Collect Chrome Enterprise data

Supported in:

Google secops SIEM

This document describes how to collect Google Chrome logs into Google SecOps using the Enterprise reporting connector. It details the data ingestion process for both Google Chrome Enterprise Core and Chrome Enterprise Premium deployments, while noting that some advanced log data requires a Chrome Enterprise Premium license.

Typical deployment

A typical deployment consists of a combination of the following components:

Chrome: The Chrome browser and ChromeOS management events that you want to collect.
ChromeOS: You can configure ChromeOS managed devices to send logs to Google SecOps. ChromeOS devices are optional.
Chrome Enterprise reporting connector: The Chrome Enterprise reporting connector forwards Chrome logs to Google SecOps.
Google SecOps: Retains and analyzes Chrome logs.

Before you begin

A Google Workspace Administrator account.
Google Chrome 137 or later. Earlier versions don't provide complete referer URL data.
Chrome Enterprise Premium licenses for advanced features.
Optional: A Google SecOps ingestion token. If using this option, you also need your Google Workspace Customer ID from the Google Workspace Admin console.
Optional: A Chronicle Ingestion API key provided by your Google SecOps representative.

Set up Chrome browser cloud management

Enroll the target devices to enable cloud management of Chrome browsers. For details, see Enroll cloud-managed Chrome browsers.
Optional: Configure Evidence Locker for investigation of suspicious files. (Chrome Enterprise Premium only)
Optional: If you use Identity-Aware Proxy, perform the steps in Collect Chrome Enterprise Premium Context Access Aware Data to integrate this data into Google SecOps.

Connect Chrome data to your Google SecOps instance

Configure the Chrome Management parser and the Chrome Enterprise reporting connector.

Configure the Chrome Management parser

You may need to update to a new version of the Chrome Management parser to support recent Chrome logs.

In your Google SecOps instance, go to Menu > Settings > Parsers.
Find the Chrome Management prebuilt entry and verify that you are using a version date 2025-08-14 or newer by applying any pending updates.

Configure Chrome Enterprise Premium

This section describes how to set up logging for Chrome Enterprise Premium.

You can configure log forwarding for Chrome Enterprise Premium that includes context from Safe Browsing. The Chrome Enterprise reporting connector for Chrome Enterprise Premium can configure, and optionally forward the following log types:

Browser crashes
Content transfers
Data access controls
Extension installations
Extension telemetry
Google login activity
Malware transfer
Password breach
Password changed
Password reuse
Sensitive data transfer
Suspicious URL
Unsafe site visits
URL filtering interstitial
URL navigations

Set up the Chrome Enterprise Premium data for export

To configure the Chrome Enterprise reporting connector for Chrome Enterprise Premium logging using the recommended security settings:

In the Google Admin console, go to Menu > Chrome browser > Connectors.
In the Introducing Google SecOps for Chrome Enterprise Data banner, click View Details & Enable.
On the Enable Google SecOps for Chrome Enterprise Premium page, enter a Configuration name.
Select a forwarding option, as described in Configure the Chrome Enterprise reporting connector.

Configure the Chrome Enterprise reporting connector

The Chrome Enterprise reporting connector sends log data to Google SecOps for both Chrome Enterprise Premium and Chrome Enterprise Core.

Configure the Chrome Enterprise reporting connector to send Chrome data to Google SecOps using one of the following options:

If you've previously configured Google Cloud Audit Logs to forward to a Google SecOps, you may have an option to send Chrome Enterprise Premium logs. For details, see
Configure Chrome Forwarding to a Google SecOps instance in the same organization.
You can use a temporary token code generated from Google SecOps to configure forwarding to a Chrome Enterprise Premium instance. For details, see
Configure Chrome Forwarding to Google SecOps using an integration token.
Alternatively, you can use a Chronicle Ingestion API key. For details, see
Configure Chrome Forwarding to Google SecOps using the Chronicle Ingestion API.

Configure Chrome Forwarding to a Google SecOps instance in the same organization

You may have an option to select an existing Google SecOps instance in the connector configuration if all of the following prerequisites are satisfied:

The Google SecOps instance is connected to a Google Cloud project.
The Google Cloud project is within the same organization as the Google Workspace managing your Chrome Enterprise Premium.
You previously configured a Cloud Audit Logs integration from that organization to Google SecOps.

If these prerequisites are satisfied, the Google SecOps instance should appear in the selection list under Use instance in associated GCP account.

To configure Chrome forwarding to a Google SecOps instance in the same organization, do the following:

Type a name for the configuration.
From the Use instance in associated GCP account option, select the Google SecOps instance.
Select the log types to forward from the Log export settings.
Click Test connection.
Click Enable after successfully testing the connection.
Click Done when the configuration has completed.

Configure Chrome Forwarding to Google SecOps using an integration token

If the destination Google SecOps instance doesn't appear in the selection list or you need to forward Chrome logs to a Google SecOps instance in a different Google Cloud, do the following:

Provide your Google Workspace Customer ID to the Google SecOps administrator of the destination instance and have them obtain your Google SecOps instance ID and token. This token is valid for 24 hours.
Type a name for the configuration.
Select Use instance outside of your organization.
Enter the token code provided by the Google SecOps administrator.
Select the log types to forward from the Log export settings.
Click Test Connection.
Click Enable after successfully testing the connection.
Click Done when the configuration has completed.

Configure Chrome Forwarding to Google SecOps using the Chronicle Ingestion API

You can configure the Google Chrome reporting connector using a Chronicle Ingestion API key. You should only use this method if no other integration method is available.

In the Admin console, go to Menu > Devices > Chrome > Connectors.
Click + New provider configuration.
On the side panel, find the Google SecOps setup and click Set up.
Enter the Configuration ID, API key, and Host Name:
- Configuration ID: The ID is shown on the User & browsers settings page and the Connectors page.
- API key: The API key to specify when calling the Chronicle ingestion API to identify the customer.
- Host Name: The Ingestion API endpoint. For US customers, this must be malachiteingestion-pa.googleapis.com. For other regions, see regional endpoints documentation.
Click Add Configuration to add the new provider configuration.

Collect Chrome Enterprise Premium context access-aware data

Set up feeds to ingest Chrome Enterprise Premium content specific to Identity-Aware Proxy (IAP) and context access aware data.

Who should enable the Identity-Aware Proxy API?

Chrome Enterprise Premium customers who use Identity-Aware Proxy (IAP) data should enable it.
For Chrome Enterprise Premium customers who don't use Identity-Aware Proxy data, enabling the Identity-Aware Proxy API is optional (but recommended). Doing so adds additional context-access aware data fields to your log data.

To enable the Identity-Aware Proxy API, perform the steps in Collect Chrome Enterprise Premium Context Access Aware Data.

Verify the data flow

To verify the data flow:

Open your Google SecOps instance.
Go to Menu > Search.
Run the following search query to look for raw, unparsed events: metadata.log_type = "CHROME_MANAGEMENT"

Supported log types

The following sections are applicable to the CHROME_MANAGEMENT parser.

Supported log events

Security category	Event type
`Audit Activity`	`CONTENT_TRANSFER` `CONTENT_UNSCANNED` `EXTENSION_REQUEST` `LOGIN_EVENT` `MALWARE_TRANSFER` `PASSWORD_BREACH` `SENSITIVE_DATA_TRANSFER` `UNSAFE_SITE_VISIT` `browserExtensionInstallEvent` `browserCrashEvent` `extensionTelemetryEvent` `loginEvent` `passwordChangedEvent`
`ChromeOS`	ChromeOS login failure `(CHROME_OS_LOGIN_FAILURE_EVENT)` ChromeOS login success `(CHROME_OS_LOGIN_EVENT)` ChromeOS logout `(CHROME_OS_LOGOUT_EVENT)` ChromeOS user added `(CHROME_OS_ADD_USER)` ChromeOS user removed `(CHROME_OS_REMOVE_USER)` ChromeOS lock success `(CHROMEOS_AFFILIATED_LOCK_SUCCESS)` ChromeOS unlock success `(CHROMEOS_AFFILIATED_UNLOCK_SUCCESS)` ChromeOS unlock failure `(CHROMEOS_AFFILIATED_UNLOCK_FAILURE)` ChromeOS device boot state change `(CHROMEOS_DEVICE_BOOT_STATE_CHANGE)` ChromeOS USB device added `(CHROMEOS_PERIPHERAL_ADDED)` ChromeOS USB device removed `(CHROMEOS_PERIPHERAL_REMOVED)` ChromeOS USB status change `(CHROMEOS_PERIPHERAL_STATUS_UPDATED)` ChromeOS CRD host started `(CHROME_OS_CRD_HOST_STARTED)` ChromeOS CRD client connected `(CHROME_OS_CRD_CLIENT_CONNECTED)` ChromeOS CRD client disconnected `(CHROME_OS_CRD_CLIENT_DISCONNECTED)` ChromeOS CRD host stopped `(CHROME_OS_CRD_HOST_ENDED)`
`Credential Security`	`passwordReuseEvent` `passwordBreachEvent`
`Data Protection`	`dataAccessControlEvent` `sensitiveDataEvent` `sensitiveDataTransferEvent`
`File Transfer`	`contentTransferEvent` `dangerousDownloadEvent` `unscannedFileEvent`
`Malicious Activity`	`badNavigationEvent` `dangerousDownloadEvent` `malwareTransferEvent`
`Navigation`	`interstitialEvent` `urlFilteringInterstitialEvent` `urlNavigationEvent` `SafeBrowsingInterstitialEvent` `suspiciousUrlEvent`

Supported Chrome log formats

The CHROME_MANAGEMENT parser supports logs in JSON format.

Supported Chrome sample log

Sample of a raw log for ingestion by the Chrome Management parser, in JSON format:

JSON:

{
  "event": "badNavigationEvent",
  "time": "1622093983.104",
  "reason": "SOCIAL_ENGINEERING",
  "result": "EVENT_RESULT_WARNED",
  "device_name": "",
  "device_user": "",
  "profile_user": "sample@domain.io",
  "url": "https://test.domain.com/s/phishing.html",
  "device_id": "e9806c71-0f4e-4dfa-8c52-93c05420bb8f",
  "os_platform": "",
  "os_version": "",
  "browser_version": "109.0.5414.120",
  "user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36",
  "client_type": "CHROME_BROWSER_PROFILE"
}

Field mapping reference

The following field mapping tables are relevant to the CHROME_MANAGEMENT parser (log type).

All fields are applicable to Chrome Enterprise Core customers and Chrome Enterprise Premium customers. Fields that are only applicable to Chrome Enterprise Premium customers are labeled "[CEP Only]".

Field mapping reference: Event Identifier to Event Type

The following table lists the CHROME_MANAGEMENT log types and their corresponding UDM event types.

Event Identifier	Event Type	Security Category
`badNavigationEvent - SOCIAL_ENGINEERING`	`USER_RESOURCE_ACCESS`	`SOCIAL_ENGINEERING`
`badNavigationEvent - SSL_ERROR`	`USER_RESOURCE_ACCESS`	`NETWORK_SUSPICIOUS`
`badNavigationEvent - MALWARE`	`USER_RESOURCE_ACCESS`	`SOFTWARE_MALICIOUS`
`badNavigationEvent - UNWANTED_SOFTWARE`	`USER_RESOURCE_ACCESS`	`SOFTWARE_PUA`
`badNavigationEvent - THREAT_TYPE_UNSPECIFIED`	`USER_RESOURCE_ACCESS`	`SOFTWARE_MALICIOUS`
`browserCrashEvent`	`STATUS_UPDATE`
`browserExtensionInstallEvent`	`USER_RESOURCE_UPDATE_CONTENT`
`Extension install - BROWSER_EXTENSION_INSTALL`	`USER_RESOURCE_UPDATE_CONTENT`
`EXTENSION_REQUEST`	`USER_UNCATEGORIZED`
`CHROME_OS_ADD_USER - CHROMEOS_AFFILIATED_USER_ADDED`	`USER_CREATION`
`CHROME_OS_ADD_USER - CHROMEOS_UNAFFILIATED_USER_ADDED`	`USER_CREATION`
`ChromeOS user added - CHROMEOS_UNAFFILIATED_USER_ADDED`	`USER_CREATION`
`ChromeOS user removed - CHROMEOS_UNAFFILIATED_USER_REMOVED`	`USER_DELETION`
`CHROME_OS_REMOVE_USER - CHROMEOS_AFFILIATED_USER_REMOVED`	`USER_DELETION`
`CHROME_OS_REMOVE_USER - CHROMEOS_UNAFFILIATED_USER_REMOVED`	`USER_DELETION`
`Login events`	`USER_LOGIN`
`LOGIN_EVENT - CHROMEOS_UNAFFILIATED_LOGIN`	`USER_LOGIN`
`loginEvent`	`USER_LOGIN`
`ChromeOS login success`	`USER_LOGIN`
`CHROME_OS_LOGIN_EVENT - CHROMEOS_AFFILIATED_LOGIN`	`USER_LOGIN`
`CHROME_OS_LOGIN_EVENT - CHROMEOS_UNAFFILIATED_LOGIN`	`USER_LOGIN`
`CHROME_OS_LOGIN_EVENT - CHROMEOS_GUEST_LOGIN`	`USER_LOGIN`
`CHROME_OS_LOGIN_EVENT - CHROMEOS_KIOSK_SESSION_LOGIN`	`USER_LOGIN`
`CHROME_OS_LOGIN_EVENT - CHROMEOS_GUEST_SESSION_LOGIN`	`USER_LOGIN`
`CHROME_OS_LOGIN_EVENT - CHROMEOS_MANAGED_GUEST_SESSION_LOGIN`	`USER_LOGIN`
`ChromeOS login failure - CHROMEOS_AFFILIATED_LOGIN`	`USER_LOGIN`
`CHROME_OS_LOGIN_FAILURE_EVENT - CHROMEOS_AFFILIATED_LOGIN`	`USER_LOGIN`
`CHROME_OS_LOGIN_FAILURE_EVENT - CHROMEOS_UNAFFILIATED_LOGIN`	`USER_LOGIN`
`CHROME_OS_LOGIN_LOGOUT_EVENT - CHROMEOS_AFFILIATED_LOGIN`	`USER_LOGIN`
`CHROME_OS_LOGOUT_EVENT - CHROMEOS_AFFILIATED_LOGOUT`	`USER_LOGOUT`
`CHROME_OS_LOGOUT_EVENT - CHROMEOS_GUEST_LOGOUT`	`USER_LOGOUT`
`CHROME_OS_LOGOUT_EVENT - CHROMEOS_MANAGED_GUEST_SESSION_LOGOUT`	`USER_LOGOUT`
`CHROME_OS_LOGOUT_EVENT - CHROMEOS_UNAFFILIATED_LOGOUT`	`USER_LOGOUT`
`CHROME_OS_LOGOUT_EVENT - CHROMEOS_KIOSK_SESSION_LOGOUT`	`USER_LOGOUT`
`CHROME_OS_LOGOUT_EVENT - CHROMEOS_GUEST_SESSION_LOGOUT`	`USER_LOGOUT`
`ChromeOS logout - CHROMEOS_AFFILIATED_LOGOUT`	`USER_LOGOUT`
`CHROME_OS_REPORTING_DATA_LOST`	`STATUS_UPDATE`
`ChromeOS CRD client connected - CHROMEOS_CRD_CLIENT_CONNECTED`	`USER_LOGIN`
`ChromeOS CRD client disconnected`	`USER_LOGOUT`
`CHROME_OS_CRD_HOST_STARTED - CHROMEOS_CRD_HOST_STARTED`	`STATUS_STARTUP`
`ChromeOS CRD host started - CHROMEOS_CRD_HOST_STARTED`	`STATUS_STARTUP`
`ChromeOS CRD host stopped - CHROMEOS_CRD_HOST_ENDED`	`STATUS_STARTUP`
`ChromeOS device boot state change - CHROME_OS_VERIFIED_MODE`	`SETTING_MODIFICATION`
`ChromeOS device boot state change - CHROME_OS_DEV_MODE`	`SETTING_MODIFICATION`
`DEVICE_BOOT_STATE_CHANGE - CHROME_OS_VERIFIED_MODE`	`SETTING_MODIFICATION`
`ChromeOS lock success - CHROMEOS_AFFILIATED_LOCK_SUCCESS`	`USER_LOGOUT`
`ChromeOS unlock success - CHROMEOS_AFFILIATED_UNLOCK_SUCCESS`	`USER_LOGIN`
`ChromeOS unlock failure - CHROMEOS_AFFILIATED_LOGIN`	`USER_LOGIN`
`ChromeOS USB device added - CHROMEOS_PERIPHERAL_ADDED`	`USER_RESOURCE_ACCESS`
`ChromeOS USB device removed - CHROMEOS_PERIPHERAL_REMOVED`	`USER_RESOURCE_DELETION`
`ChromeOS USB status change - CHROMEOS_PERIPHERAL_STATUS_UPDATED`	`USER_RESOURCE_UPDATE_CONTENT`
`CHROMEOS_PERIPHERAL_STATUS_UPDATED - CHROMEOS_PERIPHERAL_STATUS_UPDATED`	`USER_RESOURCE_UPDATE_CONTENT`
`Client Side Detection`	`USER_UNCATEGORIZED`
`Content transfer`	`SCAN_FILE`
`CONTENT_TRANSFER`	`SCAN_FILE`
`contentTransferEvent`	`SCAN_FILE`
`Content unscanned`	`SCAN_UNCATEGORIZED`
`CONTENT_UNSCANNED`	`SCAN_UNCATEGORIZED`
`dataAccessControlEvent`	`USER_RESOURCE_ACCESS`
`dangerousDownloadEvent - Dangerous`	`SCAN_FILE`	`SOFTWARE_PUA`
`dangerousDownloadEvent - DANGEROUS_HOST`	`SCAN_HOST`
`dangerousDownloadEvent - UNCOMMON`	`SCAN_UNCATEGORIZED`
`dangerousDownloadEvent - POTENTIALLY_UNWANTED`	`SCAN_UNCATEGORIZED`	`SOFTWARE_PUA`
`dangerousDownloadEvent - UNKNOWN`	`SCAN_UNCATEGORIZED`
`dangerousDownloadEvent - DANGEROUS_URL`	`SCAN_UNCATEGORIZED`
`dangerousDownloadEvent - UNWANTED_SOFTWARE`	`SCAN_FILE`	`SOFTWARE_PUA`
`dangerousDownloadEvent - DANGEROUS_FILE_TYPE`	`SCAN_FILE`	`SOFTWARE_MALICIOUS`
`Desktop DLP Warnings`	`USER_UNCATEGORIZED`
`DLP_EVENT`	`USER_UNCATEGORIZED`
`interstitialEvent - Malware`	`NETWORK_HTTP`	`NETWORK_SUSPICIOUS`
`IOS/OSX Warnings`	`SCAN_UNCATEGORIZED`
`Malware transfer - MALWARE_TRANSFER_DANGEROUS`	`SCAN_FILE`	`SOFTWARE_MALICIOUS`
`MALWARE_TRANSFER - MALWARE_TRANSFER_UNCOMMON`	`SCAN_FILE`	`SOFTWARE_MALICIOUS`
`MALWARE_TRANSFER - MALWARE_TRANSFER_DANGEROUS`	`SCAN_FILE`	`SOFTWARE_MALICIOUS`
`MALWARE_TRANSFER - MALWARE_TRANSFER_UNWANTED_SOFTWARE`	`SCAN_FILE`	`SOFTWARE_MALICIOUS`
`MALWARE_TRANSFER - MALWARE_TRANSFER_UNKNOWN`	`SCAN_FILE`	`SOFTWARE_MALICIOUS`
`MALWARE_TRANSFER - MALWARE_TRANSFER_DANGEROUS_HOST`	`SCAN_FILE`	`SOFTWARE_MALICIOUS`
`malwareTransferEvent - DANGEROUS`	`SCAN_FILE`	`SOFTWARE_MALICIOUS`
`malwareTransferEvent - UNSPECIFIED`	`SCAN_FILE`	`SOFTWARE_MALICIOUS`
`Password breach`	`USER_RESOURCE_ACCESS`
`PASSWORD_BREACH`	`USER_RESOURCE_ACCESS`
`passwordBreachEvent - PASSWORD_ENTRY`	`USER_RESOURCE_ACCESS`
`Password changed`	`USER_CHANGE_PASSWORD`
`PASSWORD_CHANGED`	`USER_CHANGE_PASSWORD`
`passwordChangedEvent`	`USER_CHANGE_PASSWORD`
`Password reuse - PASSWORD_REUSED_UNAUTHORIZED_SITE`	`USER_RESOURCE_ACCESS`	`POLICY_VIOLATION, AUTH_VIOLATION`
`Password reuse - PASSWORD_REUSED_PHISHING_URL`	`USER_UNCATEGORIZED`	`PHISHING`
`PASSWORD_REUSE - PASSWORD_REUSED_UNAUTHORIZED_SITE`	`USER_RESOURCE_ACCESS`	`POLICY_VIOLATION, AUTH_VIOLATION`
`passwordReuseEvent - Unauthorized site`	`USER_RESOURCE_ACCESS`	`POLICY_VIOLATION, AUTH_VIOLATION`
`passwordReuseEvent - PASSWORD_REUSED_PHISHING_URL`	`USER_UNCATEGORIZED`	`PHISHING`
`passwordReuseEvent - PASSWORD_REUSED_UNAUTHORIZED_SITE`	`USER_RESOURCE_ACCESS`	`POLICY_VIOLATION, AUTH_VIOLATION`
`Permissions Blacklisting`	`RESOURCE_PERMISSIONS_CHANGE`
`Sensitive data transfer`	`SCAN_FILE`	`DATA_EXFILTRATION`
`SENSITIVE_DATA_TRANSFER`	`SCAN_FILE`	`DATA_EXFILTRATION`
`sensitiveDataEvent - [test_user_5] warn`	`SCAN_FILE`	`DATA_EXFILTRATION`
`sensitiveDataTransferEvent`	`SCAN_FILE`	`DATA_EXFILTRATION`
`Unsafe site visit - UNSAFE_SITE_VISIT_SSL_ERROR`	`USER_RESOURCE_ACCESS`	`NETWORK_SUSPICIOUS`
`UNSAFE_SITE_VISIT - UNSAFE_SITE_VISIT_MALWARE`	`USER_RESOURCE_ACCESS`	`SOFTWARE_MALICIOUS`
`UNSAFE_SITE_VISIT - UNSAFE_SITE_VISIT_UNWANTED_SOFTWARE`	`USER_RESOURCE_ACCESS`	`SOFTWARE_SUSPICIOUS`
`UNSAFE_SITE_VISIT - EVENT_REASON_UNSPECIFIED`	`USER_RESOURCE_ACCESS`
`UNSAFE_SITE_VISIT - UNSAFE_SITE_VISIT_SOCIAL_ENGINEERING`	`USER_RESOURCE_ACCESS`	`SOCIAL_ENGINEERING`
`UNSAFE_SITE_VISIT - UNSAFE_SITE_VISIT_SSL_ERROR`	`USER_RESOURCE_ACCESS`	`NETWORK_SUSPICIOUS`
`unscannedFileEvent - FILE_PASSWORD_PROTECTED`	`SCAN_FILE`
`unscannedFileEvent - FILE_TOO_LARGE`	`SCAN_FILE`
`urlFilteringInterstitialEvent`	`USER_RESOURCE_ACCESS`	`POLICY_VIOLATION`
`extensionTelemetryEvent`	If the `telemetry_event_signals.signal_name` log field value is equal to the `COOKIES_GET_ALL_INFO, COOKIES_GET_INFO, TABS_API_INFO`, then the `event_type` set to `USER_RESOURCE_ACCESS`. Else, if the `telemetry_event_signals.signal_name` log field value is equal to `REMOTE_HOST_CONTACTED_INFO`, then if the `telemetry_event_signals.connection_protocol` log field value is equal to `HTTP_HTTPS`, then the `event_type` is set to `NETWORK_HTTP`. Else, the `event_type` UDM field is set to `NETWORK_UNCATEGORIZED`.	If the `telemetry_event_signals.signal_name` log field value is equal to `REMOTE_HOST_CONTACTED_INFO`, then the `security category` is set to `NETWORK_SUSPICIOUS`. Else, if the `telemetry_event_signals.signal_name` log field value contain one of the following values, then the `security category` UDM field is set to `SOFTWARE_SUSPICIOUS`. `COOKIES_GET_INFO` `COOKIES_GET_ALL_INFO`

Field mapping reference: CHROME_MANAGEMENT preview version

The following table lists the log fields of the CHROME_MANAGEMENT log type and their corresponding UDM fields.

Log field	UDM mapping	Logic
`about.file.sha256`	`pehash_sha256`	[CEP Only] The SHA256 file hash (`pehash_sha256`) reported from a `dangerousDownloadEvent` or `contentTransferEvent`.
`about.domain.name`	`device_fqdn`	[CEP Only] The device's fully qualified domain name reported in a `urlNavigationEvent`, `suspiciousUrlEvent`, or `urlFilteringInterstitialEvent`. Not reported for unmanaged devices with managed user profiles.
`principal.network.carrier_name`	`network_name`	[CEP Only] The network name (SSID) the device is connected to reported in a `urlNavigationEvent`, `suspiciousUrlEvent`, or `urlFilteringInterstitialEvent`.
`security_result.threat_name`	`content_risk.threat_type`	[CEP Only] The threat type of the content reported in a `dangerousDownloadEvent` or `contentTransferEvent`.
`security_result.severity`	`content_risk_level, content_risk.risk_level`	[CEP Only] The content risk level reported by Safe Browsing in a `dangerousDownloadEvent` or `contentTransferEvent`.
`security_result.rule_label`	`content_risk.risk_reasons`	[CEP Only] The content risk reason reported by Safe Browsing in a `dangerousDownloadEvent` or `contentTransferEvent`.
`security_result.detection_fields[content_risk_indicators]`	`content_risk.risk_indicators`	[CEP Only] The list of indicators from the Safe Browsing risk level in a `dangerousDownloadEvent` or `contentTransferEvent`.
`security_result.detection_fields[content_risk_source]`	`content_risk.risk_source`	[CEP Only] The risk source of the content reported by Safe Browsing in a `dangerousDownloadEvent` or `contentTransferEvent`.
`additional.fields[is_encrypted]`	`is_encrypted`	[CEP Only] Set to `true` if the content is encrypted in `dangerousDownloadEvent` or `contentTransferEvent`.
`additional.fields[server_scan_status]`	`server_scan_status`	[CEP Only] The status of whether the content in `dangerousDownloadEvent` or `contentTransferEvent` was successfully scanned by Safe Browsing.
`principal.url`	`url_info.url`	[CEP Only] The URL of `dangerousDownloadEvent`, `contentTransferEvent`, `urlNavigationEvent`, `suspiciousUrlEvent`, or `urlFilteringInterstitialEvent`.
`principal.ip`	`url_info.ip`	[CEP Only] The IP address of `dangerousDownloadEvent`, `contentTransferEvent`, `urlNavigationEvent`, `suspiciousUrlEvent`, or `urlFilteringInterstitialEvent`.
`principal.security_result.detection_fields[url_info_type]`	`url_info.type`	[CEP Only] The URL type (download, tab, or redirect) of `dangerousDownloadEvent`, `contentTransferEvent`, `urlNavigationEvent`, `suspiciousUrlEvent`, or `urlFilteringInterstitialEvent`.
`principal.security_result.severity`	`url_info.risk_level`	[CEP Only] The risk level of the URL reported by Safe Browsing.
`principal.security_result.severity`	`url_info.risk_infos.risk_level`	[CEP Only] Additional risk information reported by Safe Browsing.
`principal.security_result.detection_fields[url_info_initiator_type]`	`url_info.navigation_initiator.initiator_type`	[CEP Only] This maps the `url_info_initiator_type` in a `dangerousDownloadEvent` or `contentTransferEvent`. In a `urlNavigationEvent`, `suspiciousUrlEvent`, or `urlFilteringInterstitialEvent` this maps the `url_navigation_initiator`.
`principal.security_result.detection_fields[url_info_entity]`	`url_info.navigation_initiator.entity`	[CEP Only] This maps the `url_info_entity` in a `dangerousDownloadEvent` or `contentTransferEvent`. In a `urlNavigationEvent`, `suspiciousUrlEvent`, or `urlFilteringInterstitialEvent` this maps the `url_infos_navigation_entity`.
`principal.security_result.detection_fields[url_info_request_http_method]`	`url_info.request_http_method`	[CEP Only] The HTTP method used to contact the URL.
`principal.url_metadata.categories`	`url_info.url_categories`	[CEP Only] The URL category reported by Safe Browsing of `urlNavigationEvent` or `suspiciousUrlEvent`.
`principal.security_result.detection_fields[url_info_risk_infos_risk_indicators_key]`	`url_info.risk_infos.risk_indicators`	[CEP Only] The URL risk indicators reported by Safe Browsing of `urlNavigationEvent` or `suspiciousUrlEvent`.
`principal.security_result.rule_label[risk_reason]`	`url_info.risk_infos.risk_reasons`	[CEP Only] The Safe Browsing reason for the URL risk classification of `urlNavigationEvent` or `suspiciousUrlEvent`.
`principal.security_result.detection_fields[content_risk_source]`	`url_info.risk_infos.risk_source`	[CEP Only] The risk source determination reported by Safe Browsing. This includes URL and file reputation and content scanning results for `urlNavigationEvent`, `suspiciousUrlEvent`, or `urlFilteringInterstitialEvent`.
`security_result.threat_name`	`url_info.risk_infos.threat_type`	[CEP Only] The threat type reported by Safe Browsing of the URL for `urlNavigationEvent`, `suspiciousUrlEvent`, or `urlFilteringInterstitialEvent`.
`about.url`	`tab_url_info.url, tab_url, referrers.url`	[CEP Only] Maps the `tab_url_info.url` of `dangerousDownloadEvent` or `contentTransferEvent`. Maps the `referrers.url` of a `urlNavigationEvent`, or `suspiciousUrlEvent`.
`about.ip`	`tab_url_info.ip, remote_ip, referrers.ip`	[CEP Only] Maps the `tab_url_info_ip` IP address associated with `dangerousDownloadEvent` or `contentTransferEvent`. Maps the IP address of `remote_ip` or `referrers.ip` in `urlNavigationEvent` or `suspiciousUrlEvent`.
`about.security_result.detection_fields[tab_url_info_type]`	`tab_url_info.type`	[CEP Only] The URL tab type for `dangerousDownloadEvent` or `contentTransferEvent`.
`about.security_result.severity`	`tab_url_info.risk_level`	[CEP Only] The Safe Browsing risk level associated with the URL from a tab event for `dangerousDownloadEvent` or `contentTransferEvent`.
`about.security_result.detection_fields[tab_url_info_initiator_type]`	`tab_url_info.navigation_initiator.initiator_type`	[CEP Only] The initiator type of the tab event for `dangerousDownloadEvent` or `contentTransferEvent`.
`about.security_result.detection_fields[tab_url_info_entity]`	`tab_url_info.navigation_initiator.entity`	[CEP Only] The `tab_url_info_entity` for `dangerousDownloadEvent` or `contentTransferEvent`.
`about.security_result.detection_fields[tab_url_info_request_http_method]`	`tab_url_info.request_http_method`	[CEP Only] The HTTP method a tab used to contact the URL of `dangerousDownloadEvent` or `contentTransferEvent`.
`about.security_result.detection_fields[referrers_navigation_initiator_entity]`	`referrers.navigation_initiator.entity`	[CEP Only] The referrer entity name that initiated the navigation event for `urlNavigationEvent` or `suspiciousUrlEvent`.
`about.security_result.detection_fields[referrers_navigation_initiator_initiator_type]`	`referrers.navigation_initiator.initiator_type`	[CEP Only] The referrer type that initiated `urlNavigationEvent` or `suspiciousUrlEvent`.
`about.security_result.detection_fields[referrers_request_http_method]`	`referrers.request_http_method`	[CEP Only] The HTTP method of `urlNavigationEvent` or `suspiciousUrlEvent`.
`about.security_result.detection_fields[referrers_risk_infos_risk_categories]`	`referrers.risk_infos.risk_categories`	[CEP Only] The URL category of the referrer, as provided by the Safe Browsing service, associated with `urlNavigationEvent` or `suspiciousUrlEvent`.
`about.security_result.severity`	`referrers.risk_infos.risk_level, referrers.risk_level`	[CEP Only] Maps the risk level provided by Safe Browsing `referrers.risk_level` for a `urlNavigationEvent` or `suspiciousUrlEvent` or `referrers.risk_infos.risk_level` for `urlNavigationEvent` or `suspiciousUrlEvent`.
`about.security_result.detection_fields[referrers_type]`	`referrers.type`	[CEP Only] The URL type provided by Safe Browsing of the referrer URL of `urlNavigationEvent` or `suspiciousUrlEvent`.
`about.security_result.detection_fields[referrers_risk_source]`	`referrers.risk_infos.risk_source`	[CEP Only] The risk source provided by Safe Browsing for the referrer URL of `urlNavigationEvent` or `suspiciousUrlEvent`.
`about.security_result.threat_name`	`referrers.risk_infos.threat_type`	[CEP Only] The threat type provided by Safe Browsing for the referrer URL of `urlNavigationEvent` or `suspiciousUrlEvent`.
`about.url_metadata.categories`	`referrers.url_categories`	[CEP Only] The URL category provided by Safe Browsing for the referrer URL of `urlNavigationEvent` or `suspiciousUrlEvent`.

Need more help? Get answers from Community members and Google SecOps professionals.