Mappings: Jamf Audit User - Authentication
| Input | Value |
|---|---|
| Vendor | Jamf |
| Product | Jamf |
| Log Format | JSON |
| Event ID Regex Pattern | AUE_LOGOUT|AUE_LW_LOGIN|AUE_AUTH_USER|AUE_SSAUTHINT|AUE_SSAUTHMECH|AUE_SSAUTHORIZE|AUE_logout|AUE_lw_login|AUE_auth_user|AUE_ssauthint|AUE_ssauthmech|AUE_ssauthorize |
| Output | Value |
|---|---|
| Vendor | Jamf |
| Product | Jamf |
| Record Type | Authentication |
| Cloud SIEM Schema Field | Original Record Key | Notes |
|---|---|---|
| action | return.description | |
| baseImage | subject.process_name | |
| changeType | header.event_name | |
| commandLine | exec_args.args_compiled | |
| description | texts | |
| device_hostname | event.computer.deviceName | |
| device_ip | subject.terminal_id.ip_address | |
| device_mac | host_info.primary_mac_address | |
| device_osName | event.computer.osBuild | |
| device_uniqueId | event.computer.udid | |
| dstDevice_ip | socket_inet.ip_address | |
| dstPort | socket_inet.port | |
| errorCode | return.error | |
| file_hash_sha1 | subject.process_hash | |
| file_path | subject.process_name | |
| normalizedAction | header.event_name | This is a lookup field. More info to come in the catalog later... |
| parentBaseImage | exec_chain_child.parent_path | |
| parentCommandLine | subject.responsible_process_name | |
| parentPid | exec_chain_child.parent_pid | |
| processUid | subject.responsible_process_id | |
| sessionId | subject.session_id | |
| srcDevice_ip | event.computer.ipAddress | |
| srcPort | subject.terminal_id.port | |
| success | return.description | This is a lookup field. More info to come in the catalog later... |
| timestamp | header.time_seconds_epoch | We expect the orginal record value of header.time_seconds_epoch is in the format epoch |
| user_username | subject.effective_user_name |