDM field is set to Unknown. Else, if the type_id log field value is equal to 1, then the principal.user.attribute.roles.name UDM field is set to User. Else, if the type_id log field value is equal to 2, then the principal.user.attribute.roles.name UDM field is set to Admin. Else, if the type_id log field value is equal to 3, then the principal.user.attribute.roles.name UDM field is set to System. Else, the principal.user.attribute.roles.name UDM field is set to Other. |
| actor.user.type_id | principal.user.attribute.roles.name | If the type_id log field value is equal to 0, then the principal.user.attribute.roles.name UDM field is set to Unknown. Else, if the type_id log field value is equal to 1, then the principal.user.attribute.roles.name UDM field is set to User. Else, if the type_id log field value is equal to 2, then the principal.user.attribute.roles.name UDM field is set to Admin. Else, if the type_id log field value is equal to 3, then the principal.user.attribute.roles.name UDM field is set to System. Else, the principal.user.attribute.roles.name UDM field is set to Other. |
| actor.process.user.org.name | principal.user.company_name | If the actor.user.org.name log field value is empty, then the %{actor.process.user.org.name} log field is mapped to the principal.user.company_name UDM field. |
| actor.user.org.name | principal.user.company_name | |
| actor.process.user.org.ou_name | principal.user.department | If the actor.user.org.ou_name log field value is empty, then the %{actor.process.user.org.ou_name} log field is mapped to the principal.user.department UDM field. |
| actor.user.org.ou_name | principal.user.department | |
| actor.process.user.email_addr | principal.user.email_addresses | If the actor.user.email_addr log field value is empty, then the %{actor.process.user.email_addr} log field is mapped to the principal.user.email_addresses UDM field. |
| actor.user.email_addr | principal.user.email_addresses | |
| actor.process.user.groups.uid | principal.user.group_identifiers | If the actor.user.groups.uid log field value is empty, then the %{actor.process.user.groups.uid} log field is mapped to the principal.user.group_identifiers UDM field. |
| actor.user.groups.uid | principal.user.group_identifiers | |
| actor.process.user.full_name | principal.user.user_display_name | If the actor.user.full_name log field value is empty, then the %{actor.process.user.full_name} log field is mapped to the principal.user.user_display_name UDM field. |
| actor.user.full_name | principal.user.user_display_name | |
| actor.process.user.name | principal.user.userid | If the actor.user.name log field value is empty, then the %{actor.process.user.name} log field is mapped to the principal.user.userid UDM field. |
| actor.user.name | principal.user.userid | |
| actor.process.user.uid | principal.user.product_object_id | If the actor.user.uid log field value is empty, then the %{actor.process.user.uid} log field is mapped to the principal.user.product_object_id UDM field. |
| actor.user.uid | principal.user.product_object_id | |
| disposition_id | security_result.action | If the disposition_id log field value is equal to 1, then the security_result.action UDM field is set to ALLOW. Else, if the disposition_id log field value is equal to 2, then the security_result.action UDM field is set to BLOCK. Else, if the disposition_id log field value is equal to 4, then the security_result.action UDM field is set to QUARANTINE. Else, the security_result.action UDM field is set to UNKNOWN_ACTION. |
| disposition | security_result.action_details | |
| attacks.tactics.uid | security_result.attack_details.tactics.id | |
| attacks.tactics.name | security_result.attack_details.tactics.name | |
| attacks.technique.uid | security_result.attack_details.technique.id | |
| attacks.technique.name | security_result.attack_details.technique.name | |
| attacks.version | security_result.attack_details.version | |
| category_name | security_result.category_details | The %{category_uid} - %{category_name} log field is mapped to the security_result.category_details UDM field. |
| category_uid | security_result.category_details | The %{category_uid} - %{category_name} log field is mapped to the security_result.category_details UDM field. |
| severity_id | security_result.severity | If the severity_id log field value is equal to 1, then the security_result.severity UDM field is set to INFORMATIONAL. Else, if the severity_id log field value is equal to 2, then the security_result.severity UDM field is set to LOW. Else, if the severity_id log field value is equal to 3, then the security_result.severity UDM field is set to MEDIUM. Else, if the severity_id log field value is equal to 4, then the security_result.severity UDM field is set to HIGH. Else, if the severity_id log field value is equal to 5, then the security_result.severity UDM field is set to CRITICAL. Else, the security_result.severity UDM field is set to UNKNOWN_SEVERITY. |
| severity | security_result.severity_details | |
| malware.uid | security_result.threat_id | |
| malware.name | security_result.threat_name | |
| api.service.name | target.application | If the dst_endpoint.svc_name log field value is empty, then the %{api.service.name} log field is mapped to the target.application UDM field. |
| dst_endpoint.svc_name | target.application | |
| dst_endpoint.uid | target.asset_id | |
| dst_endpoint.domain | target.domain.name | |
| dst_endpoint.hostname | target.hostname | |
| dst_endpoint.ip | target.ip | |
| dst_endpoint.location.city | target.location.city | |
| dst_endpoint.location.country | target.location.country_or_region | |
| dst_endpoint.location.region | target.location.name | |
| dst_endpoint.location.coordinates.1 | target.location.region_coordinates.latitude | |
| dst_endpoint.location.coordinates.0 | target.location.region_coordinates.longitude | |
| dst_endpoint.mac | target.mac | |
| dst_endpoint.port | target.port | |
| type_uid | security_result.detection_fields[type_uid] | |
| connection_info.session.uid_alt | additional.fields[connection_info_session_uid_alt] | |
| connection_info.session.count | additional.fields[connection_info_session_count] | |
| connection_info.session.expiration_reason | additional.fields[connection_info_session_expiration_reason] | |
| connection_info.session.is_mfa | additional.fields[connection_info_session_is_mfa] | |
| connection_info.session.terminal | additional.fields[connection_info_session_terminal] | |
| connection_info.session.is_vpn | additional.fields[connection_info_session_is_vpn] | |
| dst_endpoint.hw_info.bios_date | target.asset.attribute.labels[dst_endpoint_hw_info_bios_date] | |
| dst_endpoint.hw_info.bios_manufacturer | target.asset.hardware.manufacturer | |
| dst_endpoint.hw_info.bios_ver | target.asset.hardware.model | |
| dst_endpoint.hw_info.cpu_bits | target.asset.attribute.labels[dst_endpoint_hw_info_cpu_bits] | |
| dst_endpoint.hw_info.cpu_cores | target.asset.hardware.cpu_number_cores | |
| dst_endpoint.hw_info.cpu_count | target.asset.attribute.labels[dst_endpoint_hw_info_cpu_count] | |
| dst_endpoint.hw_info.chassis | target.asset.attribute.labels[dst_endpoint_hw_info_chassis] | |
| dst_endpoint.hw_info.desktop_display.color_depth | target.asset.attribute.labels[dst_endpoint_hw_info_desktop_display_color_depth] | |
| dst_endpoint.hw_info.desktop_display.physical_height | target.asset.attribute.labels[dst_endpoint_hw_info_desktop_display_physical_height] | |
| dst_endpoint.hw_info.desktop_display.physical_orientation | target.asset.attribute.labels[dst_endpoint_hw_info_desktop_display_physical_orientation] | |
| dst_endpoint.hw_info.desktop_display.physical_width | target.asset.attribute.labels[dst_endpoint_hw_info_desktop_display_physical_width] | |
| dst_endpoint.hw_info.desktop_display.scale_factor | target.asset.attribute.labels[dst_endpoint_hw_info_desktop_display_scale_factor] | |
| dst_endpoint.hw_info.keyboard_info.function_keys | target.asset.attribute.labels[dst_endpoint_hw_info_keyboard_info_function_keys] | |
| dst_endpoint.hw_info.keyboard_info.ime | target.asset.attribute.labels[dst_endpoint_hw_info_keyboard_info_ime] | |
| dst_endpoint.hw_info.keyboard_info.keyboard_layout | target.asset.attribute.labels[dst_endpoint_hw_info_keyboard_info_keyboard_layout] | |
| dst_endpoint.hw_info.keyboard_info.keyboard_subtype | target.asset.attribute.labels[dst_endpoint_hw_info_keyboard_info_keyboard_subtype] | |
| dst_endpoint.hw_info.keyboard_info.keyboard_type | target.asset.attribute.labels[dst_endpoint_hw_info_keyboard_info_keyboard_type] | |
| dst_endpoint.hw_info.cpu_speed | target.asset.hardware.cpu_max_clock_speed | |
| dst_endpoint.hw_info.cpu_type | target.asset.hardware.cpu_platform | |
| dst_endpoint.hw_info.ram_size | target.asset.hardware.ram | |
| dst_endpoint.hw_info.serial_number | target.asset.hardware.serial_number | |
| dst_endpoint.zone | target.asset.attribute.labels[dst_endpoint_zone] | |
| dst_endpoint.type | additional.fields[dst_endpoint_type] | |
| dst_endpoint.type_id | additional.fields[dst_endpoint_type_id] | |
| dst_endpoint.os.cpe_name | target.asset.attribute.labels[dst_endpoint_os_cpe_name] | |
| dst_endpoint.proxy_endpoint.svc_name | intermediary.application | |
| dst_endpoint.proxy_endpoint.intermediate_ips.array | intermediary.ip | |
| dst_endpoint.proxy_endpoint.domain | intermediary.domain.name | |
| dst_endpoint.proxy_endpoint.hostname | intermediary.hostname | |
| dst_endpoint.proxy_endpoint.ip | intermediary.ip | |
| dst_endpoint.proxy_endpoint.location.city | intermediary.location.city | |
| dst_endpoint.proxy_endpoint.location.country | intermediary.location.country_or_region | |
| dst_endpoint.proxy_endpoint.location.region | intermediary.location.name | |
| dst_endpoint.proxy_endpoint.location.coordinates | intermediary.location.region_coordinates | |
| dst_endpoint.proxy_endpoint.mac | intermediary.mac | |
| dst_endpoint.proxy_endpoint.port | intermediary.port | |
| dst_endpoint.proxy_endpoint.uid | intermediary.asset_id | |
| dst_endpoint.proxy_endpoint.hw_info.bios_date | intermediary.asset.attribute.labels[dst_endpoint_proxy_endpoint_hw_info_bios_date] | |
| dst_endpoint.proxy_endpoint.hw_info.bios_manufacturer | intermediary.asset.hardware.manufacturer | |
| dst_endpoint.proxy_endpoint.hw_info.bios_ver | intermediary.asset.hardware.model | |
| dst_endpoint.proxy_endpoint.hw_info.cpu_bits | intermediary.asset.attribute.labels[dst_endpoint_proxy_endpoint_hw_info_cpu_bits] | |
| dst_endpoint.proxy_endpoint.hw_info.cpu_cores | intermediary.asset.hardware.cpu_number_cores | |
| dst_endpoint.proxy_endpoint.hw_info.cpu_count | intermediary.asset.attribute.labels[dst_endpoint_proxy_endpoint_hw_info_cpu_count] | |
| dst_endpoint.proxy_endpoint.hw_info.chassis | intermediary.asset.attribute.labels[dst_endpoint_proxy_endpoint_hw_info_chassis] | |
| dst_endpoint.proxy_endpoint.hw_info.desktop_display.color_depth | intermediary.asset.attribute.labels[dst_endpoint_proxy_endpoint_hw_info_desktop_display_color_depth] | |
| dst_endpoint.proxy_endpoint.hw_info.desktop_display.physical_height | intermediary.asset.attribute.labels[dst_endpoint_proxy_endpoint_hw_info_desktop_display_physical_height] | |
| dst_endpoint.proxy_endpoint.hw_info.desktop_display.physical_orientation | intermediary.asset.attribute.labels[dst_endpoint_proxy_endpoint_hw_info_desktop_display_physical_orientation] | |
| dst_endpoint.proxy_endpoint.hw_info.desktop_display.physical_width | intermediary.asset.attribute.labels[dst_endpoint_proxy_endpoint_hw_info_desktop_display_physical_width] | |
| dst_endpoint.proxy_endpoint.hw_info.desktop_display.scale_factor | intermediary.asset.attribute.labels[dst_endpoint_proxy_endpoint_hw_info_desktop_display_scale_factor] | |
| dst_endpoint.proxy_endpoint.hw_info.keyboard_info.function_keys | intermediary.asset.attribute.labels[dst_endpoint_proxy_endpoint_hw_info_keyboard_info_function_keys] | |
| dst_endpoint.proxy_endpoint.hw_info.keyboard_info.ime | intermediary.asset.attribute.labels[dst_endpoint_proxy_endpoint_hw_info_keyboard_info_ime] | |
| dst_endpoint.proxy_endpoint.hw_info.keyboard_info.keyboard_layout | intermediary.asset.attribute.labels[dst_endpoint_proxy_endpoint_hw_info_keyboard_info_keyboard_layout] | |
| dst_endpoint.proxy_endpoint.hw_info.keyboard_info.keyboard_subtype | intermediary.asset.attribute.labels[dst_endpoint_proxy_endpoint_hw_info_keyboard_info_keyboard_subtype] | |
| dst_endpoint.proxy_endpoint.hw_info.keyboard_info.keyboard_type | intermediary.asset.attribute.labels[dst_endpoint_proxy_endpoint_hw_info_keyboard_info_keyboard_type] | |
| dst_endpoint.proxy_endpoint.hw_info.cpu_speed | intermediary.asset.hardware.cpu_max_clock_speed | |
| dst_endpoint.proxy_endpoint.hw_info.cpu_type | intermediary.asset.hardware.cpu_platform | |
| dst_endpoint.proxy_endpoint.hw_info.ram_size | intermediary.asset.hardware.ram | |
| dst_endpoint.proxy_endpoint.hw_info.serial_number | intermediary.asset.hardware.serial_number | |
| dst_endpoint.proxy_endpoint.zone | intermediary.asset.attribute.labels[dst_endpoint_proxy_endpoint_zone] | |
| dst_endpoint.proxy_endpoint.type | additional.fields[dst_endpoint_proxy_endpoint_type] | |
| dst_endpoint.proxy_endpoint.type_id | additional.fields[dst_endpoint_proxy_endpoint_type_id] | |
| dst_endpoint.proxy_endpoint.os.cpe_name | intermediary.asset.attribute.labels[dst_endpoint_proxy_endpoint_os_cpe_name] | |
| metadata.log_level | additional.fields[metadata_log_level] | |
| metadata.tenant_uid | additional.fields[metadata_tenant_uid] | |
| metadata.product.cpe_name | about.asset.attribute.labels[metadata_product_cpe_name] | |
| metadata.loggers.device.hostname | about.asset.hostname | Iterate through the `metadata.loggers` log field; then the `metadata.loggers.device.hostname` log field is mapped to the `about.asset.hostname` UDM field. | 
| metadata.loggers.device.ip | about.asset.ip | Iterate through the `metadata.loggers` log field; then the `metadata.loggers.device.ip` log field is mapped to the `about.asset.ip` UDM field. | 
| metadata.loggers.device.instance_uid | about.asset.attribute.labels[metadata_device_instance_uid] | Iterate through the `metadata.loggers` log field; then the `metadata.loggers.device.instance_uid` log field is mapped to the `about.asset.attribute.labels[metadata_device_instance_uid]` UDM field. | 
| metadata.loggers.device.name | about.asset.attribute.labels[metadata_device_name] | Iterate through the `metadata.loggers` log field; then the `metadata.loggers.device.name` log field is mapped to the `about.asset.attribute.labels[metadata_device_name]` UDM field. | 
| metadata.loggers.device.interface_uid | about.asset.attribute.labels[metadata_device_interface_uid] | Iterate through the `metadata.loggers` log field; then the `metadata.loggers.device.interface_uid` log field is mapped to the `about.asset.attribute.labels[metadata_device_interface_uid]` UDM field. | 
| metadata.loggers.device.interface_name | about.asset.attribute.labels[metadata_device_interface_name] | Iterate through the `metadata.loggers` log field; then the `metadata.loggers.device.interface_name` log field is mapped to the `about.asset.attribute.labels[metadata_device_interface_name]` UDM field. | 
| metadata.loggers.device.region | about.asset.attribute.labels[metadata_device_region] | Iterate through the `metadata.loggers` log field; then the `metadata.loggers.device.region` log field is mapped to the `about.asset.attribute.labels[metadata_device_region]` UDM field. | 
| metadata.loggers.device.type_id | about.asset.attribute.labels[metadata_device_type_id] | Iterate through the `metadata.loggers` log field; then the `metadata.loggers.device.type_id` log field is mapped to the `about.asset.attribute.labels[metadata_device_type_id]` UDM field. | 
| metadata.loggers.device.uid | about.asset.asset_id | Iterate through the `metadata.loggers` log field; then the `metadata.loggers.device.uid` log field is mapped to the `about.asset.asset_id` UDM field. | 
| metadata.loggers.product.name | additional.fields[metadata_product_name] | Iterate through the `metadata.loggers` log field; then the `metadata.loggers.product.name` log field is mapped to the `additional.fields[metadata_product_name]` UDM field. | 
| metadata.loggers.product.vendor_name | additional.fields[metadata_product_vendor_name] | Iterate through the `metadata.loggers` log field; then the `metadata.loggers.product.vendor_name` log field is mapped to the `additional.fields[metadata_product_vendor_name]` UDM field. | 
| metadata.loggers.product.version | additional.fields[metadata_product_version] | Iterate through the `metadata.loggers` log field; then the `metadata.loggers.product.version` log field is mapped to the `additional.fields[metadata_product_version]` UDM field. | 
| metadata.loggers.product.uid | additional.fields[metadata_product_uid] | Iterate through the `metadata.loggers` log field; then the `metadata.loggers.product.uid` log field is mapped to the `additional.fields[metadata_product_uid]` UDM field. | 
| metadata.loggers.uid | additional.fields[metadata_loggers_uid] | Iterate through the `metadata.loggers` log field; then the `metadata.loggers.uid` log field is mapped to the `additional.fields[metadata_loggers_uid]` UDM field. | 
| metadata.loggers.name | additional.fields[metadata_loggers_name] | Iterate through the `metadata.loggers` log field; then the `metadata.loggers.name` log field is mapped to the `additional.fields[metadata_loggers_name]` UDM field. | 
| metadata.loggers.log_provider | additional.fields[metadata_loggers_log_provider] | Iterate through the `metadata.loggers` log field; then the `metadata.loggers.log_provider` log field is mapped to the `additional.fields[metadata_loggers_log_provider]` UDM field. | 
| metadata.loggers.log_name | additional.fields[metadata_loggers_log_name] | Iterate through the `metadata.loggers` log field; then the `metadata.loggers.log_name` log field is mapped to the `additional.fields[metadata_loggers_log_name]` UDM field. | 
| src_endpoint.hw_info.bios_date | principal.asset.attribute.labels[src_endpoint_hw_info_bios_date] | |
| src_endpoint.hw_info.bios_manufacturer | principal.asset.hardware.manufacturer | |
| src_endpoint.hw_info.bios_ver | principal.asset.hardware.model | |
| src_endpoint.hw_info.cpu_bits | principal.asset.attribute.labels[src_endpoint_hw_info_cpu_bits] | |
| src_endpoint.hw_info.cpu_cores | principal.asset.hardware.cpu_number_cores | |
| src_endpoint.hw_info.cpu_count | principal.asset.attribute.labels[src_endpoint_hw_info_cpu_count] | |
| src_endpoint.hw_info.chassis | principal.asset.attribute.labels[src_endpoint_hw_info_chassis] | |
| src_endpoint.hw_info.desktop_display.color_depth | principal.asset.attribute.labels[src_endpoint_hw_info_desktop_display_color_depth] | |
| src_endpoint.hw_info.desktop_display.physical_height | principal.asset.attribute.labels[src_endpoint_hw_info_desktop_display_physical_height] | |
| src_endpoint.hw_info.desktop_display.physical_orientation | principal.asset.attribute.labels[src_endpoint_hw_info_desktop_display_physical_orientation] | |
| src_endpoint.hw_info.desktop_display.physical_width | principal.asset.attribute.labels[src_endpoint_hw_info_desktop_display_physical_width] | |
| src_endpoint.hw_info.desktop_display.scale_factor | principal.asset.attribute.labels[src_endpoint_hw_info_desktop_display_scale_factor] | |
| src_endpoint.hw_info.keyboard_info.function_keys | principal.asset.attribute.labels[src_endpoint_hw_info_keyboard_info_function_keys] | |
| src_endpoint.hw_info.keyboard_info.ime | principal.asset.attribute.labels[src_endpoint_hw_info_keyboard_info_ime] | |
| src_endpoint.hw_info.keyboard_info.keyboard_layout | principal.asset.attribute.labels[src_endpoint_hw_info_keyboard_info_keyboard_layout] | |
| src_endpoint.hw_info.keyboard_info.keyboard_subtype | principal.asset.attribute.labels[src_endpoint_hw_info_keyboard_info_keyboard_subtype] | |
| src_endpoint.hw_info.keyboard_info.keyboard_type | principal.asset.attribute.labels[src_endpoint_hw_info_keyboard_info_keyboard_type] | |
| src_endpoint.hw_info.cpu_speed | principal.asset.hardware.cpu_max_clock_speed | |
| src_endpoint.hw_info.cpu_type | principal.asset.hardware.cpu_platform | |
| src_endpoint.hw_info.ram_size | principal.asset.hardware.ram | |
| src_endpoint.hw_info.serial_number | principal.asset.hardware.serial_number | |
| src_endpoint.zone | principal.asset.attribute.labels[src_endpoint_zone] | |
| src_endpoint.type | additional.fields[src_endpoint_type] | |
| src_endpoint.type_id | additional.fields[src_endpoint_type_id] | |
| src_endpoint.os.cpe_name | principal.asset.attribute.labels[src_endpoint_os_cpe_name] | |
| src_endpoint.proxy_endpoint.svc_name | intermediary.application | |
| src_endpoint.proxy_endpoint.intermediate_ips.array | intermediary.ip | |
| src_endpoint.proxy_endpoint.domain | intermediary.domain.name | |
| src_endpoint.proxy_endpoint.hostname | intermediary.hostname | |
| src_endpoint.proxy_endpoint.ip | intermediary.ip | |
| src_endpoint.proxy_endpoint.location.city | intermediary.location.city | |
| src_endpoint.proxy_endpoint.location.country | intermediary.location.country_or_region | |
| src_endpoint.proxy_endpoint.location.region | intermediary.location.name | |
| src_endpoint.proxy_endpoint.location.coordinates | intermediary.location.region_coordinates | |
| src_endpoint.proxy_endpoint.mac | intermediary.mac | |
| src_endpoint.proxy_endpoint.port | intermediary.port | |
| src_endpoint.proxy_endpoint.uid | intermediary.asset_id | |
| src_endpoint.proxy_endpoint.hw_info.bios_date | intermediary.asset.attribute.labels[src_endpoint_proxy_endpoint_hw_info_bios_date] | |
| src_endpoint.proxy_endpoint.hw_info.bios_manufacturer | intermediary.asset.hardware.manufacturer | |
| src_endpoint.proxy_endpoint.hw_info.bios_ver | intermediary.asset.hardware.model | |
| src_endpoint.proxy_endpoint.hw_info.cpu_bits | intermediary.asset.attribute.labels[src_endpoint_proxy_endpoint_hw_info_cpu_bits] | |
| src_endpoint.proxy_endpoint.hw_info.cpu_cores | intermediary.asset.hardware.cpu_number_cores | |
| src_endpoint.proxy_endpoint.hw_info.cpu_count | intermediary.asset.attribute.labels[src_endpoint_proxy_endpoint_hw_info_cpu_count] | |
| src_endpoint.proxy_endpoint.hw_info.chassis | intermediary.asset.attribute.labels[src_endpoint_proxy_endpoint_hw_info_chassis] | |
| src_endpoint.proxy_endpoint.hw_info.desktop_display.color_depth | intermediary.asset.attribute.labels[src_endpoint_proxy_endpoint_hw_info_desktop_display_color_depth] | |
| src_endpoint.proxy_endpoint.hw_info.desktop_display.physical_height | intermediary.asset.attribute.labels[src_endpoint_proxy_endpoint_hw_info_desktop_display_physical_height] | |
| src_endpoint.proxy_endpoint.hw_info.desktop_display.physical_orientation | intermediary.asset.attribute.labels[src_endpoint_proxy_endpoint_hw_info_desktop_display_physical_orientation] | |
| src_endpoint.proxy_endpoint.hw_info.desktop_display.physical_width | intermediary.asset.attribute.labels[src_endpoint_proxy_endpoint_hw_info_desktop_display_physical_width] | |
| src_endpoint.proxy_endpoint.hw_info.desktop_display.scale_factor | intermediary.asset.attribute.labels[src_endpoint_proxy_endpoint_hw_info_desktop_display_scale_factor] | |
| src_endpoint.proxy_endpoint.hw_info.keyboard_info.function_keys | intermediary.asset.attribute.labels[src_endpoint_proxy_endpoint_hw_info_keyboard_info_function_keys] | |
| src_endpoint.proxy_endpoint.hw_info.keyboard_info.ime | intermediary.asset.attribute.labels[src_endpoint_proxy_endpoint_hw_info_keyboard_info_ime] | |
| src_endpoint.proxy_endpoint.hw_info.keyboard_info.keyboard_layout | intermediary.asset.attribute.labels[src_endpoint_proxy_endpoint_hw_info_keyboard_info_keyboard_layout] | |
| src_endpoint.proxy_endpoint.hw_info.keyboard_info.keyboard_subtype | intermediary.asset.attribute.labels[src_endpoint_proxy_endpoint_hw_info_keyboard_info_keyboard_subtype] | |
| src_endpoint.proxy_endpoint.hw_info.keyboard_info.keyboard_type | intermediary.asset.attribute.labels[src_endpoint_proxy_endpoint_hw_info_keyboard_info_keyboard_type] | |
| src_endpoint.proxy_endpoint.hw_info.cpu_speed | intermediary.asset.hardware.cpu_max_clock_speed | |
| src_endpoint.proxy_endpoint.hw_info.cpu_type | intermediary.asset.hardware.cpu_platform | |
| src_endpoint.proxy_endpoint.hw_info.ram_size | intermediary.asset.hardware.ram | |
| src_endpoint.proxy_endpoint.hw_info.serial_number | intermediary.asset.hardware.serial_number | |
| src_endpoint.proxy_endpoint.zone | intermediary.asset.attribute.labels[src_endpoint_proxy_endpoint_zone] | |
| src_endpoint.proxy_endpoint.type | additional.fields[src_endpoint_proxy_endpoint_type] | |
| src_endpoint.proxy_endpoint.type_id | additional.fields[src_endpoint_proxy_endpoint_type_id] | |
| src_endpoint.proxy_endpoint.os.cpe_name | intermediary.asset.attribute.labels[src_endpoint_proxy_endpoint_os_cpe_name] | |
| tls.certificate.uid | additional.fields[tls_certificate_uid] | |
| traffic.chunks | additional.fields[traffic_chunks] | |
| traffic.chunks_in | additional.fields[traffic_chunks_in] | |
| traffic.chunks_out | additional.fields[traffic_chunks_out] | |
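The conditional rules in the table above (the `severity_id` ladder, the `dst_endpoint.svc_name` / `api.service.name` fallback, the longitude/latitude index order of `coordinates`, and the iteration over `metadata.loggers`) are the ones most likely to surprise a detection author. The following is an added example, not the Google SecOps OCSF parser: it restates those rules in Python so you can feed a candidate OCSF event through them and see the UDM field values your rule logic will actually match on. The function names, the `SAMPLE_EVENT` and the decision to emit one `about` noun per logger entry are assumptions made for this example; the table does not say how multiple loggers are merged.

```python
"""Worked example of several OCSF -> UDM rules from the mapping table (added example,
not the Google SecOps OCSF parser). It restates the table's rules in code so an analyst
can predict the UDM shape of an event before writing detections against it.
Function names and SAMPLE_EVENT are constructed for this example."""
import json

# severity_id -> security_result.severity; any other value falls through to UNKNOWN_SEVERITY.
SEVERITY_BY_ID = {1: "INFORMATIONAL", 2: "LOW", 3: "MEDIUM", 4: "HIGH", 5: "CRITICAL"}

# metadata.loggers.device.* -> about.asset.attribute.labels[...] (label keys from the table)
LOGGER_DEVICE_LABELS = {
    "instance_uid": "metadata_device_instance_uid", "name": "metadata_device_name",
    "interface_uid": "metadata_device_interface_uid", "interface_name": "metadata_device_interface_name",
    "region": "metadata_device_region", "type_id": "metadata_device_type_id",
}
# metadata.loggers.product.* and metadata.loggers.* -> additional.fields[...]
LOGGER_PRODUCT_FIELDS = {
    "name": "metadata_product_name", "vendor_name": "metadata_product_vendor_name",
    "version": "metadata_product_version", "uid": "metadata_product_uid",
}
LOGGER_TOP_FIELDS = {
    "uid": "metadata_loggers_uid", "name": "metadata_loggers_name",
    "log_provider": "metadata_loggers_log_provider", "log_name": "metadata_loggers_log_name",
}


def get_path(obj, path):
    """Value at a dotted path through nested dicts, or None if any step is missing."""
    cur = obj
    for key in path.split("."):
        if not isinstance(cur, dict) or key not in cur:
            return None
        cur = cur[key]
    return cur


def map_severity(event):
    """severity_id rule; a numeric string is accepted since JSON sources sometimes emit one."""
    try:
        sev_id = int(get_path(event, "severity_id"))
    except (TypeError, ValueError):
        return "UNKNOWN_SEVERITY"
    return SEVERITY_BY_ID.get(sev_id, "UNKNOWN_SEVERITY")


def map_target_application(event):
    """dst_endpoint.svc_name wins; api.service.name is used only when svc_name is empty."""
    return get_path(event, "dst_endpoint.svc_name") or get_path(event, "api.service.name")


def map_target_coordinates(event):
    """OCSF coordinates are [longitude, latitude]: index 0 -> longitude, index 1 -> latitude."""
    coords = get_path(event, "dst_endpoint.location.coordinates")
    if not isinstance(coords, list) or len(coords) < 2:
        return None
    return {"longitude": coords[0], "latitude": coords[1]}


def map_loggers(event):
    """Iterate metadata.loggers. Assumption not stated by the table: each logger entry
    becomes one 'about' noun, and additional.fields from all entries are merged."""
    abouts, additional = [], {}
    for logger in get_path(event, "metadata.loggers") or []:
        device = logger.get("device") or {}
        asset = {}
        for src, udm in (("hostname", "hostname"), ("ip", "ip"), ("uid", "asset_id")):
            if device.get(src):
                asset[udm] = device[src]
        labels = {udm: device[src] for src, udm in LOGGER_DEVICE_LABELS.items() if src in device}
        if labels:
            asset["attribute"] = {"labels": labels}
        if asset:
            abouts.append({"asset": asset})
        product = logger.get("product") or {}
        additional.update({udm: product[src] for src, udm in LOGGER_PRODUCT_FIELDS.items() if src in product})
        additional.update({udm: logger[src] for src, udm in LOGGER_TOP_FIELDS.items() if src in logger})
    return abouts, additional


def map_event(event):
    """Assemble the subset of UDM fields this example covers."""
    abouts, additional = map_loggers(event)
    return {
        "security_result": {"severity": map_severity(event)},
        "target": {"application": map_target_application(event),
                   "location": {"region_coordinates": map_target_coordinates(event)}},
        "about": abouts,
        "additional": {"fields": additional},
    }


# Constructed sample event (not from the page); every value is a placeholder.
SAMPLE_EVENT = json.loads("""{
  "severity_id": 4,
  "api": {"service": {"name": "api-gateway"}},
  "dst_endpoint": {"svc_name": "", "location": {"coordinates": [-73.983, 40.719]}},
  "metadata": {"loggers": [{
    "uid": "lg-1", "name": "edge-collector", "log_name": "Security",
    "device": {"hostname": "collector01", "ip": "203.0.113.10", "uid": "asset-001", "type_id": 1},
    "product": {"name": "ExampleSIEM", "vendor_name": "ExampleCorp", "version": "2.1"}}]}
}""")

if __name__ == "__main__":
    print(json.dumps(map_event(SAMPLE_EVENT), indent=2))
```

Two points worth checking against your own data: an event whose `severity_id` is outside 1..5 lands in `UNKNOWN_SEVERITY` rather than being dropped, so a rule that filters on `security_result.severity` should account for that bucket, and an empty-string `dst_endpoint.svc_name` counts as empty, which silently promotes `api.service.name` into `target.application`.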
Field mapping reference: OCSF Compliance Finding
The following table lists the log fields for theCompliance Finding log type and their corresponding UDM fields.
| Log field | UDM mapping | Logic | 
|---|---|---|
| activity_id | metadata.event_type | If the `class_name` log field value is equal to `Compliance Finding`, then the `metadata.event_type` UDM field is set to `SCAN_UNCATEGORIZED`. | 
| activity_name | metadata.product_event_type | The `%{activity_id} - %{activity_name}` log field is mapped to the `metadata.product_event_type` UDM field. | 
| actor.process.cmd_line | principal.process.command_line | |
| actor.process.file.accessed_time | principal.process.file.last_seen_time | |
| actor.process.file.created_time | principal.process.file.first_seen_time | |
| actor.process.file.mime_type | principal.process.file.mime_type | |
| actor.process.file.modified_time | principal.process.file.last_modification_time | |
| actor.process.file.name | principal.process.file.names | |
| actor.process.file.path | principal.process.file.full_path | |
| actor.process.file.signature.algorithm | principal.process.file.signature_info.sigcheck.x509.algorithm | |
| actor.process.file.signature.certificate.issuer | principal.process.file.signature_info.sigcheck.x509.cert_issuer | |
| actor.process.file.signature.certificate.serial_number | principal.process.file.signature_info.sigcheck.x509.serial_number | |
| actor.process.file.size | principal.process.file.size | |
| actor.process.parent_process.cmd_line | principal.process.parent_process.command_line | |
| actor.process.parent_process.file.accessed_time | principal.process.parent_process.file.last_seen_time | |
| actor.process.parent_process.file.created_time | principal.process.parent_process.file.first_seen_time | |
| actor.process.parent_process.file.mime_type | principal.process.parent_process.file.mime_type | |
| actor.process.parent_process.file.modified_time | principal.process.parent_process.file.last_modification_time | |
| actor.process.parent_process.file.name | principal.process.parent_process.file.names | |
| actor.process.parent_process.file.path | principal.process.parent_process.file.full_path | |
| actor.process.parent_process.file.size | principal.process.parent_process.file.size | |
| actor.process.parent_process.pid | principal.process.parent_process.pid | |
| actor.process.parent_process.uid | principal.process.parent_process.product_specific_process_id | |
| actor.process.pid | principal.process.pid | |
| actor.process.uid | principal.process.product_specific_process_id | |
| actor.process.user.domain | principal.administrative_domain | If the `actor.user.domain` log field value is empty, then the `actor.process.user.domain` log field is mapped to the `principal.administrative_domain` UDM field. | 
| actor.process.user.email_addr | principal.user.email_addresses | If the `actor.user.email_addr` log field value is empty, then the `%{actor.process.user.email_addr}` log field is mapped to the `principal.user.email_addresses` UDM field. | 
| actor.process.user.full_name | principal.user.user_display_name | If the `actor.user.full_name` log field value is empty, then the `%{actor.process.user.full_name}` log field is mapped to the `principal.user.user_display_name` UDM field. | 
| actor.process.user.groups.name | principal.group.group_display_name | If the `actor.user.groups.name` log field value is empty, then the `actor.process.user.groups.name` log field is mapped to the `principal.group.group_display_name` UDM field. | 
| actor.process.user.groups.privileges | principal.group.attribute.permissions.name | If the `actor.user.groups.privileges` log field value is empty, then the `actor.process.user.groups.privileges` log field is mapped to the `principal.group.attribute.permissions.name` UDM field. | 
| actor.process.user.groups.uid | principal.user.group_identifiers | If the `actor.user.groups.uid` log field value is empty, then the `%{actor.process.user.groups.uid}` log field is mapped to the `principal.user.group_identifiers` UDM field. | 
| actor.process.user.name | principal.user.userid | If the `actor.user.name` log field value is empty, then the `%{actor.process.user.name}` log field is mapped to the `principal.user.userid` UDM field. | 
| actor.process.user.org.name | principal.user.company_name | If the `actor.user.org.name` log field value is empty, then the `%{actor.process.user.org.name}` log field is mapped to the `principal.user.company_name` UDM field. | 
| actor.process.user.org.ou_name | principal.user.department | If the `actor.user.org.ou_name` log field value is empty, then the `%{actor.process.user.org.ou_name}` log field is mapped to the `principal.user.department` UDM field. | 
| actor.process.user.type_id | principal.user.attribute.roles.name | If the `actor.user.type_id` log field value is empty and the `type_id` log field value is equal to `0`, then the `principal.user.attribute.roles.name` UDM field is set to `Unknown`. Else, if the `type_id` log field value is equal to `1`, then the `principal.user.attribute.roles.name` UDM field is set to `User`. Else, if the `type_id` log field value is equal to `2`, then the `principal.user.attribute.roles.name` UDM field is set to `Admin`. Else, if the `type_id` log field value is equal to `3`, then the `principal.user.attribute.roles.name` UDM field is set to `System`. Else, the `principal.user.attribute.roles.name` UDM field is set to `Other`. | 
| actor.process.user.uid | principal.user.product_object_id | If the `actor.user.uid` log field value is empty, then the `%{actor.process.user.uid}` log field is mapped to the `principal.user.product_object_id` UDM field. | 
| actor.session.uid | network.session_id | |
| actor.user.domain | principal.administrative_domain | |
| actor.user.email_addr | principal.user.email_addresses | |
| actor.user.full_name | principal.user.user_display_name | |
| actor.user.groups.name | principal.group.group_display_name | |
| actor.user.groups.privileges | principal.group.attribute.permissions.name | |
| actor.user.groups.uid | principal.user.group_identifiers | |
| actor.user.name | principal.user.userid | |
| actor.user.org.name | principal.user.company_name | |
| actor.user.org.ou_name | principal.user.department | |
| actor.user.type_id | principal.user.attribute.roles.name | If the `type_id` log field value is equal to `0`, then the `principal.user.attribute.roles.name` UDM field is set to `Unknown`. Else, if the `type_id` log field value is equal to `1`, then the `principal.user.attribute.roles.name` UDM field is set to `User`. Else, if the `type_id` log field value is equal to `2`, then the `principal.user.attribute.roles.name` UDM field is set to `Admin`. Else, if the `type_id` log field value is equal to `3`, then the `principal.user.attribute.roles.name` UDM field is set to `System`. Else, the `principal.user.attribute.roles.name` UDM field is set to `Other`. | 
| actor.user.uid | principal.user.product_object_id | |
| api.response.code | network.http.response_code | |
| api.response.message | metadata.description | If the `message` log field value is empty, then the `api.response.message` log field is mapped to the `metadata.description` UDM field. | 
| api.service.name | target.application | |
| api.response.error_message | additional.fields[res_error_message] | |
| api.response.error | additional.fields[res_error] | |
| category_name | security_result.category_details | The `%{category_uid} - %{category_name}` log field is mapped to the `security_result.category_details` UDM field. | 
| category_uid | security_result.category_details | The `%{category_uid} - %{category_name}` log field is mapped to the `security_result.category_details` UDM field. | 
| class_name | metadata.log_type | |
| cloud.org.name | about.resource.name | |
| cloud.org.uid | about.resource.product_object_id | |
| cloud.project_uid | principal.resource.product_object_id | |
| cloud.provider | about.resource.attribute.cloud.environment | If the `cloud.provider` log field value matches the regular expression pattern `AWS`, then the `about.resource.attribute.cloud.environment` UDM field is set to `AMAZON_WEB_SERVICES`. Else, if the `cloud.provider` log field value matches the regular expression pattern `MS Azure`, then the `about.resource.attribute.cloud.environment` UDM field is set to `MICROSOFT_AZURE`. Else, if the `cloud.provider` log field value matches the regular expression pattern `GCP`, then the `about.resource.attribute.cloud.environment` UDM field is set to `GOOGLE_CLOUD_PLATFORM`. | 
| cloud.region | about.location.name | |
| cloud.zone | about.resource.attribute.cloud.availability_zone | |
| compliance.requirements | security_result.detection_fields[compliance_requirements] | |
| compliance.status | security_result.detection_fields[compliance_status] | |
| compliance.status_detail | security_result.detection_fields[compliance_status_detail] | |
| confidence | security_result.confidence | If the `confidence` log field value matches the regular expression pattern `Low`, then the `security_result.confidence` UDM field is set to `LOW_CONFIDENCE`. Else, if the `confidence` log field value matches the regular expression pattern `Medium`, then the `security_result.confidence` UDM field is set to `MEDIUM_CONFIDENCE`. Else, if the `confidence` log field value matches the regular expression pattern `High`, then the `security_result.confidence` UDM field is set to `HIGH_CONFIDENCE`. Else, the `security_result.confidence` UDM field is set to `UNKNOWN_CONFIDENCE`. | 
| confidence_score | security_result.confidence_details | |
| count | security_result.detection_fields[count] | |
| device.created_time | principal.asset.attribute.creation_time | |
| device.domain | principal.asset.network_domain | |
| device.first_seen_time | principal.asset.first_seen_time | |
| device.hostname | principal.asset.hostname | |
| device.hw_info.bios_manufacturer | principal.asset.hardware.manufacturer | |
| device.hw_info.cpu_cores | principal.asset.hardware.cpu_number_cores | |
| device.hw_info.cpu_speed | principal.asset.hardware.cpu_clock_speed | |
| device.hw_info.cpu_type | principal.asset.hardware.cpu_model | |
| device.hw_info.ram_size | principal.asset.hardware.ram | |
| device.hw_info.serial_number | principal.asset.hardware.serial_number | |
| device.ip | principal.asset.ip | |
| device.location.city | principal.asset.location.city | |
| device.location.coordinates.0 | principal.asset.location.region_coordinates.longitude | |
| device.location.coordinates.1 | principal.asset.location.region_coordinates.latitude | |
| device.location.country | principal.asset.location.country_or_region | |
| device.location.region | principal.asset.location.name | If the `device.region` log field value is empty, then the `device.location.region` log field is mapped to the `principal.asset.location.name` UDM field. | 
| device.mac | principal.asset.mac | |
| device.modified_time | principal.asset.attribute.last_update_time | |
| device.os.type_id | principal.asset.platform_software.platform | If the `device.os.type_id` log field value is equal to `100` or the `device.os.type_id` log field value is equal to `101`, then the `principal.asset.platform_software.platform` UDM field is set to `WINDOWS`. Else, if the `device.os.type_id` log field value is equal to `200`, then the `principal.asset.platform_software.platform` UDM field is set to `LINUX`. Else, if the `device.os.type_id` log field value is equal to `201`, then the `principal.asset.platform_software.platform` UDM field is set to `ANDROID`. Else, if the `device.os.type_id` log field value is equal to `300`, then the `principal.asset.platform_software.platform` UDM field is set to `MAC`. Else, if the `device.os.type_id` log field value is equal to `301`, then the `principal.asset.platform_software.platform` UDM field is set to `IOS`. Else, the `principal.asset.platform_software.platform` UDM field is set to `UNKNOWN_PLATFORM`. | 
| device.os.version | principal.asset.platform_software.platform_version | |
| device.region | principal.asset.location.name | |
| device.type_id | principal.asset.type | If the `device.type_id` log field value is equal to `1`, then the `principal.asset.type` UDM field is set to `SERVER`. Else, if the `device.type_id` log field value is equal to `2`, then the `principal.asset.type` UDM field is set to `WORKSTATION`. Else, if the `device.type_id` log field value is equal to `3`, then the `principal.asset.type` UDM field is set to `LAPTOP`. Else, if the `device.type_id` log field value is equal to `4` or the `device.type_id` log field value is equal to `5`, then the `principal.asset.type` UDM field is set to `MOBILE`. Else, if the `device.type_id` log field value is equal to `7`, then the `principal.asset.type` UDM field is set to `IOT`. Else, the `principal.asset.type` UDM field is set to `ROLE_UNSPECIFIED`. | 
| device.uid | principal.asset.product_object_id | |
| end_time | security_result.detection_fields[end_time] | |
| enrichments.name | security_result.detection_fields[enrichments_name] | |
| enrichments.provider | security_result.detection_fields[enrichments_provider] | |
| enrichments.type | security_result.detection_fields[enrichments_type] | |
| enrichments.value | security_result.detection_fields[enrichments_value] | |
| finding_info.analytic.desc | security_result.detection_fields[finding_info_analytic_desc] | |
| finding_info.analytic.name | security_result.analytics_metadata.analytic | |
| finding_info.analytic.related_analytics.category | security_result.detection_fields[finding_info_analytic_related_analytics_category] | |
| finding_info.analytic.related_analytics.desc | security_result.detection_fields[finding_info_analytic_related_analytics_desc] | |
| finding_info.analytic.related_analytics.name | security_result.detection_fields[finding_info_analytic_related_analytics_name] | |
| finding_info.analytic.related_analytics.type | security_result.detection_fields[finding_info_analytic_related_analytics_type] | |
| finding_info.analytic.related_analytics.type_id | security_result.detection_fields[finding_info_analytic_related_analytics_typeId] | |
| finding_info.analytic.related_analytics.uid | security_result.detection_fields[finding_info_analytic_related_analytics_uid] | |
| finding_info.analytic.type | security_result.detection_fields[finding_info_analytic_type] | |
| finding_info.analytic.type_id | security_result.detection_fields[finding_info_analytic_typeId] | |
| finding_info.attacks.sub_technique.name | security_result.attack_details.techniques.subtechnique_name | |
| finding_info.attacks.sub_technique.uid | security_result.attack_details.techniques.subtechnique_id | |
| finding_info.attacks.tactic.name | security_result.attack_details.tactics.name | |
| finding_info.attacks.tactic.uid | security_result.attack_details.tactics.id | |
| finding_info.attacks.technique.name | security_result.attack_details.techniques.name | |
| finding_info.attacks.technique.uid | security_result.attack_details.techniques.id | |
| finding_info.attacks.version | security_result.attack_details.version | |
| finding_info.created_time | security_result.detection_fields [finding_info_created_time] | |
| finding_info.data_sources | security_result.detection_fields[finding_info_data_sources] | |
| finding_info.desc | security_result.description | |
| finding_info.first_seen_time | security_result.first_discovered_time | |
| finding_info.last_seen_time | security_result.detection_fields [finding_info_last_seen_time] | |
| finding_info.modified_time | security_result.detection_fields [finding_info_modified_time] | |
| finding_info.product_uid | principal.asset_id | |
| finding_info.related_events.product_uid | security_result.detection_fields[finding_info_related_events_product_uid] | |
| finding_info.related_events.uid | security_result.detection_fields [finding_info_related_events_uid] | |
| finding_info.src_url | security_result.url_back_to_product | |
| finding_info.title | security_result.summary | |
| finding_info.types | security_result.detection_fields [finding_info_types] | |
| finding_info.uid | security_result.detection_fields [finding_info_uid] | |
| message | metadata.description | |
| metadata.labels | additional.fields[metadata_labels] | |
| metadata.log_name | additional.fields[metadata_log_name] | |
| metadata.log_provider | additional.fields[metadata_log_provider] | |
| metadata.logged_time | metadata.collected_timestamp | |
| metadata.modified_time | additional.fields[metadata_modified_time] | |
| metadata.original_time | additional.fields[metadata_original_time] | |
| metadata.product.feature.name | additional.fields[metadata_product_feature_name] | |
| metadata.product.feature.uid | additional.fields[metadata_product_feature_uid] | |
| metadata.product.lang | additional.fields[metadata_product_lang] | |
| metadata.product.name | metadata.product_name | |
| metadata.product.vendor_name | metadata.vendor_name | |
| metadata.product.version | metadata.product_version | |
| metadata.profiles | additional.fields[metadata_profiles] | |
| metadata.tenant_uid | additional.fields[metadata_tenant_uid] | |
| metadata.uid | metadata.product_log_id | |
| metadata.version | additional.fields[metadata_version] | |
| observables.value | observer.file.names | |
| observables.value | observer.file.vhash | |
| observables.value | observer.hostname | Iterate through the observables.type_id log field. If the observables.type_id log field value is equal to 1 and the observer.hostname UDM field is empty, then the observables.value log field is mapped to the observer.hostname UDM field. Else, if the observables.type_id log field value is equal to 2, then the observables.value log field is mapped to the observer.ip UDM field. Else, if the observables.type_id log field value is equal to 3, then the observables.value log field is mapped to the observer.mac UDM field. Else, if the observables.type_id log field value is equal to 4 and the observer.user.userid UDM field is empty, then the observables.value log field is mapped to the observer.user.userid UDM field. Else, if the observables.type_id log field value is equal to 5, then the observables.value log field is mapped to the observer.user.email_addresses UDM field. Else, if the observables.type_id log field value is equal to 6 and the observer.url UDM field is empty, then the observables.value log field is mapped to the observer.url UDM field. Else, if the observables.type_id log field value is equal to 7, then the observables.value log field is mapped to the observer.file.names UDM field. Else, if the observables.type_id log field value is equal to 8 and the observer.file.vhash UDM field is empty, then the observables.value log field is mapped to the observer.file.vhash UDM field. Else, if the observables.type_id log field value is equal to 9, then the observables.value log field is mapped to the observer.process.file.names UDM field. Else, if the observables.type_id log field value is equal to 10 and the observer.resource.product_object_id UDM field is empty, then the observables.value log field is mapped to the observer.resource.product_object_id UDM field. |
| observables.value | observer.ip | |
| observables.value | observer.mac | |
| observables.value | observer.process.file.names | |
| observables.value | observer.resource.product_object_id | |
| observables.value | observer.url | |
| observables.value | observer.user.email_addresses | |
| observables.value | observer.user.userid | |
| raw_data | additional.fields[raw_data] | |
| severity | security_result.severity_details | |
| severity_id | security_result.severity | If the severity_id log field value is equal to 1, then the security_result.severity UDM field is set to INFORMATIONAL. Else, if the severity_id log field value is equal to 2, then the security_result.severity UDM field is set to LOW. Else, if the severity_id log field value is equal to 3, then the security_result.severity UDM field is set to MEDIUM. Else, if the severity_id log field value is equal to 4, then the security_result.severity UDM field is set to HIGH. Else, if the severity_id log field value is equal to 5, then the security_result.severity UDM field is set to CRITICAL. Else, the security_result.severity UDM field is set to UNKNOWN_SEVERITY. |
| status | security_result.detection_fields [status] | |
| status_code | security_result.detection_fields [status_code] | |
| time | metadata.event_timestamp | |
| type_name | security_result.detection_fields [type_name] | |
| type_uid | security_result.detection_fields [type_uid] | |
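The observables dispatch described in the observer.hostname row of the table above is the one piece of non-trivial logic in this mapping: some destinations are written only when still empty (first value wins), the rest receive every matching value. The following Python is an added example that reconstructs that rule from the table; it is not the Google SecOps parser's own code. It assumes that the guarded destinations (hostname, userid, url, vhash, product_object_id) hold a single value and that the unguarded ones (ip, mac, email_addresses, file.names, process.file.names) are repeated UDM fields to which values are appended; the table does not spell out the append behaviour, so that part is an assumption. The sample observables array is constructed for the example.

```python
"""Normalize OCSF 'observables' entries into observer.* UDM fields.

Added example reconstructing the dispatch rule from the mapping table;
this is not the Google SecOps OCSF parser itself.
"""
import json

# Dispatch table taken from the mapping reference: type_id -> (UDM path, guarded).
# guarded=True: the value is used only if the destination is still empty.
# guarded=False: assumed to be a repeated UDM field; every value is appended.
OBSERVABLE_MAP = {
    1: ("observer.hostname", True),
    2: ("observer.ip", False),
    3: ("observer.mac", False),
    4: ("observer.user.userid", True),
    5: ("observer.user.email_addresses", False),
    6: ("observer.url", True),
    7: ("observer.file.names", False),
    8: ("observer.file.vhash", True),
    9: ("observer.process.file.names", False),
    10: ("observer.resource.product_object_id", True),
}


def _get(udm, path):
    """Read a dotted path from a nested dict; None if any segment is missing."""
    node = udm
    for part in path.split("."):
        if not isinstance(node, dict) or part not in node:
            return None
        node = node[part]
    return node


def _set(udm, path, value):
    """Write a dotted path into a nested dict, creating intermediate dicts."""
    parts = path.split(".")
    node = udm
    for part in parts[:-1]:
        node = node.setdefault(part, {})
    node[parts[-1]] = value


def map_observables(observables, udm=None):
    """Apply the observables dispatch rule to a (possibly pre-filled) UDM dict."""
    udm = {} if udm is None else udm
    for obs in observables:
        type_id = obs.get("type_id")
        value = obs.get("value")
        # Empty values and type_ids outside the table are not mapped.
        if value in (None, "") or type_id not in OBSERVABLE_MAP:
            continue
        path, guarded = OBSERVABLE_MAP[type_id]
        if guarded:
            # First value wins: only fill a destination that is still empty.
            if _get(udm, path) in (None, ""):
                _set(udm, path, value)
        else:
            # Repeated destination (assumption): keep every value in order.
            existing = _get(udm, path) or []
            _set(udm, path, existing + [value])
    return udm


# Constructed sample: two hostnames (second must be ignored), two IPs (both
# kept), one file name, one hash, and one type_id the table does not cover.
SAMPLE_OBSERVABLES = [
    {"name": "device.hostname", "type_id": 1, "value": "host-a"},
    {"name": "dst_endpoint.hostname", "type_id": 1, "value": "host-b"},
    {"name": "device.ip", "type_id": 2, "value": "198.51.100.4"},
    {"name": "dst_endpoint.ip", "type_id": 2, "value": "198.51.100.5"},
    {"name": "file.name", "type_id": 7, "value": "report.pdf"},
    {"name": "file.hashes", "type_id": 8, "value": "placeholder-hash"},
    {"name": "unmapped", "type_id": 99, "value": "dropped"},
]

if __name__ == "__main__":
    print(json.dumps(map_observables(SAMPLE_OBSERVABLES), indent=2))
```

Running the block on the sample shows the guard in action: observer.hostname keeps `host-a` and silently drops `host-b`, while observer.ip collects both addresses. When checking a parser's output against this table, the guarded rows are the ones where the order of observables in the source event changes the result.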
Field mapping reference: OCSF Detection Finding
The following table lists the log fields for theDetection Finding log type and their corresponding UDM fields.
| Log field | UDM mapping | Logic | 
|---|---|---|
| activity_id | metadata.event_type | If the class_name log field value is equal to Detection Finding, then the metadata.event_type UDM field is set to SCAN_UNCATEGORIZED. |
| activity_name | metadata.product_event_type | |
| actor.process.cmd_line | principal.process.command_line | |
| actor.process.file.accessed_time | principal.process.file.last_seen_time | |
| actor.process.file.created_time | principal.process.file.first_seen_time | |
| actor.process.file.mime_type | principal.process.file.mime_type | |
| actor.process.file.modified_time | principal.process.file.last_modification_time | |
| actor.process.file.name | principal.process.file.names | |
| actor.process.file.path | principal.process.file.full_path | |
| actor.process.file.signature.algorithm | principal.process.file.signature_info.sigcheck.x509.algorithm | |
| actor.process.file.signature.certificate.issuer | principal.process.file.signature_info.sigcheck.x509.cert_issuer | |
| actor.process.file.signature.certificate.serial_number | principal.process.file.signature_info.sigcheck.x509.serial_number | |
| actor.process.file.size | principal.process.file.size | |
| actor.process.parent_process.cmd_line | principal.process.parent_process.command_line | |
| actor.process.parent_process.file.accessed_time | principal.process.parent_process.file.last_seen_time | |
| actor.process.parent_process.file.created_time | principal.process.parent_process.file.first_seen_time | |
| actor.process.parent_process.file.mime_type | principal.process.parent_process.file.mime_type | |
| actor.process.parent_process.file.modified_time | principal.process.parent_process.file.last_modification_time | |
| actor.process.parent_process.file.name | principal.process.parent_process.file.names | |
| actor.process.parent_process.file.path | principal.process.parent_process.file.full_path | |
| actor.process.parent_process.file.size | principal.process.parent_process.file.size | |
| actor.process.parent_process.pid | principal.process.parent_process.pid | |
| actor.process.parent_process.uid | principal.process.parent_process.product_specific_process_id | |
| actor.process.pid | principal.process.pid | |
| actor.process.uid | principal.process.product_specific_process_id | |
| actor.process.user.domain | principal.administrative_domain | If the actor.user.domain log field value is empty, then the actor.process.user.domain log field is mapped to the principal.administrative_domain UDM field. |
| actor.process.user.email_addr | principal.user.email_addresses | If the actor.user.email_addr log field value is empty, then the %{actor.process.user.email_addr} log field is mapped to the principal.user.email_addresses UDM field. |
| actor.process.user.full_name | principal.user.user_display_name | If the actor.user.full_name log field value is empty, then the %{actor.process.user.full_name} log field is mapped to the principal.user.user_display_name UDM field. |
| actor.process.user.groups.name | principal.group.group_display_name | If the actor.user.groups.name log field value is empty, then the actor.process.user.groups.name log field is mapped to the principal.group.group_display_name UDM field. |
| actor.process.user.groups.privileges | principal.group.attribute.permissions.name | If the actor.user.groups.privileges log field value is empty, then the actor.process.user.groups.privileges log field is mapped to the principal.group.attribute.permissions.name UDM field. |
| actor.process.user.groups.uid | principal.user.group_identifiers | If the actor.user.groups.uid log field value is empty, then the %{actor.process.user.groups.uid} log field is mapped to the principal.user.group_identifiers UDM field. |
| actor.process.user.name | principal.user.userid | If the actor.user.name log field value is empty, then the %{actor.process.user.name} log field is mapped to the principal.user.userid UDM field. |
| actor.process.user.org.name | principal.user.company_name | If the actor.user.org.name log field value is empty, then the %{actor.process.user.org.name} log field is mapped to the principal.user.company_name UDM field. |
| actor.process.user.org.ou_name | principal.user.department | If the actor.user.org.ou_name log field value is empty, then the %{actor.process.user.org.ou_name} log field is mapped to the principal.user.department UDM field. |
| actor.process.user.type_id | principal.user.attribute.roles.name | If the actor.user.type_id log field value is empty and the type_id log field value is equal to 0, then the principal.user.attribute.roles.name UDM field is set to Unknown. Else, if the type_id log field value is equal to 1, then the principal.user.attribute.roles.name UDM field is set to User. Else, if the type_id log field value is equal to 2, then the principal.user.attribute.roles.name UDM field is set to Admin. Else, if the type_id log field value is equal to 3, then the principal.user.attribute.roles.name UDM field is set to System. Else, the principal.user.attribute.roles.name UDM field is set to Other. |
| actor.process.user.uid | principal.user.product_object_id | If the actor.user.uid log field value is empty, then the %{actor.process.user.uid} log field is mapped to the principal.user.product_object_id UDM field. |
| actor.session.uid | network.session_id | |
| actor.user.domain | principal.administrative_domain | |
| actor.user.email_addr | principal.user.email_addresses | |
| actor.user.full_name | principal.user.user_display_name | |
| actor.user.groups.name | principal.group.group_display_name | |
| actor.user.groups.privileges | principal.group.attribute.permissions.name | |
| actor.user.groups.uid | principal.user.group_identifiers | |
| actor.user.name | principal.user.userid | |
| actor.user.org.name | principal.user.company_name | |
| actor.user.org.ou_name | principal.user.department | |
| actor.user.type_id | principal.user.attribute.roles.name | If the type_id log field value is equal to 0, then the principal.user.attribute.roles.name UDM field is set to Unknown. Else, if the type_id log field value is equal to 1, then the principal.user.attribute.roles.name UDM field is set to User. Else, if the type_id log field value is equal to 2, then the principal.user.attribute.roles.name UDM field is set to Admin. Else, if the type_id log field value is equal to 3, then the principal.user.attribute.roles.name UDM field is set to System. Else, the principal.user.attribute.roles.name UDM field is set to Other. |
| actor.user.uid | principal.user.product_object_id | |
| api.response.message | metadata.description | If the message log field value is empty, then the api.response.message log field is mapped to the metadata.description UDM field. |
| api.service.name | target.application | |
| api.response.code | network.http.response_code | |
| api.response.error_message | additional.fields[res_error_message] | |
| api.response.error | additional.fields[res_error] | |
| attacks.sub_technique.name | security_result.attack_details.technique.subtechnique_name | |
| attacks.sub_technique.uid | security_result.attack_details.technique.subtechnique_id | |
| attacks.tactic.name | security_result.attack_details.tactics.name | |
| attacks.tactic.uid | security_result.attack_details.tactics.id | |
| attacks.technique.name | security_result.attack_details.technique.name | |
| attacks.technique.uid | security_result.attack_details.technique.id | |
| attacks.version | security_result.attack_details.version | |
| category_name | security_result.category_details | |
| category_uid | security_result.category_details | |
| class_name | metadata.log_type | |
| cloud.org.name | about.resource.name | |
| cloud.org.uid | about.resource.product_object_id | |
| cloud.project_uid | principal.resource.product_object_id | |
| cloud.provider | about.resource.attribute.cloud.environment | |
| cloud.region | about.location.name | |
| cloud.zone | about.resource.attribute.cloud.availability_zone | |
| confidence | security_result.confidence | |
| confidence_score | security_result.confidence_details | |
| count | security_result.detection_fields [count] | |
| device.created_time | principal.asset.attribute.creation_time | |
| device.domain | principal.asset.network_domain | |
| device.first_seen_time | principal.asset.first_seen_time | |
| device.hostname | principal.asset.hostname | |
| device.hw_info.bios_manufacturer | principal.asset.hardware.manufacturer | |
| device.hw_info.cpu_cores | principal.asset.hardware.cpu_number_cores | |
| device.hw_info.cpu_speed | principal.asset.hardware.cpu_clock_speed | |
| device.hw_info.cpu_type | principal.asset.hardware.cpu_model | |
| device.hw_info.ram_size | principal.asset.hardware.ram | |
| device.hw_info.serial_number | principal.asset.hardware.serial_number | |
| device.ip | principal.asset.ip | |
| device.location.city | principal.asset.location.city | |
| device.location.coordinates.0 | principal.asset.location.region_coordinates.longitude | |
| device.location.coordinates.1 | principal.asset.location.region_coordinates.latitude | |
| device.location.country | principal.asset.location.country_or_region | |
| device.location.region | principal.asset.location.name | |
| device.mac | principal.asset.mac | |
| device.modified_time | principal.asset.attribute.last_update_time | |
| device.os.type_id | principal.asset.platform_software.platform | |
| device.os.version | principal.asset.platform_software.platform_version | |
| device.region | principal.asset.location.name | |
| device.type_id | principal.asset.type | |
| device.uid | principal.asset.product_object_id | |
| end_time | security_result.detection_fields [end_time] | |
| enrichments.name | security_result.detection_fields [enrichments_name] | |
| enrichments.provider | security_result.detection_fields [enrichments_provider] | |
| enrichments.type | security_result.detection_fields [enrichments_type] | |
| enrichments.value | security_result.detection_fields [enrichments_value] | |
| finding_info.analytic.desc | security_result.detection_fields [finding_info_analytic_desc] | |
| finding_info.analytic.name | security_result.analytics_metadata.analytic | |
| finding_info.analytic.related_analytics.category | security_result.detection_fields [finding_info_analytic_related_analytics_category] | |
| finding_info.analytic.related_analytics.desc | security_result.detection_fields [finding_info_analytic_related_analytics_desc] | |
| finding_info.analytic.related_analytics.name | security_result.detection_fields [finding_info_analytic_related_analytics_name] | |
| finding_info.analytic.related_analytics.type | security_result.detection_fields [finding_info_analytic_related_analytics_type] | |
| finding_info.analytic.related_analytics.type_id | security_result.detection_fields [finding_info_analytic_related_analytics_typeId] | |
| finding_info.analytic.related_analytics.uid | security_result.detection_fields [finding_info_analytic_related_analytics_uid] | |
| finding_info.analytic.type | security_result.detection_fields [finding_info_analytic_type] | |
| finding_info.analytic.type_id | security_result.detection_fields [finding_info_analytic_typeId] | |
| finding_info.attacks.sub_technique.name | security_result.attack_details.techniques.subtechnique_name | |
| finding_info.attacks.sub_technique.uid | security_result.attack_details.techniques.subtechnique_id | |
| finding_info.attacks.tactic.name | security_result.attack_details.tactics.name | |
| finding_info.attacks.tactic.uid | security_result.attack_details.tactics.id | |
| finding_info.attacks.technique.name | security_result.attack_details.techniques.name | |
| finding_info.attacks.technique.uid | security_result.attack_details.techniques.id | |
| finding_info.attacks.version | security_result.attack_details.version | |
| finding_info.created_time | security_result.detection_fields [finding_info_created_time] | |
| finding_info.data_sources | security_result.detection_fields[finding_info_data_sources] | |
| finding_info.desc | security_result.description | |
| finding_info.first_seen_time | security_result.first_discovered_time | |
| finding_info.last_seen_time | security_result.detection_fields [finding_info_last_seen_time] | |
| finding_info.modified_time | security_result.detection_fields [finding_info_modified_time] | |
| finding_info.product_uid | principal.asset_id | |
| finding_info.related_events.product_uid | security_result.detection_fields[finding_info_related_events_product_uid] | |
| finding_info.related_events.uid | security_result.detection_fields [finding_info_related_events_uid] | |
| finding_info.src_url | security_result.url_back_to_product | |
| finding_info.title | security_result.summary | |
| finding_info.types | security_result.detection_fields [finding_info_types] | |
| finding_info.uid | security_result.detection_fields [finding_info_uid] | |
| firewall_rule.category | security_result.rule_labels [firewall_rule_category] | |
| firewall_rule.desc | security_result.rule_labels [firewall_rule_description] | |
| firewall_rule.name | security_result.rule_name | |
| firewall_rule.type | security_result.rule_type | |
| firewall_rule.uid | security_result.rule_id | |
| firewall_rule.version | security_result.rule_version | |
| malware.classification_ids | security_result.detection_fields [malware.classification_ids] | |
| malware.classifications | security_result.detection_fields [malware.classifications] | |
| malware.cves.created_time | extensions.vulns.vulnerabilities.first_found | |
| malware.cves.cvss.base_score | extensions.vulns.vulnerabilities.cvss_base_score | |
| malware.cves.cvss.severity | extensions.vulns.vulnerabilities.severity | |
| malware.cves.cvss.vector_string | extensions.vulns.vulnerabilities.cvss_vector | |
| malware.cves.cvss.version | extensions.vulns.vulnerabilities.cvss_version | |
| malware.cves.product.name | extensions.vulns.vulnerabilities.about.application | |
| malware.cves.product.uid | extensions.vulns.vulnerabilities.about.asset_id | |
| malware.cves.product.vendor_name | extensions.vulns.vulnerabilities.vendor | |
| malware.cves.type | extensions.vulns.vulnerabilities.name | |
| malware.cves.uid | extensions.vulns.vulnerabilities.cve_id | |
| malware.name | security_result.threat_name | |
| malware.path | security_result.detection_fields [malware_path] | |
| malware.uid | security_result.threat_id | |
| message | metadata.description | |
| metadata.labels | additional.fields [metadata_labels] | |
| metadata.log_name | additional.fields [metadata_log_name] | |
| metadata.log_provider | additional.fields [metadata_log_provider] | |
| metadata.logged_time | metadata.collected_timestamp | |
| metadata.modified_time | additional.fields [metadata_modified_time] | |
| metadata.original_time | additional.fields [metadata_original_time] | |
| metadata.product.feature.name | additional.fields [metadata_product_feature_name] | |
| metadata.product.feature.uid | additional.fields [metadata_product_feature_uid] | |
| metadata.product.lang | additional.fields [metadata_product_lang] | |
| metadata.product.name | metadata.product_name | |
| metadata.product.vendor_name | metadata.vendor_name | |
| metadata.product.version | metadata.product_version | |
| metadata.profiles | additional.fields [metadata_profiles] | |
| metadata.tenant_uid | additional.fields[metadata_tenant_uid] | |
| metadata.uid | metadata.product_log_id | |
| metadata.version | additional.fields [metadata_version] | |
| observables.value | observer.file.names | |
| observables.value | observer.file.vhash | |
| observables.value | observer.hostname | |
| observables.value | observer.ip | |
| observables.value | observer.mac | |
| observables.value | observer.process.file.names | |
| observables.value | observer.resource.product_object_id | |
| observables.value | observer.url | |
| observables.value | observer.user.email_addresses | |
| observables.value | observer.user.userid | |
| raw_data | additional.fields [raw_data] | |
| remediation.desc | security_result.outcomes [remediation_desc] | |
| remediation.kb_articles | security_result.outcomes [remediation_kb_articles] | |
| risk_level | security_result.detection_fields [risk_level] | |
| risk_level_id | security_result.detection_fields [risk_level_id] | |
| risk_score | security_result.risk_score | |
| severity | security_result.severity_details | |
| severity_id | security_result.severity | |
| status | security_result.detection_fields [status] | |
| status_code | security_result.detection_fields [status_code] | |
| time | metadata.event_timestamp | |
| type_name | security_result.detection_fields [type_name] | |
| type_uid | security_result.detection_fields [type_uid] | |
| vulnerabilities.affected_code.file.created_time | extensions.vulns.vulnerabilities.about.file.first_seen_time | |
| vulnerabilities.affected_code.file.creator.email_addr | extensions.vulns.vulnerabilities.about.user.email_addresses | |
| vulnerabilities.affected_code.file.creator.full_name | extensions.vulns.vulnerabilities.about.user.user_display_name | |
| vulnerabilities.affected_code.file.creator.groups.uid | extensions.vulns.vulnerabilities.about.user.group_identifiers | |
| vulnerabilities.affected_code.file.creator.name | extensions.vulns.vulnerabilities.about.user.first_name | |
| vulnerabilities.affected_code.file.creator.org.name | extensions.vulns.vulnerabilities.about.user.company_name | |
| vulnerabilities.affected_code.file.creator.uid | extensions.vulns.vulnerabilities.about.user.userid | |
| vulnerabilities.affected_code.file.mime_type | extensions.vulns.vulnerabilities.about.file.mime_type | |
| vulnerabilities.affected_code.file.modified_time | extensions.vulns.vulnerabilities.about.file.last_modification_time | |
| vulnerabilities.affected_code.file.name | extensions.vulns.vulnerabilities.about.file.names | |
| vulnerabilities.affected_code.file.path | extensions.vulns.vulnerabilities.about.file.full_path | |
| vulnerabilities.affected_code.file.signature.algorithm | extensions.vulns.vulnerabilities.about.file.signature_info.sigcheck.x509.algorithm | |
| vulnerabilities.affected_code.file.signature.certificate.issuer | extensions.vulns.vulnerabilities.about.file.signature_info.sigcheck.x509.cert_issuer | |
| vulnerabilities.affected_code.file.signature.certificate.serial_number | extensions.vulns.vulnerabilities.about.file.signature_info.sigcheck.x509.serial_number | |
| vulnerabilities.affected_code.file.size | extensions.vulns.vulnerabilities.about.file.size | |
| vulnerabilities.cve.cvss.base_score | extensions.vulns.vulnerabilities.cvss_base_score | |
| vulnerabilities.cve.cvss.vector_string | extensions.vulns.vulnerabilities.cvss_vector | |
| vulnerabilities.cve.cvss.version | extensions.vulns.vulnerabilities.cvss_version | |
| vulnerabilities.cve.modified_time | additional.fields [vuln_cve_modified_time] | |
| vulnerabilities.cve.product.name | extensions.vulns.vulnerabilities.about.application | |
| vulnerabilities.cve.product.uid | extensions.vulns.vulnerabilities.about.asset_id | |
| vulnerabilities.cve.type | extensions.vulns.vulnerabilities.description | The %{vulnerabilities.cve.type} - %{vulnerabilities.desc} log field is mapped to the extensions.vulns.vulnerabilities.description UDM field. |
| vulnerabilities.desc | extensions.vulns.vulnerabilities.description | The %{vulnerabilities.cve.type} - %{vulnerabilities.desc} log field is mapped to the extensions.vulns.vulnerabilities.description UDM field. |
| vulnerabilities.cve.uid | extensions.vulns.vulnerabilities.cve_id | |
| vulnerabilities.first_seen_time | extensions.vulns.vulnerabilities.first_found | |
| vulnerabilities.kb_articles | additional.fields [vuln_kb_articles] | |
| vulnerabilities.last_seen_time | extensions.vulns.vulnerabilities.last_found | |
| vulnerabilities.packages.architecture | additional.fields [vuln_packages_architecture] | |
| vulnerabilities.packages.epoch | additional.fields [vuln_packages_epoch] | |
| vulnerabilities.packages.name | additional.fields [vuln_packages_name] | |
| vulnerabilities.packages.release | additional.fields [vuln_packages_release] | |
| vulnerabilities.packages.version | additional.fields [vuln_packages_version] | |
| vulnerabilities.references | additional.fields [vuln_references] | |
| vulnerabilities.related_vulnerabilities | additional.fields [vuln_related_vulnerabilities] | |
| vulnerabilities.severity | extensions.vulns.vulnerabilities.severity | |
| vulnerabilities.title | extensions.vulns.vulnerabilities.name | |
| vulnerabilities.vendor_name | extensions.vulns.vulnerabilities.vendor | |
Field mapping reference: OCSF Incident Finding
The following table lists the log fields for theIncident Finding log type and their corresponding UDM fields.
| Log field | UDM mapping | Logic | 
|---|---|---|
| activity_id | metadata.event_type | If the class_name log field value is equal to Incident Finding, then the metadata.event_type UDM field is set to SCAN_UNCATEGORIZED. |
| activity_name | metadata.product_event_type | The %{activity_id} - %{activity_name} log field is mapped to the metadata.product_event_type UDM field. |
| api.response.code | network.http.response_code | |
| api.response.error | additional.fields[res_error] | |
| api.response.error_message | additional.fields[res_error_message] | |
| api.response.message | metadata.description | If the message log field value is empty, then the api.response.message log field is mapped to the metadata.description UDM field. |
| api.service.name | target.application | |
| assignee.account.name | principal.resource.name | |
| assignee.account.type | principal.resource.resource_subtype | |
| assignee.account.uid | principal.resource.product_object_id | |
| assignee.domain | principal.administrative_domain | |
| assignee.email_addr | principal.user.email_addresses | |
| assignee.full_name | principal.user.user_display_name | |
| assignee.groups.name | principal.group.group_display_name | |
| assignee.groups.privileges | principal.group.attribute.permissions.name | |
| assignee.groups.uid | principal.user.group_identifiers | |
| assignee.ldap_person.created_time | principal.user.attribute.creation_time | |
| assignee.ldap_person.deleted_time | principal.user.attribute.labels[ldap_person_deleted_time] | |
| assignee.ldap_person.email_addrs | principal.user.email_addresses | |
| assignee.ldap_person.location.city | principal.location.city | |
| assignee.ldap_person.location.region | principal.location.country_or_region | |
| assignee.name | principal.user.userid | |
| assignee.org.name | principal.user.company_name | |
| assignee.org.ou_name | principal.user.department | |
| assignee.type_id | principal.user.attribute.roles.name | If the assignee.type_id log field value is not empty and the assignee.type_id log field value is equal to 0, then the principal.user.attribute.roles.name UDM field is set to Unknown. Else, if the assignee.type_id log field value is equal to 1, then the principal.user.attribute.roles.name UDM field is set to User. Else, if the assignee.type_id log field value is equal to 2, then the principal.user.attribute.roles.name UDM field is set to Admin. Else, if the assignee.type_id log field value is equal to 3, then the principal.user.attribute.roles.name UDM field is set to System. Else, the principal.user.attribute.roles.name UDM field is set to Other. |
| assignee.uid | principal.user.product_object_id | |
| attacks.sub_technique.name | security_result.attack_details.technique.subtechnique_name | |
| attacks.sub_technique.uid | security_result.attack_details.technique.subtechnique_id | |
| attacks.tactic.name | security_result.attack_details.tactics.name | |
| attacks.tactic.uid | security_result.attack_details.tactics.id | |
| attacks.technique.name | security_result.attack_details.technique.name | |
| attacks.technique.uid | security_result.attack_details.technique.id | |
| attacks.version | security_result.attack_details.version | |
| category_name | security_result.category_details | The %{category_uid} - %{category_name} log field is mapped to the security_result.category_details UDM field. |
| category_uid | security_result.category_details | The %{category_uid} - %{category_name} log field is mapped to the security_result.category_details UDM field. |
| class_name | metadata.log_type | |
| class_uid | additional.fields[class_uid] | |
| cloud.org.name | about.resource.name | |
| cloud.org.uid | about.resource.product_object_id | |
| cloud.project_uid | principal.resource.product_object_id | |
| cloud.provider | about.resource.attribute.cloud.environment | If the cloud.provider log field value matches the regular expression pattern AWS, then the about.resource.attribute.cloud.environment UDM field is set to AMAZON_WEB_SERVICES. Else, if the cloud.provider log field value matches the regular expression pattern MS Azure, then the about.resource.attribute.cloud.environment UDM field is set to MICROSOFT_AZURE. Else, if the cloud.provider log field value matches the regular expression pattern GCP, then the about.resource.attribute.cloud.environment UDM field is set to GOOGLE_CLOUD_PLATFORM. |
| cloud.region | about.location.name | |
| cloud.zone | about.resource.attribute.cloud.availability_zone | |
| confidence | security_result.confidence | If the confidence log field value matches the regular expression pattern Low, then the security_result.confidence UDM field is set to LOW_CONFIDENCE. Else, if the confidence log field value matches the regular expression pattern Medium, then the security_result.confidence UDM field is set to MEDIUM_CONFIDENCE. Else, if the confidence log field value matches the regular expression pattern High, then the security_result.confidence UDM field is set to HIGH_CONFIDENCE. Else, the security_result.confidence UDM field is set to UNKNOWN_CONFIDENCE. |
| confidence_id | security_result.detection_fields[confidence_id] | |
| confidence_score | security_result.confidence_details | |
| count | security_result.detection_fields[count] | |
| desc | security_result.description | |
| duration | security_result.detection_fields[duration] | |
| end_time | security_result.detection_fields[end_time] | |
| enrichments.name | security_result.detection_fields[enrichments_name] | |
| enrichments.provider | security_result.detection_fields[enrichments_provider] | |
| enrichments.type | security_result.detection_fields[enrichments_type] | |
| enrichments.value | security_result.detection_fields[enrichments_value] | |
| finding_info_list.analytic.desc | security_result.detection_fields[finding_info_analytic_desc] | |
| finding_info_list.analytic.name | security_result.analytics_metadata.analytic | |
| finding_info_list.analytic.related_analytics.category | security_result.detection_fields[finding_info_analytic_related_analytics_category] | |
| finding_info_list.analytic.related_analytics.desc | security_result.detection_fields[finding_info_analytic_related_analytics_desc] | |
| finding_info_list.analytic.related_analytics.name | security_result.detection_fields[finding_info_analytic_related_analytics_name] | |
| finding_info_list.analytic.related_analytics.type | security_result.detection_fields[finding_info_analytic_related_analytics_type] | |
| finding_info_list.analytic.related_analytics.type_id | security_result.detection_fields[finding_info_analytic_related_analytics_type_id] | |
| finding_info_list.analytic.related_analytics.uid | security_result.detection_fields[finding_info_analytic_related_analytics_uid] | |
| finding_info_list.analytic.type | security_result.detection_fields[finding_info_analytic_type] | |
| finding_info_list.analytic.type_id | security_result.detection_fields[finding_info_analytic_type_id] | |
| finding_info_list.attacks.sub_technique.name | security_result.attack_details.technique.subtechnique_name | |
| finding_info_list.attacks.sub_technique.uid | security_result.attack_details.technique.subtechnique_id | |
| finding_info_list.attacks.tactic.name | security_result.attack_details.tactics.name | |
| finding_info_list.attacks.tactic.uid | security_result.attack_details.tactics.id | |
| finding_info_list.attacks.technique.name | security_result.attack_details.technique.name | |
| finding_info_list.attacks.technique.uid | security_result.attack_details.technique.id | |
| finding_info_list.attacks.version | security_result.attack_details.version | |
| finding_info_list.created_time | security_result.detection_fields[finding_info_created_time] | |
| finding_info_list.data_sources | security_result.detection_fields[finding_info_data_sources] | |
| finding_info_list.desc | security_result.description | If the desc log field value is empty then, finding_info_list.desc log field is mapped to the security_result.description UDM field. |
| finding_info_list.first_seen_time | security_result.first_discovered_time | |
| finding_info_list.last_seen_time | security_result.detection_fields[finding_info_last_seen_time] | |
| finding_info_list.modified_time | security_result.detection_fields[finding_info_modified_time] | |
| finding_info_list.product_uid | principal.asset_id | |
| finding_info_list.related_events.product_uid | security_result.detection_fields[finding_info_related_events_product_uid] | |
| finding_info_list.related_events.uid | security_result.detection_fields[finding_info_related_events_uid] | |
| finding_info_list.src_url | security_result.url_back_to_product | |
| finding_info_list.title | security_result.summary | |
| finding_info_list.types | security_result.detection_fields[finding_info_types] | |
| finding_info_list.uid | security_result.detection_fields[finding_info_uid] | |
| impact | security_result.detection_fields[impact] | |
| impact_id | security_result.detection_fields[impact_id] | |
| impact_score | security_result.detection_fields[impact_score] | |
| message | metadata.description | |
| metadata.labels | additional.fields[metadata_labels] | |
| metadata.log_name | additional.fields[metadata_log_name] | |
| metadata.log_provider | additional.fields[metadata_log_provider] | |
| metadata.logged_time | metadata.collected_timestamp | |
| metadata.modified_time | additional.fields[metadata_modified_time] | |
| metadata.original_time | additional.fields[metadata_original_time] | |
| metadata.product.feature.name | additional.fields[metadata_product_feature_name] | |
| metadata.product.feature.uid | additional.fields[metadata_product_feature_uid] | |
| metadata.product.lang | additional.fields[metadata_product_lang] | |
| metadata.product.name | metadata.product_name | |
| metadata.product.vendor_name | metadata.vendor_name | |
| metadata.product.version | metadata.product_version | |
| metadata.profiles | additional.fields[metadata_profiles] | |
| metadata.tenant_uid | additional.fields[metadata_tenant_uid] | |
| metadata.uid | metadata.product_log_id | |
| metadata.version | additional.fields[metadata_version] | |
| observables.value | observer.hostname | Iterate through log field observables.type_id, then if observables.type_id log field value is equal to 1 and if observer.hostname log field value is empty then, observables.value log field is mapped to the observer.hostname UDM field. Else, if observables.type_id log field value is equal to 2 then, observables.value log field is mapped to the observer.ip UDM field. Else, if observables.type_id log field value is equal to 3 then, observables.value log field is mapped to the observer.mac UDM field. Else, if observables.type_id log field value is equal to 4 and if observer.user.userid log field value is empty then, observables.value log field is mapped to the observer.user.userid UDM field. Else, if observables.type_id log field value is equal to 5 then, observables.value log field is mapped to the observer.user.email_addresses UDM field. Else, if observables.type_id log field value is equal to 6 and if observer.url log field value is empty then, observables.value log field is mapped to the observer.url UDM field. Else, if observables.type_id log field value is equal to 7 then, observables.value log field is mapped to the observer.file.names UDM field. Else, if observables.type_id log field value is equal to 8 and if observer.file.vhash log field value is empty then, observables.value log field is mapped to the observer.file.vhash UDM field. Else, if observables.type_id log field value is equal to 9 then, observables.value log field is mapped to the observer.process.file.names UDM field. Else, if observables.type_id log field value is equal to 10 and if observer.resource.product_object_id log field value is empty then, observables.value log field is mapped to the observer.resource.product_object_id UDM field. |
| observables.value | observer.ip | |
| observables.value | observer.mac | |
| observables.value | observer.user.userid | |
| observables.value | observer.user.email_addresses | |
| observables.value | observer.url | |
| observables.value | observer.file.names | |
| observables.value | observer.file.vhash | |
| observables.value | observer.process.file.names | |
| observables.value | observer.resource.product_object_id | |
| priority | security_result.priority_details | |
| raw_data | additional.fields[raw_data] | |
| severity | security_result.severity_details | |
| severity_id | security_result.severity | If severity_id log field value is equal to 1 then, the security_result.severity UDM field is set to INFORMATIONAL. Else, if severity_id log field value is equal to 2 then, the security_result.severity UDM field is set to LOW. Else, if severity_id log field value is equal to 3 then, the security_result.severity UDM field is set to MEDIUM. Else, if severity_id log field value is equal to 4 then, the security_result.severity UDM field is set to HIGH. Else, if severity_id log field value is equal to 5 then, the security_result.severity UDM field is set to CRITICAL. Else, the security_result.severity UDM field is set to UNKNOWN_SEVERITY. |
| start_time | additional.fields[start_time] | |
| status | security_result.detection_fields[status] | |
| status_code | security_result.detection_fields[status_code] | |
| status_detail | security_result.detection_fields[status_detail] | |
| status_id | security_result.detection_fields[status_id] | |
| time | metadata.event_timestamp | |
| type_name | security_result.detection_fields[type_name] | |
| type_uid | security_result.detection_fields[type_uid] | |
| verdict | security_result.detection_fields[verdict] | |
| verdict_id | security_result.detection_fields[verdict_id] | 
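The conditional rows in the table above (severity_id, confidence, cloud.provider and the observables iteration with its "only if empty" guards) can be hard to follow in prose. The following is an added Python model of those rules, not the OCSF parser's or Google SecOps' own code; it assumes the unguarded observables targets (observer.ip, observer.mac, observer.user.email_addresses, observer.file.names, observer.process.file.names) are repeated UDM fields and so appends to them, and it runs over a constructed sample event.

```python
"""Added example (not the OCSF parser's or Google SecOps' own code): a small
Python model of the conditional rules in the Security Finding table above,
run over a constructed sample event so the 'only if empty' guards and the
else-branches can be checked."""
import json
import re

# Constructed sample OCSF Security Finding; the values are illustrative only.
SAMPLE_LOG = json.dumps({
    "category_uid": 2,
    "category_name": "Findings",
    "severity_id": 4,
    "confidence": "Medium",
    "cloud": {"provider": "AWS"},
    "observables": [
        {"type_id": 1, "value": "host-a"},
        {"type_id": 1, "value": "host-b"},         # dropped: hostname already set
        {"type_id": 2, "value": "198.51.100.4"},
        {"type_id": 2, "value": "198.51.100.5"},   # type 2 has no 'if empty' guard
        {"type_id": 4, "value": "alice"},
        {"type_id": 99, "value": "unmapped"},      # no branch for this type_id
    ],
})

SEVERITY = {1: "INFORMATIONAL", 2: "LOW", 3: "MEDIUM", 4: "HIGH", 5: "CRITICAL"}
CONFIDENCE = [("Low", "LOW_CONFIDENCE"), ("Medium", "MEDIUM_CONFIDENCE"),
              ("High", "HIGH_CONFIDENCE")]
CLOUD_ENV = [("AWS", "AMAZON_WEB_SERVICES"), ("MS Azure", "MICROSOFT_AZURE"),
             ("GCP", "GOOGLE_CLOUD_PLATFORM")]

# observables.type_id -> (UDM field, write only when the field is still empty).
# Assumption: the unguarded targets (ip, mac, email_addresses, file.names, ...)
# are repeated UDM fields, so every matching value is appended to them.
OBSERVABLE_RULES = {
    1: ("observer.hostname", True),
    2: ("observer.ip", False),
    3: ("observer.mac", False),
    4: ("observer.user.userid", True),
    5: ("observer.user.email_addresses", False),
    6: ("observer.url", True),
    7: ("observer.file.names", False),
    8: ("observer.file.vhash", True),
    9: ("observer.process.file.names", False),
    10: ("observer.resource.product_object_id", True),
}


def map_severity(severity_id):
    """severity_id 1..5 -> UDM severity; anything else is UNKNOWN_SEVERITY."""
    return SEVERITY.get(severity_id, "UNKNOWN_SEVERITY")


def map_confidence(confidence):
    """First regex pattern that matches wins; no match -> UNKNOWN_CONFIDENCE."""
    for pattern, udm_value in CONFIDENCE:
        if confidence is not None and re.search(pattern, confidence):
            return udm_value
    return "UNKNOWN_CONFIDENCE"


def map_cloud_environment(provider):
    """Regex match on cloud.provider; unmatched providers leave the field unset."""
    for pattern, udm_value in CLOUD_ENV:
        if provider is not None and re.search(pattern, provider):
            return udm_value
    return None


def map_observables(observables):
    """Walk observables in order, honouring the per-type 'if empty' guards."""
    udm = {}
    for obs in observables:
        rule = OBSERVABLE_RULES.get(obs.get("type_id"))
        if rule is None:
            continue
        field, only_if_empty = rule
        if only_if_empty:
            udm.setdefault(field, obs["value"])      # first value wins
        else:
            udm.setdefault(field, []).append(obs["value"])
    return udm


def parse_security_finding(raw_json):
    """Return a flat {UDM path: value} dict for the rows modelled here."""
    log = json.loads(raw_json)
    udm = {
        "security_result.category_details":
            f"{log.get('category_uid')} - {log.get('category_name')}",
        "security_result.severity": map_severity(log.get("severity_id")),
        "security_result.confidence": map_confidence(log.get("confidence")),
    }
    env = map_cloud_environment(log.get("cloud", {}).get("provider"))
    if env is not None:
        udm["about.resource.attribute.cloud.environment"] = env
    udm.update(map_observables(log.get("observables", [])))
    return udm


if __name__ == "__main__":
    for path, value in sorted(parse_security_finding(SAMPLE_LOG).items()):
        print(f"{path} = {value}")
```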
Field mapping reference: OCSF Vulnerability Finding
The following table lists the log fields for the Vulnerability Finding log type and their corresponding UDM fields.
| Log field | UDM mapping | Logic | 
|---|---|---|
| activity_id | metadata.event_type | If class_name log field value is equal to Vulnerability Finding then, the metadata.event_type UDM field is set to SCAN_UNCATEGORIZED. |
| activity_name | metadata.product_event_type | %{activity_id} - %{activity_name} log field is mapped to the metadata.product_event_type UDM field. |
| actor.process.cmd_line | principal.process.command_line | |
| actor.process.file.accessed_time | principal.process.file.last_seen_time | |
| actor.process.file.created_time | principal.process.file.first_seen_time | |
| actor.process.file.mime_type | principal.process.file.file.mime_type | |
| actor.process.file.modified_time | principal.process.file.file.last_modification_time | |
| actor.process.file.name | principal.process.file.names | |
| actor.process.file.path | principal.process.file.full_path | |
| actor.process.file.signature.algorithm | principal.process.file.signature_info.sigcheck.x509.algorithm | |
| actor.process.file.signature.certificate.issuer | principal.process.file.signature_info.sigcheck.x509.cert_issuer | |
| actor.process.file.signature.certificate.serial_number | principal.process.file.signature_info.sigcheck.x509.serial_number | |
| actor.process.file.size | principal.process.file.size | |
| actor.process.parent_process.cmd_line | principal.process.parent_process.command_line | |
| actor.process.parent_process.file.accessed_time | principal.process.parent_process.file.last_seen_time | |
| actor.process.parent_process.file.created_time | principal.process.parent_process.file.first_seen_time | |
| actor.process.parent_process.file.mime_type | principal.process.parent_process.file.mime_type | |
| actor.process.parent_process.file.modified_time | principal.process.parent_process.file.last_modification_time | |
| actor.process.parent_process.file.name | principal.process.parent_process.file.names | |
| actor.process.parent_process.file.path | principal.process.parent_process.file.full_path | |
| actor.process.parent_process.file.size | principal.process.parent_process.file.size | |
| actor.process.parent_process.pid | principal.process.parent_process.pid | |
| actor.process.parent_process.uid | principal.process.parent_process.product_specific_process_id | |
| actor.process.pid | principal.process.pid | |
| actor.process.uid | principal.process.product_specific_process_id | |
| actor.process.user.domain | principal.administrative_domain | If actor.user.domain log field value is empty then, actor.process.user.domain log field is mapped to the principal.administrative_domain UDM field. |
| actor.process.user.email_addr | principal.user.email_addresses | If actor.user.email_addr log field value is empty then, %{actor.process.user.email_addr} log field is mapped to the principal.user.email_addresses UDM field. |
| actor.process.user.full_name | principal.user.user_display_name | If actor.user.full_name log field value is empty then, %{actor.process.user.full_name} log field is mapped to the principal.user.user_display_name UDM field. |
| actor.process.user.groups.name | principal.group.group_display_name | If actor.user.groups.name log field value is empty then, actor.process.user.groups.name log field is mapped to the principal.group.group_display_name UDM field. |
| actor.process.user.groups.privileges | principal.group.attribute.permissions.name | If actor.user.groups.privileges log field value is empty then, actor.process.user.groups.privileges log field is mapped to the principal.group.attribute.permissions.name UDM field. |
| actor.process.user.groups.uid | principal.user.group_identifiers | If actor.user.groups.uid log field value is empty then, %{actor.process.user.groups.uid} log field is mapped to the principal.user.group_identifiers UDM field. |
| actor.process.user.name | principal.user.userid | If actor.user.name log field value is empty then, %{actor.process.user.name} log field is mapped to the principal.user.userid UDM field. |
| actor.process.user.org.name | principal.user.company_name | If actor.user.org.name log field value is empty then, %{actor.process.user.org.name} log field is mapped to the principal.user.company_name UDM field. |
| actor.process.user.org.ou_name | principal.user.department | If actor.user.org.ou_name log field value is empty then, %{actor.process.user.org.ou_name} log field is mapped to the principal.user.department UDM field. |
| actor.process.user.type_id | principal.user.attribute.roles.name | If actor.user.type_id log field value is empty and if type_id log field value is equal to 0 then, the principal.user.attribute.roles.name UDM field is set to Unknown. Else, if type_id log field value is equal to 1 then, the principal.user.attribute.roles.name UDM field is set to User. Else, if type_id log field value is equal to 2 then, the principal.user.attribute.roles.name UDM field is set to Admin. Else, if type_id log field value is equal to 3 then, the principal.user.attribute.roles.name UDM field is set to System. Else, the principal.user.attribute.roles.name UDM field is set to Other. |
| actor.process.user.uid | principal.user.product_object_id | If actor.user.uid log field value is empty then, %{actor.process.user.uid} log field is mapped to the principal.user.product_object_id UDM field. |
| actor.session.uid | network.session_id | |
| actor.user.domain | principal.administrative_domain | |
| actor.user.email_addr | principal.user.email_addresses | |
| actor.user.groups.name | principal.group.group_display_name | |
| actor.user.groups.privileges | principal.group.attribute.permissions.name | |
| actor.user.groups.uid | principal.user.group_identifiers | |
| actor.user.name | principal.user.userid | |
| actor.user.org.name | principal.user.company_name | |
| actor.user.org.ou_name | principal.user.department | |
| actor.user.type_id | principal.user.attribute.roles.name | If type_id log field value is equal to 0 then, the principal.user.attribute.roles.name UDM field is set to Unknown. Else, if type_id log field value is equal to 1 then, the principal.user.attribute.roles.name UDM field is set to User. Else, if type_id log field value is equal to 2 then, the principal.user.attribute.roles.name UDM field is set to Admin. Else, if type_id log field value is equal to 3 then, the principal.user.attribute.roles.name UDM field is set to System. Else, the principal.user.attribute.roles.name UDM field is set to Other. |
| actor.user.uid | principal.user.product_object_id | |
| api.response.code | network.http.response_code | |
| api.response.error | additional.fields[res_error] | |
| api.response.error_message | additional.fields[res_error_message] | |
| api.response.message | metadata.description | If the message log field value is empty then, api.response.message log field is mapped to the metadata.description UDM field. |
| api.service.name | target.application | |
| category_name | security_result.category_details | |
| category_uid | security_result.category_details | |
| class_name | metadata.log_type | |
| class_uid | additional.fields[class_uid] | |
| cloud.org.name | about.resource.name | |
| cloud.org.uid | about.resource.product_object_id | |
| cloud.project_uid | principal.resource.product_object_id | |
| cloud.provider | about.resource.attribute.cloud.environment | |
| cloud.region | about.location.name | |
| cloud.zone | about.resource.attribute.cloud.availability_zone | |
| confidence | security_result.confidence | |
| confidence_id | security_result.detection_fields[confidence_id] | |
| confidence_score | security_result.confidence_details | |
| count | security_result.detection_fields[count] | |
| device.created_time | principal.asset.attribute.creation_time | |
| device.domain | principal.asset.network_domain | |
| device.first_seen_time | principal.asset.first_seen_time | |
| device.hostname | principal.asset.hostname | |
| device.hw_info.bios_manufacturer | principal.asset.hardware.manufacturer | |
| device.hw_info.cpu_cores | principal.asset.hardware.cpu_number_cores | |
| device.hw_info.cpu_speed | principal.asset.hardware.cpu_clock_speed | |
| device.hw_info.cpu_type | principal.asset.hardware.cpu_model | |
| device.hw_info.ram_size | principal.asset.hardware.ram | |
| device.hw_info.serial_number | principal.asset.hardware.serial_number | |
| device.ip | principal.asset.ip | |
| device.location.city | principal.asset.location.city | |
| device.location.country | principal.asset.location.country_or_region | |
| device.location.region | principal.asset.location.name | |
| device.mac | principal.asset.mac | |
| device.modified_time | principal.asset.attribute.last_update_time | |
| device.os.type_id | principal.asset.platform_software.platform | |
| device.os.version | principal.asset.platform_software.platform_version | |
| device.region | principal.asset.location.name | |
| device.type_id | principal.asset.type | |
| device.uid | principal.asset.product_object_id | |
| duration | security_result.detection_fields[duration] | |
| end_time | security_result.detection_fields[end_time] | |
| enrichments.name | security_result.detection_fields[enrichments_name] | |
| enrichments.provider | security_result.detection_fields[enrichments_provider] | |
| enrichments.type | security_result.detection_fields[enrichments_type] | |
| enrichments.value | security_result.detection_fields[enrichments_value] | |
| finding_info.analytic.desc | security_result.detection_fields[finding_info_analytic_desc] | |
| finding_info.analytic.name | security_result.analytics_metadata.analytic | |
| finding_info.analytic.related_analytics.category | security_result.detection_fields[finding_info_analytic_related_analytics_category] | |
| finding_info.analytic.related_analytics.desc | security_result.detection_fields[finding_info_analytic_related_analytics_desc] | |
| finding_info.analytic.related_analytics.name | security_result.detection_fields[finding_info_analytic_related_analytics_name] | |
| finding_info.analytic.related_analytics.type | security_result.detection_fields[finding_info_analytic_related_analytics_type] | |
| finding_info.analytic.related_analytics.type_id | security_result.detection_fields[finding_info_analytic_related_analytics_typeId] | |
| finding_info.analytic.related_analytics.uid | security_result.detection_fields[finding_info_analytic_related_analytics_uid] | |
| finding_info.analytic.type | security_result.detection_fields[finding_info_analytic_type] | |
| finding_info.analytic.type_id | security_result.detection_fields[finding_info_analytic_typeId] | |
| finding_info.attacks.sub_technique.name | security_result.attack_details.techniques.subtechnique_name | |
| finding_info.attacks.sub_technique.uid | security_result.attack_details.techniques.subtechnique_id | |
| finding_info.attacks.tactic.name | security_result.attack_details.tactics.name | |
| finding_info.attacks.tactic.uid | security_result.attack_details.tactics.id | |
| finding_info.attacks.technique.name | security_result.attack_details.techniques.name | |
| finding_info.attacks.technique.uid | security_result.attack_details.techniques.id | |
| finding_info.attacks.version | security_result.attack_details.version | |
| finding_info.created_time | security_result.detection_fields[finding_info_created_time] | |
| finding_info.data_sources | security_result.detection_fields[finding_info_data_sources] | |
| finding_info.desc | security_result.description | |
| finding_info.first_seen_time | security_result.first_discovered_time | |
| finding_info.last_seen_time | security_result.detection_fields[finding_info_last_seen_time] | |
| finding_info.modified_time | security_result.detection_fields[finding_info_modified_time] | |
| finding_info.product_uid | principal.asset_id | |
| finding_info.related_events.product_uid | security_result.detection_fields[finding_info_related_events_product_uid] | |
| finding_info.related_events.uid | security_result.detection_fields[finding_info_related_events_uid] | |
| finding_info.src_url | security_result.url_back_to_product | |
| finding_info.title | security_result.summary | |
| finding_info.types | security_result.detection_fields[finding_info_types] | |
| finding_info.uid | security_result.detection_fields[finding_info_uid] | |
| message | metadata.description | |
| metadata.labels | additional.fields[metadata_labels] | |
| metadata.log_name | additional.fields[metadata_log_name] | |
| metadata.log_provider | additional.fields[metadata_log_provider] | |
| metadata.logged_time | metadata.collected_timestamp | |
| metadata.modified_time | additional.fields[metadata_modified_time] | |
| metadata.original_time | additional.fields[metadata_original_time] | |
| metadata.product.feature.name | additional.fields[metadata_product_feature_name] | |
| metadata.product.feature.uid | additional.fields[metadata_product_feature_uid] | |
| metadata.product.lang | additional.fields[metadata_product_lang] | |
| metadata.product.name | metadata.product_name | |
| metadata.product.vendor_name | metadata.vendor_name | |
| metadata.product.version | metadata.product_version | |
| metadata.profiles | additional.fields[metadata_profiles] | |
| metadata.tenant_uid | additional.fields[metadata_tenant_uid] | |
| metadata.uid | metadata.product_log_id | |
| metadata.version | additional.fields[metadata_version] | |
| observables.value | observer.ip | Iterate through log field observables.type_id, then if observables.type_id log field value is equal to 1 and if observer.hostname log field value is empty then, observables.value log field is mapped to the observer.hostname UDM field. Else, if observables.type_id log field value is equal to 2 then, observables.value log field is mapped to the observer.ip UDM field. Else, if observables.type_id log field value is equal to 3 then, observables.value log field is mapped to the observer.mac UDM field. Else, if observables.type_id log field value is equal to 4 and if observer.user.userid log field value is empty then, observables.value log field is mapped to the observer.user.userid UDM field. Else, if observables.type_id log field value is equal to 5 then, observables.value log field is mapped to the observer.user.email_addresses UDM field. Else, if observables.type_id log field value is equal to 6 and if observer.url log field value is empty then, observables.value log field is mapped to the observer.url UDM field. Else, if observables.type_id log field value is equal to 7 then, observables.value log field is mapped to the observer.file.names UDM field. Else, if observables.type_id log field value is equal to 8 and if observer.file.vhash log field value is empty then, observables.value log field is mapped to the observer.file.vhash UDM field. Else, if observables.type_id log field value is equal to 9 then, observables.value log field is mapped to the observer.process.file.names UDM field. Else, if observables.type_id log field value is equal to 10 and if observer.resource.product_object_id log field value is empty then, observables.value log field is mapped to the observer.resource.product_object_id UDM field. |
| observables.value | observer.mac | |
| observables.value | observer.user.userid | |
| observables.value | observer.user.email_addresses | |
| observables.value | observer.url | |
| observables.value | observer.file.names | |
| observables.value | observer.file.vhash | |
| observables.value | observer.process.file.names | |
| observables.value | observer.resource.product_object_id | |
| raw_data | additional.fields[raw_data] | |
| resource.group.name | target.group.group_display_name | |
| resource.group.privileges | target.group.attribute.permissions.name | |
| resource.group.uid | target.group.product_object_id | |
| resource.name | target.resource.name | |
| resource.region | target.location.country_or_region | |
| resource.type | target.resource.resource_subtype | |
| resource.uid | target.resource.product_object_id | |
| severity | security_result.severity_details | |
| severity_id | security_result.severity | |
| start_time | additional.fields[start_time] | |
| status | security_result.detection_fields[status] | |
| status_code | security_result.detection_fields[status_code] | |
| status_detail | security_result.detection_fields[status_detail] | |
| status_id | security_result.detection_fields[status_id] | |
| time | metadata.event_timestamp | |
| type_name | security_result.detection_fields[type_name] | |
| type_uid | security_result.detection_fields[type_uid] | |
| vulnerabilities.affected_code.file.created_time | extensions.vulns.vulnerabilities.about.file.first_seen_time | |
| vulnerabilities.affected_code.file.creator.email_addr | extensions.vulns.vulnerabilities.about.user.email_addresses | |
| vulnerabilities.affected_code.file.creator.full_name | extensions.vulns.vulnerabilities.about.user.user_display_name | |
| vulnerabilities.affected_code.file.creator.groups.uid | extensions.vulns.vulnerabilities.about.user.group_identifiers | |
| vulnerabilities.affected_code.file.creator.name | extensions.vulns.vulnerabilities.about.user.first_name | |
| vulnerabilities.affected_code.file.creator.org.name | extensions.vulns.vulnerabilities.about.user.company_name | |
| vulnerabilities.affected_code.file.creator.uid | extensions.vulns.vulnerabilities.about.user.userid | |
| vulnerabilities.affected_code.file.mime_type | extensions.vulns.vulnerabilities.about.file.mime_type | |
| vulnerabilities.affected_code.file.modified_time | extensions.vulns.vulnerabilities.about.file.last_modification_time | |
| vulnerabilities.affected_code.file.name | extensions.vulns.vulnerabilities.about.file.names | |
| vulnerabilities.affected_code.file.path | extensions.vulns.vulnerabilities.about.file.full_path | |
| vulnerabilities.affected_code.file.signature.algorithm | extensions.vulns.vulnerabilities.about.file.signature_info.sigcheck.x509.algorithm | |
| vulnerabilities.affected_code.file.signature.certificate.issuer | extensions.vulns.vulnerabilities.about.file.signature_info.sigcheck.x509.cert_issuer | |
| vulnerabilities.affected_code.file.signature.certificate.serial_number | extensions.vulns.vulnerabilities.about.file.signature_info.sigcheck.x509.serial_number | |
| vulnerabilities.affected_code.file.size | extensions.vulns.vulnerabilities.about.file.size | |
| vulnerabilities.cve.cvss.base_score | extensions.vulns.vulnerabilities.cvss_base_score | |
| vulnerabilities.cve.cvss.vector_string | extensions.vulns.vulnerabilities.cvss_vector | |
| vulnerabilities.cve.cvss.version | extensions.vulns.vulnerabilities.cvss_version | |
| vulnerabilities.cve.modified_time | additional.fields[vuln_cve_modified_time] | |
| vulnerabilities.cve.product.name | extensions.vulns.vulnerabilities.about.application | |
| vulnerabilities.cve.product.uid | extensions.vulns.vulnerabilities.about.asset_id | |
| vulnerabilities.cve.type | extensions.vulns.vulnerabilities.description | %{vulnerabilities.cve.type} - %{vulnerabilities.desc} log field is mapped to the extensions.vulns.vulnerabilities.description UDM field. |
| vulnerabilities.desc | extensions.vulns.vulnerabilities.description | %{vulnerabilities.cve.type} - %{vulnerabilities.desc} log field is mapped to the extensions.vulns.vulnerabilities.description UDM field. |
| vulnerabilities.cve.uid | extensions.vulns.vulnerabilities.cve_id | |
| vulnerabilities.first_seen_time | extensions.vulns.vulnerabilities.first_found | |
| vulnerabilities.kb_articles | additional.fields[vuln_kb_articles] | |
| vulnerabilities.last_seen_time | extensions.vulns.vulnerabilities.last_found | |
| vulnerabilities.packages.architecture | additional.fields[vuln_packages_architecture] | |
| vulnerabilities.packages.epoch | additional.fields[vuln_packages_epoch] | |
| vulnerabilities.packages.name | additional.fields[vuln_packages_name] | |
| vulnerabilities.packages.release | additional.fields[vuln_packages_release] | |
| vulnerabilities.packages.version | additional.fields[vuln_packages_version] | |
| vulnerabilities.references | additional.fields[vuln_references] | |
| vulnerabilities.related_vulnerabilities | additional.fields[vuln_related_vulnerabilities] | |
| vulnerabilities.remediation.desc | security_result.outcomes[vuln_remediation_desc] | |
| vulnerabilities.remediation.kb_articles | security_result.outcomes[vuln_remediation_kb_articles] | |
| vulnerabilities.severity | extensions.vulns.vulnerabilities.severity | |
| vulnerabilities.title | extensions.vulns.vulnerabilities.name | |
| vulnerabilities.vendor_name | extensions.vulns.vulnerabilities.vendor | 
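The Vulnerability Finding table above has two patterns worth seeing in code: the actor.user.* values take precedence and actor.process.user.* only fills fields that are still empty (including the type_id to roles mapping), and each vulnerability becomes one extensions.vulns.vulnerabilities entry whose description is "%{vulnerabilities.cve.type} - %{vulnerabilities.desc}". The following is an added Python model of those rows, not the OCSF parser's or Google SecOps' own code; the sample event and its CVE id are constructed placeholders, and the groups.* rows are left out for brevity.

```python
"""Added example (not the OCSF parser's or Google SecOps' own code): models
the actor.user / actor.process.user fallback, the type_id role mapping and the
vulnerabilities.* rows of the Vulnerability Finding table above, run over a
constructed sample event."""
import json

# Constructed sample OCSF Vulnerability Finding; the CVE id and uid are placeholders.
SAMPLE_LOG = json.dumps({
    "class_name": "Vulnerability Finding",
    "activity_id": 1,
    "activity_name": "Create",
    "actor": {
        "user": {"name": "svc-scanner", "type_id": 3},
        "process": {"user": {"name": "proc-user", "domain": "corp.example",
                             "type_id": 2, "uid": "uid-placeholder-1"}},
    },
    "vulnerabilities": [{
        "cve": {"uid": "CVE-0000-00000", "type": "OS",
                "cvss": {"base_score": 7.5, "vector_string": "AV:N/AC:L",
                         "version": "3.1"}},
        "desc": "Constructed placeholder vulnerability",
        "title": "Placeholder kernel package", "severity": "High",
        "vendor_name": "ExampleVendor",
    }],
})

# actor.user.<key> -> UDM field; actor.process.user.<key> is used only when
# the actor.user value is empty (the 'If actor.user.* is empty' rows above).
USER_FIELDS = {
    "domain": "principal.administrative_domain",
    "email_addr": "principal.user.email_addresses",
    "full_name": "principal.user.user_display_name",
    "name": "principal.user.userid",
    "uid": "principal.user.product_object_id",
}
USER_TYPE_ROLES = {0: "Unknown", 1: "User", 2: "Admin", 3: "System"}

# vulnerabilities.<dotted key> -> key inside extensions.vulns.vulnerabilities
VULN_FIELDS = {
    "cve.uid": "cve_id",
    "cve.cvss.base_score": "cvss_base_score",
    "cve.cvss.vector_string": "cvss_vector",
    "cve.cvss.version": "cvss_version",
    "severity": "severity",
    "title": "name",
    "vendor_name": "vendor",
}


def get_path(obj, dotted):
    """Fetch a nested value by dotted path; None when any segment is missing."""
    for key in dotted.split("."):
        if not isinstance(obj, dict) or key not in obj:
            return None
        obj = obj[key]
    return obj


def first_non_empty(*values):
    """First value that is neither None nor an empty string (0 is kept)."""
    return next((v for v in values if v not in (None, "")), None)


def map_user_role(type_id):
    """type_id 0..3 -> Unknown/User/Admin/System; any other value -> Other."""
    return USER_TYPE_ROLES.get(type_id, "Other")


def resolve_principal_user(actor):
    """actor.user.* wins; actor.process.user.* fills only what is empty."""
    user = actor.get("user", {})
    proc_user = actor.get("process", {}).get("user", {})
    udm = {}
    for key, field in USER_FIELDS.items():
        value = first_non_empty(user.get(key), proc_user.get(key))
        if value is not None:
            udm[field] = value
    type_id = first_non_empty(user.get("type_id"), proc_user.get("type_id"))
    if type_id is not None:               # no type_id at all: leave the role unset
        udm["principal.user.attribute.roles.name"] = map_user_role(type_id)
    return udm


def map_vulnerabilities(vulns):
    """One extensions.vulns.vulnerabilities entry per OCSF vulnerability."""
    out = []
    for vuln in vulns:
        entry = {"description": f"{get_path(vuln, 'cve.type')} - {vuln.get('desc')}"}
        for src, dst in VULN_FIELDS.items():
            value = get_path(vuln, src)
            if value is not None:
                entry[dst] = value
        out.append(entry)
    return out


def parse_vulnerability_finding(raw_json):
    """Return a flat {UDM path: value} dict for the rows modelled here."""
    log = json.loads(raw_json)
    udm = {"metadata.product_event_type":
           f"{log.get('activity_id')} - {log.get('activity_name')}"}
    if log.get("class_name") == "Vulnerability Finding":
        udm["metadata.event_type"] = "SCAN_UNCATEGORIZED"
    udm.update(resolve_principal_user(log.get("actor", {})))
    udm["extensions.vulns.vulnerabilities"] = map_vulnerabilities(
        log.get("vulnerabilities", []))
    return udm
```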
Field mapping reference: OCSF Process Activity
The following table lists the log fields for the Process Activity log type and their corresponding UDM fields.
| Log field | UDM mapping | Logic | 
|---|---|---|
| activity_id | metadata.event_type | If the class_name log field value is equal to Process Activity and if the activity_id log field value is equal to 1 then, the metadata.event_type UDM field is set to PROCESS_LAUNCH. Else, if the activity_id log field value is equal to 2 then, the metadata.event_type UDM field is set to PROCESS_TERMINATION. Else, if the activity_id log field value is equal to 3 then, the metadata.event_type UDM field is set to PROCESS_OPEN. Else, if the activity_id log field value is equal to 4 then, the metadata.event_type UDM field is set to PROCESS_INJECTION. Else, the metadata.event_type UDM field is set to PROCESS_UNCATEGORIZED. |
| activity_name | metadata.product_event_type | %{activity_id} - %{activity_name} log field is mapped to the metadata.product_event_type UDM field. |
| actor.process.cmd_line | principal.process.command_line | If the actor.process.cmd_line log field value is not empty then, actor.process.cmd_line log field is mapped to the principal.process.command_line UDM field. Else, if process.cmd_line log field value is not empty then, process.cmd_line log field is mapped to the principal.process.command_line UDM field. |
| actor.process.file.accessed_time | principal.process.file.last_seen_time | If the actor.process.file.accessed_time log field value is not empty then, actor.process.file.accessed_time log field is mapped to the principal.process.file.last_seen_time UDM field. Else, if process.file.accessed_time log field value is not empty then, process.file.accessed_time log field is mapped to the principal.process.file.last_seen_time UDM field. |
| actor.process.file.created_time | principal.process.file.first_seen_time | If the actor.process.file.created_time log field value is not empty then, actor.process.file.created_time log field is mapped to the principal.process.file.first_seen_time UDM field. Else, if process.file.created_time log field value is not empty then, process.file.created_time log field is mapped to the principal.process.file.first_seen_time UDM field. |
| actor.process.file.mime_type | principal.process.file.mime_type | If the actor.process.file.mime_type log field value is not empty then, actor.process.file.mime_type log field is mapped to the principal.process.file.mime_type UDM field. Else, if process.file.mime_type log field value is not empty then, process.file.mime_type log field is mapped to the principal.process.file.mime_type UDM field. |
| actor.process.file.modified_time | principal.process.file.last_modification_time | If the actor.process.file.modified_time log field value is not empty then, actor.process.file.modified_time log field is mapped to the principal.process.file.last_modification_time UDM field. Else, if process.file.modified_time log field value is not empty then, process.file.modified_time log field is mapped to the principal.process.file.last_modification_time UDM field. |
| actor.process.file.name | principal.process.file.names | If the actor.process.file.name log field value is not empty then, actor.process.file.name log field is mapped to the principal.process.file.names UDM field. Else, if process.file.name log field value is not empty then, process.file.name log field is mapped to the principal.process.file.names UDM field. |
| actor.process.file.path | principal.process.file.full_path | If the actor.process.file.path log field value is not empty then, actor.process.file.path log field is mapped to the principal.process.file.full_path UDM field. Else, if process.file.path log field value is not empty then, process.file.path log field is mapped to the principal.process.file.full_path UDM field. |
| actor.process.file.size | principal.process.file.size | If the actor.process.file.size log field value is not empty then, actor.process.file.size log field is mapped to the principal.process.file.size UDM field. Else, if process.file.size log field value is not empty then, process.file.size log field is mapped to the principal.process.file.size UDM field. |
| actor.process.parent_process.cmd_line | principal.process.parent_process.command_line | If the actor.process.parent_process.cmd_line log field value is not empty then, actor.process.parent_process.cmd_line log field is mapped to the principal.process.parent_process.command_line UDM field. Else, if process.parent_process.cmd_line log field value is not empty then, process.parent_process.cmd_line log field is mapped to the principal.process.parent_process.command_line UDM field. |
| actor.process.parent_process.file.accessed_time | principal.process.parent_process.file.last_seen_time | If the actor.process.parent_process.file.accessed_time log field value is not empty then, actor.process.parent_process.file.accessed_time log field is mapped to the principal.process.parent_process.file.last_seen_time UDM field. Else, if process.parent_process.file.accessed_time log field value is not empty then, process.parent_process.file.accessed_time log field is mapped to the principal.process.parent_process.file.last_seen_time UDM field. |
| actor.process.parent_process.file.created_time | principal.process.parent_process.file.first_seen_time | If the actor.process.parent_process.file.created_timelog field value is not empty then,actor.process.parent_process.file.created_timelog field is mapped to theprincipal.process.parent_process.file.first_seen_timeUDM field.Else, if process.parent_process.file.created_timelog field value is not empty then,process.parent_process.file.created_timelog field is mapped to theprincipal.process.parent_process.file.first_seen_timeUDM field. | 
| actor.process.parent_process.file.mime_type | principal.process.parent_process.file.mime_type | If the actor.process.parent_process.file.mime_typelog field value is not empty then,actor.process.parent_process.file.mime_typelog field is mapped to theprincipal.process.parent_process.file.mime_typeUDM field.Else, if process.parent_process.file.mime_typelog field value is not empty then,process.parent_process.file.mime_typelog field is mapped to theprincipal.process.parent_process.file.mime_typeUDM field. | 
| actor.process.parent_process.file.modified_time | principal.process.parent_process.file.last_modification_time | If the actor.process.parent_process.file.modified_timelog field value is not empty then,actor.process.parent_process.file.modified_timelog field is mapped to theprincipal.process.parent_process.file.last_modification_timeUDM field.Else, if process.parent_process.file.modified_timelog field value is not empty then,process.parent_process.file.modified_timelog field is mapped to theprincipal.process.parent_process.file.last_modification_timeUDM field. | 
| actor.process.parent_process.file.name | principal.process.parent_process.file.names | If the actor.process.parent_process.file.namelog field value is not empty then,actor.process.parent_process.file.namelog field is mapped to theprincipal.process.parent_process.file.namesUDM field.Else, if process.parent_process.file.namelog field value is not empty then,process.parent_process.file.namelog field is mapped to theprincipal.process.parent_process.file.namesUDM field. | 
| actor.process.parent_process.file.path | principal.process.parent_process.file.full_path | If the actor.process.parent_process.file.pathlog field value is not empty then,actor.process.parent_process.file.pathlog field is mapped to theprincipal.process.parent_process.file.full_pathUDM field.Else, if process.parent_process.file.pathlog field value is not empty then,process.parent_process.file.pathlog field is mapped to theprincipal.process.parent_process.file.full_pathUDM field. | 
| actor.process.parent_process.file.size | principal.process.parent_process.file.size | If the actor.process.parent_process.file.sizelog field value is not empty then,actor.process.parent_process.file.sizelog field is mapped to theprincipal.process.parent_process.file.sizeUDM field.Else, if process.parent_process.file.sizelog field value is not empty then,process.parent_process.file.sizelog field is mapped to theprincipal.process.parent_process.file.sizeUDM field. | 
| actor.process.parent_process.pid | principal.process.parent_process.pid | If the actor.process.parent_process.pidlog field value is not empty then,actor.process.parent_process.pidlog field is mapped to theprincipal.process.parent_process.pidUDM field.Else, if process.parent_process.pidlog field value is not empty then,process.parent_process.pidlog field is mapped to theprincipal.process.parent_process.pidUDM field. | 
| actor.process.parent_process.uid | principal.process.parent_process.product_specific_process_id | If the actor.process.parent_process.uidlog field value is not empty then,actor.process.parent_process.uidlog field is mapped to theprincipal.process.parent_process.product_specific_process_idUDM field.Else, if process.parent_process.uidlog field value is not empty then,process.parent_process.uidlog field is mapped to theprincipal.process.parent_process.product_specific_process_idUDM field. | 
| actor.process.pid | principal.process.pid | If the actor.process.pidlog field value is not empty then,actor.process.pidlog field is mapped to theprincipal.process.pidUDM field.Else, if process.pidlog field value is not empty then,process.pidlog field is mapped to theprincipal.process.pidUDM field. | 
| actor.process.uid | principal.process.product_specific_process_id | If the actor.process.uidlog field value is not empty then,actor.process.uidlog field is mapped to theprincipal.process.product_specific_process_idUDM field.Else, if process.uidlog field value is not empty then,process.uidlog field is mapped to theprincipal.process.product_specific_process_idUDM field. | 
| actor.process.user.domain | principal.administrative_domain | If the actor.user.domainlog field value is not empty then,actor.user.domainlog field is mapped to theprincipal.administrative_domainUDM field.Else, if actor.process.user.domainlog field value is not empty then,actor.process.user.domainlog field is mapped to theprincipal.administrative_domainUDM field.Else, if process.user.domainlog field value is not empty then,process.user.domainlog field is mapped to theprincipal.administrative_domainUDM field.Else, if process.parent_process.user.domainlog field value is not empty then,process.parent_process.user.domainlog field is mapped to theprincipal.administrative_domainUDM field. | 
| actor.process.user.email_addr | principal.user.email_addresses | If the actor.user.email_addrlog field value is not empty then,actor.user.email_addrlog field is mapped to theprincipal.user.email_addressesUDM field.Else, if actor.process.user.email_addrlog field value is not empty then,actor.process.user.email_addrlog field is mapped to theprincipal.user.email_addressesUDM field.Else, if process.user.email_addrlog field value is not empty then,process.user.email_addrlog field is mapped to theprincipal.user.email_addressesUDM field.Else, if process.parent_process.user.email_addrlog field value is not empty then,process.parent_process.user.email_addrlog field is mapped to theprincipal.user.email_addressesUDM field. | 
| actor.process.user.full_name | principal.user.user_display_name | If the actor.process.user.full_namelog field value is not empty then,actor.process.user.full_namelog field is mapped to theprincipal.user.user_display_nameUDM field.Else, if actor.user.full_namelog field value is not empty then,actor.user.full_namelog field is mapped to theprincipal.user.user_display_nameUDM field.Else, if process.parent_process.user.full_namelog field value is not empty then,process.parent_process.user.full_namelog field is mapped to theprincipal.user.user_display_nameUDM field.Else, if process.user.full_namelog field value is not empty then,process.user.full_namelog field is mapped to theprincipal.user.user_display_nameUDM field. | 
| actor.process.user.groups.name | principal.group.group_display_name | If the actor.user.groups.namelog field value is not empty then,actor.user.groups.namelog field is mapped to theprincipal.group.group_display_nameUDM field.Else, if actor.process.user.groups.namelog field value is not empty then,actor.process.user.groups.namelog field is mapped to theprincipal.group.group_display_nameUDM field.Else, if process.user.groups.namelog field value is not empty then,process.user.groups.namelog field is mapped to theprincipal.group.group_display_nameUDM field.Else, if process.parent_process.user.groups.namelog field value is not empty then,process.parent_process.user.groups.namelog field is mapped to theprincipal.group.group_display_nameUDM field. | 
| actor.process.user.groups.privileges | principal.group.attribute.permissions.name | If the actor.user.groups.privilegeslog field value is not empty then,actor.user.groups.privilegeslog field is mapped to theprincipal.group.attribute.permissions.nameUDM field.Else, if actor.process.user.groups.privilegeslog field value is not empty then,actor.process.user.groups.privilegeslog field is mapped to theprincipal.group.attribute.permissions.nameUDM field.Else, if process.user.groups.privilegeslog field value is not empty then,process.user.groups.privilegeslog field is mapped to theprincipal.group.attribute.permissions.nameUDM field.Else, if process.parent_process.user.groups.privilegeslog field value is not empty then,process.parent_process.user.groups.privilegeslog field is mapped to theprincipal.group.attribute.permissions.nameUDM field. | 
| actor.process.user.groups.uid | principal.user.group_identifiers | If the actor.user.groups.uidlog field value is not empty then,actor.user.groups.uidlog field is mapped to theprincipal.user.group_identifiersUDM field.Else, if actor.process.user.groups.uidlog field value is not empty then,actor.process.user.groups.uidlog field is mapped to theprincipal.user.group_identifiersUDM field.Else, if process.user.groups.uidlog field value is not empty then,process.user.groups.uidlog field is mapped to theprincipal.user.group_identifiersUDM field.Else, if process.parent_process.user.groups.uidlog field value is not empty then,process.parent_process.user.groups.uidlog field is mapped to theprincipal.user.group_identifiersUDM field. | 
| actor.process.user.name | principal.user.userid | If the actor.user.namelog field value is not empty then,actor.user.namelog field is mapped to theprincipal.user.useridUDM field.Else, if actor.process.user.namelog field value is not empty then,actor.process.user.namelog field is mapped to theprincipal.user.useridUDM field.Else, if process.user.namelog field value is not empty then,process.user.namelog field is mapped to theprincipal.user.useridUDM field.Else, if process.parent_process.user.namelog field value is not empty then,process.parent_process.user.namelog field is mapped to theprincipal.user.useridUDM field. | 
| actor.process.user.org.name | principal.user.company_name | If the actor.user.org.namelog field value is not empty then,actor.user.org.namelog field is mapped to theprincipal.user.company_nameUDM field.Else, if actor.process.user.org.namelog field value is not empty then,actor.process.user.org.namelog field is mapped to theprincipal.user.company_nameUDM field.Else, if process.user.org.namelog field value is not empty then,process.user.org.namelog field is mapped to theprincipal.user.company_nameUDM field.Else, if process.parent_process.user.org.namelog field value is not empty then,process.parent_process.user.org.namelog field is mapped to theprincipal.user.company_nameUDM field. | 
| actor.process.user.org.ou_name | principal.user.department | If the actor.user.org.ou_namelog field value is not empty then,actor.user.org.ou_namelog field is mapped to theprincipal.user.departmentUDM field.Else, if actor.process.user.org.ou_namelog field value is not empty then,actor.process.user.org.ou_namelog field is mapped to theprincipal.user.departmentUDM field.Else, if process.user.org.ou_namelog field value is not empty then,process.user.org.ou_namelog field is mapped to theprincipal.user.departmentUDM field.Else, if process.parent_process.user.org.ou_namelog field value is not empty then,process.parent_process.user.org.ou_namelog field is mapped to theprincipal.user.departmentUDM field. | 
| actor.process.user.type_id | principal.user.attribute.roles.name | If the actor.user.type_idlog field value is empty and if theactor.process.user.type_idlog field value is equal to0then, theprincipal.user.attribute.roles.nameUDM field is set toUnknown. Else, ifactor.process.user.type_idlog field value is equal to1then, theprincipal.user.attribute.roles.nameUDM field is set toUser. Else, ifactor.process.user.type_idlog field value is equal to2then, theprincipal.user.attribute.roles.nameUDM field is set toAdmin. Else, ifactor.process.user.type_idlog field value is equal to3then, theprincipal.user.attribute.roles.nameUDM field is set toSystem. Else, theprincipal.user.attribute.roles.nameUDM field is set toOther. | 
| actor.process.user.uid | principal.user.product_object_id | If the actor.user.uidlog field value is not empty then,actor.user.uidlog field is mapped to theprincipal.user.product_object_idUDM field.Else, if actor.process.user.uidlog field value is not empty then,actor.process.user.uidlog field is mapped to theprincipal.user.product_object_idUDM field.Else, if process.user.uidlog field value is not empty then,process.user.uidlog field is mapped to theprincipal.user.product_object_idUDM field.Else, if process.parent_process.user.uidlog field value is not empty then,process.parent_process.user.uidlog field is mapped to theprincipal.user.product_object_idUDM field. | 
| actor.user.domain | principal.administrative_domain | If the actor.user.domainlog field value is not empty then,actor.user.domainlog field is mapped to theprincipal.administrative_domainUDM field.Else, if actor.process.user.domainlog field value is not empty then,actor.process.user.domainlog field is mapped to theprincipal.administrative_domainUDM field.Else, if process.user.domainlog field value is not empty then,process.user.domainlog field is mapped to theprincipal.administrative_domainUDM field.Else, if process.parent_process.user.domainlog field value is not empty then,process.parent_process.user.domainlog field is mapped to theprincipal.administrative_domainUDM field. | 
| actor.user.email_addr | principal.user.email_addresses | If the actor.user.email_addrlog field value is not empty then,actor.user.email_addrlog field is mapped to theprincipal.user.email_addressesUDM field.Else, if actor.process.user.email_addrlog field value is not empty then,actor.process.user.email_addrlog field is mapped to theprincipal.user.email_addressesUDM field.Else, if process.user.email_addrlog field value is not empty then,process.user.email_addrlog field is mapped to theprincipal.user.email_addressesUDM field.Else, if process.parent_process.user.email_addrlog field value is not empty then,process.parent_process.user.email_addrlog field is mapped to theprincipal.user.email_addressesUDM field. | 
| actor.user.full_name | principal.user.user_display_name | If the actor.process.user.full_namelog field value is not empty then,actor.process.user.full_namelog field is mapped to theprincipal.user.user_display_nameUDM field.Else, if actor.user.full_namelog field value is not empty then,actor.user.full_namelog field is mapped to theprincipal.user.user_display_nameUDM field.Else, if process.parent_process.user.full_namelog field value is not empty then,process.parent_process.user.full_namelog field is mapped to theprincipal.user.user_display_nameUDM field.Else, if process.user.full_namelog field value is not empty then,process.user.full_namelog field is mapped to theprincipal.user.user_display_nameUDM field. | 
| actor.user.groups.name | principal.group.group_display_name | If the actor.user.groups.namelog field value is not empty then,actor.user.groups.namelog field is mapped to theprincipal.group.group_display_nameUDM field.Else, if actor.process.user.groups.namelog field value is not empty then,actor.process.user.groups.namelog field is mapped to theprincipal.group.group_display_nameUDM field.Else, if process.user.groups.namelog field value is not empty then,process.user.groups.namelog field is mapped to theprincipal.group.group_display_nameUDM field.Else, if process.parent_process.user.groups.namelog field value is not empty then,process.parent_process.user.groups.namelog field is mapped to theprincipal.group.group_display_nameUDM field. | 
| actor.user.groups.privileges | principal.group.attribute.permissions.name | If the actor.user.groups.privilegeslog field value is not empty then,actor.user.groups.privilegeslog field is mapped to theprincipal.group.attribute.permissions.nameUDM field.Else, if actor.process.user.groups.privilegeslog field value is not empty then,actor.process.user.groups.privilegeslog field is mapped to theprincipal.group.attribute.permissions.nameUDM field.Else, if process.user.groups.privilegeslog field value is not empty then,process.user.groups.privilegeslog field is mapped to theprincipal.group.attribute.permissions.nameUDM field.Else, if process.parent_process.user.groups.privilegeslog field value is not empty then,process.parent_process.user.groups.privilegeslog field is mapped to theprincipal.group.attribute.permissions.nameUDM field. | 
| actor.user.groups.uid | principal.user.group_identifiers | If the actor.user.groups.uidlog field value is not empty then,actor.user.groups.uidlog field is mapped to theprincipal.user.group_identifiersUDM field.Else, if actor.process.user.groups.uidlog field value is not empty then,actor.process.user.groups.uidlog field is mapped to theprincipal.user.group_identifiersUDM field.Else, if process.user.groups.uidlog field value is not empty then,process.user.groups.uidlog field is mapped to theprincipal.user.group_identifiersUDM field.Else, if process.parent_process.user.groups.uidlog field value is not empty then,process.parent_process.user.groups.uidlog field is mapped to theprincipal.user.group_identifiersUDM field. | 
| actor.user.name | principal.user.userid | If the actor.user.namelog field value is not empty then,actor.user.namelog field is mapped to theprincipal.user.useridUDM field.Else, if actor.process.user.namelog field value is not empty then,actor.process.user.namelog field is mapped to theprincipal.user.useridUDM field.Else, if process.user.namelog field value is not empty then,process.user.namelog field is mapped to theprincipal.user.useridUDM field.Else, if process.parent_process.user.namelog field value is not empty then,process.parent_process.user.namelog field is mapped to theprincipal.user.useridUDM field. | 
| actor.user.org.name | principal.user.company_name | If the actor.user.org.namelog field value is not empty then,actor.user.org.namelog field is mapped to theprincipal.user.company_nameUDM field.Else, if actor.process.user.org.namelog field value is not empty then,actor.process.user.org.namelog field is mapped to theprincipal.user.company_nameUDM field.Else, if process.user.org.namelog field value is not empty then,process.user.org.namelog field is mapped to theprincipal.user.company_nameUDM field.Else, if process.parent_process.user.org.namelog field value is not empty then,process.parent_process.user.org.namelog field is mapped to theprincipal.user.company_nameUDM field. | 
| actor.user.org.ou_name | principal.user.department | If the actor.user.org.ou_namelog field value is not empty then,actor.user.org.ou_namelog field is mapped to theprincipal.user.departmentUDM field.Else, if actor.process.user.org.ou_namelog field value is not empty then,actor.process.user.org.ou_namelog field is mapped to theprincipal.user.departmentUDM field.Else, if process.user.org.ou_namelog field value is not empty then,process.user.org.ou_namelog field is mapped to theprincipal.user.departmentUDM field.Else, if process.parent_process.user.org.ou_namelog field value is not empty then,process.parent_process.user.org.ou_namelog field is mapped to theprincipal.user.departmentUDM field. | 
| actor.user.type_id | principal.user.attribute.roles.name | If the actor.user.type_idlog field value is equal to0then, theprincipal.user.attribute.roles.nameUDM field is set toUnknown.Else, if actor.user.type_idlog field value is equal to1then, theprincipal.user.attribute.roles.nameUDM field is set toUser.Else, if actor.user.type_idlog field value is equal to2then, theprincipal.user.attribute.roles.nameUDM field is set toAdmin.Else, if actor.user.type_idlog field value is equal to3then, theprincipal.user.attribute.roles.nameUDM field is set toSystem.Else, the principal.user.attribute.roles.nameUDM field is set toOther. | 
| actor.user.uid | principal.user.product_object_id | If the actor.user.uidlog field value is not empty then,actor.user.uidlog field is mapped to theprincipal.user.product_object_idUDM field.Else, if actor.process.user.uidlog field value is not empty then,actor.process.user.uidlog field is mapped to theprincipal.user.product_object_idUDM field.Else, if process.user.uidlog field value is not empty then,process.user.uidlog field is mapped to theprincipal.user.product_object_idUDM field.Else, if process.parent_process.user.uidlog field value is not empty then,process.parent_process.user.uidlog field is mapped to theprincipal.user.product_object_idUDM field. | 
| api.response.code | network.http.response_code | |
| api.response.message | metadata.description | If the `message` log field value is empty, then the `api.response.message` log field is mapped to the `metadata.description` UDM field. |
| api.service.name | target.application | |
| attacks.tactics.name | security_result.attack_details.tactics.name | |
| attacks.tactics.uid | security_result.attack_details.tactics.id | |
| attacks.technique.name | security_result.attack_details.technique.name | |
| attacks.technique.uid | security_result.attack_details.technique.id | |
| attacks.version | security_result.attack_details.version | |
| category_name | security_result.category_details | The `%{category_uid} - %{category_name}` string (the `category_uid` and `category_name` log field values joined with ` - `) is mapped to the `security_result.category_details` UDM field. |
| category_uid | security_result.category_details | The `%{category_uid} - %{category_name}` string (the `category_uid` and `category_name` log field values joined with ` - `) is mapped to the `security_result.category_details` UDM field. |
| class_name | metadata.log_type | |
| cloud.org.uid | about.resource.product_object_id | |
| cloud.project_uid | principal.resource.product_object_id | |
| cloud.provider | about.resource.attribute.cloud.environment | If the `cloud.provider` log field value matches the regular expression pattern `AWS`, then the `about.resource.attribute.cloud.environment` UDM field is set to `AMAZON_WEB_SERVICES`. Else, if the `cloud.provider` log field value matches the regular expression pattern `MS Azure`, then the `about.resource.attribute.cloud.environment` UDM field is set to `MICROSOFT_AZURE`. Else, if the `cloud.provider` log field value matches the regular expression pattern `GCP`, then the `about.resource.attribute.cloud.environment` UDM field is set to `GOOGLE_CLOUD_PLATFORM`. |
| cloud.region | about.location.name | |
| cloud.zone | about.resource.attribute.cloud.availability_zone | |
| device.created_time | principal.asset.attribute.creation_time | |
| device.domain | principal.asset.network_domain | |
| device.first_seen_time | principal.asset.first_seen_time | |
| device.hostname | principal.asset.hostname | |
| device.hw_info.bios_manufacturer | principal.asset.hardware.manufacturer | |
| device.hw_info.cpu_cores | principal.asset.hardware.cpu_number_cores | |
| device.hw_info.cpu_speed | principal.asset.hardware.cpu_clock_speed | |
| device.hw_info.cpu_type | principal.asset.hardware.cpu_model | |
| device.hw_info.ram_size | principal.asset.hardware.ram | |
| device.hw_info.serial_number | principal.asset.hardware.serial_number | |
| device.ip | principal.asset.ip | |
| device.location.city | principal.asset.location.city | |
| device.location.coordinates | principal.asset.location.region_coordinates.longitude, principal.asset.location.region_coordinates.latitude | The `device.location.coordinates` log field is a two-element array holding a longitude/latitude pair (GeoJSON order, as in the sample log above); the first element is mapped to the `principal.asset.location.region_coordinates.longitude` UDM field and the second to the `principal.asset.location.region_coordinates.latitude` UDM field. |
| device.location.country | principal.asset.location.country_or_region | |
| device.location.region | principal.asset.location.name | If the `device.region` log field value is empty, then the `device.location.region` log field is mapped to the `principal.asset.location.name` UDM field. |
| device.mac | principal.asset.mac | |
| device.modified_time | principal.asset.attribute.last_update_time | |
| device.os.type_id | principal.asset.platform_software.platform | If the `device.os.type_id` log field value is equal to `100` or `101`, then the `principal.asset.platform_software.platform` UDM field is set to `WINDOWS`. Else, if the `device.os.type_id` log field value is equal to `200`, then the `principal.asset.platform_software.platform` UDM field is set to `LINUX`. Else, if the `device.os.type_id` log field value is equal to `201`, then the `principal.asset.platform_software.platform` UDM field is set to `ANDROID`. Else, if the `device.os.type_id` log field value is equal to `300`, then the `principal.asset.platform_software.platform` UDM field is set to `MAC`. Else, if the `device.os.type_id` log field value is equal to `301`, then the `principal.asset.platform_software.platform` UDM field is set to `IOS`. Else, the `principal.asset.platform_software.platform` UDM field is set to `UNKNOWN_PLATFORM`. |
| device.os.version | principal.asset.platform_software.platform_version | |
| device.region | principal.asset.location.name | |
| device.type_id | principal.asset.type | |
| device.uid | principal.asset.product_object_id | |
| disposition | security_result.action_details | |
| disposition_id | security_result.action | If the `class_name` log field value is equal to `Process Activity` and the `disposition_id` log field value is equal to `1`, then the `security_result.action` UDM field is set to `ALLOW`. Else, if the `disposition_id` log field value is equal to `2`, then the `security_result.action` UDM field is set to `BLOCK`. Else, if the `disposition_id` log field value is equal to `3`, then the `security_result.action` UDM field is set to `QUARANTINE`. |
| malware.cves.created_time | extensions.vulns.vulnerabilities.first_found | |
| malware.cves.cvss.base_score | extensions.vulns.vulnerabilities.cvss_base_score | |
| malware.cves.cvss.severity | extensions.vulns.vulnerabilities.severity | If the `malware.cves.cvss.severity` log field value matches the regular expression pattern `Low`, then the `extensions.vulns.vulnerabilities.severity` UDM field is set to `LOW`. Else, if it matches the regular expression pattern `Medium`, then the `extensions.vulns.vulnerabilities.severity` UDM field is set to `MEDIUM`. Else, if it matches the regular expression pattern `High`, then the `extensions.vulns.vulnerabilities.severity` UDM field is set to `HIGH`. Else, if it matches the regular expression pattern `Critical`, then the `extensions.vulns.vulnerabilities.severity` UDM field is set to `CRITICAL`. Else, the `extensions.vulns.vulnerabilities.severity` UDM field is set to `UNKNOWN_SEVERITY`. |
| malware.cves.cvss.vector_string | extensions.vulns.vulnerabilities.cvss_vector | |
| malware.cves.cvss.version | extensions.vulns.vulnerabilities.cvss_version | |
| malware.cves.product.name | extensions.vulns.vulnerabilities.about.application | |
| malware.cves.product.uid | extensions.vulns.vulnerabilities.about.asset_id | |
| malware.cves.product.vendor_name | extensions.vulns.vulnerabilities.vendor | |
| malware.cves.type | extensions.vulns.vulnerabilities.name | |
| malware.cves.uid | extensions.vulns.vulnerabilities.cve_id | |
| malware.name | security_result.threat_name | |
| malware.uid | security_result.threat_id | |
| message | metadata.description | |
| metadata.logged_time | metadata.collected_timestamp | |
| metadata.product.name | metadata.product_name | |
| metadata.uid | metadata.product_log_id | |
| metadata.product.vendor_name | metadata.vendor_name | |
| metadata.product.version | metadata.product_version | |
| module.file.accessed_time | target.process.file.last_seen_time | |
| module.file.created_time | target.process.file.first_seen_time | |
| module.file.mime_type | target.process.file.mime_type | |
| module.file.modified_time | target.process.file.last_modification_time | |
| module.file.name | target.process.file.names | |
| module.file.path | target.process.file.full_path | |
| module.file.signature.certificate.issuer | target.process.file.signature_info.x509.cert_issuer | |
| module.file.signature.certificate.serial_number | target.process.file.signature_info.x509.serial_number | |
| module.file.signature.developer_uid | target.process.file.signature_info.sigcheck.signers.name | |
| module.file.size | target.process.file.size | |
| observables.value | observer.file.names | Iterate through the `observables` log field. If the index is `0` and the `observables.type_id` log field value is equal to `1`, then `observables.value` is mapped to the `observer.hostname` UDM field. Else, if `observables.type_id` is equal to `2`, then `observables.value` is mapped to the `observer.ip` UDM field. Else, if `3`, to `observer.mac`. Else, if `4`, to `observer.user.userid`. Else, if `5`, to `observer.user.email_addresses`. Else, if `6`, to `observer.url`. Else, if `7`, to `observer.file.names`. Else, if `8`, to `observer.file.vhash`. Else, if `9`, to `observer.process.file.names`. Else, if `10`, to `observer.resource.product_object_id`. |
| observables.value | observer.file.vhash | Iterate through the `observables` log field. If the index is `0` and the `observables.type_id` log field value is equal to `1`, then `observables.value` is mapped to the `observer.hostname` UDM field. Else, if `observables.type_id` is equal to `2`, then `observables.value` is mapped to the `observer.ip` UDM field. Else, if `3`, to `observer.mac`. Else, if `4`, to `observer.user.userid`. Else, if `5`, to `observer.user.email_addresses`. Else, if `6`, to `observer.url`. Else, if `7`, to `observer.file.names`. Else, if `8`, to `observer.file.vhash`. Else, if `9`, to `observer.process.file.names`. Else, if `10`, to `observer.resource.product_object_id`. |
| observables.value | observer.hostname | Iterate through the `observables` log field. If the index is `0` and the `observables.type_id` log field value is equal to `1`, then `observables.value` is mapped to the `observer.hostname` UDM field. Else, if `observables.type_id` is equal to `2`, then `observables.value` is mapped to the `observer.ip` UDM field. Else, if `3`, to `observer.mac`. Else, if `4`, to `observer.user.userid`. Else, if `5`, to `observer.user.email_addresses`. Else, if `6`, to `observer.url`. Else, if `7`, to `observer.file.names`. Else, if `8`, to `observer.file.vhash`. Else, if `9`, to `observer.process.file.names`. Else, if `10`, to `observer.resource.product_object_id`. |
| observables.value | observer.ip | Iterate through the `observables` log field. If the index is `0` and the `observables.type_id` log field value is equal to `1`, then `observables.value` is mapped to the `observer.hostname` UDM field. Else, if `observables.type_id` is equal to `2`, then `observables.value` is mapped to the `observer.ip` UDM field. Else, if `3`, to `observer.mac`. Else, if `4`, to `observer.user.userid`. Else, if `5`, to `observer.user.email_addresses`. Else, if `6`, to `observer.url`. Else, if `7`, to `observer.file.names`. Else, if `8`, to `observer.file.vhash`. Else, if `9`, to `observer.process.file.names`. Else, if `10`, to `observer.resource.product_object_id`. |
| observables.value | observer.mac | Iterate through log field observables.value, thenif the indexvalue is equal to0and if theobservables.type_idlog field value is equal to1then,observables.valuelog field is mapped to theobserver.hostnameUDM field. Else, ifobservables.type_idlog field value is equal to2then,observables.valuelog field is mapped to theobserver.ipUDM field. Else, ifobservables.type_idlog field value is equal to3then,observables.valuelog field is mapped to theobserver.macUDM field. Else, ifobservables.type_idlog field value is equal to4then,observables.valuelog field is mapped to theobserver.user.useridUDM field. Else, ifobservables.type_idlog field value is equal to5then,observables.valuelog field is mapped to theobserver.user.email_addressesUDM field. Else, ifobservables.type_idlog field value is equal to6then,observables.valuelog field is mapped to theobserver.urlUDM field. Else, ifobservables.type_idlog field value is equal to7then,observables.valuelog field is mapped to theobserver.file.namesUDM field. Else, ifobservables.type_idlog field value is equal to8then,observables.valuelog field is mapped to theobserver.file.vhashUDM field. Else, ifobservables.type_idlog field value is equal to9then,observables.valuelog field is mapped to theobserver.process.file.namesUDM field. Else, ifobservables.type_idlog field value is equal to10then,observables.valuelog field is mapped to theobserver.resource.product_object_idUDM field. | 
| observables.value | observer.process.file.names | Iterate through log field observables.value, thenif the indexvalue is equal to0and if theobservables.type_idlog field value is equal to1then,observables.valuelog field is mapped to theobserver.hostnameUDM field. Else, ifobservables.type_idlog field value is equal to2then,observables.valuelog field is mapped to theobserver.ipUDM field. Else, ifobservables.type_idlog field value is equal to3then,observables.valuelog field is mapped to theobserver.macUDM field. Else, ifobservables.type_idlog field value is equal to4then,observables.valuelog field is mapped to theobserver.user.useridUDM field. Else, ifobservables.type_idlog field value is equal to5then,observables.valuelog field is mapped to theobserver.user.email_addressesUDM field. Else, ifobservables.type_idlog field value is equal to6then,observables.valuelog field is mapped to theobserver.urlUDM field. Else, ifobservables.type_idlog field value is equal to7then,observables.valuelog field is mapped to theobserver.file.namesUDM field. Else, ifobservables.type_idlog field value is equal to8then,observables.valuelog field is mapped to theobserver.file.vhashUDM field. Else, ifobservables.type_idlog field value is equal to9then,observables.valuelog field is mapped to theobserver.process.file.namesUDM field. Else, ifobservables.type_idlog field value is equal to10then,observables.valuelog field is mapped to theobserver.resource.product_object_idUDM field. | 
| observables.value | observer.resource.product_object_id | Iterate through log field observables.value, thenif the indexvalue is equal to0and if theobservables.type_idlog field value is equal to1then,observables.valuelog field is mapped to theobserver.hostnameUDM field. Else, ifobservables.type_idlog field value is equal to2then,observables.valuelog field is mapped to theobserver.ipUDM field. Else, ifobservables.type_idlog field value is equal to3then,observables.valuelog field is mapped to theobserver.macUDM field. Else, ifobservables.type_idlog field value is equal to4then,observables.valuelog field is mapped to theobserver.user.useridUDM field. Else, ifobservables.type_idlog field value is equal to5then,observables.valuelog field is mapped to theobserver.user.email_addressesUDM field. Else, ifobservables.type_idlog field value is equal to6then,observables.valuelog field is mapped to theobserver.urlUDM field. Else, ifobservables.type_idlog field value is equal to7then,observables.valuelog field is mapped to theobserver.file.namesUDM field. Else, ifobservables.type_idlog field value is equal to8then,observables.valuelog field is mapped to theobserver.file.vhashUDM field. Else, ifobservables.type_idlog field value is equal to9then,observables.valuelog field is mapped to theobserver.process.file.namesUDM field. Else, ifobservables.type_idlog field value is equal to10then,observables.valuelog field is mapped to theobserver.resource.product_object_idUDM field. | 
| observables.value | observer.url | Iterate through log field observables.value, thenif the indexvalue is equal to0and if theobservables.type_idlog field value is equal to1then,observables.valuelog field is mapped to theobserver.hostnameUDM field. Else, ifobservables.type_idlog field value is equal to2then,observables.valuelog field is mapped to theobserver.ipUDM field. Else, ifobservables.type_idlog field value is equal to3then,observables.valuelog field is mapped to theobserver.macUDM field. Else, ifobservables.type_idlog field value is equal to4then,observables.valuelog field is mapped to theobserver.user.useridUDM field. Else, ifobservables.type_idlog field value is equal to5then,observables.valuelog field is mapped to theobserver.user.email_addressesUDM field. Else, ifobservables.type_idlog field value is equal to6then,observables.valuelog field is mapped to theobserver.urlUDM field. Else, ifobservables.type_idlog field value is equal to7then,observables.valuelog field is mapped to theobserver.file.namesUDM field. Else, ifobservables.type_idlog field value is equal to8then,observables.valuelog field is mapped to theobserver.file.vhashUDM field. Else, ifobservables.type_idlog field value is equal to9then,observables.valuelog field is mapped to theobserver.process.file.namesUDM field. Else, ifobservables.type_idlog field value is equal to10then,observables.valuelog field is mapped to theobserver.resource.product_object_idUDM field. | 
| observables.value | observer.user.email_addresses | Iterate through log field observables.value, thenif the indexvalue is equal to0and if theobservables.type_idlog field value is equal to1then,observables.valuelog field is mapped to theobserver.hostnameUDM field. Else, ifobservables.type_idlog field value is equal to2then,observables.valuelog field is mapped to theobserver.ipUDM field. Else, ifobservables.type_idlog field value is equal to3then,observables.valuelog field is mapped to theobserver.macUDM field. Else, ifobservables.type_idlog field value is equal to4then,observables.valuelog field is mapped to theobserver.user.useridUDM field. Else, ifobservables.type_idlog field value is equal to5then,observables.valuelog field is mapped to theobserver.user.email_addressesUDM field. Else, ifobservables.type_idlog field value is equal to6then,observables.valuelog field is mapped to theobserver.urlUDM field. Else, ifobservables.type_idlog field value is equal to7then,observables.valuelog field is mapped to theobserver.file.namesUDM field. Else, ifobservables.type_idlog field value is equal to8then,observables.valuelog field is mapped to theobserver.file.vhashUDM field. Else, ifobservables.type_idlog field value is equal to9then,observables.valuelog field is mapped to theobserver.process.file.namesUDM field. Else, ifobservables.type_idlog field value is equal to10then,observables.valuelog field is mapped to theobserver.resource.product_object_idUDM field. | 
| observables.value | observer.user.userid | Iterate through log field observables.value, thenif the indexvalue is equal to0and if theobservables.type_idlog field value is equal to1then,observables.valuelog field is mapped to theobserver.hostnameUDM field. Else, ifobservables.type_idlog field value is equal to2then,observables.valuelog field is mapped to theobserver.ipUDM field. Else, ifobservables.type_idlog field value is equal to3then,observables.valuelog field is mapped to theobserver.macUDM field. Else, ifobservables.type_idlog field value is equal to4then,observables.valuelog field is mapped to theobserver.user.useridUDM field. Else, ifobservables.type_idlog field value is equal to5then,observables.valuelog field is mapped to theobserver.user.email_addressesUDM field. Else, ifobservables.type_idlog field value is equal to6then,observables.valuelog field is mapped to theobserver.urlUDM field. Else, ifobservables.type_idlog field value is equal to7then,observables.valuelog field is mapped to theobserver.file.namesUDM field. Else, ifobservables.type_idlog field value is equal to8then,observables.valuelog field is mapped to theobserver.file.vhashUDM field. Else, ifobservables.type_idlog field value is equal to9then,observables.valuelog field is mapped to theobserver.process.file.namesUDM field. Else, ifobservables.type_idlog field value is equal to10then,observables.valuelog field is mapped to theobserver.resource.product_object_idUDM field. | 
| process.cmd_line | principal.process.command_line | If the actor.process.cmd_line log field value is not empty, the actor.process.cmd_line log field is mapped to the principal.process.command_line UDM field. Else, if the process.cmd_line log field value is not empty, the process.cmd_line log field is mapped to the principal.process.command_line UDM field. | 
| process.file.accessed_time | principal.process.file.last_seen_time | If the actor.process.file.accessed_time log field value is not empty, the actor.process.file.accessed_time log field is mapped to the principal.process.file.last_seen_time UDM field. Else, if the process.file.accessed_time log field value is not empty, the process.file.accessed_time log field is mapped to the principal.process.file.last_seen_time UDM field. | 
| process.file.created_time | principal.process.file.first_seen_time | If the actor.process.file.created_time log field value is not empty, the actor.process.file.created_time log field is mapped to the principal.process.file.first_seen_time UDM field. Else, if the process.file.created_time log field value is not empty, the process.file.created_time log field is mapped to the principal.process.file.first_seen_time UDM field. | 
| process.file.mime_type | principal.process.file.mime_type | If the actor.process.file.mime_type log field value is not empty, the actor.process.file.mime_type log field is mapped to the principal.process.file.mime_type UDM field. Else, if the process.file.mime_type log field value is not empty, the process.file.mime_type log field is mapped to the principal.process.file.mime_type UDM field. | 
| process.file.modified_time | principal.process.file.last_modification_time | If the actor.process.file.modified_time log field value is not empty, the actor.process.file.modified_time log field is mapped to the principal.process.file.last_modification_time UDM field. Else, if the process.file.modified_time log field value is not empty, the process.file.modified_time log field is mapped to the principal.process.file.last_modification_time UDM field. | 
| process.file.name | principal.process.file.names | If the actor.process.file.name log field value is not empty, the actor.process.file.name log field is mapped to the principal.process.file.names UDM field. Else, if the process.file.name log field value is not empty, the process.file.name log field is mapped to the principal.process.file.names UDM field. | 
| process.file.path | principal.process.file.full_path | If the actor.process.file.path log field value is not empty, the actor.process.file.path log field is mapped to the principal.process.file.full_path UDM field. Else, if the process.file.path log field value is not empty, the process.file.path log field is mapped to the principal.process.file.full_path UDM field. | 
| process.file.size | principal.process.file.size | If the actor.process.file.size log field value is not empty, the actor.process.file.size log field is mapped to the principal.process.file.size UDM field. Else, if the process.file.size log field value is not empty, the process.file.size log field is mapped to the principal.process.file.size UDM field. | 
| process.parent_process.cmd_line | principal.process.parent_process.command_line | If the actor.process.parent_process.cmd_line log field value is not empty, the actor.process.parent_process.cmd_line log field is mapped to the principal.process.parent_process.command_line UDM field. Else, if the process.parent_process.cmd_line log field value is not empty, the process.parent_process.cmd_line log field is mapped to the principal.process.parent_process.command_line UDM field. | 
| process.parent_process.file.accessed_time | principal.process.parent_process.file.last_seen_time | If the actor.process.parent_process.file.accessed_time log field value is not empty, the actor.process.parent_process.file.accessed_time log field is mapped to the principal.process.parent_process.file.last_seen_time UDM field. Else, if the process.parent_process.file.accessed_time log field value is not empty, the process.parent_process.file.accessed_time log field is mapped to the principal.process.parent_process.file.last_seen_time UDM field. | 
| process.parent_process.file.created_time | principal.process.parent_process.file.first_seen_time | If the actor.process.parent_process.file.created_time log field value is not empty, the actor.process.parent_process.file.created_time log field is mapped to the principal.process.parent_process.file.first_seen_time UDM field. Else, if the process.parent_process.file.created_time log field value is not empty, the process.parent_process.file.created_time log field is mapped to the principal.process.parent_process.file.first_seen_time UDM field. | 
| process.parent_process.file.mime_type | principal.process.parent_process.file.mime_type | If the actor.process.parent_process.file.mime_type log field value is not empty, the actor.process.parent_process.file.mime_type log field is mapped to the principal.process.parent_process.file.mime_type UDM field. Else, if the process.parent_process.file.mime_type log field value is not empty, the process.parent_process.file.mime_type log field is mapped to the principal.process.parent_process.file.mime_type UDM field. | 
| process.parent_process.file.modified_time | principal.process.parent_process.file.last_modification_time | If the actor.process.parent_process.file.modified_time log field value is not empty, the actor.process.parent_process.file.modified_time log field is mapped to the principal.process.parent_process.file.last_modification_time UDM field. Else, if the process.parent_process.file.modified_time log field value is not empty, the process.parent_process.file.modified_time log field is mapped to the principal.process.parent_process.file.last_modification_time UDM field. | 
| process.parent_process.file.name | principal.process.parent_process.file.names | If the actor.process.parent_process.file.name log field value is not empty, the actor.process.parent_process.file.name log field is mapped to the principal.process.parent_process.file.names UDM field. Else, if the process.parent_process.file.name log field value is not empty, the process.parent_process.file.name log field is mapped to the principal.process.parent_process.file.names UDM field. | 
| process.parent_process.file.path | principal.process.parent_process.file.full_path | If the actor.process.parent_process.file.path log field value is not empty, the actor.process.parent_process.file.path log field is mapped to the principal.process.parent_process.file.full_path UDM field. Else, if the process.parent_process.file.path log field value is not empty, the process.parent_process.file.path log field is mapped to the principal.process.parent_process.file.full_path UDM field. | 
| process.parent_process.file.size | principal.process.parent_process.file.size | If the actor.process.parent_process.file.size log field value is not empty, the actor.process.parent_process.file.size log field is mapped to the principal.process.parent_process.file.size UDM field. Else, if the process.parent_process.file.size log field value is not empty, the process.parent_process.file.size log field is mapped to the principal.process.parent_process.file.size UDM field. | 
| process.parent_process.pid | principal.process.parent_process.pid | If the actor.process.parent_process.pid log field value is not empty, the actor.process.parent_process.pid log field is mapped to the principal.process.parent_process.pid UDM field. Else, if the process.parent_process.pid log field value is not empty, the process.parent_process.pid log field is mapped to the principal.process.parent_process.pid UDM field. | 
| process.parent_process.uid | principal.process.parent_process.product_specific_process_id | If the actor.process.parent_process.uid log field value is not empty, the actor.process.parent_process.uid log field is mapped to the principal.process.parent_process.product_specific_process_id UDM field. Else, if the process.parent_process.uid log field value is not empty, the process.parent_process.uid log field is mapped to the principal.process.parent_process.product_specific_process_id UDM field. | 
| process.parent_process.user.domain | principal.administrative_domain | If the actor.user.domain log field value is not empty, the actor.user.domain log field is mapped to the principal.administrative_domain UDM field. Else, if the actor.process.user.domain log field value is not empty, it is mapped to the principal.administrative_domain UDM field. Else, if the process.user.domain log field value is not empty, it is mapped to the principal.administrative_domain UDM field. Else, if the process.parent_process.user.domain log field value is not empty, it is mapped to the principal.administrative_domain UDM field. | 
| process.parent_process.user.email_addr | principal.user.email_addresses | If the actor.user.email_addr log field value is not empty, the actor.user.email_addr log field is mapped to the principal.user.email_addresses UDM field. Else, if the actor.process.user.email_addr log field value is not empty, it is mapped to the principal.user.email_addresses UDM field. Else, if the process.user.email_addr log field value is not empty, it is mapped to the principal.user.email_addresses UDM field. Else, if the process.parent_process.user.email_addr log field value is not empty, it is mapped to the principal.user.email_addresses UDM field. | 
| process.parent_process.user.full_name | principal.user.user_display_name | If the actor.process.user.full_name log field value is not empty, the actor.process.user.full_name log field is mapped to the principal.user.user_display_name UDM field. Else, if the actor.user.full_name log field value is not empty, it is mapped to the principal.user.user_display_name UDM field. Else, if the process.parent_process.user.full_name log field value is not empty, it is mapped to the principal.user.user_display_name UDM field. Else, if the process.user.full_name log field value is not empty, it is mapped to the principal.user.user_display_name UDM field. | 
| process.parent_process.user.groups.name | principal.group.group_display_name | If the actor.user.groups.name log field value is not empty, the actor.user.groups.name log field is mapped to the principal.group.group_display_name UDM field. Else, if the actor.process.user.groups.name log field value is not empty, it is mapped to the principal.group.group_display_name UDM field. Else, if the process.user.groups.name log field value is not empty, it is mapped to the principal.group.group_display_name UDM field. Else, if the process.parent_process.user.groups.name log field value is not empty, it is mapped to the principal.group.group_display_name UDM field. | 
| process.parent_process.user.groups.privileges | principal.group.attribute.permissions.name | If the actor.user.groups.privileges log field value is not empty, the actor.user.groups.privileges log field is mapped to the principal.group.attribute.permissions.name UDM field. Else, if the actor.process.user.groups.privileges log field value is not empty, it is mapped to the principal.group.attribute.permissions.name UDM field. Else, if the process.user.groups.privileges log field value is not empty, it is mapped to the principal.group.attribute.permissions.name UDM field. Else, if the process.parent_process.user.groups.privileges log field value is not empty, it is mapped to the principal.group.attribute.permissions.name UDM field. | 
| process.parent_process.user.groups.uid | principal.user.group_identifiers | If the actor.user.groups.uid log field value is not empty, the actor.user.groups.uid log field is mapped to the principal.user.group_identifiers UDM field. Else, if the actor.process.user.groups.uid log field value is not empty, it is mapped to the principal.user.group_identifiers UDM field. Else, if the process.user.groups.uid log field value is not empty, it is mapped to the principal.user.group_identifiers UDM field. Else, if the process.parent_process.user.groups.uid log field value is not empty, it is mapped to the principal.user.group_identifiers UDM field. | 
| process.parent_process.user.name | principal.user.userid | If the actor.user.name log field value is not empty, the actor.user.name log field is mapped to the principal.user.userid UDM field. Else, if the actor.process.user.name log field value is not empty, it is mapped to the principal.user.userid UDM field. Else, if the process.user.name log field value is not empty, it is mapped to the principal.user.userid UDM field. Else, if the process.parent_process.user.name log field value is not empty, it is mapped to the principal.user.userid UDM field. | 
| process.parent_process.user.org.name | principal.user.company_name | If the actor.user.org.name log field value is not empty, the actor.user.org.name log field is mapped to the principal.user.company_name UDM field. Else, if the actor.process.user.org.name log field value is not empty, it is mapped to the principal.user.company_name UDM field. Else, if the process.user.org.name log field value is not empty, it is mapped to the principal.user.company_name UDM field. Else, if the process.parent_process.user.org.name log field value is not empty, it is mapped to the principal.user.company_name UDM field. | 
| process.parent_process.user.org.ou_name | principal.user.department | If the actor.user.org.ou_name log field value is not empty, the actor.user.org.ou_name log field is mapped to the principal.user.department UDM field. Else, if the actor.process.user.org.ou_name log field value is not empty, it is mapped to the principal.user.department UDM field. Else, if the process.user.org.ou_name log field value is not empty, it is mapped to the principal.user.department UDM field. Else, if the process.parent_process.user.org.ou_name log field value is not empty, it is mapped to the principal.user.department UDM field. | 
| process.parent_process.user.type_id | principal.user.attribute.roles.name | If the process.user.type_id log field value is empty and the process.parent_process.user.type_id log field value is equal to 0, the principal.user.attribute.roles.name UDM field is set to Unknown. Else, if the process.parent_process.user.type_id log field value is equal to 1, the principal.user.attribute.roles.name UDM field is set to User. Else, if it is equal to 2, the principal.user.attribute.roles.name UDM field is set to Admin. Else, if it is equal to 3, the principal.user.attribute.roles.name UDM field is set to System. Else, the principal.user.attribute.roles.name UDM field is set to Other. | 
| process.parent_process.user.uid | principal.user.product_object_id | If the actor.user.uid log field value is not empty, the actor.user.uid log field is mapped to the principal.user.product_object_id UDM field. Else, if the actor.process.user.uid log field value is not empty, it is mapped to the principal.user.product_object_id UDM field. Else, if the process.user.uid log field value is not empty, it is mapped to the principal.user.product_object_id UDM field. Else, if the process.parent_process.user.uid log field value is not empty, it is mapped to the principal.user.product_object_id UDM field. | 
| process.pid | principal.process.pid | If the actor.process.pid log field value is not empty, the actor.process.pid log field is mapped to the principal.process.pid UDM field. Else, if the process.pid log field value is not empty, the process.pid log field is mapped to the principal.process.pid UDM field. | 
| process.uid | principal.process.product_specific_process_id | If the actor.process.uid log field value is not empty, the actor.process.uid log field is mapped to the principal.process.product_specific_process_id UDM field. Else, if the process.uid log field value is not empty, the process.uid log field is mapped to the principal.process.product_specific_process_id UDM field. | 
| process.user.domain | principal.administrative_domain | If the actor.user.domain log field value is not empty, the actor.user.domain log field is mapped to the principal.administrative_domain UDM field. Else, if the actor.process.user.domain log field value is not empty, it is mapped to the principal.administrative_domain UDM field. Else, if the process.user.domain log field value is not empty, it is mapped to the principal.administrative_domain UDM field. Else, if the process.parent_process.user.domain log field value is not empty, it is mapped to the principal.administrative_domain UDM field. | 
| process.user.email_addr | principal.user.email_addresses | If the actor.user.email_addr log field value is not empty, the actor.user.email_addr log field is mapped to the principal.user.email_addresses UDM field. Else, if the actor.process.user.email_addr log field value is not empty, it is mapped to the principal.user.email_addresses UDM field. Else, if the process.user.email_addr log field value is not empty, it is mapped to the principal.user.email_addresses UDM field. Else, if the process.parent_process.user.email_addr log field value is not empty, it is mapped to the principal.user.email_addresses UDM field. | 
| process.user.full_name | principal.user.user_display_name | If the actor.process.user.full_name log field value is not empty, the actor.process.user.full_name log field is mapped to the principal.user.user_display_name UDM field. Else, if the actor.user.full_name log field value is not empty, it is mapped to the principal.user.user_display_name UDM field. Else, if the process.parent_process.user.full_name log field value is not empty, it is mapped to the principal.user.user_display_name UDM field. Else, if the process.user.full_name log field value is not empty, it is mapped to the principal.user.user_display_name UDM field. | 
| process.user.groups.name | principal.group.group_display_name | If the actor.user.groups.name log field value is not empty, the actor.user.groups.name log field is mapped to the principal.group.group_display_name UDM field. Else, if the actor.process.user.groups.name log field value is not empty, it is mapped to the principal.group.group_display_name UDM field. Else, if the process.user.groups.name log field value is not empty, it is mapped to the principal.group.group_display_name UDM field. Else, if the process.parent_process.user.groups.name log field value is not empty, it is mapped to the principal.group.group_display_name UDM field. | 
| process.user.groups.privileges | principal.group.attribute.permissions.name | If the actor.user.groups.privileges log field value is not empty, the actor.user.groups.privileges log field is mapped to the principal.group.attribute.permissions.name UDM field. Else, if the actor.process.user.groups.privileges log field value is not empty, it is mapped to the principal.group.attribute.permissions.name UDM field. Else, if the process.user.groups.privileges log field value is not empty, it is mapped to the principal.group.attribute.permissions.name UDM field. Else, if the process.parent_process.user.groups.privileges log field value is not empty, it is mapped to the principal.group.attribute.permissions.name UDM field. | 
| process.user.groups.uid | principal.user.group_identifiers | If the actor.user.groups.uid log field value is not empty, the actor.user.groups.uid log field is mapped to the principal.user.group_identifiers UDM field. Else, if the actor.process.user.groups.uid log field value is not empty, it is mapped to the principal.user.group_identifiers UDM field. Else, if the process.user.groups.uid log field value is not empty, it is mapped to the principal.user.group_identifiers UDM field. Else, if the process.parent_process.user.groups.uid log field value is not empty, it is mapped to the principal.user.group_identifiers UDM field. | 
| process.user.name | principal.user.userid | If the actor.user.name log field value is not empty, the actor.user.name log field is mapped to the principal.user.userid UDM field. Else, if the actor.process.user.name log field value is not empty, it is mapped to the principal.user.userid UDM field. Else, if the process.user.name log field value is not empty, it is mapped to the principal.user.userid UDM field. Else, if the process.parent_process.user.name log field value is not empty, it is mapped to the principal.user.userid UDM field. | 
| process.user.org.name | principal.user.company_name | If the actor.user.org.name log field value is not empty, the actor.user.org.name log field is mapped to the principal.user.company_name UDM field. Else, if the actor.process.user.org.name log field value is not empty, it is mapped to the principal.user.company_name UDM field. Else, if the process.user.org.name log field value is not empty, it is mapped to the principal.user.company_name UDM field. Else, if the process.parent_process.user.org.name log field value is not empty, it is mapped to the principal.user.company_name UDM field. | 
| process.user.org.ou_name | principal.user.department | If the actor.user.org.ou_namelog field value is not empty then,actor.user.org.ou_namelog field is mapped to theprincipal.user.departmentUDM field.Else, if actor.process.user.org.ou_namelog field value is not empty then,actor.process.user.org.ou_namelog field is mapped to theprincipal.user.departmentUDM field.Else, if process.user.org.ou_namelog field value is not empty then,process.user.org.ou_namelog field is mapped to theprincipal.user.departmentUDM field.Else, if process.parent_process.user.org.ou_namelog field value is not empty then,process.parent_process.user.org.ou_namelog field is mapped to theprincipal.user.departmentUDM field. | 
| process.user.type_id | principal.user.attribute.roles.name | If the actor.process.user.type_idlog field value is empty and if theprocess.user.type_idlog field value is equal to0then, theprincipal.user.attribute.roles.nameUDM field is set toUnknown. Else, ifprocess.user.type_idlog field value is equal to1then, theprincipal.user.attribute.roles.nameUDM field is set toUser. Else, ifprocess.user.type_idlog field value is equal to2then, theprincipal.user.attribute.roles.nameUDM field is set toAdmin. Else, ifprocess.user.type_idlog field value is equal to3then, theprincipal.user.attribute.roles.nameUDM field is set toSystem. Else, theprincipal.user.attribute.roles.nameUDM field is set toOther. | 
| process.user.uid | principal.user.product_object_id | If the actor.user.uidlog field value is not empty then,actor.user.uidlog field is mapped to theprincipal.user.product_object_idUDM field.Else, if actor.process.user.uidlog field value is not empty then,actor.process.user.uidlog field is mapped to theprincipal.user.product_object_idUDM field.Else, if process.user.uidlog field value is not empty then,process.user.uidlog field is mapped to theprincipal.user.product_object_idUDM field.Else, if process.parent_process.user.uidlog field value is not empty then,process.parent_process.user.uidlog field is mapped to theprincipal.user.product_object_idUDM field. | 
| requested_permissions | principal.process.access_mask | |
| severity | security_result.severity_details | |
| severity_id | security_result.severity | If the severity_id log field value is equal to 1, then the security_result.severity UDM field is set to INFORMATIONAL. Else, if the severity_id log field value is equal to 2, then the security_result.severity UDM field is set to LOW. Else, if the severity_id log field value is equal to 3, then the security_result.severity UDM field is set to MEDIUM. Else, if the severity_id log field value is equal to 4, then the security_result.severity UDM field is set to HIGH. Else, if the severity_id log field value is equal to 5, then the security_result.severity UDM field is set to CRITICAL. Else, the security_result.severity UDM field is set to UNKNOWN_SEVERITY. |
| time | metadata.event_timestamp | |
| vulnerabilities.cve.cvss.base_score | extensions.vulns.vulnerabilities.cvss_base_score | |
| vulnerabilities.cve.cvss.vector_string | extensions.vulns.vulnerabilities.cvss_vector | |
| vulnerabilities.cve.cvss.version | extensions.vulns.vulnerabilities.cvss_version | |
| vulnerabilities.cve.modified_time | extensions.vulns.vulnerabilities.about.labels [vuln_cve_modified_time] | |
| vulnerabilities.kb_articles | extensions.vulns.vulnerabilities.about.labels [vuln_kb_articles] | |
| vulnerabilities.packages.architecture | extensions.vulns.vulnerabilities.about.labels [vuln_packages_architecture] | |
| vulnerabilities.packages.epoch | extensions.vulns.vulnerabilities.about.labels [vuln_packages_epoch] | |
| vulnerabilities.packages.name | extensions.vulns.vulnerabilities.about.labels [vuln_packages_name] | |
| vulnerabilities.packages.release | extensions.vulns.vulnerabilities.about.labels [vuln_packages_release] | |
| vulnerabilities.packages.version | extensions.vulns.vulnerabilities.about.labels [vuln_packages_version] | |
| vulnerabilities.references | extensions.vulns.vulnerabilities.about.labels [vuln_references] | |
| vulnerabilities.related_vulnerabilities | extensions.vulns.vulnerabilities.about.labels [vuln_related_vulnerabilities] | |
| vulnerabilities.cve.modified_time | additional.fields [vuln_cve_modified_time] | |
| vulnerabilities.kb_articles | additional.fields [vuln_kb_articles] | |
| vulnerabilities.packages.architecture | additional.fields [vuln_packages_architecture] | |
| vulnerabilities.packages.epoch | additional.fields [vuln_packages_epoch] | |
| vulnerabilities.packages.name | additional.fields [vuln_packages_name] | |
| vulnerabilities.packages.release | additional.fields [vuln_packages_release] | |
| vulnerabilities.packages.version | additional.fields [vuln_packages_version] | |
| vulnerabilities.references | additional.fields [vuln_references] | |
| vulnerabilities.related_vulnerabilities | additional.fields [vuln_related_vulnerabilities] | |
| vulnerabilities.vendor_name | extensions.vulns.vulnerabilities.vendor | |
| status | security_result.detection_fields [status] | |
| type_name | security_result.detection_fields [type_name] | |
| type_uid | security_result.detection_fields [type_uid] | |
| status_id | security_result.detection_fields [status_id] | |
| actor.session.uid | network.session_id | If the actor.session.uid log field value is not equal to then, the actor.session.uid log field is mapped to the network.session_id UDM field. Else, if the process.session.uid log field value is not equal to then, the process.session.uid log field is mapped to the network.session_id UDM field. |
| actor.user.account_type | principal.user.attribute.labels[actor_user_account_type] | |
| actor.user.account_type_id | principal.user.attribute.labels[actor_user_account_type_id] | |
| device.os.name | principal.asset.attribute.labels[device_os_name] | |
| device.os.type | principal.asset.attribute.labels[device_os_type] | |
| device.type | principal.asset.attribute.labels[device_type] | |
| actor.process.file.parent_folder | principal.labels[actor_process_file_parent_folder] | |
| actor.process.file.type | principal.labels[actor_process_file_type] | |
| actor.process.file.type_id | principal.labels[actor_process_file_type_id] | |
| metadata.original_time | about.labels[metadata_original_time] | |
| metadata.product.feature.name | about.labels [metadata_product_feature_name] | |
| metadata.profiles | about.labels [metadata_profiles] | |
| metadata.uid | about.labels [metadata_uid] | |
| metadata.version | about.labels [metadata_version] | |
| process.file.parent_folder | principal.labels[process_file_parent_folder] | |
| process.file.type | principal.labels[process_file_type] | |
| process.file.type_id | principal.labels[process_file_type_id] | |
| exit_code | about.labels [exit_code] | |
| class_uid | about.labels [class_uid] | |
| actor.process.file.parent_folder | additional.fields [actor_process_file_parent_folder] | |
| actor.process.file.type | additional.fields [actor_process_file_type] | |
| actor.process.file.type_id | additional.fields [actor_process_file_type_id] | |
| metadata.original_time | additional.fields [metadata_original_time] | |
| metadata.product.feature.name | additional.fields [metadata_product_feature_name] | |
| metadata.profiles | additional.fields [metadata_profiles] | |
| metadata.uid | additional.fields [metadata_uid] | |
| metadata.version | additional.fields [metadata_version] | |
| process.file.parent_folder | additional.fields [process_file_parent_folder] | |
| process.file.type | additional.fields [process_file_type] | |
| process.file.type_id | additional.fields [process_file_type_id] | |
| exit_code | additional.fields [exit_code] | |
| class_uid | additional.fields [class_uid] | |
| process.session.uid | network.session_id | If the actor.session.uid log field value is not equal to then, the actor.session.uid log field is mapped to the network.session_id UDM field. Else, if the process.session.uid log field value is not equal to then, the process.session.uid log field is mapped to the network.session_id UDM field. |
| actor.user.ldap_person.cost_center | principal.user.attribute.labels[user_ldap_person_cost_center] | If the actor.user.ldap_person.cost_center log field value is not empty, then the actor.user.ldap_person.cost_center log field is mapped to the principal.user.attribute.labels[user_ldap_person_cost_center] UDM field. Else, if the actor.process.user.ldap_person.cost_center log field value is not empty, then the actor.process.user.ldap_person.cost_center log field is mapped to the principal.user.attribute.labels[user_ldap_person_cost_center] UDM field. |
| actor.process.user.ldap_person.cost_center | principal.user.attribute.labels[user_ldap_person_cost_center] | If the actor.user.ldap_person.cost_center log field value is not empty, then the actor.user.ldap_person.cost_center log field is mapped to the principal.user.attribute.labels[user_ldap_person_cost_center] UDM field. Else, if the actor.process.user.ldap_person.cost_center log field value is not empty, then the actor.process.user.ldap_person.cost_center log field is mapped to the principal.user.attribute.labels[user_ldap_person_cost_center] UDM field. |
| actor.user.ldap_person.created_time | principal.user.attribute.labels[user_ldap_person_created_time] | If the actor.user.ldap_person.created_time log field value is not empty, then the actor.user.ldap_person.created_time log field is mapped to the principal.user.attribute.labels[user_ldap_person_created_time] UDM field. Else, if the actor.process.user.ldap_person.created_time log field value is not empty, then the actor.process.user.ldap_person.created_time log field is mapped to the principal.user.attribute.labels[user_ldap_person_created_time] UDM field. |
| actor.process.user.ldap_person.created_time | principal.user.attribute.labels[user_ldap_person_created_time] | If the actor.user.ldap_person.created_time log field value is not empty, then the actor.user.ldap_person.created_time log field is mapped to the principal.user.attribute.labels[user_ldap_person_created_time] UDM field. Else, if the actor.process.user.ldap_person.created_time log field value is not empty, then the actor.process.user.ldap_person.created_time log field is mapped to the principal.user.attribute.labels[user_ldap_person_created_time] UDM field. |
| actor.user.ldap_person.deleted_time | principal.user.attribute.labels[user_ldap_person_deleted_time] | If the actor.user.ldap_person.deleted_time log field value is not empty, then the actor.user.ldap_person.deleted_time log field is mapped to the principal.user.attribute.labels[user_ldap_person_deleted_time] UDM field. Else, if the actor.process.user.ldap_person.deleted_time log field value is not empty, then the actor.process.user.ldap_person.deleted_time log field is mapped to the principal.user.attribute.labels[user_ldap_person_deleted_time] UDM field. |
| actor.process.user.ldap_person.deleted_time | principal.user.attribute.labels[user_ldap_person_deleted_time] | If the actor.user.ldap_person.deleted_time log field value is not empty, then the actor.user.ldap_person.deleted_time log field is mapped to the principal.user.attribute.labels[user_ldap_person_deleted_time] UDM field. Else, if the actor.process.user.ldap_person.deleted_time log field value is not empty, then the actor.process.user.ldap_person.deleted_time log field is mapped to the principal.user.attribute.labels[user_ldap_person_deleted_time] UDM field. |
| actor.user.ldap_person.email_addrs | principal.user.email_addresses | If the actor.user.ldap_person.email_addrs log field value is not empty, then the actor.user.ldap_person.email_addrs log field is mapped to the principal.user.email_addresses UDM field. Else, if the actor.process.user.ldap_person.email_addrs log field value is not empty, then the actor.process.user.ldap_person.email_addrs log field is mapped to the principal.user.email_addresses UDM field. |
| actor.process.user.ldap_person.email_addrs | principal.user.email_addresses | If the actor.user.ldap_person.email_addrs log field value is not empty, then the actor.user.ldap_person.email_addrs log field is mapped to the principal.user.email_addresses UDM field. Else, if the actor.process.user.ldap_person.email_addrs log field value is not empty, then the actor.process.user.ldap_person.email_addrs log field is mapped to the principal.user.email_addresses UDM field. |
| actor.user.ldap_person.employee_uid | principal.user.employee_uid | If the actor.user.ldap_person.employee_uid log field value is not empty, then the actor.user.ldap_person.employee_uid log field is mapped to the principal.user.employee_uid UDM field. Else, if the actor.process.user.ldap_person.employee_uid log field value is not empty, then the actor.process.user.ldap_person.employee_uid log field is mapped to the principal.user.employee_uid UDM field. |
| actor.process.user.ldap_person.employee_uid | principal.user.employee_uid | If the actor.user.ldap_person.employee_uid log field value is not empty, then the actor.user.ldap_person.employee_uid log field is mapped to the principal.user.employee_uid UDM field. Else, if the actor.process.user.ldap_person.employee_uid log field value is not empty, then the actor.process.user.ldap_person.employee_uid log field is mapped to the principal.user.employee_uid UDM field. |
| actor.user.ldap_person.location | principal.user.attribute.labels[user_ldap_person_location] | If the actor.user.ldap_person.location log field value is not empty, then the actor.user.ldap_person.location log field is mapped to the principal.user.attribute.labels[user_ldap_person_location] UDM field. Else, if the actor.process.user.ldap_person.location log field value is not empty, then the actor.process.user.ldap_person.location log field is mapped to the principal.user.attribute.labels[user_ldap_person_location] UDM field. |
| actor.process.user.ldap_person.location | principal.user.attribute.labels[user_ldap_person_location] | If the actor.user.ldap_person.location log field value is not empty, then the actor.user.ldap_person.location log field is mapped to the principal.user.attribute.labels[user_ldap_person_location] UDM field. Else, if the actor.process.user.ldap_person.location log field value is not empty, then the actor.process.user.ldap_person.location log field is mapped to the principal.user.attribute.labels[user_ldap_person_location] UDM field. |
| actor.user.ldap_person.given_name | principal.user.first_name | If the actor.user.ldap_person.given_name log field value is not empty, then the actor.user.ldap_person.given_name log field is mapped to the principal.user.first_name UDM field. Else, if the actor.process.user.ldap_person.given_name log field value is not empty, then the actor.process.user.ldap_person.given_name log field is mapped to the principal.user.first_name UDM field. |
| actor.process.user.ldap_person.given_name | principal.user.first_name | If the actor.user.ldap_person.given_name log field value is not empty, then the actor.user.ldap_person.given_name log field is mapped to the principal.user.first_name UDM field. Else, if the actor.process.user.ldap_person.given_name log field value is not empty, then the actor.process.user.ldap_person.given_name log field is mapped to the principal.user.first_name UDM field. |
| actor.user.ldap_person.hire_time | principal.user.hire_date | If the actor.user.ldap_person.hire_time log field value is not empty, then the actor.user.ldap_person.hire_time log field is mapped to the principal.user.hire_date UDM field. Else, if the actor.process.user.ldap_person.hire_time log field value is not empty, then the actor.process.user.ldap_person.hire_time log field is mapped to the principal.user.hire_date UDM field. |
| actor.process.user.ldap_person.hire_time | principal.user.hire_date | If the actor.user.ldap_person.hire_time log field value is not empty, then the actor.user.ldap_person.hire_time log field is mapped to the principal.user.hire_date UDM field. Else, if the actor.process.user.ldap_person.hire_time log field value is not empty, then the actor.process.user.ldap_person.hire_time log field is mapped to the principal.user.hire_date UDM field. |
| actor.user.ldap_person.job_title | principal.user.title | If the actor.user.ldap_person.job_title log field value is not empty, then the actor.user.ldap_person.job_title log field is mapped to the principal.user.title UDM field. Else, if the actor.process.user.ldap_person.job_title log field value is not empty, then the actor.process.user.ldap_person.job_title log field is mapped to the principal.user.title UDM field. |
| actor.process.user.ldap_person.job_title | principal.user.title | If the actor.user.ldap_person.job_title log field value is not empty, then the actor.user.ldap_person.job_title log field is mapped to the principal.user.title UDM field. Else, if the actor.process.user.ldap_person.job_title log field value is not empty, then the actor.process.user.ldap_person.job_title log field is mapped to the principal.user.title UDM field. |
| actor.user.ldap_person.ldap_cn | principal.user.attribute.labels[user_ldap_person_ldap_cn] | If the actor.user.ldap_person.ldap_cn log field value is not empty, then the actor.user.ldap_person.ldap_cn log field is mapped to the principal.user.attribute.labels[user_ldap_person_ldap_cn] UDM field. Else, if the actor.process.user.ldap_person.ldap_cn log field value is not empty, then the actor.process.user.ldap_person.ldap_cn log field is mapped to the principal.user.attribute.labels[user_ldap_person_ldap_cn] UDM field. |
| actor.process.user.ldap_person.ldap_cn | principal.user.attribute.labels[user_ldap_person_ldap_cn] | If the actor.user.ldap_person.ldap_cn log field value is not empty, then the actor.user.ldap_person.ldap_cn log field is mapped to the principal.user.attribute.labels[user_ldap_person_ldap_cn] UDM field. Else, if the actor.process.user.ldap_person.ldap_cn log field value is not empty, then the actor.process.user.ldap_person.ldap_cn log field is mapped to the principal.user.attribute.labels[user_ldap_person_ldap_cn] UDM field. |
| actor.user.ldap_person.ldap_dn | principal.user.attribute.labels[user_ldap_person_ldap_dn] | If the actor.user.ldap_person.ldap_dn log field value is not empty, then the actor.user.ldap_person.ldap_dn log field is mapped to the principal.user.attribute.labels[user_ldap_person_ldap_dn] UDM field. Else, if the actor.process.user.ldap_person.ldap_dn log field value is not empty, then the actor.process.user.ldap_person.ldap_dn log field is mapped to the principal.user.attribute.labels[user_ldap_person_ldap_dn] UDM field. |
| actor.process.user.ldap_person.ldap_dn | principal.user.attribute.labels[user_ldap_person_ldap_dn] | If the actor.user.ldap_person.ldap_dn log field value is not empty, then the actor.user.ldap_person.ldap_dn log field is mapped to the principal.user.attribute.labels[user_ldap_person_ldap_dn] UDM field. Else, if the actor.process.user.ldap_person.ldap_dn log field value is not empty, then the actor.process.user.ldap_person.ldap_dn log field is mapped to the principal.user.attribute.labels[user_ldap_person_ldap_dn] UDM field. |
| actor.user.ldap_person.labels | principal.user.attribute.labels[user_ldap_person_labels] | If the actor.user.ldap_person.labels log field value is not empty, then the actor.user.ldap_person.labels log field is mapped to the principal.user.attribute.labels[user_ldap_person_labels] UDM field. Else, if the actor.process.user.ldap_person.labels log field value is not empty, then the actor.process.user.ldap_person.labels log field is mapped to the principal.user.attribute.labels[user_ldap_person_labels] UDM field. |
| actor.process.user.ldap_person.labels | principal.user.attribute.labels[user_ldap_person_labels] | If the actor.user.ldap_person.labels log field value is not empty, then the actor.user.ldap_person.labels log field is mapped to the principal.user.attribute.labels[user_ldap_person_labels] UDM field. Else, if the actor.process.user.ldap_person.labels log field value is not empty, then the actor.process.user.ldap_person.labels log field is mapped to the principal.user.attribute.labels[user_ldap_person_labels] UDM field. |
| actor.user.ldap_person.last_login_time | principal.user.last_login_time | If the actor.user.ldap_person.last_login_time log field value is not empty, then the actor.user.ldap_person.last_login_time log field is mapped to the principal.user.last_login_time UDM field. Else, if the actor.process.user.ldap_person.last_login_time log field value is not empty, then the actor.process.user.ldap_person.last_login_time log field is mapped to the principal.user.last_login_time UDM field. |
| actor.process.user.ldap_person.last_login_time | principal.user.last_login_time | If the actor.user.ldap_person.last_login_time log field value is not empty, then the actor.user.ldap_person.last_login_time log field is mapped to the principal.user.last_login_time UDM field. Else, if the actor.process.user.ldap_person.last_login_time log field value is not empty, then the actor.process.user.ldap_person.last_login_time log field is mapped to the principal.user.last_login_time UDM field. |
| actor.user.ldap_person.leave_time | principal.user.attribute.labels[user_ldap_person_leave_time] | If the actor.user.ldap_person.leave_time log field value is not empty, then the actor.user.ldap_person.leave_time log field is mapped to the principal.user.attribute.labels[user_ldap_person_leave_time] UDM field. Else, if the actor.process.user.ldap_person.leave_time log field value is not empty, then the actor.process.user.ldap_person.leave_time log field is mapped to the principal.user.attribute.labels[user_ldap_person_leave_time] UDM field. |
| actor.process.user.ldap_person.leave_time | principal.user.attribute.labels[user_ldap_person_leave_time] | If the actor.user.ldap_person.leave_time log field value is not empty, then the actor.user.ldap_person.leave_time log field is mapped to the principal.user.attribute.labels[user_ldap_person_leave_time] UDM field. Else, if the actor.process.user.ldap_person.leave_time log field value is not empty, then the actor.process.user.ldap_person.leave_time log field is mapped to the principal.user.attribute.labels[user_ldap_person_leave_time] UDM field. |
| actor.user.ldap_person.modified_time | principal.user.attribute.labels[user_ldap_person_modified_time] | If the actor.user.ldap_person.modified_time log field value is not empty, then the actor.user.ldap_person.modified_time log field is mapped to the principal.user.attribute.labels[user_ldap_person_modified_time] UDM field. Else, if the actor.process.user.ldap_person.modified_time log field value is not empty, then the actor.process.user.ldap_person.modified_time log field is mapped to the principal.user.attribute.labels[user_ldap_person_modified_time] UDM field. |
| actor.process.user.ldap_person.modified_time | principal.user.attribute.labels[user_ldap_person_modified_time] | If the actor.user.ldap_person.modified_time log field value is not empty, then the actor.user.ldap_person.modified_time log field is mapped to the principal.user.attribute.labels[user_ldap_person_modified_time] UDM field. Else, if the actor.process.user.ldap_person.modified_time log field value is not empty, then the actor.process.user.ldap_person.modified_time log field is mapped to the principal.user.attribute.labels[user_ldap_person_modified_time] UDM field. |
| actor.user.ldap_person.office_location | principal.user.office_address.name | If the actor.user.ldap_person.office_location log field value is not empty, then the actor.user.ldap_person.office_location log field is mapped to the principal.user.office_address.name UDM field. Else, if the actor.process.user.ldap_person.office_location log field value is not empty, then the actor.process.user.ldap_person.office_location log field is mapped to the principal.user.office_address.name UDM field. |
| actor.process.user.ldap_person.office_location | principal.user.office_address.name | If the actor.user.ldap_person.office_location log field value is not empty, then the actor.user.ldap_person.office_location log field is mapped to the principal.user.office_address.name UDM field. Else, if the actor.process.user.ldap_person.office_location log field value is not empty, then the actor.process.user.ldap_person.office_location log field is mapped to the principal.user.office_address.name UDM field. |
| actor.user.ldap_person.surname | principal.user.last_name | If the actor.user.ldap_person.surname log field value is not empty, then the actor.user.ldap_person.surname log field is mapped to the principal.user.last_name UDM field. Else, if the actor.process.user.ldap_person.surname log field value is not empty, then the actor.process.user.ldap_person.surname log field is mapped to the principal.user.last_name UDM field. |
| actor.process.user.ldap_person.surname | principal.user.last_name | If the actor.user.ldap_person.surname log field value is not empty, then the actor.user.ldap_person.surname log field is mapped to the principal.user.last_name UDM field. Else, if the actor.process.user.ldap_person.surname log field value is not empty, then the actor.process.user.ldap_person.surname log field is mapped to the principal.user.last_name UDM field. |
| actor.user.ldap_person.manager.cost_center | principal.user.managers.attribute.labels[user_ldap_person_cost_center] | If the actor.user.ldap_person.manager.cost_center log field value is not empty, then the parser iterates through the actor.user.ldap_person.manager log field and maps the actor.user.ldap_person.manager.cost_center log field to the principal.user.managers.attribute.labels[user_ldap_person_cost_center] UDM field. Else, if the actor.process.user.ldap_person.manager.cost_center log field value is not empty, then the parser iterates through the actor.process.user.ldap_person.manager log field and maps the actor.process.user.ldap_person.manager.cost_center log field to the principal.user.managers.attribute.labels[user_ldap_person_cost_center] UDM field. |
| actor.process.user.ldap_person.manager.cost_center | principal.user.managers.attribute.labels[user_ldap_person_cost_center] | If the actor.user.ldap_person.manager.cost_center log field value is not empty, then the parser iterates through the actor.user.ldap_person.manager log field and maps the actor.user.ldap_person.manager.cost_center log field to the principal.user.managers.attribute.labels[user_ldap_person_cost_center] UDM field. Else, if the actor.process.user.ldap_person.manager.cost_center log field value is not empty, then the parser iterates through the actor.process.user.ldap_person.manager log field and maps the actor.process.user.ldap_person.manager.cost_center log field to the principal.user.managers.attribute.labels[user_ldap_person_cost_center] UDM field. |
| actor.user.ldap_person.manager.created_time | principal.user.managers.attribute.labels[user_ldap_person_created_time] | If the actor.user.ldap_person.manager.created_time log field value is not empty, then the parser iterates through the actor.user.ldap_person.manager log field and maps the actor.user.ldap_person.manager.created_time log field to the principal.user.managers.attribute.labels[user_ldap_person_created_time] UDM field. Else, if the actor.process.user.ldap_person.manager.created_time log field value is not empty, then the parser iterates through the actor.process.user.ldap_person.manager log field and maps the actor.process.user.ldap_person.manager.created_time log field to the principal.user.managers.attribute.labels[user_ldap_person_created_time] UDM field. |
| actor.process.user.ldap_person.manager.created_time | principal.user.managers.attribute.labels[user_ldap_person_created_time] | If the actor.user.ldap_person.manager.created_time log field value is not empty, then the parser iterates through the actor.user.ldap_person.manager log field and maps the actor.user.ldap_person.manager.created_time log field to the principal.user.managers.attribute.labels[user_ldap_person_created_time] UDM field. Else, if the actor.process.user.ldap_person.manager.created_time log field value is not empty, then the parser iterates through the actor.process.user.ldap_person.manager log field and maps the actor.process.user.ldap_person.manager.created_time log field to the principal.user.managers.attribute.labels[user_ldap_person_created_time] UDM field. |
| actor.user.ldap_person.manager.deleted_time | principal.user.managers.attribute.labels[user_ldap_person_deleted_time] | If the actor.user.ldap_person.manager.deleted_time log field value is not empty, then the parser iterates through the actor.user.ldap_person.manager log field and maps the actor.user.ldap_person.manager.deleted_time log field to the principal.user.managers.attribute.labels[user_ldap_person_deleted_time] UDM field. Else, if the actor.process.user.ldap_person.manager.deleted_time log field value is not empty, then the parser iterates through the actor.process.user.ldap_person.manager log field and maps the actor.process.user.ldap_person.manager.deleted_time log field to the principal.user.managers.attribute.labels[user_ldap_person_deleted_time] UDM field. |
| actor.process.user.ldap_person.manager.deleted_time | principal.user.managers.attribute.labels[user_ldap_person_deleted_time] | If the actor.user.ldap_person.manager.deleted_time log field value is not empty, then the parser iterates through the actor.user.ldap_person.manager log field and maps the actor.user.ldap_person.manager.deleted_time log field to the principal.user.managers.attribute.labels[user_ldap_person_deleted_time] UDM field. Else, if the actor.process.user.ldap_person.manager.deleted_time log field value is not empty, then the parser iterates through the actor.process.user.ldap_person.manager log field and maps the actor.process.user.ldap_person.manager.deleted_time log field to the principal.user.managers.attribute.labels[user_ldap_person_deleted_time] UDM field. |
| actor.user.ldap_person.manager.email_addrs | principal.user.managers.email_addresses | If the actor.user.ldap_person.manager.email_addrs log field value is not empty, then the parser iterates through the actor.user.ldap_person.manager log field and maps the actor.user.ldap_person.manager.email_addrs log field to the principal.user.managers.email_addresses UDM field. Else, if the actor.process.user.ldap_person.manager.email_addrs log field value is not empty, then the parser iterates through the actor.process.user.ldap_person.manager log field and maps the actor.process.user.ldap_person.manager.email_addrs log field to the principal.user.managers.email_addresses UDM field. |
| actor.process.user.ldap_person.manager.email_addrs | principal.user.managers.email_addresses | If the actor.user.ldap_person.manager.email_addrs log field value is not empty, then the parser iterates through the actor.user.ldap_person.manager log field and maps the actor.user.ldap_person.manager.email_addrs log field to the principal.user.managers.email_addresses UDM field. Else, if the actor.process.user.ldap_person.manager.email_addrs log field value is not empty, then the parser iterates through the actor.process.user.ldap_person.manager log field and maps the actor.process.user.ldap_person.manager.email_addrs log field to the principal.user.managers.email_addresses UDM field. |
| actor.user.ldap_person.manager.employee_uid | principal.user.managers.employee_uid | If the actor.user.ldap_person.manager.employee_uid log field value is not empty, then the parser iterates through the actor.user.ldap_person.manager log field and maps the actor.user.ldap_person.manager.employee_uid log field to the principal.user.managers.employee_uid UDM field. Else, if the actor.process.user.ldap_person.manager.employee_uid log field value is not empty, then the parser iterates through the actor.process.user.ldap_person.manager log field and maps the actor.process.user.ldap_person.manager.employee_uid log field to the principal.user.managers.employee_uid UDM field. |
| actor.process.user.ldap_person.manager.employee_uid | principal.user.managers.employee_uid | If the actor.user.ldap_person.manager.employee_uid log field value is not empty, then the parser iterates through the actor.user.ldap_person.manager log field and maps the actor.user.ldap_person.manager.employee_uid log field to the principal.user.managers.employee_uid UDM field. Else, if the actor.process.user.ldap_person.manager.employee_uid log field value is not empty, then the parser iterates through the actor.process.user.ldap_person.manager log field and maps the actor.process.user.ldap_person.manager.employee_uid log field to the principal.user.managers.employee_uid UDM field. |
| actor.user.ldap_person.manager.location | principal.user.managers.attribute.labels[user_ldap_person_location] | If the actor.user.ldap_person.manager.location log field value is not empty, then the parser iterates through the actor.user.ldap_person.manager log field and maps the actor.user.ldap_person.manager.location log field to the principal.user.managers.attribute.labels[user_ldap_person_location] UDM field. Else, if the actor.process.user.ldap_person.manager.location log field value is not empty, then the parser iterates through the actor.process.user.ldap_person.manager log field and maps the actor.process.user.ldap_person.manager.location log field to the principal.user.managers.attribute.labels[user_ldap_person_location] UDM field. |
| actor.process.user.ldap_person.manager.location | principal.user.managers.attribute.labels[user_ldap_person_location] | If the actor.user.ldap_person.manager.location log field value is not empty, then the parser iterates through the actor.user.ldap_person.manager log field and maps the actor.user.ldap_person.manager.location log field to the principal.user.managers.attribute.labels[user_ldap_person_location] UDM field. Else, if the actor.process.user.ldap_person.manager.location log field value is not empty, then the parser iterates through the actor.process.user.ldap_person.manager log field and maps the actor.process.user.ldap_person.manager.location log field to the principal.user.managers.attribute.labels[user_ldap_person_location] UDM field. |
| actor.user.ldap_person.manager.given_name | principal.user.managers.first_name | If the actor.user.ldap_person.manager.given_namelog field value is not empty then,iterate through log field actor.user.ldap_person.manager, thenactor.user.ldap_person.manager.given_namelog field is mapped to theprincipal.user.managers.first_nameUDM field.Else, if actor.process.user.ldap_person.manager.given_namelog field value then,iterate through log field actor.process.user.ldap_person.manager, thenactor.process.user.ldap_person.manager.given_namelog field is mapped to theprincipal.user.managers.first_nameUDM field. | 
| actor.process.user.ldap_person.manager.given_name | principal.user.managers.first_name | If the actor.user.ldap_person.manager.given_namelog field value is not empty then,iterate through log field actor.user.ldap_person.manager, thenactor.user.ldap_person.manager.given_namelog field is mapped to theprincipal.user.managers.first_nameUDM field.Else, if actor.process.user.ldap_person.manager.given_namelog field value then,iterate through log field actor.process.user.ldap_person.manager, thenactor.process.user.ldap_person.manager.given_namelog field is mapped to theprincipal.user.managers.first_nameUDM field. | 
| actor.user.ldap_person.manager.hire_time | principal.user.managers.hire_date | If the actor.user.ldap_person.manager.hire_timelog field value is not empty then,iterate through log field actor.user.ldap_person.manager, thenactor.user.ldap_person.manager.hire_timelog field is mapped to theprincipal.user.managers.hire_dateUDM field.Else, if actor.process.user.ldap_person.manager.hire_timelog field value then,iterate through log field actor.process.user.ldap_person.manager, thenactor.process.user.ldap_person.manager.hire_timelog field is mapped to theprincipal.user.managers.hire_dateUDM field. | 
| actor.process.user.ldap_person.manager.hire_time | principal.user.managers.hire_date | If the actor.user.ldap_person.manager.hire_timelog field value is not empty then,iterate through log field actor.user.ldap_person.manager, thenactor.user.ldap_person.manager.hire_timelog field is mapped to theprincipal.user.managers.hire_dateUDM field.Else, if actor.process.user.ldap_person.manager.hire_timelog field value then,iterate through log field actor.process.user.ldap_person.manager, thenactor.process.user.ldap_person.manager.hire_timelog field is mapped to theprincipal.user.managers.hire_dateUDM field. | 
| actor.user.ldap_person.manager.job_title | principal.user.managers.title | If the actor.user.ldap_person.manager.job_titlelog field value is not empty then,iterate through log field actor.user.ldap_person.manager, thenactor.user.ldap_person.manager.job_titlelog field is mapped to theprincipal.user.managers.titleUDM field.Else, if actor.process.user.ldap_person.manager.job_titlelog field value then,iterate through log field actor.process.user.ldap_person.manager, thenactor.process.user.ldap_person.manager.job_titlelog field is mapped to theprincipal.user.managers.titleUDM field. | 
| actor.process.user.ldap_person.manager.job_title | principal.user.managers.title | If the actor.user.ldap_person.manager.job_titlelog field value is not empty then,iterate through log field actor.user.ldap_person.manager, thenactor.user.ldap_person.manager.job_titlelog field is mapped to theprincipal.user.managers.titleUDM field.Else, if actor.process.user.ldap_person.manager.job_titlelog field value then,iterate through log field actor.process.user.ldap_person.manager, thenactor.process.user.ldap_person.manager.job_titlelog field is mapped to theprincipal.user.managers.titleUDM field. | 
| actor.user.ldap_person.manager.ldap_cn | principal.user.managers.attribute.labels[user_ldap_person_ldap_cn] | If the actor.user.ldap_person.manager.ldap_cnlog field value is not empty then,iterate through log field actor.user.ldap_person.manager, thenactor.user.ldap_person.manager.ldap_cnlog field is mapped to theprincipal.user.managers.attribute.labels[user_ldap_person_ldap_cn]UDM field.Else, if actor.process.user.ldap_person.manager.ldap_cnlog field value then,iterate through log field actor.process.user.ldap_person.manager, thenactor.process.user.ldap_person.manager.ldap_cnlog field is mapped to theprincipal.user.managers.attribute.labels[user_ldap_person_ldap_cn]UDM field. | 
| actor.process.user.ldap_person.manager.ldap_cn | principal.user.managers.attribute.labels[user_ldap_person_ldap_cn] | If the actor.user.ldap_person.manager.ldap_cnlog field value is not empty then,iterate through log field actor.user.ldap_person.manager, thenactor.user.ldap_person.manager.ldap_cnlog field is mapped to theprincipal.user.managers.attribute.labels[user_ldap_person_ldap_cn]UDM field.Else, if actor.process.user.ldap_person.manager.ldap_cnlog field value then,iterate through log field actor.process.user.ldap_person.manager, thenactor.process.user.ldap_person.manager.ldap_cnlog field is mapped to theprincipal.user.managers.attribute.labels[user_ldap_person_ldap_cn]UDM field. | 
| actor.user.ldap_person.manager.ldap_dn | principal.user.managers.attribute.labels[user_ldap_person_ldap_dn] | If the actor.user.ldap_person.manager.ldap_dnlog field value is not empty then,iterate through log field actor.user.ldap_person.manager, thenactor.user.ldap_person.manager.ldap_dnlog field is mapped to theprincipal.user.managers.attribute.labels[user_ldap_person_ldap_dn]UDM field.Else, if actor.process.user.ldap_person.manager.ldap_dnlog field value then,iterate through log field actor.process.user.ldap_person.manager, thenactor.process.user.ldap_person.manager.ldap_dnlog field is mapped to theprincipal.user.managers.attribute.labels[user_ldap_person_ldap_dn]UDM field. | 
| actor.process.user.ldap_person.manager.ldap_dn | principal.user.managers.attribute.labels[user_ldap_person_ldap_dn] | If the actor.user.ldap_person.manager.ldap_dnlog field value is not empty then,iterate through log field actor.user.ldap_person.manager, thenactor.user.ldap_person.manager.ldap_dnlog field is mapped to theprincipal.user.managers.attribute.labels[user_ldap_person_ldap_dn]UDM field.Else, if actor.process.user.ldap_person.manager.ldap_dnlog field value then,iterate through log field actor.process.user.ldap_person.manager, thenactor.process.user.ldap_person.manager.ldap_dnlog field is mapped to theprincipal.user.managers.attribute.labels[user_ldap_person_ldap_dn]UDM field. | 
| actor.user.ldap_person.manager.labels | principal.user.managers.attribute.labels[user_ldap_person_labels] | If the actor.user.ldap_person.manager.labelslog field value is not empty then,iterate through log field actor.user.ldap_person.manager, thenactor.user.ldap_person.manager.labelslog field is mapped to theprincipal.user.managers.attribute.labels[user_ldap_person_labels]UDM field.Else, if actor.process.user.ldap_person.manager.labelslog field value then,iterate through log field actor.process.user.ldap_person.manager, thenactor.process.user.ldap_person.manager.labelslog field is mapped to theprincipal.user.managers.attribute.labels[user_ldap_person_labels]UDM field. | 
| actor.process.user.ldap_person.manager.labels | principal.user.managers.attribute.labels[user_ldap_person_labels] | If the actor.user.ldap_person.manager.labelslog field value is not empty then,iterate through log field actor.user.ldap_person.manager, thenactor.user.ldap_person.manager.labelslog field is mapped to theprincipal.user.managers.attribute.labels[user_ldap_person_labels]UDM field.Else, if actor.process.user.ldap_person.manager.labelslog field value then,iterate through log field actor.process.user.ldap_person.manager, thenactor.process.user.ldap_person.manager.labelslog field is mapped to theprincipal.user.managers.attribute.labels[user_ldap_person_labels]UDM field. | 
| actor.user.ldap_person.manager.last_login_timelast_login_time | principal.user.managers.last_login_time | If the actor.user.ldap_person.manager.last_login_timelast_login_timelog field value is not empty then,iterate through log field actor.user.ldap_person.manager, thenactor.user.ldap_person.manager.last_login_timelast_login_timelog field is mapped to theprincipal.user.managers.last_login_timeUDM field.Else, if actor.process.user.ldap_person.manager.last_login_timelast_login_timelog field value then,iterate through log field actor.process.user.ldap_person.manager, thenactor.process.user.ldap_person.manager.last_login_timelast_login_timelog field is mapped to theprincipal.user.managers.last_login_timeUDM field. | 
| actor.process.user.ldap_person.manager.last_login_timelast_login_time | principal.user.managers.last_login_time | If the actor.user.ldap_person.manager.last_login_timelast_login_timelog field value is not empty then,iterate through log field actor.user.ldap_person.manager, thenactor.user.ldap_person.manager.last_login_timelast_login_timelog field is mapped to theprincipal.user.managers.last_login_timeUDM field.Else, if actor.process.user.ldap_person.manager.last_login_timelast_login_timelog field value then,iterate through log field actor.process.user.ldap_person.manager, thenactor.process.user.ldap_person.manager.last_login_timelast_login_timelog field is mapped to theprincipal.user.managers.last_login_timeUDM field. | 
| actor.user.ldap_person.manager.leave_time | principal.user.managers.attribute.labels[user_ldap_person_leave_time] | If the actor.user.ldap_person.manager.leave_timelog field value is not empty then,iterate through log field actor.user.ldap_person.manager, thenactor.user.ldap_person.manager.leave_timelog field is mapped to theprincipal.user.managers.attribute.labels[user_ldap_person_leave_time]UDM field.Else, if actor.process.user.ldap_person.manager.leave_timelog field value then,iterate through log field actor.process.user.ldap_person.manager, thenactor.process.user.ldap_person.manager.leave_timelog field is mapped to theprincipal.user.managers.attribute.labels[user_ldap_person_leave_time]UDM field. | 
| actor.process.user.ldap_person.manager.leave_time | principal.user.managers.attribute.labels[user_ldap_person_leave_time] | If the actor.user.ldap_person.manager.leave_timelog field value is not empty then,iterate through log field actor.user.ldap_person.manager, thenactor.user.ldap_person.manager.leave_timelog field is mapped to theprincipal.user.managers.attribute.labels[user_ldap_person_leave_time]UDM field.Else, if actor.process.user.ldap_person.manager.leave_timelog field value then,iterate through log field actor.process.user.ldap_person.manager, thenactor.process.user.ldap_person.manager.leave_timelog field is mapped to theprincipal.user.managers.attribute.labels[user_ldap_person_leave_time]UDM field. | 
| actor.user.ldap_person.manager.modified_time | principal.user.managers.attribute.labels[user_ldap_person_modified_time] | If the actor.user.ldap_person.manager.modified_timelog field value is not empty then,iterate through log field actor.user.ldap_person.manager, thenactor.user.ldap_person.manager.modified_timelog field is mapped to theprincipal.user.managers.attribute.labels[user_ldap_person_modified_time]UDM field.Else, if actor.process.user.ldap_person.manager.modified_timelog field value then,iterate through log field actor.process.user.ldap_person.manager, then%{actor.process.user.ldap_person.manager.modified_time}log field is mapped to theprincipal.user.managers.attribute.labels[user_ldap_person_modified_time]UDM field. | 
| actor.process.user.ldap_person.manager.modified_time | principal.user.managers.attribute.labels[user_ldap_person_modified_time] | If the actor.user.ldap_person.manager.modified_timelog field value is not empty then,iterate through log field actor.user.ldap_person.manager, thenactor.user.ldap_person.manager.modified_timelog field is mapped to theprincipal.user.managers.attribute.labels[user_ldap_person_modified_time]UDM field.Else, if actor.process.user.ldap_person.manager.modified_timelog field value then,iterate through log field actor.process.user.ldap_person.manager, then%{actor.process.user.ldap_person.manager.modified_time}log field is mapped to theprincipal.user.managers.attribute.labels[user_ldap_person_modified_time]UDM field. | 
| actor.user.ldap_person.manager.office_locationoffice_location | principal.user.managers.office_address.name | If the actor.user.ldap_person.manager.office_locationoffice_locationlog field value is not empty then,iterate through log field actor.user.ldap_person.manager, thenactor.user.ldap_person.manager.office_locationoffice_locationlog field is mapped to theprincipal.user.managers.office_address.nameUDM field.Else, if actor.process.user.ldap_person.manager.office_locationoffice_locationlog field value then,iterate through log field actor.process.user.ldap_person.manager, thenactor.process.user.ldap_person.manager.office_locationoffice_locationlog field is mapped to theprincipal.user.managers.office_address.nameUDM field. | 
| actor.process.user.ldap_person.manager.office_locationoffice_location | principal.user.managers.office_address.name | If the actor.user.ldap_person.manager.office_locationoffice_locationlog field value is not empty then,iterate through log field actor.user.ldap_person.manager, thenactor.user.ldap_person.manager.office_locationoffice_locationlog field is mapped to theprincipal.user.managers.office_address.nameUDM field.Else, if actor.process.user.ldap_person.manager.office_locationoffice_locationlog field value then,iterate through log field actor.process.user.ldap_person.manager, thenactor.process.user.ldap_person.manager.office_locationoffice_locationlog field is mapped to theprincipal.user.managers.office_address.nameUDM field. | 
| actor.user.ldap_person.manager.surname | principal.user.managers.last_name | If the actor.user.ldap_person.manager.surnamelog field value is not empty then,iterate through log field actor.user.ldap_person.manager, thenactor.user.ldap_person.manager.surnamelog field is mapped to theprincipal.user.managers.last_nameUDM field.Else, if actor.process.user.ldap_person.manager.surnamelog field value then,iterate through log field actor.process.user.ldap_person.manager, thenactor.process.user.ldap_person.manager.surnamelog field is mapped to theprincipal.user.managers.last_nameUDM field. | 
| actor.process.user.ldap_person.manager.surname | principal.user.managers.last_name | If the actor.user.ldap_person.manager.surnamelog field value is not empty then,iterate through log field actor.user.ldap_person.manager, thenactor.user.ldap_person.manager.surnamelog field is mapped to theprincipal.user.managers.last_nameUDM field.Else, if actor.process.user.ldap_person.manager.surnamelog field value then,iterate through log field actor.process.user.ldap_person.manager, thenactor.process.user.ldap_person.manager.surnamelog field is mapped to theprincipal.user.managers.last_nameUDM field. | 
| actor.user.groups.domain | principal.user.group_identifiers | If the actor.user.ldap_person.groups.domainlog field value is not empty then,iterate through log field actor.user.ldap_person.groups, thenactor.user.groups.domainlog field is mapped to theprincipal.user.group_identifiersUDM field.Else, if actor.process.user.ldap_person.groups.domainlog field value then,iterate through log field actor.user.ldap_person.groups, thenactor.process.user.groups.domainlog field is mapped to theprincipal.user.group_identifiersUDM field. | 
| actor.process.user.groups.domain | principal.user.group_identifiers | If the actor.user.ldap_person.groups.domainlog field value is not empty then,iterate through log field actor.user.ldap_person.groups, thenactor.user.groups.domainlog field is mapped to theprincipal.user.group_identifiersUDM field.Else, if actor.process.user.ldap_person.groups.domainlog field value then,iterate through log field actor.user.ldap_person.groups, thenactor.process.user.groups.domainlog field is mapped to theprincipal.user.group_identifiersUDM field. | 
| additional.fields[actor.session.uid_alt] | additional.fields[actor_session_uid_alt] | |
| additional.fields[actor.session.count] | additional.fields[actor_session_count] | |
| additional.fields[actor.session.expiration_reason] | additional.fields[actor_session_expiration_reason] | |
| additional.fields[actor.session.is_mfa] | additional.fields[actor_session_is_mfa] | |
| additional.fields[actor.session.terminal] | additional.fields[actor_session_terminal] | |
| additional.fields[actor.session.is_vpn] | additional.fields[actor_session_is_vpn] | |
| device.zone | principal.asset.attribute.labels[device_zone] | |
| device.groups.domain | principal.asset.attribute.labels[device_groups_domain] | Iterate through log field device.groups.domain, then device.groups.domain log field is mapped to the principal.asset.attribute.labels[device_domain] UDM field. |
| device.os.cpe_name | principal.asset.attribute.labels[device_os_cpe_name] | |
| process.file.signature.certificate.uid | additional.fields[file_signature_certificate_uid] | |
| process.file.product.cpe_name | additional.fields[file_product_cpe_name] | |
| metadata.log_level | additional.fields[metadata_log_level] | |
| metadata.tenant_uid | additional.fields[metadata_tenant_uid] | |
| metadata.product.cpe_name | additional.fields[metadata_product_cpe_name] | |
| metadata.product.cpe_name | about.asset.attribute.labels[metadata_product_cpe_name] | |
| metadata.loggers.device.hostname | about.asset.hostname | Iterate through log field metadata.loggers, then metadata.loggers.device.hostname log field is mapped to the about.asset.hostname UDM field. |
| metadata.loggers.device.ip | about.asset.ip | Iterate through log field metadata.loggers, then metadata.loggers.device.ip log field is mapped to the about.asset.ip UDM field. |
| metadata.loggers.device.instance_uid | about.asset.attribute.labels[metadata_device_instance_uid] | Iterate through log field metadata.loggers, then metadata.loggers.device.instance_uid log field is mapped to the about.asset.attribute.labels[metadata_device_instance_uid] UDM field. |
| metadata.loggers.device.name | about.asset.attribute.labels[metadata_device_name] | Iterate through log field metadata.loggers, then metadata.loggers.device.name log field is mapped to the about.asset.attribute.labels[metadata_device_name] UDM field. |
| metadata.loggers.device.interface_uid | about.asset.attribute.labels[metadata_device_interface_uid] | Iterate through log field metadata.loggers, then metadata.loggers.device.interface_uid log field is mapped to the about.asset.attribute.labels[metadata_device_interface_uid] UDM field. |
| metadata.loggers.device.interface_name | about.asset.attribute.labels[metadata_device_interface_name] | Iterate through log field metadata.loggers, then metadata.loggers.device.interface_name log field is mapped to the about.asset.attribute.labels[metadata_device_interface_name] UDM field. |
| metadata.loggers.device.region | about.asset.attribute.labels[metadata_device_region] | Iterate through log field metadata.loggers, then metadata.loggers.device.region log field is mapped to the about.asset.attribute.labels[metadata_device_region] UDM field. |
| metadata.loggers.device.type_id | about.asset.attribute.labels[metadata_device_type_id] | Iterate through log field metadata.loggers, then metadata.loggers.device.type_id log field is mapped to the about.asset.attribute.labels[metadata_device_type_id] UDM field. |
| metadata.loggers.device.uid | about.asset.asset_id | Iterate through log field metadata.loggers, then metadata.loggers.device.uid log field is mapped to the about.asset.asset_id UDM field. |
| metadata.loggers.product.name | additional.fields[metadata_product_name] | Iterate through log field metadata.loggers, then metadata.loggers.product.name log field is mapped to the additional.fields[metadata_product_name] UDM field. |
| metadata.loggers.product.vendor_name | additional.fields[metadata_product_vendor_name] | Iterate through log field metadata.loggers, then metadata.loggers.product.vendor_name log field is mapped to the additional.fields[metadata_product_vendor_name] UDM field. |
| metadata.loggers.product.version | additional.fields[metadata_product_version] | Iterate through log field metadata.loggers, then metadata.loggers.product.version log field is mapped to the additional.fields[metadata_product_version] UDM field. |
| metadata.loggers.product.uid | additional.fields[metadata_product_uid] | Iterate through log field metadata.loggers, then metadata.loggers.product.uid log field is mapped to the additional.fields[metadata_product_uid] UDM field. |
| metadata.loggers.uid | additional.fields[metadata_loggers_uid] | Iterate through log field metadata.loggers, then metadata.loggers.uid log field is mapped to the additional.fields[metadata_loggers_uid] UDM field. |
| metadata.loggers.name | additional.fields[metadata_loggers_name] | Iterate through log field metadata.loggers, then metadata.loggers.name log field is mapped to the additional.fields[metadata_loggers_name] UDM field. |
| metadata.loggers.log_provider | additional.fields[metadata_loggers_log_provider] | Iterate through log field metadata.loggers, then metadata.loggers.log_provider log field is mapped to the additional.fields[metadata_loggers_log_provider] UDM field. |
| metadata.loggers.log_name | additional.fields[metadata_loggers_log_name] | Iterate through log field metadata.loggers, then metadata.loggers.log_name log field is mapped to the additional.fields[metadata_loggers_log_name] UDM field. |
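The two rules that recur throughout the table above, the actor.user-first precedence for manager attributes and the per-entry iteration over metadata.loggers, are easy to misread when validating parser output, so the following is an added, illustrative re-implementation of them in Python. It is not the Google SecOps OCSF parser and makes no claim about its internals; the function names (normalize_managers, normalize_loggers, get_path) and the sample event are constructed for this example. The point it demonstrates is that when both actor.user.ldap_person.manager and actor.process.user.ldap_person.manager are present, only the former is used, the sources are never merged, and that each logger entry becomes its own about.asset record.

```python
"""Illustrative re-implementation of two mapping rules from the table above.

Added example code, not the Google SecOps OCSF parser itself. It shows how the
documented precedence behaves on a constructed OCSF event:

  * manager attributes are read from actor.user.ldap_person.manager when that
    field is non-empty, otherwise from actor.process.user.ldap_person.manager;
    the two sources are never merged;
  * every entry of metadata.loggers yields its own about.asset record.
"""
from typing import Any

# (OCSF manager key, UDM field under principal.user.managers) pairs from the table above.
MANAGER_FIELDS = [
    ("email_addrs", "email_addresses"),
    ("employee_uid", "employee_uid"),
    ("given_name", "first_name"),
    ("surname", "last_name"),
    ("job_title", "title"),
    ("hire_time", "hire_date"),
    ("last_login_time", "last_login_time"),
    ("office_location", "office_address.name"),
]
# Manager keys that land in attribute.labels[user_ldap_person_<key>].
MANAGER_LABEL_KEYS = ["deleted_time", "location", "ldap_cn", "ldap_dn",
                      "labels", "leave_time", "modified_time"]


def get_path(obj: Any, path: str) -> Any:
    """Walk a dotted path through nested dicts; return None if any hop is missing."""
    cur = obj
    for part in path.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def as_list(value: Any) -> list:
    """OCSF allows a single object or an array for repeated fields."""
    return value if isinstance(value, list) else [value]


def is_empty(value: Any) -> bool:
    return value is None or value == "" or value == [] or value == {}


def normalize_managers(event: dict) -> list:
    """Return principal.user.managers entries, applying the actor.user-first precedence."""
    managers = None
    for source in ("actor.user.ldap_person.manager",
                   "actor.process.user.ldap_person.manager"):
        candidate = get_path(event, source)
        if not is_empty(candidate):
            managers = candidate
            break  # first non-empty source wins; the other is ignored entirely
    if managers is None:
        return []
    out = []
    for manager in as_list(managers):
        udm = {}
        for src, dst in MANAGER_FIELDS:
            if not is_empty(manager.get(src)):
                udm[dst] = manager[src]
        labels = {f"user_ldap_person_{k}": str(manager[k])
                  for k in MANAGER_LABEL_KEYS if not is_empty(manager.get(k))}
        if labels:
            udm["attribute.labels"] = labels
        out.append(udm)
    return out


def normalize_loggers(event: dict) -> list:
    """Return one about.asset record per metadata.loggers entry."""
    records = []
    for logger in as_list(get_path(event, "metadata.loggers") or []):
        device = logger.get("device", {})
        asset = {}
        if not is_empty(device.get("hostname")):
            asset["hostname"] = device["hostname"]
        if not is_empty(device.get("ip")):
            asset["ip"] = as_list(device["ip"])  # about.asset.ip is repeated in UDM
        if not is_empty(device.get("uid")):
            asset["asset_id"] = device["uid"]
        labels = {f"metadata_device_{k}": str(device[k])
                  for k in ("instance_uid", "name", "interface_uid",
                            "interface_name", "region", "type_id")
                  if not is_empty(device.get(k))}
        if labels:
            asset["attribute.labels"] = labels
        records.append(asset)
    return records


# Constructed sample event: both manager sources are present, so only actor.user is used.
SAMPLE_EVENT = {
    "actor": {
        "user": {"name": "alice", "ldap_person": {"manager": {
            "given_name": "Grace", "surname": "Hopper", "employee_uid": "E-100",
            "email_addrs": ["grace@example.com"], "ldap_cn": "Grace Hopper"}}},
        "process": {"user": {"ldap_person": {"manager": {
            "given_name": "Ignored", "surname": "Manager"}}}},
    },
    "metadata": {"loggers": [
        {"device": {"hostname": "collector-1", "ip": "192.0.2.10",
                    "uid": "asset-1", "region": "us-east1"}},
        {"device": {"hostname": "collector-2", "uid": "asset-2"}},
    ]},
}

if __name__ == "__main__":
    print(normalize_managers(SAMPLE_EVENT))
    print(normalize_loggers(SAMPLE_EVENT))
```

Running the module on SAMPLE_EVENT yields a single manager built entirely from actor.user (the actor.process.user manager is dropped, not merged) and two about.asset records, one per logger. The same shape of check is what you would assert in a parser regression test before relying on principal.user.managers in a detection rule.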
Field mapping reference: OCSF Http Activity
The following table lists the log fields for the Http Activity log type and their corresponding UDM fields.
| Log field | UDM mapping | Logic | 
|---|---|---|
| actor.process.cmd_line | principal.process.command_line | |
| actor.process.file.accessed_time | principal.process.file.last_seen_time | |
| actor.process.file.created_time | principal.process.file.first_seen_time | |
| actor.process.file.mime_type | principal.process.file.mime_type | |
| actor.process.file.modified_time | principal.process.file.last_modification_time | |
| actor.process.file.name | principal.process.file.names | |
| actor.process.file.path | principal.process.file.full_path | |
| actor.process.file.size | principal.process.file.size | |
| actor.process.parent_process.cmd_line | principal.process.parent_process.command_line | |
| actor.process.parent_process.file.accessed_time | principal.process.parent_process.file.last_seen_time | |
| actor.process.parent_process.file.created_time | principal.process.parent_process.file.first_seen_time | |
| actor.process.parent_process.file.mime_type | principal.process.parent_process.file.mime_type | |
| actor.process.parent_process.file.modified_time | principal.process.parent_process.file.last_modification_time | |
| actor.process.parent_process.file.name | principal.process.parent_process.file.names | |
| actor.process.parent_process.file.path | principal.process.parent_process.file.full_path | |
| actor.process.parent_process.file.size | principal.process.parent_process.file.size | |
| actor.process.parent_process.pid | principal.process.parent_process.pid | |
| actor.process.parent_process.uid | principal.process.parent_process.product_specific_process_id | |
| actor.process.pid | principal.process.pid | |
| actor.process.uid | principal.process.product_specific_process_id | |
| actor.process.user.domain | principal.administrative_domain | If the actor.user.domain log field value is empty then, actor.process.user.domain log field is mapped to the principal.administrative_domain UDM field. |
| actor.process.user.email_addr | principal.user.email_addresses | If the actor.user.email_addr log field value is empty then, actor.process.user.email_addr log field is mapped to the principal.user.email_addresses UDM field. |
| actor.process.user.full_name | principal.user.user_display_name | If the actor.user.full_name log field value is empty then, actor.process.user.full_name log field is mapped to the principal.user.user_display_name UDM field. |
| actor.process.user.groups.name | principal.group.group_display_name | If the actor.user.groups.name log field value is empty then, actor.process.user.groups.name log field is mapped to the principal.group.group_display_name UDM field. |
| actor.process.user.groups.privileges | principal.group.attribute.permissions.name | If the actor.user.groups.privileges log field value is empty then, actor.process.user.groups.privileges log field is mapped to the principal.group.attribute.permissions.name UDM field. |
| actor.process.user.groups.uid | principal.user.group_identifiers | If the actor.user.groups.uid log field value is empty then, actor.process.user.groups.uid log field is mapped to the principal.user.group_identifiers UDM field. |
| actor.process.user.name | principal.user.userid | If the actor.user.name log field value is empty then, actor.process.user.name log field is mapped to the principal.user.userid UDM field. |
| actor.process.user.org.name | principal.user.company_name | If the actor.user.org.name log field value is empty then, actor.process.user.org.name log field is mapped to the principal.user.company_name UDM field. |
| actor.process.user.org.ou_name | principal.user.department | If the actor.user.org.ou_name log field value is empty then, actor.process.user.org.ou_name log field is mapped to the principal.user.department UDM field. |
| actor.process.user.type_id | principal.user.attribute.roles.name | If the actor.user.type_id log field value is empty and the type_id log field value is equal to 0 then, the principal.user.attribute.roles.name UDM field is set to Unknown. Else, if the type_id log field value is equal to 1 then, the principal.user.attribute.roles.name UDM field is set to User. Else, if the type_id log field value is equal to 2 then, the principal.user.attribute.roles.name UDM field is set to Admin. Else, if the type_id log field value is equal to 3 then, the principal.user.attribute.roles.name UDM field is set to System. Else, the principal.user.attribute.roles.name UDM field is set to Other. |
| actor.process.user.uid | principal.user.product_object_id | If the actor.user.uid log field value is empty then, actor.process.user.uid log field is mapped to the principal.user.product_object_id UDM field. |
| actor.session.uid | network.session_id | |
| actor.user.domain | principal.administrative_domain | |
| actor.user.email_addr | principal.user.email_addresses | |
| actor.user.full_name | principal.user.user_display_name | |
| actor.user.groups.name | principal.group.group_display_name | |
| actor.user.groups.privileges | principal.group.attribute.permissions.name | |
| actor.user.groups.uid | principal.user.group_identifiers | |
| actor.user.name | principal.user.userid | |
| actor.user.org.name | principal.user.company_name | |
| actor.user.org.ou_name | principal.user.department | |
| actor.user.type_id | principal.user.attribute.roles.name | If the type_id log field value is equal to 0 then, the principal.user.attribute.roles.name UDM field is set to Unknown. Else, if the type_id log field value is equal to 1 then, the principal.user.attribute.roles.name UDM field is set to User. Else, if the type_id log field value is equal to 2 then, the principal.user.attribute.roles.name UDM field is set to Admin. Else, if the type_id log field value is equal to 3 then, the principal.user.attribute.roles.name UDM field is set to System. Else, the principal.user.attribute.roles.name UDM field is set to Other. |
| actor.user.uid | principal.user.product_object_id | |
| api.response.code | network.http.response_code | If the http_response.code log field value is empty and the http_status log field value is empty then, api.response.code log field is mapped to the network.http.response_code UDM field. |
| api.response.message | metadata.description | If the message log field value is empty then, api.response.message log field is mapped to the metadata.description UDM field. |
| api.service.name | target.application | If the dst_endpoint.svc_name log field value is empty then, api.service.name log field is mapped to the target.application UDM field. |
| attacks.tactics.name | security_result.attack_details.tactics.name | |
| attacks.tactics.uid | security_result.attack_details.tactics.id | |
| attacks.technique.name | security_result.attack_details.technique.name | |
| attacks.technique.uid | security_result.attack_details.technique.id | |
| attacks.version | security_result.attack_details.version | |
| category_name | security_result.category_details | The concatenated value %{category_uid} - %{category_name} is mapped to the security_result.category_details UDM field. |
| category_uid | security_result.category_details | The concatenated value %{category_uid} - %{category_name} is mapped to the security_result.category_details UDM field. |
| class_name | metadata.log_type | |
| cloud.org.name | about.resource.name | |
| cloud.org.uid | about.resource.product_object_id | |
| cloud.project_uid | principal.resource.product_object_id | |
| cloud.provider | about.resource.attribute.cloud.environment | If the cloud.provider log field value matches the regular expression pattern AWS then, the about.resource.attribute.cloud.environment UDM field is set to AMAZON_WEB_SERVICES. Else, if the cloud.provider log field value matches the regular expression pattern MS Azure then, the about.resource.attribute.cloud.environment UDM field is set to MICROSOFT_AZURE. Else, if the cloud.provider log field value matches the regular expression pattern GCP then, the about.resource.attribute.cloud.environment UDM field is set to GOOGLE_CLOUD_PLATFORM. |
| cloud.region | about.location.name | |
| cloud.zone | about.resource.attribute.cloud.availability_zone | |
| connection_info.direction_id | network.direction | If the connection_info.direction_id log field value is equal to 1, then the network.direction UDM field is set to INBOUND. Else, if the connection_info.direction_id log field value is equal to 2, then the network.direction UDM field is set to OUTBOUND. Else, the network.direction UDM field is set to UNKNOWN_DIRECTION. |
| connection_info.protocol_num | network.ip_protocol | If the connection_info.protocol_num log field value is equal to 1, then the network.ip_protocol UDM field is set to ICMP. Else, if the connection_info.protocol_num log field value is equal to 2, then the network.ip_protocol UDM field is set to IGMP. Else, if the connection_info.protocol_num log field value is equal to 6, then the network.ip_protocol UDM field is set to TCP. Else, if the connection_info.protocol_num log field value is equal to 17, then the network.ip_protocol UDM field is set to UDP. Else, if the connection_info.protocol_num log field value is equal to 41, then the network.ip_protocol UDM field is set to IP6IN4. Else, if the connection_info.protocol_num log field value is equal to 47, then the network.ip_protocol UDM field is set to GRE. Else, if the connection_info.protocol_num log field value is equal to 50, then the network.ip_protocol UDM field is set to ESP. Else, if the connection_info.protocol_num log field value is equal to 58, then the network.ip_protocol UDM field is set to ICMP6. Else, if the connection_info.protocol_num log field value is equal to 88, then the network.ip_protocol UDM field is set to EIGRP. Else, if the connection_info.protocol_num log field value is equal to 97, then the network.ip_protocol UDM field is set to ETHERIP. Else, if the connection_info.protocol_num log field value is equal to 103, then the network.ip_protocol UDM field is set to PIM. Else, if the connection_info.protocol_num log field value is equal to 112, then the network.ip_protocol UDM field is set to VRRP. Else, if the connection_info.protocol_num log field value is equal to 132, then the network.ip_protocol UDM field is set to SCTP. Else, the network.ip_protocol UDM field is set to UNKNOWN_IP_PROTOCOL. |
| connection_info.protocol_ver_id | network.application_protocol_version | If the connection_info.protocol_ver_id log field value is equal to 4, then the network.application_protocol_version UDM field is set to Internet Protocol version 4 (IPv4). Else, if the connection_info.protocol_ver_id log field value is equal to 6, then the network.application_protocol_version UDM field is set to Internet Protocol version 6 (IPv6). |
| device.created_time | principal.asset.attribute.creation_time | |
| device.domain | principal.asset.network_domain | |
| device.first_seen_time | principal.asset.first_seen_time | |
| device.hostname | principal.asset.hostname | |
| device.hw_info.bios_manufacturer | principal.asset.hardware.manufacturer | |
| device.hw_info.cpu_cores | principal.asset.hardware.cpu_number_cores | |
| device.hw_info.cpu_speed | principal.asset.hardware.cpu_clock_speed | |
| device.hw_info.cpu_type | principal.asset.hardware.cpu_model | |
| device.hw_info.ram_size | principal.asset.hardware.ram | |
| device.hw_info.serial_number | principal.asset.hardware.serial_number | |
| device.ip | principal.asset.ip | |
| device.location.city | principal.asset.location.city | |
| device.location.coordinates.0 | principal.asset.location.region_coordinates.longitude | |
| device.location.coordinates.1 | principal.asset.location.region_coordinates.latitude | |
| device.location.country | principal.asset.location.country_or_region | |
| device.location.region | principal.asset.location.name | If the device.region log field value is empty, then the device.location.region log field is mapped to the principal.asset.location.name UDM field. |
| device.mac | principal.asset.mac | |
| device.modified_time | principal.asset.attribute.last_update_time | |
| device.os.type_id | principal.asset.platform_software.platform | If the device.os.type_id log field value is equal to 100 or the device.os.type_id log field value is equal to 101, then the principal.asset.platform_software.platform UDM field is set to WINDOWS. Else, if the device.os.type_id log field value is equal to 200, then the principal.asset.platform_software.platform UDM field is set to LINUX. Else, if the device.os.type_id log field value is equal to 201, then the principal.asset.platform_software.platform UDM field is set to ANDROID. Else, if the device.os.type_id log field value is equal to 300, then the principal.asset.platform_software.platform UDM field is set to MAC. Else, if the device.os.type_id log field value is equal to 301, then the principal.asset.platform_software.platform UDM field is set to IOS. Else, the principal.asset.platform_software.platform UDM field is set to UNKNOWN_PLATFORM. |
| device.os.version | principal.asset.platform_software.platform_version | |
| device.region | principal.asset.location.name | |
| device.type_id | principal.asset.type | If the device.type_id log field value is equal to 1, then the principal.asset.type UDM field is set to SERVER. Else, if the device.type_id log field value is equal to 2, then the principal.asset.type UDM field is set to WORKSTATION. Else, if the device.type_id log field value is equal to 3, then the principal.asset.type UDM field is set to LAPTOP. Else, if the device.type_id log field value is equal to 4 or the device.type_id log field value is equal to 5, then the principal.asset.type UDM field is set to MOBILE. Else, if the device.type_id log field value is equal to 7, then the principal.asset.type UDM field is set to IOT. Else, the principal.asset.type UDM field is set to ROLE_UNSPECIFIED. |
| device.uid | principal.asset.product_object_id | |
| disposition | security_result.action_details | |
| disposition_id | security_result.action | If the disposition_id log field value is equal to 1, then the security_result.action UDM field is set to ALLOW. Else, if the disposition_id log field value is equal to 2, then the security_result.action UDM field is set to BLOCK. Else, if the disposition_id log field value is equal to 4, then the security_result.action UDM field is set to QUARANTINE. Else, the security_result.action UDM field is set to UNKNOWN_ACTION. |
| dst_endpoint.domain | target.domain.name | |
| dst_endpoint.hostname | target.hostname | |
| dst_endpoint.intermediate_ips | intermediary.ip | |
| dst_endpoint.ip | target.ip | |
| dst_endpoint.location.city | target.location.city | |
| dst_endpoint.location.coordinates.0 | target.location.region_coordinates.longitude | |
| dst_endpoint.location.coordinates.1 | target.location.region_coordinates.latitude | |
| dst_endpoint.location.country | target.location.country_or_region | |
| dst_endpoint.location.region | target.location.name | |
| dst_endpoint.mac | target.mac | |
| dst_endpoint.port | target.port | |
| dst_endpoint.svc_name | target.application | |
| dst_endpoint.uid | target.asset_id | |
| http_request.http_method | network.http.method | |
| http_request.referrer | network.http.referral_url | |
| http_request.user_agent | network.http.user_agent | |
| http_response.code | network.http.response_code | |
| http_status | network.http.response_code | If the http_response.code log field value is empty, then the http_status log field is mapped to the network.http.response_code UDM field. |
| malware.cves.created_time | extensions.vulns.vulnerabilities.first_found | |
| malware.cves.cvss.base_score | extensions.vulns.vulnerabilities.cvss_base_score | |
| malware.cves.cvss.severity | extensions.vulns.vulnerabilities.severity | If the malware.cves.cvss.severity log field value matches the regular expression pattern Low, then the extensions.vulns.vulnerabilities.severity UDM field is set to LOW. Else, if the malware.cves.cvss.severity log field value matches the regular expression pattern Medium, then the extensions.vulns.vulnerabilities.severity UDM field is set to MEDIUM. Else, if the malware.cves.cvss.severity log field value matches the regular expression pattern High, then the extensions.vulns.vulnerabilities.severity UDM field is set to HIGH. Else, if the malware.cves.cvss.severity log field value matches the regular expression pattern Critical, then the extensions.vulns.vulnerabilities.severity UDM field is set to CRITICAL. Else, the extensions.vulns.vulnerabilities.severity UDM field is set to UNKNOWN_SEVERITY. |
| malware.cves.cvss.vector_string | extensions.vulns.vulnerabilities.cvss_vector | |
| malware.cves.cvss.version | extensions.vulns.vulnerabilities.cvss_version | |
| malware.cves.product.name | extensions.vulns.vulnerabilities.about.application | |
| malware.cves.product.uid | extensions.vulns.vulnerabilities.about.asset_id | |
| malware.cves.product.vendor_name | extensions.vulns.vulnerabilities.vendor | |
| malware.cves.type | extensions.vulns.vulnerabilities.name | |
| malware.cves.uid | extensions.vulns.vulnerabilities.cve_id | |
| malware.name | security_result.threat_name | |
| malware.uid | security_result.threat_id | |
| message | metadata.description | |
| metadata.logged_time | metadata.collected_timestamp | |
| activity_name | metadata.product_event_type | The %{activity_id} - %{activity_name} log field is mapped to the metadata.product_event_type UDM field. |
| metadata.product.name | metadata.product_name | |
| metadata.uid | metadata.product_log_id | |
| metadata.product.vendor_name | metadata.vendor_name | |
| metadata.product.version | metadata.product_version | |
| observables.value | observer.file.names | Iterate through the observables.value log field. If the index value is equal to 0 and the observables.type_id log field value is equal to 1, then the observables.value log field is mapped to the observer.hostname UDM field. Else, if the observables.type_id log field value is equal to 2, then the observables.value log field is mapped to the observer.ip UDM field. Else, if the observables.type_id log field value is equal to 3, then the observables.value log field is mapped to the observer.mac UDM field. Else, if the observables.type_id log field value is equal to 4, then the observables.value log field is mapped to the observer.user.userid UDM field. Else, if the observables.type_id log field value is equal to 5, then the observables.value log field is mapped to the observer.user.email_addresses UDM field. Else, if the observables.type_id log field value is equal to 6, then the observables.value log field is mapped to the observer.url UDM field. Else, if the observables.type_id log field value is equal to 7, then the observables.value log field is mapped to the observer.file.names UDM field. Else, if the observables.type_id log field value is equal to 8, then the observables.value log field is mapped to the observer.file.vhash UDM field. Else, if the observables.type_id log field value is equal to 9, then the observables.value log field is mapped to the observer.process.file.names UDM field. Else, if the observables.type_id log field value is equal to 10, then the observables.value log field is mapped to the observer.resource.product_object_id UDM field. |
| observables.value | observer.file.vhash | Same observables.type_id dispatch as described in the observables.value to observer.file.names row; the value is mapped to observer.file.vhash when observables.type_id is equal to 8. |
| observables.value | observer.hostname | Same observables.type_id dispatch as described in the observables.value to observer.file.names row; the value is mapped to observer.hostname when the index value is equal to 0 and observables.type_id is equal to 1. |
| observables.value | observer.ip | Same observables.type_id dispatch as described in the observables.value to observer.file.names row; the value is mapped to observer.ip when observables.type_id is equal to 2. |
| observables.value | observer.mac | Same observables.type_id dispatch as described in the observables.value to observer.file.names row; the value is mapped to observer.mac when observables.type_id is equal to 3. |
| observables.value | observer.process.file.names | Same observables.type_id dispatch as described in the observables.value to observer.file.names row; the value is mapped to observer.process.file.names when observables.type_id is equal to 9. |
| observables.value | observer.resource.product_object_id | Same observables.type_id dispatch as described in the observables.value to observer.file.names row; the value is mapped to observer.resource.product_object_id when observables.type_id is equal to 10. |
| observables.value | observer.url | Same observables.type_id dispatch as described in the observables.value to observer.file.names row; the value is mapped to observer.url when observables.type_id is equal to 6. |
| observables.value | observer.user.email_addresses | Same observables.type_id dispatch as described in the observables.value to observer.file.names row; the value is mapped to observer.user.email_addresses when observables.type_id is equal to 5. |
| observables.value | observer.user.userid | Same observables.type_id dispatch as described in the observables.value to observer.file.names row; the value is mapped to observer.user.userid when observables.type_id is equal to 4. |
| proxy.domain | intermediary.domain.name | |
| proxy.hostname | intermediary.hostname | |
| proxy.intermediate_ips | intermediary.ip | |
| proxy.ip | intermediary.ip | |
| proxy.location.city | intermediary.location.city | |
| proxy.location.coordinates.0 | intermediary.location.region_coordinates.longitude | |
| proxy.location.coordinates.1 | intermediary.location.region_coordinates.latitude | |
| proxy.location.country | intermediary.location.country_or_region | |
| proxy.location.region | intermediary.location.name | |
| proxy.mac | intermediary.mac | |
| proxy.port | intermediary.port | |
| proxy.svc_name | intermediary.application | |
| proxy.uid | intermediary.asset_id | |
| severity | security_result.severity_details | |
| severity_id | security_result.severity | If the severity_id log field value is equal to 1, then the security_result.severity UDM field is set to INFORMATIONAL. Else, if the severity_id log field value is equal to 2, then the security_result.severity UDM field is set to LOW. Else, if the severity_id log field value is equal to 3, then the security_result.severity UDM field is set to MEDIUM. Else, if the severity_id log field value is equal to 4, then the security_result.severity UDM field is set to HIGH. Else, if the severity_id log field value is equal to 5, then the security_result.severity UDM field is set to CRITICAL. Else, the security_result.severity UDM field is set to UNKNOWN_SEVERITY. |
| src_endpoint.domain | principal.domain.name | |
| src_endpoint.hostname | principal.hostname | |
| src_endpoint.intermediate_ips | intermediary.ip | |
| src_endpoint.ip | principal.ip | |
| src_endpoint.location.city | principal.location.city | |
| src_endpoint.location.coordinates.0 | principal.location.region_coordinates.longitude | |
| src_endpoint.location.coordinates.1 | principal.location.region_coordinates.latitude | |
| src_endpoint.location.country | principal.location.country_or_region | |
| src_endpoint.location.region | principal.location.name | |
| src_endpoint.mac | principal.mac | |
| src_endpoint.port | principal.port | |
| src_endpoint.svc_name | principal.application | |
| src_endpoint.uid | principal.asset_id | |
| time | metadata.event_timestamp | |
| tls.certificate.created_time | network.tls.client.certificate.not_before | |
| tls.certificate.expiration_time | network.tls.client.certificate.not_after | |
| tls.certificate.issuer | network.tls.client.certificate.issuer | |
| tls.certificate.serial_number | network.tls.client.certificate.serial | |
| tls.certificate.subject | network.tls.client.certificate.subject | |
| tls.certificate.version | network.tls.client.certificate.version | |
| tls.cipher | network.tls.cipher | |
| tls.client_ciphers | network.tls.client.supported_ciphers | |
| tls.ja3_hash.value | network.tls.client.ja3 | |
| tls.ja3s_hash.value | network.tls.client.ja3s | |
| tls.sni | network.tls.client.server_name | |
| tls.version | network.tls.version_protocol | |
| traffic.bytes_in | network.received_bytes | |
| traffic.bytes_out | network.sent_bytes | |
| traffic.packets_in | network.received_packets | |
| traffic.packets_out | network.sent_packets | |
| connection_info.session.uid_alt | additional.fields[connection_info_session_uid_alt] | |
| connection_info.session.count | additional.fields[connection_info_session_count] | |
| connection_info.session.expiration_reason | additional.fields[connection_info_session_expiration_reason] | |
| connection_info.session.is_mfa | additional.fields[connection_info_session_is_mfa] | |
| connection_info.session.terminal | additional.fields[connection_info_session_terminal] | |
| connection_info.session.is_vpn | additional.fields[connection_info_session_is_vpn] | |
| dst_endpoint.hw_info.bios_date | target.asset.attribute.labels[dst_endpoint_hw_info_bios_date] | |
| dst_endpoint.hw_info.bios_manufacturer | target.asset.hardware.manufacturer | |
| dst_endpoint.hw_info.bios_ver | target.asset.hardware.model | |
| dst_endpoint.hw_info.cpu_bits | target.asset.attribute.labels[dst_endpoint_hw_info_cpu_bits] | |
| dst_endpoint.hw_info.cpu_cores | target.asset.hardware.cpu_number_cores | |
| dst_endpoint.hw_info.cpu_count | target.asset.attribute.labels[dst_endpoint_hw_info_cpu_count] | |
| dst_endpoint.hw_info.chassis | target.asset.attribute.labels[dst_endpoint_hw_info_chassis] | |
| dst_endpoint.hw_info.desktop_display.color_depth | target.asset.attribute.labels[dst_endpoint_hw_info_desktop_display_color_depth] | |
| dst_endpoint.hw_info.desktop_display.physical_height | target.asset.attribute.labels[dst_endpoint_hw_info_desktop_display_physical_height] | |
| dst_endpoint.hw_info.desktop_display.physical_orientation | target.asset.attribute.labels[dst_endpoint_hw_info_desktop_display_physical_orientation] | |
| dst_endpoint.hw_info.desktop_display.physical_width | target.asset.attribute.labels[dst_endpoint_hw_info_desktop_display_physical_width] | |
| dst_endpoint.hw_info.desktop_display.scale_factor | target.asset.attribute.labels[dst_endpoint_hw_info_desktop_display_scale_factor] | |
| dst_endpoint.hw_info.keyboard_info.function_keys | target.asset.attribute.labels[dst_endpoint_hw_info_keyboard_info_function_keys] | |
| dst_endpoint.hw_info.keyboard_info.ime | target.asset.attribute.labels[dst_endpoint_hw_info_keyboard_info_ime] | |
| dst_endpoint.hw_info.keyboard_info.keyboard_layout | target.asset.attribute.labels[dst_endpoint_hw_info_keyboard_info_keyboard_layout] | |
| dst_endpoint.hw_info.keyboard_info.keyboard_subtype | target.asset.attribute.labels[dst_endpoint_hw_info_keyboard_info_keyboard_subtype] | |
| dst_endpoint.hw_info.keyboard_info.keyboard_type | target.asset.attribute.labels[dst_endpoint_hw_info_keyboard_info_keyboard_type] | |
| dst_endpoint.hw_info.cpu_speed | target.asset.hardware.cpu_max_clock_speed | |
| dst_endpoint.hw_info.cpu_type | target.asset.hardware.cpu_platform | |
| dst_endpoint.hw_info.ram_size | target.asset.hardware.ram | |
| dst_endpoint.hw_info.serial_number | target.asset.hardware.serial_number | |
| dst_endpoint.zone | target.asset.attribute.labels[dst_endpoint_zone] | |
| dst_endpoint.type | additional.fields[dst_endpoint_type] | |
| dst_endpoint.type_id | additional.fields[dst_endpoint_type_id] | |
| dst_endpoint.os.cpe_name | target.asset.attribute.labels[dst_endpoint_os_cpe_name] | |
| dst_endpoint.proxy_endpoint.svc_name | intermediary.application | |
| dst_endpoint.proxy_endpoint.intermediate_ips.array | intermediary.ip | |
| dst_endpoint.proxy_endpoint.domain | intermediary.domain.name | |
| dst_endpoint.proxy_endpoint.hostname | intermediary.hostname | |
| dst_endpoint.proxy_endpoint.ip | intermediary.ip | |
| dst_endpoint.proxy_endpoint.location.city | intermediary.location.city | |
| dst_endpoint.proxy_endpoint.location.country | intermediary.location.country_or_region | |
| dst_endpoint.proxy_endpoint.location.region | intermediary.location.name | |
| dst_endpoint.proxy_endpoint.location.coordinates | intermediary.location.region_coordinates | |
| dst_endpoint.proxy_endpoint.mac | intermediary.mac | |
| dst_endpoint.proxy_endpoint.port | intermediary.port | |
| dst_endpoint.proxy_endpoint.uid | intermediary.asset_id | |
| dst_endpoint.proxy_endpoint.hw_info.bios_date | intermediary.asset.attribute.labels[dst_endpoint_proxy_endpoint_hw_info_bios_date] | |
| dst_endpoint.proxy_endpoint.hw_info.bios_manufacturer | intermediary.asset.hardware.manufacturer | |
| dst_endpoint.proxy_endpoint.hw_info.bios_ver | intermediary.asset.hardware.model | |
| dst_endpoint.proxy_endpoint.hw_info.cpu_bits | intermediary.asset.attribute.labels[dst_endpoint_proxy_endpoint_hw_info_cpu_bits] | |
| dst_endpoint.proxy_endpoint.hw_info.cpu_cores | intermediary.asset.hardware.cpu_number_cores | |
| dst_endpoint.proxy_endpoint.hw_info.cpu_count | intermediary.asset.attribute.labels[dst_endpoint_proxy_endpoint_hw_info_cpu_count] | |
| dst_endpoint.proxy_endpoint.hw_info.chassis | intermediary.asset.attribute.labels[dst_endpoint_proxy_endpoint_hw_info_chassis] | |
| dst_endpoint.proxy_endpoint.hw_info.desktop_display.color_depth | intermediary.asset.attribute.labels[dst_endpoint_proxy_endpoint_hw_info_desktop_display_color_depth] | |
| dst_endpoint.proxy_endpoint.hw_info.desktop_display.physical_height | intermediary.asset.attribute.labels[dst_endpoint_proxy_endpoint_hw_info_desktop_display_physical_height] | |
| dst_endpoint.proxy_endpoint.hw_info.desktop_display.physical_orientation | intermediary.asset.attribute.labels[dst_endpoint_proxy_endpoint_hw_info_desktop_display_physical_orientation] | |
| dst_endpoint.proxy_endpoint.hw_info.desktop_display.physical_width | intermediary.asset.attribute.labels[dst_endpoint_proxy_endpoint_hw_info_desktop_display_physical_width] | |
| dst_endpoint.proxy_endpoint.hw_info.desktop_display.scale_factor | intermediary.asset.attribute.labels[dst_endpoint_proxy_endpoint_hw_info_desktop_display_scale_factor] | |
| dst_endpoint.proxy_endpoint.hw_info.keyboard_info.function_keys | intermediary.asset.attribute.labels[dst_endpoint_proxy_endpoint_hw_info_keyboard_info_function_keys] | |
| dst_endpoint.proxy_endpoint.hw_info.keyboard_info.ime | intermediary.asset.attribute.labels[dst_endpoint_proxy_endpoint_hw_info_keyboard_info_ime] | |
| dst_endpoint.proxy_endpoint.hw_info.keyboard_info.keyboard_layout | intermediary.asset.attribute.labels[dst_endpoint_proxy_endpoint_hw_info_keyboard_info_keyboard_layout] | |
| dst_endpoint.proxy_endpoint.hw_info.keyboard_info.keyboard_subtype | intermediary.asset.attribute.labels[dst_endpoint_proxy_endpoint_hw_info_keyboard_info_keyboard_subtype] | |
| dst_endpoint.proxy_endpoint.hw_info.keyboard_info.keyboard_type | intermediary.asset.attribute.labels[dst_endpoint_proxy_endpoint_hw_info_keyboard_info_keyboard_type] | |
| dst_endpoint.proxy_endpoint.hw_info.cpu_speed | intermediary.asset.hardware.cpu_max_clock_speed | |
| dst_endpoint.proxy_endpoint.hw_info.cpu_type | intermediary.asset.hardware.cpu_platform | |
| dst_endpoint.proxy_endpoint.hw_info.ram_size | intermediary.asset.hardware.ram | |
| dst_endpoint.proxy_endpoint.hw_info.serial_number | intermediary.asset.hardware.serial_number | |
| dst_endpoint.proxy_endpoint.zone | intermediary.asset.attribute.labels[dst_endpoint_proxy_endpoint_zone] | |
| dst_endpoint.proxy_endpoint.type | additional.fields[dst_endpoint_proxy_endpoint_type] | |
| dst_endpoint.proxy_endpoint.type_id | additional.fields[dst_endpoint_proxy_endpoint_type_id] | |
| dst_endpoint.proxy_endpoint.os.cpe_name | intermediary.asset.attribute.labels[dst_endpoint_proxy_endpoint_os_cpe_name] | |
| metadata.log_level | additional.fields[metadata_log_level] | |
| metadata.tenant_uid | additional.fields[metadata_tenant_uid] | |
| metadata.product.cpe_name | about.asset.attribute.labels[metadata_product_cpe_name] | |
| metadata.loggers.device.hostname | about.asset.hostname | Iterate through log field metadata.loggers, then metadata.loggers.device.hostname log field is mapped to the about.asset.hostname UDM field. |
| metadata.loggers.device.ip | about.asset.ip | Iterate through log field metadata.loggers, then metadata.loggers.device.ip log field is mapped to the about.asset.ip UDM field. |
| metadata.loggers.device.instance_uid | about.asset.attribute.labels[metadata_device_instance_uid] | Iterate through log field metadata.loggers, then metadata.loggers.device.instance_uid log field is mapped to the about.asset.attribute.labels[metadata_device_instance_uid] UDM field. |
| metadata.loggers.device.name | about.asset.attribute.labels[metadata_device_name] | Iterate through log field metadata.loggers, then metadata.loggers.device.name log field is mapped to the about.asset.attribute.labels[metadata_device_name] UDM field. |
| metadata.loggers.device.interface_uid | about.asset.attribute.labels[metadata_device_interface_uid] | Iterate through log field metadata.loggers, then metadata.loggers.device.interface_uid log field is mapped to the about.asset.attribute.labels[metadata_device_interface_uid] UDM field. |
| metadata.loggers.device.interface_name | about.asset.attribute.labels[metadata_device_interface_name] | Iterate through log field metadata.loggers, then metadata.loggers.device.interface_name log field is mapped to the about.asset.attribute.labels[metadata_device_interface_name] UDM field. |
| metadata.loggers.device.region | about.asset.attribute.labels[metadata_device_region] | Iterate through log field metadata.loggers, then metadata.loggers.device.region log field is mapped to the about.asset.attribute.labels[metadata_device_region] UDM field. |
| metadata.loggers.device.type_id | about.asset.attribute.labels[metadata_device_type_id] | Iterate through log field metadata.loggers, then metadata.loggers.device.type_id log field is mapped to the about.asset.attribute.labels[metadata_device_type_id] UDM field. |
| metadata.loggers.device.uid | about.asset.asset_id | Iterate through log field metadata.loggers, then metadata.loggers.device.uid log field is mapped to the about.asset.asset_id UDM field. |
| metadata.loggers.product.name | additional.fields[metadata_product_name] | Iterate through log field metadata.loggers, then metadata.loggers.product.name log field is mapped to the additional.fields[metadata_product_name] UDM field. |
| metadata.loggers.product.vendor_name | additional.fields[metadata_product_vendor_name] | Iterate through log field metadata.loggers, then metadata.loggers.product.vendor_name log field is mapped to the additional.fields[metadata_product_vendor_name] UDM field. |
| metadata.loggers.product.version | additional.fields[metadata_product_version] | Iterate through log field metadata.loggers, then metadata.loggers.product.version log field is mapped to the additional.fields[metadata_product_version] UDM field. |
| metadata.loggers.product.uid | additional.fields[metadata_product_uid] | Iterate through log field metadata.loggers, then metadata.loggers.product.uid log field is mapped to the additional.fields[metadata_product_uid] UDM field. |
| metadata.loggers.uid | additional.fields[metadata_loggers_uid] | Iterate through log field metadata.loggers, then metadata.loggers.uid log field is mapped to the additional.fields[metadata_loggers_uid] UDM field. |
| metadata.loggers.name | additional.fields[metadata_loggers_name] | Iterate through log field metadata.loggers, then metadata.loggers.name log field is mapped to the additional.fields[metadata_loggers_name] UDM field. |
| metadata.loggers.log_provider | additional.fields[metadata_loggers_log_provider] | Iterate through log field metadata.loggers, then metadata.loggers.log_provider log field is mapped to the additional.fields[metadata_loggers_log_provider] UDM field. |
| metadata.loggers.log_name | additional.fields[metadata_loggers_log_name] | Iterate through log field metadata.loggers, then metadata.loggers.log_name log field is mapped to the additional.fields[metadata_loggers_log_name] UDM field. |
| http_request.length | additional.fields[http_request_length] | |
| src_endpoint.hw_info.bios_date | principal.asset.attribute.labels[src_endpoint_hw_info_bios_date] | |
| src_endpoint.hw_info.bios_manufacturer | principal.asset.hardware.manufacturer | |
| src_endpoint.hw_info.bios_ver | principal.asset.hardware.model | |
| src_endpoint.hw_info.cpu_bits | principal.asset.attribute.labels[src_endpoint_hw_info_cpu_bits] | |
| src_endpoint.hw_info.cpu_cores | principal.asset.hardware.cpu_number_cores | |
| src_endpoint.hw_info.cpu_count | principal.asset.attribute.labels[src_endpoint_hw_info_cpu_count] | |
| src_endpoint.hw_info.chassis | principal.asset.attribute.labels[src_endpoint_hw_info_chassis] | |
| src_endpoint.hw_info.desktop_display.color_depth | principal.asset.attribute.labels[src_endpoint_hw_info_desktop_display_color_depth] | |
| src_endpoint.hw_info.desktop_display.physical_height | principal.asset.attribute.labels[src_endpoint_hw_info_desktop_display_physical_height] | |
| src_endpoint.hw_info.desktop_display.physical_orientation | principal.asset.attribute.labels[src_endpoint_hw_info_desktop_display_physical_orientation] | |
| src_endpoint.hw_info.desktop_display.physical_width | principal.asset.attribute.labels[src_endpoint_hw_info_desktop_display_physical_width] | |
| src_endpoint.hw_info.desktop_display.scale_factor | principal.asset.attribute.labels[src_endpoint_hw_info_desktop_display_scale_factor] | |
| src_endpoint.hw_info.keyboard_info.function_keys | principal.asset.attribute.labels[src_endpoint_hw_info_keyboard_info_function_keys] | |
| src_endpoint.hw_info.keyboard_info.ime | principal.asset.attribute.labels[src_endpoint_hw_info_keyboard_info_ime] | |
| src_endpoint.hw_info.keyboard_info.keyboard_layout | principal.asset.attribute.labels[src_endpoint_hw_info_keyboard_info_keyboard_layout] | |
| src_endpoint.hw_info.keyboard_info.keyboard_subtype | principal.asset.attribute.labels[src_endpoint_hw_info_keyboard_info_keyboard_subtype] | |
| src_endpoint.hw_info.keyboard_info.keyboard_type | principal.asset.attribute.labels[src_endpoint_hw_info_keyboard_info_keyboard_type] | |
| src_endpoint.hw_info.cpu_speed | principal.asset.hardware.cpu_max_clock_speed | |
| src_endpoint.hw_info.cpu_type | principal.asset.hardware.cpu_platform | |
| src_endpoint.hw_info.ram_size | principal.asset.hardware.ram | |
| src_endpoint.hw_info.serial_number | principal.asset.hardware.serial_number | |
| src_endpoint.zone | principal.asset.attribute.labels[src_endpoint_zone] | |
| src_endpoint.type | additional.fields[src_endpoint_type] | |
| src_endpoint.type_id | additional.fields[src_endpoint_type_id] | |
| src_endpoint.os.cpe_name | principal.asset.attribute.labels[src_endpoint_os_cpe_name] | |
| src_endpoint.proxy_endpoint.svc_name | intermediary.application | |
| src_endpoint.proxy_endpoint.intermediate_ips.array | intermediary.ip | |
| src_endpoint.proxy_endpoint.domain | intermediary.domain.name | |
| src_endpoint.proxy_endpoint.hostname | intermediary.hostname | |
| src_endpoint.proxy_endpoint.ip | intermediary.ip | |
| src_endpoint.proxy_endpoint.location.city | intermediary.location.city | |
| src_endpoint.proxy_endpoint.location.country | intermediary.location.country_or_region | |
| src_endpoint.proxy_endpoint.location.region | intermediary.location.name | |
| src_endpoint.proxy_endpoint.location.coordinates | intermediary.location.region_coordinates | |
| src_endpoint.proxy_endpoint.mac | intermediary.mac | |
| src_endpoint.proxy_endpoint.port | intermediary.port | |
| src_endpoint.proxy_endpoint.uid | intermediary.asset_id | |
| src_endpoint.proxy_endpoint.hw_info.bios_date | intermediary.asset.attribute.labels[src_endpoint_proxy_endpoint_hw_info_bios_date] | |
| src_endpoint.proxy_endpoint.hw_info.bios_manufacturer | intermediary.asset.hardware.manufacturer | |
| src_endpoint.proxy_endpoint.hw_info.bios_ver | intermediary.asset.hardware.model | |
| src_endpoint.proxy_endpoint.hw_info.cpu_bits | intermediary.asset.attribute.labels[src_endpoint_proxy_endpoint_hw_info_cpu_bits] | |
| src_endpoint.proxy_endpoint.hw_info.cpu_cores | intermediary.asset.hardware.cpu_number_cores | |
| src_endpoint.proxy_endpoint.hw_info.cpu_count | intermediary.asset.attribute.labels[src_endpoint_proxy_endpoint_hw_info_cpu_count] | |
| src_endpoint.proxy_endpoint.hw_info.chassis | intermediary.asset.attribute.labels[src_endpoint_proxy_endpoint_hw_info_chassis] | |
| src_endpoint.proxy_endpoint.hw_info.desktop_display.color_depth | intermediary.asset.attribute.labels[src_endpoint_proxy_endpoint_hw_info_desktop_display_color_depth] | |
| src_endpoint.proxy_endpoint.hw_info.desktop_display.physical_height | intermediary.asset.attribute.labels[src_endpoint_proxy_endpoint_hw_info_desktop_display_physical_height] | |
| src_endpoint.proxy_endpoint.hw_info.desktop_display.physical_orientation | intermediary.asset.attribute.labels[src_endpoint_proxy_endpoint_hw_info_desktop_display_physical_orientation] | |
| src_endpoint.proxy_endpoint.hw_info.desktop_display.physical_width | intermediary.asset.attribute.labels[src_endpoint_proxy_endpoint_hw_info_desktop_display_physical_width] | |
| src_endpoint.proxy_endpoint.hw_info.desktop_display.scale_factor | intermediary.asset.attribute.labels[src_endpoint_proxy_endpoint_hw_info_desktop_display_scale_factor] | |
| src_endpoint.proxy_endpoint.hw_info.keyboard_info.function_keys | intermediary.asset.attribute.labels[src_endpoint_proxy_endpoint_hw_info_keyboard_info_function_keys] | |
| src_endpoint.proxy_endpoint.hw_info.keyboard_info.ime | intermediary.asset.attribute.labels[src_endpoint_proxy_endpoint_hw_info_keyboard_info_ime] | |
| src_endpoint.proxy_endpoint.hw_info.keyboard_info.keyboard_layout | intermediary.asset.attribute.labels[src_endpoint_proxy_endpoint_hw_info_keyboard_info_keyboard_layout] | |
| src_endpoint.proxy_endpoint.hw_info.keyboard_info.keyboard_subtype | intermediary.asset.attribute.labels[src_endpoint_proxy_endpoint_hw_info_keyboard_info_keyboard_subtype] | |
| src_endpoint.proxy_endpoint.hw_info.keyboard_info.keyboard_type | intermediary.asset.attribute.labels[src_endpoint_proxy_endpoint_hw_info_keyboard_info_keyboard_type] | |
| src_endpoint.proxy_endpoint.hw_info.cpu_speed | intermediary.asset.hardware.cpu_max_clock_speed | |
| src_endpoint.proxy_endpoint.hw_info.cpu_type | intermediary.asset.hardware.cpu_platform | |
| src_endpoint.proxy_endpoint.hw_info.ram_size | intermediary.asset.hardware.ram | |
| src_endpoint.proxy_endpoint.hw_info.serial_number | intermediary.asset.hardware.serial_number | |
| src_endpoint.proxy_endpoint.zone | intermediary.asset.attribute.labels[src_endpoint_proxy_endpoint_zone] | |
| src_endpoint.proxy_endpoint.type | additional.fields[src_endpoint_proxy_endpoint_type] | |
| src_endpoint.proxy_endpoint.type_id | additional.fields[src_endpoint_proxy_endpoint_type_id] | |
| src_endpoint.proxy_endpoint.os.cpe_name | intermediary.asset.attribute.labels[src_endpoint_proxy_endpoint_os_cpe_name] | |
| tls.certificate.uid | additional.fields[tls_certificate_uid] | |
| traffic.chunks | additional.fields[traffic_chunks] | |
| traffic.chunks_in | additional.fields[traffic_chunks_in] | |
| traffic.chunks_out | additional.fields[traffic_chunks_out] | |
| http_cookies.domain | security_result.detection_fields[http_cookies_domain] | Iterate through log field http_cookies, then http_cookies.domain log field is mapped to the security_result.detection_fields[http_cookies_domain] UDM field. |
| http_cookies.expiration_time | security_result.detection_fields[http_cookies_expiration_time] | Iterate through log field http_cookies, then http_cookies.expiration_time log field is mapped to the security_result.detection_fields[http_cookies_expiration_time] UDM field. |
| http_cookies.is_http_only | security_result.detection_fields[http_cookies_is_http_only] | Iterate through log field http_cookies, then http_cookies.is_http_only log field is mapped to the security_result.detection_fields[http_cookies_is_http_only] UDM field. |
| http_cookies.name | security_result.detection_fields[http_cookies_name] | Iterate through log field http_cookies, then http_cookies.name log field is mapped to the security_result.detection_fields[http_cookies_name] UDM field. |
| http_cookies.path | security_result.detection_fields[http_cookies_path] | Iterate through log field http_cookies, then http_cookies.path log field is mapped to the security_result.detection_fields[http_cookies_path] UDM field. |
| http_cookies.samesite | security_result.detection_fields[http_cookies_samesite] | Iterate through log field http_cookies, then http_cookies.samesite log field is mapped to the security_result.detection_fields[http_cookies_samesite] UDM field. |
| http_cookies.is_secure | security_result.detection_fields[http_cookies_is_secure] | Iterate through log field http_cookies, then http_cookies.is_secure log field is mapped to the security_result.detection_fields[http_cookies_is_secure] UDM field. |
| http_cookies.value | security_result.detection_fields[http_cookies_value] | Iterate through log field http_cookies, then http_cookies.value log field is mapped to the security_result.detection_fields[http_cookies_value] UDM field. |
| http_response.http_headers.name | security_results.detection_fields[http_response_http_headers_name] | Iterate through log field http_response.http_headers, then http_response.http_headers.name log field is mapped to the security_results.detection_fields[http_response_http_headers_name] UDM field. |
| http_response.http_headers.value | security_results.detection_fields[http_response_http_headers_value] | Iterate through log field http_response.http_headers, then http_response.http_headers.value log field is mapped to the security_results.detection_fields[http_response_http_headers_value] UDM field. |
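The "Iterate through ..." rows above (metadata.loggers and http_cookies) are easier to query once you see the UDM shape they produce. The following Python is an added example, not code from the Google SecOps OCSF parser; it applies those rows to a constructed event and assumes that each metadata.loggers element becomes its own about noun and that label and detection-field values are rendered as strings.

```python
"""Added example (not the Google SecOps parser): unfold the repeated OCSF
fields metadata.loggers and http_cookies into the UDM targets listed in the
table above. Assumption: one `about` noun per metadata.loggers element."""

# OCSF path relative to one metadata.loggers element -> (UDM target, kind).
# kind "field": direct about.asset field; "label": about.asset.attribute.labels;
# "additional": top-level additional.fields. Keys are taken from the table.
LOGGER_MAP = {
    "device.hostname": ("about.asset.hostname", "field"),
    "device.ip": ("about.asset.ip", "field"),
    "device.uid": ("about.asset.asset_id", "field"),
    "device.instance_uid": ("metadata_device_instance_uid", "label"),
    "device.name": ("metadata_device_name", "label"),
    "device.interface_uid": ("metadata_device_interface_uid", "label"),
    "device.interface_name": ("metadata_device_interface_name", "label"),
    "device.region": ("metadata_device_region", "label"),
    "device.type_id": ("metadata_device_type_id", "label"),
    "product.name": ("metadata_product_name", "additional"),
    "product.vendor_name": ("metadata_product_vendor_name", "additional"),
    "product.version": ("metadata_product_version", "additional"),
    "product.uid": ("metadata_product_uid", "additional"),
    "uid": ("metadata_loggers_uid", "additional"),
    "name": ("metadata_loggers_name", "additional"),
    "log_provider": ("metadata_loggers_log_provider", "additional"),
    "log_name": ("metadata_loggers_log_name", "additional"),
}

# Every http_cookies element key below lands in
# security_result.detection_fields[http_cookies_<key>].
COOKIE_KEYS = ("domain", "expiration_time", "is_http_only", "name",
               "path", "samesite", "is_secure", "value")


def get_path(obj, dotted):
    """Walk a dotted path through nested dicts; None when any hop is missing."""
    for part in dotted.split("."):
        if not isinstance(obj, dict) or part not in obj:
            return None
        obj = obj[part]
    return obj


def to_str(value):
    """Label and detection-field values are strings; booleans as JSON literals."""
    if isinstance(value, bool):
        return "true" if value else "false"
    return str(value)


def map_repeated_fields(event):
    """Return the UDM pieces produced by the repeated OCSF fields of `event`."""
    udm = {"about": [], "additional_fields": [],
           "security_result_detection_fields": []}
    for logger in get_path(event, "metadata.loggers") or []:
        asset, labels = {}, []
        for src, (dst, kind) in LOGGER_MAP.items():
            value = get_path(logger, src)
            if value is None or value == "":
                continue  # absent or empty source fields are not mapped
            if kind == "field":
                key = dst.rsplit(".", 1)[1]  # hostname, ip or asset_id
                if key == "ip":
                    asset.setdefault("ip", []).append(value)  # asset.ip repeats
                else:
                    asset[key] = value
            elif kind == "label":
                labels.append({"key": dst, "value": to_str(value)})
            else:
                udm["additional_fields"].append({"key": dst, "value": to_str(value)})
        if labels:
            asset["attribute"] = {"labels": labels}
        if asset:
            udm["about"].append({"asset": asset})
    for cookie in event.get("http_cookies") or []:
        for key in COOKIE_KEYS:
            if cookie.get(key) not in (None, ""):
                udm["security_result_detection_fields"].append(
                    {"key": f"http_cookies_{key}", "value": to_str(cookie[key])})
    return udm


# Constructed sample event; values are placeholders, not from the page.
SAMPLE_EVENT = {
    "metadata": {"loggers": [
        {"uid": "lg-1", "name": "edge-logger",
         "device": {"hostname": "edge01", "ip": "198.51.100.10",
                    "uid": "asset-1", "region": "us-east"},
         "product": {"name": "Example Proxy", "vendor_name": "Example"}},
        {"device": {"hostname": "core01"}},
    ]},
    "http_cookies": [{"name": "session", "value": "abc", "is_http_only": True,
                      "is_secure": False, "samesite": "Lax"}],
}

if __name__ == "__main__":
    import json
    print(json.dumps(map_repeated_fields(SAMPLE_EVENT), indent=2))
```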
Field mapping reference: OCSF Network Activity
The following table lists the log fields for the Network Activity log type and their corresponding UDM fields.
| Log field | UDM mapping | Logic | 
|---|---|---|
| api.response.code | network.http.response_code | |
| api.response.message | metadata.description | If the message log field value is empty then, api.response.message log field is mapped to the metadata.description UDM field. |
| api.service.name | target.application | If the dst_endpoint.svc_name log field value is not empty then, dst_endpoint.svc_name log field is mapped to the target.application UDM field. Else, if api.service.name log field value is not empty then, api.service.name log field is mapped to the target.application UDM field. |
| activity_id | metadata.event_type | If the class_name log field value is equal to Network Activity then, the metadata.event_type UDM field is set to NETWORK_UNCATEGORIZED. |
| activity_name | metadata.product_event_type | %{activity_id} - %{activity_name} log field is mapped to the metadata.product_event_type UDM field. |
| actor.process.cmd_line | principal.process.command_line | If the actor.process.cmd_line log field value is not empty then, actor.process.cmd_line log field is mapped to the principal.process.command_line UDM field. Else, if process.cmd_line log field value is not empty then, process.cmd_line log field is mapped to the principal.process.command_line UDM field. |
| actor.process.file.accessed_time | principal.process.file.last_seen_time | If the actor.process.file.accessed_time log field value is not empty then, actor.process.file.accessed_time log field is mapped to the principal.process.file.last_seen_time UDM field. Else, if process.file.accessed_time log field value is not empty then, process.file.accessed_time log field is mapped to the principal.process.file.last_seen_time UDM field. |
| actor.process.file.created_time | principal.process.file.first_seen_time | If the actor.process.file.created_time log field value is not empty then, actor.process.file.created_time log field is mapped to the principal.process.file.first_seen_time UDM field. Else, if process.file.created_time log field value is not empty then, process.file.created_time log field is mapped to the principal.process.file.first_seen_time UDM field. |
| actor.process.file.mime_type | principal.process.file.mime_type | If the actor.process.file.mime_type log field value is not empty then, actor.process.file.mime_type log field is mapped to the principal.process.file.mime_type UDM field. Else, if process.file.mime_type log field value is not empty then, process.file.mime_type log field is mapped to the principal.process.file.mime_type UDM field. |
| actor.process.file.modified_time | principal.process.file.last_modification_time | If the actor.process.file.modified_time log field value is not empty then, actor.process.file.modified_time log field is mapped to the principal.process.file.last_modification_time UDM field. Else, if process.file.modified_time log field value is not empty then, process.file.modified_time log field is mapped to the principal.process.file.last_modification_time UDM field. |
| actor.process.file.name | principal.process.file.names | If the actor.process.file.name log field value is not empty then, actor.process.file.name log field is mapped to the principal.process.file.names UDM field. Else, if process.file.name log field value is not empty then, process.file.name log field is mapped to the principal.process.file.names UDM field. |
| actor.process.file.path | principal.process.file.full_path | If the actor.process.file.path log field value is not empty then, actor.process.file.path log field is mapped to the principal.process.file.full_path UDM field. Else, if process.file.path log field value is not empty then, process.file.path log field is mapped to the principal.process.file.full_path UDM field. |
| actor.process.file.size | principal.process.file.size | If the actor.process.file.size log field value is not empty then, actor.process.file.size log field is mapped to the principal.process.file.size UDM field. Else, if process.file.size log field value is not empty then, process.file.size log field is mapped to the principal.process.file.size UDM field. |
| actor.process.parent_process.cmd_line | principal.process.parent_process.command_line | If the actor.process.parent_process.cmd_line log field value is not empty then, actor.process.parent_process.cmd_line log field is mapped to the principal.process.parent_process.command_line UDM field. Else, if process.parent_process.cmd_line log field value is not empty then, process.parent_process.cmd_line log field is mapped to the principal.process.parent_process.command_line UDM field. |
| actor.process.parent_process.file.accessed_time | principal.process.parent_process.file.last_seen_time | If the actor.process.parent_process.file.accessed_time log field value is not empty then, actor.process.parent_process.file.accessed_time log field is mapped to the principal.process.parent_process.file.last_seen_time UDM field. Else, if process.parent_process.file.accessed_time log field value is not empty then, process.parent_process.file.accessed_time log field is mapped to the principal.process.parent_process.file.last_seen_time UDM field. |
| actor.process.parent_process.file.created_time | principal.process.parent_process.file.first_seen_time | If the actor.process.parent_process.file.created_time log field value is not empty then, actor.process.parent_process.file.created_time log field is mapped to the principal.process.parent_process.file.first_seen_time UDM field. Else, if process.parent_process.file.created_time log field value is not empty then, process.parent_process.file.created_time log field is mapped to the principal.process.parent_process.file.first_seen_time UDM field. |
| actor.process.parent_process.file.mime_type | principal.process.parent_process.file.mime_type | If the actor.process.parent_process.file.mime_type log field value is not empty then, actor.process.parent_process.file.mime_type log field is mapped to the principal.process.parent_process.file.mime_type UDM field. Else, if process.parent_process.file.mime_type log field value is not empty then, process.parent_process.file.mime_type log field is mapped to the principal.process.parent_process.file.mime_type UDM field. |
| actor.process.parent_process.file.modified_time | principal.process.parent_process.file.last_modification_time | If the actor.process.parent_process.file.modified_time log field value is not empty then, actor.process.parent_process.file.modified_time log field is mapped to the principal.process.parent_process.file.last_modification_time UDM field. Else, if process.parent_process.file.modified_time log field value is not empty then, process.parent_process.file.modified_time log field is mapped to the principal.process.parent_process.file.last_modification_time UDM field. |
| actor.process.parent_process.file.name | principal.process.parent_process.file.names | If the actor.process.parent_process.file.name log field value is not empty then, actor.process.parent_process.file.name log field is mapped to the principal.process.parent_process.file.names UDM field. Else, if process.parent_process.file.name log field value is not empty then, process.parent_process.file.name log field is mapped to the principal.process.parent_process.file.names UDM field. |
| actor.process.parent_process.file.path | principal.process.parent_process.file.full_path | If the actor.process.parent_process.file.path log field value is not empty then, actor.process.parent_process.file.path log field is mapped to the principal.process.parent_process.file.full_path UDM field. Else, if process.parent_process.file.path log field value is not empty then, process.parent_process.file.path log field is mapped to the principal.process.parent_process.file.full_path UDM field. |
| actor.process.parent_process.file.size | principal.process.parent_process.file.size | If the actor.process.parent_process.file.size log field value is not empty then, actor.process.parent_process.file.size log field is mapped to the principal.process.parent_process.file.size UDM field. Else, if process.parent_process.file.size log field value is not empty then, process.parent_process.file.size log field is mapped to the principal.process.parent_process.file.size UDM field. |
| actor.process.parent_process.pid | principal.process.parent_process.pid | If the actor.process.parent_process.pid log field value is not empty then, actor.process.parent_process.pid log field is mapped to the principal.process.parent_process.pid UDM field. Else, if process.parent_process.pid log field value is not empty then, process.parent_process.pid log field is mapped to the principal.process.parent_process.pid UDM field. |
| actor.process.parent_process.uid | principal.process.parent_process.product_specific_process_id | If the actor.process.parent_process.uid log field value is not empty then, actor.process.parent_process.uid log field is mapped to the principal.process.parent_process.product_specific_process_id UDM field. Else, if process.parent_process.uid log field value is not empty then, process.parent_process.uid log field is mapped to the principal.process.parent_process.product_specific_process_id UDM field. |
| actor.process.pid | principal.process.pid | If the actor.process.pid log field value is not empty then, actor.process.pid log field is mapped to the principal.process.pid UDM field. Else, if process.pid log field value is not empty then, process.pid log field is mapped to the principal.process.pid UDM field. |
| actor.process.uid | principal.process.product_specific_process_id | If the actor.process.uid log field value is not empty then, actor.process.uid log field is mapped to the principal.process.product_specific_process_id UDM field. Else, if process.uid log field value is not empty then, process.uid log field is mapped to the principal.process.product_specific_process_id UDM field. |
| actor.process.user.domain | principal.administrative_domain | If the actor.user.domain log field value is not empty then, actor.user.domain log field is mapped to the principal.administrative_domain UDM field. Else, if actor.process.user.domain log field value is not empty then, actor.process.user.domain log field is mapped to the principal.administrative_domain UDM field. |
| actor.process.user.email_addr | principal.user.email_addresses | If the actor.user.email_addr log field value is not empty then, actor.user.email_addr log field is mapped to the principal.user.email_addresses UDM field. Else, if actor.process.user.email_addr log field value is not empty then, actor.process.user.email_addr log field is mapped to the principal.user.email_addresses UDM field. |
| actor.process.user.full_name | principal.user.user_display_name | If the actor.user.full_name log field value is not empty then, actor.user.full_name log field is mapped to the principal.user.user_display_name UDM field. Else, if actor.process.user.full_name log field value is not empty then, actor.process.user.full_name log field is mapped to the principal.user.user_display_name UDM field. |
| actor.process.user.groups.name | principal.group.group_display_name | If the actor.user.groups.name log field value is not empty then, actor.user.groups.name log field is mapped to the principal.group.group_display_name UDM field. Else, if actor.process.user.groups.name log field value is not empty then, actor.process.user.groups.name log field is mapped to the principal.group.group_display_name UDM field. |
| actor.process.user.groups.privileges | principal.group.attribute.permissions.name | If the actor.user.groups.privileges log field value is not empty then, actor.user.groups.privileges log field is mapped to the principal.group.attribute.permissions.name UDM field. Else, if actor.process.user.groups.privileges log field value is not empty then, actor.process.user.groups.privileges log field is mapped to the principal.group.attribute.permissions.name UDM field. |
| actor.process.user.groups.uid | principal.user.group_identifiers | If the actor.user.groups.uid log field value is not empty then, actor.user.groups.uid log field is mapped to the principal.user.group_identifiers UDM field. Else, if actor.process.user.groups.uid log field value is not empty then, actor.process.user.groups.uid log field is mapped to the principal.user.group_identifiers UDM field. |
| actor.process.user.name | principal.user.userid | If the actor.user.name log field value is not empty then, actor.user.name log field is mapped to the principal.user.userid UDM field. Else, if actor.process.user.name log field value is not empty then, actor.process.user.name log field is mapped to the principal.user.userid UDM field. |
| actor.process.user.org.name | principal.user.company_name | If the actor.user.org.name log field value is not empty then, actor.user.org.name log field is mapped to the principal.user.company_name UDM field. Else, if actor.process.user.org.name log field value is not empty then, actor.process.user.org.name log field is mapped to the principal.user.company_name UDM field. |
| actor.process.user.org.ou_name | principal.user.department | If the actor.user.org.ou_name log field value is not empty then, actor.user.org.ou_name log field is mapped to the principal.user.department UDM field. Else, if actor.process.user.org.ou_name log field value is not empty then, actor.process.user.org.ou_name log field is mapped to the principal.user.department UDM field. |
| actor.process.user.type_id | principal.user.attribute.roles.name | If the actor.user.type_id log field value is empty and if the actor.process.user.type_id log field value is equal to 0 then, the principal.user.attribute.roles.name UDM field is set to Unknown. Else, if actor.process.user.type_id log field value is equal to 1 then, the principal.user.attribute.roles.name UDM field is set to User. Else, if actor.process.user.type_id log field value is equal to 2 then, the principal.user.attribute.roles.name UDM field is set to Admin. Else, if actor.process.user.type_id log field value is equal to 3 then, the principal.user.attribute.roles.name UDM field is set to System. Else, the principal.user.attribute.roles.name UDM field is set to Other. |
| actor.process.user.uid | principal.user.product_object_id | If the actor.user.uid log field value is not empty then, actor.user.uid log field is mapped to the principal.user.product_object_id UDM field. Else, if actor.process.user.uid log field value is not empty then, actor.process.user.uid log field is mapped to the principal.user.product_object_id UDM field. |
| actor.user.domain | principal.administrative_domain | If the actor.user.domain log field value is not empty then, actor.user.domain log field is mapped to the principal.administrative_domain UDM field. Else, if actor.process.user.domain log field value is not empty then, actor.process.user.domain log field is mapped to the principal.administrative_domain UDM field. |
| actor.user.email_addr | principal.user.email_addresses | If the actor.user.email_addr log field value is not empty then, actor.user.email_addr log field is mapped to the principal.user.email_addresses UDM field. Else, if actor.process.user.email_addr log field value is not empty then, actor.process.user.email_addr log field is mapped to the principal.user.email_addresses UDM field. |
| actor.user.full_name | principal.user.user_display_name | If the actor.user.full_name log field value is not empty then, actor.user.full_name log field is mapped to the principal.user.user_display_name UDM field. Else, if actor.process.user.full_name log field value is not empty then, actor.process.user.full_name log field is mapped to the principal.user.user_display_name UDM field. |
| actor.user.groups.name | principal.group.group_display_name | If the actor.user.groups.name log field value is not empty then, actor.user.groups.name log field is mapped to the principal.group.group_display_name UDM field. Else, if actor.process.user.groups.name log field value is not empty then, actor.process.user.groups.name log field is mapped to the principal.group.group_display_name UDM field. |
| actor.user.groups.privileges | principal.group.attribute.permissions.name | If the actor.user.groups.privileges log field value is not empty then, actor.user.groups.privileges log field is mapped to the principal.group.attribute.permissions.name UDM field. Else, if actor.process.user.groups.privileges log field value is not empty then, actor.process.user.groups.privileges log field is mapped to the principal.group.attribute.permissions.name UDM field. |
| actor.user.groups.uid | principal.user.group_identifiers | If the actor.user.groups.uid log field value is not empty then, actor.user.groups.uid log field is mapped to the principal.user.group_identifiers UDM field. Else, if actor.process.user.groups.uid log field value is not empty then, actor.process.user.groups.uid log field is mapped to the principal.user.group_identifiers UDM field. |
| actor.user.name | principal.user.userid | If the actor.user.name log field value is not empty then, actor.user.name log field is mapped to the principal.user.userid UDM field. Else, if actor.process.user.name log field value is not empty then, actor.process.user.name log field is mapped to the principal.user.userid UDM field. |
| actor.user.org.name | principal.user.company_name | If the actor.user.org.name log field value is not empty then, actor.user.org.name log field is mapped to the principal.user.company_name UDM field. Else, if actor.process.user.org.name log field value is not empty then, actor.process.user.org.name log field is mapped to the principal.user.company_name UDM field. |
| actor.user.org.ou_name | principal.user.department | If the actor.user.org.ou_name log field value is not empty then, actor.user.org.ou_name log field is mapped to the principal.user.department UDM field. Else, if actor.process.user.org.ou_name log field value is not empty then, actor.process.user.org.ou_name log field is mapped to the principal.user.department UDM field. |
| actor.user.type_id | principal.user.attribute.roles.name | If the actor.user.type_id log field value is equal to 0 then, the principal.user.attribute.roles.name UDM field is set to Unknown. Else, if actor.user.type_id log field value is equal to 1 then, the principal.user.attribute.roles.name UDM field is set to User. Else, if actor.user.type_id log field value is equal to 2 then, the principal.user.attribute.roles.name UDM field is set to Admin. Else, if actor.user.type_id log field value is equal to 3 then, the principal.user.attribute.roles.name UDM field is set to System. Else, the principal.user.attribute.roles.name UDM field is set to Other. |
| actor.user.uid | principal.user.product_object_id | If the actor.user.uidlog field value is not empty then,actor.user.uidlog field is mapped to theprincipal.user.product_object_idUDM field.Else, if actor.process.user.uidlog field value is not empty then,actor.process.user.uidlog field is mapped to theprincipal.user.product_object_idUDM field. | 
| attacks.tactics.name | security_result.attack_details.tactics.name | |
| attacks.tactics.uid | security_result.attack_details.tactics.id | |
| attacks.technique.name | security_result.attack_details.technique.name | |
| attacks.technique.uid | security_result.attack_details.technique.id | |
| attacks.version | security_result.attack_details.version | |
| category_name | security_result.category_details | The %{category_uid} - %{category_name} log field is mapped to the security_result.category_details UDM field. |
| category_uid | security_result.category_details | The %{category_uid} - %{category_name} log field is mapped to the security_result.category_details UDM field. |
| class_name | metadata.log_type | |
| cloud.org.uid | about.resource.product_object_id | |
| cloud.project_uid | principal.resource.product_object_id | |
| cloud.provider | about.resource.attribute.cloud.environment | If the cloud.provider log field value matches the regular expression pattern AWS, then the about.resource.attribute.cloud.environment UDM field is set to AMAZON_WEB_SERVICES. Else, if the cloud.provider log field value matches the regular expression pattern MS Azure, then the about.resource.attribute.cloud.environment UDM field is set to MICROSOFT_AZURE. Else, if the cloud.provider log field value matches the regular expression pattern GCP, then the about.resource.attribute.cloud.environment UDM field is set to GOOGLE_CLOUD_PLATFORM. |
| cloud.region | about.location.name | |
| cloud.zone | about.resource.attribute.cloud.availability_zone | |
| connection_info.direction_id | network.direction | If the connection_info.direction_id log field value is equal to 1, then the network.direction UDM field is set to INBOUND. Else, if the connection_info.direction_id log field value is equal to 2, then the network.direction UDM field is set to OUTBOUND. Else, the network.direction UDM field is set to UNKNOWN_DIRECTION. |
| connection_info.protocol_num | network.ip_protocol | If the connection_info.protocol_num log field value is equal to 1, then the network.ip_protocol UDM field is set to ICMP. Else, if the connection_info.protocol_num log field value is equal to 2, then the network.ip_protocol UDM field is set to IGMP. Else, if the connection_info.protocol_num log field value is equal to 6, then the network.ip_protocol UDM field is set to TCP. Else, if the connection_info.protocol_num log field value is equal to 17, then the network.ip_protocol UDM field is set to UDP. Else, if the connection_info.protocol_num log field value is equal to 41, then the network.ip_protocol UDM field is set to IP6IN4. Else, if the connection_info.protocol_num log field value is equal to 47, then the network.ip_protocol UDM field is set to GRE. Else, if the connection_info.protocol_num log field value is equal to 50, then the network.ip_protocol UDM field is set to ESP. Else, if the connection_info.protocol_num log field value is equal to 58, then the network.ip_protocol UDM field is set to ICMP6. Else, if the connection_info.protocol_num log field value is equal to 88, then the network.ip_protocol UDM field is set to EIGRP. Else, if the connection_info.protocol_num log field value is equal to 97, then the network.ip_protocol UDM field is set to ETHERIP. Else, if the connection_info.protocol_num log field value is equal to 103, then the network.ip_protocol UDM field is set to PIM. Else, if the connection_info.protocol_num log field value is equal to 112, then the network.ip_protocol UDM field is set to VRRP. Else, if the connection_info.protocol_num log field value is equal to 132, then the network.ip_protocol UDM field is set to SCTP. Else, the network.ip_protocol UDM field is set to UNKNOWN_IP_PROTOCOL. |
| connection_info.protocol_ver_id | network.application_protocol_version | If the connection_info.protocol_ver_id log field value is equal to 4, then the network.application_protocol_version UDM field is set to Internet Protocol version 4 (IPv4). Else, if the connection_info.protocol_ver_id log field value is equal to 6, then the network.application_protocol_version UDM field is set to Internet Protocol version 6 (IPv6). |
| dst_endpoint.svc_name | target.application | If the dst_endpoint.svc_name log field value is not empty, then the dst_endpoint.svc_name log field is mapped to the target.application UDM field. Else, if the api.service.name log field value is not empty, then the %{api.service.name} log field is mapped to the target.application UDM field. |
| dst_endpoint.domain | target.domain.name | |
| dst_endpoint.hostname | target.hostname | |
| dst_endpoint.ip | target.ip | |
| dst_endpoint.location.city | target.location.city | |
| dst_endpoint.location.country | target.location.country_or_region | |
| dst_endpoint.location.region | target.location.name | |
| dst_endpoint.location.coordinates | target.location.region_coordinates.longitude/latitude | |
| dst_endpoint.mac | target.mac | |
| dst_endpoint.port | target.port | |
| dst_endpoint.uid | target.asset_id | |
| dst_endpoint.intermediate_ips | intermediary.ip | |
| device.created_time | principal.asset.attribute.creation_time | |
| device.domain | principal.asset.network_domain | |
| device.first_seen_time | principal.asset.first_seen_time | |
| device.hostname | principal.asset.hostname | |
| device.hw_info.bios_manufacturer | principal.asset.hardware.manufacturer | |
| device.hw_info.cpu_cores | principal.asset.hardware.cpu_number_cores | |
| device.hw_info.cpu_speed | principal.asset.hardware.cpu_clock_speed | |
| device.hw_info.cpu_type | principal.asset.hardware.cpu_model | |
| device.hw_info.ram_size | principal.asset.hardware.ram | |
| device.hw_info.serial_number | principal.asset.hardware.serial_number | |
| device.ip | principal.asset.ip | |
| device.location.city | principal.asset.location.city | |
| device.location.coordinates | principal.asset.location.region_coordinates.longitude/latitude | |
| device.location.country | principal.asset.location.country_or_region | |
| device.location.region | principal.asset.location.name | If the device.region log field value is empty, then the device.location.region log field is mapped to the principal.asset.location.name UDM field. |
| device.mac | principal.asset.mac | |
| device.modified_time | principal.asset.attribute.last_update_time | |
| device.os.type_id | principal.asset.platform_software.platform | If the device.os.type_id log field value is equal to 100 or the device.os.type_id log field value is equal to 101, then the principal.asset.platform_software.platform UDM field is set to WINDOWS. Else, if the device.os.type_id log field value is equal to 200, then the principal.asset.platform_software.platform UDM field is set to LINUX. Else, if the device.os.type_id log field value is equal to 201, then the principal.asset.platform_software.platform UDM field is set to ANDROID. Else, if the device.os.type_id log field value is equal to 300, then the principal.asset.platform_software.platform UDM field is set to MAC. Else, if the device.os.type_id log field value is equal to 301, then the principal.asset.platform_software.platform UDM field is set to IOS. Else, the principal.asset.platform_software.platform UDM field is set to UNKNOWN_PLATFORM. |
| device.os.version | principal.asset.platform_software.platform_version | |
| device.region | principal.asset.location.name | |
| device.type_id | principal.asset.type | |
| device.uid | principal.asset.product_object_id | |
| disposition | security_result.action_details | |
| disposition_id | security_result.action | If the class_name log field value contains one of the following values and the disposition_id log field value is equal to 1, then the security_result.action UDM field is set to ALLOW. Else, if the disposition_id log field value is equal to 2, then the security_result.action UDM field is set to BLOCK. Else, if the disposition_id log field value is equal to 3, then the security_result.action UDM field is set to QUARANTINE. |
| time | metadata.event_timestamp | |
| malware.cves.created_time | extensions.vulns.vulnerabilities.first_found | |
| malware.cves.cvss.base_score | extensions.vulns.vulnerabilities.cvss_base_score | |
| malware.cves.cvss.severity | extensions.vulns.vulnerabilities.severity | If the malware.cves.cvss.severity log field value matches the regular expression pattern Low, then the extensions.vulns.vulnerabilities.severity UDM field is set to LOW. Else, if the malware.cves.cvss.severity log field value matches the regular expression pattern Medium, then the extensions.vulns.vulnerabilities.severity UDM field is set to MEDIUM. Else, if the malware.cves.cvss.severity log field value matches the regular expression pattern High, then the extensions.vulns.vulnerabilities.severity UDM field is set to HIGH. Else, if the malware.cves.cvss.severity log field value matches the regular expression pattern Critical, then the extensions.vulns.vulnerabilities.severity UDM field is set to CRITICAL. Else, the extensions.vulns.vulnerabilities.severity UDM field is set to UNKNOWN_SEVERITY. |
| malware.cves.cvss.vector_string | extensions.vulns.vulnerabilities.cvss_vector | |
| malware.cves.cvss.version | extensions.vulns.vulnerabilities.cvss_version | |
| malware.cves.product.name | extensions.vulns.vulnerabilities.about.application | |
| malware.cves.product.uid | extensions.vulns.vulnerabilities.about.asset_id | |
| malware.cves.product.vendor_name | extensions.vulns.vulnerabilities.vendor | |
| malware.cves.type | extensions.vulns.vulnerabilities.name | |
| malware.cves.uid | extensions.vulns.vulnerabilities.cve_id | |
| malware.name | security_result.threat_name | |
| malware.uid | security_result.threat_id | |
| message | metadata.description | |
| metadata.logged_time | metadata.collected_timestamp | |
| metadata.product.name | metadata.product_name | |
| metadata.uid | metadata.product_log_id | |
| metadata.product.vendor_name | metadata.vendor_name | |
| metadata.product.version | metadata.product_version | |
| observables.value | observer.file.names | Iterate through the log field observables.value, then if the index value is equal to 0 and the observables.type_id log field value is equal to 1, then the observables.value log field is mapped to the observer.hostname UDM field. Else, if the observables.type_id log field value is equal to 2, then the observables.value log field is mapped to the observer.ip UDM field. Else, if the observables.type_id log field value is equal to 3, then the observables.value log field is mapped to the observer.mac UDM field. Else, if the observables.type_id log field value is equal to 4, then the observables.value log field is mapped to the observer.user.userid UDM field. Else, if the observables.type_id log field value is equal to 5, then the observables.value log field is mapped to the observer.user.email_addresses UDM field. Else, if the observables.type_id log field value is equal to 6, then the observables.value log field is mapped to the observer.url UDM field. Else, if the observables.type_id log field value is equal to 7, then the observables.value log field is mapped to the observer.file.names UDM field. Else, if the observables.type_id log field value is equal to 8, then the observables.value log field is mapped to the observer.file.vhash UDM field. Else, if the observables.type_id log field value is equal to 9, then the observables.value log field is mapped to the observer.process.file.names UDM field. Else, if the observables.type_id log field value is equal to 10, then the observables.value log field is mapped to the observer.resource.product_object_id UDM field. |
| observables.value | observer.file.vhash | Iterate through the log field observables.value, then if the index value is equal to 0 and the observables.type_id log field value is equal to 1, then the observables.value log field is mapped to the observer.hostname UDM field. Else, if the observables.type_id log field value is equal to 2, then the observables.value log field is mapped to the observer.ip UDM field. Else, if the observables.type_id log field value is equal to 3, then the observables.value log field is mapped to the observer.mac UDM field. Else, if the observables.type_id log field value is equal to 4, then the observables.value log field is mapped to the observer.user.userid UDM field. Else, if the observables.type_id log field value is equal to 5, then the observables.value log field is mapped to the observer.user.email_addresses UDM field. Else, if the observables.type_id log field value is equal to 6, then the observables.value log field is mapped to the observer.url UDM field. Else, if the observables.type_id log field value is equal to 7, then the observables.value log field is mapped to the observer.file.names UDM field. Else, if the observables.type_id log field value is equal to 8, then the observables.value log field is mapped to the observer.file.vhash UDM field. Else, if the observables.type_id log field value is equal to 9, then the observables.value log field is mapped to the observer.process.file.names UDM field. Else, if the observables.type_id log field value is equal to 10, then the observables.value log field is mapped to the observer.resource.product_object_id UDM field. |
| observables.value | observer.hostname | Iterate through the log field observables.value, then if the index value is equal to 0 and the observables.type_id log field value is equal to 1, then the observables.value log field is mapped to the observer.hostname UDM field. Else, if the observables.type_id log field value is equal to 2, then the observables.value log field is mapped to the observer.ip UDM field. Else, if the observables.type_id log field value is equal to 3, then the observables.value log field is mapped to the observer.mac UDM field. Else, if the observables.type_id log field value is equal to 4, then the observables.value log field is mapped to the observer.user.userid UDM field. Else, if the observables.type_id log field value is equal to 5, then the observables.value log field is mapped to the observer.user.email_addresses UDM field. Else, if the observables.type_id log field value is equal to 6, then the observables.value log field is mapped to the observer.url UDM field. Else, if the observables.type_id log field value is equal to 7, then the observables.value log field is mapped to the observer.file.names UDM field. Else, if the observables.type_id log field value is equal to 8, then the observables.value log field is mapped to the observer.file.vhash UDM field. Else, if the observables.type_id log field value is equal to 9, then the observables.value log field is mapped to the observer.process.file.names UDM field. Else, if the observables.type_id log field value is equal to 10, then the observables.value log field is mapped to the observer.resource.product_object_id UDM field. |
| observables.value | observer.ip | Iterate through the log field observables.value, then if the index value is equal to 0 and the observables.type_id log field value is equal to 1, then the observables.value log field is mapped to the observer.hostname UDM field. Else, if the observables.type_id log field value is equal to 2, then the observables.value log field is mapped to the observer.ip UDM field. Else, if the observables.type_id log field value is equal to 3, then the observables.value log field is mapped to the observer.mac UDM field. Else, if the observables.type_id log field value is equal to 4, then the observables.value log field is mapped to the observer.user.userid UDM field. Else, if the observables.type_id log field value is equal to 5, then the observables.value log field is mapped to the observer.user.email_addresses UDM field. Else, if the observables.type_id log field value is equal to 6, then the observables.value log field is mapped to the observer.url UDM field. Else, if the observables.type_id log field value is equal to 7, then the observables.value log field is mapped to the observer.file.names UDM field. Else, if the observables.type_id log field value is equal to 8, then the observables.value log field is mapped to the observer.file.vhash UDM field. Else, if the observables.type_id log field value is equal to 9, then the observables.value log field is mapped to the observer.process.file.names UDM field. Else, if the observables.type_id log field value is equal to 10, then the observables.value log field is mapped to the observer.resource.product_object_id UDM field. |
| observables.value | observer.mac | Iterate through the log field observables.value, then if the index value is equal to 0 and the observables.type_id log field value is equal to 1, then the observables.value log field is mapped to the observer.hostname UDM field. Else, if the observables.type_id log field value is equal to 2, then the observables.value log field is mapped to the observer.ip UDM field. Else, if the observables.type_id log field value is equal to 3, then the observables.value log field is mapped to the observer.mac UDM field. Else, if the observables.type_id log field value is equal to 4, then the observables.value log field is mapped to the observer.user.userid UDM field. Else, if the observables.type_id log field value is equal to 5, then the observables.value log field is mapped to the observer.user.email_addresses UDM field. Else, if the observables.type_id log field value is equal to 6, then the observables.value log field is mapped to the observer.url UDM field. Else, if the observables.type_id log field value is equal to 7, then the observables.value log field is mapped to the observer.file.names UDM field. Else, if the observables.type_id log field value is equal to 8, then the observables.value log field is mapped to the observer.file.vhash UDM field. Else, if the observables.type_id log field value is equal to 9, then the observables.value log field is mapped to the observer.process.file.names UDM field. Else, if the observables.type_id log field value is equal to 10, then the observables.value log field is mapped to the observer.resource.product_object_id UDM field. |
| observables.value | observer.process.file.names | Iterate through the log field observables.value, then if the index value is equal to 0 and the observables.type_id log field value is equal to 1, then the observables.value log field is mapped to the observer.hostname UDM field. Else, if the observables.type_id log field value is equal to 2, then the observables.value log field is mapped to the observer.ip UDM field. Else, if the observables.type_id log field value is equal to 3, then the observables.value log field is mapped to the observer.mac UDM field. Else, if the observables.type_id log field value is equal to 4, then the observables.value log field is mapped to the observer.user.userid UDM field. Else, if the observables.type_id log field value is equal to 5, then the observables.value log field is mapped to the observer.user.email_addresses UDM field. Else, if the observables.type_id log field value is equal to 6, then the observables.value log field is mapped to the observer.url UDM field. Else, if the observables.type_id log field value is equal to 7, then the observables.value log field is mapped to the observer.file.names UDM field. Else, if the observables.type_id log field value is equal to 8, then the observables.value log field is mapped to the observer.file.vhash UDM field. Else, if the observables.type_id log field value is equal to 9, then the observables.value log field is mapped to the observer.process.file.names UDM field. Else, if the observables.type_id log field value is equal to 10, then the observables.value log field is mapped to the observer.resource.product_object_id UDM field. |
| observables.value | observer.resource.product_object_id | Iterate through the log field observables.value, then if the index value is equal to 0 and the observables.type_id log field value is equal to 1, then the observables.value log field is mapped to the observer.hostname UDM field. Else, if the observables.type_id log field value is equal to 2, then the observables.value log field is mapped to the observer.ip UDM field. Else, if the observables.type_id log field value is equal to 3, then the observables.value log field is mapped to the observer.mac UDM field. Else, if the observables.type_id log field value is equal to 4, then the observables.value log field is mapped to the observer.user.userid UDM field. Else, if the observables.type_id log field value is equal to 5, then the observables.value log field is mapped to the observer.user.email_addresses UDM field. Else, if the observables.type_id log field value is equal to 6, then the observables.value log field is mapped to the observer.url UDM field. Else, if the observables.type_id log field value is equal to 7, then the observables.value log field is mapped to the observer.file.names UDM field. Else, if the observables.type_id log field value is equal to 8, then the observables.value log field is mapped to the observer.file.vhash UDM field. Else, if the observables.type_id log field value is equal to 9, then the observables.value log field is mapped to the observer.process.file.names UDM field. Else, if the observables.type_id log field value is equal to 10, then the observables.value log field is mapped to the observer.resource.product_object_id UDM field. |
| observables.value | observer.url | Iterate through the log field observables.value, then if the index value is equal to 0 and the observables.type_id log field value is equal to 1, then the observables.value log field is mapped to the observer.hostname UDM field. Else, if the observables.type_id log field value is equal to 2, then the observables.value log field is mapped to the observer.ip UDM field. Else, if the observables.type_id log field value is equal to 3, then the observables.value log field is mapped to the observer.mac UDM field. Else, if the observables.type_id log field value is equal to 4, then the observables.value log field is mapped to the observer.user.userid UDM field. Else, if the observables.type_id log field value is equal to 5, then the observables.value log field is mapped to the observer.user.email_addresses UDM field. Else, if the observables.type_id log field value is equal to 6, then the observables.value log field is mapped to the observer.url UDM field. Else, if the observables.type_id log field value is equal to 7, then the observables.value log field is mapped to the observer.file.names UDM field. Else, if the observables.type_id log field value is equal to 8, then the observables.value log field is mapped to the observer.file.vhash UDM field. Else, if the observables.type_id log field value is equal to 9, then the observables.value log field is mapped to the observer.process.file.names UDM field. Else, if the observables.type_id log field value is equal to 10, then the observables.value log field is mapped to the observer.resource.product_object_id UDM field. |
| observables.value | observer.user.email_addresses | Iterate through the log field observables.value, then if the index value is equal to 0 and the observables.type_id log field value is equal to 1, then the observables.value log field is mapped to the observer.hostname UDM field. Else, if the observables.type_id log field value is equal to 2, then the observables.value log field is mapped to the observer.ip UDM field. Else, if the observables.type_id log field value is equal to 3, then the observables.value log field is mapped to the observer.mac UDM field. Else, if the observables.type_id log field value is equal to 4, then the observables.value log field is mapped to the observer.user.userid UDM field. Else, if the observables.type_id log field value is equal to 5, then the observables.value log field is mapped to the observer.user.email_addresses UDM field. Else, if the observables.type_id log field value is equal to 6, then the observables.value log field is mapped to the observer.url UDM field. Else, if the observables.type_id log field value is equal to 7, then the observables.value log field is mapped to the observer.file.names UDM field. Else, if the observables.type_id log field value is equal to 8, then the observables.value log field is mapped to the observer.file.vhash UDM field. Else, if the observables.type_id log field value is equal to 9, then the observables.value log field is mapped to the observer.process.file.names UDM field. Else, if the observables.type_id log field value is equal to 10, then the observables.value log field is mapped to the observer.resource.product_object_id UDM field. |
| observables.value | observer.user.userid | Iterate through the log field observables.value, then if the index value is equal to 0 and the observables.type_id log field value is equal to 1, then the observables.value log field is mapped to the observer.hostname UDM field. Else, if the observables.type_id log field value is equal to 2, then the observables.value log field is mapped to the observer.ip UDM field. Else, if the observables.type_id log field value is equal to 3, then the observables.value log field is mapped to the observer.mac UDM field. Else, if the observables.type_id log field value is equal to 4, then the observables.value log field is mapped to the observer.user.userid UDM field. Else, if the observables.type_id log field value is equal to 5, then the observables.value log field is mapped to the observer.user.email_addresses UDM field. Else, if the observables.type_id log field value is equal to 6, then the observables.value log field is mapped to the observer.url UDM field. Else, if the observables.type_id log field value is equal to 7, then the observables.value log field is mapped to the observer.file.names UDM field. Else, if the observables.type_id log field value is equal to 8, then the observables.value log field is mapped to the observer.file.vhash UDM field. Else, if the observables.type_id log field value is equal to 9, then the observables.value log field is mapped to the observer.process.file.names UDM field. Else, if the observables.type_id log field value is equal to 10, then the observables.value log field is mapped to the observer.resource.product_object_id UDM field. |
| proxy.svc_name | intermediary.application | |
| proxy.domain | intermediary.domain.name | |
| proxy.hostname | intermediary.hostname | |
| proxy.ip | intermediary.ip | |
| proxy.location.city | intermediary.location.city | |
| proxy.location.country | intermediary.location.country_or_region | |
| proxy.location.region | intermediary.location.name | |
| proxy.location.coordinates | intermediary.location.region_coordinates.longitude/latitude | |
| proxy.mac | intermediary.mac | |
| proxy.port | intermediary.port | |
| proxy.uid | intermediary.asset_id | |
| proxy.intermediate_ips | intermediary.ip | |
| severity | security_result.severity_details | |
| severity_id | security_result.severity | If the severity_id log field value is equal to 1, then the security_result.severity UDM field is set to INFORMATIONAL. Else, if the severity_id log field value is equal to 2, then the security_result.severity UDM field is set to LOW. Else, if the severity_id log field value is equal to 3, then the security_result.severity UDM field is set to MEDIUM. Else, if the severity_id log field value is equal to 4, then the security_result.severity UDM field is set to HIGH. Else, if the severity_id log field value is equal to 5, then the security_result.severity UDM field is set to CRITICAL. Else, the security_result.severity UDM field is set to UNKNOWN_SEVERITY. |
| src_endpoint.domain | principal.domain.name | |
| src_endpoint.hostname | principal.hostname | |
| src_endpoint.ip | principal.ip | |
| src_endpoint.intermediate_ips | intermediary.ip | |
| src_endpoint.mac | principal.mac | |
| src_endpoint.port | principal.port | |
| src_endpoint.svc_name | principal.application | |
| src_endpoint.uid | principal.asset_id | |
| src_endpoint.location.city | principal.location.city | |
| src_endpoint.location.coordinates | principal.location.region_coordinates.longitude/latitude | |
| src_endpoint.location.country | principal.location.country_or_region | |
| src_endpoint.location.region | principal.location.name | |
| tls.cipher | network.tls.cipher | |
| tls.certificate.issuer | network.tls.client.certificate.issuer | |
| tls.certificate.expiration_time | network.tls.client.certificate.not_after | |
| tls.certificate.created_time | network.tls.client.certificate.not_before | |
| tls.certificate.serial_number | network.tls.client.certificate.serial | |
| tls.certificate.subject | network.tls.client.certificate.subject | |
| tls.certificate.version | network.tls.client.certificate.version | |
| tls.ja3_hash.value | network.tls.client.ja3 | |
| tls.ja3s_hash.value | network.tls.client.ja3s | |
| tls.sni | network.tls.client.server_name | |
| tls.client_ciphers | network.tls.client.supported_ciphers | |
| tls.version | network.tls.version_protocol | |
| traffic.bytes_out | network.received_bytes | |
| traffic.packets_out | network.received_packets | |
| traffic.bytes_in | network.sent_bytes | |
| traffic.packets_in | network.sent_packets | |
| file.accessed_time | target.file.last_seen_time | |
| file.created_time | target.file.first_seen_time | |
| file.mime_type | target.file.mime_type | |
| file.modified_time | target.file.last_modification_time | |
| file.name | target.file.names | |
| file.path | target.file.full_path | |
| file.size | target.file.size | |
| cloud.account_uid | about.resource.attribute.labels[cloud_account_uid] | |
| class_uid | about.labels[class_uid] | |
| connection_info.boundary | about.labels[connection_info_boundary] | |
| connection_info.boundary_id | about.labels[connection_info_boundary_id] | |
| connection_info.protocol_ver | about.labels[connection_info_protocol_ver] | |
| connection_info.tcp_flags | about.labels[connection_info_tcp_flags] | |
| dst_endpoint.instance_uid | target.labels[dst_endpoint_instance_uid] | |
| dst_endpoint.interface_uid | target.labels[dst_endpoint_interface_uid] | |
| dst_endpoint.subnet_uid | target.labels[dst_endpoint_subnet_uid] | |
| dst_endpoint.vpc_uid | target.labels[dst_endpoint_vpc_uid] | |
| end_time | about.labels[end_time] | |
| metadata.product.feature.name | about.labels[metadata_product_feature_name] | |
| metadata.profiles | about.labels[metadata_profiles] | |
| metadata.version | about.labels[metadata_version] | |
| traffic.bytes | about.labels[traffic_bytes] | |
| traffic.packets | about.labels[traffic_packets] | |
| start_time | about.labels[start_time] | |
| class_uid | additional.fields[class_uid] | |
| connection_info.boundary | additional.fields[connection_info_boundary] | |
| connection_info.boundary_id | additional.fields[connection_info_boundary_id] | |
| connection_info.protocol_ver | additional.fields[connection_info_protocol_ver] | |
| connection_info.tcp_flags | additional.fields[connection_info_tcp_flags] | |
| dst_endpoint.instance_uid | additional.fields[dst_endpoint_instance_uid] | |
| dst_endpoint.interface_uid | additional.fields[dst_endpoint_interface_uid] | |
| dst_endpoint.subnet_uid | additional.fields[dst_endpoint_subnet_uid] | |
| dst_endpoint.vpc_uid | additional.fields[dst_endpoint_vpc_uid] | |
| end_time | additional.fields[end_time] | |
| metadata.product.feature.name | additional.fields[metadata_product_feature_name] | |
| metadata.profiles | additional.fields[metadata_profiles] | |
| metadata.version | additional.fields[metadata_version] | |
| traffic.bytes | additional.fields[traffic_bytes] | |
| traffic.packets | additional.fields[traffic_packets] | |
| start_time | additional.fields[start_time] | |
| url.query_string | about.security_result.detection_fields[url_query_string] | |
| url.path | about.security_result.detection_fields[url_path] | |
| url.scheme | about.security_result.detection_fields[url_scheme] | |
| url.category_ids | about.security_result.detection_fields[url_category_ids] | For each element of the url.category_ids log field, the url.category_ids log field is mapped to the about.security_result.detection_fields[url_category_ids] UDM field. |
| url.hostname | about.hostname | |
| url.port | about.port | |
| url.resource_type | about.resource.resource_subtype | |
| url.subdomain | about.administrative_domain | |
| url.url_string | about.url | |
| url.categories | about.url_metadata.categories | For each element of the url.categories log field, the url.categories log field is mapped to the about.url_metadata.categories UDM field. |
| connection_info.session.uid_alt | additional.fields[connection_info_session_uid_alt] | |
| connection_info.session.count | additional.fields[connection_info_session_count] | |
| connection_info.session.expiration_reason | additional.fields[connection_info_session_expiration_reason] | |
| connection_info.session.is_mfa | additional.fields[connection_info_session_is_mfa] | |
| connection_info.session.terminal | additional.fields[connection_info_session_terminal] | |
| connection_info.session.is_vpn | additional.fields[connection_info_session_is_vpn] | |
| dst_endpoint.hw_info.bios_date | target.asset.attribute.labels[dst_endpoint_hw_info_bios_date] | |
| dst_endpoint.hw_info.bios_manufacturer | target.asset.hardware.manufacturer | |
| dst_endpoint.hw_info.bios_ver | target.asset.hardware.model | |
| dst_endpoint.hw_info.cpu_bits | target.asset.attribute.labels[dst_endpoint_hw_info_cpu_bits] | |
| dst_endpoint.hw_info.cpu_cores | target.asset.hardware.cpu_number_cores | |
| dst_endpoint.hw_info.cpu_count | target.asset.attribute.labels[dst_endpoint_hw_info_cpu_count] | |
| dst_endpoint.hw_info.chassis | target.asset.attribute.labels[dst_endpoint_hw_info_chassis] | |
| dst_endpoint.hw_info.desktop_display.color_depth | target.asset.attribute.labels[dst_endpoint_hw_info_desktop_display_color_depth] | |
| dst_endpoint.hw_info.desktop_display.physical_height | target.asset.attribute.labels[dst_endpoint_hw_info_desktop_display_physical_height] | |
| dst_endpoint.hw_info.desktop_display.physical_orientation | target.asset.attribute.labels[dst_endpoint_hw_info_desktop_display_physical_orientation] | |
| dst_endpoint.hw_info.desktop_display.physical_width | target.asset.attribute.labels[dst_endpoint_hw_info_desktop_display_physical_width] | |
| dst_endpoint.hw_info.desktop_display.scale_factor | target.asset.attribute.labels[dst_endpoint_hw_info_desktop_display_scale_factor] | |
| dst_endpoint.hw_info.keyboard_info.function_keys | target.asset.attribute.labels[dst_endpoint_hw_info_keyboard_info_function_keys] | |
| dst_endpoint.hw_info.keyboard_info.ime | target.asset.attribute.labels[dst_endpoint_hw_info_keyboard_info_ime] | |
| dst_endpoint.hw_info.keyboard_info.keyboard_layout | target.asset.attribute.labels[dst_endpoint_hw_info_keyboard_info_keyboard_layout] | |
| dst_endpoint.hw_info.keyboard_info.keyboard_subtype | target.asset.attribute.labels[dst_endpoint_hw_info_keyboard_info_keyboard_subtype] | |
| dst_endpoint.hw_info.keyboard_info.keyboard_type | target.asset.attribute.labels[dst_endpoint_hw_info_keyboard_info_keyboard_type] | |
| dst_endpoint.hw_info.cpu_speed | target.asset.hardware.cpu_max_clock_speed | |
| dst_endpoint.hw_info.cpu_type | target.asset.hardware.cpu_platform | |
| dst_endpoint.hw_info.ram_size | target.asset.hardware.ram | |
| dst_endpoint.hw_info.serial_number | target.asset.hardware.serial_number | |
| dst_endpoint.zone | target.asset.attribute.labels[dst_endpoint_zone] | |
| dst_endpoint.type | additional.fields[dst_endpoint_type] | |
| dst_endpoint.type_id | additional.fields[dst_endpoint_type_id] | |
| dst_endpoint.os.cpe_name | target.asset.attribute.labels[dst_endpoint_os_cpe_name] | |
| dst_endpoint.proxy_endpoint.svc_name | intermediary.application | |
| dst_endpoint.proxy_endpoint.intermediate_ips.array | intermediary.ip | |
| dst_endpoint.proxy_endpoint.domain | intermediary.domain.name | |
| dst_endpoint.proxy_endpoint.hostname | intermediary.hostname | |
| dst_endpoint.proxy_endpoint.ip | intermediary.ip | |
| dst_endpoint.proxy_endpoint.location.city | intermediary.location.city | |
| dst_endpoint.proxy_endpoint.location.country | intermediary.location.country_or_region | |
| dst_endpoint.proxy_endpoint.location.region | intermediary.location.name | |
| dst_endpoint.proxy_endpoint.location.coordinates | intermediary.location.region_coordinates | |
| dst_endpoint.proxy_endpoint.mac | intermediary.mac | |
| dst_endpoint.proxy_endpoint.port | intermediary.port | |
| dst_endpoint.proxy_endpoint.uid | intermediary.asset_id | |
| dst_endpoint.proxy_endpoint.hw_info.bios_date | intermediary.asset.attribute.labels[dst_endpoint_proxy_endpoint_hw_info_bios_date] | |
| dst_endpoint.proxy_endpoint.hw_info.bios_manufacturer | intermediary.asset.hardware.manufacturer | |
| dst_endpoint.proxy_endpoint.hw_info.bios_ver | intermediary.asset.hardware.model | |
| dst_endpoint.proxy_endpoint.hw_info.cpu_bits | intermediary.asset.attribute.labels[dst_endpoint_proxy_endpoint_hw_info_cpu_bits] | |
| dst_endpoint.proxy_endpoint.hw_info.cpu_cores | intermediary.asset.hardware.cpu_number_cores | |
| dst_endpoint.proxy_endpoint.hw_info.cpu_count | intermediary.asset.attribute.labels[dst_endpoint_proxy_endpoint_hw_info_cpu_count] | |
| dst_endpoint.proxy_endpoint.hw_info.chassis | intermediary.asset.attribute.labels[dst_endpoint_proxy_endpoint_hw_info_chassis] | |
| dst_endpoint.proxy_endpoint.hw_info.desktop_display.color_depth | intermediary.asset.attribute.labels[dst_endpoint_proxy_endpoint_hw_info_desktop_display_color_depth] | |
| dst_endpoint.proxy_endpoint.hw_info.desktop_display.physical_height | intermediary.asset.attribute.labels[dst_endpoint_proxy_endpoint_hw_info_desktop_display_physical_height] | |
| dst_endpoint.proxy_endpoint.hw_info.desktop_display.physical_orientation | intermediary.asset.attribute.labels[dst_endpoint_proxy_endpoint_hw_info_desktop_display_physical_orientation] | |
| dst_endpoint.proxy_endpoint.hw_info.desktop_display.physical_width | intermediary.asset.attribute.labels[dst_endpoint_proxy_endpoint_hw_info_desktop_display_physical_width] | |
| dst_endpoint.proxy_endpoint.hw_info.desktop_display.scale_factor | intermediary.asset.attribute.labels[dst_endpoint_proxy_endpoint_hw_info_desktop_display_scale_factor] | |
| dst_endpoint.proxy_endpoint.hw_info.keyboard_info.function_keys | intermediary.asset.attribute.labels[dst_endpoint_proxy_endpoint_hw_info_keyboard_info_function_keys] | |
| dst_endpoint.proxy_endpoint.hw_info.keyboard_info.ime | intermediary.asset.attribute.labels[dst_endpoint_proxy_endpoint_hw_info_keyboard_info_ime] | |
| dst_endpoint.proxy_endpoint.hw_info.keyboard_info.keyboard_layout | intermediary.asset.attribute.labels[dst_endpoint_proxy_endpoint_hw_info_keyboard_info_keyboard_layout] | |
| dst_endpoint.proxy_endpoint.hw_info.keyboard_info.keyboard_subtype | intermediary.asset.attribute.labels[dst_endpoint_proxy_endpoint_hw_info_keyboard_info_keyboard_subtype] | |
| dst_endpoint.proxy_endpoint.hw_info.keyboard_info.keyboard_type | intermediary.asset.attribute.labels[dst_endpoint_proxy_endpoint_hw_info_keyboard_info_keyboard_type] | |
| dst_endpoint.proxy_endpoint.hw_info.cpu_speed | intermediary.asset.hardware.cpu_max_clock_speed | |
| dst_endpoint.proxy_endpoint.hw_info.cpu_type | intermediary.asset.hardware.cpu_platform | |
| dst_endpoint.proxy_endpoint.hw_info.ram_size | intermediary.asset.hardware.ram | |
| dst_endpoint.proxy_endpoint.hw_info.serial_number | intermediary.asset.hardware.serial_number | |
| dst_endpoint.proxy_endpoint.zone | intermediary.asset.attribute.labels[dst_endpoint_proxy_endpoint_zone] | |
| dst_endpoint.proxy_endpoint.type | additional.fields[dst_endpoint_proxy_endpoint_type] | |
| dst_endpoint.proxy_endpoint.type_id | additional.fields[dst_endpoint_proxy_endpoint_type_id] | |
| dst_endpoint.proxy_endpoint.os.cpe_name | intermediary.asset.attribute.labels[dst_endpoint_proxy_endpoint_os_cpe_name] | |
| metadata.log_level | additional.fields[metadata_log_level] | |
| metadata.tenant_uid | additional.fields[metadata_tenant_uid] | |
| metadata.product.cpe_name | about.asset.attribute.labels[metadata_product_cpe_name] | |
| metadata.loggers.device.hostname | about.asset.hostname | For each element of the metadata.loggers log field, the metadata.loggers.device.hostname log field is mapped to the about.asset.hostname UDM field. |
| metadata.loggers.device.ip | about.asset.ip | For each element of the metadata.loggers log field, the metadata.loggers.device.ip log field is mapped to the about.asset.ip UDM field. |
| metadata.loggers.device.instance_uid | about.asset.attribute.labels[metadata_device_instance_uid] | For each element of the metadata.loggers log field, the metadata.loggers.device.instance_uid log field is mapped to the about.asset.attribute.labels[metadata_device_instance_uid] UDM field. |
| metadata.loggers.device.name | about.asset.attribute.labels[metadata_device_name] | For each element of the metadata.loggers log field, the metadata.loggers.device.name log field is mapped to the about.asset.attribute.labels[metadata_device_name] UDM field. |
| metadata.loggers.device.interface_uid | about.asset.attribute.labels[metadata_device_interface_uid] | For each element of the metadata.loggers log field, the metadata.loggers.device.interface_uid log field is mapped to the about.asset.attribute.labels[metadata_device_interface_uid] UDM field. |
| metadata.loggers.device.interface_name | about.asset.attribute.labels[metadata_device_interface_name] | For each element of the metadata.loggers log field, the metadata.loggers.device.interface_name log field is mapped to the about.asset.attribute.labels[metadata_device_interface_name] UDM field. |
| metadata.loggers.device.region | about.asset.attribute.labels[metadata_device_region] | For each element of the metadata.loggers log field, the metadata.loggers.device.region log field is mapped to the about.asset.attribute.labels[metadata_device_region] UDM field. |
| metadata.loggers.device.type_id | about.asset.attribute.labels[metadata_device_type_id] | For each element of the metadata.loggers log field, the metadata.loggers.device.type_id log field is mapped to the about.asset.attribute.labels[metadata_device_type_id] UDM field. |
| metadata.loggers.device.uid | about.asset.asset_id | For each element of the metadata.loggers log field, the metadata.loggers.device.uid log field is mapped to the about.asset.asset_id UDM field. |
| metadata.loggers.product.name | additional.fields[metadata_product_name] | For each element of the metadata.loggers log field, the metadata.loggers.product.name log field is mapped to the additional.fields[metadata_product_name] UDM field. |
| metadata.loggers.product.vendor_name | additional.fields[metadata_product_vendor_name] | For each element of the metadata.loggers log field, the metadata.loggers.product.vendor_name log field is mapped to the additional.fields[metadata_product_vendor_name] UDM field. |
| metadata.loggers.product.version | additional.fields[metadata_product_version] | For each element of the metadata.loggers log field, the metadata.loggers.product.version log field is mapped to the additional.fields[metadata_product_version] UDM field. |
| metadata.loggers.product.uid | additional.fields[metadata_product_uid] | For each element of the metadata.loggers log field, the metadata.loggers.product.uid log field is mapped to the additional.fields[metadata_product_uid] UDM field. |
| metadata.loggers.uid | additional.fields[metadata_loggers_uid] | For each element of the metadata.loggers log field, the metadata.loggers.uid log field is mapped to the additional.fields[metadata_loggers_uid] UDM field. |
| metadata.loggers.name | additional.fields[metadata_loggers_name] | For each element of the metadata.loggers log field, the metadata.loggers.name log field is mapped to the additional.fields[metadata_loggers_name] UDM field. |
| metadata.loggers.log_provider | additional.fields[metadata_loggers_log_provider] | For each element of the metadata.loggers log field, the metadata.loggers.log_provider log field is mapped to the additional.fields[metadata_loggers_log_provider] UDM field. |
| metadata.loggers.log_name | additional.fields[metadata_loggers_log_name] | For each element of the metadata.loggers log field, the metadata.loggers.log_name log field is mapped to the additional.fields[metadata_loggers_log_name] UDM field. |
| src_endpoint.hw_info.bios_date | principal.asset.attribute.labels[src_endpoint_hw_info_bios_date] | |
| src_endpoint.hw_info.bios_manufacturer | principal.asset.hardware.manufacturer | |
| src_endpoint.hw_info.bios_ver | principal.asset.hardware.model | |
| src_endpoint.hw_info.cpu_bits | principal.asset.attribute.labels[src_endpoint_hw_info_cpu_bits] | |
| src_endpoint.hw_info.cpu_cores | principal.asset.hardware.cpu_number_cores | |
| src_endpoint.hw_info.cpu_count | principal.asset.attribute.labels[src_endpoint_hw_info_cpu_count] | |
| src_endpoint.hw_info.chassis | principal.asset.attribute.labels[src_endpoint_hw_info_chassis] | |
| src_endpoint.hw_info.desktop_display.color_depth | principal.asset.attribute.labels[src_endpoint_hw_info_desktop_display_color_depth] | |
| src_endpoint.hw_info.desktop_display.physical_height | principal.asset.attribute.labels[src_endpoint_hw_info_desktop_display_physical_height] | |
| src_endpoint.hw_info.desktop_display.physical_orientation | principal.asset.attribute.labels[src_endpoint_hw_info_desktop_display_physical_orientation] | |
| src_endpoint.hw_info.desktop_display.physical_width | principal.asset.attribute.labels[src_endpoint_hw_info_desktop_display_physical_width] | |
| src_endpoint.hw_info.desktop_display.scale_factor | principal.asset.attribute.labels[src_endpoint_hw_info_desktop_display_scale_factor] | |
| src_endpoint.hw_info.keyboard_info.function_keys | principal.asset.attribute.labels[src_endpoint_hw_info_keyboard_info_function_keys] | |
| src_endpoint.hw_info.keyboard_info.ime | principal.asset.attribute.labels[src_endpoint_hw_info_keyboard_info_ime] | |
| src_endpoint.hw_info.keyboard_info.keyboard_layout | principal.asset.attribute.labels[src_endpoint_hw_info_keyboard_info_keyboard_layout] | |
| src_endpoint.hw_info.keyboard_info.keyboard_subtype | principal.asset.attribute.labels[src_endpoint_hw_info_keyboard_info_keyboard_subtype] | |
| src_endpoint.hw_info.keyboard_info.keyboard_type | principal.asset.attribute.labels[src_endpoint_hw_info_keyboard_info_keyboard_type] | |
| src_endpoint.hw_info.cpu_speed | principal.asset.hardware.cpu_max_clock_speed | |
| src_endpoint.hw_info.cpu_type | principal.asset.hardware.cpu_platform | |
| src_endpoint.hw_info.ram_size | principal.asset.hardware.ram | |
| src_endpoint.hw_info.serial_number | principal.asset.hardware.serial_number | |
| src_endpoint.zone | principal.asset.attribute.labels[src_endpoint_zone] | |
| src_endpoint.type | additional.fields[src_endpoint_type] | |
| src_endpoint.type_id | additional.fields[src_endpoint_type_id] | |
| src_endpoint.os.cpe_name | principal.asset.attribute.labels[src_endpoint_os_cpe_name] | |
| src_endpoint.proxy_endpoint.svc_name | intermediary.application | |
| src_endpoint.proxy_endpoint.intermediate_ips.array | intermediary.ip | |
| src_endpoint.proxy_endpoint.domain | intermediary.domain.name | |
| src_endpoint.proxy_endpoint.hostname | intermediary.hostname | |
| src_endpoint.proxy_endpoint.ip | intermediary.ip | |
| src_endpoint.proxy_endpoint.location.city | intermediary.location.city | |
| src_endpoint.proxy_endpoint.location.country | intermediary.location.country_or_region | |
| src_endpoint.proxy_endpoint.location.region | intermediary.location.name | |
| src_endpoint.proxy_endpoint.location.coordinates | intermediary.location.region_coordinates | |
| src_endpoint.proxy_endpoint.mac | intermediary.mac | |
| src_endpoint.proxy_endpoint.port | intermediary.port | |
| src_endpoint.proxy_endpoint.uid | intermediary.asset_id | |
| src_endpoint.proxy_endpoint.hw_info.bios_date | intermediary.asset.attribute.labels[src_endpoint_proxy_endpoint_hw_info_bios_date] | |
| src_endpoint.proxy_endpoint.hw_info.bios_manufacturer | intermediary.asset.hardware.manufacturer | |
| src_endpoint.proxy_endpoint.hw_info.bios_ver | intermediary.asset.hardware.model | |
| src_endpoint.proxy_endpoint.hw_info.cpu_bits | intermediary.asset.attribute.labels[src_endpoint_proxy_endpoint_hw_info_cpu_bits] | |
| src_endpoint.proxy_endpoint.hw_info.cpu_cores | intermediary.asset.hardware.cpu_number_cores | |
| src_endpoint.proxy_endpoint.hw_info.cpu_count | intermediary.asset.attribute.labels[src_endpoint_proxy_endpoint_hw_info_cpu_count] | |
| src_endpoint.proxy_endpoint.hw_info.chassis | intermediary.asset.attribute.labels[src_endpoint_proxy_endpoint_hw_info_chassis] | |
| src_endpoint.proxy_endpoint.hw_info.desktop_display.color_depth | intermediary.asset.attribute.labels[src_endpoint_proxy_endpoint_hw_info_desktop_display_color_depth] | |
| src_endpoint.proxy_endpoint.hw_info.desktop_display.physical_height | intermediary.asset.attribute.labels[src_endpoint_proxy_endpoint_hw_info_desktop_display_physical_height] | |
| src_endpoint.proxy_endpoint.hw_info.desktop_display.physical_orientation | intermediary.asset.attribute.labels[src_endpoint_proxy_endpoint_hw_info_desktop_display_physical_orientation] | |
| src_endpoint.proxy_endpoint.hw_info.desktop_display.physical_width | intermediary.asset.attribute.labels[src_endpoint_proxy_endpoint_hw_info_desktop_display_physical_width] | |
| src_endpoint.proxy_endpoint.hw_info.desktop_display.scale_factor | intermediary.asset.attribute.labels[src_endpoint_proxy_endpoint_hw_info_desktop_display_scale_factor] | |
| src_endpoint.proxy_endpoint.hw_info.keyboard_info.function_keys | intermediary.asset.attribute.labels[src_endpoint_proxy_endpoint_hw_info_keyboard_info_function_keys] | |
| src_endpoint.proxy_endpoint.hw_info.keyboard_info.ime | intermediary.asset.attribute.labels[src_endpoint_proxy_endpoint_hw_info_keyboard_info_ime] | |
| src_endpoint.proxy_endpoint.hw_info.keyboard_info.keyboard_layout | intermediary.asset.attribute.labels[src_endpoint_proxy_endpoint_hw_info_keyboard_info_keyboard_layout] | |
| src_endpoint.proxy_endpoint.hw_info.keyboard_info.keyboard_subtype | intermediary.asset.attribute.labels[src_endpoint_proxy_endpoint_hw_info_keyboard_info_keyboard_subtype] | |
| src_endpoint.proxy_endpoint.hw_info.keyboard_info.keyboard_type | intermediary.asset.attribute.labels[src_endpoint_proxy_endpoint_hw_info_keyboard_info_keyboard_type] | |
| src_endpoint.proxy_endpoint.hw_info.cpu_speed | intermediary.asset.hardware.cpu_max_clock_speed | |
| src_endpoint.proxy_endpoint.hw_info.cpu_type | intermediary.asset.hardware.cpu_platform | |
| src_endpoint.proxy_endpoint.hw_info.ram_size | intermediary.asset.hardware.ram | |
| src_endpoint.proxy_endpoint.hw_info.serial_number | intermediary.asset.hardware.serial_number | |
| src_endpoint.proxy_endpoint.zone | intermediary.asset.attribute.labels[src_endpoint_proxy_endpoint_zone] | |
| src_endpoint.proxy_endpoint.type | additional.fields[src_endpoint_proxy_endpoint_type] | |
| src_endpoint.proxy_endpoint.type_id | additional.fields[src_endpoint_proxy_endpoint_type_id] | |
| src_endpoint.proxy_endpoint.os.cpe_name | intermediary.asset.attribute.labels[src_endpoint_proxy_endpoint_os_cpe_name] | |
| tls.certificate.uid | additional.fields[tls_certificate_uid] | |
| traffic.chunks | additional.fields[traffic_chunks] | |
| traffic.chunks_in | additional.fields[traffic_chunks_in] | |
| traffic.chunks_out | additional.fields[traffic_chunks_out] | |
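Two patterns recur throughout the table above: a nested log field that has no dedicated UDM field is stored as a label whose key is the dotted log path with the dots replaced by underscores (for example, dst_endpoint.hw_info.bios_date becomes target.asset.attribute.labels[dst_endpoint_hw_info_bios_date]), and a repeated object such as metadata.loggers is iterated so that every element feeds the same UDM targets. The following Python is an added example, not the Google SecOps parser's own code, that applies a handful of the rows from the table to a constructed OCSF event so you can see both patterns produce the documented UDM paths. The sample event, its values, and the subset of rows chosen are assumptions made for the example; the row pairs themselves are copied from the table.

```python
"""Added example (not the parser's own code): apply a subset of the mapping rows
from the table above to a constructed OCSF event and produce {udm_path: value}.
"""
from typing import Any, Dict, List, Optional, Tuple

# Rows from the table whose UDM target is a label container. The label key is not
# listed here because it is derived from the log path (dots -> underscores).
LABEL_ROWS: List[Tuple[str, str]] = [
    ("dst_endpoint.hw_info.bios_date", "target.asset.attribute.labels"),
    ("dst_endpoint.hw_info.cpu_bits", "target.asset.attribute.labels"),
    ("dst_endpoint.zone", "target.asset.attribute.labels"),
    ("dst_endpoint.os.cpe_name", "target.asset.attribute.labels"),
    ("src_endpoint.hw_info.bios_date", "principal.asset.attribute.labels"),
    ("src_endpoint.zone", "principal.asset.attribute.labels"),
    ("connection_info.tcp_flags", "additional.fields"),
    ("tls.certificate.uid", "additional.fields"),
]

# Rows from the table that map straight onto a typed UDM field.
DIRECT_ROWS: List[Tuple[str, str]] = [
    ("dst_endpoint.hw_info.bios_manufacturer", "target.asset.hardware.manufacturer"),
    ("dst_endpoint.hw_info.cpu_cores", "target.asset.hardware.cpu_number_cores"),
    ("dst_endpoint.hw_info.serial_number", "target.asset.hardware.serial_number"),
]

# Per-element rows from the metadata.loggers block of the table; paths are relative
# to one logger element.
LOGGER_ROWS: List[Tuple[str, str]] = [
    ("device.hostname", "about.asset.hostname"),
    ("device.ip", "about.asset.ip"),
    ("device.uid", "about.asset.asset_id"),
    ("device.name", "about.asset.attribute.labels[metadata_device_name]"),
    ("product.name", "additional.fields[metadata_product_name]"),
    ("name", "additional.fields[metadata_loggers_name]"),
]


def get_path(obj: Any, dotted: str) -> Optional[Any]:
    """Walk a dotted path through nested dicts; None if any segment is missing."""
    cur = obj
    for key in dotted.split("."):
        if not isinstance(cur, dict) or key not in cur:
            return None
        cur = cur[key]
    return cur


def label_key(log_path: str) -> str:
    """Derive the label key the table uses from a dotted log field path."""
    return log_path.replace(".", "_")


def map_flat(event: Dict[str, Any]) -> Dict[str, Any]:
    """Apply DIRECT_ROWS and LABEL_ROWS; only fields present in the event are emitted."""
    udm: Dict[str, Any] = {}
    for log_path, udm_field in DIRECT_ROWS:
        value = get_path(event, log_path)
        if value is not None:
            udm[udm_field] = value
    for log_path, container in LABEL_ROWS:
        value = get_path(event, log_path)
        if value is not None:
            # UDM labels carry string values, so numbers are stringified here.
            udm[f"{container}[{label_key(log_path)}]"] = str(value)
    return udm


def map_loggers(event: Dict[str, Any]) -> Tuple[List[Dict[str, Any]], List[Tuple[str, str]]]:
    """Iterate metadata.loggers. Each element yields its own 'about' entity dict;
    additional.fields entries are kept as (key, value) pairs so that two loggers
    writing the same key (e.g. metadata_product_name) both stay visible."""
    about_entities: List[Dict[str, Any]] = []
    additional: List[Tuple[str, str]] = []
    for logger in get_path(event, "metadata.loggers") or []:
        entity: Dict[str, Any] = {}
        for sub_path, udm_field in LOGGER_ROWS:
            value = get_path(logger, sub_path)
            if value is None:
                continue
            if udm_field.startswith("additional.fields["):
                additional.append((udm_field[len("additional.fields["):-1], str(value)))
            else:
                entity[udm_field] = value
        if entity:
            about_entities.append(entity)
    return about_entities, additional


# Constructed sample input for the example; not taken from the page.
SAMPLE_EVENT: Dict[str, Any] = {
    "connection_info": {"tcp_flags": 18},
    "dst_endpoint": {
        "zone": "dmz",
        "hw_info": {"bios_date": "2021-03-01", "bios_manufacturer": "ExampleBIOS",
                    "cpu_bits": 64, "cpu_cores": 8, "serial_number": "SN-0001"},
        "os": {"cpe_name": "cpe:2.3:o:example:os:1.0"},
    },
    "metadata": {"loggers": [
        {"name": "edge-fw", "device": {"hostname": "fw01", "ip": "10.0.0.1", "uid": "dev-1"},
         "product": {"name": "ExampleFW"}},
        {"name": "central-siem", "device": {"hostname": "siem01"},
         "product": {"name": "ExampleSIEM"}},
    ]},
}

if __name__ == "__main__":
    for path, value in sorted(map_flat(SAMPLE_EVENT).items()):
        print(f"{path} = {value!r}")
    about, extra = map_loggers(SAMPLE_EVENT)
    print("about entities:", about)
    print("additional.fields pairs:", extra)
```

Running the block prints one line per populated UDM path; src_endpoint rows produce nothing because the sample has no src_endpoint, and the second logger, which lacks device.ip and device.uid, yields an about entity with only a hostname. The (key, value) list returned for additional.fields makes the key collision between two loggers explicit, which is worth checking when you validate parser output against events that carry more than one logger.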
Field mapping reference: OCSF Network File Activity
The following table lists the log fields for the Network File Activity log type and their corresponding UDM fields.
| Log field | UDM mapping | Logic | 
|---|---|---|
| activity_id | metadata.event_type | If the class_name log field value is equal to Network File Activity and the activity_id log field value is equal to 4, then the metadata.event_type UDM field is set to FILE_DELETION. Else, if the activity_id log field value is equal to 3, then the metadata.event_type UDM field is set to FILE_MODIFICATION. Else, if the activity_id log field value is equal to 14, then the metadata.event_type UDM field is set to FILE_OPEN. Else, the metadata.event_type UDM field is set to FILE_UNCATEGORIZED. |
| activity_name | metadata.product_event_type | The value %{activity_id} - %{activity_name} (the activity_id and activity_name log fields joined by a hyphen) is mapped to the metadata.product_event_type UDM field. |
| actor.process.cmd_line | principal.process.command_line | If the actor.process.cmd_line log field value is not empty, then the actor.process.cmd_line log field is mapped to the principal.process.command_line UDM field. Else, if the process.cmd_line log field value is not empty, then the process.cmd_line log field is mapped to the principal.process.command_line UDM field. |
| actor.process.file.accessed_time | principal.process.file.last_seen_time | If the actor.process.file.accessed_time log field value is not empty, then the actor.process.file.accessed_time log field is mapped to the principal.process.file.last_seen_time UDM field. Else, if the process.file.accessed_time log field value is not empty, then the process.file.accessed_time log field is mapped to the principal.process.file.last_seen_time UDM field. |
| actor.process.file.created_time | principal.process.file.first_seen_time | If the actor.process.file.created_time log field value is not empty, then the actor.process.file.created_time log field is mapped to the principal.process.file.first_seen_time UDM field. Else, if the process.file.created_time log field value is not empty, then the process.file.created_time log field is mapped to the principal.process.file.first_seen_time UDM field. |
| actor.process.file.mime_type | principal.process.file.mime_type | If the actor.process.file.mime_type log field value is not empty, then the actor.process.file.mime_type log field is mapped to the principal.process.file.mime_type UDM field. Else, if the process.file.mime_type log field value is not empty, then the process.file.mime_type log field is mapped to the principal.process.file.mime_type UDM field. |
| actor.process.file.modified_time | principal.process.file.last_modification_time | If the actor.process.file.modified_time log field value is not empty, then the actor.process.file.modified_time log field is mapped to the principal.process.file.last_modification_time UDM field. Else, if the process.file.modified_time log field value is not empty, then the process.file.modified_time log field is mapped to the principal.process.file.last_modification_time UDM field. |
| actor.process.file.name | principal.process.file.names | If the actor.process.file.name log field value is not empty, then the actor.process.file.name log field is mapped to the principal.process.file.names UDM field. Else, if the process.file.name log field value is not empty, then the process.file.name log field is mapped to the principal.process.file.names UDM field. |
| actor.process.file.path | principal.process.file.full_path | If the actor.process.file.path log field value is not empty, then the actor.process.file.path log field is mapped to the principal.process.file.full_path UDM field. Else, if the process.file.path log field value is not empty, then the process.file.path log field is mapped to the principal.process.file.full_path UDM field. |
| actor.process.file.size | principal.process.file.size | If the actor.process.file.size log field value is not empty, then the actor.process.file.size log field is mapped to the principal.process.file.size UDM field. Else, if the process.file.size log field value is not empty, then the process.file.size log field is mapped to the principal.process.file.size UDM field. |
| actor.process.parent_process.cmd_line | principal.process.parent_process.command_line | If the actor.process.parent_process.cmd_line log field value is not empty, then the actor.process.parent_process.cmd_line log field is mapped to the principal.process.parent_process.command_line UDM field. Else, if the process.parent_process.cmd_line log field value is not empty, then the process.parent_process.cmd_line log field is mapped to the principal.process.parent_process.command_line UDM field. |
| actor.process.parent_process.file.accessed_time | principal.process.parent_process.file.last_seen_time | If the actor.process.parent_process.file.accessed_time log field value is not empty, then the actor.process.parent_process.file.accessed_time log field is mapped to the principal.process.parent_process.file.last_seen_time UDM field. Else, if the process.parent_process.file.accessed_time log field value is not empty, then the process.parent_process.file.accessed_time log field is mapped to the principal.process.parent_process.file.last_seen_time UDM field. |
| actor.process.parent_process.file.created_time | principal.process.parent_process.file.first_seen_time | If the actor.process.parent_process.file.created_time log field value is not empty, then the actor.process.parent_process.file.created_time log field is mapped to the principal.process.parent_process.file.first_seen_time UDM field. Else, if the process.parent_process.file.created_time log field value is not empty, then the process.parent_process.file.created_time log field is mapped to the principal.process.parent_process.file.first_seen_time UDM field. |
| actor.process.parent_process.file.mime_type | principal.process.parent_process.file.mime_type | If the actor.process.parent_process.file.mime_type log field value is not empty, then the actor.process.parent_process.file.mime_type log field is mapped to the principal.process.parent_process.file.mime_type UDM field. Else, if the process.parent_process.file.mime_type log field value is not empty, then the process.parent_process.file.mime_type log field is mapped to the principal.process.parent_process.file.mime_type UDM field. |
| actor.process.parent_process.file.modified_time | principal.process.parent_process.file.last_modification_time | If the actor.process.parent_process.file.modified_time log field value is not empty, then the actor.process.parent_process.file.modified_time log field is mapped to the principal.process.parent_process.file.last_modification_time UDM field. Else, if the process.parent_process.file.modified_time log field value is not empty, then the process.parent_process.file.modified_time log field is mapped to the principal.process.parent_process.file.last_modification_time UDM field. |
| actor.process.parent_process.file.name | principal.process.parent_process.file.names | If the actor.process.parent_process.file.name log field value is not empty, then the actor.process.parent_process.file.name log field is mapped to the principal.process.parent_process.file.names UDM field. Else, if the process.parent_process.file.name log field value is not empty, then the process.parent_process.file.name log field is mapped to the principal.process.parent_process.file.names UDM field. |
| actor.process.parent_process.file.path | principal.process.parent_process.file.full_path | If the actor.process.parent_process.file.path log field value is not empty, then the actor.process.parent_process.file.path log field is mapped to the principal.process.parent_process.file.full_path UDM field. Else, if the process.parent_process.file.path log field value is not empty, then the process.parent_process.file.path log field is mapped to the principal.process.parent_process.file.full_path UDM field. |
| actor.process.parent_process.file.size | principal.process.parent_process.file.size | If the actor.process.parent_process.file.size log field value is not empty, then the actor.process.parent_process.file.size log field is mapped to the principal.process.parent_process.file.size UDM field. Else, if the process.parent_process.file.size log field value is not empty, then the process.parent_process.file.size log field is mapped to the principal.process.parent_process.file.size UDM field. |
| actor.process.parent_process.pid | principal.process.parent_process.pid | If the actor.process.parent_process.pid log field value is not empty, then the actor.process.parent_process.pid log field is mapped to the principal.process.parent_process.pid UDM field. Else, if the process.parent_process.pid log field value is not empty, then the process.parent_process.pid log field is mapped to the principal.process.parent_process.pid UDM field. |
| actor.process.parent_process.uid | principal.process.parent_process.product_specific_process_id | If the actor.process.parent_process.uid log field value is not empty, then the actor.process.parent_process.uid log field is mapped to the principal.process.parent_process.product_specific_process_id UDM field. Else, if the process.parent_process.uid log field value is not empty, then the process.parent_process.uid log field is mapped to the principal.process.parent_process.product_specific_process_id UDM field. |
| actor.process.pid | principal.process.pid | If the actor.process.pid log field value is not empty, then the actor.process.pid log field is mapped to the principal.process.pid UDM field. Else, if the process.pid log field value is not empty, then the process.pid log field is mapped to the principal.process.pid UDM field. |
| actor.process.uid | principal.process.product_specific_process_id | If the actor.process.uid log field value is not empty, then the actor.process.uid log field is mapped to the principal.process.product_specific_process_id UDM field. Else, if the process.uid log field value is not empty, then the process.uid log field is mapped to the principal.process.product_specific_process_id UDM field. |
| actor.process.user.domain | principal.administrative_domain | If the actor.user.domain log field value is not empty, then the actor.user.domain log field is mapped to the principal.administrative_domain UDM field. Else, if the actor.process.user.domain log field value is not empty, then the actor.process.user.domain log field is mapped to the principal.administrative_domain UDM field. |
| actor.process.user.email_addr | principal.user.email_addresses | If the actor.user.email_addr log field value is not empty, then the actor.user.email_addr log field is mapped to the principal.user.email_addresses UDM field. Else, if the actor.process.user.email_addr log field value is not empty, then the actor.process.user.email_addr log field is mapped to the principal.user.email_addresses UDM field. |
| actor.process.user.full_name | principal.user.user_display_name | If the actor.user.full_name log field value is not empty, then the actor.user.full_name log field is mapped to the principal.user.user_display_name UDM field. Else, if the actor.process.user.full_name log field value is not empty, then the actor.process.user.full_name log field is mapped to the principal.user.user_display_name UDM field. |
| actor.process.user.groups.name | principal.group.group_display_name | If the actor.user.groups.name log field value is not empty, then the actor.user.groups.name log field is mapped to the principal.group.group_display_name UDM field. Else, if the actor.process.user.groups.name log field value is not empty, then the actor.process.user.groups.name log field is mapped to the principal.group.group_display_name UDM field. |
| actor.process.user.groups.privileges | principal.group.attribute.permissions.name | If the actor.user.groups.privileges log field value is not empty, then the actor.user.groups.privileges log field is mapped to the principal.group.attribute.permissions.name UDM field. Else, if the actor.process.user.groups.privileges log field value is not empty, then the actor.process.user.groups.privileges log field is mapped to the principal.group.attribute.permissions.name UDM field. |
| actor.process.user.groups.uid | principal.user.group_identifiers | If the actor.user.groups.uid log field value is not empty, then the actor.user.groups.uid log field is mapped to the principal.user.group_identifiers UDM field. Else, if the actor.process.user.groups.uid log field value is not empty, then the actor.process.user.groups.uid log field is mapped to the principal.user.group_identifiers UDM field. |
| actor.process.user.name | principal.user.userid | If the actor.user.name log field value is not empty, then the actor.user.name log field is mapped to the principal.user.userid UDM field. Else, if the actor.process.user.name log field value is not empty, then the actor.process.user.name log field is mapped to the principal.user.userid UDM field. |
| actor.process.user.org.name | principal.user.company_name | If the actor.user.org.name log field value is not empty, then the actor.user.org.name log field is mapped to the principal.user.company_name UDM field. Else, if the actor.process.user.org.name log field value is not empty, then the actor.process.user.org.name log field is mapped to the principal.user.company_name UDM field. |
| actor.process.user.org.ou_name | principal.user.department | If the actor.user.org.ou_name log field value is not empty, then the actor.user.org.ou_name log field is mapped to the principal.user.department UDM field. Else, if the actor.process.user.org.ou_name log field value is not empty, then the actor.process.user.org.ou_name log field is mapped to the principal.user.department UDM field. |
| actor.process.user.type_id | principal.user.attribute.roles.name | If the actor.user.type_id log field value is empty and the actor.process.user.type_id log field value is equal to 0, then the principal.user.attribute.roles.name UDM field is set to Unknown. Else, if the actor.process.user.type_id log field value is equal to 1, then the principal.user.attribute.roles.name UDM field is set to User. Else, if the actor.process.user.type_id log field value is equal to 2, then the principal.user.attribute.roles.name UDM field is set to Admin. Else, if the actor.process.user.type_id log field value is equal to 3, then the principal.user.attribute.roles.name UDM field is set to System. Else, the principal.user.attribute.roles.name UDM field is set to Other. |
| actor.process.user.uid | principal.user.product_object_id | If the actor.user.uidlog field value is not empty then,actor.user.uidlog field is mapped to theprincipal.user.product_object_idUDM field.Else, if actor.process.user.uidlog field value is not empty then,actor.process.user.uidlog field is mapped to theprincipal.user.product_object_idUDM field. | 
| actor.user.domain | principal.administrative_domain | If the actor.user.domainlog field value is not empty then,actor.user.domainlog field is mapped to theprincipal.administrative_domainUDM field.Else, if actor.process.user.domainlog field value is not empty then,actor.process.user.domainlog field is mapped to theprincipal.administrative_domainUDM field. | 
| actor.user.email_addr | principal.user.email_addresses | If the actor.user.email_addrlog field value is not empty then,actor.user.email_addrlog field is mapped to theprincipal.user.email_addressesUDM field.Else, if actor.process.user.email_addrlog field value is not empty then,actor.process.user.email_addrlog field is mapped to theprincipal.user.email_addressesUDM field. | 
| actor.user.full_name | principal.user.user_display_name | If the actor.user.full_namelog field value is not empty then,actor.user.full_namelog field is mapped to theprincipal.user.user_display_nameUDM field.Else, if actor.process.user.full_namelog field value is not empty then,actor.process.user.full_namelog field is mapped to theprincipal.user.user_display_nameUDM field. | 
| actor.user.groups.name | principal.group.group_display_name | If the actor.user.groups.namelog field value is not empty then,actor.user.groups.namelog field is mapped to theprincipal.group.group_display_nameUDM field.Else, if actor.process.user.groups.namelog field value is not empty then,actor.process.user.groups.namelog field is mapped to theprincipal.group.group_display_nameUDM field. | 
| actor.user.groups.privileges | principal.group.attribute.permissions.name | If the actor.user.groups.privilegeslog field value is not empty then,actor.user.groups.privilegeslog field is mapped to theprincipal.group.attribute.permissions.nameUDM field.Else, if actor.process.user.groups.privilegeslog field value is not empty then,actor.process.user.groups.privilegeslog field is mapped to theprincipal.group.attribute.permissions.nameUDM field. | 
| actor.user.groups.uid | principal.user.group_identifiers | If the actor.user.groups.uidlog field value is not empty then,actor.user.groups.uidlog field is mapped to theprincipal.user.group_identifiersUDM field.Else, if actor.process.user.groups.uidlog field value is not empty then,actor.process.user.groups.uidlog field is mapped to theprincipal.user.group_identifiersUDM field. | 
| actor.user.name | principal.user.userid | If the actor.user.namelog field value is not empty then,actor.user.namelog field is mapped to theprincipal.user.useridUDM field.Else, if actor.process.user.namelog field value is not empty then,actor.process.user.namelog field is mapped to theprincipal.user.useridUDM field. | 
| actor.user.org.name | principal.user.company_name | If the actor.user.org.namelog field value is not empty then,actor.user.org.namelog field is mapped to theprincipal.user.company_nameUDM field.Else, if actor.process.user.org.namelog field value is not empty then,actor.process.user.org.namelog field is mapped to theprincipal.user.company_nameUDM field. | 
| actor.user.org.ou_name | principal.user.department | If the actor.user.org.ou_namelog field value is not empty then,actor.user.org.ou_namelog field is mapped to theprincipal.user.departmentUDM field.Else, if actor.process.user.org.ou_namelog field value is not empty then,actor.process.user.org.ou_namelog field is mapped to theprincipal.user.departmentUDM field. | 
| actor.user.type_id | principal.user.attribute.roles.name | If the actor.user.type_idlog field value is equal to0then, theprincipal.user.attribute.roles.nameUDM field is set toUnknown.Else, if actor.user.type_idlog field value is equal to1then, theprincipal.user.attribute.roles.nameUDM field is set toUser.Else, if actor.user.type_idlog field value is equal to2then, theprincipal.user.attribute.roles.nameUDM field is set toAdmin.Else, if actor.user.type_idlog field value is equal to3then, theprincipal.user.attribute.roles.nameUDM field is set toSystem.Else, the principal.user.attribute.roles.nameUDM field is set toOther. | 
| actor.user.uid | principal.user.product_object_id | If the actor.user.uidlog field value is not empty then,actor.user.uidlog field is mapped to theprincipal.user.product_object_idUDM field.Else, if actor.process.user.uidlog field value is not empty then,actor.process.user.uidlog field is mapped to theprincipal.user.product_object_idUDM field. | 
| api.response.code | network.http.response_code | |
| api.response.message | metadata.description | If the message log field value is empty, then the api.response.message log field is mapped to the metadata.description UDM field. |
| api.service.name | target.application | |
| attacks.tactics.name | security_result.attack_details.tactics.name | |
| attacks.tactics.uid | security_result.attack_details.tactics.id | |
| attacks.technique.name | security_result.attack_details.technique.name | |
| attacks.technique.uid | security_result.attack_details.technique.id | |
| attacks.version | security_result.attack_details.version | |
| category_name | security_result.category_details | The %{category_uid} - %{category_name} log field is mapped to the security_result.category_details UDM field. |
| category_uid | security_result.category_details | The %{category_uid} - %{category_name} log field is mapped to the security_result.category_details UDM field. |
| class_name | metadata.log_type | |
| cloud.org.uid | about.resource.product_object_id | |
| cloud.project_uid | principal.resource.product_object_id | |
| cloud.provider | about.resource.attribute.cloud.environment | If the cloud.provider log field value matches the regular expression pattern AWS, then the about.resource.attribute.cloud.environment UDM field is set to AMAZON_WEB_SERVICES. Else, if the cloud.provider log field value matches the regular expression pattern MS Azure, then the about.resource.attribute.cloud.environment UDM field is set to MICROSOFT_AZURE. Else, if the cloud.provider log field value matches the regular expression pattern GCP, then the about.resource.attribute.cloud.environment UDM field is set to GOOGLE_CLOUD_PLATFORM. |
| cloud.region | about.location.name | |
| cloud.zone | about.resource.attribute.cloud.availability_zone | |
| file.accessed_time | target.file.last_seen_time | |
| file.created_time | target.file.first_seen_time | |
| file.mime_type | target.file.mime_type | |
| file.modified_time | target.file.last_modification_time | |
| file.name | target.file.names | |
| file.path | target.file.full_path | |
| file.size | target.file.size | |
| metadata.logged_time | metadata.collected_timestamp | |
| metadata.product.name | metadata.product_name | |
| metadata.uid | metadata.product_log_id | |
| metadata.product.vendor_name | metadata.vendor_name | |
| metadata.product.version | metadata.product_version | |
| observables.value | observer.file.names | Iterate through the observables.value log field; if the index value is equal to 0 and the observables.type_id log field value is equal to 1, then the observables.value log field is mapped to the observer.hostname UDM field. Else, if the observables.type_id log field value is equal to 2, then the observables.value log field is mapped to the observer.ip UDM field. Else, if the observables.type_id log field value is equal to 3, then the observables.value log field is mapped to the observer.mac UDM field. Else, if the observables.type_id log field value is equal to 4, then the observables.value log field is mapped to the observer.user.userid UDM field. Else, if the observables.type_id log field value is equal to 5, then the observables.value log field is mapped to the observer.user.email_addresses UDM field. Else, if the observables.type_id log field value is equal to 6, then the observables.value log field is mapped to the observer.url UDM field. Else, if the observables.type_id log field value is equal to 7, then the observables.value log field is mapped to the observer.file.names UDM field. Else, if the observables.type_id log field value is equal to 8, then the observables.value log field is mapped to the observer.file.vhash UDM field. Else, if the observables.type_id log field value is equal to 9, then the observables.value log field is mapped to the observer.process.file.names UDM field. Else, if the observables.type_id log field value is equal to 10, then the observables.value log field is mapped to the observer.resource.product_object_id UDM field. |
| observables.value | observer.file.vhash | Iterate through the observables.value log field; if the index value is equal to 0 and the observables.type_id log field value is equal to 1, then the observables.value log field is mapped to the observer.hostname UDM field. Else, if the observables.type_id log field value is equal to 2, then the observables.value log field is mapped to the observer.ip UDM field. Else, if the observables.type_id log field value is equal to 3, then the observables.value log field is mapped to the observer.mac UDM field. Else, if the observables.type_id log field value is equal to 4, then the observables.value log field is mapped to the observer.user.userid UDM field. Else, if the observables.type_id log field value is equal to 5, then the observables.value log field is mapped to the observer.user.email_addresses UDM field. Else, if the observables.type_id log field value is equal to 6, then the observables.value log field is mapped to the observer.url UDM field. Else, if the observables.type_id log field value is equal to 7, then the observables.value log field is mapped to the observer.file.names UDM field. Else, if the observables.type_id log field value is equal to 8, then the observables.value log field is mapped to the observer.file.vhash UDM field. Else, if the observables.type_id log field value is equal to 9, then the observables.value log field is mapped to the observer.process.file.names UDM field. Else, if the observables.type_id log field value is equal to 10, then the observables.value log field is mapped to the observer.resource.product_object_id UDM field. |
| observables.value | observer.hostname | Iterate through the observables.value log field; if the index value is equal to 0 and the observables.type_id log field value is equal to 1, then the observables.value log field is mapped to the observer.hostname UDM field. Else, if the observables.type_id log field value is equal to 2, then the observables.value log field is mapped to the observer.ip UDM field. Else, if the observables.type_id log field value is equal to 3, then the observables.value log field is mapped to the observer.mac UDM field. Else, if the observables.type_id log field value is equal to 4, then the observables.value log field is mapped to the observer.user.userid UDM field. Else, if the observables.type_id log field value is equal to 5, then the observables.value log field is mapped to the observer.user.email_addresses UDM field. Else, if the observables.type_id log field value is equal to 6, then the observables.value log field is mapped to the observer.url UDM field. Else, if the observables.type_id log field value is equal to 7, then the observables.value log field is mapped to the observer.file.names UDM field. Else, if the observables.type_id log field value is equal to 8, then the observables.value log field is mapped to the observer.file.vhash UDM field. Else, if the observables.type_id log field value is equal to 9, then the observables.value log field is mapped to the observer.process.file.names UDM field. Else, if the observables.type_id log field value is equal to 10, then the observables.value log field is mapped to the observer.resource.product_object_id UDM field. |
| observables.value | observer.ip | Iterate through the observables.value log field; if the index value is equal to 0 and the observables.type_id log field value is equal to 1, then the observables.value log field is mapped to the observer.hostname UDM field. Else, if the observables.type_id log field value is equal to 2, then the observables.value log field is mapped to the observer.ip UDM field. Else, if the observables.type_id log field value is equal to 3, then the observables.value log field is mapped to the observer.mac UDM field. Else, if the observables.type_id log field value is equal to 4, then the observables.value log field is mapped to the observer.user.userid UDM field. Else, if the observables.type_id log field value is equal to 5, then the observables.value log field is mapped to the observer.user.email_addresses UDM field. Else, if the observables.type_id log field value is equal to 6, then the observables.value log field is mapped to the observer.url UDM field. Else, if the observables.type_id log field value is equal to 7, then the observables.value log field is mapped to the observer.file.names UDM field. Else, if the observables.type_id log field value is equal to 8, then the observables.value log field is mapped to the observer.file.vhash UDM field. Else, if the observables.type_id log field value is equal to 9, then the observables.value log field is mapped to the observer.process.file.names UDM field. Else, if the observables.type_id log field value is equal to 10, then the observables.value log field is mapped to the observer.resource.product_object_id UDM field. |
| observables.value | observer.mac | Iterate through the observables.value log field; if the index value is equal to 0 and the observables.type_id log field value is equal to 1, then the observables.value log field is mapped to the observer.hostname UDM field. Else, if the observables.type_id log field value is equal to 2, then the observables.value log field is mapped to the observer.ip UDM field. Else, if the observables.type_id log field value is equal to 3, then the observables.value log field is mapped to the observer.mac UDM field. Else, if the observables.type_id log field value is equal to 4, then the observables.value log field is mapped to the observer.user.userid UDM field. Else, if the observables.type_id log field value is equal to 5, then the observables.value log field is mapped to the observer.user.email_addresses UDM field. Else, if the observables.type_id log field value is equal to 6, then the observables.value log field is mapped to the observer.url UDM field. Else, if the observables.type_id log field value is equal to 7, then the observables.value log field is mapped to the observer.file.names UDM field. Else, if the observables.type_id log field value is equal to 8, then the observables.value log field is mapped to the observer.file.vhash UDM field. Else, if the observables.type_id log field value is equal to 9, then the observables.value log field is mapped to the observer.process.file.names UDM field. Else, if the observables.type_id log field value is equal to 10, then the observables.value log field is mapped to the observer.resource.product_object_id UDM field. |
| observables.value | observer.process.file.names | Iterate through the observables.value log field; if the index value is equal to 0 and the observables.type_id log field value is equal to 1, then the observables.value log field is mapped to the observer.hostname UDM field. Else, if the observables.type_id log field value is equal to 2, then the observables.value log field is mapped to the observer.ip UDM field. Else, if the observables.type_id log field value is equal to 3, then the observables.value log field is mapped to the observer.mac UDM field. Else, if the observables.type_id log field value is equal to 4, then the observables.value log field is mapped to the observer.user.userid UDM field. Else, if the observables.type_id log field value is equal to 5, then the observables.value log field is mapped to the observer.user.email_addresses UDM field. Else, if the observables.type_id log field value is equal to 6, then the observables.value log field is mapped to the observer.url UDM field. Else, if the observables.type_id log field value is equal to 7, then the observables.value log field is mapped to the observer.file.names UDM field. Else, if the observables.type_id log field value is equal to 8, then the observables.value log field is mapped to the observer.file.vhash UDM field. Else, if the observables.type_id log field value is equal to 9, then the observables.value log field is mapped to the observer.process.file.names UDM field. Else, if the observables.type_id log field value is equal to 10, then the observables.value log field is mapped to the observer.resource.product_object_id UDM field. |
| observables.value | observer.resource.product_object_id | Iterate through the observables.value log field; if the index value is equal to 0 and the observables.type_id log field value is equal to 1, then the observables.value log field is mapped to the observer.hostname UDM field. Else, if the observables.type_id log field value is equal to 2, then the observables.value log field is mapped to the observer.ip UDM field. Else, if the observables.type_id log field value is equal to 3, then the observables.value log field is mapped to the observer.mac UDM field. Else, if the observables.type_id log field value is equal to 4, then the observables.value log field is mapped to the observer.user.userid UDM field. Else, if the observables.type_id log field value is equal to 5, then the observables.value log field is mapped to the observer.user.email_addresses UDM field. Else, if the observables.type_id log field value is equal to 6, then the observables.value log field is mapped to the observer.url UDM field. Else, if the observables.type_id log field value is equal to 7, then the observables.value log field is mapped to the observer.file.names UDM field. Else, if the observables.type_id log field value is equal to 8, then the observables.value log field is mapped to the observer.file.vhash UDM field. Else, if the observables.type_id log field value is equal to 9, then the observables.value log field is mapped to the observer.process.file.names UDM field. Else, if the observables.type_id log field value is equal to 10, then the observables.value log field is mapped to the observer.resource.product_object_id UDM field. |
| observables.value | observer.url | Iterate through the observables.value log field; if the index value is equal to 0 and the observables.type_id log field value is equal to 1, then the observables.value log field is mapped to the observer.hostname UDM field. Else, if the observables.type_id log field value is equal to 2, then the observables.value log field is mapped to the observer.ip UDM field. Else, if the observables.type_id log field value is equal to 3, then the observables.value log field is mapped to the observer.mac UDM field. Else, if the observables.type_id log field value is equal to 4, then the observables.value log field is mapped to the observer.user.userid UDM field. Else, if the observables.type_id log field value is equal to 5, then the observables.value log field is mapped to the observer.user.email_addresses UDM field. Else, if the observables.type_id log field value is equal to 6, then the observables.value log field is mapped to the observer.url UDM field. Else, if the observables.type_id log field value is equal to 7, then the observables.value log field is mapped to the observer.file.names UDM field. Else, if the observables.type_id log field value is equal to 8, then the observables.value log field is mapped to the observer.file.vhash UDM field. Else, if the observables.type_id log field value is equal to 9, then the observables.value log field is mapped to the observer.process.file.names UDM field. Else, if the observables.type_id log field value is equal to 10, then the observables.value log field is mapped to the observer.resource.product_object_id UDM field. |
| observables.value | observer.user.email_addresses | Iterate through the observables.value log field; if the index value is equal to 0 and the observables.type_id log field value is equal to 1, then the observables.value log field is mapped to the observer.hostname UDM field. Else, if the observables.type_id log field value is equal to 2, then the observables.value log field is mapped to the observer.ip UDM field. Else, if the observables.type_id log field value is equal to 3, then the observables.value log field is mapped to the observer.mac UDM field. Else, if the observables.type_id log field value is equal to 4, then the observables.value log field is mapped to the observer.user.userid UDM field. Else, if the observables.type_id log field value is equal to 5, then the observables.value log field is mapped to the observer.user.email_addresses UDM field. Else, if the observables.type_id log field value is equal to 6, then the observables.value log field is mapped to the observer.url UDM field. Else, if the observables.type_id log field value is equal to 7, then the observables.value log field is mapped to the observer.file.names UDM field. Else, if the observables.type_id log field value is equal to 8, then the observables.value log field is mapped to the observer.file.vhash UDM field. Else, if the observables.type_id log field value is equal to 9, then the observables.value log field is mapped to the observer.process.file.names UDM field. Else, if the observables.type_id log field value is equal to 10, then the observables.value log field is mapped to the observer.resource.product_object_id UDM field. |
| observables.value | observer.user.userid | Iterate through the observables.value log field; if the index value is equal to 0 and the observables.type_id log field value is equal to 1, then the observables.value log field is mapped to the observer.hostname UDM field. Else, if the observables.type_id log field value is equal to 2, then the observables.value log field is mapped to the observer.ip UDM field. Else, if the observables.type_id log field value is equal to 3, then the observables.value log field is mapped to the observer.mac UDM field. Else, if the observables.type_id log field value is equal to 4, then the observables.value log field is mapped to the observer.user.userid UDM field. Else, if the observables.type_id log field value is equal to 5, then the observables.value log field is mapped to the observer.user.email_addresses UDM field. Else, if the observables.type_id log field value is equal to 6, then the observables.value log field is mapped to the observer.url UDM field. Else, if the observables.type_id log field value is equal to 7, then the observables.value log field is mapped to the observer.file.names UDM field. Else, if the observables.type_id log field value is equal to 8, then the observables.value log field is mapped to the observer.file.vhash UDM field. Else, if the observables.type_id log field value is equal to 9, then the observables.value log field is mapped to the observer.process.file.names UDM field. Else, if the observables.type_id log field value is equal to 10, then the observables.value log field is mapped to the observer.resource.product_object_id UDM field. |
| severity | security_result.severity_details | |
| severity_id | security_result.severity | If the severity_id log field value is equal to 1, then the security_result.severity UDM field is set to INFORMATIONAL. Else, if the severity_id log field value is equal to 2, then the security_result.severity UDM field is set to LOW. Else, if the severity_id log field value is equal to 3, then the security_result.severity UDM field is set to MEDIUM. Else, if the severity_id log field value is equal to 4, then the security_result.severity UDM field is set to HIGH. Else, if the severity_id log field value is equal to 5, then the security_result.severity UDM field is set to CRITICAL. Else, the security_result.severity UDM field is set to UNKNOWN_SEVERITY. |
| src_endpoint.domain | principal.domain.name | |
| src_endpoint.hostname | principal.hostname | |
| src_endpoint.intermediate_ips | intermediary.ip | |
| src_endpoint.ip | principal.ip | |
| src_endpoint.location.city | principal.location.city | |
| src_endpoint.location.coordinates | principal.location.region_coordinates.longitude/latitude | |
| src_endpoint.location.country | principal.location.country_or_region | |
| src_endpoint.location.region | principal.location.name | |
| src_endpoint.mac | principal.mac | |
| src_endpoint.port | principal.port | |
| src_endpoint.svc_name | principal.application | |
| src_endpoint.uid | principal.asset_id | |
| time | metadata.event_timestamp | |
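To see how the conditional rows of the table above combine on a real event, the following is an added example (constructed here, not the Google SecOps parser's own code) that re-implements the severity_id, type_id, cloud.provider, category_details, actor.user fallback, api.response.message and observables logic in plain Python. It assumes that the "index value is equal to 0" clause applies to the whole observables chain, that is, only the first observable is mapped; the sample event and its values are constructed placeholders.

```python
"""Re-implementation of the table's mapping logic (constructed example, not the
Google SecOps parser's code). Output is a flat dict keyed by UDM field name."""
import re

# severity_id -> security_result.severity
SEVERITY = {1: "INFORMATIONAL", 2: "LOW", 3: "MEDIUM", 4: "HIGH", 5: "CRITICAL"}
# type_id -> principal.user.attribute.roles.name
USER_ROLE = {0: "Unknown", 1: "User", 2: "Admin", 3: "System"}
# observables.type_id -> observer.* UDM field
OBSERVABLE_FIELD = {
    1: "observer.hostname", 2: "observer.ip", 3: "observer.mac",
    4: "observer.user.userid", 5: "observer.user.email_addresses", 6: "observer.url",
    7: "observer.file.names", 8: "observer.file.vhash",
    9: "observer.process.file.names", 10: "observer.resource.product_object_id",
}
# cloud.provider regex -> about.resource.attribute.cloud.environment
CLOUD_ENV = [(re.compile(r"AWS"), "AMAZON_WEB_SERVICES"),
             (re.compile(r"MS Azure"), "MICROSOFT_AZURE"),
             (re.compile(r"GCP"), "GOOGLE_CLOUD_PLATFORM")]
# actor.user.<x> first, actor.process.user.<x> as fallback -> principal UDM field
USER_FALLBACK = {
    "domain": "principal.administrative_domain",
    "email_addr": "principal.user.email_addresses",
    "full_name": "principal.user.user_display_name",
    "name": "principal.user.userid",
    "uid": "principal.user.product_object_id",
}


def get_path(obj, dotted):
    """Walk a dotted path through nested dicts; None when any segment is absent."""
    for key in dotted.split("."):
        if not isinstance(obj, dict) or key not in obj:
            return None
        obj = obj[key]
    return obj


def is_empty(value):
    """The table's 'empty' test: missing, empty string or empty list (0 is not empty)."""
    return value is None or value == "" or value == []


def map_event(log):
    """Apply the documented conditions to one OCSF event dict."""
    udm = {}
    # severity_id: fixed enum; anything unlisted becomes UNKNOWN_SEVERITY
    udm["security_result.severity"] = SEVERITY.get(log.get("severity_id"), "UNKNOWN_SEVERITY")
    # category_details is the formatted string "%{category_uid} - %{category_name}"
    if "category_uid" in log or "category_name" in log:
        udm["security_result.category_details"] = (
            f"{log.get('category_uid', '')} - {log.get('category_name', '')}")
    # actor.user.* wins; actor.process.user.* is read only when it is empty
    for suffix, udm_field in USER_FALLBACK.items():
        value = get_path(log, f"actor.user.{suffix}")
        if is_empty(value):
            value = get_path(log, f"actor.process.user.{suffix}")
        if not is_empty(value):
            udm[udm_field] = value
    # type_id follows the same precedence; unlisted ids map to "Other"
    type_id = get_path(log, "actor.user.type_id")
    if is_empty(type_id):
        type_id = get_path(log, "actor.process.user.type_id")
    if not is_empty(type_id):
        udm["principal.user.attribute.roles.name"] = USER_ROLE.get(type_id, "Other")
    # cloud.provider: the first matching pattern decides the environment
    provider = get_path(log, "cloud.provider")
    if isinstance(provider, str):
        for pattern, env in CLOUD_ENV:
            if pattern.search(provider):
                udm["about.resource.attribute.cloud.environment"] = env
                break
    # observables: assumption - only index 0 is mapped, the field chosen by type_id
    observables = log.get("observables") or []
    if observables:
        first = observables[0]
        field = OBSERVABLE_FIELD.get(first.get("type_id"))
        if field and not is_empty(first.get("value")):
            udm[field] = first["value"]
    # api.response.message fills metadata.description only when message is empty
    api_msg = get_path(log, "api.response.message")
    if is_empty(log.get("message")) and not is_empty(api_msg):
        udm["metadata.description"] = api_msg
    return udm


# Constructed sample event (not the page's sample log); all values are placeholders
SAMPLE_EVENT = {
    "severity_id": 4, "category_uid": 3, "category_name": "Audit Activity",
    "cloud": {"provider": "AWS"}, "message": "",
    "api": {"response": {"message": "AccessDenied"}},
    "actor": {"user": {"name": "alice", "domain": ""},
              "process": {"user": {"name": "svc", "domain": "corp.example", "type_id": 3}}},
    "observables": [{"type_id": 2, "value": "198.51.100.7"},
                    {"type_id": 1, "value": "host-b"}],
}

if __name__ == "__main__":
    for key, value in sorted(map_event(SAMPLE_EVENT).items()):
        print(f"{key} = {value}")
```

Note that the empty actor.user.domain falls through to actor.process.user.domain while the non-empty actor.user.name does not, and that the second observable (host-b) is never mapped under the index-0 reading.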
Field mapping reference: OCSF File Hosting Activity
The following table lists the log fields for the File Hosting Activity log type and their corresponding UDM fields.
| Log field | UDM mapping | Logic | 
|---|---|---|
| activity_id | metadata.event_type | If the class_name log field value is equal to Network File Activity and the activity_id log field value is equal to 4, then the metadata.event_type UDM field is set to FILE_DELETION. Else, if the activity_id log field value is equal to 3, then the metadata.event_type UDM field is set to FILE_MODIFICATION. Else, if the activity_id log field value is equal to 14, then the metadata.event_type UDM field is set to FILE_OPEN. Else, the metadata.event_type UDM field is set to FILE_UNCATEGORIZED. |
| activity_name | metadata.product_event_type | The %{activity_id} - %{activity_name} log field is mapped to the metadata.product_event_type UDM field. |
| actor.process.cmd_line | principal.process.command_line | If the actor.process.cmd_line log field value is not empty, then the actor.process.cmd_line log field is mapped to the principal.process.command_line UDM field. Else, if the process.cmd_line log field value is not empty, then the process.cmd_line log field is mapped to the principal.process.command_line UDM field. |
| actor.process.file.accessed_time | principal.process.file.last_seen_time | If the actor.process.file.accessed_time log field value is not empty, then the actor.process.file.accessed_time log field is mapped to the principal.process.file.last_seen_time UDM field. Else, if the process.file.accessed_time log field value is not empty, then the process.file.accessed_time log field is mapped to the principal.process.file.last_seen_time UDM field. |
| actor.process.file.created_time | principal.process.file.first_seen_time | If the actor.process.file.created_time log field value is not empty, then the actor.process.file.created_time log field is mapped to the principal.process.file.first_seen_time UDM field. Else, if the process.file.created_time log field value is not empty, then the process.file.created_time log field is mapped to the principal.process.file.first_seen_time UDM field. |
| actor.process.file.mime_type | principal.process.file.mime_type | If the actor.process.file.mime_type log field value is not empty, then the actor.process.file.mime_type log field is mapped to the principal.process.file.mime_type UDM field. Else, if the process.file.mime_type log field value is not empty, then the process.file.mime_type log field is mapped to the principal.process.file.mime_type UDM field. |
| actor.process.file.modified_time | principal.process.file.last_modification_time | If the actor.process.file.modified_time log field value is not empty, then the actor.process.file.modified_time log field is mapped to the principal.process.file.last_modification_time UDM field. Else, if the process.file.modified_time log field value is not empty, then the process.file.modified_time log field is mapped to the principal.process.file.last_modification_time UDM field. |
| actor.process.file.name | principal.process.file.names | If the actor.process.file.name log field value is not empty, then the actor.process.file.name log field is mapped to the principal.process.file.names UDM field. Else, if the process.file.name log field value is not empty, then the process.file.name log field is mapped to the principal.process.file.names UDM field. |
| actor.process.file.path | principal.process.file.full_path | If the actor.process.file.path log field value is not empty, then the actor.process.file.path log field is mapped to the principal.process.file.full_path UDM field. Else, if the process.file.path log field value is not empty, then the process.file.path log field is mapped to the principal.process.file.full_path UDM field. |
| actor.process.file.size | principal.process.file.size | If the actor.process.file.size log field value is not empty, then the actor.process.file.size log field is mapped to the principal.process.file.size UDM field. Else, if the process.file.size log field value is not empty, then the process.file.size log field is mapped to the principal.process.file.size UDM field. |
| actor.process.parent_process.cmd_line | principal.process.parent_process.command_line | If the actor.process.parent_process.cmd_line log field value is not empty, then the actor.process.parent_process.cmd_line log field is mapped to the principal.process.parent_process.command_line UDM field. Else, if the process.parent_process.cmd_line log field value is not empty, then the process.parent_process.cmd_line log field is mapped to the principal.process.parent_process.command_line UDM field. |
| actor.process.parent_process.file.accessed_time | principal.process.parent_process.file.last_seen_time | If the actor.process.parent_process.file.accessed_time log field value is not empty, then the actor.process.parent_process.file.accessed_time log field is mapped to the principal.process.parent_process.file.last_seen_time UDM field. Else, if the process.parent_process.file.accessed_time log field value is not empty, then the process.parent_process.file.accessed_time log field is mapped to the principal.process.parent_process.file.last_seen_time UDM field. |
| actor.process.parent_process.file.created_time | principal.process.parent_process.file.first_seen_time | If the actor.process.parent_process.file.created_time log field value is not empty, then the actor.process.parent_process.file.created_time log field is mapped to the principal.process.parent_process.file.first_seen_time UDM field. Else, if the process.parent_process.file.created_time log field value is not empty, then the process.parent_process.file.created_time log field is mapped to the principal.process.parent_process.file.first_seen_time UDM field. |
| actor.process.parent_process.file.mime_type | principal.process.parent_process.file.mime_type | If the actor.process.parent_process.file.mime_type log field value is not empty, then the actor.process.parent_process.file.mime_type log field is mapped to the principal.process.parent_process.file.mime_type UDM field. Else, if the process.parent_process.file.mime_type log field value is not empty, then the process.parent_process.file.mime_type log field is mapped to the principal.process.parent_process.file.mime_type UDM field. |
| actor.process.parent_process.file.modified_time | principal.process.parent_process.file.last_modification_time | If the actor.process.parent_process.file.modified_time log field value is not empty, then the actor.process.parent_process.file.modified_time log field is mapped to the principal.process.parent_process.file.last_modification_time UDM field. Else, if the process.parent_process.file.modified_time log field value is not empty, then the process.parent_process.file.modified_time log field is mapped to the principal.process.parent_process.file.last_modification_time UDM field. |
| actor.process.parent_process.file.name | principal.process.parent_process.file.names | If the actor.process.parent_process.file.name log field value is not empty, then the actor.process.parent_process.file.name log field is mapped to the principal.process.parent_process.file.names UDM field. Else, if the process.parent_process.file.name log field value is not empty, then the process.parent_process.file.name log field is mapped to the principal.process.parent_process.file.names UDM field. |
| actor.process.parent_process.file.path | principal.process.parent_process.file.full_path | If the actor.process.parent_process.file.path log field value is not empty, then the actor.process.parent_process.file.path log field is mapped to the principal.process.parent_process.file.full_path UDM field. Else, if the process.parent_process.file.path log field value is not empty, then the process.parent_process.file.path log field is mapped to the principal.process.parent_process.file.full_path UDM field. |
| actor.process.parent_process.file.size | principal.process.parent_process.file.size | If the actor.process.parent_process.file.size log field value is not empty, then the actor.process.parent_process.file.size log field is mapped to the principal.process.parent_process.file.size UDM field. Else, if the process.parent_process.file.size log field value is not empty, then the process.parent_process.file.size log field is mapped to the principal.process.parent_process.file.size UDM field. |
| actor.process.parent_process.pid | principal.process.parent_process.pid | If the actor.process.parent_process.pid log field value is not empty, then the actor.process.parent_process.pid log field is mapped to the principal.process.parent_process.pid UDM field. Else, if the process.parent_process.pid log field value is not empty, then the process.parent_process.pid log field is mapped to the principal.process.parent_process.pid UDM field. |
| actor.process.parent_process.uid | principal.process.parent_process.product_specific_process_id | If the actor.process.parent_process.uid log field value is not empty, then the actor.process.parent_process.uid log field is mapped to the principal.process.parent_process.product_specific_process_id UDM field. Else, if the process.parent_process.uid log field value is not empty, then the process.parent_process.uid log field is mapped to the principal.process.parent_process.product_specific_process_id UDM field. |
| actor.process.pid | principal.process.pid | If the actor.process.pidlog field value is not empty then,actor.process.pidlog field is mapped to theprincipal.process.pidUDM field.Else, if process.pidlog field value is not empty then,process.pidlog field is mapped to theprincipal.process.pidUDM field. | 
| actor.process.uid | principal.process.product_specific_process_id | If the actor.process.uidlog field value is not empty then,actor.process.uidlog field is mapped to theprincipal.process.product_specific_process_idUDM field.Else, if process.uidlog field value is not empty then,process.uidlog field is mapped to theprincipal.process.product_specific_process_idUDM field. | 
| actor.process.user.domain | principal.administrative_domain | If the actor.user.domainlog field value is not empty then,actor.user.domainlog field is mapped to theprincipal.administrative_domainUDM field.Else, if actor.process.user.domainlog field value is not empty then,actor.process.user.domainlog field is mapped to theprincipal.administrative_domainUDM field. | 
| actor.process.user.email_addr | principal.user.email_addresses | If the actor.user.email_addrlog field value is not empty then,actor.user.email_addrlog field is mapped to theprincipal.user.email_addressesUDM field.Else, if actor.process.user.email_addrlog field value is not empty then,actor.process.user.email_addrlog field is mapped to theprincipal.user.email_addressesUDM field. | 
| actor.process.user.full_name | principal.user.user_display_name | If the actor.user.full_namelog field value is not empty then,actor.user.full_namelog field is mapped to theprincipal.user.user_display_nameUDM field.Else, if actor.process.user.full_namelog field value is not empty then,actor.process.user.full_namelog field is mapped to theprincipal.user.user_display_nameUDM field. | 
| actor.process.user.groups.name | principal.group.group_display_name | If the actor.user.groups.namelog field value is not empty then,actor.user.groups.namelog field is mapped to theprincipal.group.group_display_nameUDM field.Else, if actor.process.user.groups.namelog field value is not empty then,actor.process.user.groups.namelog field is mapped to theprincipal.group.group_display_nameUDM field. | 
| actor.process.user.groups.privileges | principal.group.attribute.permissions.name | If the actor.user.groups.privilegeslog field value is not empty then,actor.user.groups.privilegeslog field is mapped to theprincipal.group.attribute.permissions.nameUDM field.Else, if actor.process.user.groups.privilegeslog field value is not empty then,actor.process.user.groups.privilegeslog field is mapped to theprincipal.group.attribute.permissions.nameUDM field. | 
| actor.process.user.groups.uid | principal.user.group_identifiers | If the actor.user.groups.uidlog field value is not empty then,actor.user.groups.uidlog field is mapped to theprincipal.user.group_identifiersUDM field.Else, if actor.process.user.groups.uidlog field value is not empty then,actor.process.user.groups.uidlog field is mapped to theprincipal.user.group_identifiersUDM field. | 
| actor.process.user.name | principal.user.userid | If the actor.user.namelog field value is not empty then,actor.user.namelog field is mapped to theprincipal.user.useridUDM field.Else, if actor.process.user.namelog field value is not empty then,actor.process.user.namelog field is mapped to theprincipal.user.useridUDM field. | 
| actor.process.user.org.name | principal.user.company_name | If the actor.user.org.namelog field value is not empty then,actor.user.org.namelog field is mapped to theprincipal.user.company_nameUDM field.Else, if actor.process.user.org.namelog field value is not empty then,actor.process.user.org.namelog field is mapped to theprincipal.user.company_nameUDM field. | 
| actor.process.user.org.ou_name | principal.user.department | If the actor.user.org.ou_namelog field value is not empty then,actor.user.org.ou_namelog field is mapped to theprincipal.user.departmentUDM field.Else, if actor.process.user.org.ou_namelog field value is not empty then,actor.process.user.org.ou_namelog field is mapped to theprincipal.user.departmentUDM field. | 
| actor.process.user.type_id | principal.user.attribute.roles.name | If the actor.user.type_idlog field value is empty and if theactor.process.user.type_idlog field value is equal to0then, theprincipal.user.attribute.roles.nameUDM field is set toUnknown. Else, ifactor.process.user.type_idlog field value is equal to1then, theprincipal.user.attribute.roles.nameUDM field is set toUser. Else, ifactor.process.user.type_idlog field value is equal to2then, theprincipal.user.attribute.roles.nameUDM field is set toAdmin. Else, ifactor.process.user.type_idlog field value is equal to3then, theprincipal.user.attribute.roles.nameUDM field is set toSystem. Else, theprincipal.user.attribute.roles.nameUDM field is set toOther. | 
| actor.process.user.uid | principal.user.product_object_id | If the actor.user.uidlog field value is not empty then,actor.user.uidlog field is mapped to theprincipal.user.product_object_idUDM field.Else, if actor.process.user.uidlog field value is not empty then,actor.process.user.uidlog field is mapped to theprincipal.user.product_object_idUDM field. | 
| actor.user.domain | principal.administrative_domain | If the actor.user.domainlog field value is not empty then,actor.user.domainlog field is mapped to theprincipal.administrative_domainUDM field.Else, if actor.process.user.domainlog field value is not empty then,actor.process.user.domainlog field is mapped to theprincipal.administrative_domainUDM field. | 
| actor.user.email_addr | principal.user.email_addresses | If the actor.user.email_addrlog field value is not empty then,actor.user.email_addrlog field is mapped to theprincipal.user.email_addressesUDM field.Else, if actor.process.user.email_addrlog field value is not empty then,actor.process.user.email_addrlog field is mapped to theprincipal.user.email_addressesUDM field. | 
| actor.user.full_name | principal.user.user_display_name | If the actor.user.full_namelog field value is not empty then,actor.user.full_namelog field is mapped to theprincipal.user.user_display_nameUDM field.Else, if actor.process.user.full_namelog field value is not empty then,actor.process.user.full_namelog field is mapped to theprincipal.user.user_display_nameUDM field. | 
| actor.user.groups.name | principal.group.group_display_name | If the actor.user.groups.namelog field value is not empty then,actor.user.groups.namelog field is mapped to theprincipal.group.group_display_nameUDM field.Else, if actor.process.user.groups.namelog field value is not empty then,actor.process.user.groups.namelog field is mapped to theprincipal.group.group_display_nameUDM field. | 
| actor.user.groups.privileges | principal.group.attribute.permissions.name | If the actor.user.groups.privilegeslog field value is not empty then,actor.user.groups.privilegeslog field is mapped to theprincipal.group.attribute.permissions.nameUDM field.Else, if actor.process.user.groups.privilegeslog field value is not empty then,actor.process.user.groups.privilegeslog field is mapped to theprincipal.group.attribute.permissions.nameUDM field. | 
| actor.user.groups.uid | principal.user.group_identifiers | If the actor.user.groups.uidlog field value is not empty then,actor.user.groups.uidlog field is mapped to theprincipal.user.group_identifiersUDM field.Else, if actor.process.user.groups.uidlog field value is not empty then,actor.process.user.groups.uidlog field is mapped to theprincipal.user.group_identifiersUDM field. | 
| actor.user.name | principal.user.userid | If the actor.user.namelog field value is not empty then,actor.user.namelog field is mapped to theprincipal.user.useridUDM field.Else, if actor.process.user.namelog field value is not empty then,actor.process.user.namelog field is mapped to theprincipal.user.useridUDM field. | 
| actor.user.org.name | principal.user.company_name | If the actor.user.org.namelog field value is not empty then,actor.user.org.namelog field is mapped to theprincipal.user.company_nameUDM field.Else, if actor.process.user.org.namelog field value is not empty then,actor.process.user.org.namelog field is mapped to theprincipal.user.company_nameUDM field. | 
| actor.user.org.ou_name | principal.user.department | If the actor.user.org.ou_namelog field value is not empty then,actor.user.org.ou_namelog field is mapped to theprincipal.user.departmentUDM field.Else, if actor.process.user.org.ou_namelog field value is not empty then,actor.process.user.org.ou_namelog field is mapped to theprincipal.user.departmentUDM field. | 
| actor.user.type_id | principal.user.attribute.roles.name | If the actor.user.type_idlog field value is equal to0then, theprincipal.user.attribute.roles.nameUDM field is set toUnknown.Else, if actor.user.type_idlog field value is equal to1then, theprincipal.user.attribute.roles.nameUDM field is set toUser.Else, if actor.user.type_idlog field value is equal to2then, theprincipal.user.attribute.roles.nameUDM field is set toAdmin.Else, if actor.user.type_idlog field value is equal to3then, theprincipal.user.attribute.roles.nameUDM field is set toSystem.Else, the principal.user.attribute.roles.nameUDM field is set toOther. | 
| actor.user.uid | principal.user.product_object_id | If the actor.user.uidlog field value is not empty then,actor.user.uidlog field is mapped to theprincipal.user.product_object_idUDM field.Else, if actor.process.user.uidlog field value is not empty then,actor.process.user.uidlog field is mapped to theprincipal.user.product_object_idUDM field. | 
| api.response.code | network.http.response_code | |
| api.response.message | metadata.description | If the `message` log field value is empty then, `api.response.message` log field is mapped to the `metadata.description` UDM field. |
| api.service.name | target.application | |
| attacks.tactics.name | security_result.attack_details.tactics.name | |
| attacks.tactics.uid | security_result.attack_details.tactics.id | |
| attacks.technique.name | security_result.attack_details.technique.name | |
| attacks.technique.uid | security_result.attack_details.technique.id | |
| attacks.version | security_result.attack_details.version | |
| category_name | security_result.category_details | `%{category_uid} - %{category_name}` log field is mapped to the `security_result.category_details` UDM field. |
| category_uid | security_result.category_details | `%{category_uid} - %{category_name}` log field is mapped to the `security_result.category_details` UDM field. |
| class_name | metadata.log_type | |
| cloud.org.uid | about.resource.product_object_id | |
| cloud.project_uid | principal.resource.product_object_id | |
| cloud.provider | about.resource.attribute.cloud.environment | If the `cloud.provider` log field value matches the regular expression pattern `AWS` then, the `about.resource.attribute.cloud.environment` UDM field is set to `AMAZON_WEB_SERVICES`. Else, if `cloud.provider` log field value matches the regular expression pattern `MS Azure` then, the `about.resource.attribute.cloud.environment` UDM field is set to `MICROSOFT_AZURE`. Else, if `cloud.provider` log field value matches the regular expression pattern `GCP` then, the `about.resource.attribute.cloud.environment` UDM field is set to `GOOGLE_CLOUD_PLATFORM`. |
| cloud.region | about.location.name | |
| cloud.zone | about.resource.attribute.cloud.availability_zone | |
| file.accessed_time | target.file.last_seen_time | |
| file.created_time | target.file.first_seen_time | |
| file.mime_type | target.file.mime_type | |
| file.modified_time | target.file.last_modification_time | |
| file.name | target.file.names | |
| file.path | target.file.full_path | |
| file.size | target.file.size | |
| metadata.logged_time | metadata.collected_timestamp | |
| metadata.product.name | metadata.product_name | |
| metadata.uid | metadata.product_log_id | |
| metadata.product.vendor_name | metadata.vendor_name | |
| metadata.product.version | metadata.product_version | |
| observables.value | observer.file.names | Iterate through log field `observables.value`, then if the `index` value is equal to `0` and if the `observables.type_id` log field value is equal to `1` then, `observables.value` log field is mapped to the `observer.hostname` UDM field. Else, if `observables.type_id` log field value is equal to `2` then, `observables.value` log field is mapped to the `observer.ip` UDM field. Else, if `observables.type_id` log field value is equal to `3` then, `observables.value` log field is mapped to the `observer.mac` UDM field. Else, if `observables.type_id` log field value is equal to `4` then, `observables.value` log field is mapped to the `observer.user.userid` UDM field. Else, if `observables.type_id` log field value is equal to `5` then, `observables.value` log field is mapped to the `observer.user.email_addresses` UDM field. Else, if `observables.type_id` log field value is equal to `6` then, `observables.value` log field is mapped to the `observer.url` UDM field. Else, if `observables.type_id` log field value is equal to `7` then, `observables.value` log field is mapped to the `observer.file.names` UDM field. Else, if `observables.type_id` log field value is equal to `8` then, `observables.value` log field is mapped to the `observer.file.vhash` UDM field. Else, if `observables.type_id` log field value is equal to `9` then, `observables.value` log field is mapped to the `observer.process.file.names` UDM field. Else, if `observables.type_id` log field value is equal to `10` then, `observables.value` log field is mapped to the `observer.resource.product_object_id` UDM field. |
| observables.value | observer.file.vhash | Iterate through log field `observables.value`, then if the `index` value is equal to `0` and if the `observables.type_id` log field value is equal to `1` then, `observables.value` log field is mapped to the `observer.hostname` UDM field. Else, if `observables.type_id` log field value is equal to `2` then, `observables.value` log field is mapped to the `observer.ip` UDM field. Else, if `observables.type_id` log field value is equal to `3` then, `observables.value` log field is mapped to the `observer.mac` UDM field. Else, if `observables.type_id` log field value is equal to `4` then, `observables.value` log field is mapped to the `observer.user.userid` UDM field. Else, if `observables.type_id` log field value is equal to `5` then, `observables.value` log field is mapped to the `observer.user.email_addresses` UDM field. Else, if `observables.type_id` log field value is equal to `6` then, `observables.value` log field is mapped to the `observer.url` UDM field. Else, if `observables.type_id` log field value is equal to `7` then, `observables.value` log field is mapped to the `observer.file.names` UDM field. Else, if `observables.type_id` log field value is equal to `8` then, `observables.value` log field is mapped to the `observer.file.vhash` UDM field. Else, if `observables.type_id` log field value is equal to `9` then, `observables.value` log field is mapped to the `observer.process.file.names` UDM field. Else, if `observables.type_id` log field value is equal to `10` then, `observables.value` log field is mapped to the `observer.resource.product_object_id` UDM field. |
| observables.value | observer.hostname | Iterate through log field `observables.value`, then if the `index` value is equal to `0` and if the `observables.type_id` log field value is equal to `1` then, `observables.value` log field is mapped to the `observer.hostname` UDM field. Else, if `observables.type_id` log field value is equal to `2` then, `observables.value` log field is mapped to the `observer.ip` UDM field. Else, if `observables.type_id` log field value is equal to `3` then, `observables.value` log field is mapped to the `observer.mac` UDM field. Else, if `observables.type_id` log field value is equal to `4` then, `observables.value` log field is mapped to the `observer.user.userid` UDM field. Else, if `observables.type_id` log field value is equal to `5` then, `observables.value` log field is mapped to the `observer.user.email_addresses` UDM field. Else, if `observables.type_id` log field value is equal to `6` then, `observables.value` log field is mapped to the `observer.url` UDM field. Else, if `observables.type_id` log field value is equal to `7` then, `observables.value` log field is mapped to the `observer.file.names` UDM field. Else, if `observables.type_id` log field value is equal to `8` then, `observables.value` log field is mapped to the `observer.file.vhash` UDM field. Else, if `observables.type_id` log field value is equal to `9` then, `observables.value` log field is mapped to the `observer.process.file.names` UDM field. Else, if `observables.type_id` log field value is equal to `10` then, `observables.value` log field is mapped to the `observer.resource.product_object_id` UDM field. |
| observables.value | observer.ip | Iterate through log field `observables.value`, then if the `index` value is equal to `0` and if the `observables.type_id` log field value is equal to `1` then, `observables.value` log field is mapped to the `observer.hostname` UDM field. Else, if `observables.type_id` log field value is equal to `2` then, `observables.value` log field is mapped to the `observer.ip` UDM field. Else, if `observables.type_id` log field value is equal to `3` then, `observables.value` log field is mapped to the `observer.mac` UDM field. Else, if `observables.type_id` log field value is equal to `4` then, `observables.value` log field is mapped to the `observer.user.userid` UDM field. Else, if `observables.type_id` log field value is equal to `5` then, `observables.value` log field is mapped to the `observer.user.email_addresses` UDM field. Else, if `observables.type_id` log field value is equal to `6` then, `observables.value` log field is mapped to the `observer.url` UDM field. Else, if `observables.type_id` log field value is equal to `7` then, `observables.value` log field is mapped to the `observer.file.names` UDM field. Else, if `observables.type_id` log field value is equal to `8` then, `observables.value` log field is mapped to the `observer.file.vhash` UDM field. Else, if `observables.type_id` log field value is equal to `9` then, `observables.value` log field is mapped to the `observer.process.file.names` UDM field. Else, if `observables.type_id` log field value is equal to `10` then, `observables.value` log field is mapped to the `observer.resource.product_object_id` UDM field. |
| observables.value | observer.mac | Iterate through log field `observables.value`, then if the `index` value is equal to `0` and if the `observables.type_id` log field value is equal to `1` then, `observables.value` log field is mapped to the `observer.hostname` UDM field. Else, if `observables.type_id` log field value is equal to `2` then, `observables.value` log field is mapped to the `observer.ip` UDM field. Else, if `observables.type_id` log field value is equal to `3` then, `observables.value` log field is mapped to the `observer.mac` UDM field. Else, if `observables.type_id` log field value is equal to `4` then, `observables.value` log field is mapped to the `observer.user.userid` UDM field. Else, if `observables.type_id` log field value is equal to `5` then, `observables.value` log field is mapped to the `observer.user.email_addresses` UDM field. Else, if `observables.type_id` log field value is equal to `6` then, `observables.value` log field is mapped to the `observer.url` UDM field. Else, if `observables.type_id` log field value is equal to `7` then, `observables.value` log field is mapped to the `observer.file.names` UDM field. Else, if `observables.type_id` log field value is equal to `8` then, `observables.value` log field is mapped to the `observer.file.vhash` UDM field. Else, if `observables.type_id` log field value is equal to `9` then, `observables.value` log field is mapped to the `observer.process.file.names` UDM field. Else, if `observables.type_id` log field value is equal to `10` then, `observables.value` log field is mapped to the `observer.resource.product_object_id` UDM field. |
| observables.value | observer.process.file.names | Iterate through log field `observables.value`, then if the `index` value is equal to `0` and if the `observables.type_id` log field value is equal to `1` then, `observables.value` log field is mapped to the `observer.hostname` UDM field. Else, if `observables.type_id` log field value is equal to `2` then, `observables.value` log field is mapped to the `observer.ip` UDM field. Else, if `observables.type_id` log field value is equal to `3` then, `observables.value` log field is mapped to the `observer.mac` UDM field. Else, if `observables.type_id` log field value is equal to `4` then, `observables.value` log field is mapped to the `observer.user.userid` UDM field. Else, if `observables.type_id` log field value is equal to `5` then, `observables.value` log field is mapped to the `observer.user.email_addresses` UDM field. Else, if `observables.type_id` log field value is equal to `6` then, `observables.value` log field is mapped to the `observer.url` UDM field. Else, if `observables.type_id` log field value is equal to `7` then, `observables.value` log field is mapped to the `observer.file.names` UDM field. Else, if `observables.type_id` log field value is equal to `8` then, `observables.value` log field is mapped to the `observer.file.vhash` UDM field. Else, if `observables.type_id` log field value is equal to `9` then, `observables.value` log field is mapped to the `observer.process.file.names` UDM field. Else, if `observables.type_id` log field value is equal to `10` then, `observables.value` log field is mapped to the `observer.resource.product_object_id` UDM field. |
| observables.value | observer.resource.product_object_id | Iterate through log field `observables.value`, then if the `index` value is equal to `0` and if the `observables.type_id` log field value is equal to `1` then, `observables.value` log field is mapped to the `observer.hostname` UDM field. Else, if `observables.type_id` log field value is equal to `2` then, `observables.value` log field is mapped to the `observer.ip` UDM field. Else, if `observables.type_id` log field value is equal to `3` then, `observables.value` log field is mapped to the `observer.mac` UDM field. Else, if `observables.type_id` log field value is equal to `4` then, `observables.value` log field is mapped to the `observer.user.userid` UDM field. Else, if `observables.type_id` log field value is equal to `5` then, `observables.value` log field is mapped to the `observer.user.email_addresses` UDM field. Else, if `observables.type_id` log field value is equal to `6` then, `observables.value` log field is mapped to the `observer.url` UDM field. Else, if `observables.type_id` log field value is equal to `7` then, `observables.value` log field is mapped to the `observer.file.names` UDM field. Else, if `observables.type_id` log field value is equal to `8` then, `observables.value` log field is mapped to the `observer.file.vhash` UDM field. Else, if `observables.type_id` log field value is equal to `9` then, `observables.value` log field is mapped to the `observer.process.file.names` UDM field. Else, if `observables.type_id` log field value is equal to `10` then, `observables.value` log field is mapped to the `observer.resource.product_object_id` UDM field. |
| observables.value | observer.url | Iterate through log field `observables.value`, then if the `index` value is equal to `0` and if the `observables.type_id` log field value is equal to `1` then, `observables.value` log field is mapped to the `observer.hostname` UDM field. Else, if `observables.type_id` log field value is equal to `2` then, `observables.value` log field is mapped to the `observer.ip` UDM field. Else, if `observables.type_id` log field value is equal to `3` then, `observables.value` log field is mapped to the `observer.mac` UDM field. Else, if `observables.type_id` log field value is equal to `4` then, `observables.value` log field is mapped to the `observer.user.userid` UDM field. Else, if `observables.type_id` log field value is equal to `5` then, `observables.value` log field is mapped to the `observer.user.email_addresses` UDM field. Else, if `observables.type_id` log field value is equal to `6` then, `observables.value` log field is mapped to the `observer.url` UDM field. Else, if `observables.type_id` log field value is equal to `7` then, `observables.value` log field is mapped to the `observer.file.names` UDM field. Else, if `observables.type_id` log field value is equal to `8` then, `observables.value` log field is mapped to the `observer.file.vhash` UDM field. Else, if `observables.type_id` log field value is equal to `9` then, `observables.value` log field is mapped to the `observer.process.file.names` UDM field. Else, if `observables.type_id` log field value is equal to `10` then, `observables.value` log field is mapped to the `observer.resource.product_object_id` UDM field. |
| observables.value | observer.user.email_addresses | Iterate through log field `observables.value`, then if the `index` value is equal to `0` and if the `observables.type_id` log field value is equal to `1` then, `observables.value` log field is mapped to the `observer.hostname` UDM field. Else, if `observables.type_id` log field value is equal to `2` then, `observables.value` log field is mapped to the `observer.ip` UDM field. Else, if `observables.type_id` log field value is equal to `3` then, `observables.value` log field is mapped to the `observer.mac` UDM field. Else, if `observables.type_id` log field value is equal to `4` then, `observables.value` log field is mapped to the `observer.user.userid` UDM field. Else, if `observables.type_id` log field value is equal to `5` then, `observables.value` log field is mapped to the `observer.user.email_addresses` UDM field. Else, if `observables.type_id` log field value is equal to `6` then, `observables.value` log field is mapped to the `observer.url` UDM field. Else, if `observables.type_id` log field value is equal to `7` then, `observables.value` log field is mapped to the `observer.file.names` UDM field. Else, if `observables.type_id` log field value is equal to `8` then, `observables.value` log field is mapped to the `observer.file.vhash` UDM field. Else, if `observables.type_id` log field value is equal to `9` then, `observables.value` log field is mapped to the `observer.process.file.names` UDM field. Else, if `observables.type_id` log field value is equal to `10` then, `observables.value` log field is mapped to the `observer.resource.product_object_id` UDM field. |
| observables.value | observer.user.userid | Iterate through log field `observables.value`, then if the `index` value is equal to `0` and if the `observables.type_id` log field value is equal to `1` then, `observables.value` log field is mapped to the `observer.hostname` UDM field. Else, if `observables.type_id` log field value is equal to `2` then, `observables.value` log field is mapped to the `observer.ip` UDM field. Else, if `observables.type_id` log field value is equal to `3` then, `observables.value` log field is mapped to the `observer.mac` UDM field. Else, if `observables.type_id` log field value is equal to `4` then, `observables.value` log field is mapped to the `observer.user.userid` UDM field. Else, if `observables.type_id` log field value is equal to `5` then, `observables.value` log field is mapped to the `observer.user.email_addresses` UDM field. Else, if `observables.type_id` log field value is equal to `6` then, `observables.value` log field is mapped to the `observer.url` UDM field. Else, if `observables.type_id` log field value is equal to `7` then, `observables.value` log field is mapped to the `observer.file.names` UDM field. Else, if `observables.type_id` log field value is equal to `8` then, `observables.value` log field is mapped to the `observer.file.vhash` UDM field. Else, if `observables.type_id` log field value is equal to `9` then, `observables.value` log field is mapped to the `observer.process.file.names` UDM field. Else, if `observables.type_id` log field value is equal to `10` then, `observables.value` log field is mapped to the `observer.resource.product_object_id` UDM field. |
| severity | security_result.severity_details | |
| severity_id | security_result.severity | If the `severity_id` log field value is equal to `1` then, the `security_result.severity` UDM field is set to `INFORMATIONAL`. Else, if `severity_id` log field value is equal to `2` then, the `security_result.severity` UDM field is set to `LOW`. Else, if `severity_id` log field value is equal to `3` then, the `security_result.severity` UDM field is set to `MEDIUM`. Else, if `severity_id` log field value is equal to `4` then, the `security_result.severity` UDM field is set to `HIGH`. Else, if `severity_id` log field value is equal to `5` then, the `security_result.severity` UDM field is set to `CRITICAL`. Else, the `security_result.severity` UDM field is set to `UNKNOWN_SEVERITY`. |
| src_endpoint.domain | principal.domain.name | |
| src_endpoint.hostname | principal.hostname | |
| src_endpoint.intermediate_ips | intermediary.ip | |
| src_endpoint.ip | principal.ip | |
| src_endpoint.location.city | principal.location.city | |
| src_endpoint.location.coordinates | principal.location.region_coordinates.longitude/latitude | |
| src_endpoint.location.country | principal.location.country_or_region | |
| src_endpoint.location.region | principal.location.name | |
| src_endpoint.mac | principal.mac | |
| src_endpoint.port | principal.port | |
| src_endpoint.svc_name | principal.application | |
| src_endpoint.uid | principal.asset_id | |
| time | metadata.event_timestamp | |
| connection_info.session.uid_alt | additional.fields[connection_info_session_uid_alt] | |
| connection_info.session.count | additional.fields[connection_info_session_count] | |
| connection_info.session.expiration_reason | additional.fields[connection_info_session_expiration_reason] | |
| connection_info.session.is_mfa | additional.fields[connection_info_session_is_mfa] | |
| connection_info.session.terminal | additional.fields[connection_info_session_terminal] | |
| connection_info.session.is_vpn | additional.fields[connection_info_session_is_vpn] | |
| dst_endpoint.hw_info.bios_date | target.asset.attribute.labels[dst_endpoint_hw_info_bios_date] | |
| dst_endpoint.hw_info.bios_manufacturer | target.asset.hardware.manufacturer | |
| dst_endpoint.hw_info.bios_ver | target.asset.hardware.model | |
| dst_endpoint.hw_info.cpu_bits | target.asset.attribute.labels[dst_endpoint_hw_info_cpu_bits] | |
| dst_endpoint.hw_info.cpu_cores | target.asset.hardware.cpu_number_cores | |
| dst_endpoint.hw_info.cpu_count | target.asset.attribute.labels[dst_endpoint_hw_info_cpu_count] | |
| dst_endpoint.hw_info.chassis | target.asset.attribute.labels[dst_endpoint_hw_info_chassis] | |
| dst_endpoint.hw_info.desktop_display.color_depth | target.asset.attribute.labels[dst_endpoint_hw_info_desktop_display_color_depth] | |
| dst_endpoint.hw_info.desktop_display.physical_height | target.asset.attribute.labels[dst_endpoint_hw_info_desktop_display_physical_height] | |
| dst_endpoint.hw_info.desktop_display.physical_orientation | target.asset.attribute.labels[dst_endpoint_hw_info_desktop_display_physical_orientation] | |
| dst_endpoint.hw_info.desktop_display.physical_width | target.asset.attribute.labels[dst_endpoint_hw_info_desktop_display_physical_width] | |
| dst_endpoint.hw_info.desktop_display.scale_factor | target.asset.attribute.labels[dst_endpoint_hw_info_desktop_display_scale_factor] | |
| dst_endpoint.hw_info.keyboard_info.function_keys | target.asset.attribute.labels[dst_endpoint_hw_info_keyboard_info_function_keys] | |
| dst_endpoint.hw_info.keyboard_info.ime | target.asset.attribute.labels[dst_endpoint_hw_info_keyboard_info_ime] | |
| dst_endpoint.hw_info.keyboard_info.keyboard_layout | target.asset.attribute.labels[dst_endpoint_hw_info_keyboard_info_keyboard_layout] | |
| dst_endpoint.hw_info.keyboard_info.keyboard_subtype | target.asset.attribute.labels[dst_endpoint_hw_info_keyboard_info_keyboard_subtype] | |
| dst_endpoint.hw_info.keyboard_info.keyboard_type | target.asset.attribute.labels[dst_endpoint_hw_info_keyboard_info_keyboard_type] | |
| dst_endpoint.hw_info.cpu_speed | target.asset.hardware.cpu_max_clock_speed | |
| dst_endpoint.hw_info.cpu_type | target.asset.hardware.cpu_platform | |
| dst_endpoint.hw_info.ram_size | target.asset.hardware.ram | |
| dst_endpoint.hw_info.serial_number | target.asset.hardware.serial_number | |
| dst_endpoint.zone | target.asset.attribute.labels[dst_endpoint_zone] | |
| dst_endpoint.type | additional.fields[dst_endpoint_type] | |
| dst_endpoint.type_id | additional.fields[dst_endpoint_type_id] | |
| dst_endpoint.os.cpe_name | target.asset.attribute.labels[dst_endpoint_os_cpe_name] | |
| dst_endpoint.proxy_endpoint.svc_name | intermediary.application | |
| dst_endpoint.proxy_endpoint.intermediate_ips.array | intermediary.ip | |
| dst_endpoint.proxy_endpoint.domain | intermediary.domain.name | |
| dst_endpoint.proxy_endpoint.hostname | intermediary.hostname | |
| dst_endpoint.proxy_endpoint.ip | intermediary.ip | |
| dst_endpoint.proxy_endpoint.location.city | intermediary.location.city | |
| dst_endpoint.proxy_endpoint.location.country | intermediary.location.country_or_region | |
| dst_endpoint.proxy_endpoint.location.region | intermediary.location.name | |
| dst_endpoint.proxy_endpoint.location.coordinates | intermediary.location.region_coordinates | |
| dst_endpoint.proxy_endpoint.mac | intermediary.mac | |
| dst_endpoint.proxy_endpoint.port | intermediary.port | |
| dst_endpoint.proxy_endpoint.uid | intermediary.asset_id | |
| dst_endpoint.proxy_endpoint.hw_info.bios_date | intermediary.asset.attribute.labels[dst_endpoint_proxy_endpoint_hw_info_bios_date] | |
| dst_endpoint.proxy_endpoint.hw_info.bios_manufacturer | intermediary.asset.hardware.manufacturer | |
| dst_endpoint.proxy_endpoint.hw_info.bios_ver | intermediary.asset.hardware.model | |
| dst_endpoint.proxy_endpoint.hw_info.cpu_bits | intermediary.asset.attribute.labels[dst_endpoint_proxy_endpoint_hw_info_cpu_bits] | |
| dst_endpoint.proxy_endpoint.hw_info.cpu_cores | intermediary.asset.hardware.cpu_number_cores | |
| dst_endpoint.proxy_endpoint.hw_info.cpu_count | intermediary.asset.attribute.labels[dst_endpoint_proxy_endpoint_hw_info_cpu_count] | |
| dst_endpoint.proxy_endpoint.hw_info.chassis | intermediary.asset.attribute.labels[dst_endpoint_proxy_endpoint_hw_info_chassis] | |
| dst_endpoint.proxy_endpoint.hw_info.desktop_display.color_depth | intermediary.asset.attribute.labels[dst_endpoint_proxy_endpoint_hw_info_desktop_display_color_depth] | |
| dst_endpoint.proxy_endpoint.hw_info.desktop_display.physical_height | intermediary.asset.attribute.labels[dst_endpoint_proxy_endpoint_hw_info_desktop_display_physical_height] | |
| dst_endpoint.proxy_endpoint.hw_info.desktop_display.physical_orientation | intermediary.asset.attribute.labels[dst_endpoint_proxy_endpoint_hw_info_desktop_display_physical_orientation] | |
| dst_endpoint.proxy_endpoint.hw_info.desktop_display.physical_width | intermediary.asset.attribute.labels[dst_endpoint_proxy_endpoint_hw_info_desktop_display_physical_width] | |
| dst_endpoint.proxy_endpoint.hw_info.desktop_display.scale_factor | intermediary.asset.attribute.labels[dst_endpoint_proxy_endpoint_hw_info_desktop_display_scale_factor] | |
| dst_endpoint.proxy_endpoint.hw_info.keyboard_info.function_keys | intermediary.asset.attribute.labels[dst_endpoint_proxy_endpoint_hw_info_keyboard_info_function_keys] | |
| dst_endpoint.proxy_endpoint.hw_info.keyboard_info.ime | intermediary.asset.attribute.labels[dst_endpoint_proxy_endpoint_hw_info_keyboard_info_ime] | |
| dst_endpoint.proxy_endpoint.hw_info.keyboard_info.keyboard_layout | intermediary.asset.attribute.labels[dst_endpoint_proxy_endpoint_hw_info_keyboard_info_keyboard_layout] | |
| dst_endpoint.proxy_endpoint.hw_info.keyboard_info.keyboard_subtype | intermediary.asset.attribute.labels[dst_endpoint_proxy_endpoint_hw_info_keyboard_info_keyboard_subtype] | |
| dst_endpoint.proxy_endpoint.hw_info.keyboard_info.keyboard_type | intermediary.asset.attribute.labels[dst_endpoint_proxy_endpoint_hw_info_keyboard_info_keyboard_type] | |
| dst_endpoint.proxy_endpoint.hw_info.cpu_speed | intermediary.asset.hardware.cpu_max_clock_speed | |
| dst_endpoint.proxy_endpoint.hw_info.cpu_type | intermediary.asset.hardware.cpu_platform | |
| dst_endpoint.proxy_endpoint.hw_info.ram_size | intermediary.asset.hardware.ram | |
| dst_endpoint.proxy_endpoint.hw_info.serial_number | intermediary.asset.hardware.serial_number | |
| dst_endpoint.proxy_endpoint.zone | intermediary.asset.attribute.labels[dst_endpoint_proxy_endpoint_zone] | |
| dst_endpoint.proxy_endpoint.type | additional.fields[dst_endpoint_proxy_endpoint_type] | |
| dst_endpoint.proxy_endpoint.type_id | additional.fields[dst_endpoint_proxy_endpoint_type_id] | |
| dst_endpoint.proxy_endpoint.os.cpe_name | intermediary.asset.attribute.labels[dst_endpoint_proxy_endpoint_os_cpe_name] | |
| metadata.log_level | additional.fields[metadata_log_level] | |
| metadata.tenant_uid | additional.fields[metadata_tenant_uid] | |
| metadata.product.cpe_name | about.asset.attribute.labels[metadata_product_cpe_name] | |
| metadata.loggers.device.hostname | about.asset.hostname | Iterate through log field metadata.loggers, then metadata.loggers.device.hostname log field is mapped to the about.asset.hostname UDM field. |
| metadata.loggers.device.ip | about.asset.ip | Iterate through log field metadata.loggers, then metadata.loggers.device.ip log field is mapped to the about.asset.ip UDM field. |
| metadata.loggers.device.instance_uid | about.asset.attribute.labels[metadata_device_instance_uid] | Iterate through log field metadata.loggers, then metadata.loggers.device.instance_uid log field is mapped to the about.asset.attribute.labels[metadata_device_instance_uid] UDM field. |
| metadata.loggers.device.name | about.asset.attribute.labels[metadata_device_name] | Iterate through log field metadata.loggers, then metadata.loggers.device.name log field is mapped to the about.asset.attribute.labels[metadata_device_name] UDM field. |
| metadata.loggers.device.interface_uid | about.asset.attribute.labels[metadata_device_interface_uid] | Iterate through log field metadata.loggers, then metadata.loggers.device.interface_uid log field is mapped to the about.asset.attribute.labels[metadata_device_interface_uid] UDM field. |
| metadata.loggers.device.interface_name | about.asset.attribute.labels[metadata_device_interface_name] | Iterate through log field metadata.loggers, then metadata.loggers.device.interface_name log field is mapped to the about.asset.attribute.labels[metadata_device_interface_name] UDM field. |
| metadata.loggers.device.region | about.asset.attribute.labels[metadata_device_region] | Iterate through log field metadata.loggers, then metadata.loggers.device.region log field is mapped to the about.asset.attribute.labels[metadata_device_region] UDM field. |
| metadata.loggers.device.type_id | about.asset.attribute.labels[metadata_device_type_id] | Iterate through log field metadata.loggers, then metadata.loggers.device.type_id log field is mapped to the about.asset.attribute.labels[metadata_device_type_id] UDM field. |
| metadata.loggers.device.uid | about.asset.asset_id | Iterate through log field metadata.loggers, then metadata.loggers.device.uid log field is mapped to the about.asset.asset_id UDM field. |
| metadata.loggers.product.name | additional.fields[metadata_product_name] | Iterate through log field metadata.loggers, then metadata.loggers.product.name log field is mapped to the additional.fields[metadata_product_name] UDM field. |
| metadata.loggers.product.vendor_name | additional.fields[metadata_product_vendor_name] | Iterate through log field metadata.loggers, then metadata.loggers.product.vendor_name log field is mapped to the additional.fields[metadata_product_vendor_name] UDM field. |
| metadata.loggers.product.version | additional.fields[metadata_product_version] | Iterate through log field metadata.loggers, then metadata.loggers.product.version log field is mapped to the additional.fields[metadata_product_version] UDM field. |
| metadata.loggers.product.uid | additional.fields[metadata_product_uid] | Iterate through log field metadata.loggers, then metadata.loggers.product.uid log field is mapped to the additional.fields[metadata_product_uid] UDM field. |
| metadata.loggers.uid | additional.fields[metadata_loggers_uid] | Iterate through log field metadata.loggers, then metadata.loggers.uid log field is mapped to the additional.fields[metadata_loggers_uid] UDM field. |
| metadata.loggers.name | additional.fields[metadata_loggers_name] | Iterate through log field metadata.loggers, then metadata.loggers.name log field is mapped to the additional.fields[metadata_loggers_name] UDM field. |
| metadata.loggers.log_provider | additional.fields[metadata_loggers_log_provider] | Iterate through log field metadata.loggers, then metadata.loggers.log_provider log field is mapped to the additional.fields[metadata_loggers_log_provider] UDM field. |
| metadata.loggers.log_name | additional.fields[metadata_loggers_log_name] | Iterate through log field metadata.loggers, then metadata.loggers.log_name log field is mapped to the additional.fields[metadata_loggers_log_name] UDM field. |
| src_endpoint.hw_info.bios_date | principal.asset.attribute.labels[src_endpoint_hw_info_bios_date] | |
| src_endpoint.hw_info.bios_manufacturer | principal.asset.hardware.manufacturer | |
| src_endpoint.hw_info.bios_ver | principal.asset.hardware.model | |
| src_endpoint.hw_info.cpu_bits | principal.asset.attribute.labels[src_endpoint_hw_info_cpu_bits] | |
| src_endpoint.hw_info.cpu_cores | principal.asset.hardware.cpu_number_cores | |
| src_endpoint.hw_info.cpu_count | principal.asset.attribute.labels[src_endpoint_hw_info_cpu_count] | |
| src_endpoint.hw_info.chassis | principal.asset.attribute.labels[src_endpoint_hw_info_chassis] | |
| src_endpoint.hw_info.desktop_display.color_depth | principal.asset.attribute.labels[src_endpoint_hw_info_desktop_display_color_depth] | |
| src_endpoint.hw_info.desktop_display.physical_height | principal.asset.attribute.labels[src_endpoint_hw_info_desktop_display_physical_height] | |
| src_endpoint.hw_info.desktop_display.physical_orientation | principal.asset.attribute.labels[src_endpoint_hw_info_desktop_display_physical_orientation] | |
| src_endpoint.hw_info.desktop_display.physical_width | principal.asset.attribute.labels[src_endpoint_hw_info_desktop_display_physical_width] | |
| src_endpoint.hw_info.desktop_display.scale_factor | principal.asset.attribute.labels[src_endpoint_hw_info_desktop_display_scale_factor] | |
| src_endpoint.hw_info.keyboard_info.function_keys | principal.asset.attribute.labels[src_endpoint_hw_info_keyboard_info_function_keys] | |
| src_endpoint.hw_info.keyboard_info.ime | principal.asset.attribute.labels[src_endpoint_hw_info_keyboard_info_ime] | |
| src_endpoint.hw_info.keyboard_info.keyboard_layout | principal.asset.attribute.labels[src_endpoint_hw_info_keyboard_info_keyboard_layout] | |
| src_endpoint.hw_info.keyboard_info.keyboard_subtype | principal.asset.attribute.labels[src_endpoint_hw_info_keyboard_info_keyboard_subtype] | |
| src_endpoint.hw_info.keyboard_info.keyboard_type | principal.asset.attribute.labels[src_endpoint_hw_info_keyboard_info_keyboard_type] | |
| src_endpoint.hw_info.cpu_speed | principal.asset.hardware.cpu_max_clock_speed | |
| src_endpoint.hw_info.cpu_type | principal.asset.hardware.cpu_platform | |
| src_endpoint.hw_info.ram_size | principal.asset.hardware.ram | |
| src_endpoint.hw_info.serial_number | principal.asset.hardware.serial_number | |
| src_endpoint.zone | principal.asset.attribute.labels[src_endpoint_zone] | |
| src_endpoint.type | additional.fields[src_endpoint_type] | |
| src_endpoint.type_id | additional.fields[src_endpoint_type_id] | |
| src_endpoint.os.cpe_name | principal.asset.attribute.labels[src_endpoint_os_cpe_name] | |
| src_endpoint.proxy_endpoint.svc_name | intermediary.application | |
| src_endpoint.proxy_endpoint.intermediate_ips.array | intermediary.ip | |
| src_endpoint.proxy_endpoint.domain | intermediary.domain.name | |
| src_endpoint.proxy_endpoint.hostname | intermediary.hostname | |
| src_endpoint.proxy_endpoint.ip | intermediary.ip | |
| src_endpoint.proxy_endpoint.location.city | intermediary.location.city | |
| src_endpoint.proxy_endpoint.location.country | intermediary.location.country_or_region | |
| src_endpoint.proxy_endpoint.location.region | intermediary.location.name | |
| src_endpoint.proxy_endpoint.location.coordinates | intermediary.location.region_coordinates | |
| src_endpoint.proxy_endpoint.mac | intermediary.mac | |
| src_endpoint.proxy_endpoint.port | intermediary.port | |
| src_endpoint.proxy_endpoint.uid | intermediary.asset_id | |
| src_endpoint.proxy_endpoint.hw_info.bios_date | intermediary.asset.attribute.labels[src_endpoint_proxy_endpoint_hw_info_bios_date] | |
| src_endpoint.proxy_endpoint.hw_info.bios_manufacturer | intermediary.asset.hardware.manufacturer | |
| src_endpoint.proxy_endpoint.hw_info.bios_ver | intermediary.asset.hardware.model | |
| src_endpoint.proxy_endpoint.hw_info.cpu_bits | intermediary.asset.attribute.labels[src_endpoint_proxy_endpoint_hw_info_cpu_bits] | |
| src_endpoint.proxy_endpoint.hw_info.cpu_cores | intermediary.asset.hardware.cpu_number_cores | |
| src_endpoint.proxy_endpoint.hw_info.cpu_count | intermediary.asset.attribute.labels[src_endpoint_proxy_endpoint_hw_info_cpu_count] | |
| src_endpoint.proxy_endpoint.hw_info.chassis | intermediary.asset.attribute.labels[src_endpoint_proxy_endpoint_hw_info_chassis] | |
| src_endpoint.proxy_endpoint.hw_info.desktop_display.color_depth | intermediary.asset.attribute.labels[src_endpoint_proxy_endpoint_hw_info_desktop_display_color_depth] | |
| src_endpoint.proxy_endpoint.hw_info.desktop_display.physical_height | intermediary.asset.attribute.labels[src_endpoint_proxy_endpoint_hw_info_desktop_display_physical_height] | |
| src_endpoint.proxy_endpoint.hw_info.desktop_display.physical_orientation | intermediary.asset.attribute.labels[src_endpoint_proxy_endpoint_hw_info_desktop_display_physical_orientation] | |
| src_endpoint.proxy_endpoint.hw_info.desktop_display.physical_width | intermediary.asset.attribute.labels[src_endpoint_proxy_endpoint_hw_info_desktop_display_physical_width] | |
| src_endpoint.proxy_endpoint.hw_info.desktop_display.scale_factor | intermediary.asset.attribute.labels[src_endpoint_proxy_endpoint_hw_info_desktop_display_scale_factor] | |
| src_endpoint.proxy_endpoint.hw_info.keyboard_info.function_keys | intermediary.asset.attribute.labels[src_endpoint_proxy_endpoint_hw_info_keyboard_info_function_keys] | |
| src_endpoint.proxy_endpoint.hw_info.keyboard_info.ime | intermediary.asset.attribute.labels[src_endpoint_proxy_endpoint_hw_info_keyboard_info_ime] | |
| src_endpoint.proxy_endpoint.hw_info.keyboard_info.keyboard_layout | intermediary.asset.attribute.labels[src_endpoint_proxy_endpoint_hw_info_keyboard_info_keyboard_layout] | |
| src_endpoint.proxy_endpoint.hw_info.keyboard_info.keyboard_subtype | intermediary.asset.attribute.labels[src_endpoint_proxy_endpoint_hw_info_keyboard_info_keyboard_subtype] | |
| src_endpoint.proxy_endpoint.hw_info.keyboard_info.keyboard_type | intermediary.asset.attribute.labels[src_endpoint_proxy_endpoint_hw_info_keyboard_info_keyboard_type] | |
| src_endpoint.proxy_endpoint.hw_info.cpu_speed | intermediary.asset.hardware.cpu_max_clock_speed | |
| src_endpoint.proxy_endpoint.hw_info.cpu_type | intermediary.asset.hardware.cpu_platform | |
| src_endpoint.proxy_endpoint.hw_info.ram_size | intermediary.asset.hardware.ram | |
| src_endpoint.proxy_endpoint.hw_info.serial_number | intermediary.asset.hardware.serial_number | |
| src_endpoint.proxy_endpoint.zone | intermediary.asset.attribute.labels[src_endpoint_proxy_endpoint_zone] | |
| src_endpoint.proxy_endpoint.type | additional.fields[src_endpoint_proxy_endpoint_type] | |
| src_endpoint.proxy_endpoint.type_id | additional.fields[src_endpoint_proxy_endpoint_type_id] | |
| src_endpoint.proxy_endpoint.os.cpe_name | intermediary.asset.attribute.labels[src_endpoint_proxy_endpoint_os_cpe_name] | |
| actor.user.ldap_person.cost_center | principal.user.attribute.labels[user_ldap_person_cost_center] | If the actor.user.ldap_person.cost_center log field value is not empty then, actor.user.ldap_person.cost_center log field is mapped to the principal.user.attribute.labels[user_ldap_person_cost_center] UDM field. |
| actor.user.ldap_person.created_time | principal.user.attribute.labels[user_ldap_person_created_time] | If the actor.user.ldap_person.created_time log field value is not empty then, actor.user.ldap_person.created_time log field is mapped to the principal.user.attribute.labels[user_ldap_person_created_time] UDM field. |
| actor.user.ldap_person.deleted_time | principal.user.attribute.labels[user_ldap_person_deleted_time] | If the actor.user.ldap_person.deleted_time log field value is not empty then, actor.user.ldap_person.deleted_time log field is mapped to the principal.user.attribute.labels[user_ldap_person_deleted_time] UDM field. |
| actor.user.ldap_person.email_addrs | principal.user.email_addresses | If the actor.user.ldap_person.email_addrs log field value is not empty then, actor.user.ldap_person.email_addrs log field is mapped to the principal.user.email_addresses UDM field. |
| actor.user.ldap_person.employee_uid | principal.user.employee_uid | If the actor.user.ldap_person.employee_uid log field value is not empty then, actor.user.ldap_person.employee_uid log field is mapped to the principal.user.employee_uid UDM field. |
| actor.user.ldap_person.location | principal.user.attribute.labels[user_ldap_person_location] | If the actor.user.ldap_person.location log field value is not empty then, actor.user.ldap_person.location log field is mapped to the principal.user.attribute.labels[user_ldap_person_location] UDM field. |
| actor.user.ldap_person.given_name | principal.user.first_name | If the actor.user.ldap_person.given_name log field value is not empty then, actor.user.ldap_person.given_name log field is mapped to the principal.user.first_name UDM field. |
| actor.user.ldap_person.hire_time | principal.user.hire_date | If the actor.user.ldap_person.hire_time log field value is not empty then, actor.user.ldap_person.hire_time log field is mapped to the principal.user.hire_date UDM field. |
| actor.user.ldap_person.job_title | principal.user.title | If the actor.user.ldap_person.job_title log field value is not empty then, actor.user.ldap_person.job_title log field is mapped to the principal.user.title UDM field. |
| actor.user.ldap_person.ldap_cn | principal.user.attribute.labels[user_ldap_person_ldap_cn] | If the actor.user.ldap_person.ldap_cn log field value is not empty then, actor.user.ldap_person.ldap_cn log field is mapped to the principal.user.attribute.labels[user_ldap_person_ldap_cn] UDM field. |
| actor.user.ldap_person.ldap_dn | principal.user.attribute.labels[user_ldap_person_ldap_dn] | If the actor.user.ldap_person.ldap_dn log field value is not empty then, actor.user.ldap_person.ldap_dn log field is mapped to the principal.user.attribute.labels[user_ldap_person_ldap_dn] UDM field. |
| actor.user.ldap_person.labels | principal.user.attribute.labels[user_ldap_person_labels] | If the actor.user.ldap_person.labels log field value is not empty then, actor.user.ldap_person.labels log field is mapped to the principal.user.attribute.labels[user_ldap_person_labels] UDM field. |
| actor.user.ldap_person.last_login_time | principal.user.last_login_time | If the actor.user.ldap_person.last_login_time log field value is not empty then, actor.user.ldap_person.last_login_time log field is mapped to the principal.user.last_login_time UDM field. |
| actor.user.ldap_person.leave_time | principal.user.attribute.labels[user_ldap_person_leave_time] | If the actor.user.ldap_person.leave_time log field value is not empty then, actor.user.ldap_person.leave_time log field is mapped to the principal.user.attribute.labels[user_ldap_person_leave_time] UDM field. |
| actor.user.ldap_person.modified_time | principal.user.attribute.labels[user_ldap_person_modified_time] | If the actor.user.ldap_person.modified_time log field value is not empty then, actor.user.ldap_person.modified_time log field is mapped to the principal.user.attribute.labels[user_ldap_person_modified_time] UDM field. |
| actor.user.ldap_person.office_location | principal.user.office_address.name | If the actor.user.ldap_person.office_location log field value is not empty then, actor.user.ldap_person.office_location log field is mapped to the principal.user.office_address.name UDM field. |
| actor.user.ldap_person.surname | principal.user.last_name | If the actor.user.ldap_person.surname log field value is not empty then, actor.user.ldap_person.surname log field is mapped to the principal.user.last_name UDM field. |
| actor.user.ldap_person.manager.cost_center | principal.user.managers.attribute.labels[user_manager_ldap_person_cost_center] | If the actor.user.ldap_person.manager.cost_center log field value is not empty then, iterate through log field actor.user.ldap_person.manager, then actor.user.ldap_person.manager.cost_center log field is mapped to the principal.user.managers.attribute.labels[user_ldap_person_cost_center] UDM field. |
| actor.user.ldap_person.manager.created_time | principal.user.managers.attribute.labels[user_manager_ldap_person_created_time] | If the actor.user.ldap_person.manager.created_time log field value is not empty then, iterate through log field actor.user.ldap_person.manager, then actor.user.ldap_person.manager.created_time log field is mapped to the principal.user.managers.attribute.labels[user_ldap_person_created_time] UDM field. |
| actor.user.ldap_person.manager.deleted_time | principal.user.managers.attribute.labels[user_manager_ldap_person_deleted_time] | If the actor.user.ldap_person.manager.deleted_time log field value is not empty then, iterate through log field actor.user.ldap_person.manager, then actor.user.ldap_person.manager.deleted_time log field is mapped to the principal.user.managers.attribute.labels[user_ldap_person_deleted_time] UDM field. |
| actor.user.ldap_person.manager.email_addrs | principal.user.managers.email_addresses | If the actor.user.ldap_person.manager.email_addrs log field value is not empty then, iterate through log field actor.user.ldap_person.manager, then actor.user.ldap_person.manager.email_addrs log field is mapped to the principal.user.managers.email_addresses UDM field. |
| actor.user.ldap_person.manager.employee_uid | principal.user.managers.employee_uid | If the actor.user.ldap_person.manager.employee_uid log field value is not empty then, iterate through log field actor.user.ldap_person.manager, then actor.user.ldap_person.manager.employee_uid log field is mapped to the principal.user.managers.employee_uid UDM field. |
| actor.user.ldap_person.manager.location | principal.user.managers.attribute.labels[user_manager_ldap_person_location] | If the actor.user.ldap_person.manager.location log field value is not empty then, iterate through log field actor.user.ldap_person.manager, then actor.user.ldap_person.manager.location log field is mapped to the principal.user.managers.attribute.labels[user_ldap_person_location] UDM field. |
| actor.user.ldap_person.manager.given_name | principal.user.managers.first_name | If the actor.user.ldap_person.manager.given_name log field value is not empty then, iterate through log field actor.user.ldap_person.manager, then actor.user.ldap_person.manager.given_name log field is mapped to the principal.user.managers.first_name UDM field. |
| actor.user.ldap_person.manager.hire_time | principal.user.managers.hire_date | If the actor.user.ldap_person.manager.hire_time log field value is not empty then, iterate through log field actor.user.ldap_person.manager, then actor.user.ldap_person.manager.hire_time log field is mapped to the principal.user.managers.hire_date UDM field. |
| actor.user.ldap_person.manager.job_title | principal.user.managers.title | If the actor.user.ldap_person.manager.job_title log field value is not empty then, iterate through log field actor.user.ldap_person.manager, then actor.user.ldap_person.manager.job_title log field is mapped to the principal.user.managers.title UDM field. |
| actor.user.ldap_person.manager.ldap_cn | principal.user.managers.attribute.labels[user_manager_ldap_person_ldap_cn] | If the actor.user.ldap_person.manager.ldap_cn log field value is not empty then, iterate through log field actor.user.ldap_person.manager, then actor.user.ldap_person.manager.ldap_cn log field is mapped to the principal.user.managers.attribute.labels[user_ldap_person_ldap_cn] UDM field. |
| actor.user.ldap_person.manager.ldap_dn | principal.user.managers.attribute.labels[user_manager_ldap_person_ldap_dn] | If the actor.user.ldap_person.manager.ldap_dn log field value is not empty then, iterate through log field actor.user.ldap_person.manager, then actor.user.ldap_person.manager.ldap_dn log field is mapped to the principal.user.managers.attribute.labels[user_ldap_person_ldap_dn] UDM field. |
| actor.user.ldap_person.manager.labels | principal.user.managers.attribute.labels[user_manager_ldap_person_labels] | If the actor.user.ldap_person.manager.labels log field value is not empty then, iterate through log field actor.user.ldap_person.manager, then actor.user.ldap_person.manager.labels log field is mapped to the principal.user.managers.attribute.labels[user_ldap_person_labels] UDM field. |
| actor.user.ldap_person.manager.last_login_time | principal.user.managers.last_login_time | If the actor.user.ldap_person.manager.last_login_time log field value is not empty then, iterate through log field actor.user.ldap_person.manager, then actor.user.ldap_person.manager.last_login_time log field is mapped to the principal.user.managers.last_login_time UDM field. |
| actor.user.ldap_person.manager.leave_time | principal.user.managers.attribute.labels[user_manager_ldap_person_leave_time] | If the actor.user.ldap_person.manager.leave_time log field value is not empty then, iterate through log field actor.user.ldap_person.manager, then actor.user.ldap_person.manager.leave_time log field is mapped to the principal.user.managers.attribute.labels[user_ldap_person_leave_time] UDM field. |
| actor.user.ldap_person.manager.modified_time | principal.user.managers.attribute.labels[user_manager_ldap_person_modified_time] | If the actor.user.ldap_person.manager.modified_time log field value is not empty then, iterate through log field actor.user.ldap_person.manager, then actor.user.ldap_person.manager.modified_time log field is mapped to the principal.user.managers.attribute.labels[user_ldap_person_modified_time] UDM field. |
| actor.user.ldap_person.manager.office_location | principal.user.managers.office_address.name | If the actor.user.ldap_person.manager.office_location log field value is not empty then, iterate through log field actor.user.ldap_person.manager, then actor.user.ldap_person.manager.office_location log field is mapped to the principal.user.managers.office_address.name UDM field. |
| actor.user.ldap_person.manager.surname | principal.user.managers.last_name | If the actor.user.ldap_person.manager.surname log field value is not empty then, iterate through log field actor.user.ldap_person.manager, then actor.user.ldap_person.manager.surname log field is mapped to the principal.user.managers.last_name UDM field. |
| actor.user.groups.domain | principal.user.group_identifiers | If the actor.user.ldap_person.groups.domain log field value is not empty then, iterate through log field actor.user.ldap_person.groups, then actor.user.groups.domain log field is mapped to the principal.user.group_identifiers UDM field. |
Field mapping reference: OCSF API Activity
The following table lists the log fields for the API Activity log type and their corresponding UDM fields.
| Log field | UDM mapping | Logic | 
|---|---|---|
| observables.value | observer.file.names | Iterate through log field observables.value, then if the index value is equal to 0 and if the observables.type_id log field value is equal to 1 then, observables.value log field is mapped to the observer.hostname UDM field. Else, if observables.type_id log field value is equal to 2 then, observables.value log field is mapped to the observer.ip UDM field. Else, if observables.type_id log field value is equal to 3 then, observables.value log field is mapped to the observer.mac UDM field. Else, if observables.type_id log field value is equal to 4 then, observables.value log field is mapped to the observer.user.userid UDM field. Else, if observables.type_id log field value is equal to 5 then, observables.value log field is mapped to the observer.user.email_addresses UDM field. Else, if observables.type_id log field value is equal to 6 then, observables.value log field is mapped to the observer.url UDM field. Else, if observables.type_id log field value is equal to 7 then, observables.value log field is mapped to the observer.file.names UDM field. Else, if observables.type_id log field value is equal to 8 then, observables.value log field is mapped to the observer.file.vhash UDM field. Else, if observables.type_id log field value is equal to 9 then, observables.value log field is mapped to the observer.process.file.names UDM field. Else, if observables.type_id log field value is equal to 10 then, observables.value log field is mapped to the observer.resource.product_object_id UDM field. |
| observables.value | observer.file.vhash | Iterate through log field observables.value, then if the index value is equal to 0 and if the observables.type_id log field value is equal to 1 then, observables.value log field is mapped to the observer.hostname UDM field. Else, if observables.type_id log field value is equal to 2 then, observables.value log field is mapped to the observer.ip UDM field. Else, if observables.type_id log field value is equal to 3 then, observables.value log field is mapped to the observer.mac UDM field. Else, if observables.type_id log field value is equal to 4 then, observables.value log field is mapped to the observer.user.userid UDM field. Else, if observables.type_id log field value is equal to 5 then, observables.value log field is mapped to the observer.user.email_addresses UDM field. Else, if observables.type_id log field value is equal to 6 then, observables.value log field is mapped to the observer.url UDM field. Else, if observables.type_id log field value is equal to 7 then, observables.value log field is mapped to the observer.file.names UDM field. Else, if observables.type_id log field value is equal to 8 then, observables.value log field is mapped to the observer.file.vhash UDM field. Else, if observables.type_id log field value is equal to 9 then, observables.value log field is mapped to the observer.process.file.names UDM field. Else, if observables.type_id log field value is equal to 10 then, observables.value log field is mapped to the observer.resource.product_object_id UDM field. |
| observables.value | observer.hostname | Iterate through log field observables.value, then if the index value is equal to 0 and if the observables.type_id log field value is equal to 1 then, observables.value log field is mapped to the observer.hostname UDM field. Else, if observables.type_id log field value is equal to 2 then, observables.value log field is mapped to the observer.ip UDM field. Else, if observables.type_id log field value is equal to 3 then, observables.value log field is mapped to the observer.mac UDM field. Else, if observables.type_id log field value is equal to 4 then, observables.value log field is mapped to the observer.user.userid UDM field. Else, if observables.type_id log field value is equal to 5 then, observables.value log field is mapped to the observer.user.email_addresses UDM field. Else, if observables.type_id log field value is equal to 6 then, observables.value log field is mapped to the observer.url UDM field. Else, if observables.type_id log field value is equal to 7 then, observables.value log field is mapped to the observer.file.names UDM field. Else, if observables.type_id log field value is equal to 8 then, observables.value log field is mapped to the observer.file.vhash UDM field. Else, if observables.type_id log field value is equal to 9 then, observables.value log field is mapped to the observer.process.file.names UDM field. Else, if observables.type_id log field value is equal to 10 then, observables.value log field is mapped to the observer.resource.product_object_id UDM field. |
| observables.value | observer.ip | Iterate through log field observables.value, then if the index value is equal to 0 and if the observables.type_id log field value is equal to 1 then, observables.value log field is mapped to the observer.hostname UDM field. Else, if observables.type_id log field value is equal to 2 then, observables.value log field is mapped to the observer.ip UDM field. Else, if observables.type_id log field value is equal to 3 then, observables.value log field is mapped to the observer.mac UDM field. Else, if observables.type_id log field value is equal to 4 then, observables.value log field is mapped to the observer.user.userid UDM field. Else, if observables.type_id log field value is equal to 5 then, observables.value log field is mapped to the observer.user.email_addresses UDM field. Else, if observables.type_id log field value is equal to 6 then, observables.value log field is mapped to the observer.url UDM field. Else, if observables.type_id log field value is equal to 7 then, observables.value log field is mapped to the observer.file.names UDM field. Else, if observables.type_id log field value is equal to 8 then, observables.value log field is mapped to the observer.file.vhash UDM field. Else, if observables.type_id log field value is equal to 9 then, observables.value log field is mapped to the observer.process.file.names UDM field. Else, if observables.type_id log field value is equal to 10 then, observables.value log field is mapped to the observer.resource.product_object_id UDM field. |
| observables.value | observer.mac | Iterate through log field observables.value, then if the index value is equal to 0 and if the observables.type_id log field value is equal to 1 then, observables.value log field is mapped to the observer.hostname UDM field. Else, if observables.type_id log field value is equal to 2 then, observables.value log field is mapped to the observer.ip UDM field. Else, if observables.type_id log field value is equal to 3 then, observables.value log field is mapped to the observer.mac UDM field. Else, if observables.type_id log field value is equal to 4 then, observables.value log field is mapped to the observer.user.userid UDM field. Else, if observables.type_id log field value is equal to 5 then, observables.value log field is mapped to the observer.user.email_addresses UDM field. Else, if observables.type_id log field value is equal to 6 then, observables.value log field is mapped to the observer.url UDM field. Else, if observables.type_id log field value is equal to 7 then, observables.value log field is mapped to the observer.file.names UDM field. Else, if observables.type_id log field value is equal to 8 then, observables.value log field is mapped to the observer.file.vhash UDM field. Else, if observables.type_id log field value is equal to 9 then, observables.value log field is mapped to the observer.process.file.names UDM field. Else, if observables.type_id log field value is equal to 10 then, observables.value log field is mapped to the observer.resource.product_object_id UDM field. |
| observables.value | observer.process.file.names | Iterate through log field observables.value, thenif the indexvalue is equal to0and if theobservables.type_idlog field value is equal to1then,observables.valuelog field is mapped to theobserver.hostnameUDM field. Else, ifobservables.type_idlog field value is equal to2then,observables.valuelog field is mapped to theobserver.ipUDM field. Else, ifobservables.type_idlog field value is equal to3then,observables.valuelog field is mapped to theobserver.macUDM field. Else, ifobservables.type_idlog field value is equal to4then,observables.valuelog field is mapped to theobserver.user.useridUDM field. Else, ifobservables.type_idlog field value is equal to5then,observables.valuelog field is mapped to theobserver.user.email_addressesUDM field. Else, ifobservables.type_idlog field value is equal to6then,observables.valuelog field is mapped to theobserver.urlUDM field. Else, ifobservables.type_idlog field value is equal to7then,observables.valuelog field is mapped to theobserver.file.namesUDM field. Else, ifobservables.type_idlog field value is equal to8then,observables.valuelog field is mapped to theobserver.file.vhashUDM field. Else, ifobservables.type_idlog field value is equal to9then,observables.valuelog field is mapped to theobserver.process.file.namesUDM field. Else, ifobservables.type_idlog field value is equal to10then,observables.valuelog field is mapped to theobserver.resource.product_object_idUDM field. | 
| observables.value | observer.resource.product_object_id | Iterate through log field observables.value, thenif the indexvalue is equal to0and if theobservables.type_idlog field value is equal to1then,observables.valuelog field is mapped to theobserver.hostnameUDM field. Else, ifobservables.type_idlog field value is equal to2then,observables.valuelog field is mapped to theobserver.ipUDM field. Else, ifobservables.type_idlog field value is equal to3then,observables.valuelog field is mapped to theobserver.macUDM field. Else, ifobservables.type_idlog field value is equal to4then,observables.valuelog field is mapped to theobserver.user.useridUDM field. Else, ifobservables.type_idlog field value is equal to5then,observables.valuelog field is mapped to theobserver.user.email_addressesUDM field. Else, ifobservables.type_idlog field value is equal to6then,observables.valuelog field is mapped to theobserver.urlUDM field. Else, ifobservables.type_idlog field value is equal to7then,observables.valuelog field is mapped to theobserver.file.namesUDM field. Else, ifobservables.type_idlog field value is equal to8then,observables.valuelog field is mapped to theobserver.file.vhashUDM field. Else, ifobservables.type_idlog field value is equal to9then,observables.valuelog field is mapped to theobserver.process.file.namesUDM field. Else, ifobservables.type_idlog field value is equal to10then,observables.valuelog field is mapped to theobserver.resource.product_object_idUDM field. | 
| observables.value | observer.url | Iterate through log field observables.value, thenif the indexvalue is equal to0and if theobservables.type_idlog field value is equal to1then,observables.valuelog field is mapped to theobserver.hostnameUDM field. Else, ifobservables.type_idlog field value is equal to2then,observables.valuelog field is mapped to theobserver.ipUDM field. Else, ifobservables.type_idlog field value is equal to3then,observables.valuelog field is mapped to theobserver.macUDM field. Else, ifobservables.type_idlog field value is equal to4then,observables.valuelog field is mapped to theobserver.user.useridUDM field. Else, ifobservables.type_idlog field value is equal to5then,observables.valuelog field is mapped to theobserver.user.email_addressesUDM field. Else, ifobservables.type_idlog field value is equal to6then,observables.valuelog field is mapped to theobserver.urlUDM field. Else, ifobservables.type_idlog field value is equal to7then,observables.valuelog field is mapped to theobserver.file.namesUDM field. Else, ifobservables.type_idlog field value is equal to8then,observables.valuelog field is mapped to theobserver.file.vhashUDM field. Else, ifobservables.type_idlog field value is equal to9then,observables.valuelog field is mapped to theobserver.process.file.namesUDM field. Else, ifobservables.type_idlog field value is equal to10then,observables.valuelog field is mapped to theobserver.resource.product_object_idUDM field. | 
| observables.value | observer.user.email_addresses | Iterate through log field observables.value, thenif the indexvalue is equal to0and if theobservables.type_idlog field value is equal to1then,observables.valuelog field is mapped to theobserver.hostnameUDM field. Else, ifobservables.type_idlog field value is equal to2then,observables.valuelog field is mapped to theobserver.ipUDM field. Else, ifobservables.type_idlog field value is equal to3then,observables.valuelog field is mapped to theobserver.macUDM field. Else, ifobservables.type_idlog field value is equal to4then,observables.valuelog field is mapped to theobserver.user.useridUDM field. Else, ifobservables.type_idlog field value is equal to5then,observables.valuelog field is mapped to theobserver.user.email_addressesUDM field. Else, ifobservables.type_idlog field value is equal to6then,observables.valuelog field is mapped to theobserver.urlUDM field. Else, ifobservables.type_idlog field value is equal to7then,observables.valuelog field is mapped to theobserver.file.namesUDM field. Else, ifobservables.type_idlog field value is equal to8then,observables.valuelog field is mapped to theobserver.file.vhashUDM field. Else, ifobservables.type_idlog field value is equal to9then,observables.valuelog field is mapped to theobserver.process.file.namesUDM field. Else, ifobservables.type_idlog field value is equal to10then,observables.valuelog field is mapped to theobserver.resource.product_object_idUDM field. | 
| actor.idp.name | about.user.user_display_name | |
| actor.idp.uid | about.user.userid | |
| observables.value | observer.user.userid | Iterate through the `observables.value` log field. For the element at index `0`: if the `observables.type_id` log field value is equal to `1` then, the `observables.value` log field is mapped to the `observer.hostname` UDM field; if `2`, to `observer.ip`; if `3`, to `observer.mac`; if `4`, to `observer.user.userid`; if `5`, to `observer.user.email_addresses`; if `6`, to `observer.url`; if `7`, to `observer.file.names`; if `8`, to `observer.file.vhash`; if `9`, to `observer.process.file.names`; if `10`, to `observer.resource.product_object_id`. |
| dst_endpoint.intermediate_ips | intermediary.ip | |
| src_endpoint.intermediate_ips | intermediary.ip | Iterate through the `src_endpoint.intermediate_ips` log field; each `src_endpoint.intermediate_ips` value is mapped to the `intermediary.ip` UDM field. |
| metadata.logged_time | metadata.collected_timestamp | |
| message | metadata.description | If the `message` log field value is empty then, the `api.response.message` log field is mapped to the `metadata.description` UDM field. Else, the `message` log field is mapped to the `metadata.description` UDM field. |
| api.response.message | metadata.description | If the `message` log field value is empty then, the `api.response.message` log field is mapped to the `metadata.description` UDM field. Else, the `message` log field is mapped to the `metadata.description` UDM field. |
| time | metadata.event_timestamp | |
| activity_id | metadata.event_type | If the `class_name` log field value is equal to `API Activity` and if the `activity_id` log field value is equal to `1` then, the `metadata.event_type` UDM field is set to `RESOURCE_CREATION`. Else, if the `activity_id` log field value is equal to `2` then, the `metadata.event_type` UDM field is set to `RESOURCE_READ`. Else, if the `activity_id` log field value is equal to `3` then, the `metadata.event_type` UDM field is set to `RESOURCE_WRITTEN`. Else, if the `activity_id` log field value is equal to `4` then, the `metadata.event_type` UDM field is set to `RESOURCE_DELETION`. Else, the `metadata.event_type` UDM field is set to `USER_RESOURCE_ACCESS`. |
| class_name | metadata.log_type | |
| activity_name | metadata.product_event_type | `%{activity_id} - %{activity_name}` is mapped to the `metadata.product_event_type` UDM field. |
| metadata.uid | metadata.product_log_id | |
| metadata.product.name | metadata.product_name | |
| metadata.product.version | metadata.product_version | |
| metadata.product.vendor_name | metadata.vendor_name | |
| http_request.version | network.application_protocol_version | |
| http_request.http_method | network.http.method | |
| http_request.referrer | network.http.referral_url | |
| api.response.code | network.http.response_code | |
| http_request.user_agent | network.http.user_agent | |
| actor.session.uid | network.session_id | If the `class_name` log field value contains one of the following values and the `session.uid` log field value is empty then, the `actor.session.uid` log field is mapped to the `network.session_id` UDM field. Else, the `actor.session.uid` log field is mapped to the `network.session_id` UDM field. If the `class_name` log field value contains one of the following values and the `actor.session.uid` log field value is empty then, the `actor.session.uuid` log field is mapped to the `network.session_id` UDM field. Else, the `actor.process.session.uid` log field is mapped to the `network.session_id` UDM field. |
| actor.process.user.domain | principal.administrative_domain | |
| actor.user.domain | principal.administrative_domain | If the `class_name` log field value is equal to `API Activity` and if the `actor.user.domain` log field value is not empty then, the `actor.user.domain` log field is mapped to the `principal.administrative_domain` UDM field. Else, if the `actor.process.user.domain` log field value is not empty then, the `actor.process.user.domain` log field is mapped to the `principal.administrative_domain` UDM field. |
| src_endpoint.svc_name | principal.application | If the `class_name` log field value contains one of the following values, then the `src_endpoint.svc_name` log field is mapped to the `principal.application` UDM field. |
| src_endpoint.uid | principal.asset_id | If the `class_name` log field value contains one of the following values, then `ASSET ID: %{src_endpoint.uid}` is mapped to the `principal.asset_id` UDM field. |
| src_endpoint.domain | principal.domain.name | If the `class_name` log field value contains one of the following values, then the `src_endpoint.domain` log field is mapped to the `principal.domain.name` UDM field. |
| actor.process.user.groups.privileges | principal.group.attribute.permissions.name | |
| actor.user.groups.privileges | principal.group.attribute.permissions.name | If the `actor.user.groups.privileges` log field value is not empty then, the `actor.user.groups.privileges` log field is mapped to the `principal.group.attribute.permissions.name` UDM field. Else, if the `actor.process.user.groups.privileges` log field value is not empty then, the `actor.process.user.groups.privileges` log field is mapped to the `principal.group.attribute.permissions.name` UDM field. Else, if the `process.user.groups.privileges` log field value is not empty then, the `process.user.groups.privileges` log field is mapped to the `principal.group.attribute.permissions.name` UDM field. Else, if the `process.parent_process.user.groups.privileges` log field value is not empty then, the `process.parent_process.user.groups.privileges` log field is mapped to the `principal.group.attribute.permissions.name` UDM field. |
| actor.process.user.groups.name | principal.group.group_display_name | |
| actor.user.groups.name | principal.group.group_display_name | Iterate through the `actor.user.groups.array.name` log field; if the index value is equal to `0` then, the `actor.user.groups.array.name` log field is mapped to the `principal.group.group_display_name` UDM field. Iterate through the `actor.process.user.groups.array.name` log field; if the index value is equal to `0` then, the `actor.process.user.groups.array.name` log field is mapped to the `principal.group.group_display_name` UDM field. |
| src_endpoint.hostname | principal.hostname | If the `class_name` log field value contains one of the following values, then the `src_endpoint.hostname` log field is mapped to the `principal.hostname` UDM field. |
| http_request.x_forwarded_for | principal.ip | |
| src_endpoint.ip | principal.ip | If the `class_name` log field value contains one of the following values, then the `src_endpoint.ip` log field is mapped to the `principal.ip` UDM field. |
| src_endpoint.location.city | principal.location.city | If the `class_name` log field value contains one of the following values, then the `src_endpoint.location.city` log field is mapped to the `principal.location.city` UDM field. |
| src_endpoint.location.country | principal.location.country_or_region | If the `class_name` log field value contains one of the following values, then the `src_endpoint.location.country` log field is mapped to the `principal.location.country_or_region` UDM field. |
| src_endpoint.location.region | principal.location.name | If the `class_name` log field value contains one of the following values, then the `src_endpoint.location.region` log field is mapped to the `principal.location.name` UDM field. |
| src_endpoint.location.coordinates.1 | principal.location.region_coordinates.latitude | If the `class_name` log field value contains one of the following values, then the `src_endpoint.location.coordinates.1` log field is mapped to the `principal.location.region_coordinates.latitude` UDM field. |
| src_endpoint.location.coordinates.0 | principal.location.region_coordinates.longitude | If the `class_name` log field value contains one of the following values, then the `src_endpoint.location.coordinates.0` log field is mapped to the `principal.location.region_coordinates.longitude` UDM field. |
| src_endpoint.mac | principal.mac | If the `class_name` log field value contains one of the following values, then the `src_endpoint.mac` log field is mapped to the `principal.mac` UDM field. |
| src_endpoint.port | principal.port | If the `class_name` log field value contains one of the following values, then the `src_endpoint.port` log field is mapped to the `principal.port` UDM field. |
| actor.process.cmd_line | principal.process.command_line | If the `actor.process.cmd_line` log field value is not empty then, the `actor.process.cmd_line` log field is mapped to the `principal.process.command_line` UDM field. |
| actor.process.file.created_time | principal.process.file.first_seen_time | |
| actor.process.file.path | principal.process.file.full_path | |
| actor.process.file.modified_time | principal.process.file.last_modification_time | |
| actor.process.file.accessed_time | principal.process.file.last_seen_time | |
| actor.process.file.hashes.value | principal.process.file.md5 | If the `actor.process.file.hashes.algorithm_id` log field value is equal to `1` then, the `actor.process.file.hashes.value` log field is mapped to the `principal.process.file.md5` UDM field. |
| actor.process.file.mime_type | principal.process.file.mime_type | |
| actor.process.file.name | principal.process.file.names | |
| actor.process.file.hashes.value | principal.process.file.sha1 | If the `actor.process.file.hashes.algorithm_id` log field value is equal to `2` then, the `actor.process.file.hashes.value` log field is mapped to the `principal.process.file.sha1` UDM field. |
| actor.process.file.hashes.value | principal.process.file.sha256 | If the `actor.process.file.hashes.algorithm_id` log field value is equal to `3` then, the `actor.process.file.hashes.value` log field is mapped to the `principal.process.file.sha256` UDM field. |
| actor.process.file.size | principal.process.file.size | |
| actor.process.parent_process.cmd_line | principal.process.parent_process.command_line | |
| actor.process.parent_process.file.created_time | principal.process.parent_process.file.first_seen_time | |
| actor.process.parent_process.file.path | principal.process.parent_process.file.full_path | |
| actor.process.parent_process.file.modified_time | principal.process.parent_process.file.last_modification_time | |
| actor.process.parent_process.file.accessed_time | principal.process.parent_process.file.last_seen_time | |
| actor.process.parent_process.file.mime_type | principal.process.parent_process.file.mime_type | |
| actor.process.parent_process.file.name | principal.process.parent_process.file.names | |
| actor.process.parent_process.file.size | principal.process.parent_process.file.size | |
| actor.process.parent_process.pid | principal.process.parent_process.pid | |
| actor.process.parent_process.uid | principal.process.parent_process.product_specific_process_id | If the `actor.process.parent_process.uid` log field value is not empty then, `PRODUCT_SPECIFIC_PROCESS_ID: %{actor.process.parent_process.uid}` is mapped to the `principal.process.parent_process.product_specific_process_id` UDM field. |
| actor.process.pid | principal.process.pid | |
| actor.process.uid | principal.process.product_specific_process_id | If the `actor.process.uid` log field value is not empty then, `PRODUCT_SPECIFIC_PROCESS_ID: %{actor.process.uid}` is mapped to the `principal.process.product_specific_process_id` UDM field. |
| actor.user.type_id | principal.user.attribute.roles.name | If the `actor.user.type_id` log field value is equal to `0` then, the `principal.user.attribute.roles.name` UDM field is set to `Unknown`. Else, if the `actor.user.type_id` log field value is equal to `1` then, the `principal.user.attribute.roles.name` UDM field is set to `User`. Else, if the `actor.user.type_id` log field value is equal to `2` then, the `principal.user.attribute.roles.name` UDM field is set to `Admin`. Else, if the `actor.user.type_id` log field value is equal to `3` then, the `principal.user.attribute.roles.name` UDM field is set to `System`. Else, the `principal.user.attribute.roles.name` UDM field is set to `Other`. |
| actor.process.user.org.name | principal.user.company_name | |
| actor.user.org.name | principal.user.company_name | If the `actor.user.org.name` log field value is not empty then, the `actor.user.org.name` log field is mapped to the `principal.user.company_name` UDM field. Else, if the `actor.process.user.org.name` log field value is not empty then, the `actor.process.user.org.name` log field is mapped to the `principal.user.company_name` UDM field. |
| actor.process.user.org.ou_name | principal.user.department | |
| actor.user.org.ou_name | principal.user.department | If the `actor.user.org.ou_name` log field value is not empty then, the `actor.user.org.ou_name` log field is mapped to the `principal.user.department` UDM field. Else, if the `actor.process.user.org.ou_name` log field value is not empty then, the `actor.process.user.org.ou_name` log field is mapped to the `principal.user.department` UDM field. |
| actor.process.user.email_addr | principal.user.email_addresses | |
| actor.user.email_addr | principal.user.email_addresses | If the `actor.user.email_addr` log field value is not empty then, the `actor.user.email_addr` log field is mapped to the `principal.user.email_addresses` UDM field. Else, if the `actor.process.user.email_addr` log field value is not empty then, the `actor.process.user.email_addr` log field is mapped to the `principal.user.email_addresses` UDM field. |
| actor.process.user.groups.uid | principal.user.group_identifiers | |
| actor.user.groups.uid | principal.user.group_identifiers | Iterate through the `actor.user.groups.array.uid` log field; each `actor.user.groups.uid` value is mapped to the `principal.user.group_identifiers` UDM field. Iterate through the `actor.process.user.groups.uid` log field; each `actor.process.user.groups.uid` value is mapped to the `principal.user.group_identifiers` UDM field. |
| actor.user.uid | principal.user.product_object_id | If the `actor.user.uid` log field value is not empty then, `%{actor.user.uid}` is mapped to the `principal.user.product_object_id` UDM field. Else, if the `actor.process.user.uid` log field value is not empty then, `%{actor.process.user.uid}` is mapped to the `principal.user.product_object_id` UDM field. |
| actor.process.user.full_name | principal.user.user_display_name | |
| actor.user.full_name | principal.user.user_display_name | If the `actor.user.full_name` log field value is not empty then, the `actor.user.full_name` log field is mapped to the `principal.user.user_display_name` UDM field. Else, if the `actor.process.user.full_name` log field value is not empty then, the `actor.process.user.full_name` log field is mapped to the `principal.user.user_display_name` UDM field. |
| actor.process.user.name | principal.user.userid | |
| actor.user.name | principal.user.userid | If the `actor.user.name` log field value is not empty then, the `actor.user.name` log field is mapped to the `principal.user.userid` UDM field. Else, if the `actor.process.user.name` log field value is not empty then, the `actor.process.user.name` log field is mapped to the `principal.user.userid` UDM field. |
| status_id | security_result.action | If the `status_id` log field value is equal to `1` then, the `security_result.action` UDM field is set to `ALLOW`. Else, if the `status_id` log field value is equal to `2` then, the `security_result.action` UDM field is set to `FAIL`. |
| status | security_result.action_details | |
| category_name | security_result.category_details | `%{category_uid} - %{category_name}` is mapped to the `security_result.category_details` UDM field. |
| category_uid | security_result.category_details | `%{category_uid} - %{category_name}` is mapped to the `security_result.category_details` UDM field. |
| enrichments.name | security_result.detection_fields [enrichments_name] | Iterate through the `enrichments.name` log field; each `enrichments.name` value is mapped to the `security_result.detection_fields [enrichments_name]` UDM field. |
| enrichments.provider | security_result.detection_fields [enrichments_provider] | Iterate through the `enrichments.provider` log field; each `enrichments.provider` value is mapped to the `security_result.detection_fields [enrichments_provider]` UDM field. |
| enrichments.type | security_result.detection_fields [enrichments_type] | Iterate through the `enrichments.type` log field; each `enrichments.type` value is mapped to the `security_result.detection_fields [enrichments_type]` UDM field. |
| enrichments.value | security_result.detection_fields [enrichments_value] | Iterate through the `enrichments.value` log field; each `enrichments.value` value is mapped to the `security_result.detection_fields [enrichments_value]` UDM field. |
| type_name | security_result.detection_fields [type_name] | |
| type_uid | security_result.detection_fields [type_uid] | |
| actor.process.file.security_descriptor | security_result.detection_fields[actor_process_file_security_descriptor] | |
| http_request.url.categories [] | security_result.detection_fields[url_categories] | Iterate through the `http_request.url.categories` log field; each `http_request.url.categories` value is mapped to the `security_result.detection_fields[url_categories]` UDM field. |
| status_detail | security_result.detection_fields [status_detail] | |
| status_code | security_result.detection_fields [status_code] | |
| severity_id | security_result.severity | If the `severity_id` log field value is equal to `1` then, the `security_result.severity` UDM field is set to `INFORMATIONAL`. Else, if the `severity_id` log field value is equal to `2` then, the `security_result.severity` UDM field is set to `LOW`. Else, if the `severity_id` log field value is equal to `3` then, the `security_result.severity` UDM field is set to `MEDIUM`. Else, if the `severity_id` log field value is equal to `4` then, the `security_result.severity` UDM field is set to `HIGH`. Else, if the `severity_id` log field value is equal to `5` then, the `security_result.severity` UDM field is set to `CRITICAL`. Else, the `security_result.severity` UDM field is set to `UNKNOWN_SEVERITY`. |
| severity | security_result.severity_details | |
| dst_endpoint.svc_name | target.application | If the `class_name` log field value contains one of the following values: if the `class_name` log field value is equal to `Authentication` and if the `dst_endpoint.svc_name` log field value is not empty then, the `dst_endpoint.svc_name` log field is mapped to the `target.application` UDM field. Else, if the `service.name` log field value is not empty then, `%{service.name}` is mapped to the `target.application` UDM field. Else, if the `api.service.name` log field value is not empty then, `%{api.service.name}` is mapped to the `target.application` UDM field. Otherwise, if the `dst_endpoint.svc_name` log field value is not empty then, the `dst_endpoint.svc_name` log field is mapped to the `target.application` UDM field. Else, if the `api.service.name` log field value is not empty then, `%{api.service.name}` is mapped to the `target.application` UDM field. |
| api.service.name | target.application | If the `class_name` log field value contains one of the following values: if the `class_name` log field value is equal to `Authentication` and if the `dst_endpoint.svc_name` log field value is not empty then, the `dst_endpoint.svc_name` log field is mapped to the `target.application` UDM field. Else, if the `service.name` log field value is not empty then, `%{service.name}` is mapped to the `target.application` UDM field. Else, if the `api.service.name` log field value is not empty then, `%{api.service.name}` is mapped to the `target.application` UDM field. Otherwise, if the `dst_endpoint.svc_name` log field value is not empty then, the `dst_endpoint.svc_name` log field is mapped to the `target.application` UDM field. Else, if the `api.service.name` log field value is not empty then, `%{api.service.name}` is mapped to the `target.application` UDM field. |
| dst_endpoint.uid | target.asset_id | If the `class_name` log field value contains one of the following values, then `ASSET ID: %{dst_endpoint.uid}` is mapped to the `target.asset_id` UDM field. |
| dst_endpoint.domain | target.domain.name | If the `class_name` log field value contains one of the following values, then the `dst_endpoint.domain` log field is mapped to the `target.domain.name` UDM field. |
| dst_endpoint.hostname | target.hostname | If the `class_name` log field value contains one of the following values, then the `dst_endpoint.hostname` log field is mapped to the `target.hostname` UDM field. |
| http_request.url.hostname | target.hostname | |
| dst_endpoint.ip | target.ip | If the `class_name` log field value contains one of the following values, then the `dst_endpoint.ip` log field is mapped to the `target.ip` UDM field. |
| dst_endpoint.location.city | target.location.city | If the `class_name` log field value contains one of the following values, then the `dst_endpoint.location.city` log field is mapped to the `target.location.city` UDM field. |
| dst_endpoint.location.region | target.location.name | If the `class_name` log field value contains one of the following values, then the `dst_endpoint.location.region` log field is mapped to the `target.location.name` UDM field. |
| dst_endpoint.location.country | target.location.country_or_region | If the `class_name` log field value contains one of the following values, then the `dst_endpoint.location.country` log field is mapped to the `target.location.country_or_region` UDM field. |
| dst_endpoint.location.coordinates.1 | target.location.region_coordinates.latitude | If the `class_name` log field value contains one of the following values, then the `dst_endpoint.location.coordinates.1` log field is mapped to the `target.location.region_coordinates.latitude` UDM field. |
| dst_endpoint.location.coordinates.0 | target.location.region_coordinates.longitude | If the `class_name` log field value contains one of the following values, then the `dst_endpoint.location.coordinates.0` log field is mapped to the `target.location.region_coordinates.longitude` UDM field. |
| dst_endpoint.mac | target.mac | If the `class_name` log field value contains one of the following values, then the `dst_endpoint.mac` log field is mapped to the `target.mac` UDM field. |
| dst_endpoint.port | target.port | If the `class_name` log field value contains one of the following values, then the `dst_endpoint.port` log field is mapped to the `target.port` UDM field. |
| http_request.url.port | target.port | |
| resources.name | target.resource.name | Iterate through the `resources.name` log field; if the index value is equal to `0` then, the `resources.name` log field is mapped to the `target.resource.name` UDM field. |
| resources.uid | target.resource.product_object_id | Iterate through the `resources.uid` log field; if the index value is equal to `0` then, the `resources.uid` log field is mapped to the `target.resource.product_object_id` UDM field. |
| resources.type | target.resource.resource_subtype | Iterate through the `resources.type` log field; if the index value is equal to `0` then, the `resources.type` log field is mapped to the `target.resource.resource_subtype` UDM field. |
| http_request.url.url_string | target.url | |
| class_uid | security_result.detection_fields [class_uid] | |
| actor.process.session.uid_alt | additional.fields[actor_process_session_uid_alt] | |
| actor.process.session.count | additional.fields[actor_process_session_count] | |
| actor.process.session.expiration_reason | additional.fields[actor_process_session_expiration_reason] | |
| actor.process.session.is_mfa | additional.fields[actor_process_session_is_mfa] | |
| actor.process.session.terminal | additional.fields[actor_process_session_terminal] | |
| actor.process.session.is_vpn | additional.fields[actor_process_session_is_vpn] | |
| actor.session.uid_alt | additional.fields[actor_session_uid_alt] | |
| actor.session.count | additional.fields[actor_session_count] | |
| actor.session.expiration_reason | additional.fields[actor_session_expiration_reason] | |
| actor.session.is_mfa | additional.fields[actor_session_is_mfa] | |
| actor.session.terminal | additional.fields[actor_session_terminal] | |
| actor.session.is_vpn | additional.fields[actor_session_is_vpn] | |
| actor.user.ldap_person.cost_center | principal.user.attribute.labels[user_ldap_person_cost_center] | If the actor.user.ldap_person.cost_center log field value is not empty, then the actor.user.ldap_person.cost_center log field is mapped to the principal.user.attribute.labels[user_ldap_person_cost_center] UDM field. Else, if the actor.process.user.ldap_person.cost_center log field value is not empty, then the actor.process.user.ldap_person.cost_center log field is mapped to the principal.user.attribute.labels[user_ldap_person_cost_center] UDM field. | 
| actor.process.user.ldap_person.cost_center | principal.user.attribute.labels[user_ldap_person_cost_center] | If the actor.user.ldap_person.cost_center log field value is not empty, then the actor.user.ldap_person.cost_center log field is mapped to the principal.user.attribute.labels[user_ldap_person_cost_center] UDM field. Else, if the actor.process.user.ldap_person.cost_center log field value is not empty, then the actor.process.user.ldap_person.cost_center log field is mapped to the principal.user.attribute.labels[user_ldap_person_cost_center] UDM field. | 
| actor.user.ldap_person.created_time | principal.user.attribute.labels[user_ldap_person_created_time] | If the actor.user.ldap_person.created_time log field value is not empty, then the actor.user.ldap_person.created_time log field is mapped to the principal.user.attribute.labels[user_ldap_person_created_time] UDM field. Else, if the actor.process.user.ldap_person.created_time log field value is not empty, then the actor.process.user.ldap_person.created_time log field is mapped to the principal.user.attribute.labels[user_ldap_person_created_time] UDM field. | 
| actor.process.user.ldap_person.created_time | principal.user.attribute.labels[user_ldap_person_created_time] | If the actor.user.ldap_person.created_time log field value is not empty, then the actor.user.ldap_person.created_time log field is mapped to the principal.user.attribute.labels[user_ldap_person_created_time] UDM field. Else, if the actor.process.user.ldap_person.created_time log field value is not empty, then the actor.process.user.ldap_person.created_time log field is mapped to the principal.user.attribute.labels[user_ldap_person_created_time] UDM field. | 
| actor.user.ldap_person.deleted_time | principal.user.attribute.labels[user_ldap_person_deleted_time] | If the actor.user.ldap_person.deleted_time log field value is not empty, then the actor.user.ldap_person.deleted_time log field is mapped to the principal.user.attribute.labels[user_ldap_person_deleted_time] UDM field. Else, if the actor.process.user.ldap_person.deleted_time log field value is not empty, then the actor.process.user.ldap_person.deleted_time log field is mapped to the principal.user.attribute.labels[user_ldap_person_deleted_time] UDM field. | 
| actor.process.user.ldap_person.deleted_time | principal.user.attribute.labels[user_ldap_person_deleted_time] | If the actor.user.ldap_person.deleted_time log field value is not empty, then the actor.user.ldap_person.deleted_time log field is mapped to the principal.user.attribute.labels[user_ldap_person_deleted_time] UDM field. Else, if the actor.process.user.ldap_person.deleted_time log field value is not empty, then the actor.process.user.ldap_person.deleted_time log field is mapped to the principal.user.attribute.labels[user_ldap_person_deleted_time] UDM field. | 
| actor.user.ldap_person.email_addrs | principal.user.email_addresses | If the actor.user.ldap_person.email_addrs log field value is not empty, then the actor.user.ldap_person.email_addrs log field is mapped to the principal.user.email_addresses UDM field. Else, if the actor.process.user.ldap_person.email_addrs log field value is not empty, then the actor.process.user.ldap_person.email_addrs log field is mapped to the principal.user.email_addresses UDM field. | 
| actor.process.user.ldap_person.email_addrs | principal.user.email_addresses | If the actor.user.ldap_person.email_addrs log field value is not empty, then the actor.user.ldap_person.email_addrs log field is mapped to the principal.user.email_addresses UDM field. Else, if the actor.process.user.ldap_person.email_addrs log field value is not empty, then the actor.process.user.ldap_person.email_addrs log field is mapped to the principal.user.email_addresses UDM field. | 
| actor.user.ldap_person.employee_uid | principal.user.employee_uid | If the actor.user.ldap_person.employee_uid log field value is not empty, then the actor.user.ldap_person.employee_uid log field is mapped to the principal.user.employee_uid UDM field. Else, if the actor.process.user.ldap_person.employee_uid log field value is not empty, then the actor.process.user.ldap_person.employee_uid log field is mapped to the principal.user.employee_uid UDM field. | 
| actor.process.user.ldap_person.employee_uid | principal.user.employee_uid | If the actor.user.ldap_person.employee_uid log field value is not empty, then the actor.user.ldap_person.employee_uid log field is mapped to the principal.user.employee_uid UDM field. Else, if the actor.process.user.ldap_person.employee_uid log field value is not empty, then the actor.process.user.ldap_person.employee_uid log field is mapped to the principal.user.employee_uid UDM field. | 
| actor.user.ldap_person.location | principal.user.attribute.labels[user_ldap_person_location] | If the actor.user.ldap_person.location log field value is not empty, then the actor.user.ldap_person.location log field is mapped to the principal.user.attribute.labels[user_ldap_person_location] UDM field. Else, if the actor.process.user.ldap_person.location log field value is not empty, then the actor.process.user.ldap_person.location log field is mapped to the principal.user.attribute.labels[user_ldap_person_location] UDM field. | 
| actor.process.user.ldap_person.location | principal.user.attribute.labels[user_ldap_person_location] | If the actor.user.ldap_person.location log field value is not empty, then the actor.user.ldap_person.location log field is mapped to the principal.user.attribute.labels[user_ldap_person_location] UDM field. Else, if the actor.process.user.ldap_person.location log field value is not empty, then the actor.process.user.ldap_person.location log field is mapped to the principal.user.attribute.labels[user_ldap_person_location] UDM field. | 
| actor.user.ldap_person.given_name | principal.user.first_name | If the actor.user.ldap_person.given_name log field value is not empty, then the actor.user.ldap_person.given_name log field is mapped to the principal.user.first_name UDM field. Else, if the actor.process.user.ldap_person.given_name log field value is not empty, then the actor.process.user.ldap_person.given_name log field is mapped to the principal.user.first_name UDM field. | 
| actor.process.user.ldap_person.given_name | principal.user.first_name | If the actor.user.ldap_person.given_name log field value is not empty, then the actor.user.ldap_person.given_name log field is mapped to the principal.user.first_name UDM field. Else, if the actor.process.user.ldap_person.given_name log field value is not empty, then the actor.process.user.ldap_person.given_name log field is mapped to the principal.user.first_name UDM field. | 
| actor.user.ldap_person.hire_time | principal.user.hire_date | If the actor.user.ldap_person.hire_time log field value is not empty, then the actor.user.ldap_person.hire_time log field is mapped to the principal.user.hire_date UDM field. Else, if the actor.process.user.ldap_person.hire_time log field value is not empty, then the actor.process.user.ldap_person.hire_time log field is mapped to the principal.user.hire_date UDM field. | 
| actor.process.user.ldap_person.hire_time | principal.user.hire_date | If the actor.user.ldap_person.hire_time log field value is not empty, then the actor.user.ldap_person.hire_time log field is mapped to the principal.user.hire_date UDM field. Else, if the actor.process.user.ldap_person.hire_time log field value is not empty, then the actor.process.user.ldap_person.hire_time log field is mapped to the principal.user.hire_date UDM field. | 
| actor.user.ldap_person.job_title | principal.user.title | If the actor.user.ldap_person.job_title log field value is not empty, then the actor.user.ldap_person.job_title log field is mapped to the principal.user.title UDM field. Else, if the actor.process.user.ldap_person.job_title log field value is not empty, then the actor.process.user.ldap_person.job_title log field is mapped to the principal.user.title UDM field. | 
| actor.process.user.ldap_person.job_title | principal.user.title | If the actor.user.ldap_person.job_title log field value is not empty, then the actor.user.ldap_person.job_title log field is mapped to the principal.user.title UDM field. Else, if the actor.process.user.ldap_person.job_title log field value is not empty, then the actor.process.user.ldap_person.job_title log field is mapped to the principal.user.title UDM field. | 
| actor.user.ldap_person.ldap_cn | principal.user.attribute.labels[user_ldap_person_ldap_cn] | If the actor.user.ldap_person.ldap_cn log field value is not empty, then the actor.user.ldap_person.ldap_cn log field is mapped to the principal.user.attribute.labels[user_ldap_person_ldap_cn] UDM field. Else, if the actor.process.user.ldap_person.ldap_cn log field value is not empty, then the actor.process.user.ldap_person.ldap_cn log field is mapped to the principal.user.attribute.labels[user_ldap_person_ldap_cn] UDM field. | 
| actor.process.user.ldap_person.ldap_cn | principal.user.attribute.labels[user_ldap_person_ldap_cn] | If the actor.user.ldap_person.ldap_cn log field value is not empty, then the actor.user.ldap_person.ldap_cn log field is mapped to the principal.user.attribute.labels[user_ldap_person_ldap_cn] UDM field. Else, if the actor.process.user.ldap_person.ldap_cn log field value is not empty, then the actor.process.user.ldap_person.ldap_cn log field is mapped to the principal.user.attribute.labels[user_ldap_person_ldap_cn] UDM field. | 
| actor.user.ldap_person.ldap_dn | principal.user.attribute.labels[user_ldap_person_ldap_dn] | If the actor.user.ldap_person.ldap_dn log field value is not empty, then the actor.user.ldap_person.ldap_dn log field is mapped to the principal.user.attribute.labels[user_ldap_person_ldap_dn] UDM field. Else, if the actor.process.user.ldap_person.ldap_dn log field value is not empty, then the actor.process.user.ldap_person.ldap_dn log field is mapped to the principal.user.attribute.labels[user_ldap_person_ldap_dn] UDM field. | 
| actor.process.user.ldap_person.ldap_dn | principal.user.attribute.labels[user_ldap_person_ldap_dn] | If the actor.user.ldap_person.ldap_dn log field value is not empty, then the actor.user.ldap_person.ldap_dn log field is mapped to the principal.user.attribute.labels[user_ldap_person_ldap_dn] UDM field. Else, if the actor.process.user.ldap_person.ldap_dn log field value is not empty, then the actor.process.user.ldap_person.ldap_dn log field is mapped to the principal.user.attribute.labels[user_ldap_person_ldap_dn] UDM field. | 
| actor.user.ldap_person.labels | principal.user.attribute.labels[user_ldap_person_labels] | If the actor.user.ldap_person.labels log field value is not empty, then the actor.user.ldap_person.labels log field is mapped to the principal.user.attribute.labels[user_ldap_person_labels] UDM field. Else, if the actor.process.user.ldap_person.labels log field value is not empty, then the actor.process.user.ldap_person.labels log field is mapped to the principal.user.attribute.labels[user_ldap_person_labels] UDM field. | 
| actor.process.user.ldap_person.labels | principal.user.attribute.labels[user_ldap_person_labels] | If the actor.user.ldap_person.labels log field value is not empty, then the actor.user.ldap_person.labels log field is mapped to the principal.user.attribute.labels[user_ldap_person_labels] UDM field. Else, if the actor.process.user.ldap_person.labels log field value is not empty, then the actor.process.user.ldap_person.labels log field is mapped to the principal.user.attribute.labels[user_ldap_person_labels] UDM field. | 
| actor.user.ldap_person.last_login_time | principal.user.last_login_time | If the actor.user.ldap_person.last_login_time log field value is not empty, then the actor.user.ldap_person.last_login_time log field is mapped to the principal.user.last_login_time UDM field. Else, if the actor.process.user.ldap_person.last_login_time log field value is not empty, then the actor.process.user.ldap_person.last_login_time log field is mapped to the principal.user.last_login_time UDM field. | 
| actor.process.user.ldap_person.last_login_time | principal.user.last_login_time | If the actor.user.ldap_person.last_login_time log field value is not empty, then the actor.user.ldap_person.last_login_time log field is mapped to the principal.user.last_login_time UDM field. Else, if the actor.process.user.ldap_person.last_login_time log field value is not empty, then the actor.process.user.ldap_person.last_login_time log field is mapped to the principal.user.last_login_time UDM field. | 
| actor.user.ldap_person.leave_time | principal.user.attribute.labels[user_ldap_person_leave_time] | If the actor.user.ldap_person.leave_time log field value is not empty, then the actor.user.ldap_person.leave_time log field is mapped to the principal.user.attribute.labels[user_ldap_person_leave_time] UDM field. Else, if the actor.process.user.ldap_person.leave_time log field value is not empty, then the actor.process.user.ldap_person.leave_time log field is mapped to the principal.user.attribute.labels[user_ldap_person_leave_time] UDM field. | 
| actor.process.user.ldap_person.leave_time | principal.user.attribute.labels[user_ldap_person_leave_time] | If the actor.user.ldap_person.leave_time log field value is not empty, then the actor.user.ldap_person.leave_time log field is mapped to the principal.user.attribute.labels[user_ldap_person_leave_time] UDM field. Else, if the actor.process.user.ldap_person.leave_time log field value is not empty, then the actor.process.user.ldap_person.leave_time log field is mapped to the principal.user.attribute.labels[user_ldap_person_leave_time] UDM field. | 
| actor.user.ldap_person.modified_time | principal.user.attribute.labels[user_ldap_person_modified_time] | If the actor.user.ldap_person.modified_time log field value is not empty, then the actor.user.ldap_person.modified_time log field is mapped to the principal.user.attribute.labels[user_ldap_person_modified_time] UDM field. Else, if the actor.process.user.ldap_person.modified_time log field value is not empty, then the actor.process.user.ldap_person.modified_time log field is mapped to the principal.user.attribute.labels[user_ldap_person_modified_time] UDM field. | 
| actor.process.user.ldap_person.modified_time | principal.user.attribute.labels[user_ldap_person_modified_time] | If the actor.user.ldap_person.modified_time log field value is not empty, then the actor.user.ldap_person.modified_time log field is mapped to the principal.user.attribute.labels[user_ldap_person_modified_time] UDM field. Else, if the actor.process.user.ldap_person.modified_time log field value is not empty, then the actor.process.user.ldap_person.modified_time log field is mapped to the principal.user.attribute.labels[user_ldap_person_modified_time] UDM field. | 
| actor.user.ldap_person.office_location | principal.user.office_address.name | If the actor.user.ldap_person.office_location log field value is not empty, then the actor.user.ldap_person.office_location log field is mapped to the principal.user.office_address.name UDM field. Else, if the actor.process.user.ldap_person.office_location log field value is not empty, then the actor.process.user.ldap_person.office_location log field is mapped to the principal.user.office_address.name UDM field. | 
| actor.process.user.ldap_person.office_location | principal.user.office_address.name | If the actor.user.ldap_person.office_location log field value is not empty, then the actor.user.ldap_person.office_location log field is mapped to the principal.user.office_address.name UDM field. Else, if the actor.process.user.ldap_person.office_location log field value is not empty, then the actor.process.user.ldap_person.office_location log field is mapped to the principal.user.office_address.name UDM field. | 
| actor.user.ldap_person.surname | principal.user.last_name | If the actor.user.ldap_person.surname log field value is not empty, then the actor.user.ldap_person.surname log field is mapped to the principal.user.last_name UDM field. Else, if the actor.process.user.ldap_person.surname log field value is not empty, then the actor.process.user.ldap_person.surname log field is mapped to the principal.user.last_name UDM field. | 
| actor.process.user.ldap_person.surname | principal.user.last_name | If the actor.user.ldap_person.surname log field value is not empty, then the actor.user.ldap_person.surname log field is mapped to the principal.user.last_name UDM field. Else, if the actor.process.user.ldap_person.surname log field value is not empty, then the actor.process.user.ldap_person.surname log field is mapped to the principal.user.last_name UDM field. | 
| actor.user.ldap_person.manager.cost_center | principal.user.managers.attribute.labels[user_ldap_person_cost_center] | If the actor.user.ldap_person.manager.cost_center log field value is not empty, then iterate through the actor.user.ldap_person.manager log field, and the actor.user.ldap_person.manager.cost_center log field is mapped to the principal.user.managers.attribute.labels[user_ldap_person_cost_center] UDM field. Else, if the actor.process.user.ldap_person.manager.cost_center log field value is not empty, then iterate through the actor.process.user.ldap_person.manager log field, and the actor.process.user.ldap_person.manager.cost_center log field is mapped to the principal.user.managers.attribute.labels[user_ldap_person_cost_center] UDM field. | 
| actor.process.user.ldap_person.manager.cost_center | principal.user.managers.attribute.labels[user_ldap_person_cost_center] | If the actor.user.ldap_person.manager.cost_center log field value is not empty, then iterate through the actor.user.ldap_person.manager log field, and the actor.user.ldap_person.manager.cost_center log field is mapped to the principal.user.managers.attribute.labels[user_ldap_person_cost_center] UDM field. Else, if the actor.process.user.ldap_person.manager.cost_center log field value is not empty, then iterate through the actor.process.user.ldap_person.manager log field, and the actor.process.user.ldap_person.manager.cost_center log field is mapped to the principal.user.managers.attribute.labels[user_ldap_person_cost_center] UDM field. | 
| actor.user.ldap_person.manager.created_time | principal.user.managers.attribute.labels[user_ldap_person_created_time] | If the actor.user.ldap_person.manager.created_time log field value is not empty, then iterate through the actor.user.ldap_person.manager log field, and the actor.user.ldap_person.manager.created_time log field is mapped to the principal.user.managers.attribute.labels[user_ldap_person_created_time] UDM field. Else, if the actor.process.user.ldap_person.manager.created_time log field value is not empty, then iterate through the actor.process.user.ldap_person.manager log field, and the actor.process.user.ldap_person.manager.created_time log field is mapped to the principal.user.managers.attribute.labels[user_ldap_person_created_time] UDM field. | 
| actor.process.user.ldap_person.manager.created_time | principal.user.managers.attribute.labels[user_ldap_person_created_time] | If the actor.user.ldap_person.manager.created_time log field value is not empty, then iterate through the actor.user.ldap_person.manager log field, and the actor.user.ldap_person.manager.created_time log field is mapped to the principal.user.managers.attribute.labels[user_ldap_person_created_time] UDM field. Else, if the actor.process.user.ldap_person.manager.created_time log field value is not empty, then iterate through the actor.process.user.ldap_person.manager log field, and the actor.process.user.ldap_person.manager.created_time log field is mapped to the principal.user.managers.attribute.labels[user_ldap_person_created_time] UDM field. | 
| actor.user.ldap_person.manager.deleted_time | principal.user.managers.attribute.labels[user_ldap_person_deleted_time] | If the actor.user.ldap_person.manager.deleted_time log field value is not empty, then iterate through the actor.user.ldap_person.manager log field, and the actor.user.ldap_person.manager.deleted_time log field is mapped to the principal.user.managers.attribute.labels[user_ldap_person_deleted_time] UDM field. Else, if the actor.process.user.ldap_person.manager.deleted_time log field value is not empty, then iterate through the actor.process.user.ldap_person.manager log field, and the actor.process.user.ldap_person.manager.deleted_time log field is mapped to the principal.user.managers.attribute.labels[user_ldap_person_deleted_time] UDM field. | 
| actor.process.user.ldap_person.manager.deleted_time | principal.user.managers.attribute.labels[user_ldap_person_deleted_time] | If the actor.user.ldap_person.manager.deleted_time log field value is not empty, then iterate through the actor.user.ldap_person.manager log field, and the actor.user.ldap_person.manager.deleted_time log field is mapped to the principal.user.managers.attribute.labels[user_ldap_person_deleted_time] UDM field. Else, if the actor.process.user.ldap_person.manager.deleted_time log field value is not empty, then iterate through the actor.process.user.ldap_person.manager log field, and the actor.process.user.ldap_person.manager.deleted_time log field is mapped to the principal.user.managers.attribute.labels[user_ldap_person_deleted_time] UDM field. | 
| actor.user.ldap_person.manager.email_addrs | principal.user.managers.email_addresses | If the actor.user.ldap_person.manager.email_addrs log field value is not empty, then iterate through the actor.user.ldap_person.manager log field, and the actor.user.ldap_person.manager.email_addrs log field is mapped to the principal.user.managers.email_addresses UDM field. Else, if the actor.process.user.ldap_person.manager.email_addrs log field value is not empty, then iterate through the actor.process.user.ldap_person.manager log field, and the actor.process.user.ldap_person.manager.email_addrs log field is mapped to the principal.user.managers.email_addresses UDM field. | 
| actor.process.user.ldap_person.manager.email_addrs | principal.user.managers.email_addresses | If the actor.user.ldap_person.manager.email_addrs log field value is not empty, then iterate through the actor.user.ldap_person.manager log field, and the actor.user.ldap_person.manager.email_addrs log field is mapped to the principal.user.managers.email_addresses UDM field. Else, if the actor.process.user.ldap_person.manager.email_addrs log field value is not empty, then iterate through the actor.process.user.ldap_person.manager log field, and the actor.process.user.ldap_person.manager.email_addrs log field is mapped to the principal.user.managers.email_addresses UDM field. | 
| actor.user.ldap_person.manager.employee_uid | principal.user.managers.employee_uid | If the actor.user.ldap_person.manager.employee_uid log field value is not empty, then iterate through the actor.user.ldap_person.manager log field, and the actor.user.ldap_person.manager.employee_uid log field is mapped to the principal.user.managers.employee_uid UDM field. Else, if the actor.process.user.ldap_person.manager.employee_uid log field value is not empty, then iterate through the actor.process.user.ldap_person.manager log field, and the actor.process.user.ldap_person.manager.employee_uid log field is mapped to the principal.user.managers.employee_uid UDM field. | 
| actor.process.user.ldap_person.manager.employee_uid | principal.user.managers.employee_uid | If the actor.user.ldap_person.manager.employee_uid log field value is not empty, then iterate through the actor.user.ldap_person.manager log field, and the actor.user.ldap_person.manager.employee_uid log field is mapped to the principal.user.managers.employee_uid UDM field. Else, if the actor.process.user.ldap_person.manager.employee_uid log field value is not empty, then iterate through the actor.process.user.ldap_person.manager log field, and the actor.process.user.ldap_person.manager.employee_uid log field is mapped to the principal.user.managers.employee_uid UDM field. | 
| actor.user.ldap_person.manager.location | principal.user.managers.attribute.labels[user_ldap_person_location] | If the actor.user.ldap_person.manager.location log field value is not empty, then iterate through the actor.user.ldap_person.manager log field, and the actor.user.ldap_person.manager.location log field is mapped to the principal.user.managers.attribute.labels[user_ldap_person_location] UDM field. Else, if the actor.process.user.ldap_person.manager.location log field value is not empty, then iterate through the actor.process.user.ldap_person.manager log field, and the actor.process.user.ldap_person.manager.location log field is mapped to the principal.user.managers.attribute.labels[user_ldap_person_location] UDM field. | 
| actor.process.user.ldap_person.manager.location | principal.user.managers.attribute.labels[user_ldap_person_location] | If the actor.user.ldap_person.manager.location log field value is not empty, then iterate through the actor.user.ldap_person.manager log field, and the actor.user.ldap_person.manager.location log field is mapped to the principal.user.managers.attribute.labels[user_ldap_person_location] UDM field. Else, if the actor.process.user.ldap_person.manager.location log field value is not empty, then iterate through the actor.process.user.ldap_person.manager log field, and the actor.process.user.ldap_person.manager.location log field is mapped to the principal.user.managers.attribute.labels[user_ldap_person_location] UDM field. | 
| actor.user.ldap_person.manager.given_name | principal.user.managers.first_name | If the actor.user.ldap_person.manager.given_name log field value is not empty, then iterate through the actor.user.ldap_person.manager log field, and the actor.user.ldap_person.manager.given_name log field is mapped to the principal.user.managers.first_name UDM field. Else, if the actor.process.user.ldap_person.manager.given_name log field value is not empty, then iterate through the actor.process.user.ldap_person.manager log field, and the actor.process.user.ldap_person.manager.given_name log field is mapped to the principal.user.managers.first_name UDM field. | 
| actor.process.user.ldap_person.manager.given_name | principal.user.managers.first_name | If the actor.user.ldap_person.manager.given_name log field value is not empty, then iterate through the actor.user.ldap_person.manager log field, and the actor.user.ldap_person.manager.given_name log field is mapped to the principal.user.managers.first_name UDM field. Else, if the actor.process.user.ldap_person.manager.given_name log field value is not empty, then iterate through the actor.process.user.ldap_person.manager log field, and the actor.process.user.ldap_person.manager.given_name log field is mapped to the principal.user.managers.first_name UDM field. | 
| actor.user.ldap_person.manager.hire_time | principal.user.managers.hire_date | If the actor.user.ldap_person.manager.hire_time log field value is not empty, then iterate through the actor.user.ldap_person.manager log field, and the actor.user.ldap_person.manager.hire_time log field is mapped to the principal.user.managers.hire_date UDM field. Else, if the actor.process.user.ldap_person.manager.hire_time log field value is not empty, then iterate through the actor.process.user.ldap_person.manager log field, and the actor.process.user.ldap_person.manager.hire_time log field is mapped to the principal.user.managers.hire_date UDM field. | 
| actor.process.user.ldap_person.manager.hire_time | principal.user.managers.hire_date | If the actor.user.ldap_person.manager.hire_time log field value is not empty, then iterate through the actor.user.ldap_person.manager log field, and the actor.user.ldap_person.manager.hire_time log field is mapped to the principal.user.managers.hire_date UDM field. Else, if the actor.process.user.ldap_person.manager.hire_time log field value is not empty, then iterate through the actor.process.user.ldap_person.manager log field, and the actor.process.user.ldap_person.manager.hire_time log field is mapped to the principal.user.managers.hire_date UDM field. | 
| actor.user.ldap_person.manager.job_title | principal.user.managers.title | If the actor.user.ldap_person.manager.job_title log field value is not empty, then iterate through the actor.user.ldap_person.manager log field, and the actor.user.ldap_person.manager.job_title log field is mapped to the principal.user.managers.title UDM field. Else, if the actor.process.user.ldap_person.manager.job_title log field value is not empty, then iterate through the actor.process.user.ldap_person.manager log field, and the actor.process.user.ldap_person.manager.job_title log field is mapped to the principal.user.managers.title UDM field. | 
| actor.process.user.ldap_person.manager.job_title | principal.user.managers.title | If the actor.user.ldap_person.manager.job_title log field value is not empty, then iterate through the actor.user.ldap_person.manager log field, and the actor.user.ldap_person.manager.job_title log field is mapped to the principal.user.managers.title UDM field. Else, if the actor.process.user.ldap_person.manager.job_title log field value is not empty, then iterate through the actor.process.user.ldap_person.manager log field, and the actor.process.user.ldap_person.manager.job_title log field is mapped to the principal.user.managers.title UDM field. | 
| actor.user.ldap_person.manager.ldap_cn | principal.user.managers.attribute.labels[user_ldap_person_ldap_cn] | If the actor.user.ldap_person.manager.ldap_cn log field value is not empty, then iterate through the actor.user.ldap_person.manager log field, and the actor.user.ldap_person.manager.ldap_cn log field is mapped to the principal.user.managers.attribute.labels[user_ldap_person_ldap_cn] UDM field. Else, if the actor.process.user.ldap_person.manager.ldap_cn log field value is not empty, then iterate through the actor.process.user.ldap_person.manager log field, and the actor.process.user.ldap_person.manager.ldap_cn log field is mapped to the principal.user.managers.attribute.labels[user_ldap_person_ldap_cn] UDM field. | 
| actor.process.user.ldap_person.manager.ldap_cn | principal.user.managers.attribute.labels[user_ldap_person_ldap_cn] | If the actor.user.ldap_person.manager.ldap_cn log field value is not empty, then iterate through the actor.user.ldap_person.manager log field, and the actor.user.ldap_person.manager.ldap_cn log field is mapped to the principal.user.managers.attribute.labels[user_ldap_person_ldap_cn] UDM field. Else, if the actor.process.user.ldap_person.manager.ldap_cn log field value is not empty, then iterate through the actor.process.user.ldap_person.manager log field, and the actor.process.user.ldap_person.manager.ldap_cn log field is mapped to the principal.user.managers.attribute.labels[user_ldap_person_ldap_cn] UDM field. | 
| actor.user.ldap_person.manager.ldap_dn | principal.user.managers.attribute.labels[user_ldap_person_ldap_dn] | If the actor.user.ldap_person.manager.ldap_dn log field value is not empty, then iterate through the actor.user.ldap_person.manager log field, and the actor.user.ldap_person.manager.ldap_dn log field is mapped to the principal.user.managers.attribute.labels[user_ldap_person_ldap_dn] UDM field. Else, if the actor.process.user.ldap_person.manager.ldap_dn log field value is not empty, then iterate through the actor.process.user.ldap_person.manager log field, and the actor.process.user.ldap_person.manager.ldap_dn log field is mapped to the principal.user.managers.attribute.labels[user_ldap_person_ldap_dn] UDM field. | 
| actor.process.user.ldap_person.manager.ldap_dn | principal.user.managers.attribute.labels[user_ldap_person_ldap_dn] | If the actor.user.ldap_person.manager.ldap_dn log field value is not empty, then iterate through the actor.user.ldap_person.manager log field, and the actor.user.ldap_person.manager.ldap_dn log field is mapped to the principal.user.managers.attribute.labels[user_ldap_person_ldap_dn] UDM field. Else, if the actor.process.user.ldap_person.manager.ldap_dn log field value is not empty, then iterate through the actor.process.user.ldap_person.manager log field, and the actor.process.user.ldap_person.manager.ldap_dn log field is mapped to the principal.user.managers.attribute.labels[user_ldap_person_ldap_dn] UDM field. | 
| actor.user.ldap_person.manager.labels | principal.user.managers.attribute.labels[user_ldap_person_labels] | If the actor.user.ldap_person.manager.labels log field value is not empty, then iterate through the actor.user.ldap_person.manager log field, and the actor.user.ldap_person.manager.labels log field is mapped to the principal.user.managers.attribute.labels[user_ldap_person_labels] UDM field. Else, if the actor.process.user.ldap_person.manager.labels log field value is not empty, then iterate through the actor.process.user.ldap_person.manager log field, and the actor.process.user.ldap_person.manager.labels log field is mapped to the principal.user.managers.attribute.labels[user_ldap_person_labels] UDM field. | 
| actor.process.user.ldap_person.manager.labels | principal.user.managers.attribute.labels[user_ldap_person_labels] | If the actor.user.ldap_person.manager.labels log field value is not empty, then iterate through the actor.user.ldap_person.manager log field, and the actor.user.ldap_person.manager.labels log field is mapped to the principal.user.managers.attribute.labels[user_ldap_person_labels] UDM field. Else, if the actor.process.user.ldap_person.manager.labels log field value is not empty, then iterate through the actor.process.user.ldap_person.manager log field, and the actor.process.user.ldap_person.manager.labels log field is mapped to the principal.user.managers.attribute.labels[user_ldap_person_labels] UDM field. | 
| actor.user.ldap_person.manager.last_login_time | principal.user.managers.last_login_time | If the actor.user.ldap_person.manager.last_login_time log field value is not empty, then iterate through the actor.user.ldap_person.manager log field, and the actor.user.ldap_person.manager.last_login_time log field is mapped to the principal.user.managers.last_login_time UDM field. Else, if the actor.process.user.ldap_person.manager.last_login_time log field value is not empty, then iterate through the actor.process.user.ldap_person.manager log field, and the actor.process.user.ldap_person.manager.last_login_time log field is mapped to the principal.user.managers.last_login_time UDM field. | 
| actor.process.user.ldap_person.manager.last_login_time | principal.user.managers.last_login_time | If the actor.user.ldap_person.manager.last_login_time log field value is not empty, then iterate through the actor.user.ldap_person.manager log field, and the actor.user.ldap_person.manager.last_login_time log field is mapped to the principal.user.managers.last_login_time UDM field. Else, if the actor.process.user.ldap_person.manager.last_login_time log field value is not empty, then iterate through the actor.process.user.ldap_person.manager log field, and the actor.process.user.ldap_person.manager.last_login_time log field is mapped to the principal.user.managers.last_login_time UDM field. | 
| actor.user.ldap_person.manager.leave_time | principal.user.managers.attribute.labels[user_ldap_person_leave_time] | If the actor.user.ldap_person.manager.leave_time log field value is not empty, then iterate through the actor.user.ldap_person.manager log field, and the actor.user.ldap_person.manager.leave_time log field is mapped to the principal.user.managers.attribute.labels[user_ldap_person_leave_time] UDM field. Else, if the actor.process.user.ldap_person.manager.leave_time log field value is not empty, then iterate through the actor.process.user.ldap_person.manager log field, and the actor.process.user.ldap_person.manager.leave_time log field is mapped to the principal.user.managers.attribute.labels[user_ldap_person_leave_time] UDM field. | 
| actor.process.user.ldap_person.manager.leave_time | principal.user.managers.attribute.labels[user_ldap_person_leave_time] | If the actor.user.ldap_person.manager.leave_timelog field value is not empty then,iterate through log field actor.user.ldap_person.manager, thenactor.user.ldap_person.manager.leave_timelog field is mapped to theprincipal.user.managers.attribute.labels[user_ldap_person_leave_time]UDM field.Else, if actor.process.user.ldap_person.manager.leave_timelog field value then,iterate through log field actor.process.user.ldap_person.manager, thenactor.process.user.ldap_person.manager.leave_timelog field is mapped to theprincipal.user.managers.attribute.labels[user_ldap_person_leave_time]UDM field. | 
| actor.user.ldap_person.manager.modified_time | principal.user.managers.attribute.labels[user_ldap_person_modified_time] | If the actor.user.ldap_person.manager.modified_timelog field value is not empty then,iterate through log field actor.user.ldap_person.manager, thenactor.user.ldap_person.manager.modified_timelog field is mapped to theprincipal.user.managers.attribute.labels[user_ldap_person_modified_time]UDM field.Else, if actor.process.user.ldap_person.manager.modified_timelog field value then,iterate through log field actor.process.user.ldap_person.manager, then%{actor.process.user.ldap_person.manager.modified_time}log field is mapped to theprincipal.user.managers.attribute.labels[user_ldap_person_modified_time]UDM field. | 
| actor.process.user.ldap_person.manager.modified_time | principal.user.managers.attribute.labels[user_ldap_person_modified_time] | If the actor.user.ldap_person.manager.modified_timelog field value is not empty then,iterate through log field actor.user.ldap_person.manager, thenactor.user.ldap_person.manager.modified_timelog field is mapped to theprincipal.user.managers.attribute.labels[user_ldap_person_modified_time]UDM field.Else, if actor.process.user.ldap_person.manager.modified_timelog field value then,iterate through log field actor.process.user.ldap_person.manager, then%{actor.process.user.ldap_person.manager.modified_time}log field is mapped to theprincipal.user.managers.attribute.labels[user_ldap_person_modified_time]UDM field. | 
| actor.user.ldap_person.manager.office_locationoffice_location | principal.user.managers.office_address.name | If the actor.user.ldap_person.manager.office_locationoffice_locationlog field value is not empty then,iterate through log field actor.user.ldap_person.manager, thenactor.user.ldap_person.manager.office_locationoffice_locationlog field is mapped to theprincipal.user.managers.office_address.nameUDM field.Else, if actor.process.user.ldap_person.manager.office_locationoffice_locationlog field value then,iterate through log field actor.process.user.ldap_person.manager, thenactor.process.user.ldap_person.manager.office_locationoffice_locationlog field is mapped to theprincipal.user.managers.office_address.nameUDM field. | 
| actor.process.user.ldap_person.manager.office_locationoffice_location | principal.user.managers.office_address.name | If the actor.user.ldap_person.manager.office_locationoffice_locationlog field value is not empty then,iterate through log field actor.user.ldap_person.manager, thenactor.user.ldap_person.manager.office_locationoffice_locationlog field is mapped to theprincipal.user.managers.office_address.nameUDM field.Else, if actor.process.user.ldap_person.manager.office_locationoffice_locationlog field value then,iterate through log field actor.process.user.ldap_person.manager, thenactor.process.user.ldap_person.manager.office_locationoffice_locationlog field is mapped to theprincipal.user.managers.office_address.nameUDM field. | 
| actor.user.ldap_person.manager.surname | principal.user.managers.last_name | If the actor.user.ldap_person.manager.surnamelog field value is not empty then,iterate through log field actor.user.ldap_person.manager, thenactor.user.ldap_person.manager.surnamelog field is mapped to theprincipal.user.managers.last_nameUDM field.Else, if actor.process.user.ldap_person.manager.surnamelog field value then,iterate through log field actor.process.user.ldap_person.manager, thenactor.process.user.ldap_person.manager.surnamelog field is mapped to theprincipal.user.managers.last_nameUDM field. | 
| actor.process.user.ldap_person.manager.surname | principal.user.managers.last_name | If the actor.user.ldap_person.manager.surnamelog field value is not empty then,iterate through log field actor.user.ldap_person.manager, thenactor.user.ldap_person.manager.surnamelog field is mapped to theprincipal.user.managers.last_nameUDM field.Else, if actor.process.user.ldap_person.manager.surnamelog field value then,iterate through log field actor.process.user.ldap_person.manager, thenactor.process.user.ldap_person.manager.surnamelog field is mapped to theprincipal.user.managers.last_nameUDM field. | 
| actor.user.groups.domain | principal.user.group_identifiers | If the actor.user.ldap_person.groups.domainlog field value is not empty then,iterate through log field actor.user.ldap_person.groups, thenactor.user.groups.domainlog field is mapped to theprincipal.user.group_identifiersUDM field.Else, if actor.process.user.ldap_person.groups.domainlog field value then,iterate through log field actor.user.ldap_person.groups, thenactor.process.user.groups.domainlog field is mapped to theprincipal.user.group_identifiersUDM field. | 
| actor.process.user.groups.domain | principal.user.group_identifiers | If the actor.user.ldap_person.groups.domainlog field value is not empty then,iterate through log field actor.user.ldap_person.groups, thenactor.user.groups.domainlog field is mapped to theprincipal.user.group_identifiersUDM field.Else, if actor.process.user.ldap_person.groups.domainlog field value then,iterate through log field actor.user.ldap_person.groups, thenactor.process.user.groups.domainlog field is mapped to theprincipal.user.group_identifiersUDM field. | 
| dst_endpoint.hw_info.bios_date | target.asset.attribute.labels[dst_endpoint_hw_info_bios_date] | |
| dst_endpoint.hw_info.bios_manufacturer | target.asset.hardware.manufacturer | |
| dst_endpoint.hw_info.bios_ver | target.asset.hardware.model | |
| dst_endpoint.hw_info.cpu_bits | target.asset.attribute.labels[dst_endpoint_hw_info_cpu_bits] | |
| dst_endpoint.hw_info.cpu_cores | target.asset.hardware.cpu_number_cores | |
| dst_endpoint.hw_info.cpu_count | target.asset.attribute.labels[dst_endpoint_hw_info_cpu_count] | |
| dst_endpoint.hw_info.chassis | target.asset.attribute.labels[dst_endpoint_hw_info_chassis] | |
| dst_endpoint.hw_info.desktop_display.color_depth | target.asset.attribute.labels[dst_endpoint_hw_info_desktop_display_color_depth] | |
| dst_endpoint.hw_info.desktop_display.physical_height | target.asset.attribute.labels[dst_endpoint_hw_info_desktop_display_physical_height] | |
| dst_endpoint.hw_info.desktop_display.physical_orientation | target.asset.attribute.labels[dst_endpoint_hw_info_desktop_display_physical_orientation] | |
| dst_endpoint.hw_info.desktop_display.physical_width | target.asset.attribute.labels[dst_endpoint_hw_info_desktop_display_physical_width] | |
| dst_endpoint.hw_info.desktop_display.scale_factor | target.asset.attribute.labels[dst_endpoint_hw_info_desktop_display_scale_factor] | |
| dst_endpoint.hw_info.keyboard_info.function_keys | target.asset.attribute.labels[dst_endpoint_hw_info_keyboard_info_function_keys] | |
| dst_endpoint.hw_info.keyboard_info.ime | target.asset.attribute.labels[dst_endpoint_hw_info_keyboard_info_ime] | |
| dst_endpoint.hw_info.keyboard_info.keyboard_layout | target.asset.attribute.labels[dst_endpoint_hw_info_keyboard_info_keyboard_layout] | |
| dst_endpoint.hw_info.keyboard_info.keyboard_subtype | target.asset.attribute.labels[dst_endpoint_hw_info_keyboard_info_keyboard_subtype] | |
| dst_endpoint.hw_info.keyboard_info.keyboard_type | target.asset.attribute.labels[dst_endpoint_hw_info_keyboard_info_keyboard_type] | |
| dst_endpoint.hw_info.cpu_speed | target.asset.hardware.cpu_max_clock_speed | |
| dst_endpoint.hw_info.cpu_type | target.asset.hardware.cpu_platform | |
| dst_endpoint.hw_info.ram_size | target.asset.hardware.ram | |
| dst_endpoint.hw_info.serial_number | target.asset.hardware.serial_number | |
| dst_endpoint.zone | target.asset.attribute.labels[dst_endpoint_zone] | |
| dst_endpoint.type | additional.fields[dst_endpoint_type] | |
| dst_endpoint.type_id | additional.fields[dst_endpoint_type_id] | |
| dst_endpoint.os.cpe_name | target.asset.attribute.labels[dst_endpoint_os_cpe_name] | |
| dst_endpoint.proxy_endpoint.svc_name | intermediary.application | |
| dst_endpoint.proxy_endpoint.intermediate_ips.array | intermediary.ip | |
| dst_endpoint.proxy_endpoint.domain | intermediary.domain.name | |
| dst_endpoint.proxy_endpoint.hostname | intermediary.hostname | |
| dst_endpoint.proxy_endpoint.ip | intermediary.ip | |
| dst_endpoint.proxy_endpoint.location.city | intermediary.location.city | |
| dst_endpoint.proxy_endpoint.location.country | intermediary.location.country_or_region | |
| dst_endpoint.proxy_endpoint.location.region | intermediary.location.name | |
| dst_endpoint.proxy_endpoint.location.coordinates | intermediary.location.region_coordinates | |
| dst_endpoint.proxy_endpoint.mac | intermediary.mac | |
| dst_endpoint.proxy_endpoint.port | intermediary.port | |
| dst_endpoint.proxy_endpoint.uid | intermediary.asset_id | |
| dst_endpoint.proxy_endpoint.hw_info.bios_date | intermediary.asset.attribute.labels[dst_endpoint_proxy_endpoint_hw_info_bios_date] | |
| dst_endpoint.proxy_endpoint.hw_info.bios_manufacturer | intermediary.asset.hardware.manufacturer | |
| dst_endpoint.proxy_endpoint.hw_info.bios_ver | intermediary.asset.hardware.model | |
| dst_endpoint.proxy_endpoint.hw_info.cpu_bits | intermediary.asset.attribute.labels[dst_endpoint_proxy_endpoint_hw_info_cpu_bits] | |
| dst_endpoint.proxy_endpoint.hw_info.cpu_cores | intermediary.asset.hardware.cpu_number_cores | |
| dst_endpoint.proxy_endpoint.hw_info.cpu_count | intermediary.asset.attribute.labels[dst_endpoint_proxy_endpoint_hw_info_cpu_count] | |
| dst_endpoint.proxy_endpoint.hw_info.chassis | intermediary.asset.attribute.labels[dst_endpoint_proxy_endpoint_hw_info_chassis] | |
| dst_endpoint.proxy_endpoint.hw_info.desktop_display.color_depth | intermediary.asset.attribute.labels[dst_endpoint_proxy_endpoint_hw_info_desktop_display_color_depth] | |
| dst_endpoint.proxy_endpoint.hw_info.desktop_display.physical_height | intermediary.asset.attribute.labels[dst_endpoint_proxy_endpoint_hw_info_desktop_display_physical_height] | |
| dst_endpoint.proxy_endpoint.hw_info.desktop_display.physical_orientation | intermediary.asset.attribute.labels[dst_endpoint_proxy_endpoint_hw_info_desktop_display_physical_orientation] | |
| dst_endpoint.proxy_endpoint.hw_info.desktop_display.physical_width | intermediary.asset.attribute.labels[dst_endpoint_proxy_endpoint_hw_info_desktop_display_physical_width] | |
| dst_endpoint.proxy_endpoint.hw_info.desktop_display.scale_factor | intermediary.asset.attribute.labels[dst_endpoint_proxy_endpoint_hw_info_desktop_display_scale_factor] | |
| dst_endpoint.proxy_endpoint.hw_info.keyboard_info.function_keys | intermediary.asset.attribute.labels[dst_endpoint_proxy_endpoint_hw_info_keyboard_info_function_keys] | |
| dst_endpoint.proxy_endpoint.hw_info.keyboard_info.ime | intermediary.asset.attribute.labels[dst_endpoint_proxy_endpoint_hw_info_keyboard_info_ime] | |
| dst_endpoint.proxy_endpoint.hw_info.keyboard_info.keyboard_layout | intermediary.asset.attribute.labels[dst_endpoint_proxy_endpoint_hw_info_keyboard_info_keyboard_layout] | |
| dst_endpoint.proxy_endpoint.hw_info.keyboard_info.keyboard_subtype | intermediary.asset.attribute.labels[dst_endpoint_proxy_endpoint_hw_info_keyboard_info_keyboard_subtype] | |
| dst_endpoint.proxy_endpoint.hw_info.keyboard_info.keyboard_type | intermediary.asset.attribute.labels[dst_endpoint_proxy_endpoint_hw_info_keyboard_info_keyboard_type] | |
| dst_endpoint.proxy_endpoint.hw_info.cpu_speed | intermediary.asset.hardware.cpu_max_clock_speed | |
| dst_endpoint.proxy_endpoint.hw_info.cpu_type | intermediary.asset.hardware.cpu_platform | |
| dst_endpoint.proxy_endpoint.hw_info.ram_size | intermediary.asset.hardware.ram | |
| dst_endpoint.proxy_endpoint.hw_info.serial_number | intermediary.asset.hardware.serial_number | |
| dst_endpoint.proxy_endpoint.zone | intermediary.asset.attribute.labels[dst_endpoint_proxy_endpoint_zone] | |
| dst_endpoint.proxy_endpoint.type | additional.fields[dst_endpoint_proxy_endpoint_type] | |
| dst_endpoint.proxy_endpoint.type_id | additional.fields[dst_endpoint_proxy_endpoint_type_id] | |
| dst_endpoint.proxy_endpoint.os.cpe_name | intermediary.asset.attribute.labels[dst_endpoint_proxy_endpoint_os_cpe_name] | |
| http_request.length | additional.fields[http_request_length] | |
| metadata.log_level | additional.fields[metadata_log_level] | |
| metadata.tenant_uid | additional.fields[metadata_tenant_uid] | |
| metadata.product.cpe_name | about.asset.attribute.labels[metadata_product_cpe_name] | |
| metadata.loggers.device.hostname | about.asset.hostname | Iterate through log field metadata.loggers, then metadata.loggers.device.hostname log field is mapped to the about.asset.hostname UDM field. |
| metadata.loggers.device.ip | about.asset.ip | Iterate through log field metadata.loggers, then metadata.loggers.device.ip log field is mapped to the about.asset.ip UDM field. |
| metadata.loggers.device.instance_uid | about.asset.attribute.labels[metadata_device_instance_uid] | Iterate through log field metadata.loggers, then metadata.loggers.device.instance_uid log field is mapped to the about.asset.attribute.labels[metadata_device_instance_uid] UDM field. |
| metadata.loggers.device.name | about.asset.attribute.labels[metadata_device_name] | Iterate through log field metadata.loggers, then metadata.loggers.device.name log field is mapped to the about.asset.attribute.labels[metadata_device_name] UDM field. |
| metadata.loggers.device.interface_uid | about.asset.attribute.labels[metadata_device_interface_uid] | Iterate through log field metadata.loggers, then metadata.loggers.device.interface_uid log field is mapped to the about.asset.attribute.labels[metadata_device_interface_uid] UDM field. |
| metadata.loggers.device.interface_name | about.asset.attribute.labels[metadata_device_interface_name] | Iterate through log field metadata.loggers, then metadata.loggers.device.interface_name log field is mapped to the about.asset.attribute.labels[metadata_device_interface_name] UDM field. |
| metadata.loggers.device.region | about.asset.attribute.labels[metadata_device_region] | Iterate through log field metadata.loggers, then metadata.loggers.device.region log field is mapped to the about.asset.attribute.labels[metadata_device_region] UDM field. |
| metadata.loggers.device.type_id | about.asset.attribute.labels[metadata_device_type_id] | Iterate through log field metadata.loggers, then metadata.loggers.device.type_id log field is mapped to the about.asset.attribute.labels[metadata_device_type_id] UDM field. |
| metadata.loggers.device.uid | about.asset.asset_id | Iterate through log field metadata.loggers, then metadata.loggers.device.uid log field is mapped to the about.asset.asset_id UDM field. |
| metadata.loggers.product.name | additional.fields[metadata_product_name] | Iterate through log field metadata.loggers, then metadata.loggers.product.name log field is mapped to the additional.fields[metadata_product_name] UDM field. |
| metadata.loggers.product.vendor_name | additional.fields[metadata_product_vendor_name] | Iterate through log field metadata.loggers, then metadata.loggers.product.vendor_name log field is mapped to the additional.fields[metadata_product_vendor_name] UDM field. |
| metadata.loggers.product.version | additional.fields[metadata_product_version] | Iterate through log field metadata.loggers, then metadata.loggers.product.version log field is mapped to the additional.fields[metadata_product_version] UDM field. |
| metadata.loggers.product.uid | additional.fields[metadata_product_uid] | Iterate through log field metadata.loggers, then metadata.loggers.product.uid log field is mapped to the additional.fields[metadata_product_uid] UDM field. |
| metadata.loggers.uid | additional.fields[metadata_loggers_uid] | Iterate through log field metadata.loggers, then metadata.loggers.uid log field is mapped to the additional.fields[metadata_loggers_uid] UDM field. |
| metadata.loggers.name | additional.fields[metadata_loggers_name] | Iterate through log field metadata.loggers, then metadata.loggers.name log field is mapped to the additional.fields[metadata_loggers_name] UDM field. |
| metadata.loggers.log_provider | additional.fields[metadata_loggers_log_provider] | Iterate through log field metadata.loggers, then metadata.loggers.log_provider log field is mapped to the additional.fields[metadata_loggers_log_provider] UDM field. |
| metadata.loggers.log_name | additional.fields[metadata_loggers_log_name] | Iterate through log field metadata.loggers, then metadata.loggers.log_name log field is mapped to the additional.fields[metadata_loggers_log_name] UDM field. |
| src_endpoint.hw_info.bios_date | principal.asset.attribute.labels[src_endpoint_hw_info_bios_date] | |
| src_endpoint.hw_info.bios_manufacturer | principal.asset.hardware.manufacturer | |
| src_endpoint.hw_info.bios_ver | principal.asset.hardware.model | |
| src_endpoint.hw_info.cpu_bits | principal.asset.attribute.labels[src_endpoint_hw_info_cpu_bits] | |
| src_endpoint.hw_info.cpu_cores | principal.asset.hardware.cpu_number_cores | |
| src_endpoint.hw_info.cpu_count | principal.asset.attribute.labels[src_endpoint_hw_info_cpu_count] | |
| src_endpoint.hw_info.chassis | principal.asset.attribute.labels[src_endpoint_hw_info_chassis] | |
| src_endpoint.hw_info.desktop_display.color_depth | principal.asset.attribute.labels[src_endpoint_hw_info_desktop_display_color_depth] | |
| src_endpoint.hw_info.desktop_display.physical_height | principal.asset.attribute.labels[src_endpoint_hw_info_desktop_display_physical_height] | |
| src_endpoint.hw_info.desktop_display.physical_orientation | principal.asset.attribute.labels[src_endpoint_hw_info_desktop_display_physical_orientation] | |
| src_endpoint.hw_info.desktop_display.physical_width | principal.asset.attribute.labels[src_endpoint_hw_info_desktop_display_physical_width] | |
| src_endpoint.hw_info.desktop_display.scale_factor | principal.asset.attribute.labels[src_endpoint_hw_info_desktop_display_scale_factor] | |
| src_endpoint.hw_info.keyboard_info.function_keys | principal.asset.attribute.labels[src_endpoint_hw_info_keyboard_info_function_keys] | |
| src_endpoint.hw_info.keyboard_info.ime | principal.asset.attribute.labels[src_endpoint_hw_info_keyboard_info_ime] | |
| src_endpoint.hw_info.keyboard_info.keyboard_layout | principal.asset.attribute.labels[src_endpoint_hw_info_keyboard_info_keyboard_layout] | |
| src_endpoint.hw_info.keyboard_info.keyboard_subtype | principal.asset.attribute.labels[src_endpoint_hw_info_keyboard_info_keyboard_subtype] | |
| src_endpoint.hw_info.keyboard_info.keyboard_type | principal.asset.attribute.labels[src_endpoint_hw_info_keyboard_info_keyboard_type] | |
| src_endpoint.hw_info.cpu_speed | principal.asset.hardware.cpu_max_clock_speed | |
| src_endpoint.hw_info.cpu_type | principal.asset.hardware.cpu_platform | |
| src_endpoint.hw_info.ram_size | principal.asset.hardware.ram | |
| src_endpoint.hw_info.serial_number | principal.asset.hardware.serial_number | |
| src_endpoint.zone | principal.asset.attribute.labels[src_endpoint_zone] | |
| src_endpoint.type | additional.fields[src_endpoint_type] | |
| src_endpoint.type_id | additional.fields[src_endpoint_type_id] | |
| src_endpoint.os.cpe_name | principal.asset.attribute.labels[src_endpoint_os_cpe_name] | |
| src_endpoint.proxy_endpoint.svc_name | intermediary.application | |
| src_endpoint.proxy_endpoint.intermediate_ips.array | intermediary.ip | |
| src_endpoint.proxy_endpoint.domain | intermediary.domain.name | |
| src_endpoint.proxy_endpoint.hostname | intermediary.hostname | |
| src_endpoint.proxy_endpoint.ip | intermediary.ip | |
| src_endpoint.proxy_endpoint.location.city | intermediary.location.city | |
| src_endpoint.proxy_endpoint.location.country | intermediary.location.country_or_region | |
| src_endpoint.proxy_endpoint.location.region | intermediary.location.name | |
| src_endpoint.proxy_endpoint.location.coordinates | intermediary.location.region_coordinates | |
| src_endpoint.proxy_endpoint.mac | intermediary.mac | |
| src_endpoint.proxy_endpoint.port | intermediary.port | |
| src_endpoint.proxy_endpoint.uid | intermediary.asset_id | |
| src_endpoint.proxy_endpoint.hw_info.bios_date | intermediary.asset.attribute.labels[src_endpoint_proxy_endpoint_hw_info_bios_date] | |
| src_endpoint.proxy_endpoint.hw_info.bios_manufacturer | intermediary.asset.hardware.manufacturer | |
| src_endpoint.proxy_endpoint.hw_info.bios_ver | intermediary.asset.hardware.model | |
| src_endpoint.proxy_endpoint.hw_info.cpu_bits | intermediary.asset.attribute.labels[src_endpoint_proxy_endpoint_hw_info_cpu_bits] | |
| src_endpoint.proxy_endpoint.hw_info.cpu_cores | intermediary.asset.hardware.cpu_number_cores | |
| src_endpoint.proxy_endpoint.hw_info.cpu_count | intermediary.asset.attribute.labels[src_endpoint_proxy_endpoint_hw_info_cpu_count] | |
| src_endpoint.proxy_endpoint.hw_info.chassis | intermediary.asset.attribute.labels[src_endpoint_proxy_endpoint_hw_info_chassis] | |
| src_endpoint.proxy_endpoint.hw_info.desktop_display.color_depth | intermediary.asset.attribute.labels[src_endpoint_proxy_endpoint_hw_info_desktop_display_color_depth] | |
| src_endpoint.proxy_endpoint.hw_info.desktop_display.physical_height | intermediary.asset.attribute.labels[src_endpoint_proxy_endpoint_hw_info_desktop_display_physical_height] | |
| src_endpoint.proxy_endpoint.hw_info.desktop_display.physical_orientation | intermediary.asset.attribute.labels[src_endpoint_proxy_endpoint_hw_info_desktop_display_physical_orientation] | |
| src_endpoint.proxy_endpoint.hw_info.desktop_display.physical_width | intermediary.asset.attribute.labels[src_endpoint_proxy_endpoint_hw_info_desktop_display_physical_width] | |
| src_endpoint.proxy_endpoint.hw_info.desktop_display.scale_factor | intermediary.asset.attribute.labels[src_endpoint_proxy_endpoint_hw_info_desktop_display_scale_factor] | |
| src_endpoint.proxy_endpoint.hw_info.keyboard_info.function_keys | intermediary.asset.attribute.labels[src_endpoint_proxy_endpoint_hw_info_keyboard_info_function_keys] | |
| src_endpoint.proxy_endpoint.hw_info.keyboard_info.ime | intermediary.asset.attribute.labels[src_endpoint_proxy_endpoint_hw_info_keyboard_info_ime] | |
| src_endpoint.proxy_endpoint.hw_info.keyboard_info.keyboard_layout | intermediary.asset.attribute.labels[src_endpoint_proxy_endpoint_hw_info_keyboard_info_keyboard_layout] | |
| src_endpoint.proxy_endpoint.hw_info.keyboard_info.keyboard_subtype | intermediary.asset.attribute.labels[src_endpoint_proxy_endpoint_hw_info_keyboard_info_keyboard_subtype] | |
| src_endpoint.proxy_endpoint.hw_info.keyboard_info.keyboard_type | intermediary.asset.attribute.labels[src_endpoint_proxy_endpoint_hw_info_keyboard_info_keyboard_type] | |
| src_endpoint.proxy_endpoint.hw_info.cpu_speed | intermediary.asset.hardware.cpu_max_clock_speed | |
| src_endpoint.proxy_endpoint.hw_info.cpu_type | intermediary.asset.hardware.cpu_platform | |
| src_endpoint.proxy_endpoint.hw_info.ram_size | intermediary.asset.hardware.ram | |
| src_endpoint.proxy_endpoint.hw_info.serial_number | intermediary.asset.hardware.serial_number | |
| src_endpoint.proxy_endpoint.zone | intermediary.asset.attribute.labels[src_endpoint_proxy_endpoint_zone] | |
| src_endpoint.proxy_endpoint.type | additional.fields[src_endpoint_proxy_endpoint_type] | |
| src_endpoint.proxy_endpoint.type_id | additional.fields[src_endpoint_proxy_endpoint_type_id] | |
| src_endpoint.proxy_endpoint.os.cpe_name | intermediary.asset.attribute.labels[src_endpoint_proxy_endpoint_os_cpe_name] | |
| api.response.data | additional.fields[api_response_data] | |
| api.response.containers.name | about.resource.name | Iterate through log field api.response.containers, then api.response.containers.name log field is mapped to the about.resource.name UDM field. |
| api.response.containers.uid | about.resource.product_object_id | Iterate through log field api.response.containers, then api.response.containers.uid log field is mapped to the about.resource.product_object_id UDM field. |
| api.response.containers.hash.algorithm | about.resource.attribute.labels[api_response_containers_hash_algorithm] | Iterate through log field api.response.containers, then api.response.containers.hash.algorithm log field is mapped to the about.resource.attribute.labels[api_response_containers_hash_algorithm] UDM field. |
| api.response.containers.hash.algorithm_id | about.resource.attribute.labels[api_response_containers_hash_algorithm_id] | Iterate through log field api.response.containers, then api.response.containers.hash.algorithm_id log field is mapped to the about.resource.attribute.labels[api_response_containers_hash_algorithm_id] UDM field. |
| api.response.containers.hash.value | about.resource.attribute.labels[api_response_containers_hash_value] | Iterate through log field api.response.containers, then api.response.containers.hash.value log field is mapped to the about.resource.attribute.labels[api_response_containers_hash_value] UDM field. |
| api.response.containers.image.tag | about.resource.attribute.labels[api_response_containers_image_tag] | Iterate through log field api.response.containers, then api.response.containers.image.tag log field is mapped to the about.resource.attribute.labels[api_response_containers_image_tag] UDM field. |
| api.response.containers.image.labels | about.resource.attribute.labels[api_response_containers_image_labels] | Iterate through log field api.response.containers, then api.response.containers.image.labels log field is mapped to the about.resource.attribute.labels[api_response_containers_image_labels] UDM field. |
| api.response.containers.image.name | about.resource.attribute.labels[api_response_containers_image_name] | Iterate through log field api.response.containers, then api.response.containers.image.name log field is mapped to the about.resource.attribute.labels[api_response_containers_image_name] UDM field. |
| api.response.containers.image.path | about.resource.attribute.labels[api_response_containers_image_path] | Iterate through log field api.response.containers, then api.response.containers.image.path log field is mapped to the about.resource.attribute.labels[api_response_containers_image_path] UDM field. |
| api.response.containers.image.uid | about.resource.attribute.labels[api_response_containers_image_uid] | Iterate through log field api.response.containers, then api.response.containers.image.uid log field is mapped to the about.resource.attribute.labels[api_response_containers_image_uid] UDM field. |
| api.response.containers.tag | about.resource.attribute.labels[api_response_containers_tag] | Iterate through log field api.response.containers, then api.response.containers.tag log field is mapped to the about.resource.attribute.labels[api_response_containers_tag] UDM field. |
| api.response.containers.network_driver | about.resource.attribute.labels[api_response_containers_network_driver] | Iterate through log field api.response.containers, then api.response.containers.network_driver log field is mapped to the about.resource.attribute.labels[api_response_containers_network_driver] UDM field. |
| api.response.containers.orchestrator | about.resource.attribute.labels[api_response_containers_orchestrator] | Iterate through log field api.response.containers, then api.response.containers.orchestrator log field is mapped to the about.resource.attribute.labels[api_response_containers_orchestrator] UDM field. |
| api.response.containers.pod_uuid | about.resource.attribute.labels[api_response_containers_pod_uuid] | Iterate through log field api.response.containers, then api.response.containers.pod_uuid log field is mapped to the about.resource.attribute.labels[api_response_containers_pod_uuid] UDM field. |
| api.response.containers.runtime | about.resource.attribute.labels[api_response_containers_runtime] | Iterate through log field api.response.containers, then api.response.containers.runtime log field is mapped to the about.resource.attribute.labels[api_response_containers_runtime] UDM field. |
| api.response.containers.size | about.resource.attribute.labels[api_response_containers_size] | Iterate through log field api.response.containers, then api.response.containers.size log field is mapped to the about.resource.attribute.labels[api_response_containers_size] UDM field. |
| resources.namespace | target.resource.attribute.labels[resources_namespace] | Iterate through log field resources, then resources.namespace log field is mapped to the target.resource.attribute.labels[resources_namespace] UDM field. |
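Two of the patterns in the table above are easy to get wrong when validating parser output: the per-field precedence between actor.user.ldap_person.manager and actor.process.user.ldap_person.manager, and the "iterate through" handling of metadata.loggers. The following is an added example, not code from the Google SecOps documentation or from the OCSF parser itself. It re-implements those two documented rules over a constructed OCSF event so the expected UDM result can be checked offline. The field names come from the table; the output shape (nested dicts, labels as key/value pairs) and the SAMPLE_EVENT are assumptions made for illustration.

```python
# Added example: re-implements the documented manager-field precedence and the
# metadata.loggers iteration. Not the parser's own code; output shape is an assumption.
from typing import Any

# Manager field -> destination under principal.user.managers (from the table above).
# "labels:<k>" stands for attribute.labels[<k>].
MANAGER_FIELDS = {
    "ldap_dn": "labels:user_ldap_person_ldap_dn",
    "labels": "labels:user_ldap_person_labels",
    "last_login_time": "last_login_time",
    "leave_time": "labels:user_ldap_person_leave_time",
    "modified_time": "labels:user_ldap_person_modified_time",
    "office_location": "office_address.name",
    "surname": "last_name",
}

# metadata.loggers.device.* -> about.asset.* (from the table above).
LOGGER_DEVICE_FIELDS = {
    "hostname": "hostname",
    "ip": "ip",
    "uid": "asset_id",
    "instance_uid": "labels:metadata_device_instance_uid",
    "name": "labels:metadata_device_name",
    "interface_uid": "labels:metadata_device_interface_uid",
    "interface_name": "labels:metadata_device_interface_name",
    "region": "labels:metadata_device_region",
    "type_id": "labels:metadata_device_type_id",
}


def _get(obj: Any, path: str) -> Any:
    """Walk a dotted path through nested dicts; None when any segment is missing."""
    for part in path.split("."):
        if not isinstance(obj, dict) or part not in obj:
            return None
        obj = obj[part]
    return obj


def _nonempty(value: Any) -> bool:
    return value not in (None, "", [], {})


def _as_list(value: Any) -> list:
    """The table says 'iterate through'; accept a single object or a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _set_dest(target: dict, dest: str, value: Any) -> None:
    """Write value at dest, where dest is 'labels:<key>' or a dotted UDM path."""
    if dest.startswith("labels:"):
        labels = target.setdefault("attribute", {}).setdefault("labels", [])
        labels.append({"key": dest[len("labels:"):], "value": str(value)})
        return
    parts = dest.split(".")
    for part in parts[:-1]:
        target = target.setdefault(part, {})
    target[parts[-1]] = value


def map_managers(event: dict) -> list[dict]:
    """principal.user.managers per the table: for each field, actor.user.ldap_person.manager
    is used when it holds a non-empty value, otherwise actor.process.user.ldap_person.manager."""
    primary = _as_list(_get(event, "actor.user.ldap_person.manager"))
    fallback = _as_list(_get(event, "actor.process.user.ldap_person.manager"))
    managers: list[dict] = []
    for field, dest in MANAGER_FIELDS.items():
        source = next((lst for lst in (primary, fallback)
                       if any(_nonempty(m.get(field)) for m in lst)), None)
        if source is None:
            continue  # neither source carries the field: UDM field stays unset
        for idx, entry in enumerate(source):
            if not _nonempty(entry.get(field)):
                continue
            while len(managers) <= idx:
                managers.append({})
            _set_dest(managers[idx], dest, entry[field])
    return managers


def map_loggers(event: dict) -> list[dict]:
    """One about entry per metadata.loggers element, device.* -> about.asset.*."""
    about: list[dict] = []
    for logger in _as_list(_get(event, "metadata.loggers")):
        asset: dict = {}
        device = logger.get("device") or {}
        for field, dest in LOGGER_DEVICE_FIELDS.items():
            if _nonempty(device.get(field)):
                _set_dest(asset, dest, device[field])
        if asset:
            about.append({"asset": asset})
    return about


# Constructed sample event (not one of the page's sample logs): actor.user names a manager
# with a surname only, so ldap_dn and office_location fall back to actor.process.user.
SAMPLE_EVENT = {
    "actor": {
        "user": {"ldap_person": {"manager": {"surname": "Example", "ldap_dn": ""}}},
        "process": {"user": {"ldap_person": {"manager": {
            "surname": "Ignored", "ldap_dn": "CN=mgr,DC=example,DC=test",
            "office_location": "Building 7"}}}},
    },
    "metadata": {"loggers": [
        {"device": {"hostname": "collector-1", "ip": "198.51.100.20", "uid": "dev-1",
                    "region": "eu-west"}},
        {"device": {}},
    ]},
}

if __name__ == "__main__":
    print(map_managers(SAMPLE_EVENT))
    print(map_loggers(SAMPLE_EVENT))
```

Running it against SAMPLE_EVENT shows the precedence operating per field rather than per object: last_name comes from actor.user, while the ldap_dn label and office_address.name come from actor.process.user. A logger whose device object is empty produces no about entry.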
Field mapping reference: OCSF DNS Activity
The following table lists the log fields for the DNS Activity log type and their corresponding UDM fields.
| Log field | UDM mapping | Logic | 
|---|---|---|
| metadata.logged_time | metadata.collected_timestamp | |
| message | metadata.description | If the message log field value is empty then, api.response.message log field is mapped to the metadata.description UDM field. Else, message log field is mapped to the metadata.description UDM field. |
| time | metadata.event_timestamp | |
| activity_id | metadata.event_type | If the class_name log field value is equal to DNS Activity then, the metadata.event_type UDM field is set to NETWORK_DNS. |
| class_name | metadata.log_type | |
| activity_name | metadata.product_event_type | %{activity_id} - %{activity_name} log field is mapped to the metadata.product_event_type UDM field. | 
| metadata.uid | metadata.product_log_id | |
| metadata.product.name | metadata.product_name | |
| metadata.product.version | metadata.product_version | |
| metadata.product.vendor_name | metadata.vendor_name | |
|  | network.application_protocol | If the class_name log field value is equal to DNS Activity then, the network.application_protocol UDM field is set to DNS. | 
| connection_info.protocol_ver_id | network.application_protocol_version | If the connection_info.protocol_ver_id log field value is equal to 4 then, the network.application_protocol_version UDM field is set to Internet Protocol version 4 (IPv4). Else, if the connection_info.protocol_ver_id log field value is equal to 6 then, the network.application_protocol_version UDM field is set to Internet Protocol version 6 (IPv6). | 
| connection_info.direction_id | network.direction | If the connection_info.direction_id log field value is equal to 1 then, the network.direction UDM field is set to INBOUND. Else, if connection_info.direction_id log field value is equal to 2 then, the network.direction UDM field is set to OUTBOUND. | 
| answers.class | network.dns.answers.class | Iterate through log field answers.class, then if the answers.class log field value is equal to IN then, Else, if answers.class log field value is equal to CS then, Else, if answers.class log field value is equal to CH then, Else, if answers.class log field value is equal to HS then, . | 
| answers.rdata | network.dns.answers.data | Iterate through log field answers.rdata, then answers.rdata log field is mapped to the network.dns.answers.data UDM field. | 
| answers.ttl | network.dns.answers.ttl | Iterate through log field answers.ttl, then answers.ttl log field is mapped to the network.dns.answers.ttl UDM field. | 
| answers.type | network.dns.answers.type | |
| answers.flag_ids | network.dns.authoritative | Iterate through log field answers.flag_ids, then if the answers.flag_ids log field value is equal to 1 then, the network.dns.authoritative UDM field is set to true. | 
| answers.flag_ids | network.dns.recursion_available | Iterate through log field answers.flag_ids, then if the answers.flag_ids log field value is equal to 4 then, the network.dns.recursion_available UDM field is set to true. | 
| answers.flag_ids | network.dns.recursion_desired | Iterate through log field answers.flag_ids, then if the answers.flag_ids log field value is equal to 3 then, the network.dns.recursion_desired UDM field is set to true. | 
| answers.flag_ids | network.dns.truncated | Iterate through log field answers.flag_ids, then if the answers.flag_ids log field value is equal to 2 then, the network.dns.truncated UDM field is set to true. | 
| query.opcode_id | network.dns.opcode | |
| query.class | network.dns.questions.class | If the query.class log field value is equal to IN then, Else, if query.class log field value is equal to CS then, Else, if query.class log field value is equal to CH then, Else, if query.class log field value is equal to HS then, . | 
| query.hostname | network.dns.questions.name | |
| query.type | network.dns.questions.type | |
| rcode_id | network.dns.response_code | |
| connection_info.protocol_num | network.ip_protocol | If the connection_info.protocol_num log field value is equal to 1 then, the network.ip_protocol UDM field is set to ICMP. Else, if connection_info.protocol_num log field value is equal to 2 then, the network.ip_protocol UDM field is set to IGMP. Else, if connection_info.protocol_num log field value is equal to 6 then, the network.ip_protocol UDM field is set to TCP. Else, if connection_info.protocol_num log field value is equal to 17 then, the network.ip_protocol UDM field is set to UDP. Else, if connection_info.protocol_num log field value is equal to 41 then, the network.ip_protocol UDM field is set to IP6IN4. Else, if connection_info.protocol_num log field value is equal to 47 then, the network.ip_protocol UDM field is set to GRE. Else, if connection_info.protocol_num log field value is equal to 50 then, the network.ip_protocol UDM field is set to ESP. Else, if connection_info.protocol_num log field value is equal to 58 then, the network.ip_protocol UDM field is set to ICMP6. Else, if connection_info.protocol_num log field value is equal to 88 then, the network.ip_protocol UDM field is set to EIGRP. Else, if connection_info.protocol_num log field value is equal to 97 then, the network.ip_protocol UDM field is set to ETHERIP. Else, if connection_info.protocol_num log field value is equal to 103 then, the network.ip_protocol UDM field is set to PIM. Else, if connection_info.protocol_num log field value is equal to 112 then, the network.ip_protocol UDM field is set to VRRP. Else, if connection_info.protocol_num log field value is equal to 132 then, the network.ip_protocol UDM field is set to SCTP. | 
| traffic.bytes_in | network.received_bytes | |
| traffic.packets_in | network.received_packets | |
| traffic.bytes_out | network.sent_bytes | |
| traffic.packets_out | network.sent_packets | |
| tls.cipher | network.tls.cipher | |
| tls.certificate.issuer | network.tls.client.certificate.issuer | |
| tls.certificate.expiration_time | network.tls.client.certificate.not_after | |
| tls.certificate.created_time | network.tls.client.certificate.not_before | |
| tls.certificate.serial_number | network.tls.client.certificate.serial | |
| tls.certificate.subject | network.tls.client.certificate.subject | |
| tls.certificate.version | network.tls.client.certificate.version | |
| tls.certificate.fingerprints.value | network.tls.client.certificate.sha256 | Iterate through log field tls.certificate.fingerprints, then if the tls.certificate.fingerprints.algorithm_id log field value is equal to 3 then, tls.certificate.fingerprints.value log field is mapped to the network.tls.client.certificate.sha256 UDM field. | 
| tls.certificate.fingerprints.value | network.tls.client.certificate.sha1 | Iterate through log field tls.certificate.fingerprints, then if the tls.certificate.fingerprints.algorithm_id log field value is equal to 2 then, tls.certificate.fingerprints.value log field is mapped to the network.tls.client.certificate.sha1 UDM field. | 
| tls.certificate.fingerprints.value | network.tls.client.certificate.md5 | Iterate through log field tls.certificate.fingerprints, then if the tls.certificate.fingerprints.algorithm_id log field value is equal to 1 then, tls.certificate.fingerprints.value log field is mapped to the network.tls.client.certificate.md5 UDM field. | 
| tls.ja3_hash.value | network.tls.client.ja3 | |
| tls.ja3s_hash.value | network.tls.server.ja3s | |
| tls.sni | network.tls.client.server_name | |
| tls.client_ciphers | network.tls.client.supported_ciphers | |
| tls.version | network.tls.version_protocol | |
| src_endpoint.svc_name | principal.application | If the class_name log field value contains one of the following values, then src_endpoint.svc_name log field is mapped to the principal.application UDM field. | 
| src_endpoint.uid | principal.asset_id | If the class_name log field value contains one of the following values, then ASSET ID: %{src_endpoint.uid} log field is mapped to the principal.asset_id UDM field. | 
| src_endpoint.domain | principal.domain.name | If the class_name log field value contains one of the following values, then src_endpoint.domain log field is mapped to the principal.domain.name UDM field. | 
| src_endpoint.hostname | principal.hostname | If the class_name log field value contains one of the following values, then src_endpoint.hostname log field is mapped to the principal.hostname UDM field. | 
| src_endpoint.ip | principal.ip | If the class_name log field value contains one of the following values, then src_endpoint.ip log field is mapped to the principal.ip UDM field. | 
| src_endpoint.location.city | principal.location.city | If the class_name log field value contains one of the following values, then src_endpoint.location.city log field is mapped to the principal.location.city UDM field. | 
| src_endpoint.location.country | principal.location.country_or_region | If the class_name log field value contains one of the following values, then src_endpoint.location.country log field is mapped to the principal.location.country_or_region UDM field. | 
| src_endpoint.location.region | principal.location.name | If the class_name log field value contains one of the following values, then src_endpoint.location.region log field is mapped to the principal.location.name UDM field. | 
| src_endpoint.location.coordinates.1 | principal.location.region_coordinates.latitude | If the class_name log field value contains one of the following values, then src_endpoint.location.coordinates.1 log field is mapped to the principal.location.region_coordinates.latitude UDM field. | 
| src_endpoint.location.coordinates.0 | principal.location.region_coordinates.longitude | If the class_name log field value contains one of the following values, then src_endpoint.location.coordinates.0 log field is mapped to the principal.location.region_coordinates.longitude UDM field. | 
| src_endpoint.mac | principal.mac | If the class_name log field value contains one of the following values, then src_endpoint.mac log field is mapped to the principal.mac UDM field. | 
| src_endpoint.port | principal.port | If the class_name log field value contains one of the following values, then src_endpoint.port log field is mapped to the principal.port UDM field. | 
| proxy.svc_name | intermediary.application | |
| proxy.uid | intermediary.asset_id | |
| proxy.domain | intermediary.domain.name | |
| proxy.hostname | intermediary.hostname | |
| dst_endpoint.intermediate_ips | intermediary.ip | |
| proxy.intermediate_ips | intermediary.ip | |
| proxy.ip | intermediary.ip | |
| src_endpoint.intermediate_ips | intermediary.ip | Iterate through log field src_endpoint.intermediate_ips, then src_endpoint.intermediate_ips log field is mapped to the intermediary.ip UDM field. | 
| proxy.location.city | intermediary.location.city | |
| proxy.location.country | intermediary.location.country_or_region | |
| proxy.location.region | intermediary.location.name | |
| proxy.location.coordinates.1 | intermediary.location.region_coordinates.latitude | |
| proxy.port | intermediary.port | |
| proxy.location.coordinates.0 | intermediary.location.region_coordinates.longitude | |
| proxy.mac | intermediary.mac | |
| dst_endpoint.svc_name | target.application | If the class_name log field value contains one of the following values: if the class_name log field value is equal to Authentication and if the dst_endpoint.svc_name log field value is not empty then, dst_endpoint.svc_name log field is mapped to the target.application UDM field. Else, if service.name log field value is not empty then, %{service.name} log field is mapped to the target.application UDM field. Else, if api.service.name log field value is not empty then, %{api.service.name} log field is mapped to the target.application UDM field. Else, if the dst_endpoint.svc_name log field value is not empty then, dst_endpoint.svc_name log field is mapped to the target.application UDM field. Else, if api.service.name log field value is not empty then, %{api.service.name} log field is mapped to the target.application UDM field. | 
| dst_endpoint.uid | target.asset_id | If the class_name log field value contains one of the following values, then ASSET ID: %{dst_endpoint.uid} log field is mapped to the target.asset_id UDM field. | 
| dst_endpoint.domain | target.domain.name | If the class_name log field value contains one of the following values, then dst_endpoint.domain log field is mapped to the target.domain.name UDM field. | 
| dst_endpoint.hostname | target.hostname | If the class_name log field value contains one of the following values, then dst_endpoint.hostname log field is mapped to the target.hostname UDM field. | 
| dst_endpoint.ip | target.ip | If the class_name log field value contains one of the following values, then dst_endpoint.ip log field is mapped to the target.ip UDM field. | 
| dst_endpoint.location.city | target.location.city | If the class_name log field value contains one of the following values, then dst_endpoint.location.city log field is mapped to the target.location.city UDM field. | 
| dst_endpoint.location.country | target.location.country_or_region | If the class_name log field value contains one of the following values, then dst_endpoint.location.country log field is mapped to the target.location.country_or_region UDM field. | 
| dst_endpoint.location.region | target.location.name | If the class_name log field value contains one of the following values, then dst_endpoint.location.region log field is mapped to the target.location.name UDM field. | 
| dst_endpoint.location.coordinates.1 | target.location.region_coordinates.latitude | If the class_name log field value contains one of the following values, then dst_endpoint.location.coordinates.1 log field is mapped to the target.location.region_coordinates.latitude UDM field. | 
| dst_endpoint.location.coordinates.0 | target.location.region_coordinates.longitude | If the class_name log field value contains one of the following values, then dst_endpoint.location.coordinates.0 log field is mapped to the target.location.region_coordinates.longitude UDM field. | 
| dst_endpoint.mac | target.mac | If the class_name log field value contains one of the following values, then dst_endpoint.mac log field is mapped to the target.mac UDM field. | 
| dst_endpoint.port | target.port | If the class_name log field value contains one of the following values, then dst_endpoint.port log field is mapped to the target.port UDM field. | 
| status_id | security_result.action | If the status_id log field value is equal to 1 then, the security_result.action UDM field is set to ALLOW. Else, if status_id log field value is equal to 2 then, the security_result.action UDM field is set to FAIL. | 
| status | security_result.action_details | |
| category_name | security_result.category_details | %{category_uid} - %{category_name} log field is mapped to the security_result.category_details UDM field. | 
| category_uid | security_result.category_details | %{category_uid} - %{category_name} log field is mapped to the security_result.category_details UDM field. | 
| enrichments.name | security_result.detection_fields [enrichments_name] | Iterate through log field enrichments.name, then enrichments.name log field is mapped to the security_result.detection_fields [enrichments_name] UDM field. | 
| enrichments.provider | security_result.detection_fields [enrichments_provider] | Iterate through log field enrichments.provider, then enrichments.provider log field is mapped to the security_result.detection_fields [enrichments_provider] UDM field. | 
| enrichments.type | security_result.detection_fields [enrichments_type] | Iterate through log field enrichments.type, then enrichments.type log field is mapped to the security_result.detection_fields [enrichments_type] UDM field. | 
| enrichments.value | security_result.detection_fields [enrichments_value] | Iterate through log field enrichments.value, then enrichments.value log field is mapped to the security_result.detection_fields [enrichments_value] UDM field. | 
| type_name | security_result.detection_fields [type_name] | |
| type_uid | security_result.detection_fields [type_uid] | |
| start_time | security_result.detection_fields [start_time] | |
| class_uid | security_result.detection_fields [class_uid] | |
| rcode | security_result.detection_fields [rcode] | |
| response_time | security_result.detection_fields [response_time] | |
| status_detail | security_result.detection_fields [status_detail] | |
| status_code | security_result.detection_fields [status_code] | |
| severity_id | security_result.severity | If the severity_id log field value is equal to 1 then, the security_result.severity UDM field is set to INFORMATIONAL. Else, if severity_id log field value is equal to 2 then, the security_result.severity UDM field is set to LOW. Else, if severity_id log field value is equal to 3 then, the security_result.severity UDM field is set to MEDIUM. Else, if severity_id log field value is equal to 4 then, the security_result.severity UDM field is set to HIGH. Else, if severity_id log field value is equal to 5 then, the security_result.severity UDM field is set to CRITICAL. Else, the security_result.severity UDM field is set to UNKNOWN_SEVERITY. | 
| severity | security_result.severity_details | |
| observables.value | observer.file.names | Iterate through log field observables.value, then if the index value is equal to 0 and if the observables.type_id log field value is equal to 1 then, observables.value log field is mapped to the observer.hostname UDM field. Else, if observables.type_id log field value is equal to 2 then, observables.value log field is mapped to the observer.ip UDM field. Else, if observables.type_id log field value is equal to 3 then, observables.value log field is mapped to the observer.mac UDM field. Else, if observables.type_id log field value is equal to 4 then, observables.value log field is mapped to the observer.user.userid UDM field. Else, if observables.type_id log field value is equal to 5 then, observables.value log field is mapped to the observer.user.email_addresses UDM field. Else, if observables.type_id log field value is equal to 6 then, observables.value log field is mapped to the observer.url UDM field. Else, if observables.type_id log field value is equal to 7 then, observables.value log field is mapped to the observer.file.names UDM field. Else, if observables.type_id log field value is equal to 8 then, observables.value log field is mapped to the observer.file.vhash UDM field. Else, if observables.type_id log field value is equal to 9 then, observables.value log field is mapped to the observer.process.file.names UDM field. Else, if observables.type_id log field value is equal to 10 then, observables.value log field is mapped to the observer.resource.product_object_id UDM field. | 
| observables.value | observer.file.vhash | Iterate through log field observables.value, then if the index value is equal to 0 and if the observables.type_id log field value is equal to 1 then, observables.value log field is mapped to the observer.hostname UDM field. Else, if observables.type_id log field value is equal to 2 then, observables.value log field is mapped to the observer.ip UDM field. Else, if observables.type_id log field value is equal to 3 then, observables.value log field is mapped to the observer.mac UDM field. Else, if observables.type_id log field value is equal to 4 then, observables.value log field is mapped to the observer.user.userid UDM field. Else, if observables.type_id log field value is equal to 5 then, observables.value log field is mapped to the observer.user.email_addresses UDM field. Else, if observables.type_id log field value is equal to 6 then, observables.value log field is mapped to the observer.url UDM field. Else, if observables.type_id log field value is equal to 7 then, observables.value log field is mapped to the observer.file.names UDM field. Else, if observables.type_id log field value is equal to 8 then, observables.value log field is mapped to the observer.file.vhash UDM field. Else, if observables.type_id log field value is equal to 9 then, observables.value log field is mapped to the observer.process.file.names UDM field. Else, if observables.type_id log field value is equal to 10 then, observables.value log field is mapped to the observer.resource.product_object_id UDM field. | 
| observables.value | observer.hostname | Iterate through log field observables.value, then if the index value is equal to 0 and if the observables.type_id log field value is equal to 1 then, observables.value log field is mapped to the observer.hostname UDM field. Else, if observables.type_id log field value is equal to 2 then, observables.value log field is mapped to the observer.ip UDM field. Else, if observables.type_id log field value is equal to 3 then, observables.value log field is mapped to the observer.mac UDM field. Else, if observables.type_id log field value is equal to 4 then, observables.value log field is mapped to the observer.user.userid UDM field. Else, if observables.type_id log field value is equal to 5 then, observables.value log field is mapped to the observer.user.email_addresses UDM field. Else, if observables.type_id log field value is equal to 6 then, observables.value log field is mapped to the observer.url UDM field. Else, if observables.type_id log field value is equal to 7 then, observables.value log field is mapped to the observer.file.names UDM field. Else, if observables.type_id log field value is equal to 8 then, observables.value log field is mapped to the observer.file.vhash UDM field. Else, if observables.type_id log field value is equal to 9 then, observables.value log field is mapped to the observer.process.file.names UDM field. Else, if observables.type_id log field value is equal to 10 then, observables.value log field is mapped to the observer.resource.product_object_id UDM field. | 
| observables.value | observer.ip | Iterate through log field observables.value, then if the index value is equal to 0 and if the observables.type_id log field value is equal to 1 then, observables.value log field is mapped to the observer.hostname UDM field. Else, if observables.type_id log field value is equal to 2 then, observables.value log field is mapped to the observer.ip UDM field. Else, if observables.type_id log field value is equal to 3 then, observables.value log field is mapped to the observer.mac UDM field. Else, if observables.type_id log field value is equal to 4 then, observables.value log field is mapped to the observer.user.userid UDM field. Else, if observables.type_id log field value is equal to 5 then, observables.value log field is mapped to the observer.user.email_addresses UDM field. Else, if observables.type_id log field value is equal to 6 then, observables.value log field is mapped to the observer.url UDM field. Else, if observables.type_id log field value is equal to 7 then, observables.value log field is mapped to the observer.file.names UDM field. Else, if observables.type_id log field value is equal to 8 then, observables.value log field is mapped to the observer.file.vhash UDM field. Else, if observables.type_id log field value is equal to 9 then, observables.value log field is mapped to the observer.process.file.names UDM field. Else, if observables.type_id log field value is equal to 10 then, observables.value log field is mapped to the observer.resource.product_object_id UDM field. | 
| observables.value | observer.mac | Iterate through log field observables.value, then if the index value is equal to 0 and if the observables.type_id log field value is equal to 1 then, observables.value log field is mapped to the observer.hostname UDM field. Else, if observables.type_id log field value is equal to 2 then, observables.value log field is mapped to the observer.ip UDM field. Else, if observables.type_id log field value is equal to 3 then, observables.value log field is mapped to the observer.mac UDM field. Else, if observables.type_id log field value is equal to 4 then, observables.value log field is mapped to the observer.user.userid UDM field. Else, if observables.type_id log field value is equal to 5 then, observables.value log field is mapped to the observer.user.email_addresses UDM field. Else, if observables.type_id log field value is equal to 6 then, observables.value log field is mapped to the observer.url UDM field. Else, if observables.type_id log field value is equal to 7 then, observables.value log field is mapped to the observer.file.names UDM field. Else, if observables.type_id log field value is equal to 8 then, observables.value log field is mapped to the observer.file.vhash UDM field. Else, if observables.type_id log field value is equal to 9 then, observables.value log field is mapped to the observer.process.file.names UDM field. Else, if observables.type_id log field value is equal to 10 then, observables.value log field is mapped to the observer.resource.product_object_id UDM field. | 
| observables.value | observer.process.file.names | Iterate through log field observables.value, then if the index value is equal to 0 and if the observables.type_id log field value is equal to 1 then, observables.value log field is mapped to the observer.hostname UDM field. Else, if observables.type_id log field value is equal to 2 then, observables.value log field is mapped to the observer.ip UDM field. Else, if observables.type_id log field value is equal to 3 then, observables.value log field is mapped to the observer.mac UDM field. Else, if observables.type_id log field value is equal to 4 then, observables.value log field is mapped to the observer.user.userid UDM field. Else, if observables.type_id log field value is equal to 5 then, observables.value log field is mapped to the observer.user.email_addresses UDM field. Else, if observables.type_id log field value is equal to 6 then, observables.value log field is mapped to the observer.url UDM field. Else, if observables.type_id log field value is equal to 7 then, observables.value log field is mapped to the observer.file.names UDM field. Else, if observables.type_id log field value is equal to 8 then, observables.value log field is mapped to the observer.file.vhash UDM field. Else, if observables.type_id log field value is equal to 9 then, observables.value log field is mapped to the observer.process.file.names UDM field. Else, if observables.type_id log field value is equal to 10 then, observables.value log field is mapped to the observer.resource.product_object_id UDM field. | 
| observables.value | observer.resource.product_object_id | Iterate through log field observables.value, then if the index value is equal to 0 and if the observables.type_id log field value is equal to 1 then, observables.value log field is mapped to the observer.hostname UDM field. Else, if observables.type_id log field value is equal to 2 then, observables.value log field is mapped to the observer.ip UDM field. Else, if observables.type_id log field value is equal to 3 then, observables.value log field is mapped to the observer.mac UDM field. Else, if observables.type_id log field value is equal to 4 then, observables.value log field is mapped to the observer.user.userid UDM field. Else, if observables.type_id log field value is equal to 5 then, observables.value log field is mapped to the observer.user.email_addresses UDM field. Else, if observables.type_id log field value is equal to 6 then, observables.value log field is mapped to the observer.url UDM field. Else, if observables.type_id log field value is equal to 7 then, observables.value log field is mapped to the observer.file.names UDM field. Else, if observables.type_id log field value is equal to 8 then, observables.value log field is mapped to the observer.file.vhash UDM field. Else, if observables.type_id log field value is equal to 9 then, observables.value log field is mapped to the observer.process.file.names UDM field. Else, if observables.type_id log field value is equal to 10 then, observables.value log field is mapped to the observer.resource.product_object_id UDM field. | 
| observables.value | observer.url | Iterate through log field observables.value, then if the index value is equal to 0 and if the observables.type_id log field value is equal to 1 then, observables.value log field is mapped to the observer.hostname UDM field. Else, if observables.type_id log field value is equal to 2 then, observables.value log field is mapped to the observer.ip UDM field. Else, if observables.type_id log field value is equal to 3 then, observables.value log field is mapped to the observer.mac UDM field. Else, if observables.type_id log field value is equal to 4 then, observables.value log field is mapped to the observer.user.userid UDM field. Else, if observables.type_id log field value is equal to 5 then, observables.value log field is mapped to the observer.user.email_addresses UDM field. Else, if observables.type_id log field value is equal to 6 then, observables.value log field is mapped to the observer.url UDM field. Else, if observables.type_id log field value is equal to 7 then, observables.value log field is mapped to the observer.file.names UDM field. Else, if observables.type_id log field value is equal to 8 then, observables.value log field is mapped to the observer.file.vhash UDM field. Else, if observables.type_id log field value is equal to 9 then, observables.value log field is mapped to the observer.process.file.names UDM field. Else, if observables.type_id log field value is equal to 10 then, observables.value log field is mapped to the observer.resource.product_object_id UDM field. | 
| observables.value | observer.user.email_addresses | Iterate through log field observables.value, then if the index value is equal to 0 and if the observables.type_id log field value is equal to 1 then, observables.value log field is mapped to the observer.hostname UDM field. Else, if observables.type_id log field value is equal to 2 then, observables.value log field is mapped to the observer.ip UDM field. Else, if observables.type_id log field value is equal to 3 then, observables.value log field is mapped to the observer.mac UDM field. Else, if observables.type_id log field value is equal to 4 then, observables.value log field is mapped to the observer.user.userid UDM field. Else, if observables.type_id log field value is equal to 5 then, observables.value log field is mapped to the observer.user.email_addresses UDM field. Else, if observables.type_id log field value is equal to 6 then, observables.value log field is mapped to the observer.url UDM field. Else, if observables.type_id log field value is equal to 7 then, observables.value log field is mapped to the observer.file.names UDM field. Else, if observables.type_id log field value is equal to 8 then, observables.value log field is mapped to the observer.file.vhash UDM field. Else, if observables.type_id log field value is equal to 9 then, observables.value log field is mapped to the observer.process.file.names UDM field. Else, if observables.type_id log field value is equal to 10 then, observables.value log field is mapped to the observer.resource.product_object_id UDM field. | 
| observables.value | observer.user.userid | Iterate through log field observables.value, then if the index value is equal to 0 and if the observables.type_id log field value is equal to 1 then, observables.value log field is mapped to the observer.hostname UDM field. Else, if observables.type_id log field value is equal to 2 then, observables.value log field is mapped to the observer.ip UDM field. Else, if observables.type_id log field value is equal to 3 then, observables.value log field is mapped to the observer.mac UDM field. Else, if observables.type_id log field value is equal to 4 then, observables.value log field is mapped to the observer.user.userid UDM field. Else, if observables.type_id log field value is equal to 5 then, observables.value log field is mapped to the observer.user.email_addresses UDM field. Else, if observables.type_id log field value is equal to 6 then, observables.value log field is mapped to the observer.url UDM field. Else, if observables.type_id log field value is equal to 7 then, observables.value log field is mapped to the observer.file.names UDM field. Else, if observables.type_id log field value is equal to 8 then, observables.value log field is mapped to the observer.file.vhash UDM field. Else, if observables.type_id log field value is equal to 9 then, observables.value log field is mapped to the observer.process.file.names UDM field. Else, if observables.type_id log field value is equal to 10 then, observables.value log field is mapped to the observer.resource.product_object_id UDM field. | 
| connection_info.session.uid_alt | additional.fields[connection_info_session_uid_alt] | |
| connection_info.session.count | additional.fields[connection_info_session_count] | |
| connection_info.session.expiration_reason | additional.fields[connection_info_session_expiration_reason] | |
| connection_info.session.is_mfa | additional.fields[connection_info_session_is_mfa] | |
| connection_info.session.terminal | additional.fields[connection_info_session_terminal] | |
| connection_info.session.is_vpn | additional.fields[connection_info_session_is_vpn] | |
| dst_endpoint.hw_info.bios_date | target.asset.attribute.labels[dst_endpoint_hw_info_bios_date] | |
| dst_endpoint.hw_info.bios_manufacturer | target.asset.hardware.manufacturer | |
| dst_endpoint.hw_info.bios_ver | target.asset.hardware.model | |
| dst_endpoint.hw_info.cpu_bits | target.asset.attribute.labels[dst_endpoint_hw_info_cpu_bits] | |
| dst_endpoint.hw_info.cpu_cores | target.asset.hardware.cpu_number_cores | |
| dst_endpoint.hw_info.cpu_count | target.asset.attribute.labels[dst_endpoint_hw_info_cpu_count] | |
| dst_endpoint.hw_info.chassis | target.asset.attribute.labels[dst_endpoint_hw_info_chassis] | |
| dst_endpoint.hw_info.desktop_display.color_depth | target.asset.attribute.labels[dst_endpoint_hw_info_desktop_display_color_depth] | |
| dst_endpoint.hw_info.desktop_display.physical_height | target.asset.attribute.labels[dst_endpoint_hw_info_desktop_display_physical_height] | |
| dst_endpoint.hw_info.desktop_display.physical_orientation | target.asset.attribute.labels[dst_endpoint_hw_info_desktop_display_physical_orientation] | |
| dst_endpoint.hw_info.desktop_display.physical_width | target.asset.attribute.labels[dst_endpoint_hw_info_desktop_display_physical_width] | |
| dst_endpoint.hw_info.desktop_display.scale_factor | target.asset.attribute.labels[dst_endpoint_hw_info_desktop_display_scale_factor] | |
| dst_endpoint.hw_info.keyboard_info.function_keys | target.asset.attribute.labels[dst_endpoint_hw_info_keyboard_info_function_keys] | |
| dst_endpoint.hw_info.keyboard_info.ime | target.asset.attribute.labels[dst_endpoint_hw_info_keyboard_info_ime] | |
| dst_endpoint.hw_info.keyboard_info.keyboard_layout | target.asset.attribute.labels[dst_endpoint_hw_info_keyboard_info_keyboard_layout] | |
| dst_endpoint.hw_info.keyboard_info.keyboard_subtype | target.asset.attribute.labels[dst_endpoint_hw_info_keyboard_info_keyboard_subtype] | |
| dst_endpoint.hw_info.keyboard_info.keyboard_type | target.asset.attribute.labels[dst_endpoint_hw_info_keyboard_info_keyboard_type] | |
| dst_endpoint.hw_info.cpu_speed | target.asset.hardware.cpu_max_clock_speed | |
| dst_endpoint.hw_info.cpu_type | target.asset.hardware.cpu_platform | |
| dst_endpoint.hw_info.ram_size | target.asset.hardware.ram | |
| dst_endpoint.hw_info.serial_number | target.asset.hardware.serial_number | |
| dst_endpoint.zone | target.asset.attribute.labels[dst_endpoint_zone] | |
| dst_endpoint.type | additional.fields[dst_endpoint_type] | |
| dst_endpoint.type_id | additional.fields[dst_endpoint_type_id] | |
| dst_endpoint.os.cpe_name | target.asset.attribute.labels[dst_endpoint_os_cpe_name] | |
| dst_endpoint.proxy_endpoint.svc_name | intermediary.application | |
| dst_endpoint.proxy_endpoint.intermediate_ips.array | intermediary.ip | |
| dst_endpoint.proxy_endpoint.domain | intermediary.domain.name | |
| dst_endpoint.proxy_endpoint.hostname | intermediary.hostname | |
| dst_endpoint.proxy_endpoint.ip | intermediary.ip | |
| dst_endpoint.proxy_endpoint.location.city | intermediary.location.city | |
| dst_endpoint.proxy_endpoint.location.country | intermediary.location.country_or_region | |
| dst_endpoint.proxy_endpoint.location.region | intermediary.location.name | |
| dst_endpoint.proxy_endpoint.location.coordinates | intermediary.location.region_coordinates | |
| dst_endpoint.proxy_endpoint.mac | intermediary.mac | |
| dst_endpoint.proxy_endpoint.port | intermediary.port | |
| dst_endpoint.proxy_endpoint.uid | intermediary.asset_id | |
| dst_endpoint.proxy_endpoint.hw_info.bios_date | intermediary.asset.attribute.labels[dst_endpoint_proxy_endpoint_hw_info_bios_date] | |
| dst_endpoint.proxy_endpoint.hw_info.bios_manufacturer | intermediary.asset.hardware.manufacturer | |
| dst_endpoint.proxy_endpoint.hw_info.bios_ver | intermediary.asset.hardware.model | |
| dst_endpoint.proxy_endpoint.hw_info.cpu_bits | intermediary.asset.attribute.labels[dst_endpoint_proxy_endpoint_hw_info_cpu_bits] | |
| dst_endpoint.proxy_endpoint.hw_info.cpu_cores | intermediary.asset.hardware.cpu_number_cores | |
| dst_endpoint.proxy_endpoint.hw_info.cpu_count | intermediary.asset.attribute.labels[dst_endpoint_proxy_endpoint_hw_info_cpu_count] | |
| dst_endpoint.proxy_endpoint.hw_info.chassis | intermediary.asset.attribute.labels[dst_endpoint_proxy_endpoint_hw_info_chassis] | |
| dst_endpoint.proxy_endpoint.hw_info.desktop_display.color_depth | intermediary.asset.attribute.labels[dst_endpoint_proxy_endpoint_hw_info_desktop_display_color_depth] | |
| dst_endpoint.proxy_endpoint.hw_info.desktop_display.physical_height | intermediary.asset.attribute.labels[dst_endpoint_proxy_endpoint_hw_info_desktop_display_physical_height] | |
| dst_endpoint.proxy_endpoint.hw_info.desktop_display.physical_orientation | intermediary.asset.attribute.labels[dst_endpoint_proxy_endpoint_hw_info_desktop_display_physical_orientation] | |
| dst_endpoint.proxy_endpoint.hw_info.desktop_display.physical_width | intermediary.asset.attribute.labels[dst_endpoint_proxy_endpoint_hw_info_desktop_display_physical_width] | |
| dst_endpoint.proxy_endpoint.hw_info.desktop_display.scale_factor | intermediary.asset.attribute.labels[dst_endpoint_proxy_endpoint_hw_info_desktop_display_scale_factor] | |
| dst_endpoint.proxy_endpoint.hw_info.keyboard_info.function_keys | intermediary.asset.attribute.labels[dst_endpoint_proxy_endpoint_hw_info_keyboard_info_function_keys] | |
| dst_endpoint.proxy_endpoint.hw_info.keyboard_info.ime | intermediary.asset.attribute.labels[dst_endpoint_proxy_endpoint_hw_info_keyboard_info_ime] | |
| dst_endpoint.proxy_endpoint.hw_info.keyboard_info.keyboard_layout | intermediary.asset.attribute.labels[dst_endpoint_proxy_endpoint_hw_info_keyboard_info_keyboard_layout] | |
| dst_endpoint.proxy_endpoint.hw_info.keyboard_info.keyboard_subtype | intermediary.asset.attribute.labels[dst_endpoint_proxy_endpoint_hw_info_keyboard_info_keyboard_subtype] | |
| dst_endpoint.proxy_endpoint.hw_info.keyboard_info.keyboard_type | intermediary.asset.attribute.labels[dst_endpoint_proxy_endpoint_hw_info_keyboard_info_keyboard_type] | |
| dst_endpoint.proxy_endpoint.hw_info.cpu_speed | intermediary.asset.hardware.cpu_max_clock_speed | |
| dst_endpoint.proxy_endpoint.hw_info.cpu_type | intermediary.asset.hardware.cpu_platform | |
| dst_endpoint.proxy_endpoint.hw_info.ram_size | intermediary.asset.hardware.ram | |
| dst_endpoint.proxy_endpoint.hw_info.serial_number | intermediary.asset.hardware.serial_number | |
| dst_endpoint.proxy_endpoint.zone | intermediary.asset.attribute.labels[dst_endpoint_proxy_endpoint_zone] | |
| dst_endpoint.proxy_endpoint.type | additional.fields[dst_endpoint_proxy_endpoint_type] | |
| dst_endpoint.proxy_endpoint.type_id | additional.fields[dst_endpoint_proxy_endpoint_type_id] | |
| dst_endpoint.proxy_endpoint.os.cpe_name | intermediary.asset.attribute.labels[dst_endpoint_proxy_endpoint_os_cpe_name] | |
| metadata.log_level | additional.fields[metadata_log_level] | |
| metadata.tenant_uid | additional.fields[metadata_tenant_uid] | |
| metadata.product.cpe_name | about.asset.attribute.labels[metadata_product_cpe_name] | |
| metadata.loggers.device.hostname | about.asset.hostname | Iterate through the metadata.loggers log field, then the metadata.loggers.device.hostname log field is mapped to the about.asset.hostname UDM field. |
| metadata.loggers.device.ip | about.asset.ip | Iterate through the metadata.loggers log field, then the metadata.loggers.device.ip log field is mapped to the about.asset.ip UDM field. |
| metadata.loggers.device.instance_uid | about.asset.attribute.labels[metadata_device_instance_uid] | Iterate through the metadata.loggers log field, then the metadata.loggers.device.instance_uid log field is mapped to the about.asset.attribute.labels[metadata_device_instance_uid] UDM field. |
| metadata.loggers.device.name | about.asset.attribute.labels[metadata_device_name] | Iterate through the metadata.loggers log field, then the metadata.loggers.device.name log field is mapped to the about.asset.attribute.labels[metadata_device_name] UDM field. |
| metadata.loggers.device.interface_uid | about.asset.attribute.labels[metadata_device_interface_uid] | Iterate through the metadata.loggers log field, then the metadata.loggers.device.interface_uid log field is mapped to the about.asset.attribute.labels[metadata_device_interface_uid] UDM field. |
| metadata.loggers.device.interface_name | about.asset.attribute.labels[metadata_device_interface_name] | Iterate through the metadata.loggers log field, then the metadata.loggers.device.interface_name log field is mapped to the about.asset.attribute.labels[metadata_device_interface_name] UDM field. |
| metadata.loggers.device.region | about.asset.attribute.labels[metadata_device_region] | Iterate through the metadata.loggers log field, then the metadata.loggers.device.region log field is mapped to the about.asset.attribute.labels[metadata_device_region] UDM field. |
| metadata.loggers.device.type_id | about.asset.attribute.labels[metadata_device_type_id] | Iterate through the metadata.loggers log field, then the metadata.loggers.device.type_id log field is mapped to the about.asset.attribute.labels[metadata_device_type_id] UDM field. |
| metadata.loggers.device.uid | about.asset.asset_id | Iterate through the metadata.loggers log field, then the metadata.loggers.device.uid log field is mapped to the about.asset.asset_id UDM field. |
| metadata.loggers.product.name | additional.fields[metadata_product_name] | Iterate through the metadata.loggers log field, then the metadata.loggers.product.name log field is mapped to the additional.fields[metadata_product_name] UDM field. |
| metadata.loggers.product.vendor_name | additional.fields[metadata_product_vendor_name] | Iterate through the metadata.loggers log field, then the metadata.loggers.product.vendor_name log field is mapped to the additional.fields[metadata_product_vendor_name] UDM field. |
| metadata.loggers.product.version | additional.fields[metadata_product_version] | Iterate through the metadata.loggers log field, then the metadata.loggers.product.version log field is mapped to the additional.fields[metadata_product_version] UDM field. |
| metadata.loggers.product.uid | additional.fields[metadata_product_uid] | Iterate through the metadata.loggers log field, then the metadata.loggers.product.uid log field is mapped to the additional.fields[metadata_product_uid] UDM field. |
| metadata.loggers.uid | additional.fields[metadata_loggers_uid] | Iterate through the metadata.loggers log field, then the metadata.loggers.uid log field is mapped to the additional.fields[metadata_loggers_uid] UDM field. |
| metadata.loggers.name | additional.fields[metadata_loggers_name] | Iterate through the metadata.loggers log field, then the metadata.loggers.name log field is mapped to the additional.fields[metadata_loggers_name] UDM field. |
| metadata.loggers.log_provider | additional.fields[metadata_loggers_log_provider] | Iterate through the metadata.loggers log field, then the metadata.loggers.log_provider log field is mapped to the additional.fields[metadata_loggers_log_provider] UDM field. |
| metadata.loggers.log_name | additional.fields[metadata_loggers_log_name] | Iterate through the metadata.loggers log field, then the metadata.loggers.log_name log field is mapped to the additional.fields[metadata_loggers_log_name] UDM field. |
| src_endpoint.hw_info.bios_date | principal.asset.attribute.labels[src_endpoint_hw_info_bios_date] | |
| src_endpoint.hw_info.bios_manufacturer | principal.asset.hardware.manufacturer | |
| src_endpoint.hw_info.bios_ver | principal.asset.hardware.model | |
| src_endpoint.hw_info.cpu_bits | principal.asset.attribute.labels[src_endpoint_hw_info_cpu_bits] | |
| src_endpoint.hw_info.cpu_cores | principal.asset.hardware.cpu_number_cores | |
| src_endpoint.hw_info.cpu_count | principal.asset.attribute.labels[src_endpoint_hw_info_cpu_count] | |
| src_endpoint.hw_info.chassis | principal.asset.attribute.labels[src_endpoint_hw_info_chassis] | |
| src_endpoint.hw_info.desktop_display.color_depth | principal.asset.attribute.labels[src_endpoint_hw_info_desktop_display_color_depth] | |
| src_endpoint.hw_info.desktop_display.physical_height | principal.asset.attribute.labels[src_endpoint_hw_info_desktop_display_physical_height] | |
| src_endpoint.hw_info.desktop_display.physical_orientation | principal.asset.attribute.labels[src_endpoint_hw_info_desktop_display_physical_orientation] | |
| src_endpoint.hw_info.desktop_display.physical_width | principal.asset.attribute.labels[src_endpoint_hw_info_desktop_display_physical_width] | |
| src_endpoint.hw_info.desktop_display.scale_factor | principal.asset.attribute.labels[src_endpoint_hw_info_desktop_display_scale_factor] | |
| src_endpoint.hw_info.keyboard_info.function_keys | principal.asset.attribute.labels[src_endpoint_hw_info_keyboard_info_function_keys] | |
| src_endpoint.hw_info.keyboard_info.ime | principal.asset.attribute.labels[src_endpoint_hw_info_keyboard_info_ime] | |
| src_endpoint.hw_info.keyboard_info.keyboard_layout | principal.asset.attribute.labels[src_endpoint_hw_info_keyboard_info_keyboard_layout] | |
| src_endpoint.hw_info.keyboard_info.keyboard_subtype | principal.asset.attribute.labels[src_endpoint_hw_info_keyboard_info_keyboard_subtype] | |
| src_endpoint.hw_info.keyboard_info.keyboard_type | principal.asset.attribute.labels[src_endpoint_hw_info_keyboard_info_keyboard_type] | |
| src_endpoint.hw_info.cpu_speed | principal.asset.hardware.cpu_max_clock_speed | |
| src_endpoint.hw_info.cpu_type | principal.asset.hardware.cpu_platform | |
| src_endpoint.hw_info.ram_size | principal.asset.hardware.ram | |
| src_endpoint.hw_info.serial_number | principal.asset.hardware.serial_number | |
| src_endpoint.zone | principal.asset.attribute.labels[src_endpoint_zone] | |
| src_endpoint.type | additional.fields[src_endpoint_type] | |
| src_endpoint.type_id | additional.fields[src_endpoint_type_id] | |
| src_endpoint.os.cpe_name | principal.asset.attribute.labels[src_endpoint_os_cpe_name] | |
| src_endpoint.proxy_endpoint.svc_name | intermediary.application | |
| src_endpoint.proxy_endpoint.intermediate_ips.array | intermediary.ip | |
| src_endpoint.proxy_endpoint.domain | intermediary.domain.name | |
| src_endpoint.proxy_endpoint.hostname | intermediary.hostname | |
| src_endpoint.proxy_endpoint.ip | intermediary.ip | |
| src_endpoint.proxy_endpoint.location.city | intermediary.location.city | |
| src_endpoint.proxy_endpoint.location.country | intermediary.location.country_or_region | |
| src_endpoint.proxy_endpoint.location.region | intermediary.location.name | |
| src_endpoint.proxy_endpoint.location.coordinates | intermediary.location.region_coordinates | |
| src_endpoint.proxy_endpoint.mac | intermediary.mac | |
| src_endpoint.proxy_endpoint.port | intermediary.port | |
| src_endpoint.proxy_endpoint.uid | intermediary.asset_id | |
| src_endpoint.proxy_endpoint.hw_info.bios_date | intermediary.asset.attribute.labels[src_endpoint_proxy_endpoint_hw_info_bios_date] | |
| src_endpoint.proxy_endpoint.hw_info.bios_manufacturer | intermediary.asset.hardware.manufacturer | |
| src_endpoint.proxy_endpoint.hw_info.bios_ver | intermediary.asset.hardware.model | |
| src_endpoint.proxy_endpoint.hw_info.cpu_bits | intermediary.asset.attribute.labels[src_endpoint_proxy_endpoint_hw_info_cpu_bits] | |
| src_endpoint.proxy_endpoint.hw_info.cpu_cores | intermediary.asset.hardware.cpu_number_cores | |
| src_endpoint.proxy_endpoint.hw_info.cpu_count | intermediary.asset.attribute.labels[src_endpoint_proxy_endpoint_hw_info_cpu_count] | |
| src_endpoint.proxy_endpoint.hw_info.chassis | intermediary.asset.attribute.labels[src_endpoint_proxy_endpoint_hw_info_chassis] | |
| src_endpoint.proxy_endpoint.hw_info.desktop_display.color_depth | intermediary.asset.attribute.labels[src_endpoint_proxy_endpoint_hw_info_desktop_display_color_depth] | |
| src_endpoint.proxy_endpoint.hw_info.desktop_display.physical_height | intermediary.asset.attribute.labels[src_endpoint_proxy_endpoint_hw_info_desktop_display_physical_height] | |
| src_endpoint.proxy_endpoint.hw_info.desktop_display.physical_orientation | intermediary.asset.attribute.labels[src_endpoint_proxy_endpoint_hw_info_desktop_display_physical_orientation] | |
| src_endpoint.proxy_endpoint.hw_info.desktop_display.physical_width | intermediary.asset.attribute.labels[src_endpoint_proxy_endpoint_hw_info_desktop_display_physical_width] | |
| src_endpoint.proxy_endpoint.hw_info.desktop_display.scale_factor | intermediary.asset.attribute.labels[src_endpoint_proxy_endpoint_hw_info_desktop_display_scale_factor] | |
| src_endpoint.proxy_endpoint.hw_info.keyboard_info.function_keys | intermediary.asset.attribute.labels[src_endpoint_proxy_endpoint_hw_info_keyboard_info_function_keys] | |
| src_endpoint.proxy_endpoint.hw_info.keyboard_info.ime | intermediary.asset.attribute.labels[src_endpoint_proxy_endpoint_hw_info_keyboard_info_ime] | |
| src_endpoint.proxy_endpoint.hw_info.keyboard_info.keyboard_layout | intermediary.asset.attribute.labels[src_endpoint_proxy_endpoint_hw_info_keyboard_info_keyboard_layout] | |
| src_endpoint.proxy_endpoint.hw_info.keyboard_info.keyboard_subtype | intermediary.asset.attribute.labels[src_endpoint_proxy_endpoint_hw_info_keyboard_info_keyboard_subtype] | |
| src_endpoint.proxy_endpoint.hw_info.keyboard_info.keyboard_type | intermediary.asset.attribute.labels[src_endpoint_proxy_endpoint_hw_info_keyboard_info_keyboard_type] | |
| src_endpoint.proxy_endpoint.hw_info.cpu_speed | intermediary.asset.hardware.cpu_max_clock_speed | |
| src_endpoint.proxy_endpoint.hw_info.cpu_type | intermediary.asset.hardware.cpu_platform | |
| src_endpoint.proxy_endpoint.hw_info.ram_size | intermediary.asset.hardware.ram | |
| src_endpoint.proxy_endpoint.hw_info.serial_number | intermediary.asset.hardware.serial_number | |
| src_endpoint.proxy_endpoint.zone | intermediary.asset.attribute.labels[src_endpoint_proxy_endpoint_zone] | |
| src_endpoint.proxy_endpoint.type | additional.fields[src_endpoint_proxy_endpoint_type] | |
| src_endpoint.proxy_endpoint.type_id | additional.fields[src_endpoint_proxy_endpoint_type_id] | |
| src_endpoint.proxy_endpoint.os.cpe_name | intermediary.asset.attribute.labels[src_endpoint_proxy_endpoint_os_cpe_name] | |
| tls.certificate.uid | additional.fields[tls_certificate_uid] | |
| traffic.chunks | additional.fields[traffic_chunks] | |
| traffic.chunks_in | additional.fields[traffic_chunks_in] | |
| traffic.chunks_out | additional.fields[traffic_chunks_out] | |
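The two "Iterate through ..." rules in this table (observables to the observer.* fields, and metadata.loggers to about.asset.* and additional.fields) are easiest to check against real parser output when replayed as code. The following Python is an added example written for this page, not Google SecOps parser code. The OCSF event it runs on is constructed for illustration, and the "index value is equal to 0" guard is transcribed as the table words it (applying to the type_id 1 hostname branch only); confirm that reading against events your own instance has normalized before relying on it in a rule.

```python
"""Replay of the two "Iterate through ..." rules in the OCSF -> UDM table.

Added example for this page; it is not Google SecOps parser code. UDM field
paths and the type_id dispatch are taken from the mapping table; the OCSF
event below is constructed for illustration only.
"""
import json

# OCSF observable type_id -> UDM observer field, as the table lists them.
OBSERVABLE_TYPE_TO_UDM = {
    1: "observer.hostname",
    2: "observer.ip",
    3: "observer.mac",
    4: "observer.user.userid",
    5: "observer.user.email_addresses",
    6: "observer.url",
    7: "observer.file.names",
    8: "observer.file.vhash",
    9: "observer.process.file.names",
    10: "observer.resource.product_object_id",
}

# metadata.loggers[] sub-field -> UDM field, as the table lists them.
LOGGER_FIELD_TO_UDM = {
    "device.hostname": "about.asset.hostname",
    "device.ip": "about.asset.ip",
    "device.uid": "about.asset.asset_id",
    "device.name": "about.asset.attribute.labels[metadata_device_name]",
    "device.region": "about.asset.attribute.labels[metadata_device_region]",
    "product.name": "additional.fields[metadata_product_name]",
    "product.vendor_name": "additional.fields[metadata_product_vendor_name]",
    "uid": "additional.fields[metadata_loggers_uid]",
    "log_name": "additional.fields[metadata_loggers_log_name]",
}


def map_observables(event):
    """Return {udm_field: [values]} for event["observables"].

    Transcribed as the table words it: the "index value is equal to 0" guard
    belongs to the type_id == 1 (hostname) branch only; other type_ids map
    from any array position. Values are kept in arrival order so repeated
    UDM fields such as observer.ip retain every entry.
    """
    out = {}
    for index, obs in enumerate(event.get("observables", [])):
        value, type_id = obs.get("value"), obs.get("type_id")
        if value is None:
            continue
        if type_id == 1:
            if index != 0:
                continue  # hostname is only taken from the first observable
            field = OBSERVABLE_TYPE_TO_UDM[1]
        elif type_id in OBSERVABLE_TYPE_TO_UDM:
            field = OBSERVABLE_TYPE_TO_UDM[type_id]
        else:
            continue  # type_ids outside 1..10 are not mapped by this table
        out.setdefault(field, []).append(value)
    return out


def _dig(obj, dotted):
    """Resolve a dotted path inside nested dicts; None when any hop is missing."""
    for part in dotted.split("."):
        if not isinstance(obj, dict) or part not in obj:
            return None
        obj = obj[part]
    return obj


def map_loggers(event):
    """Return {udm_field: [values]} for every entry in metadata.loggers."""
    out = {}
    for logger in _dig(event, "metadata.loggers") or []:
        for src, dst in LOGGER_FIELD_TO_UDM.items():
            value = _dig(logger, src)
            if value is not None:
                out.setdefault(dst, []).append(value)
    return out


# Constructed OCSF event: one IP observable per side, two hostname observables
# (only the first sits at index 0), one user, one hash, one unmapped type_id.
SAMPLE_EVENT = json.loads("""{
  "observables": [
    {"name": "dst_endpoint.hostname", "type_id": 1, "value": "app01.corp.example"},
    {"name": "src_endpoint.ip", "type_id": 2, "value": "198.51.100.4"},
    {"name": "dst_endpoint.ip", "type_id": 2, "value": "203.0.113.9"},
    {"name": "actor.user.name", "type_id": 4, "value": "svc-backup"},
    {"name": "file.hashes", "type_id": 8, "value": "44d88612fea8a8f36de82e1278abb02f"},
    {"name": "device.hostname", "type_id": 1, "value": "not-first-so-dropped"},
    {"name": "vendor.custom", "type_id": 99, "value": "unmapped"}
  ],
  "metadata": {"loggers": [{
    "uid": "lg-1", "log_name": "Security",
    "device": {"hostname": "collector01", "ip": "10.0.0.5", "uid": "dev-001"},
    "product": {"name": "Microsoft Windows", "vendor_name": "Microsoft"}
  }]}
}""")

if __name__ == "__main__":
    print(json.dumps(map_observables(SAMPLE_EVENT), indent=2))
    print(json.dumps(map_loggers(SAMPLE_EVENT), indent=2))
```

The output shows the point that matters for detection content: an IP or user that reaches the parser only as an OCSF observable lands under observer.*, not under principal.* or target.*, so a rule keyed on principal.ip will not match it; query observer.ip (or both) when the source populates observables. The second hostname observable and the type_id 99 entry are dropped, which is also worth knowing before you assume every observable survives normalization.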