Jump To
About
Logs processes launched on devices.
Product Details
Vendor URL: n/a
Product Type: Audit Logs
Product Tier: Tier III
Integration Method: Syslog
Integration URL: n/a
Log Guide: n/a
Parser Details
Log Format: Syslog
Expected Normalization Rate: 90%
Data Label: JUMPTO
UDM Fields (list of all UDM fields leveraged in the Parser):
Log File Field | UDM Field | UDM Event Type |
---|---|---|
Defined | metadata.product_name | All |
observer | observer.hostname | All |
observer | observer.ip | All |
Defined | metadata.event_type | All |
inc | metadata.description | If Available |
userid | principal.user.userid | If Available |
src | principal.hostname | If Available |
dst | target.hostname | If Available |
domain | target.administrative_domain | If Available |
srcpid | principal.process.pid | If Available |
targetpid | target.process.pid | If Available |
Product Event Types
Description | metadata.event_type |
---|---|
A process was launched on the device | PROCESS_LAUNCH |
Log Sample
<0>Sep 2 14:46:12 hostname1.domain1.com john.doe|fsroot|fsroot|computername|hostname2.domain2.com|20210902|144613|(null)|(null)
Sample Parsing
metadata.event_timestamp = "2021-09-02T14:46:12Z"
metadata.event_type = "PROCESS_LAUNCH"
metadata.product_name = "Jump To"
principal.hostname = "hostname1"
principal.user.userid = "john.doe"
principal.process.pid = "fsroot"
principal.namespace = "companyname"
target.hostname = "hostname2"
target.process.pid = "fsroot"
target.administrative_domain = "domain2.com"
target.namespace = "domain2"
observer.hostname = "hostname1.domain1.com"
observer.namespace = "domain1"
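As an added illustration (not the vendor's parser), the following Python sketch normalizes the sample line above into the UDM fields listed in the mapping table. It assumes the pipe-delimited payload order userid|srcpid|targetpid|src|dst|date|time|..., that "(null)" marks an absent field, and that the year missing from the syslog header is taken from the YYYYMMDD payload field.

```python
import re
from datetime import datetime, timezone

# Constructed copy of the page's sample line; the syslog header carries no year.
SAMPLE = ("<0>Sep 2 14:46:12 hostname1.domain1.com "
          "john.doe|fsroot|fsroot|computername|hostname2.domain2.com|20210902|144613|(null)|(null)")

# Syslog header: <pri>Mon D HH:MM:SS host <message>; one or two spaces before the day.
HEADER = re.compile(r"^<(\d+)>(\w{3})\s+(\d{1,2}) (\d{2}:\d{2}:\d{2}) (\S+) (.*)$")
IPV4 = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")


def split_host(fqdn):
    """'hostname2.domain2.com' -> ('hostname2', 'domain2.com'); a bare name gives an empty domain."""
    host, _, domain = fqdn.partition(".")
    return host, domain


def parse_jumpto(line):
    """Return the UDM fields for one Jump To syslog line, or None if the line does not match."""
    m = HEADER.match(line)
    if not m:
        return None
    _pri, mon, day, hms, observer, body = m.groups()
    # Assumed field order: userid|srcpid|targetpid|src|dst|date|time|...; "(null)" means absent.
    f = [None if x == "(null)" else x for x in body.split("|")]
    if len(f) < 5:
        return None
    # Year from the YYYYMMDD payload field (assumption); fall back to the current UTC year.
    date_field = f[5] if len(f) > 5 else None
    year = date_field[:4] if date_field and re.fullmatch(r"\d{8}", date_field) else str(datetime.now(timezone.utc).year)
    ts = datetime.strptime(f"{year} {mon} {day} {hms}", "%Y %b %d %H:%M:%S")
    udm = {
        "metadata.event_timestamp": ts.strftime("%Y-%m-%dT%H:%M:%SZ"),
        "metadata.event_type": "PROCESS_LAUNCH",
        "metadata.product_name": "Jump To",
        "observer.hostname": observer,
        "principal.hostname": split_host(observer)[0],
    }
    if IPV4.match(observer):  # observer.ip only when the header host is a literal IPv4 address
        udm["observer.ip"] = observer
    for value, field in ((f[0], "principal.user.userid"), (f[1], "principal.process.pid"),
                         (f[2], "target.process.pid")):
        if value:  # absent "(null)" fields are dropped rather than emitted as literal strings
            udm[field] = value
    if f[4]:
        dst_host, dst_domain = split_host(f[4])
        udm["target.hostname"] = dst_host
        if dst_domain:
            udm["target.administrative_domain"] = dst_domain
    return udm
```

Lines that fail the header match or carry fewer than five payload fields return None, which is the case to count when checking the 90% expected normalization rate against real traffic.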
Parser Alerting
This product currently does not have any Parser-based Alerting.
Rules
Coming soon