Chrome 로그 수집
다음에서 지원:
Google SecOps
SIEM
이 문서에서는 Chrome Enterprise 보고 커넥터를 설정하여 Chrome 브라우저 및 ChromeOS 보안 이벤트 로그를 수집하는 방법과 로그 필드가 Chrome 통합 데이터 모델 (UDM) 필드에 매핑되는 방법을 설명합니다.
자세한 내용은 Google SecOps에 데이터 수집을 참조하세요.
개요
일반적인 배포는 로그를 Google SecOps에 전송하도록 구성된 Chrome 브라우저 및 ChromeOS 보안 이벤트로 구성됩니다. 고객 배포마다 다를 수 있으며 더 복잡할 수도 있습니다. 배포는 다음과 같은 구성요소로 구성됩니다.
Chrome: 수집하려는 Chrome 브라우저 및 ChromeOS 보안 이벤트입니다.
Chrome Enterprise 보고 커넥터: Chrome Enterprise 보고 커넥터는 Chrome 로그를 Google SecOps로 전달합니다.
Google SecOps: Chrome 로그를 보관하고 분석합니다.
수집 라벨은 원시 로그 데이터를 구조화된 UDM 형식으로 정규화하는 파서를 식별합니다.
이 문서의 정보는 CHROME_MANAGEMENT 수집 라벨이 있는 파서에 적용됩니다.
시작하기 전에
Google Workspace 관리자 계정이 있어야 합니다.
배포 아키텍처의 모든 시스템이 UTC 시간대로 구성되었는지 확인합니다.
Chronicle Ingestion API 키가 있는지 확인합니다. API 키가 없는 경우 Google SecOps 지원팀 또는 Google SecOps 고객 담당자에게 문의하여 Chronicle 수집 API 키를 요청하세요.
자세한 내용은 Chrome 로그 이벤트를 참고하세요.
Chrome 브라우저 클라우드 관리 설정
Chrome 브라우저 클라우드 관리를 설정하는 대략적인 단계는 다음과 같습니다.
다음 단계에 따라 Chrome 브라우저 클라우드 관리를 설정하세요.
관리 콘솔에서 메뉴 > 기기 > Chrome > 관리 브라우저를 클릭합니다.
선택사항: 최상위 조직을 선택하거나 해당 조직 단위에 브라우저를 직접 등록할 토큰을 생성하려는 조직 단위를 선택합니다. 자세한 내용은 조직 단위 추가를 참조하세요.
등록을 클릭합니다. 첫 브라우저 등록인 경우 Chrome 브라우저 클라우드 관리(CBCM) 서비스 약관에 동의하라는 메시지가 표시됩니다.
등록 토큰을 클립보드로 복사를 클릭합니다.
클라우드 관리 Chrome 브라우저를 등록하려면 완료를 클릭합니다.
관리 콘솔에서 메뉴 > 기기 > Chrome > 설정 > 사용자 및 브라우저로 이동합니다. 모든 하위 조직에 정책이 상속되도록 최상위 조직 단위를 선택합니다. 브라우저 보고까지 아래로 스크롤합니다.
관리 브라우저 보고를 관리 브라우저 클라우드 보고 사용으로 설정합니다.
Chrome 브라우저 보고 기능을 사용 설정하려면 저장을 클릭합니다.
관리 콘솔에서 메뉴 > 기기 > Chrome > 커넥터로 이동합니다.
선택사항: Chrome Enterprise 커넥터 설정을 처음 구성하는 경우 표시되는 안내에 따라 Chrome Enterprise 커넥터를 사용 설정합니다.
상단에서 + 새 제공업체 구성 추가를 클릭합니다.
오른쪽에 표시되는 패널에서 Google SecOps 설정을 찾고 설정을 클릭합니다.
구성 ID, API 키, 호스트 이름을 입력합니다.
구성 ID: 사용자 및 브라우저 설정 페이지와 커넥터 페이지에 표시되는 ID입니다.
API 키: 고객을 식별하기 위해 Chronicle 수집 API를 호출할 때 지정할 API 키입니다.
호스트 이름: 수집 API 엔드포인트입니다. 미국 고객의 경우 항상 malachiteingestion-pa.googleapis.com입니다. 다른 지역의 경우 리전별 엔드포인트 문서를 참고하세요.
구성 추가를 클릭하여 새 제공업체 구성을 추가합니다.
지원되는 로그 유형 및 데이터 모델
다음은 Chrome 관리에 지원되는 로그 유형과 이벤트입니다. 지원되는 모든 로그 유형과 이벤트는 JSON 형식입니다.
| 로그 유형 | 이벤트 유형 |
|---|---|
| 악의적인 활동 |
|
| 활동 감사 |
|
| 데이터 보호 |
|
| Chrome OS |
|
지원되는 Google Chrome 로그 형식
Google Chrome 파서는 JSON 형식의 로그를 지원합니다.
지원되는 Google Chrome 샘플 로그
JSON:
{ "event": "badNavigationEvent", "time": "1622093983.104", "reason": "SOCIAL_ENGINEERING", "result": "EVENT_RESULT_WARNED", "device_name": "", "device_user": "", "profile_user": "sample@domain.io", "url": "https://test.domain.com/s/phishing.html", "device_id": "e9806c71-0f4e-4dfa-8c52-93c05420bb8f", "os_platform": "", "os_version": "", "browser_version": "109.0.5414.120", "user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36", "client_type": "CHROME_BROWSER_PROFILE" }
필드 매핑 참조
이 섹션에서는 Google SecOps 파서가 Chrome 로그 필드를 데이터 세트의 Google SecOps 통합 데이터 모델(UDM) 필드에 매핑하는 방식을 설명합니다.
필드 매핑 참조: 이벤트 식별자에서 이벤트 유형으로
다음 표에는 CHROME_MANAGEMENT 로그 유형과 해당 UDM 이벤트 유형이 나와 있습니다.
| Event Identifier | Event Type | Security Category |
|---|---|---|
badNavigationEvent - SOCIAL_ENGINEERING |
USER_RESOURCE_ACCESS |
SOCIAL_ENGINEERING |
badNavigationEvent - SSL_ERROR |
USER_RESOURCE_ACCESS |
NETWORK_SUSPICIOUS |
badNavigationEvent - MALWARE |
USER_RESOURCE_ACCESS |
SOFTWARE_MALICIOUS |
badNavigationEvent - UNWANTED_SOFTWARE |
USER_RESOURCE_ACCESS |
SOFTWARE_PUA |
badNavigationEvent - THREAT_TYPE_UNSPECIFIED |
USER_RESOURCE_ACCESS |
SOFTWARE_MALICIOUS |
browserCrashEvent |
STATUS_UPDATE |
|
browserExtensionInstallEvent |
USER_RESOURCE_UPDATE_CONTENT |
|
Extension install - BROWSER_EXTENSION_INSTALL |
USER_RESOURCE_UPDATE_CONTENT |
|
EXTENSION_REQUEST |
USER_UNCATEGORIZED |
|
CHROME_OS_ADD_USER - CHROMEOS_AFFILIATED_USER_ADDED |
USER_CREATION |
|
CHROME_OS_ADD_USER - CHROMEOS_UNAFFILIATED_USER_ADDED |
USER_CREATION |
|
ChromeOS user added - CHROMEOS_UNAFFILIATED_USER_ADDED |
USER_CREATION |
|
ChromeOS user removed - CHROMEOS_UNAFFILIATED_USER_REMOVED |
USER_DELETION |
|
CHROME_OS_REMOVE_USER - CHROMEOS_AFFILIATED_USER_REMOVED |
USER_DELETION |
|
CHROME_OS_REMOVE_USER - CHROMEOS_UNAFFILIATED_USER_REMOVED |
USER_DELETION |
|
Login events |
USER_LOGIN |
|
LOGIN_EVENT - CHROMEOS_UNAFFILIATED_LOGIN |
USER_LOGIN |
|
loginEvent |
USER_LOGIN |
|
ChromeOS login success |
USER_LOGIN |
|
CHROME_OS_LOGIN_EVENT - CHROMEOS_AFFILIATED_LOGIN |
USER_LOGIN |
|
CHROME_OS_LOGIN_EVENT - CHROMEOS_UNAFFILIATED_LOGIN |
USER_LOGIN |
|
CHROME_OS_LOGIN_EVENT - CHROMEOS_GUEST_LOGIN |
USER_LOGIN |
|
CHROME_OS_LOGIN_EVENT - CHROMEOS_KIOSK_SESSION_LOGIN |
USER_LOGIN |
|
CHROME_OS_LOGIN_EVENT - CHROMEOS_GUEST_SESSION_LOGIN |
USER_LOGIN |
|
CHROME_OS_LOGIN_EVENT - CHROMEOS_MANAGED_GUEST_SESSION_LOGIN |
USER_LOGIN |
|
ChromeOS login failure - CHROMEOS_AFFILIATED_LOGIN |
USER_LOGIN |
|
CHROME_OS_LOGIN_FAILURE_EVENT - CHROMEOS_AFFILIATED_LOGIN |
USER_LOGIN |
|
CHROME_OS_LOGIN_FAILURE_EVENT - CHROMEOS_UNAFFILIATED_LOGIN |
USER_LOGIN |
|
CHROME_OS_LOGIN_LOGOUT_EVENT - CHROMEOS_AFFILIATED_LOGIN |
USER_LOGIN |
|
CHROME_OS_LOGOUT_EVENT - CHROMEOS_AFFILIATED_LOGOUT |
USER_LOGOUT |
|
CHROME_OS_LOGOUT_EVENT - CHROMEOS_GUEST_LOGOUT |
USER_LOGOUT |
|
CHROME_OS_LOGOUT_EVENT - CHROMEOS_MANAGED_GUEST_SESSION_LOGOUT |
USER_LOGOUT |
|
CHROME_OS_LOGOUT_EVENT - CHROMEOS_UNAFFILIATED_LOGOUT |
USER_LOGOUT |
|
CHROME_OS_LOGOUT_EVENT - CHROMEOS_KIOSK_SESSION_LOGOUT |
USER_LOGOUT |
|
CHROME_OS_LOGOUT_EVENT - CHROMEOS_GUEST_SESSION_LOGOUT |
USER_LOGOUT |
|
ChromeOS logout - CHROMEOS_AFFILIATED_LOGOUT |
USER_LOGOUT |
|
CHROME_OS_REPORTING_DATA_LOST |
STATUS_UPDATE |
|
ChromeOS CRD client connected - CHROMEOS_CRD_CLIENT_CONNECTED |
USER_LOGIN |
|
ChromeOS CRD client disconnected |
USER_LOGOUT |
|
CHROME_OS_CRD_HOST_STARTED - CHROMEOS_CRD_HOST_STARTED |
STATUS_STARTUP |
|
ChromeOS CRD host started - CHROMEOS_CRD_HOST_STARTED |
STATUS_STARTUP |
|
ChromeOS CRD host stopped - CHROMEOS_CRD_HOST_ENDED |
STATUS_STARTUP |
|
ChromeOS device boot state change - CHROME_OS_VERIFIED_MODE |
SETTING_MODIFICATION |
|
ChromeOS device boot state change - CHROME_OS_DEV_MODE |
SETTING_MODIFICATION |
|
DEVICE_BOOT_STATE_CHANGE - CHROME_OS_VERIFIED_MODE |
SETTING_MODIFICATION |
|
ChromeOS lock success - CHROMEOS_AFFILIATED_LOCK_SUCCESS |
USER_LOGOUT |
|
ChromeOS unlock success - CHROMEOS_AFFILIATED_UNLOCK_SUCCESS |
USER_LOGIN |
|
ChromeOS unlock failure - CHROMEOS_AFFILIATED_LOGIN |
USER_LOGIN |
|
ChromeOS USB device added - CHROMEOS_PERIPHERAL_ADDED |
USER_RESOURCE_ACCESS |
|
ChromeOS USB device removed - CHROMEOS_PERIPHERAL_REMOVED |
USER_RESOURCE_DELETION |
|
ChromeOS USB status change - CHROMEOS_PERIPHERAL_STATUS_UPDATED |
USER_RESOURCE_UPDATE_CONTENT |
|
CHROMEOS_PERIPHERAL_STATUS_UPDATED - CHROMEOS_PERIPHERAL_STATUS_UPDATED |
USER_RESOURCE_UPDATE_CONTENT |
|
Client Side Detection |
USER_UNCATEGORIZED |
|
Content transfer |
SCAN_FILE |
|
CONTENT_TRANSFER |
SCAN_FILE |
|
contentTransferEvent |
SCAN_FILE |
|
Content unscanned |
SCAN_UNCATEGORIZED |
|
CONTENT_UNSCANNED |
SCAN_UNCATEGORIZED |
|
dataAccessControlEvent |
USER_RESOURCE_ACCESS |
|
dangerousDownloadEvent - Dangerous |
SCAN_FILE |
SOFTWARE_PUA |
dangerousDownloadEvent - DANGEROUS_HOST |
SCAN_HOST |
|
dangerousDownloadEvent - UNCOMMON |
SCAN_UNCATEGORIZED |
|
dangerousDownloadEvent - POTENTIALLY_UNWANTED |
SCAN_UNCATEGORIZED |
SOFTWARE_PUA |
dangerousDownloadEvent - UNKNOWN |
SCAN_UNCATEGORIZED |
|
dangerousDownloadEvent - DANGEROUS_URL |
SCAN_UNCATEGORIZED |
|
dangerousDownloadEvent - UNWANTED_SOFTWARE |
SCAN_FILE |
SOFTWARE_PUA |
dangerousDownloadEvent - DANGEROUS_FILE_TYPE |
SCAN_FILE |
SOFTWARE_MALICIOUS |
Desktop DLP Warnings |
USER_UNCATEGORIZED |
|
DLP_EVENT |
USER_UNCATEGORIZED |
|
interstitialEvent - Malware |
NETWORK_HTTP |
NETWORK_SUSPICIOUS |
IOS/OSX Warnings |
SCAN_UNCATEGORIZED |
|
Malware transfer - MALWARE_TRANSFER_DANGEROUS |
SCAN_FILE |
SOFTWARE_MALICIOUS |
MALWARE_TRANSFER - MALWARE_TRANSFER_UNCOMMON |
SCAN_FILE |
SOFTWARE_MALICIOUS |
MALWARE_TRANSFER - MALWARE_TRANSFER_DANGEROUS |
SCAN_FILE |
SOFTWARE_MALICIOUS |
MALWARE_TRANSFER - MALWARE_TRANSFER_UNWANTED_SOFTWARE |
SCAN_FILE |
SOFTWARE_MALICIOUS |
MALWARE_TRANSFER - MALWARE_TRANSFER_UNKNOWN |
SCAN_FILE |
SOFTWARE_MALICIOUS |
MALWARE_TRANSFER - MALWARE_TRANSFER_DANGEROUS_HOST |
SCAN_FILE |
SOFTWARE_MALICIOUS |
malwareTransferEvent - DANGEROUS |
SCAN_FILE |
SOFTWARE_MALICIOUS |
malwareTransferEvent - UNSPECIFIED |
SCAN_FILE |
SOFTWARE_MALICIOUS |
Password breach |
USER_RESOURCE_ACCESS |
|
PASSWORD_BREACH |
USER_RESOURCE_ACCESS |
|
passwordBreachEvent - PASSWORD_ENTRY |
USER_RESOURCE_ACCESS |
|
Password changed |
USER_CHANGE_PASSWORD |
|
PASSWORD_CHANGED |
USER_CHANGE_PASSWORD |
|
passwordChangedEvent |
USER_CHANGE_PASSWORD |
|
Password reuse - PASSWORD_REUSED_UNAUTHORIZED_SITE |
USER_RESOURCE_ACCESS |
POLICY_VIOLATION, AUTH_VIOLATION |
Password reuse - PASSWORD_REUSED_PHISHING_URL |
USER_UNCATEGORIZED |
PHISHING |
PASSWORD_REUSE - PASSWORD_REUSED_UNAUTHORIZED_SITE |
USER_RESOURCE_ACCESS |
POLICY_VIOLATION, AUTH_VIOLATION |
passwordReuseEvent - Unauthorized site |
USER_RESOURCE_ACCESS |
POLICY_VIOLATION, AUTH_VIOLATION |
passwordReuseEvent - PASSWORD_REUSED_PHISHING_URL |
USER_UNCATEGORIZED |
PHISHING |
passwordReuseEvent - PASSWORD_REUSED_UNAUTHORIZED_SITE |
USER_RESOURCE_ACCESS |
POLICY_VIOLATION, AUTH_VIOLATION |
Permissions Blacklisting |
RESOURCE_PERMISSIONS_CHANGE |
|
Sensitive data transfer |
SCAN_FILE |
DATA_EXFILTRATION |
SENSITIVE_DATA_TRANSFER |
SCAN_FILE |
DATA_EXFILTRATION |
sensitiveDataEvent - [test_user_5] warn |
SCAN_FILE |
DATA_EXFILTRATION |
sensitiveDataTransferEvent |
SCAN_FILE |
DATA_EXFILTRATION |
Unsafe site visit - UNSAFE_SITE_VISIT_SSL_ERROR |
USER_RESOURCE_ACCESS |
NETWORK_SUSPICIOUS |
UNSAFE_SITE_VISIT - UNSAFE_SITE_VISIT_MALWARE |
USER_RESOURCE_ACCESS |
SOFTWARE_MALICIOUS |
UNSAFE_SITE_VISIT - UNSAFE_SITE_VISIT_UNWANTED_SOFTWARE |
USER_RESOURCE_ACCESS |
SOFTWARE_SUSPICIOUS |
UNSAFE_SITE_VISIT - EVENT_REASON_UNSPECIFIED |
USER_RESOURCE_ACCESS |
|
UNSAFE_SITE_VISIT - UNSAFE_SITE_VISIT_SOCIAL_ENGINEERING |
USER_RESOURCE_ACCESS |
SOCIAL_ENGINEERING |
UNSAFE_SITE_VISIT - UNSAFE_SITE_VISIT_SSL_ERROR |
USER_RESOURCE_ACCESS |
NETWORK_SUSPICIOUS |
unscannedFileEvent - FILE_PASSWORD_PROTECTED |
SCAN_FILE |
|
unscannedFileEvent - FILE_TOO_LARGE |
SCAN_FILE |
|
urlFilteringInterstitialEvent |
USER_RESOURCE_ACCESS |
POLICY_VIOLATION |
extensionTelemetryEvent |
If the telemetry_event_signals.signal_name log field value is equal to the COOKIES_GET_ALL_INFO, COOKIES_GET_INFO, TABS_API_INFO, then the event_type set to USER_RESOURCE_ACCESS.Else, if the telemetry_event_signals.signal_name log field value is equal to REMOTE_HOST_CONTACTED_INFO, then if the telemetry_event_signals.connection_protocol log field value is equal to HTTP_HTTPS, then the event_type is set to NETWORK_HTTP.Else, the event_type UDM field is set to NETWORK_UNCATEGORIZED. |
If the telemetry_event_signals.signal_name log field value is equal to REMOTE_HOST_CONTACTED_INFO, then the security category is set to NETWORK_SUSPICIOUS.Else, if the telemetry_event_signals.signal_name log field value contain one of the following values, then the security category UDM field is set to SOFTWARE_SUSPICIOUS.
|
필드 매핑 참조: CHROME_MANAGEMENT
다음 표에는 CHROME_MANAGEMENT 로그 유형의 로그 필드와 해당 UDM 필드가 나와 있습니다.
| Log field | UDM mapping | Logic |
|---|---|---|
id.customerId |
about.resource.product_object_id |
|
event_detail |
metadata.description |
|
time |
metadata.event_timestamp |
|
events.parameters.name [TIMESTAMP] |
metadata.event_timestamp |
|
event |
metadata.product_event_type |
|
events.name |
metadata.product_event_type |
|
id.uniqueQualifier |
metadata.product_log_id |
|
|
metadata.product_name |
The metadata.product_name UDM field is set to Chrome Management. |
id.applicationName |
|
|
|
metadata.vendor_name |
The metadata.vendor_name UDM field is set to GOOGLE. |
user_agent |
network.http.user_agent |
|
userAgent |
network.http.user_agent |
|
events.parameters.name [USER_AGENT] |
network.http.user_agent |
|
events.parameters.name [SESSION_ID] |
network.session_id |
|
client_type |
principal.application |
|
clientType |
principal.application |
|
events.parameters.name [CLIENT_TYPE] |
principal.application |
|
device_id |
principal.asset.product_object_id |
|
deviceId |
principal.asset.product_object_id |
|
events.parameters.name [DEVICE_ID] |
principal.asset.product_object_id |
|
device_name |
principal.hostname |
|
deviceName |
principal.hostname |
|
events.parameters.name [DEVICE_NAME] |
principal.hostname |
|
os_plarform |
principal.platform |
The principal.platform UDM field is set to one of the following values:
Else, if the os_plarform log field value is not empty and osVersion log field value is not empty, then the os_plarform osVersion log field is mapped to the principal.platform_version UDM field. |
os_plarform |
principal.asset.platform_software.platform |
The principal.asset.platform_software.platform UDM field is set to one of the following values:
|
os_platform |
principal.platform |
The principal.platform UDM field is set to one of the following values:
Else, if the os_platform log field value is not empty and osVersion log field value is not empty, then the os_platform osVersion log field is mapped to the principal.platform_version UDM field. |
os_platform |
principal.asset.platform_software.platform |
The principal.asset.platform_software.platform UDM field is set to one of the following values:
|
osPlatform |
principal.platform |
The principal.platform UDM field is set to one of the following values:
Else, if the osPlatform log field value is not empty and osVersion log field value is not empty, then the osPlatform osVersion log field is mapped to the principal.platform_version UDM field. |
osPlatform |
principal.asset.platform_software.platform |
The principal.asset.platform_software.platform UDM field is set to one of the following values:
|
events.parameters.name [DEVICE_PLATFORM] |
principal.platform |
The os_platform and os_version is extracted from the events.parameters.name [DEVICE_PLATFORM] log field using Grok pattern.The principal.platform UDM field is set to one of the following values:
Else, if the os_platform log field value is not empty and osVersion log field value is not empty, then the os_platform osVersion log field is mapped to the principal.platform_version UDM field. |
events.parameters.name [DEVICE_PLATFORM] |
principal.asset.platform_software.platform |
The os_platform is extracted from the events.parameters.name [DEVICE_PLATFORM] log field using Grok pattern.The principal.asset.platform_software.platform UDM field is set to one of the following values:
|
os_version |
principal.platform_version |
|
osVersion |
principal.platform_version |
|
events.parameters.name [DEVICE_PLATFORM] |
principal.platform_version |
The Version is extracted from the events.parameters.name [DEVICE_PLATFORM] log field using Grok pattern. |
device_id |
principal.resource.id |
|
deviceId |
principal.resource.id |
|
events.parameters.name [DEVICE_ID] |
principal.resource.id |
|
directory_device_id |
principal.resource.product_object_id |
|
events.parameters.name [DIRECTORY_DEVICE_ID] |
principal.resource.product_object_id |
|
|
principal.resource.resource_subtype |
If the event log field value is equal to CHROMEOS_PERIPHERAL_STATUS_UPDATED, then the principal.resource.resource_subtype UDM field is set to USB.Else, if the events.name log field value is equal to CHROMEOS_PERIPHERAL_STATUS_UPDATED, then the principal.resource.resource_subtype UDM field is set to USB. |
|
principal.resource.resource_type |
If the device_id log field value is not empty, then the principal.resource.resource_type UDM field is set to DEVICE. |
actor.email |
principal.user.email_addresses |
|
actor.profileId |
principal.user.userid |
|
result |
security_result.action_details |
|
events.parameters.name [EVENT_RESULT] |
security_result.action_details |
|
event_result |
security_result.action_details |
|
|
security_result.action |
The security_result.action UDM field is set to one of the following values:
|
reason |
security_result.category_details |
|
events.parameters.name [EVENT_REASON] |
security_result.category_details |
|
events.parameters.name [EVENT_REASON] |
security_result.summary |
|
events.parameters.name [LOGIN_FAILURE_REASON] |
security_result.description |
|
events.parameters.name [REMOVE_USER_REASON] |
security_result.description |
If the events.name log field value is equal to CHROME_OS_REMOVE_USER, then the events.parameters.namethe log field is mapped to the security_result.description UDM field. |
triggered_rules |
security_result.rule_name |
|
events.type |
security_result.category_details |
|
events.parameters.name [PRODUCT_NAME] |
target.application |
If the events.name log field value contains one of the following values, then the events.parameters.name [PRODUCT_NAME] log field is mapped to the target.resource.name UDM field:
|
content_name |
target.file.full_path |
|
contentName |
target.file.full_path |
|
events.parameters.name [CONTENT_NAME] |
target.file.full_path |
|
content_type |
target.file.mime_type |
|
contentType |
target.file.mime_type |
|
events.parameters.name [CONTENT_TYPE] |
target.file.mime_type |
|
content_hash |
target.file.sha256 |
|
events.parameters.name [CONTENT_HASH] |
target.file.sha256 |
|
content_size |
target.file.size |
|
contentSize |
target.file.size |
|
events.parameters.name [CONTENT_SIZE] |
target.file.size |
|
|
target.file.file_type |
The fileType is extracted from the content_name log field usign Grok pattern, Then target.file.file_type UDM field is set to one of the following values:
|
extension_id |
target.resource.product_object_id |
|
events.parameters.name [APP_ID] |
target.resource.product_object_id |
|
extension_name |
target.resource.name |
If the event log field value is equal to badNavigationEvent or the events.name log field value is equal to badNavigationEvent, then the extension_name log field is mapped to the target.resource.name UDM field. |
telemetry_event_signals.signal_name |
target.resource.name |
If the event log field value is equal to extensionTelemetryEvent, then the telemetry_event_signals.signal_name log field is mapped to the target.resource.name UDM field. |
events.parameters.name [APP_NAME] |
target.resource.name |
|
url |
target.url |
|
events.parameters.name [URL] |
target.url |
|
telemetry_event_signals.url |
target.url |
If the telemetry_event_signals.url log field value matches the regular expression pattern the [http:\/\/ or https:\/\/].*, then the telemetry_event_signals.url log field is mapped to the target.url UDM field. |
device_user |
target.user.userid |
|
deviceUser |
principal.user.userid |
If the event log field value is equal to passwordChangedEvent, then the deviceUser log field is mapped to the principal.user.userid UDM field.Else, the deviceUser log field is mapped to the principal.user.user_display_name UDM field. |
events.parameters.name [DEVICE_USER] |
If the event log field value is equal to passwordChangedEvent, then the events.parameters.name [DEVICE_USER] log field is mapped to the principal.user.userid UDM field.Else, the events.parameters.name [DEVICE_USER] log field is mapped to the principal.user.user_display_name UDM field. |
|
scan_id |
about.labels [scan_id] |
|
events.parameters.name [CONNECTION_TYPE] |
about.labels [connection_type] |
|
etag |
about.labels [etag] |
|
kind |
about.labels [kind] |
|
actor.key |
principal.user.attribute.labels [actor_key] |
|
actor.callerType |
principal.user.attribute.labels [actor_callerType] |
|
events.parameters.name [EVIDENCE_LOCKER_FILEPATH] |
security_result.about.labels [evidence_locker_filepath] |
|
federated_origin |
security_result.about.labels [federated_origin] |
|
is_federated |
security_result.about.labels [is_federated] |
|
destination |
security_result.about.labels [trigger_destination] |
|
events.parameters.name [TRIGGER_DESTINATION] |
security_result.about.labels [trigger_destination] |
|
source |
security_result.about.labels [trigger_source] |
|
events.parameters.name [TRIGGER_SOURCE] |
security_result.about.labels [trigger_source] |
|
trigger_type |
security_result.about.labels [trigger_type] |
|
trigger_type |
additional.fields [trigger_type] |
|
triggerType |
security_result.about.labels [trigger_type] |
|
triggerType |
additional.fields [trigger_type] |
|
events.parameters.name [TRIGGER_TYPE] |
security_result.about.labels [trigger_type] |
|
trigger_user |
security_result.about.labels [trigger_user] |
|
events.parameters.name [TRIGGER_USER] |
security_result.about.labels [trigger_user] |
|
events.parameters.name [MALWARE_CATEGORY] |
security_result.threat_name |
|
events.parameters.name [MALWARE_FAMILY] |
security_result.detection_fields [malware_family] |
|
events.parameters.name [VENDOR_ID] |
src.labels [vendor_id] |
|
events.parameters.name [VENDOR_NAME] |
src.labels [vendor_name] |
|
events.parameters.name [VIRTUAL_DEVICE_ID] |
src.labels [virtual_device_id] |
|
events.parameters.name [VIRTUAL_DEVICE_ID] |
additional.fields [virtual_device_id] |
|
events.parameters.name [NEW_BOOT_MODE] |
target.asset.attribute.labels [new_boot_mode] |
|
events.parameters.name [PREVIOUS_BOOT_MODE] |
target.asset.attribute.labels [previous_boot_mode] |
|
id.time |
target.asset.attribute.labels [timestamp] |
|
events.parameters.name [PRODUCT_ID] |
target.labels [product_id] |
If the events.name log field value contains one of the following values, then the events.parameters.name [PRODUCT_ID] log field is mapped to the target.resource.product_object_id UDM field:
Else, the events.parameters.name [PRODUCT_ID] log field is mapped to the target.labels UDM field. |
|
extensions.auth.mechanism |
If the events.name log field value contains one of the following values, then the extensions.auth.mechanism UDM field is set to USERNAME_PASSWORD:
|
events.parameters.name [UNLOCK_TYPE] |
target.labels [unlock_type] |
|
extension_description |
target.resource.attribute.labels [extension_description] |
|
extension_action |
target.resource.attribute.labels [extension_action] |
|
extension_version |
target.resource.attribute.labels [extension_version] |
If the event log field value is not equal to extensionTelemetryEvent, then the extension_version log field is mapped to the target.resource.attribute.labels[extension_version] UDM field. |
extension_source |
target.resource.attribute.labels[extension_source] |
If the event log field value is not equal to extensionTelemetryEvent, then the extension_source log field is mapped to the target.resource.attribute.labels[extension_source] UDM field. |
browser_version |
target.resource.attributes.labels [browser_version] |
|
browserVersion |
target.resource.attributes.labels [browser_version] |
|
events.parameters.name [BROWSER_VERSION] |
target.resource.attributes.labels [browser_version] |
|
profile_user |
target.user.email_addresses |
If the event log field value contain one of the following values and the profile_user log field value matches the regular expression pattern ^.+@.+$, then the profile_user log field is mapped to the target.user.email_addresses UDM field.
|
profile_user |
principal.user.email_addresses |
If the event log field value does not contain one of the following values and the profile_user log field value matches the regular expression pattern ^.+@.+$ and the actor.email log field value is not equal to the profile_user, then the profile_user log field is mapped to the principal.user.email_addresses UDM field.
|
profile_user |
target.user.attribute.labels[profile_user_name] |
If the event log field value contain one of the following values and the profile_user log field value does not match the regular expression pattern ^.+@.+$, then the profile_user log field is mapped to the target.user.attribute.labels.profile_user_name UDM field.
|
profile_user |
principal.user.attribute.labels[profile_user_name] |
If the event log field value does not contain one of the following values and the profile_user log field value does not match the regular expression pattern ^.+@.+$ or the actor.email log field value is equal to the profile_user, then the profile_user log field is mapped to the principal.user.attribute.labels.profile_user_name UDM field.
|
events.parameters.name [PROFILE_USER_NAME] |
target.user.email_addresses |
If the event log field value contain one of the following values and the events.parameters.name [PROFILE_USER_NAME] log field value matches the regular expression pattern ^.+@.+$, then the events.parameters.name [PROFILE_USER_NAME] log field is mapped to the target.user.email_addresses UDM field.
|
events.parameters.name [PROFILE_USER_NAME] |
principal.user.email_addresses |
If the event log field value does not contain one of the following values and the events.parameters.name [PROFILE_USER_NAME] log field value matches the regular expression pattern ^.+@.+$ and the actor.email log field value is not equal to the events.parameters.name [PROFILE_USER_NAME], then the events.parameters.name [PROFILE_USER_NAME] log field is mapped to the principal.user.email_addresses UDM field.
|
events.parameters.name [PROFILE_USER_NAME] |
target.user.attribute.labels[profile_user_name] |
If the event log field value contain one of the following values and the events.parameters.name [PROFILE_USER_NAME] log field value does not match the regular expression pattern ^.+@.+$, then the events.parameters.name [PROFILE_USER_NAME] log field is mapped to the target.user.attribute.labels.profile_user_name UDM field.
|
events.parameters.name [PROFILE_USER_NAME] |
principal.user.attribute.labels[profile_user_name] |
If the event log field value does not contain one of the following values and the events.parameters.name [PROFILE_USER_NAME] log field value does not match the regular expression pattern ^.+@.+$ or the actor.email log field value is equal to the events.parameters.name [PROFILE_USER_NAME], then the events.parameters.name [PROFILE_USER_NAME] log field is mapped to the principal.user.attribute.labels.profile_user_name UDM field.
|
|
target.resource.resource_type |
If the events.name log field value is equal to DEVICE_BOOT_STATE_CHANGE, then the target.resource.resource_type UDM field is set to SETTING. |
url_category |
target.labels [url_category] |
|
browser_channel |
target.resource.attribute.labels [browser_channel] |
|
report_id |
target.labels [report_id] |
|
clickedThrough |
target.labels [clickedThrough] |
|
threat_type |
security_result.detection_fields [threatType] |
|
triggered_rule_info.action |
security_result.action |
If the triggered_rule_info.action log field value contains one of the following values, then the triggered_rule_info.action log field is mapped to the security_result.action UDM field:
Else, the triggered_rule_info.action log field is mapped to the security_result.rule_labels [triggeredRuleInfo_action] UDM field. |
triggered_rule_info.rule_id |
security_result.rule_id |
|
triggered_rule_info.rule_name |
security_result.rule_name |
|
triggered_rule_info.url_category |
security_result.category_details |
|
transfer_method |
additional.fields [transfer_method] |
|
extension_name |
target.resource_ancestors.name |
If the event log field value is equal to extensionTelemetryEvent, then the extension_name log field is mapped to the target.resource_ancestors.name UDM field. |
extension_id |
target.resource_ancestors.product_object_id |
If the event log field value is equal to extensionTelemetryEvent, then the extension_id log field is mapped to the target.resource_ancestors.product_object_id UDM field. |
extension_version |
target.resource_ancestors.attribute.labels[extension_version] |
If the event log field value is equal to extensionTelemetryEvent, then the extension_version log field is mapped to the target.resource_ancestors.attribute.labels[extension_version] UDM field. |
extension_source |
target.resource_ancestors.attribute.labels[extension_source] |
If the event log field value is equal to extensionTelemetryEvent, then the extension_source log field is mapped to the target.resource_ancestors.attribute.labels[extension_source] UDM field. |
profile_identifier |
additional.fields[profile_identifier] |
|
extension_files_info.file_name |
target.resource_ancestors.file.names |
|
extension_files_info.file_hash.hash |
target.resource_ancestors.attribute.labels[file_hash] |
|
telemetry_event_signals.count |
target.resource.attribute.labels[count] |
|
telemetry_event_signals.tabs_api_method |
target.resource.attribute.labels[tabs_api_method] |
|
|
target.hostname |
If the telemetry_event_signals.url log field value does not match the regular expression pattern the [http:\/\/ or https:\/\/].*, then the telemetry_event_signals.url log field is mapped to the target.hostname UDM field. |
telemetry_event_signals.destination |
target.resource.attribute.labels[destination] |
|
telemetry_event_signals.source |
target.resource.attribute.labels[source] |
|
telemetry_event_signals.domain |
target.domain.name |
|
telemetry_event_signals.cookie_name |
target.resource.attribute.labels[cookie_name] |
|
telemetry_event_signals.cookie_path |
target.resource.attribute.labels[cookie_path] |
|
telemetry_event_signals.cookie_is_secure |
target.resource.attribute.labels[cookie_is_secure] |
|
telemetry_event_signals.cookie_store_id |
target.resource.attribute.labels[cookie_store_id] |
|
telemetry_event_signals.cookie_is_session |
target.resource.attribute.labels[cookie_is_session] |
|
telemetry_event_signals.connection_protocol |
network.application_protocol |
If the telemetry_event_signals.connection_protocol log field value is equal to HTTP_HTTPS, then the network.application_protocol UDM field is set to HTTP Else, If the telemetry_event_signals.connection_protocol log field value is equal to UNSPECIFIED, then the network.application_protocol UDM field is set to UNKNOWN_APPLICATION_PROTOCOLElse, the telemetry_event_signals.connection_protocol log field is mapped to the target.resource.attribute.labels UDM field. |
telemetry_event_signals.contacted_by |
target.resource.attribute.labels[contacted_by] |
다음 단계
Chrome 로그에 대한 커뮤니티 블로그는 다음을 참고하세요.
도움이 더 필요하신가요? 커뮤니티 회원 및 Google SecOps 전문가로부터 답변을 받으세요.