Collect Cloud Audit Logs

This document describes how you can export Cloud Audit Logs by enabling Google Cloud telemetry ingestion to Google Security Operations and how Cloud Audit Logs fields map to Google Security Operations Unified Data Model (UDM) fields.

For more information, see Data ingestion to Google Security Operations overview.

A typical deployment consists of Cloud Audit Logs enabled for ingestion to Google Security Operations. Each customer deployment might differ from this representation and might be more complex.

The deployment contains the following components:

  • Google Cloud: The Google Cloud services and products from which you collect logs

  • Cloud Audit Logs: The Cloud Audit Logs that are enabled for ingestion to Google Security Operations

  • Google Workspace audit logs: The Google Workspace audit logs that are enabled for ingestion to Google Security Operations

  • Google Security Operations: Retains and analyzes Cloud Audit Logs and Google Workspace audit logs

An ingestion label identifies the parser that normalizes raw log data to structured UDM format. The information in this document applies to the parser with the GCP_CLOUDAUDIT ingestion label.

Before you begin

  • Ensure that you have set up a Google Cloud.
  • Ensure that you have set up access control for your organization and resources using Identity and Access Management (IAM). For more information about access control, see Access control for organizations with IAM.

  • Configure data access audit logs for your Google Cloud resources and services.

  • Ensure that all systems in the deployment architecture are configured in the UTC time zone.

  • Verify the log types that the Cloud Audit Logs parser supports. The following table lists the log sources and types supported by the Cloud Audit Logs parser:

| Log sources | Log source type |
| --- | --- |
| Cloud DNS | NA |
| syslog | NA |
| Google Workspace audit logs | Login Audit |
| Google Workspace audit logs | Admin Audit |
| Cloud Audit Logs | Admin Activity |
| Cloud Audit Logs | VPC Service Controls Audit |
| Cloud Audit Logs | Google Kubernetes Engine Data Access |
| Cloud Audit Logs | Resource Manager Data Access |
| Cloud Audit Logs | BigQuery Audit Metadata data access |
| Cloud Audit Logs | MySQL data access, admin activity |
| Cloud Audit Logs | PostgreSQL data access, admin activity |
| Cloud Audit Logs | SQL Server data access, admin activity |
| Cloud Load Balancing | Cloud HTTP Load Balancer |
| Cloud DNS | Admin Activity |
| Virtual Private Cloud Flow | Virtual Private Cloud Flow |
| Firewall Rules | Firewall Rules |
| Cloud NAT | Cloud NAT |

Configure ingestion of Cloud Audit Logs

To ingest Cloud Audit Logs to Google Security Operations, follow the steps on the Ingest Google Cloud logs to Google Security Operations page.

If you encounter issues when you ingest Cloud Audit Logs, contact Google Security Operations support.

Field mapping reference

This section explains how the Google Security Operations parser maps Cloud Audit Logs fields to Google Security Operations Unified Data Model (UDM) fields.
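As an added example (not part of the original documentation or the parser's own code), the following checks a detection rule's event-type filter against rows copied from the event-type table in this section and reports which watchlisted event identifiers the filter would miss. It assumes the event identifier is the raw entry's `protoPayload.methodName`; the watchlist, the rule filter, and the sample log lines are constructed for illustration.

```python
import json

# Rows copied from the event-type table on this page (a subset, not the full table).
EVENT_TYPE_BY_IDENTIFIER = {
    "CreateServiceAccountKey": "USER_CHANGE_PASSWORD",
    "DisableServiceAccount": "USER_CHANGE_PERMISSIONS",
    "compute.instances.setIamPolicy": "USER_RESOURCE_UPDATE_PERMISSIONS",
    "google.admin.AdminService.assignRole": "USER_RESOURCE_UPDATE_PERMISSIONS",
    "google.admin.AdminService.grantAdminPrivilege": "USER_RESOURCE_UPDATE_CONTENT",
    "google.admin.AdminService.turnOff2StepVerification": "USER_RESOURCE_UPDATE_CONTENT",
    "google.admin.AdminService.changeCalendarSetting": "USER_RESOURCE_UPDATE_CONTENT",
    "firewalls.patch": "USER_RESOURCE_UPDATE_CONTENT",
    "cloudsql.instances.list": "USER_RESOURCE_ACCESS",
}

# Hypothetical watchlist: identifiers a team treats as identity- or access-sensitive.
SENSITIVE_IDENTIFIERS = {
    "CreateServiceAccountKey",
    "compute.instances.setIamPolicy",
    "google.admin.AdminService.assignRole",
    "google.admin.AdminService.grantAdminPrivilege",
    "google.admin.AdminService.turnOff2StepVerification",
}

# Hypothetical rule filter: event types a rule author might assume cover permission changes.
PERMISSION_EVENT_TYPES = {"USER_RESOURCE_UPDATE_PERMISSIONS", "USER_CHANGE_PERMISSIONS"}


def _sample(method, principal):
    """Build one constructed raw log line in the Cloud Logging LogEntry shape."""
    return json.dumps({"protoPayload": {
        "@type": "type.googleapis.com/google.cloud.audit.AuditLog",
        "methodName": method,
        "authenticationInfo": {"principalEmail": principal},
    }})


# Constructed sample input; the principals and the last method name are made up.
SAMPLE_LOG_LINES = [
    _sample("google.admin.AdminService.assignRole", "admin@example.com"),
    _sample("google.admin.AdminService.grantAdminPrivilege", "admin@example.com"),
    _sample("google.admin.AdminService.turnOff2StepVerification", "admin@example.com"),
    _sample("google.admin.AdminService.changeCalendarSetting", "user@example.com"),
    _sample("CreateServiceAccountKey", "builder@example.com"),
    _sample("example.service.unlistedMethod", "user@example.com"),
]


def normalize(raw_line):
    """Reduce one raw audit log line to the fields the checks below need."""
    payload = json.loads(raw_line).get("protoPayload") or {}
    identifier = payload.get("methodName", "")
    return {
        "identifier": identifier,
        # None means the identifier is not in the subset copied above.
        "event_type": EVENT_TYPE_BY_IDENTIFIER.get(identifier),
        "principal": (payload.get("authenticationInfo") or {}).get("principalEmail", ""),
    }


def match_by_event_type(events, event_types):
    """Identifiers of events a rule filtering only on event type would match."""
    return [e["identifier"] for e in events if e["event_type"] in event_types]


def match_by_identifier(events, identifiers):
    """Identifiers of events a rule keyed on the event identifier would match."""
    return [e["identifier"] for e in events if e["identifier"] in identifiers]


def coverage_gap(identifiers, event_types):
    """Watchlisted identifiers whose mapped event type lies outside the rule filter."""
    return sorted(i for i in identifiers
                  if EVENT_TYPE_BY_IDENTIFIER.get(i) not in event_types)


def noise_if_widened(event_type, identifiers):
    """Non-watchlisted identifiers that adding event_type to the filter would pull in."""
    return sorted(i for i, t in EVENT_TYPE_BY_IDENTIFIER.items()
                  if t == event_type and i not in identifiers)


EVENTS = [normalize(line) for line in SAMPLE_LOG_LINES]

if __name__ == "__main__":
    print("event-type rule matches:", match_by_event_type(EVENTS, PERMISSION_EVENT_TYPES))
    print("identifier rule matches:", match_by_identifier(EVENTS, SENSITIVE_IDENTIFIERS))
    print("missed by event-type filter:",
          coverage_gap(SENSITIVE_IDENTIFIERS, PERMISSION_EVENT_TYPES))
    print("added by widening to USER_RESOURCE_UPDATE_CONTENT:",
          noise_if_widened("USER_RESOURCE_UPDATE_CONTENT", SENSITIVE_IDENTIFIERS))
```

Running the same gap check over the full table before relying on an event-type filter shows which identifiers need a rule keyed on the identifier itself.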

GCP_CLOUDAUDIT log types to UDM event type

The following table lists the GCP_CLOUDAUDIT event identifiers and their corresponding event types.

Event identifier Event type
AuthorizeUser USER_LOGIN
beta.compute.autoscalers.update RESOURCE_WRITTEN
beta.compute.images.setIamPolicy USER_RESOURCE_UPDATE_PERMISSIONS
beta.compute.instanceGroupManagers.patch RESOURCE_WRITTEN
beta.compute.instanceTemplates.insert RESOURCE_CREATION
cloudsql.backupRuns.create USER_RESOURCE_CREATION
cloudsql.backupRuns.delete RESOURCE_DELETION
cloudsql.backupRuns.get USER_RESOURCE_ACCESS
cloudsql.backupRuns.list USER_RESOURCE_ACCESS
cloudsql.databases.create USER_RESOURCE_CREATION
cloudsql.databases.delete RESOURCE_DELETION
cloudsql.databases.get USER_RESOURCE_ACCESS
cloudsql.databases.list USER_RESOURCE_ACCESS
cloudsql.databases.update RESOURCE_WRITTEN
cloudsql.instances.addServerCa USER_RESOURCE_CREATION
cloudsql.instances.clone USER_RESOURCE_CREATION
cloudsql.instances.connect USER_LOGIN
cloudsql.instances.create USER_RESOURCE_CREATION
cloudsql.instances.createTagBinding USER_RESOURCE_CREATION
cloudsql.instances.delete RESOURCE_DELETION
cloudsql.instances.deleteTagBinding RESOURCE_DELETION
cloudsql.instances.demoteMaster STATUS_UPDATE
cloudsql.instances.export USER_RESOURCE_ACCESS
cloudsql.instances.failover STATUS_UPDATE
cloudsql.instances.get USER_RESOURCE_ACCESS
cloudsql.instances.import STATUS_UNCATEGORIZED
cloudsql.instances.list USER_RESOURCE_ACCESS
cloudsql.instances.listEffectiveTags USER_RESOURCE_ACCESS
cloudsql.instances.listServerCas USER_RESOURCE_ACCESS
cloudsql.instances.listTagBindings USER_RESOURCE_ACCESS
cloudsql.instances.login USER_LOGIN
cloudsql.instances.promoteReplica STATUS_UPDATE
cloudsql.instances.query USER_RESOURCE_ACCESS
cloudsql.instances.resetSslConfig USER_RESOURCE_UPDATE_CONTENT
cloudsql.instances.restart STATUS_STARTUP
cloudsql.instances.restoreBackup STATUS_UPDATE
cloudsql.instances.rotateServerCa STATUS_UPDATE
cloudsql.instances.startReplica STATUS_STARTUP
cloudsql.instances.stopReplica STATUS_UPDATE
cloudsql.instances.truncateLog STATUS_UPDATE
cloudsql.instances.update RESOURCE_WRITTEN
cloudsql.sslCerts.create USER_RESOURCE_CREATION
cloudsql.sslCerts.createEphemeral USER_RESOURCE_CREATION
cloudsql.sslCerts.delete RESOURCE_DELETION
cloudsql.sslCerts.get USER_RESOURCE_ACCESS
cloudsql.sslCerts.list USER_RESOURCE_ACCESS
cloudsql.users.create USER_RESOURCE_CREATION
cloudsql.users.delete RESOURCE_DELETION
cloudsql.users.get USER_RESOURCE_ACCESS
cloudsql.users.list USER_RESOURCE_ACCESS
cloudsql.users.update RESOURCE_WRITTEN
cloudtrace.googleapis.com/ListInsights RESOURCE_READ
compute.images.get USER_RESOURCE_ACCESS
compute.instance.getSerialPortOutput USER_RESOURCE_ACCESS
compute.instanceGroupManagers.deleteInstances RESOURCE_DELETION
compute.instanceGroupManagers.resizeAdvanced USER_RESOURCE_UPDATE_CONTENT
compute.instanceGroups.removeInstances RESOURCE_DELETION
compute.instances.automaticRestart USER_RESOURCE_UPDATE_CONTENT
compute.instances.insert RESOURCE_CREATION
compute.instances.list USER_RESOURCE_ACCESS
compute.instances.migrateOnHostMaintenance RESOURCE_CREATION
compute.instances.repair.deleteInstance RESOURCE_DELETION
compute.instances.repair.recreateInstance RESOURCE_CREATION
compute.instances.setIamPolicy USER_RESOURCE_UPDATE_PERMISSIONS
compute.instances.setLabels USER_RESOURCE_CREATION
compute.instances.setMetadata USER_RESOURCE_UPDATE_CONTENT
compute.instances.setTags USER_RESOURCE_CREATION
compute.interconnectAttachments.aggregatedList USER_RESOURCE_ACCESS
compute.v1.InstancesService.Get USER_RESOURCE_ACCESS
compute.v1.ProjectsService.Get USER_RESOURCE_ACCESS
CreateCryptoKey RESOURCE_CREATION
CreateRole USER_RESOURCE_CREATION
CreateServiceAccount USER_CREATION
CreateServiceAccountKey USER_CHANGE_PASSWORD
CreateWorkforcePool USER_RESOURCE_CREATION
CreateWorkforcePoolProvider USER_RESOURCE_CREATION
CreateWorkloadIdentityPool USER_RESOURCE_CREATION
CreateWorkloadIdentityPoolProvider USER_RESOURCE_CREATION
datasetservice.delete USER_RESOURCE_DELETION
datasetservice.insert USER_RESOURCE_CREATION
DeleteRole RESOURCE_DELETION
DeleteServiceAccount RESOURCE_DELETION
DeleteServiceAccountKey USER_DELETION
DeleteWorkforcePool RESOURCE_DELETION
DeleteWorkforcePoolProvider RESOURCE_DELETION
DeleteWorkloadIdentityPool RESOURCE_DELETION
DeleteWorkloadIdentityPoolProvider RESOURCE_DELETION
DisableServiceAccount USER_CHANGE_PERMISSIONS
dns.activePeeringZones.deactivate USER_RESOURCE_UPDATE_CONTENT
dns.activePeeringZones.getpeeringzoneinfo USER_RESOURCE_ACCESS
dns.activePeeringZones.list USER_RESOURCE_ACCESS
dns.changes.create USER_RESOURCE_CREATION
dns.changes.delete RESOURCE_DELETION
dns.changes.get USER_RESOURCE_ACCESS
dns.changes.list USER_RESOURCE_ACCESS
dns.managedZones.create USER_RESOURCE_CREATION
dns.managedZones.delete RESOURCE_DELETION
dns.managedZones.get USER_RESOURCE_ACCESS
dns.managedZones.list USER_RESOURCE_ACCESS
dns.managedZones.patch USER_RESOURCE_UPDATE_CONTENT
dns.managedZones.update RESOURCE_WRITTEN
dns.policies.create USER_RESOURCE_CREATION
dns.policies.delete RESOURCE_DELETION
dns.policies.get USER_RESOURCE_ACCESS
dns.policies.list USER_RESOURCE_ACCESS
dns.policies.patch USER_RESOURCE_UPDATE_CONTENT
dns.policies.update RESOURCE_WRITTEN
dns.projects.get USER_RESOURCE_ACCESS
dns.resourceRecordSets.create USER_RESOURCE_CREATION
dns.resourceRecordSets.delete RESOURCE_DELETION
dns.resourceRecordSets.get USER_RESOURCE_ACCESS
dns.resourceRecordSets.list USER_RESOURCE_ACCESS
dns.resourceRecordSets.patch USER_RESOURCE_UPDATE_CONTENT
dns.resourceRecordSets.update RESOURCE_WRITTEN
dns.responsePolicies.create USER_RESOURCE_CREATION
dns.responsePolicies.delete RESOURCE_DELETION
dns.responsePolicies.get USER_RESOURCE_ACCESS
dns.responsePolicies.list USER_RESOURCE_ACCESS
dns.responsePolicies.patch USER_RESOURCE_UPDATE_CONTENT
dns.responsePolicies.update RESOURCE_WRITTEN
dns.responsePolicyRules.create USER_RESOURCE_CREATION
dns.responsePolicyRules.delete RESOURCE_DELETION
dns.responsePolicyRules.get USER_RESOURCE_ACCESS
dns.responsePolicyRules.list USER_RESOURCE_ACCESS
dns.responsePolicyRules.patch USER_RESOURCE_UPDATE_CONTENT
dns.responsePolicyRules.update RESOURCE_WRITTEN
EnableServiceAccount USER_CHANGE_PERMISSIONS
ExchangeToken USER_RESOURCE_ACCESS
firewalls.delete RESOURCE_DELETION
firewalls.get USER_RESOURCE_ACCESS
firewalls.insert RESOURCE_CREATION
firewalls.list USER_RESOURCE_ACCESS
firewalls.patch USER_RESOURCE_UPDATE_CONTENT
firewalls.update RESOURCE_WRITTEN
forwardingRules.aggregatedList USER_RESOURCE_ACCESS
forwardingRules.delete RESOURCE_DELETION
forwardingRules.get USER_RESOURCE_ACCESS
forwardingRules.insert RESOURCE_CREATION
forwardingRules.list USER_RESOURCE_ACCESS
forwardingRules.patch USER_RESOURCE_UPDATE_CONTENT
forwardingRules.setTarget STATUS_UPDATE
GenerateAccessToken USER_RESOURCE_UPDATE_CONTENT
GenerateIdToken USER_RESOURCE_UPDATE_CONTENT
GetEffectivePolicy1 USER_RESOURCE_ACCESS
GetRole USER_RESOURCE_ACCESS
GetServiceAccount USER_RESOURCE_ACCESS
GetServiceAccountKey USER_RESOURCE_ACCESS
GetWorkforcePool USER_RESOURCE_ACCESS
GetWorkforcePoolProvider USER_RESOURCE_ACCESS
GetWorkloadIdentityPool USER_RESOURCE_ACCESS
GetWorkloadIdentityPoolProvider USER_RESOURCE_ACCESS
Google Cloud console (federated) sign in USER_RESOURCE_UPDATE_PERMISSIONS
google.admin.AdminService.addApplication USER_RESOURCE_CREATION
google.admin.AdminService.addApplicationToWhitelist USER_RESOURCE_CREATION
google.admin.AdminService.addDomainAlias USER_RESOURCE_CREATION
google.admin.AdminService.addGroupMember GROUP_MODIFICATION
google.admin.AdminService.addNickname USER_RESOURCE_CREATION
google.admin.AdminService.addPrivilege USER_RESOURCE_CREATION
google.admin.AdminService.addRecoveryEmail USER_RESOURCE_CREATION
google.admin.AdminService.addRecoveryPhone USER_RESOURCE_CREATION
google.admin.AdminService.addSecondaryDomain USER_RESOURCE_CREATION
google.admin.AdminService.addToTrustedOauth2Apps USER_RESOURCE_CREATION
google.admin.AdminService.addTrustedDomains USER_RESOURCE_CREATION
google.admin.AdminService.alertCenterBatchDeleteAlerts RESOURCE_DELETION
google.admin.AdminService.alertCenterBatchUndeleteAlerts RESOURCE_DELETION
google.admin.AdminService.alertCenterCreateAlert USER_RESOURCE_CREATION
google.admin.AdminService.alertCenterCreateFeedback USER_RESOURCE_CREATION
google.admin.AdminService.alertCenterDeleteAlert RESOURCE_DELETION
google.admin.AdminService.alertCenterGetAlertMetadata USER_RESOURCE_ACCESS
google.admin.AdminService.alertCenterGetCustomerSettings USER_RESOURCE_ACCESS
google.admin.AdminService.alertCenterGetSitLink USER_RESOURCE_ACCESS
google.admin.AdminService.alertCenterListChange USER_RESOURCE_ACCESS
google.admin.AdminService.alertCenterListFeedback USER_RESOURCE_ACCESS
google.admin.AdminService.alertCenterListRelatedAlerts USER_RESOURCE_ACCESS
google.admin.AdminService.alertCenterUndeleteAlert RESOURCE_DELETION
google.admin.AdminService.alertCenterUpdateAlert RESOURCE_WRITTEN
google.admin.AdminService.alertCenterUpdateAlertMetadata RESOURCE_WRITTEN
google.admin.AdminService.alertCenterUpdateCustomerSettings RESOURCE_WRITTEN
google.admin.AdminService.alertCenterView USER_RESOURCE_UPDATE_CONTENT
google.admin.AdminService.alertReceiversChanged USER_RESOURCE_UPDATE_CONTENT
google.admin.AdminService.alertStatusChanged USER_RESOURCE_UPDATE_CONTENT
google.admin.AdminService.allowAspWithout2Sv USER_RESOURCE_UPDATE_CONTENT
google.admin.AdminService.allowServiceForOauth2Access USER_RESOURCE_UPDATE_CONTENT
google.admin.AdminService.allowStrongAuthentication USER_RESOURCE_UPDATE_CONTENT
google.admin.AdminService.archiveUser USER_RESOURCE_UPDATE_CONTENT
google.admin.AdminService.assignRole USER_RESOURCE_UPDATE_PERMISSIONS
google.admin.AdminService.authorizeApiClientAccess USER_RESOURCE_UPDATE_CONTENT
google.admin.AdminService.blockOnDeviceAccess USER_RESOURCE_UPDATE_CONTENT
google.admin.AdminService.bulkUpload USER_RESOURCE_UPDATE_CONTENT
google.admin.AdminService.bulkUploadNotificationSent USER_RESOURCE_UPDATE_CONTENT
google.admin.AdminService.cancelCalendarEvents USER_RESOURCE_UPDATE_CONTENT
google.admin.AdminService.cancelUserInvite USER_RESOURCE_UPDATE_CONTENT
google.admin.AdminService.changeAccountAutoRenewal USER_RESOURCE_UPDATE_CONTENT
google.admin.AdminService.changeAdvertisementOption USER_RESOURCE_UPDATE_CONTENT
google.admin.AdminService.changeAlertCriteria USER_RESOURCE_UPDATE_CONTENT
google.admin.AdminService.changeAllowedTwoStepVerificationMethods USER_RESOURCE_UPDATE_CONTENT
google.admin.AdminService.changeAppAccessSettingsCollectionId USER_RESOURCE_UPDATE_CONTENT
google.admin.AdminService.changeApplicationSetting USER_RESOURCE_UPDATE_CONTENT
google.admin.AdminService.changeCaaAppAssignments USER_RESOURCE_UPDATE_CONTENT
google.admin.AdminService.changeCaaDefaultAssignments USER_RESOURCE_UPDATE_CONTENT
google.admin.AdminService.changeCaaErrorMessage USER_RESOURCE_UPDATE_CONTENT
google.admin.AdminService.changeCalendarSetting USER_RESOURCE_UPDATE_CONTENT
google.admin.AdminService.changeChatSetting USER_RESOURCE_UPDATE_CONTENT
google.admin.AdminService.changeChromeOsAndroidApplicationSetting USER_RESOURCE_UPDATE_CONTENT
google.admin.AdminService.changeChromeOsApplicationSetting USER_RESOURCE_UPDATE_CONTENT
google.admin.AdminService.changeChromeOsDeviceAnnotation USER_RESOURCE_UPDATE_CONTENT
google.admin.AdminService.changeChromeOsDeviceSetting USER_RESOURCE_UPDATE_CONTENT
google.admin.AdminService.changeChromeOsDeviceState USER_RESOURCE_UPDATE_CONTENT
google.admin.AdminService.changeChromeOsPublicSessionSetting USER_RESOURCE_UPDATE_CONTENT
google.admin.AdminService.changeChromeOsSetting USER_RESOURCE_UPDATE_CONTENT
google.admin.AdminService.changeChromeOsUserSetting USER_RESOURCE_UPDATE_CONTENT
google.admin.AdminService.changeConflictAccountAction USER_RESOURCE_UPDATE_CONTENT
google.admin.AdminService.changeContactsSetting USER_RESOURCE_UPDATE_CONTENT
google.admin.AdminService.changeCustomLogo USER_RESOURCE_UPDATE_CONTENT
google.admin.AdminService.changeDataLocalizationForRussia USER_RESOURCE_UPDATE_CONTENT
google.admin.AdminService.changeDataLocalizationSetting USER_RESOURCE_UPDATE_CONTENT
google.admin.AdminService.changeDataProtectionOfficerContactInfo USER_RESOURCE_UPDATE_CONTENT
google.admin.AdminService.changeDocsSetting USER_RESOURCE_UPDATE_CONTENT
google.admin.AdminService.changeDomainDefaultLocale USER_RESOURCE_UPDATE_CONTENT
google.admin.AdminService.changeDomainDefaultTimezone USER_RESOURCE_UPDATE_CONTENT
google.admin.AdminService.changeDomainName USER_RESOURCE_UPDATE_CONTENT
google.admin.AdminService.changeDomainSupportMessage USER_RESOURCE_UPDATE_CONTENT
google.admin.AdminService.changeEduType USER_RESOURCE_UPDATE_CONTENT
google.admin.AdminService.changeEmailSetting USER_RESOURCE_UPDATE_CONTENT
google.admin.AdminService.changeEuRepresentativeContactInfo USER_RESOURCE_UPDATE_CONTENT
google.admin.AdminService.changeFirstName USER_RESOURCE_UPDATE_CONTENT
google.admin.AdminService.changeGmailSetting USER_RESOURCE_UPDATE_CONTENT
google.admin.AdminService.changeGroupDescription USER_RESOURCE_UPDATE_CONTENT
google.admin.AdminService.changeGroupName USER_RESOURCE_UPDATE_CONTENT
google.admin.AdminService.changeGroupSetting USER_RESOURCE_UPDATE_CONTENT
google.admin.AdminService.changeLastName USER_RESOURCE_UPDATE_CONTENT
google.admin.AdminService.changeLoginActivityTrace USER_RESOURCE_UPDATE_CONTENT
google.admin.AdminService.changeLoginBackgroundColor USER_RESOURCE_UPDATE_CONTENT
google.admin.AdminService.changeLoginBorderColor USER_RESOURCE_UPDATE_CONTENT
google.admin.AdminService.changeOrganizationName USER_RESOURCE_UPDATE_CONTENT
google.admin.AdminService.changePassword USER_CHANGE_PASSWORD
google.admin.AdminService.changePasswordMaxLength USER_RESOURCE_UPDATE_CONTENT
google.admin.AdminService.changePasswordMinLength USER_RESOURCE_UPDATE_CONTENT
google.admin.AdminService.changePasswordOnNextLogin USER_CHANGE_PASSWORD
google.admin.AdminService.changePrimaryDomain USER_RESOURCE_UPDATE_CONTENT
google.admin.AdminService.changeRecoveryEmail USER_RESOURCE_UPDATE_CONTENT
google.admin.AdminService.changeRecoveryPhone USER_RESOURCE_UPDATE_CONTENT
google.admin.AdminService.changeRenewDomainRegistration USER_RESOURCE_UPDATE_CONTENT
google.admin.AdminService.changeResellerAccess USER_RESOURCE_UPDATE_CONTENT
google.admin.AdminService.changeRuleCriteria USER_RESOURCE_UPDATE_CONTENT
google.admin.AdminService.changeSessionLength USER_RESOURCE_UPDATE_CONTENT
google.admin.AdminService.changeSsoSettings USER_RESOURCE_UPDATE_CONTENT
google.admin.AdminService.changeTwoStepVerificationEnrollmentPeriodDuration USER_RESOURCE_UPDATE_CONTENT
google.admin.AdminService.changeTwoStepVerificationFrequency USER_RESOURCE_UPDATE_PERMISSIONS
google.admin.AdminService.changeTwoStepVerificationGracePeriodDuration USER_RESOURCE_UPDATE_CONTENT
google.admin.AdminService.changeTwoStepVerificationStartDate USER_RESOURCE_UPDATE_CONTENT
google.admin.AdminService.changeUserAddress USER_RESOURCE_CREATION
google.admin.AdminService.changeUserCustomField USER_RESOURCE_UPDATE_CONTENT
google.admin.AdminService.changeUserExternalId USER_RESOURCE_UPDATE_CONTENT
google.admin.AdminService.changeUserGender USER_RESOURCE_UPDATE_CONTENT
google.admin.AdminService.changeUserIm USER_RESOURCE_UPDATE_CONTENT
google.admin.AdminService.changeUserKeyword USER_RESOURCE_UPDATE_CONTENT
google.admin.AdminService.changeUserLanguage USER_RESOURCE_UPDATE_CONTENT
google.admin.AdminService.changeUserLocation USER_RESOURCE_UPDATE_CONTENT
google.admin.AdminService.changeUserOrganization USER_RESOURCE_UPDATE_CONTENT
google.admin.AdminService.changeUserPhoneNumber USER_RESOURCE_UPDATE_CONTENT
google.admin.AdminService.changeUserRelation USER_RESOURCE_UPDATE_CONTENT
google.admin.AdminService.changeWhitelistSetting USER_RESOURCE_ACCESS
google.admin.AdminService.chromeLicensesRedeemed USER_RESOURCE_UPDATE_CONTENT
google.admin.AdminService.communicationPreferencesSettingChange USER_RESOURCE_UPDATE_CONTENT
google.admin.AdminService.createAccessLevelV2 USER_RESOURCE_CREATION
google.admin.AdminService.createAlert USER_RESOURCE_CREATION
google.admin.AdminService.createApplicationSetting USER_RESOURCE_CREATION
google.admin.AdminService.createBuilding USER_RESOURCE_CREATION
google.admin.AdminService.createCalendarResource USER_RESOURCE_CREATION
google.admin.AdminService.createCalendarResourceFeature USER_RESOURCE_CREATION
google.admin.AdminService.createDataTransferRequest USER_RESOURCE_CREATION
google.admin.AdminService.createDeviceEnrollmentToken USER_RESOURCE_CREATION
google.admin.AdminService.createEmailMonitor USER_RESOURCE_CREATION
google.admin.AdminService.createGmailSetting USER_RESOURCE_CREATION
google.admin.AdminService.createGroup USER_RESOURCE_CREATION
google.admin.AdminService.createManagedConfiguration USER_RESOURCE_CREATION
google.admin.AdminService.createPlayForWorkToken USER_RESOURCE_CREATION
google.admin.AdminService.createRole USER_RESOURCE_CREATION
google.admin.AdminService.createRule USER_RESOURCE_CREATION
google.admin.AdminService.createUser USER_CREATION
google.admin.AdminService.delete2SvScratchCodes RESOURCE_DELETION
google.admin.AdminService.deleteAccountInfoDump RESOURCE_DELETION
google.admin.AdminService.deleteAlert RESOURCE_DELETION
google.admin.AdminService.deleteApplicationSetting RESOURCE_DELETION
google.admin.AdminService.deleteBuilding RESOURCE_DELETION
google.admin.AdminService.deleteCalendarResource RESOURCE_DELETION
google.admin.AdminService.deleteCalendarResourceFeature RESOURCE_DELETION
google.admin.AdminService.deleteChromeOsPrinter RESOURCE_DELETION
google.admin.AdminService.deleteDevice RESOURCE_DELETION
google.admin.AdminService.deleteEmailMonitor RESOURCE_DELETION
google.admin.AdminService.deleteGmailSetting RESOURCE_DELETION
google.admin.AdminService.deleteGroup RESOURCE_DELETION
google.admin.AdminService.deleteMailboxDump RESOURCE_DELETION
google.admin.AdminService.deleteManagedConfiguration RESOURCE_DELETION
google.admin.AdminService.deletePlayForWorkToken RESOURCE_DELETION
google.admin.AdminService.deleteRole RESOURCE_DELETION
google.admin.AdminService.deleteRule RESOURCE_DELETION
google.admin.AdminService.deleteUser RESOURCE_DELETION
google.admin.AdminService.disallowServiceForOauth2Access USER_RESOURCE_UPDATE_CONTENT
google.admin.AdminService.downgradeUserFromGplus USER_RESOURCE_UPDATE_CONTENT
google.admin.AdminService.downloadPendingInvitesList USER_RESOURCE_ACCESS
google.admin.AdminService.downloadUserlistCsv USER_RESOURCE_ACCESS
google.admin.AdminService.driveDataRestore USER_RESOURCE_UPDATE_CONTENT
google.admin.AdminService.dropFromQuarantine USER_RESOURCE_UPDATE_CONTENT
google.admin.AdminService.emailLogSearch USER_RESOURCE_UPDATE_CONTENT
google.admin.AdminService.emailUndelete RESOURCE_DELETION
google.admin.AdminService.enableApiAccess USER_RESOURCE_UPDATE_CONTENT
google.admin.AdminService.enableFeedbackSolicitation USER_RESOURCE_UPDATE_CONTENT
google.admin.AdminService.enableNonAdminUserPasswordRecovery USER_RESOURCE_UPDATE_CONTENT
google.admin.AdminService.enableServiceOrFeatureNotifications USER_RESOURCE_UPDATE_CONTENT
google.admin.AdminService.enableUserIpWhitelist USER_RESOURCE_UPDATE_CONTENT
google.admin.AdminService.enforceStrongAuthentication USER_RESOURCE_UPDATE_PERMISSIONS
google.admin.AdminService.flashlightEduNonFeaturedServicesSelected USER_RESOURCE_UPDATE_CONTENT
google.admin.AdminService.generate2SvScratchCodes USER_RESOURCE_UPDATE_CONTENT
google.admin.AdminService.generatePin USER_RESOURCE_UPDATE_CONTENT
google.admin.AdminService.generateTransferToken USER_RESOURCE_UPDATE_CONTENT
google.admin.AdminService.gmailResetUser USER_RESOURCE_UPDATE_CONTENT
google.admin.AdminService.gplusPremiumFeatures USER_RESOURCE_UPDATE_CONTENT
google.admin.AdminService.grantAdminPrivilege USER_RESOURCE_UPDATE_CONTENT
google.admin.AdminService.grantDelegatedAdminPrivileges USER_RESOURCE_UPDATE_CONTENT
google.admin.AdminService.groupListDownload USER_RESOURCE_ACCESS
google.admin.AdminService.groupMemberBulkUpload USER_RESOURCE_UPDATE_CONTENT
google.admin.AdminService.groupMembersDownload USER_RESOURCE_UPDATE_CONTENT
google.admin.AdminService.insertChromeOsPrinter USER_RESOURCE_CREATION
google.admin.AdminService.mailRoutingDestinationAdded USER_RESOURCE_CREATION
google.admin.AdminService.mailRoutingDestinationRemoved RESOURCE_DELETION
google.admin.AdminService.meetInteropCreateGateway USER_RESOURCE_CREATION
google.admin.AdminService.meetInteropDeleteGateway RESOURCE_DELETION
google.admin.AdminService.meetInteropModifyGateway USER_RESOURCE_UPDATE_CONTENT
google.admin.AdminService.moveDeviceToOrgUnit USER_RESOURCE_UPDATE_CONTENT
google.admin.AdminService.moveUserToOrgUnit USER_RESOURCE_UPDATE_CONTENT
google.admin.AdminService.mxRecordVerificationClaim USER_RESOURCE_UPDATE_CONTENT
google.admin.AdminService.playForWorkEnroll USER_RESOURCE_UPDATE_CONTENT
google.admin.AdminService.playForWorkUnenroll USER_RESOURCE_UPDATE_CONTENT
google.admin.AdminService.regenerateOauthConsumerSecret USER_RESOURCE_UPDATE_CONTENT
google.admin.AdminService.rejectFromQuarantine USER_RESOURCE_UPDATE_CONTENT
google.admin.AdminService.releaseCalendarResources USER_RESOURCE_UPDATE_CONTENT
google.admin.AdminService.releaseFromQuarantine USER_RESOURCE_UPDATE_CONTENT
google.admin.AdminService.removeApiClientAccess RESOURCE_DELETION
google.admin.AdminService.removeApplication RESOURCE_DELETION
google.admin.AdminService.removeApplicationFromWhitelist RESOURCE_DELETION
google.admin.AdminService.removeChromeOsApplicationSettings RESOURCE_DELETION
google.admin.AdminService.removeDomainAlias RESOURCE_DELETION
google.admin.AdminService.removeFromTrustedOauth2Apps RESOURCE_DELETION
google.admin.AdminService.removeGroupMember RESOURCE_DELETION
google.admin.AdminService.removeNickname RESOURCE_DELETION
google.admin.AdminService.removePrivilege RESOURCE_DELETION
google.admin.AdminService.removeRecoveryEmail RESOURCE_DELETION
google.admin.AdminService.removeRecoveryPhone RESOURCE_DELETION
google.admin.AdminService.removeSecondaryDomain RESOURCE_DELETION
google.admin.AdminService.removeTrustedDomains RESOURCE_DELETION
google.admin.AdminService.renameAlert USER_RESOURCE_UPDATE_CONTENT
google.admin.AdminService.renameCalendarResource USER_RESOURCE_UPDATE_CONTENT
google.admin.AdminService.renameRole USER_RESOURCE_UPDATE_CONTENT
google.admin.AdminService.renameRule USER_RESOURCE_UPDATE_CONTENT
google.admin.AdminService.renameUser USER_RESOURCE_UPDATE_CONTENT
google.admin.AdminService.reorderGroupBasedPoliciesEvent USER_RESOURCE_UPDATE_CONTENT
google.admin.AdminService.requestAccountInfo USER_RESOURCE_UPDATE_CONTENT
google.admin.AdminService.requestMailboxDump USER_RESOURCE_UPDATE_CONTENT
google.admin.AdminService.resendUserInvite USER_RESOURCE_UPDATE_CONTENT
google.admin.AdminService.resetSigninCookies USER_RESOURCE_UPDATE_CONTENT
google.admin.AdminService.revoke3LoDeviceTokens USER_RESOURCE_UPDATE_CONTENT
google.admin.AdminService.revoke3LoToken USER_RESOURCE_UPDATE_CONTENT
google.admin.AdminService.revokeAdminPrivilege USER_RESOURCE_UPDATE_CONTENT
google.admin.AdminService.revokeAsp USER_RESOURCE_UPDATE_CONTENT
google.admin.AdminService.revokeSecurityKey USER_RESOURCE_UPDATE_CONTENT
google.admin.AdminService.ruleActionsChanged USER_RESOURCE_UPDATE_CONTENT
google.admin.AdminService.ruleStatusChanged USER_RESOURCE_UPDATE_CONTENT
google.admin.AdminService.securityInvestigationAction USER_RESOURCE_UPDATE_CONTENT
google.admin.AdminService.securityInvestigationActionCancellation USER_RESOURCE_UPDATE_CONTENT
google.admin.AdminService.securityInvestigationActionCompletion USER_RESOURCE_UPDATE_CONTENT
google.admin.AdminService.securityInvestigationActionRetry USER_RESOURCE_UPDATE_CONTENT
google.admin.AdminService.securityInvestigationActionVerificationConfirmation USER_RESOURCE_UPDATE_CONTENT
google.admin.AdminService.securityInvestigationActionVerificationRequest USER_RESOURCE_UPDATE_CONTENT
google.admin.AdminService.securityInvestigationActionVerificationRequestExpiration USER_RESOURCE_UPDATE_CONTENT
google.admin.AdminService.securityInvestigationChartCreate USER_RESOURCE_CREATION
google.admin.AdminService.securityInvestigationContentAccess USER_RESOURCE_UPDATE_CONTENT
google.admin.AdminService.securityInvestigationDownloadAttachment USER_RESOURCE_UPDATE_CONTENT
google.admin.AdminService.securityInvestigationExportActionResults USER_RESOURCE_UPDATE_CONTENT
google.admin.AdminService.securityInvestigationExportQuery USER_RESOURCE_UPDATE_CONTENT
google.admin.AdminService.securityInvestigationObjectCreateDraftInvestigation USER_RESOURCE_CREATION
google.admin.AdminService.securityInvestigationObjectDeleteInvestigation RESOURCE_DELETION
google.admin.AdminService.securityInvestigationObjectDuplicateInvestigation USER_RESOURCE_UPDATE_CONTENT
google.admin.AdminService.securityInvestigationObjectOwnershipTransfer USER_RESOURCE_UPDATE_CONTENT
google.admin.AdminService.securityInvestigationObjectSaveInvestigation USER_RESOURCE_UPDATE_CONTENT
google.admin.AdminService.securityInvestigationObjectUpdateDirectSharing RESOURCE_WRITTEN
google.admin.AdminService.securityInvestigationObjectUpdateLinkSharing RESOURCE_WRITTEN
google.admin.AdminService.securityInvestigationQuery USER_RESOURCE_UPDATE_CONTENT
google.admin.AdminService.securityInvestigationSettingUpdate RESOURCE_WRITTEN
google.admin.AdminService.securityKeyRegisteredForUser USER_RESOURCE_UPDATE_CONTENT
google.admin.AdminService.sendChromeOsDeviceCommand USER_RESOURCE_UPDATE_CONTENT
google.admin.AdminService.sessionControlSettingsChange USER_RESOURCE_UPDATE_CONTENT
google.admin.AdminService.skipDomainAliasMx USER_RESOURCE_UPDATE_CONTENT
google.admin.AdminService.skipSecondaryDomainMx USER_RESOURCE_UPDATE_CONTENT
google.admin.AdminService.suspendUser USER_CHANGE_PERMISSIONS
google.admin.AdminService.systemDefinedRuleUpdated USER_RESOURCE_UPDATE_PERMISSIONS
google.admin.AdminService.toggleAllowAdminPasswordReset USER_RESOURCE_UPDATE_CONTENT
google.admin.AdminService.toggleAutoAddNewService USER_RESOURCE_CREATION
google.admin.AdminService.toggleAutomaticContactSharing USER_RESOURCE_UPDATE_CONTENT
google.admin.AdminService.toggleCaaEnablement USER_RESOURCE_UPDATE_CONTENT
google.admin.AdminService.toggleContactSharing USER_RESOURCE_UPDATE_CONTENT
google.admin.AdminService.toggleEnableOauthConsumerKey USER_RESOURCE_UPDATE_CONTENT
google.admin.AdminService.toggleEnablePreReleaseFeatures USER_RESOURCE_UPDATE_CONTENT
google.admin.AdminService.toggleNewAppFeatures USER_RESOURCE_UPDATE_CONTENT
google.admin.AdminService.toggleOauthAccessToAllApis USER_RESOURCE_UPDATE_CONTENT
google.admin.AdminService.toggleOpenIdEnabled USER_RESOURCE_UPDATE_CONTENT
google.admin.AdminService.toggleOutboundRelay USER_RESOURCE_UPDATE_CONTENT
google.admin.AdminService.toggleServiceEnabled USER_UNCATEGORIZED
google.admin.AdminService.toggleSsl USER_RESOURCE_UPDATE_CONTENT
google.admin.AdminService.toggleSsoEnabled USER_RESOURCE_UPDATE_CONTENT
google.admin.AdminService.toggleUseCustomLogo USER_RESOURCE_UPDATE_CONTENT
google.admin.AdminService.toggleUseNextGenControlPanel USER_RESOURCE_UPDATE_CONTENT
google.admin.AdminService.transferDocumentOwnership USER_RESOURCE_UPDATE_CONTENT
google.admin.AdminService.trustDomainOwnedOauth2Apps USER_RESOURCE_UPDATE_CONTENT
google.admin.AdminService.turnOff2StepVerification USER_RESOURCE_UPDATE_CONTENT
google.admin.AdminService.unarchiveUser USER_RESOURCE_UPDATE_CONTENT
google.admin.AdminService.unassignRole USER_RESOURCE_UPDATE_PERMISSIONS
google.admin.AdminService.unblockOnDeviceAccess USER_RESOURCE_UPDATE_CONTENT
google.admin.AdminService.unblockUserSession USER_RESOURCE_UPDATE_CONTENT
google.admin.AdminService.undeleteUser RESOURCE_DELETION
google.admin.AdminService.unenrollUserFromStrongAuth USER_RESOURCE_UPDATE_CONTENT
google.admin.AdminService.unenrollUserFromTitanium USER_RESOURCE_UPDATE_CONTENT
google.admin.AdminService.unsuspendUser USER_CHANGE_PERMISSIONS
google.admin.AdminService.untrustDomainOwnedOauth2Apps USER_RESOURCE_UPDATE_CONTENT
google.admin.AdminService.updateBirthdate RESOURCE_WRITTEN
google.admin.AdminService.updateBuilding RESOURCE_WRITTEN
google.admin.AdminService.updateCalendarResource RESOURCE_WRITTEN
google.admin.AdminService.updateCalendarResourceFeature RESOURCE_WRITTEN
google.admin.AdminService.updateChromeOsPrinter RESOURCE_WRITTEN
google.admin.AdminService.updateDomainPrimaryAdminEmail RESOURCE_WRITTEN
google.admin.AdminService.updateDomainSecondaryEmail RESOURCE_WRITTEN
google.admin.AdminService.updateErrorMsgForRestrictedOauth2Apps RESOURCE_WRITTEN
google.admin.AdminService.updateGroupMember RESOURCE_WRITTEN
google.admin.AdminService.updateGroupMemberDeliverySettings RESOURCE_WRITTEN
google.admin.AdminService.updateGroupMemberDeliverySettingsCanEmailOverride RESOURCE_WRITTEN
google.admin.AdminService.updateManagedConfiguration RESOURCE_WRITTEN
google.admin.AdminService.updateRole RESOURCE_WRITTEN
google.admin.AdminService.updateRule RESOURCE_WRITTEN
google.admin.AdminService.upgradeUserToGplus USER_RESOURCE_UPDATE_CONTENT
google.admin.AdminService.uploadOauthCertificate USER_RESOURCE_UPDATE_CONTENT
google.admin.AdminService.userEnrolledInTwoStepVerification USER_RESOURCE_UPDATE_CONTENT
google.admin.AdminService.userInvite USER_RESOURCE_UPDATE_CONTENT
google.admin.AdminService.userPutInTwoStepVerificationGracePeriod USER_RESOURCE_UPDATE_CONTENT
google.admin.AdminService.usersBulkUpload USER_RESOURCE_UPDATE_CONTENT
google.admin.AdminService.usersBulkUploadNotificationSent USER_RESOURCE_UPDATE_CONTENT
google.admin.AdminService.verifyDomainAlias USER_RESOURCE_UPDATE_CONTENT
google.admin.AdminService.verifyDomainAliasMx USER_RESOURCE_UPDATE_CONTENT
google.admin.AdminService.verifySecondaryDomain USER_RESOURCE_UPDATE_CONTENT
google.admin.AdminService.verifySecondaryDomainMx USER_RESOURCE_UPDATE_CONTENT
google.admin.AdminService.viewDnsLoginDetails USER_RESOURCE_UPDATE_CONTENT
google.admin.AdminService.viewTempPassword USER_RESOURCE_UPDATE_CONTENT
google.admin.AdminService.weakProgrammaticLoginSettingsChanged USER_RESOURCE_UPDATE_CONTENT
google.admin.AdminService.whitelistedGroupsUpdated RESOURCE_WRITTEN
google.api.servicemanagement.v1.ServiceManager.ActivateServices USER_RESOURCE_UPDATE_CONTENT
google.api.serviceusage.v1.ServiceUsage.DisableService USER_RESOURCE_UPDATE_CONTENT
google.appengine.Datastore.Put STATUS_UPDATE
google.apps.cloudidentity.groups.v1.GroupsService.UpdateGroup RESOURCE_WRITTEN
google.apps.cloudidentity.groups.v1.MembershipsService.UpdateMembership USER_RESOURCE_UPDATE_CONTENT
google.cloud.asset.v1.AssetService.UpdateFeed USER_RESOURCE_UPDATE_PERMISSIONS
google.cloud.bigquery.connection.v1.ConnectionService.CreateConnection USER_RESOURCE_CREATION
google.cloud.bigquery.connection.v1.ConnectionService.DeleteConnection RESOURCE_DELETION
google.cloud.bigquery.connection.v1.ConnectionService.SetIamPolicy RESOURCE_PERMISSIONS_CHANGE
google.cloud.bigquery.connection.v1.ConnectionService.UpdateConnection RESOURCE_WRITTEN
google.cloud.bigquery.reservation.v1.ReservationService.CreateAssignment USER_RESOURCE_CREATION
google.cloud.bigquery.reservation.v1.ReservationService.CreateCapacityCommitment USER_RESOURCE_CREATION
google.cloud.bigquery.reservation.v1.ReservationService.CreateReservation USER_RESOURCE_CREATION
google.cloud.bigquery.reservation.v1.ReservationService.DeleteAssignment RESOURCE_DELETION
google.cloud.bigquery.reservation.v1.ReservationService.DeleteCapacityCommitment RESOURCE_DELETION
google.cloud.bigquery.reservation.v1.ReservationService.DeleteReservation RESOURCE_DELETION
google.cloud.bigquery.reservation.v1.ReservationService.MoveAssignment STATUS_UPDATE
google.cloud.bigquery.reservation.v1.ReservationService.UpdateReservation RESOURCE_WRITTEN
google.cloud.bigquery.v2.DatasetService.DeleteDataset USER_RESOURCE_DELETION
google.cloud.bigquery.v2.DatasetService.InsertDataset USER_RESOURCE_CREATION
google.cloud.bigquery.v2.DatasetService.PatchDataset USER_RESOURCE_UPDATE_CONTENT
google.cloud.bigquery.v2.DatasetService.UpdateDataset RESOURCE_WRITTEN
google.cloud.bigquery.v2.JobService.GetQueryResults USER_RESOURCE_ACCESS
google.cloud.bigquery.v2.JobService.InsertJob USER_RESOURCE_CREATION
google.cloud.bigquery.v2.JobService.Query USER_RESOURCE_ACCESS
google.cloud.bigquery.v2.TableDataService.List USER_RESOURCE_ACCESS
google.cloud.bigquery.v2.TableService.DeleteTable RESOURCE_DELETION
google.cloud.bigquery.v2.TableService.InsertTable USER_RESOURCE_CREATION
google.cloud.bigquery.v2.TableService.PatchTable USER_RESOURCE_UPDATE_CONTENT
google.cloud.bigquery.v2.TableService.UpdateTable RESOURCE_WRITTEN
google.cloud.dataproc.v1.JobController.SubmitJob RESOURCE_WRITTEN
google.cloud.dataproc.v1beta2.ClusterController.UpdateCluster RESOURCE_WRITTEN
google.cloud.functions.v1.CloudFunctionsService.CreateFunction RESOURCE_CREATION
google.cloud.healthcare.v1alpha2.dataset.DatasetService.AccessEhrSearch STATUS_UPDATE
google.cloud.orgpolicy.v2.OrgPolicy.DeletePolicy RESOURCE_WRITTEN
google.cloud.oslogin.v1.OsLoginService.CheckPolicy USER_LOGIN
google.cloud.run.v1.Services.ReplaceService SERVICE_UNCATEGORIZED
google.cloud.securitycenter.settings.v1beta2.Settings.UpdateEventThreatDetectionSettings RESOURCE_DELETION
google.cloud.securitycenter.settings.v1beta2.Settings.UpdateSecurityHealthAnalyticsSettings RESOURCE_WRITTEN
google.cloudresourcemanager.v1.Projects.SetIamPolicy USER_RESOURCE_UPDATE_PERMISSIONS
google.container.v1.ClusterManager.CreateCluster USER_RESOURCE_CREATION
google.datastore.v1.Datastore.RunQuery STATUS_UPDATE
google.devtools.cloudbuild.v1.CloudBuild.ListBuilds USER_RESOURCE_ACCESS
google.iam.admin.v1.GetPolicyDetails2 USER_RESOURCE_ACCESS
google.iam.v1.IAMPolicy.SetIamPolicy USER_RESOURCE_UPDATE_PERMISSIONS
google.iam.v2beta.Policies.CreatePolicy USER_RESOURCE_CREATION
google.iam.v2beta.Policies.DeletePolicy RESOURCE_DELETION
google.iam.v2beta.Policies.GetPolicy USER_RESOURCE_ACCESS
google.iam.v2beta.Policies.ListPolicies USER_RESOURCE_ACCESS
google.iam.v2beta.Policies.UpdatePolicy RESOURCE_WRITTEN
google.identity.accesscontextmanager.v1.AccessContextManager.CreateAccessLevel USER_RESOURCE_CREATION
google.login.LoginService.2svDisable STATUS_UPDATE
google.login.LoginService.2svEnroll STATUS_UPDATE
google.login.LoginService.accountDisabledGeneric USER_LOGIN
google.login.LoginService.accountDisabledHijacked USER_LOGIN

Security category: NETWORK_SUSPICIOUS

google.login.LoginService.accountDisabledPasswordLeak STATUS_UPDATE
google.login.LoginService.accountDisabledSpamming USER_LOGIN

Security category: NETWORK_SUSPICIOUS

google.login.LoginService.accountDisabledSpammingThroughRelay USER_LOGIN

Security category: NETWORK_SUSPICIOUS

google.login.LoginService.emailForwardingOutOfDomain EMAIL_TRANSACTION
google.login.LoginService.govAttackWarning USER_LOGIN

Security category: NETWORK_MALICIOUS

google.login.LoginService.loginChallenge USER_LOGIN
google.login.LoginService.loginFailure USER_LOGIN

Security category: AUTH_VIOLATION

google.login.LoginService.loginSuccess USER_LOGIN
google.login.LoginService.loginVerification USER_LOGIN
google.login.LoginService.logout USER_LOGOUT
google.login.LoginService.passwordEdit USER_CHANGE_PASSWORD
google.login.LoginService.recoveryEmailEdit USER_RESOURCE_UPDATE_CONTENT
google.login.LoginService.recoveryPhoneEdit USER_RESOURCE_UPDATE_CONTENT
google.login.LoginService.recoverySecretQaEdit USER_RESOURCE_UPDATE_CONTENT
google.login.LoginService.suspiciousLogin USER_LOGIN

Security category: ACL_VIOLATION

google.login.LoginService.suspiciousLoginLessSecureApp USER_LOGIN

Security category: ACL_VIOLATION

google.login.LoginService.suspiciousProgrammaticLogin USER_LOGIN

Security category: ACL_VIOLATION

google.login.LoginService.titaniumEnroll USER_RESOURCE_UPDATE_CONTENT
google.login.LoginService.titaniumUnenroll USER_RESOURCE_CREATION
google.longrunning.Operations.GetOperation RESOURCE_READ
google.pubsub.v1.Publisher.CreateTopic RESOURCE_CREATION
google.ssh-serialport.v1.connect NETWORK_CONNECTION
google.storage.objects.list USER_RESOURCE_ACCESS
InternalTableExpired USER_RESOURCE_DELETION
io.gke.networking.v1beta1.managedcertificates.update RESOURCE_WRITTEN
io.k8s.apiextensions.v1.customresourcedefinitions.patch RESOURCE_WRITTEN
io.k8s.app.v1beta1.applications.update RESOURCE_WRITTEN
io.k8s.apps.v1.daemonsets.create RESOURCE_CREATION
io.k8s.authorization.rbac.v1 STATUS_UPDATE
io.k8s.authorization.rbac.v1.clusterrolebindings.create RESOURCE_CREATION
io.k8s.authorization.rbac.v1.clusterroles.create RESOURCE_CREATION
io.k8s.authorization.rbac.v1.rolebindings.patch RESOURCE_WRITTEN
io.k8s.authorization.rbac.v1.roles STATUS_UPDATE
io.k8s.authorization.v1.selfsubjectaccessreviews.create RESOURCE_CREATION
io.k8s.batch.v1.jobs.create RESOURCE_CREATION
io.k8s.certificates.v1.certificatesigningrequests.create RESOURCE_CREATION
io.k8s.coordination.v1.leases.update RESOURCE_WRITTEN
io.k8s.core.v0.id.create RESOURCE_CREATION
io.k8s.core.v1.configmaps.update RESOURCE_WRITTEN
io.k8s.core.v1.nodes.proxy.get RESOURCE_READ
io.k8s.core.v1.pods.create RESOURCE_CREATION
io.k8s.core.v1.pods.delete RESOURCE_DELETION
io.k8s.core.v1.services.proxy.get RESOURCE_READ
io.k8s.extensions.v1beta1.deployments.patch RESOURCE_WRITTEN
io.k8s.post USER_UNCATEGORIZED
jobservice.jobcompleted RESOURCE_WRITTEN
ListRoles USER_RESOURCE_ACCESS
ListServiceAccountKeys USER_RESOURCE_ACCESS
ListServiceAccounts USER_RESOURCE_ACCESS
ListWorkforcePoolProviders USER_RESOURCE_ACCESS
ListWorkforcePools USER_RESOURCE_ACCESS
ListWorkloadIdentityPoolProviders USER_RESOURCE_ACCESS
ListWorkloadIdentityPools USER_RESOURCE_ACCESS
networks.addPeering STATUS_UPDATE
networks.delete RESOURCE_DELETION
networks.get USER_RESOURCE_ACCESS
networks.insert RESOURCE_CREATION
networks.list USER_RESOURCE_ACCESS
networks.listPeeringRoutes USER_RESOURCE_ACCESS
networks.patch USER_RESOURCE_UPDATE_CONTENT
networks.removePeering RESOURCE_DELETION
networks.switchToCustomMode STATUS_UPDATE
networks.updatePeering RESOURCE_WRITTEN
PatchServiceAccount USER_RESOURCE_UPDATE_CONTENT
QueryGrantableRoles USER_RESOURCE_ACCESS
routes.delete RESOURCE_DELETION
routes.get USER_RESOURCE_ACCESS
routes.insert USER_RESOURCE_CREATION
routes.list USER_RESOURCE_ACCESS
ScheduledSnapshots RESOURCE_WRITTEN
SetIAMPolicy USER_RESOURCE_UPDATE_PERMISSIONS
SetOrgPolicy USER_RESOURCE_UPDATE_PERMISSIONS
SignBlob USER_RESOURCE_UPDATE_CONTENT
SignJwt USER_RESOURCE_UPDATE_CONTENT
storage.buckets.get RESOURCE_READ
storage.buckets.list RESOURCE_READ
storage.objects.create RESOURCE_CREATION
storage.objects.update RESOURCE_WRITTEN
storage.setIamPermissions USER_RESOURCE_UPDATE_PERMISSIONS
subnetworks.aggregatedList USER_RESOURCE_ACCESS
subnetworks.delete RESOURCE_DELETION
subnetworks.expandIpCidrRange STATUS_UPDATE
subnetworks.get USER_RESOURCE_ACCESS
subnetworks.getIamPolicy USER_RESOURCE_ACCESS
subnetworks.insert RESOURCE_CREATION
subnetworks.list USER_RESOURCE_ACCESS
subnetworks.listUsable USER_RESOURCE_ACCESS
subnetworks.patch USER_RESOURCE_UPDATE_CONTENT
subnetworks.setIamPolicy USER_RESOURCE_UPDATE_PERMISSIONS
subnetworks.setPrivateIpGoogleAccess STATUS_UPDATE
subnetworks.testIamPermissions USER_RESOURCE_ACCESS
tableservice.delete USER_RESOURCE_DELETION
UndeleteRole RESOURCE_CREATION
UndeleteServiceAccount USER_CREATION
UndeleteWorkforcePool RESOURCE_DELETION
UndeleteWorkforcePoolProvider RESOURCE_DELETION
UndeleteWorkloadIdentityPool RESOURCE_CREATION
UndeleteWorkloadIdentityPoolProvider RESOURCE_DELETION
updateBackup RESOURCE_WRITTEN
UpdateCryptoKeyVersion RESOURCE_WRITTEN
updatePolicy RESOURCE_WRITTEN
UpdateRole RESOURCE_WRITTEN
UpdateServiceAccount RESOURCE_WRITTEN
UpdateWorkforcePool RESOURCE_WRITTEN
UpdateWorkforcePoolProvider RESOURCE_WRITTEN
UpdateWorkloadIdentityPool RESOURCE_WRITTEN
UpdateWorkloadIdentityPoolProvider RESOURCE_WRITTEN
UploadServiceAccountKey USER_CHANGE_PASSWORD
v1 STATUS_UPDATE
v1.compute.disks.delete RESOURCE_DELETION
v1.compute.disks.insert RESOURCE_CREATION
v1.compute.disks.setLabels RESOURCE_WRITTEN
v1.compute.instances.delete RESOURCE_DELETION
v1.compute.projects.setCommonInstanceMetadata USER_RESOURCE_UPDATE_CONTENT
v1.compute.securityPolicies.patchRule RESOURCE_WRITTEN

Field mapping reference: GCP_CLOUDAUDIT

The following table lists the log fields of the GCP_CLOUDAUDIT log type and their corresponding UDM fields.
Log field UDM mapping Logic
extensions.auth.auth_mechanism If protoPayload.metadata.event.eventName is equal to login_failure or login_verification or login_challenge or login_success, then the extensions.auth.auth_mechanism UDM field is:
  • Set to MECHANISM_OTHER when the following conditions are met:
    • The value in the protoPayload.metadata.event.eventName.parameter.name is equal to is_second_factor.
    • The value protoPayload.metadata.event.eventName.parameter.value is not equal to True.
  • Set to USERNAME_PASSWORD when the following conditions are met:
    • The value in the protoPayload.metadata.event.eventName.parameter.name is equal to login_challenge_method or login_type.
    • The value protoPayload.metadata.event.eventName.parameter.value is equal to exchange or password or google_password or saml.
  • Set to OTP when the following conditions are met:
    • The value in the protoPayload.metadata.event.eventName.parameter.name is equal to login_challenge_method or login_type.
    • The value protoPayload.metadata.event.eventName.parameter.value is equal to backup_code or google_authenticator or idv_any_phone or idv_preregistered_phone or offline_otp or security_key_otp.
  • Set to INTERACTIVE when one of the following conditions is met:
    • The value in the protoPayload.metadata.event.eventName.parameter.name is equal to is_second_factor and the value protoPayload.metadata.event.eventName.parameter.value is equal to True.
    • The value in the protoPayload.metadata.event.eventName.parameter.name is equal to login_challenge_method or login_type and the value protoPayload.metadata.event.eventName.parameter.value is equal to internal_two_factor or login_location.
  • Set to MECHANISM_OTHER when the following conditions are met:
    • The value in the protoPayload.metadata.event.eventName.parameter.name is equal to login_challenge_method or login_type.
    • The value protoPayload.metadata.event.eventName.parameter.value is equal to google_prompt or knowledge_employee_id or knowledge_preregistered_email or knowledge_preregistered_phone or other.
  • Set to HARDWARE_KEY when the following conditions are met:
    • The value in the protoPayload.metadata.event.eventName.parameter.name is equal to login_challenge_method or login_type.
    • The value protoPayload.metadata.event.eventName.parameter.value is equal to security_key.
  • Set to MECHANISM_UNSPECIFIED when the following conditions are met:
    • The value in the protoPayload.metadata.event.eventName.parameter.name is equal to login_challenge_method or login_type.
    • The value protoPayload.metadata.event.eventName.parameter.value is equal to reauth or unknown.
extensions.auth.type If the protoPayload.metadata.event.eventName log field value is equal to login_failure or login_verification or login_challenge or login_success, then if the protoPayload.metadata.event.eventName.parameter.name log field value is equal to login_challenge_method, then the extensions.auth.type UDM field is set to MACHINE.
metadata.vendor_name The metadata.vendor_name UDM field is set to Google Cloud Platform.
principal.user.account_type If the access.principalSubject log field value matches the regular expression serviceAccount, then the principal.user.account_type UDM field is set to SERVICE_ACCOUNT_TYPE.

If the access.principalSubject log field value matches the regular expression user, then the principal.user.account_type UDM field is set to CLOUD_ACCOUNT_TYPE.
security_result.action_details If the protoPayload.metadata.event.eventName log field value is equal to login_challenge or login_verification, then if the protoPayload.metadata.event.eventName.parameter.name log field value is equal to login_challenge_status, then the protoPayload.metadata.event.eventName.parameter.value log field is mapped to the security_result.action_details UDM field.

If the protoPayload.metadata.event.eventName log field value is equal to ACTION_CANCELLED or ACTION_REQUESTED, then if the protoPayload.metadata.event.eventName.parameter.name log field value is equal to ACTION_TYPE, then the protoPayload.metadata.event.eventName.parameter.value log field is mapped to the security_result.action_details UDM field.
security_result.severity_details If the severity log field value is equal to CRITICAL, then the security_result.severity UDM field is set to CRITICAL.

If the severity log field value is equal to ERROR, then the security_result.severity UDM field is set to ERROR.

If the severity log field value is equal to ALERT or EMERGENCY, then the security_result.severity UDM field is set to HIGH.

If the severity log field value is equal to INFO or NOTICE, then the security_result.severity UDM field is set to INFORMATIONAL.

If the severity log field value is equal to DEBUG, then the security_result.severity UDM field is set to LOW.

If the severity log field value is equal to WARNING, then the security_result.severity UDM field is set to MEDIUM.

Else, the security_result.severity UDM field is set to UNKNOWN_SEVERITY.
target.asset.type If the protoPayload.metadata.event.eventName.parameter.name log field value is equal to PRINTER_SERVER_NAME, then the target.asset.type UDM field is set to SERVER.

If the protoPayload.metadata.event.eventName.parameter.name log field value is equal to PRINTER_NAME, then the target.asset.type UDM field is set to PRINTER.

If the protoPayload.metadata.event.eventName.parameter.name log field value is equal to DEVICE_TYPE, then the target.asset.type UDM field is set to ROLE_UNSPECIFIED.
target.resource.resource_type If the resource.type log field value matches the regular expression gce_(firewall or forwarding_rule) or network_security_policy, then the target.resource.resource_type UDM field is set to FIREWALL_RULE and the resource.type raw log field is mapped to target.resource.resource_subtype UDM field.

Else if, the resource.type log field value matches the regular expression gce_(subnetwork or network), then the target.resource.resource_type UDM field is set to VPC_NETWORK.

Else if, the resource.type log field value matches the regular expression cloud_dataproc_(batch or session), then the target.resource.resource_type UDM field is set to TASK.

Else if, the resource.type log field value is equal to gce_backend_service, then the target.resource.resource_type UDM field is set to BACKEND_SERVICE.

Else if, the resource.type log field value is equal to build, then the target.resource.resource_type UDM field is set to TASK and the resource.type raw log field is mapped to target.resource.resource_subtype UDM field.

Else if, the resource.type log field value is equal to pubsub_topic, then the target.resource.resource_type UDM field is set to PIPE and the resource.type raw log field is mapped to target.resource.resource_subtype UDM field.

Else if, the resource.type log field value matches the regular expression cloudkms_cryptokey, then the target.resource.resource_type UDM field is set to CREDENTIAL and the resource.type raw log field is mapped to target.resource.resource_subtype UDM field.

Else if, the resource.type log field value is equal to iam_role, then the target.resource.resource_type UDM field is set to ACCESS_POLICY and the resource.type raw log field is mapped to target.resource.resource_subtype UDM field.

Else if, the resource.type log field value is equal to cloud_run_job, then the target.resource.resource_type UDM field is set to TASK and the resource.type raw log field is mapped to target.resource.resource_subtype UDM field.

Else if, the resource.type log field value is equal to cloud_run_revision, then the target.resource.resource_type UDM field is set to BACKEND_SERVICE and the resource.type raw log field is mapped to target.resource.resource_subtype UDM field.

Else if, the resource.type log field value matches the regular expression gcs_bucket, then the target.resource.resource_type UDM field is set to STORAGE_BUCKET.

Else if, the resource.type log field value matches the regular expression bigquery\.googleapis\.com/SparkJob, then the target.resource.resource_type UDM field is set to TASK.

Else if, the resource.type log field value matches the regular expression bigquery_(biengine_model or dataset), then the target.resource.resource_type UDM field is set to DATASET.

Else if, the resource.type log field value matches the regular expression bigquery_dts_config, then the target.resource.resource_type UDM field is set to SETTING.

Else if, the resource.type log field value matches the regular expression cloudsql or bigquery_project or bigquery_resource, then the target.resource.resource_type UDM field is set to DATABASE.

Else if, the resource.type log field value matches the regular expression service_account, then the target.resource.resource_type UDM field is set to SERVICE_ACCOUNT.

Else if, the resource.type log field value matches the regular expression organization, then the target.resource.resource_type UDM field is set to CLOUD_ORGANIZATION.

Else if, the resource.type log field value matches the regular expression audited_resource or gae_app, then the target.resource.resource_type UDM field is set to BACKEND_SERVICE.

Else if, the resource.type log field value matches the regular expression cloud_function, then the target.resource.resource_type UDM field is set to FUNCTION.

Else if, the resource.type log field value matches the regular expression gce_(network_endpoint_group or node_group), then the target.resource.resource_type UDM field is set to BACKEND_SERVICE.

Else if, the resource.type log field value matches the regular expression gce_(node_template or resource_policy), then the target.resource.resource_type UDM field is set to SETTING.

Else if, the resource.type log field value matches the regular expression gce_disk, then the target.resource.resource_type UDM field is set to DISK.

Else if, the resource.type log field value matches the regular expression k8s_(scale or service), then the target.resource.resource_type UDM field is set to BACKEND_SERVICE.

Else if, the resource.type log field value matches the regular expression k8s_(control_plane_component or container), then the target.resource.resource_type UDM field is set to CONTAINER.

Else if, the resource.type log field value matches the regular expression k8s_node, then the target.resource.resource_type UDM field is set to VIRTUAL_MACHINE.

Else if, the resource.type log field value matches the regular expression k8s_pod, then the target.resource.resource_type UDM field is set to POD.

Else if, the resource.type log field value matches the regular expression k8s_cluster or cloud_dataproc_cluster or gke_cluster or gke_nodepool, then the target.resource.resource_type UDM field is set to CLUSTER.

Else if, the resource.type log field value matches the regular expression gke_container, then the target.resource.resource_type UDM field is set to CONTAINER.

Else if, the resource.type log field value matches the regular expression gkebackup\.googleapis\.com/(BackupPlan or RestorePlan), then the target.resource.resource_type UDM field is set to SETTING.

Else if, the resource.type log field value matches the regular expression gce_(instance or snapshot), then the target.resource.resource_type UDM field is set to VIRTUAL_MACHINE.

Else if, the resource.type log field value matches the regular expression gce_image, then the target.resource.resource_type UDM field is set to IMAGE.

Else if, the resource.type log field value contains one of the following values, then the resource.type log field is set to UNSPECIFIED and the resource.type raw log field is mapped to target.resource.resource_subtype UDM field.
  • identitytoolkit_project
  • storage.googleapis.com/Project
  • videostitcher.googleapis.com/Project

Else if, the resource.type log field value matches the regular expression project, then the target.resource.resource_type UDM field is set to CLOUD_PROJECT.

Else if, the resource.type log field value matches the regular expression gke_, then the target.resource.resource_type UDM field is set to CLUSTER.

Else, the target.resource.resource_type UDM field is set to UNSPECIFIED and the resource.type raw log field is mapped to target.resource.resource_subtype UDM field.
authenticationInfo.serviceAccountDelegationInfo.firstPartyPrincipal.serviceMetadata principal.labels[service_metadata] (deprecated)
authenticationInfo.serviceAccountDelegationInfo.firstPartyPrincipal.serviceMetadata additional.fields[service_metadata]
authenticationInfo.serviceAccountDelegationInfo.thirdPartyPrincipal.thirdPartyClaims principal.labels[third_party_claims] (deprecated)
authenticationInfo.serviceAccountDelegationInfo.thirdPartyPrincipal.thirdPartyClaims additional.fields[third_party_claims]
httpRequest.cacheFillBytes about.labels[httpreq_cache_fill_bytes] (deprecated)
httpRequest.cacheFillBytes additional.fields[httpreq_cache_fill_bytes]
httpRequest.cacheHit about.labels[httpreq_cache_hit] (deprecated)
httpRequest.cacheHit additional.fields[httpreq_cache_hit]
httpRequest.cacheLookup about.labels[httpreq_cache_lookup] (deprecated)
httpRequest.cacheLookup additional.fields[httpreq_cache_lookup]
httpRequest.cacheValidatedWithOriginServer about.labels[httpreq_cache_validated_with_origin_server] (deprecated)
httpRequest.cacheValidatedWithOriginServer additional.fields[httpreq_cache_validated_with_origin_server]
httpRequest.latency about.labels[httprequest_latency] (deprecated)
httpRequest.latency additional.fields[httprequest_latency]
httpRequest.protocol network.application_protocol
httpRequest.referer network.http.referral_url
httpRequest.remoteIp target.ip
httpRequest.requestMethod network.http.method
httpRequest.requestSize network.sent_bytes
httpRequest.requestUrl network.http.referral_url
httpRequest.requestUrl target.url
httpRequest.responseSize network.received_bytes
httpRequest.serverIp principal.ip
httpRequest.status network.http.response_code
httpRequest.userAgent network.http.user_agent
insertId metadata.product_log_id
jsonPayload.accessApprovals[] target.resource.name
jsonPayload.accesses.methodName additional.fields[methodName]
jsonPayload.accesses[].methodName about.labels[methodName] (deprecated)
jsonPayload.accesses[].resourceName about.resource.name
jsonPayload.actor.user principal.user.userid If the jsonPayload.actor.user log field value is not empty, then userid_actor is extracted from the jsonPayload.actor.user log field using a Grok pattern, and mapped to the principal.user.userid UDM field.
jsonPayload.actor.user principal.user.email_addresses If the jsonPayload.actor.user log field value is not empty and the jsonPayload.actor.user log field value matches the regular expression .@., then the jsonPayload.actor.user log field is mapped to the principal.user.email_addresses UDM field.
jsonPayload.bytes_sent network.sent_bytes
jsonPayload.connection.dest_ip target.ip
jsonPayload.connection.dest_port target.port
jsonPayload.connection.nat_ip principal.nat_ip
jsonPayload.connection.nat_port principal.nat_port
jsonPayload.connection.protocol network.ip_protocol
jsonPayload.connection.src_ip principal.ip
jsonPayload.connection.src_port principal.port
jsonPayload.dest_instance.project_id target.labels[jsonPayload_dest_instance_project_id] (deprecated)
jsonPayload.dest_instance.project_id additional.fields[jsonPayload_dest_instance_project_id]
jsonPayload.dest_instance.region target.location.name
jsonPayload.dest_instance.vm_name target.hostname
jsonPayload.dest_instance.zone target.cloud.availability_zone
jsonPayload.dest_location.asn target.labels[jsonPayload_dest_location_asn] (deprecated)
jsonPayload.dest_location.asn additional.fields[jsonPayload_dest_location_asn]
jsonPayload.dest_location.city target.location.city
jsonPayload.dest_location.continent target.location.country_or_region
jsonPayload.dest_location.continent target.labels[jsonPayload_dest_location_continent] (deprecated)
jsonPayload.dest_location.continent additional.fields[jsonPayload_dest_location_continent]
jsonPayload.dest_location.country target.location.country_or_region
jsonPayload.dest_location.region target.labels[jsonPayload_dest_location_region]
jsonPayload.dest_vpc.project_id target.resource.product_object_id
jsonPayload.dest_vpc.subnetwork_name target.resource.attribute.labels[jsonPayload_src_vpc_subnetwork_name]
jsonPayload.dest_vpc.vpc_name target.resource.name
jsonPayload.end_time about.labels[jsonPayload_end_time] (deprecated)
jsonPayload.end_time additional.fields[jsonPayload_end_time]
jsonPayload.event_subtype metadata.product_event_type
jsonPayload.location.principalEmployingEntity principal.user.company_name
jsonPayload.location.principalOfficeCountry principal.user.office_address.country_or_region
jsonPayload.packets_sent network.sent_packets
jsonPayload.product target.application
jsonPayload.reason[].detail security_result.description
jsonPayload.reason[].type security_result.summary
jsonPayload.reporter about.labels[jsonPayload_reporter] (deprecated)
jsonPayload.reporter additional.fields[jsonPayload_reporter]
jsonPayload.resource.id target.resource.product_object_id
jsonPayload.resource.name target.resource.name
jsonPayload.sourceNetwork principal.labels[source_network] (deprecated)
jsonPayload.sourceNetwork additional.fields[source_network]
jsonPayload.src_instance.project_id principal.labels[jsonPayload_src_instance_project_id] (deprecated)
jsonPayload.src_instance.project_id additional.fields[jsonPayload_src_instance_project_id]
jsonPayload.src_instance.region principal.location.name
jsonPayload.src_instance.vm_name principal.hostname
jsonPayload.src_instance.zone principal.cloud.availability_zone
jsonPayload.src_location.asn principal.labels[jsonPayload_src_location_asn] (deprecated)
jsonPayload.src_location.asn additional.fields[jsonPayload_src_location_asn]
jsonPayload.src_location.city principal.location.city
jsonPayload.src_location.continent principal.labels[jsonPayload_src_location_continent] (deprecated)
jsonPayload.src_location.continent additional.fields[jsonPayload_src_location_continent]
jsonPayload.src_location.country principal.location.country_or_region
jsonPayload.src_location.region principal.labels[jsonPayload_src_location_region]
jsonPayload.src_vpc.project_id principal.resource.product_object_id
jsonPayload.src_vpc.subnetwork_name principal.resource.attribute.labels[jsonPayload_src_vpc_subnetwork_name]
jsonPayload.src_vpc.vpc_name principal.resource.name
jsonPayload.start_time about.labels[jsonPayload_start_time] (deprecated)
jsonPayload.start_time additional.fields[jsonPayload_start_time]
key_id security_result.detection_field[key_id] key_id field value is extracted from the message log field using a Grok pattern.
labels.authorization.k8s.io/decision security_result.action If the labels.authorization.k8s.io/decision log field value is equal to allow, then the security_result.action UDM field is set to ALLOW.

Else, if the labels.authorization.k8s.io/decision log field value is equal to block, then the security_result.action UDM field is set to BLOCK.
labels.authorization.k8s.io/reason security_result.action_details
labels.execution_id additional.fields[execution_id]
labels.instance_id additional.fields[instance_id]
labels.mutation.webhook.admission.k8s.io/round_0_index_0 security_result.about.resource.attribute.labels[labels_round_0_index_0]
labels.pod-security.kubernetes.io/enforce-policy security_result.detection_fields[pod_security_kubernetes_io_enforce_policy]
labels.runtime_version additional.fields[runtime_version]
logName metadata.url_back_to_product
logName security_result.category_details
operation.first about.labels[operation_first] (deprecated)
operation.first additional.fields[operation_first]
operation.id about.labels[operation_id] (deprecated)
operation.id additional.fields[operation_id]
operation.last about.labels[operation_last] (deprecated)
operation.last additional.fields[operation_last]
operation.producer about.labels[operation_producer] (deprecated)
operation.producer additional.fields[operation_producer]
protoPayload.@type about.labels[type] (deprecated)
protoPayload.@type additional.fields[type]
protoPayload.authenticationInfo.authoritySelector principal.user.userid If the protoPayload.authenticationInfo.authoritySelector log field value is not empty, then userid_selector is extracted from the protoPayload.authenticationInfo.authoritySelector log field using a Grok pattern, and mapped to the principal.user.userid UDM field.
protoPayload.authenticationInfo.authoritySelector principal.user.email_addresses If the protoPayload.authenticationInfo.authoritySelector log field value is not empty and the protoPayload.authenticationInfo.authoritySelector log field value matches the regular expression .@., then the protoPayload.authenticationInfo.authoritySelector log field is mapped to the principal.user.email_addresses UDM field.
protoPayload.authenticationInfo.principalEmail principal.user.userid If the protoPayload.authenticationInfo.principalEmail log field value is not empty, then userid_auth is extracted from the protoPayload.authenticationInfo.principalEmail log field using a Grok pattern, and mapped to the principal.user.userid UDM field.
protoPayload.authenticationInfo.principalEmail principal.user.email_addresses If the protoPayload.authenticationInfo.principalEmail log field value is not empty and the protoPayload.authenticationInfo.principalEmail log field value matches the regular expression .@., then the protoPayload.authenticationInfo.principalEmail log field is mapped to the principal.user.email_addresses UDM field.
protoPayload.authenticationInfo.principalSubject principal.user.userid If the protoPayload.authenticationInfo.principalSubject log field value is not empty, then new_user_id is extracted from the protoPayload.authenticationInfo.principalSubject log field using a Grok pattern, and mapped to the principal.user.userid UDM field.
protoPayload.authenticationInfo.principalSubject principal.user.email_addresses If the protoPayload.authenticationInfo.principalSubject log field value is not empty, then new_email_id is extracted from the protoPayload.authenticationInfo.principalSubject log field using a Grok pattern, and mapped to the principal.user.email_addresses UDM field.
protoPayload.authenticationInfo.serviceAccountDelegationInfo.firstPartyPrincipal.principalEmail principal.email
protoPayload.authenticationInfo.serviceAccountDelegationInfo.principalSubject principal.user.attribute.labels[access_serviceAcc_principalSubject]
protoPayload.authenticationInfo.serviceAccountKeyName security_result.detection_fields[service_account_key_name]
protoPayload.authenticationInfo.thirdPartyPrincipal principal.labels[third_party_principal] (deprecated)
protoPayload.authenticationInfo.thirdPartyPrincipal additional.fields[third_party_principal]
protoPayload.authorizationInfo.authorizationLoggingOptions.permissionType principal.user.attribute.permissions.description
protoPayload.authorizationInfo.authorizationLoggingOptions.permissionType principal.user.attribute.permissions.type
protoPayload.authorizationInfo.granted target.resource_ancestors.attribute.labels[authorization_granted]
protoPayload.authorizationInfo.granted principal.user.attribute.labels[authorization_granted]
protoPayload.authorizationInfo.permission target.resource_ancestors.attribute.permissions.name
protoPayload.authorizationInfo.permission principal.user.attribute.permissions.name
protoPayload.authorizationInfo.permissionType target.resource_ancestors.attribute.permissions.type
protoPayload.authorizationInfo.resource principal.resource.name If the protoPayload.authorizationInfo.resource log field value is not empty, then the protoPayload.authorizationInfo.resource log field is mapped to the principal.resource.name UDM field.
protoPayload.authorizationInfo.resource security_result.detection_fields[resource]
protoPayload.authorizationInfo.resourceAttributes.name principal.resource.name If the protoPayload.authorizationInfo.resourceAttributes.name log field value is not empty, then the protoPayload.authorizationInfo.resourceAttributes.name log field is mapped to the principal.resource.name UDM field.
protoPayload.authorizationInfo.resourceAttributes.service target.resource_ancestors.attribute.labels[resource_attribute_service]
protoPayload.authorizationInfo.resourceAttributes.service principal.resource.attribute.labels[authorization_info_rcService]
protoPayload.authorizationInfo.resourceAttributes.type principal.resource.resource_subtype
protoPayload.metadata.@type about.labels[metadata_type] (deprecated)
protoPayload.metadata.@type additional.fields[metadata_type]
protoPayload.metadata.activityId.timeUsec about.labels[metadata_activityId_time_usec] (deprecated)
protoPayload.metadata.activityId.timeUsec additional.fields[metadata_activityId_time_usec]
protoPayload.metadata.activityId.uniqQualifier about.labels[metadata_activityId_uniq_qualifier] (deprecated)
protoPayload.metadata.activityId.uniqQualifier additional.fields[metadata_activityId_uniq_qualifier]
protoPayload.metadata.datasetChange.bindingDeltas.action target.resource.attribute.labels[dataset_change_binding_deltas_action]
protoPayload.metadata.datasetChange.bindingDeltas.member target.resource.attribute.labels[dataset_change_binding_deltas_member]
protoPayload.metadata.datasetChange.bindingDeltas.role target.resource.attribute.labels[dataset_change_binding_deltas_role]
protoPayload.metadata.datasetChange.dataset.acl.policy.bindings.members target.resource.attribute.labels[dataset_change_dataset_acl_policy_bindings_{index}_members_{index1}]
protoPayload.metadata.datasetChange.dataset.acl.policy.bindings.role target.resource.attribute.labels[dataset_change_dataset_acl_policy_bindings_{index}_role]
protoPayload.metadata.datasetCreation.dataset.datasetName target.resource.name
protoPayload.metadata.datasetCreation.reason security_result.description
protoPayload.metadata.datasetDeletion.reason security_result.description
protoPayload.metadata.device_id target.asset.asset_id
protoPayload.metadata.dryRun security_result.rule_type
protoPayload.metadata.event.eventName.parameter.name[ACTION_ID] security_result.detection_fields[action_id]
protoPayload.metadata.event.eventName.parameter.name[ACTION_TYPE] security_result.action The security_result.action UDM field is set to ALLOW when the following conditions are met:
  • The protoPayload.metadata.event.eventName log field value is equal to ACTION_CANCELLED or ACTION_REQUESTED.
  • The protoPayload.metadata.event.eventName.parameter.name log field value is equal to ACTION_TYPE.
  • The protoPayload.metadata.event.parameter.value log field value is equal to ALLOW_ACCESS or APPROVE.
The security_result.action UDM field is set to BLOCK when the following conditions are met:
  • The protoPayload.metadata.event.eventName log field value is equal to ACTION_CANCELLED or ACTION_REQUESTED.
  • The protoPayload.metadata.event.eventName.parameter.name log field value is equal to ACTION_TYPE.
  • The protoPayload.metadata.event.parameter.value log field value is equal to DISALLOW_ACCESS or BLOCK.
  • If the protoPayload.response.error.errors log field value is not empty.
The security_result.action UDM field is set to ALLOW_WITH_MODIFICATION when the following conditions are met:
  • The protoPayload.metadata.event.eventName log field value is equal to ACTION_CANCELLED or ACTION_REQUESTED.
  • The protoPayload.metadata.event.eventName.parameter.name log field value is equal to ACTION_TYPE.
  • The protoPayload.metadata.event.parameter.value log field value is equal to RESET_PIN or REVOKE_TOKEN.
The security_result.action UDM field is set to QUARANTINE when the following conditions are met:
  • The protoPayload.metadata.event.eventName log field value is equal to ACTION_CANCELLED or ACTION_REQUESTED.
  • The protoPayload.metadata.event.eventName.parameter.name log field value is equal to ACTION_TYPE.
  • The protoPayload.metadata.event.parameter.value log field value is equal to LOCK_DEVICE.
The security_result.action UDM field is set to QUARANTINE when the following conditions are met:
  • The protoPayload.metadata.event.eventName log field value is equal to ACTION_CANCELLED or ACTION_REQUESTED.
  • The protoPayload.metadata.event.eventName.parameter.name log field value is equal to ACTION_TYPE.
  • The protoPayload.metadata.event.parameter.value log field value is equal to ACCOUNT_WIPE or COLLECT_BUGREPORT or DEVICE_WIPE or LOCATE_DEVICE or REMOVE_APP_FROM_DEVICE or REMOVE_IOS_PROFILE or RING_DEVICE or SYNC_DEVICE or UNKNOWN.
protoPayload.metadata.event.eventName.parameter.name[ALERT_NAME] security_result.detection_fields[alert_name]
protoPayload.metadata.event.eventName.parameter.name[ALLOWED_TWO_STEP_VERIFICATION_METHOD] security_result.detection_fields[allowed_two_step_verification_method]
protoPayload.metadata.event.eventName.parameter.name[API_CLIENT_NAME] about.labels[api_client_name] (deprecated)
protoPayload.metadata.event.eventName.parameter.name[API_CLIENT_NAME] additional.fields[api_client_name]
protoPayload.metadata.event.eventName.parameter.name[API_SCOPES] about.labels[api_scopes] (deprecated)
protoPayload.metadata.event.eventName.parameter.name[API_SCOPES] additional.fields[api_scopes]
protoPayload.metadata.event.eventName.parameter.name[APP_ID] target.application If the protoPayload.metadata.event.eventName.parameter.name1 log field value is equal to APP_NAME and the protoPayload.metadata.event.eventName.parameter.name2 log field value is equal to APP_ID, then the protoPayload.metadata.event.eventName.parameter.name2 - protoPayload.metadata.event.eventName.parameter.name1 log field is mapped to the target.application UDM field.
protoPayload.metadata.event.eventName.parameter.name[APP_LICENSES_ORDER_NUMBER] target.asset.labels[app_licenses_order_number]
protoPayload.metadata.event.eventName.parameter.name[APP_NAME] target.application If the protoPayload.metadata.event.eventName.parameter.name1 log field value is equal to APP_NAME and the protoPayload.metadata.event.eventName.parameter.name2 log field value is equal to APP_ID, then the protoPayload.metadata.event.eventName.parameter.name2 - protoPayload.metadata.event.eventName.parameter.name1 log field is mapped to the target.application UDM field.
protoPayload.metadata.event.eventName.parameter.name[APPLICATION_EDITION] target.labels[application_edition] (deprecated)
protoPayload.metadata.event.eventName.parameter.name[APPLICATION_EDITION] additional.fields[application_edition]
protoPayload.metadata.event.eventName.parameter.name[APPLICATION_NAME] target.application
protoPayload.metadata.event.eventName.parameter.name[ASP_ID] target.labels[asp_id] (deprecated)
protoPayload.metadata.event.eventName.parameter.name[ASP_ID] additional.fields[asp_id]
protoPayload.metadata.event.eventName.parameter.name[BEGIN_DATE_TIME] about.labels[begin_date_time] (deprecated)
protoPayload.metadata.event.eventName.parameter.name[BEGIN_DATE_TIME] additional.fields[begin_date_time]
protoPayload.metadata.event.eventName.parameter.name[BIRTHDATE] target.user.attribute.labels[birthdate]
protoPayload.metadata.event.eventName.parameter.name[BULK_UPLOAD_FAIL_USERS_NUMBER] about.labels[bulk_upload_fail_users_number] (deprecated)
protoPayload.metadata.event.eventName.parameter.name[BULK_UPLOAD_FAIL_USERS_NUMBER] additional.fields[bulk_upload_fail_users_number]
protoPayload.metadata.event.eventName.parameter.name[BULK_UPLOAD_TOTAL_USERS_NUMBER] about.labels[bulk_upload_total_users_number] (deprecated)
protoPayload.metadata.event.eventName.parameter.name[BULK_UPLOAD_TOTAL_USERS_NUMBER] additional.fields[bulk_upload_total_users_number]
protoPayload.metadata.event.eventName.parameter.name[CAA_ASSIGNMENTS_NEW] about.labels[caa_assignments_new] (deprecated)
protoPayload.metadata.event.eventName.parameter.name[CAA_ASSIGNMENTS_NEW] additional.fields[caa_assignments_new]
protoPayload.metadata.event.eventName.parameter.name[CAA_ASSIGNMENTS_OLD] about.labels[caa_assignments_old] (deprecated)
protoPayload.metadata.event.eventName.parameter.name[CAA_ASSIGNMENTS_OLD] additional.fields[caa_assignments_old]
protoPayload.metadata.event.eventName.parameter.name[CAA_ENFORCEMENT_ENDPOINTS_NEW] about.labels[caa_enforcement_endpoints_new] (deprecated)
protoPayload.metadata.event.eventName.parameter.name[CAA_ENFORCEMENT_ENDPOINTS_NEW] additional.fields[caa_enforcement_endpoints_new]
protoPayload.metadata.event.eventName.parameter.name[CAA_ENFORCEMENT_ENDPOINTS_OLD] about.labels[caa_enforcement_endpoints_old] (deprecated)
protoPayload.metadata.event.eventName.parameter.name[CAA_ENFORCEMENT_ENDPOINTS_OLD] additional.fields[caa_enforcement_endpoints_old]
protoPayload.metadata.event.eventName.parameter.name[CHROME_LICENSES_ENABLED] about.labels[chrome_licenses_enabled] (deprecated)
protoPayload.metadata.event.eventName.parameter.name[CHROME_LICENSES_ENABLED] additional.fields[chrome_licenses_enabled]
protoPayload.metadata.event.eventName.parameter.name[CHROME_NUM_LICENSES_PURCHASED] target.asset.labels[chrome_num_licenses_purchased]
protoPayload.metadata.event.eventName.parameter.name[CHROME_OS_SESSION_TYPE] target.labels[chrome_os_session_type] (deprecated)
protoPayload.metadata.event.eventName.parameter.name[CHROME_OS_SESSION_TYPE] additional.fields[chrome_os_session_type]
protoPayload.metadata.event.eventName.parameter.name[COMPANY_DEVICE_ID] target.asset.product_object_id
protoPayload.metadata.event.eventName.parameter.name[DESTINATION_USER_EMAIL] target.user.userid
protoPayload.metadata.event.eventName.parameter.name[DEVICE_COMMAND_DETAILS] target.asset.labels[device_command_details]
protoPayload.metadata.event.eventName.parameter.name[DEVICE_ID] target.asset.product_object_id
protoPayload.metadata.event.eventName.parameter.name[DEVICE_NEW_ORG_UNIT] target.labels[device_new_org_unit] (deprecated)
protoPayload.metadata.event.eventName.parameter.name[DEVICE_NEW_ORG_UNIT] additional.fields[device_new_org_unit]
protoPayload.metadata.event.eventName.parameter.name[DEVICE_NEW_STATE] target.asset.attribute.labels[dvc_new_state]
protoPayload.metadata.event.eventName.parameter.name[DEVICE_PREVIOUS_ORG_UNIT] target.labels[device_previous_org_unit] (deprecated)
protoPayload.metadata.event.eventName.parameter.name[DEVICE_PREVIOUS_ORG_UNIT] additional.fields[device_previous_org_unit]
protoPayload.metadata.event.eventName.parameter.name[DEVICE_PREVIOUS_STATE] target.asset.attribute.labels[dvc_previous_state]
protoPayload.metadata.event.eventName.parameter.name[DEVICE_SERIAL_NUMBER] target.asset.hardware.serial_number
protoPayload.metadata.event.eventName.parameter.name[DEVICE_TYPE] target.asset.attribute.labels[dvc_type]
protoPayload.metadata.event.eventName.parameter.name[DIRECTORY_API_ID] target.asset.labels[directory_api_id]
protoPayload.metadata.event.eventName.parameter.name[DOMAIN_ALIAS] target.labels[domain_alias] (deprecated)
protoPayload.metadata.event.eventName.parameter.name[DOMAIN_ALIAS] additional.fields[domain_alias]
protoPayload.metadata.event.eventName.parameter.name[DOMAIN_NAME] target.hostname
protoPayload.metadata.event.eventName.parameter.name[EMAIL_EXPORT_INCLUDE_DELETED] target.labels[email_export_include_deleted] (deprecated)
protoPayload.metadata.event.eventName.parameter.name[EMAIL_EXPORT_INCLUDE_DELETED] additional.fields[email_export_include_deleted]
protoPayload.metadata.event.eventName.parameter.name[EMAIL_EXPORT_PACKAGE_CONTENT] target.labels[email_export_package_content] (deprecated)
protoPayload.metadata.event.eventName.parameter.name[EMAIL_EXPORT_PACKAGE_CONTENT] additional.fields[email_export_package_content]
protoPayload.metadata.event.eventName.parameter.name[EMAIL_LOG_SEARCH_END_DATE] target.labels[email_log_search_end_date] (deprecated)
protoPayload.metadata.event.eventName.parameter.name[EMAIL_LOG_SEARCH_END_DATE] additional.fields[email_log_search_end_date]
protoPayload.metadata.event.eventName.parameter.name[EMAIL_LOG_SEARCH_MSG_ID] network.email.mail_id
protoPayload.metadata.event.eventName.parameter.name[EMAIL_LOG_SEARCH_RECIPIENT] network.email.to
protoPayload.metadata.event.eventName.parameter.name[EMAIL_LOG_SEARCH_SENDER] network.email.from
protoPayload.metadata.event.eventName.parameter.name[EMAIL_LOG_SEARCH_SMTP_RECIPIENT_IP] target.ip
protoPayload.metadata.event.eventName.parameter.name[EMAIL_LOG_SEARCH_SMTP_SENDER_IP] principal.ip
protoPayload.metadata.event.eventName.parameter.name[EMAIL_LOG_SEARCH_START_DATE] target.labels[email_log_search_start_date] (deprecated)
protoPayload.metadata.event.eventName.parameter.name[EMAIL_LOG_SEARCH_START_DATE] additional.fields[email_log_search_start_date]
protoPayload.metadata.event.eventName.parameter.name[EMAIL_MONITOR_DEST_EMAIL] target.user.userid
protoPayload.metadata.event.eventName.parameter.name[EMAIL_MONITOR_LEVEL_CHAT] target.labels[email_monitor_level_chat] (deprecated)
protoPayload.metadata.event.eventName.parameter.name[EMAIL_MONITOR_LEVEL_CHAT] additional.fields[email_monitor_level_chat]
protoPayload.metadata.event.eventName.parameter.name[EMAIL_MONITOR_LEVEL_DRAFT_EMAIL] target.labels[email_monitor_level_draft_email] (deprecated)
protoPayload.metadata.event.eventName.parameter.name[EMAIL_MONITOR_LEVEL_DRAFT_EMAIL] additional.fields[email_monitor_level_draft_email]
protoPayload.metadata.event.eventName.parameter.name[EMAIL_MONITOR_LEVEL_INCOMING_EMAIL] target.labels[email_monitor_level_in_email] (deprecated)
protoPayload.metadata.event.eventName.parameter.name[EMAIL_MONITOR_LEVEL_INCOMING_EMAIL] additional.fields[email_monitor_level_in_email]
protoPayload.metadata.event.eventName.parameter.name[EMAIL_MONITOR_LEVEL_OUTGOING_EMAIL] target.labels[email_monitor_level_out_email] (deprecated)
protoPayload.metadata.event.eventName.parameter.name[EMAIL_MONITOR_LEVEL_OUTGOING_EMAIL] additional.fields[email_monitor_level_out_email]
protoPayload.metadata.event.eventName.parameter.name[END_DATE_TIME] about.labels[end_date_time] (deprecated)
protoPayload.metadata.event.eventName.parameter.name[END_DATE_TIME] additional.fields[end_date_time]
protoPayload.metadata.event.eventName.parameter.name[END_DATE] about.labels[end_date] (deprecated)
protoPayload.metadata.event.eventName.parameter.name[END_DATE] additional.fields[end_date]
protoPayload.metadata.event.eventName.parameter.name[FIELD_NAME] about.labels[field_name] (deprecated)
protoPayload.metadata.event.eventName.parameter.name[FIELD_NAME] additional.fields[field_name]
protoPayload.metadata.event.eventName.parameter.name[FULL_ORG_UNIT_PATH] about.labels[full_org_unit_path] (deprecated)
protoPayload.metadata.event.eventName.parameter.name[FULL_ORG_UNIT_PATH] additional.fields[full_org_unit_path]
protoPayload.metadata.event.eventName.parameter.name[GATEWAY_NAME] intermediary.resource.name
protoPayload.metadata.event.eventName.parameter.name[GMAIL_RESET_REASON] target.labels[email_reset_reason] (deprecated)
protoPayload.metadata.event.eventName.parameter.name[GMAIL_RESET_REASON] additional.fields[email_reset_reason]
protoPayload.metadata.event.eventName.parameter.name[GROUP_EMAIL] target.group.email_addresses
protoPayload.metadata.event.eventName.parameter.name[GROUP_MEMBER_BULK_UPLOAD_FAILED_NUMBER] about.labels[grp_member_bulk_upload_failed] (deprecated)
protoPayload.metadata.event.eventName.parameter.name[GROUP_MEMBER_BULK_UPLOAD_FAILED_NUMBER] additional.fields[grp_member_bulk_upload_failed]
protoPayload.metadata.event.eventName.parameter.name[GROUP_MEMBER_BULK_UPLOAD_TOTAL_NUMBER] about.labels[grp_member_bulk_upload_total] (deprecated)
protoPayload.metadata.event.eventName.parameter.name[GROUP_MEMBER_BULK_UPLOAD_TOTAL_NUMBER] additional.fields[grp_member_bulk_upload_total]
protoPayload.metadata.event.eventName.parameter.name[GROUP_PRIORITIES] target.group.attribute.labels[group_priorities]
protoPayload.metadata.event.eventName.parameter.name[INFO_TYPE] about.labels[info_type] (deprecated)
protoPayload.metadata.event.eventName.parameter.name[INFO_TYPE] additional.fields[info_type]
protoPayload.metadata.event.eventName.parameter.name[is_second_factor] security_result.detection_fields[is_second_factor] If the protoPayload.metadata.event.eventName log field value is equal to login_verification and the protoPayload.metadata.event.eventName.parameter.name log field value is equal to is_second_factor, then the protoPayload.metadata.event.eventName.parameter.value log field is mapped to the security_result.detection_fields.value UDM field.
protoPayload.metadata.event.eventName.parameter.name[is_suspicious] security_result.category If the protoPayload.metadata.event.eventName log field value is equal to login_success, the protoPayload.metadata.event.eventName.parameter.name log field value is equal to is_suspicious, and the protoPayload.metadata.event.eventName.parameter.value log field value is equal to True, then the security_result.category UDM field is set to NETWORK_SUSPICIOUS.
protoPayload.metadata.event.eventName.parameter.name[is_suspicious] security_result.detection_fields[is_suspicious] If the protoPayload.metadata.event.eventName log field value is equal to login_success and the protoPayload.metadata.event.eventName.parameter.name log field value is equal to is_suspicious, then the protoPayload.metadata.event.eventName.parameter.boolValue log field is mapped to the security_result.detection_fields.value UDM field.
protoPayload.metadata.event.eventName.parameter.name[login_challenge_method] extensions.auth.auth_details If the protoPayload.metadata.event.eventName log field value is equal to login_failure, login_verification, login_challenge, or login_success, and the protoPayload.metadata.event.eventName.parameter.name log field value is equal to login_challenge_method, then the protoPayload.metadata.event.eventName.parameter.value log field is mapped to the extensions.auth.auth_details UDM field.
protoPayload.metadata.event.eventName.parameter.name[login_challenge_status] security_result.action The security_result.action UDM field is set to ALLOW when the following conditions are met:
  • The protoPayload.metadata.event.eventName log field value is equal to login_challenge or login_verification.
  • The protoPayload.metadata.event.eventName.parameter.name log field value is equal to login_challenge_status.
  • The protoPayload.metadata.event.parameter.value log field value is equal to Challenge Passed.
The security_result.action UDM field is set to FAIL when the following conditions are met:
  • The protoPayload.metadata.event.eventName log field value is equal to login_challenge or login_verification.
  • The protoPayload.metadata.event.eventName.parameter.name log field value is equal to login_challenge_status.
  • The protoPayload.metadata.event.parameter.value log field value is equal to Challenge Failed.
protoPayload.metadata.event.eventName.parameter.name[login_failure_type] security_result.detection_fields[login_failure_type] If the protoPayload.metadata.event.eventName log field value is equal to login_failure and the protoPayload.metadata.event.eventName.parameter.name log field value is equal to login_failure_type, then the protoPayload.metadata.event.eventName.parameter.value log field is mapped to the security_result.detection_fields.value UDM field.
protoPayload.metadata.event.eventName.parameter.name[login_type] security_result.detection_fields[login_type] If the protoPayload.metadata.event.eventName log field value is equal to login_failure, login_challenge, login_verification, login_success, or logout, and the protoPayload.metadata.event.eventName.parameter.name log field value is equal to login_type, then the protoPayload.metadata.event.eventName.parameter.value log field is mapped to the about.labels.value UDM field.
protoPayload.metadata.event.eventName.parameter.name[MANAGED_CONFIGURATION_NAME] target.asset.attribute.labels[managed_config_name]
protoPayload.metadata.event.eventName.parameter.name[MOBILE_APP_PACKAGE_ID] target.asset.attribute.labels[mobile_app_package_id]
protoPayload.metadata.event.eventName.parameter.name[MOBILE_CERTIFICATE_COMMON_NAME] target.asset.attribute.labels[mobile_certificate_common_name]
protoPayload.metadata.event.eventName.parameter.name[MOBILE_WIRELESS_NETWORK_NAME] target.asset.attribute.labels[mobile_wireless_network_name]
protoPayload.metadata.event.eventName.parameter.name[NEW_PERMISSION_GRANT_STATE] about.labels[new_permission_grant_state] (deprecated)
protoPayload.metadata.event.eventName.parameter.name[NEW_PERMISSION_GRANT_STATE] additional.fields[new_permission_grant_state]
protoPayload.metadata.event.eventName.parameter.name[NEW_VALUE] target.user.first_name If the protoPayload.metadata.event.eventName log field value is equal to FIRST_NAME and the protoPayload.metadata.event.eventName.parameter.name log field value is equal to NEW_VALUE, then the protoPayload.metadata.event.eventName.parameter.value log field is mapped to the target.user.first_name UDM field.
protoPayload.metadata.event.eventName.parameter.name[NEW_VALUE] target.user.last_name If the protoPayload.metadata.event.eventName log field value is equal to LAST_NAME and the protoPayload.metadata.event.eventName.parameter.name log field value is equal to NEW_VALUE, then the protoPayload.metadata.event.eventName.parameter.value log field is mapped to the target.user.last_name UDM field.
protoPayload.metadata.event.eventName.parameter.name[NEW_VALUE] target.user.user_display_name If the protoPayload.metadata.event.eventName log field value is equal to RENAME_USER and the protoPayload.metadata.event.eventName.parameter.name log field value is equal to NEW_VALUE, then the protoPayload.metadata.event.eventName.parameter.value log field is mapped to the target.user.user_display_name UDM field.
protoPayload.metadata.event.eventName.parameter.name[NEW_VALUE] target.labels[new_value] (deprecated)
protoPayload.metadata.event.eventName.parameter.name[NEW_VALUE] additional.fields[new_value]
protoPayload.metadata.event.eventName.parameter.name[NUMBER_OF_COMPANY_OWNED_DEVICES] about.labels[num_of_company_owned_device] (deprecated)
protoPayload.metadata.event.eventName.parameter.name[NUMBER_OF_COMPANY_OWNED_DEVICES] additional.fields[num_of_company_owned_device]
protoPayload.metadata.event.eventName.parameter.name[OAUTH2_APP_ID] target.application If the protoPayload.metadata.event.eventName.parameter.name1 log field value is equal to OAUTH2_APP_NAME and the protoPayload.metadata.event.eventName.parameter.name2 log field value is equal to OAUTH2_APP_ID, then the protoPayload.metadata.event.eventName.parameter.name2 - protoPayload.metadata.event.eventName.parameter.name1 log field is mapped to the target.application UDM field.
protoPayload.metadata.event.eventName.parameter.name[OAUTH2_APP_NAME] target.application If the protoPayload.metadata.event.eventName.parameter.name1 log field value is equal to OAUTH2_APP_NAME and the protoPayload.metadata.event.eventName.parameter.name2 log field value is equal to OAUTH2_APP_ID, then the protoPayload.metadata.event.eventName.parameter.name2 - protoPayload.metadata.event.eventName.parameter.name1 log field is mapped to the target.application UDM field.
protoPayload.metadata.event.eventName.parameter.name[OAUTH2_APP_TYPE] target.labels[oauth2_app_type] (deprecated)
protoPayload.metadata.event.eventName.parameter.name[OAUTH2_APP_TYPE] additional.fields[oauth2_app_type]
protoPayload.metadata.event.eventName.parameter.name[OAUTH2_SERVICE_NAME] target.application
protoPayload.metadata.event.eventName.parameter.name[OLD_PERMISSION_GRANT_STATE] about.labels[old_permission_grant_state] (deprecated)
protoPayload.metadata.event.eventName.parameter.name[OLD_PERMISSION_GRANT_STATE] additional.fields[old_permission_grant_state]
protoPayload.metadata.event.eventName.parameter.name[OLD_VALUE] target.labels[old_value] (deprecated)
protoPayload.metadata.event.eventName.parameter.name[OLD_VALUE] additional.fields[old_value]
protoPayload.metadata.event.eventName.parameter.name[ORG_UNIT_NAME] network.organization_name
protoPayload.metadata.event.eventName.parameter.name[PERMISSION_GROUP_NAME] target.group.attribute.permissions.name
protoPayload.metadata.event.eventName.parameter.name[PLAY_FOR_WORK_MDM_VENDOR_NAME] target.asset.attribute.labels[play_for_work_mdm_vendor_name]
protoPayload.metadata.event.eventName.parameter.name[PLAY_FOR_WORK_TOKEN_ID] target.asset.attribute.labels[play_for_work_token_id]
protoPayload.metadata.event.eventName.parameter.name[PRINT_SERVER_NAME] target.asset.hostname
protoPayload.metadata.event.eventName.parameter.name[PRINTER_NAME] target.asset.hostname
protoPayload.metadata.event.eventName.parameter.name[PRIVILEGE_NAME] target.user.attribute.labels[privilege_name]
protoPayload.metadata.event.eventName.parameter.name[PRODUCT_NAME] metadata.product_name If the protoPayload.serviceName log field value matches the regular expression (compute.googleapis.com), then the metadata.product_name UDM field is set to Google Compute Engine.

If the protoPayload.serviceName log field value matches the regular expression (bigquery.googleapis.com), then the metadata.product_name UDM field is set to BigQuery.

If the protoPayload.serviceName log field value matches the regular expression (admin.googleapis.com or login.googleapis.com or cloudidentity.googleapis.com), then the metadata.product_name UDM field is set to G Suite.

If the protoPayload.serviceName log field value matches the regular expression (k8s.io), then the metadata.product_name UDM field is set to Google Kubernetes Engine.

If the protoPayload.serviceName log field value matches the regular expression (servicemanagement.googleapis.com), then the metadata.product_name UDM field is set to Google Service Management.

If the protoPayload.serviceName log field value matches the regular expression (storage.googleapis.com), then the metadata.product_name UDM field is set to Google Cloud Storage.

If the protoPayload.serviceName log field value matches the regular expression (cloudsql.googleapis.com), then the metadata.product_name UDM field is set to Google Cloud SQL.

If the protoPayload.serviceName log field value matches the regular expression (dataproc.googleapis.com), then the metadata.product_name UDM field is set to Google Dataproc.

If the protoPayload.serviceName log field value matches the regular expression (iam.googleapis.com), then the metadata.product_name UDM field is set to Google Cloud IAM.

If the protoPayload.serviceName log field value matches the regular expression (accesscontextmanager.googleapis.com), then the metadata.product_name UDM field is set to Context Manager API.
protoPayload.metadata.event.eventName.parameter.name[QUARANTINE_NAME] security_result.detection_fields[quarantine_name]
protoPayload.metadata.event.eventName.parameter.name[REAUTH_APPLICATION, SITE_NAME] target.application
protoPayload.metadata.event.eventName.parameter.name[REAUTH_SETTING_NEW] about.labels[reauth_setting_new] (deprecated)
protoPayload.metadata.event.eventName.parameter.name[REAUTH_SETTING_NEW] additional.fields[reauth_setting_new]
protoPayload.metadata.event.eventName.parameter.name[REAUTH_SETTING_OLD] about.labels[reauth_setting_old] (deprecated)
protoPayload.metadata.event.eventName.parameter.name[REAUTH_SETTING_OLD] additional.fields[reauth_setting_old]
protoPayload.metadata.event.eventName.parameter.name[REQUEST_ID] target.labels[request_id] (deprecated)
protoPayload.metadata.event.eventName.parameter.name[REQUEST_ID] additional.fields[request_id]
protoPayload.metadata.event.eventName.parameter.name[RESOURCE_IDENTIFIER] target.resource.product_object_id
protoPayload.metadata.event.eventName.parameter.name[ROLE_ID] target.user.attribute.roles.description If the protoPayload.metadata.event.eventName.parameter.name log field value is equal to ROLE_ID, then the Role_ID - protoPayload.metadata.event.eventName.parameter.value log field is mapped to the target.user.attribute.roles.description UDM field.
protoPayload.metadata.event.eventName.parameter.name[ROLE_NAME] target.user.attribute.roles.name
protoPayload.metadata.event.eventName.parameter.name[SEARCH_QUERY_FOR_DUMP] about.labels[search_query_for_dump] (deprecated)
protoPayload.metadata.event.eventName.parameter.name[SEARCH_QUERY_FOR_DUMP] additional.fields[search_query_for_dump]
protoPayload.metadata.event.eventName.parameter.name[SECONDARY_DOMAIN_NAME] target.labels[secondary_domain_name] (deprecated)
protoPayload.metadata.event.eventName.parameter.name[SECONDARY_DOMAIN_NAME] additional.fields[secondary_domain_name]
protoPayload.metadata.event.eventName.parameter.name[SERVICE_NAME] target.application
protoPayload.metadata.event.eventName.parameter.name[SETTING_DESCRIPTION] metadata.description
protoPayload.metadata.event.eventName.parameter.name[SETTING_NAME] target.labels[setting_name] (deprecated)
protoPayload.metadata.event.eventName.parameter.name[SETTING_NAME] additional.fields[setting_name]
protoPayload.metadata.event.eventName.parameter.name[SHARED_DRIVE_ID] target.resource.product_object_id
protoPayload.metadata.event.eventName.parameter.name[SITE_LOCATION] target.file.full_path
protoPayload.metadata.event.eventName.parameter.name[SKU_NAME] target.asset.attribute.labels[sku_name]
protoPayload.metadata.event.eventName.parameter.name[START_DATE] about.labels[start_date] (deprecated)
protoPayload.metadata.event.eventName.parameter.name[START_DATE] additional.fields[start_date]
protoPayload.metadata.event.eventName.parameter.name[USER_CUSTOM_FIELD] target.labels[user_custom_field] (deprecated)
protoPayload.metadata.event.eventName.parameter.name[USER_CUSTOM_FIELD] additional.fields[user_custom_field]
protoPayload.metadata.event.eventName.parameter.name[USER_DEFINED_SETTING_NAME] target.labels[user_defined_setting_name] (deprecated)
protoPayload.metadata.event.eventName.parameter.name[USER_DEFINED_SETTING_NAME] additional.fields[user_defined_setting_name]
protoPayload.metadata.event.eventName.parameter.name[USER_EMAIL] target.user.userid If the protoPayload.metadata.event.eventName log field value is equal to CREATE_EMAIL_MONITOR or CREATE_DATA_TRANSFER_REQUEST and the protoPayload.metadata.event.eventName.parameter.name log field value is equal to USER_EMAIL, then the protoPayload.metadata.event.eventName.parameter.value log field is mapped to the principal.user.userid UDM field.

Else, if the protoPayload.metadata.event.eventName.parameter.name log field value is equal to USER_EMAIL, then the protoPayload.metadata.event.eventName.parameter.value log field is mapped to the target.user.userid UDM field.
protoPayload.metadata.event.eventName.parameter.name[USER_NICKNAME] target.user.attribute.labels[user_nickname]
protoPayload.metadata.event.eventName.parameter.name[WEB_ADDRESS] target.url
protoPayload.metadata.event.eventName.parameter.name[WEB_ORIGIN] target.labels[web_origin] (deprecated)
protoPayload.metadata.event.eventName.parameter.name[WEB_ORIGIN] additional.fields[web_origin]
protoPayload.metadata.event.eventName.parameter.name[WHITELISTED_GROUPS] target.labels[whitelisted_groups] (deprecated)
protoPayload.metadata.event.eventName.parameter.name[WHITELISTED_GROUPS] additional.fields[whitelisted_groups]
protoPayload.metadata.event.eventName.parameter.value principal.user.userid If the protoPayload.metadata.event.eventName log field value is equal to CREATE_EMAIL_MONITOR or CREATE_DATA_TRANSFER_REQUEST:
  • If the protoPayload.metadata.event.eventName.parameter.name log field value is equal to USER_EMAIL, then userid is extracted from the protoPayload.metadata.event.eventName.parameter.value log field using a Grok pattern, and mapped to the principal.user.userid UDM field.
protoPayload.metadata.event.eventName.parameter.value principal.user.email_addresses The protoPayload.metadata.event.eventName.parameter.value log field is mapped to the principal.user.email_addresses UDM field when the following conditions are met:
  • The protoPayload.metadata.event.eventName log field value is equal to CREATE_EMAIL_MONITOR or CREATE_DATA_TRANSFER_REQUEST.
  • The protoPayload.metadata.event.eventName.parameter.name log field value is equal to USER_EMAIL.
  • The protoPayload.metadata.event.eventName.parameter.name log field value matches the regular expression .@.
protoPayload.metadata.event.eventName.parameter.value target.user.email_addresses If the protoPayload.metadata.event.eventName.parameter.value log field value is not empty and the protoPayload.metadata.event.eventName log field value is equal to USER_EMAIL or EMAIL_MONITOR_DEST_EMAIL or DESTINATION_USER_EMAIL, then the protoPayload.metadata.event.eventName.parameter.value log field is mapped to the target.user.email_addresses UDM field.
    protoPayload.metadata.event.parameter.label additional.fields[event_param_label]
    protoPayload.metadata.event.parameter.type additional.fields[event_param_type]
    protoPayload.metadata.event.parameter[].label about.labels[event_param_label] (deprecated)
    protoPayload.metadata.event.parameter[].type about.labels[event_param_type] (deprecated)
    protoPayload.metadata.groupDelta.action target.group.attribute.labels[metadata_group_delta_action]
    protoPayload.metadata.groupDelta.newGroup.description target.group.attribute.labels[metadata_group_delta_new_group_description]
    protoPayload.metadata.groupDelta.newGroup.email target.group.email_addresses
    protoPayload.metadata.groupDelta.newGroup.name target.group.group_display_name
    protoPayload.metadata.iapEnabled target.resource.attribute.labels [iapEnabled]
    protoPayload.metadata.ingressViolations.servicePerimeter security_result.detection_fields[protoPayload_metadata_ingressViolations_serviceParameter]
    protoPayload.metadata.ingressViolations.source security_result.detection_fields[protoPayload_metadata_ingressViolations_source]
    protoPayload.metadata.ingressViolations.sourceType security_result.detection_fields[protoPayload_metadata_ingressViolations_sourceType]
    protoPayload.metadata.ingressViolations.targetResource security_result.detection_fields[protoPayload_metadata_ingressViolations_targetResource]
    protoPayload.metadata.instanceMetadataDelta.addedMetadataKeys metadata.ingestion_labels [instance_metadata_key_added]
    protoPayload.metadata.instanceMetadataDelta.deletedMetadataKeys metadata.ingestion_labels [instance_metadata_key_deletion]
    protoPayload.metadata.instanceMetadataDelta.modifiedMetadataKeys metadata.ingestion_labels [instance_metadata_key_modification]
    protoPayload.metadata.jobChange.after target.resource_ancestors.attribute.labels[jobchange_after]
    protoPayload.metadata.jobChange.before target.resource_ancestors.attribute.labels[jobchange_before]
    protoPayload.metadata.jobChange.job.jobConfig.extractConfig.destinationUris target.resource_ancestors.attribute.labels[jobchange_jobconfig_extractconfig_destinationuris]
    protoPayload.metadata.jobChange.job.jobConfig.extractConfig.sourceTable target.resource_ancestors.attribute.labels[jobchange_jobconfig_extractconfig_sourcetable]
    protoPayload.metadata.jobChange.job.jobConfig.labels.looker_studio_datasource_id target.resource.attribute.labels[job_change_looker_studio_datasource_id]
    protoPayload.metadata.jobChange.job.jobConfig.labels.looker_studio_report_id target.resource.attribute.labels[job_change_looker_studio_report_id]
    protoPayload.metadata.jobChange.job.jobConfig.labels.requestor target.resource.attribute.labels[job_change_requestor]
    protoPayload.metadata.jobChange.job.jobConfig.queryConfig.createDisposition target.resource_ancestors.attribute.labels[jobchange_jobconfig_queryconfig_createdisposition]
    protoPayload.metadata.jobChange.job.jobConfig.queryConfig.destinationTable target.resource_ancestors.attribute.labels[jobchange_jobconfig_queryconfig_destinationtable]
    protoPayload.metadata.jobChange.job.jobConfig.queryConfig.priority target.resource_ancestors.attribute.labels[jobchange_jobconfig_queryconfig_priority]
    protoPayload.metadata.jobChange.job.jobConfig.queryConfig.query target.process.command_line
    protoPayload.metadata.jobChange.job.jobConfig.queryConfig.query target.resource_ancestors.attribute.labels[jobchange_jobconfig_queryconfig_query]
    protoPayload.metadata.jobChange.job.jobConfig.queryConfig.writeDisposition target.resource_ancestors.attribute.labels[jobchange_jobconfig_queryconfig_writedisposition]
    protoPayload.metadata.jobChange.job.jobConfig.tableCopyConfig.createDisposition target.resource_ancestors.attribute.labels[jobchange_jobconfig_tablecopyconfig_createdisposition]
    protoPayload.metadata.jobChange.job.jobConfig.tableCopyConfig.destinationTable target.resource_ancestors.attribute.labels[jobchange_jobconfig_tablecopyconfig_destinationtable]
    protoPayload.metadata.jobChange.job.jobConfig.tableCopyConfig.operationType target.resource_ancestors.attribute.labels[jobchange_jobconfig_tablecopyconfig_operationtype]
    protoPayload.metadata.jobChange.job.jobConfig.tableCopyConfig.sourceTables target.resource_ancestors.attribute.labels[jobchange_jobconfig_tablecopyconfig_sourcetables]
    protoPayload.metadata.jobChange.job.jobConfig.tableCopyConfig.writeDisposition target.resource_ancestors.attribute.labels[jobchange_jobconfig_tablecopyconfig_writedisposition]
    protoPayload.metadata.jobChange.job.jobConfig.type target.resource_ancestors.attribute.labels[jobchange_jobconfig_type]
    protoPayload.metadata.jobChange.job.jobConfig.type target.resource.attribute.labels[job_type]
    protoPayload.metadata.jobChange.job.jobName target.resource_ancestors.name
    protoPayload.metadata.jobChange.job.jobStats.createTime target.resource_ancestors.attribute.creation_time
    protoPayload.metadata.jobChange.job.jobStats.endTime target.resource_ancestors.attribute.labels[jobchange_jobstats_endtime]
    protoPayload.metadata.jobChange.job.jobStats.queryStats target.resource_ancestors.attribute.labels[jobchange_jobstats_querystats]
    protoPayload.metadata.jobChange.job.jobStats.reservation target.resource_ancestors.attribute.labels[jobchange_jobstats_reservation]
    protoPayload.metadata.jobChange.job.jobStats.startTime target.resource_ancestors.attribute.labels[jobchange_jobstats_starttime]
    protoPayload.metadata.jobChange.job.jobStatus.errorResult.code security_result.detection_fields[jobchange_jobstatus_errorresult_code]
    protoPayload.metadata.jobChange.job.jobStatus.errorResult.message security_result.detection_fields[jobchange_jobstatus_errorresult_message]
    protoPayload.metadata.jobChange.job.jobStatus.errors.code security_result.detection_fields[jobchange_jobstatus_errors_code]
    protoPayload.metadata.jobChange.job.jobStatus.errors.message security_result.detection_fields[jobchange_jobstatus_errors_message]
    protoPayload.metadata.jobChange.job.jobStatus.jobState target.resource_ancestors.attribute.labels[jobstatus_jobstate]
    protoPayload.metadata.jobInsertion.job.jobConfig.extractConfig.destinationUris target.resource_ancestors.attribute.labels[jobinsertion_jobconfig_extractconfig_destinationuris]
    protoPayload.metadata.jobInsertion.job.jobConfig.extractConfig.destinationUris[] target.resource.attribute.labels[destination_uris]
    protoPayload.metadata.jobInsertion.job.jobConfig.extractConfig.sourceTable target.resource_ancestors.attribute.labels[jobinsertion_jobconfig_extractconfig_sourcetable]
    protoPayload.metadata.jobInsertion.job.jobConfig.labels.looker_studio_datasource_id target.resource.attribute.labels[job_insertion_looker_studio_datasource_id] If the protoPayload.serviceName log field value is equal to privilegedaccessmanager.googleapis.com, then the protoPayload.metadata.jobInsertion.job.jobConfig.labels.looker_studio_datasource_id log field is mapped to the target.resource.attribute.labels UDM field.
    protoPayload.metadata.jobInsertion.job.jobConfig.labels.looker_studio_report_id target.resource.attribute.labels[job_insertion_looker_studio_report_id] If the protoPayload.serviceName log field value is equal to privilegedaccessmanager.googleapis.com, then the protoPayload.metadata.jobInsertion.job.jobConfig.labels.looker_studio_report_id log field is mapped to the target.resource.attribute.labels UDM field.
    protoPayload.metadata.jobInsertion.job.jobConfig.labels.requestor target.resource.attribute.labels[job_insertion_requestor] If the protoPayload.serviceName log field value is equal to privilegedaccessmanager.googleapis.com, then the protoPayload.metadata.jobInsertion.job.jobConfig.labels.requestor log field is mapped to the target.resource.attribute.labels UDM field.
    protoPayload.metadata.jobInsertion.job.jobConfig.queryConfig.createDisposition target.resource_ancestors.attribute.labels[jobinsertion_jobconfig_queryconfig_createdisposition]
    protoPayload.metadata.jobInsertion.job.jobConfig.queryConfig.destinationTable target.resource_ancestors.attribute.labels[jobinsertion_jobconfig_queryconfig_destinationtable]
    protoPayload.metadata.jobInsertion.job.jobConfig.queryConfig.priority target.resource_ancestors.attribute.labels[jobinsertion_jobconfig_queryconfig_priority]
    protoPayload.metadata.jobInsertion.job.jobConfig.queryConfig.query additional.fields[job_insertion_query_org_id_{index}] If the protoPayload.metadata.jobInsertion.job.jobConfig.queryConfig.query log field value is not empty, then org_ids are extracted from the protoPayload.metadata.jobInsertion.job.jobConfig.queryConfig.query log field using a Grok pattern, and mapped to the additional.fields.job_insertion_query_org_id_{index} UDM field.
    protoPayload.metadata.jobInsertion.job.jobConfig.queryConfig.query target.process.command_line
    protoPayload.metadata.jobInsertion.job.jobConfig.queryConfig.query target.resource_ancestors.attribute.labels[jobinsertion_jobconfig_queryconfig_query]
    protoPayload.metadata.jobInsertion.job.jobConfig.queryConfig.statementType target.resource.attribute.labels[job_insertion_job_job_config_query_config_statement_type]
    protoPayload.metadata.jobInsertion.job.jobConfig.queryConfig.writeDisposition target.resource_ancestors.attribute.labels[jobinsertion_jobconfig_queryconfig_writedisposition]
    protoPayload.metadata.jobInsertion.job.jobConfig.tableCopyConfig.createDisposition target.resource_ancestors.attribute.labels[jobinsertion_jobconfig_tablecopyconfig_createdisposition]
    protoPayload.metadata.jobInsertion.job.jobConfig.tableCopyConfig.destinationTable target.resource_ancestors.attribute.labels[jobinsertion_jobconfig_tablecopyconfig_destinationtable]
    protoPayload.metadata.jobInsertion.job.jobConfig.tableCopyConfig.operationType target.resource_ancestors.attribute.labels[jobinsertion_jobconfig_tablecopyconfig_operationtype]
    protoPayload.metadata.jobInsertion.job.jobConfig.tableCopyConfig.sourceTables target.resource_ancestors.attribute.labels[jobinsertion_jobconfig_tablecopyconfig_sourcetables]
    protoPayload.metadata.jobInsertion.job.jobConfig.tableCopyConfig.writeDisposition target.resource_ancestors.attribute.labels[jobinsertion_jobconfig_tablecopyconfig_writedisposition]
    protoPayload.metadata.jobInsertion.job.jobConfig.type target.resource_ancestors.attribute.labels[jobinsertion_jobconfig_type]
    protoPayload.metadata.jobInsertion.job.jobName target.resource_ancestors.name
    protoPayload.metadata.jobInsertion.job.jobStats.createTime target.resource_ancestors.attribute.creation_time
    protoPayload.metadata.jobInsertion.job.jobStats.endTime target.resource_ancestors.attribute.labels[jobinsertion_jobstats_endtime]
    protoPayload.metadata.jobInsertion.job.jobStats.queryStats target.resource_ancestors.attribute.labels[jobinsertion_jobstats_querystats]
    protoPayload.metadata.jobInsertion.job.jobStats.reservation target.resource_ancestors.attribute.labels[jobinsertion_jobstats_reservation]
    protoPayload.metadata.jobInsertion.job.jobStats.startTime target.resource_ancestors.attribute.labels[jobinsertion_jobstats_starttime]
    protoPayload.metadata.jobInsertion.job.jobStatus.errorResult.code security_result.detection_fields[jobinsertion_jobstatus_errorresult_code]
    protoPayload.metadata.jobInsertion.job.jobStatus.errorResult.message security_result.detection_fields[jobinsertion_jobstatus_errorresult_message]
    protoPayload.metadata.jobInsertion.job.jobStatus.errors.code security_result.detection_fields[jobinsertion_jobstatus_errors_code]
    protoPayload.metadata.jobInsertion.job.jobStatus.errors.message security_result.detection_fields[jobinsertion_jobstatus_errors_message]
    protoPayload.metadata.jobInsertion.job.jobStatus.jobState target.resource_ancestors.attribute.labels[jobinsertion_jobstatus_jobstate]
    protoPayload.metadata.jobInsertion.job.jobStatus.jobState target.resource.attribute.labels[job_insertion_job_job_status_job_state]
    protoPayload.metadata.jobInsertion.reason target.resource_ancestors.attribute.labels[jobinsertion_reason]
    protoPayload.metadata.jobInsertion.reason target.resource.attribute.labels[job_insertion_reason]
    protoPayload.metadata.membershipDelta.member target.resource.attribute.labels[membership_delta_member]
    protoPayload.metadata.membershipDelta.roleDeltas.action target.resource.attribute.labels[membership_role_deltas_action]
    protoPayload.metadata.membershipDelta.roleDeltas.role target.resource.attribute.labels[membership_role_deltas_role]
    protoPayload.metadata.oauth_client_id target.resource.attribute.labels [oauth_client_id]
    protoPayload.metadata.projectMetadataDelta.addedMetadataKeys metadata.ingestion_labels [AddedMetadataKeys]
    protoPayload.metadata.projectMetadataDelta.deletedMetadataKeys metadata.ingestion_labels [DeletedMetadataKeys]
    protoPayload.metadata.projectMetadataDelta.modifiedMetadataKeys metadata.ingestion_labels [ModifiedMetadataKeys]
    protoPayload.metadata.request_id network.community_id
    protoPayload.metadata.securityPolicyInfo.organizationId security_result.detection_fields [securityPolicyInfo.organizationId]
    protoPayload.metadata.tableChange.bindingDeltas.action target.resource.attribute.labels[table_change_binding_deltas_action]
    protoPayload.metadata.tableChange.bindingDeltas.member target.resource.attribute.labels[table_change_binding_deltas_member]
    protoPayload.metadata.tableChange.bindingDeltas.role target.resource.attribute.labels[table_change_binding_deltas_role]
    protoPayload.metadata.tableChange.jobName target.process.pid
    protoPayload.metadata.tableChange.reason security_result.description
    protoPayload.metadata.tableChange.table.createTime target.resource.attribute.creation_time
    protoPayload.metadata.tableChange.table.policy.bindings.members target.resource.attribute.labels[table_change_table_policy_bindings_{index}_members_{index1}]
    protoPayload.metadata.tableChange.table.policy.bindings.role target.resource.attribute.labels[table_change_table_policy_bindings_{index}_role]
    protoPayload.metadata.tableChange.table.policy.etag target.resource.attribute.labels[table_change_table_policy_etag]
    protoPayload.metadata.tableChange.table.tableName target.resource.name
    protoPayload.metadata.tableChange.table.tableName target.resource.attribute.labels[metadata_changedTable_name]
    protoPayload.metadata.tableChange.table.updateTime target.resource.attribute.last_update_time
    protoPayload.metadata.tableCreation.jobName target.process.pid
    protoPayload.metadata.tableCreation.reason security_result.description
    protoPayload.metadata.tableCreation.table.createTime target.resource.attribute.creation_time
    protoPayload.metadata.tableCreation.table.expireTime target.resource.attribute.labels[metadata_creationTable_expire_time]
    protoPayload.metadata.tableCreation.table.schemaJSON target.resource.attributes.labels[table_schemaJson]
    protoPayload.metadata.tableCreation.table.tableName target.resource.name
    protoPayload.metadata.tableCreation.table.updateTime target.resource.attribute.last_update_time
    protoPayload.metadata.tableCreation.table.view.query target.process.command_line
    protoPayload.metadata.tableDataRead.fields target.resource.attribute.labels[data_read_fields]
    protoPayload.metadata.tableDeletion.reason security_result.description
    protoPayload.metadata.unsatisfied_access_levels target.resource.attribute.labels [unsatisfied_access_levels]
    protoPayload.metadata.updatedGrant.justification.unstructuredJustification target.resource.attribute.labels[justification] If the protoPayload.serviceName log field value is equal to privilegedaccessmanager.googleapis.com, then the protoPayload.metadata.updatedGrant.justification.unstructuredJustification log field is mapped to the target.resource.attribute.labels UDM field.
    protoPayload.metadata.updatedGrant.privilegedAccess.gcpIamAccess.resource target.resource.attribute.labels[resource] If the protoPayload.serviceName log field value is equal to privilegedaccessmanager.googleapis.com, then the protoPayload.metadata.updatedGrant.privilegedAccess.gcpIamAccess.resource log field is mapped to the target.resource.attribute.labels UDM field.
    protoPayload.metadata.updatedGrant.privilegedAccess.gcpIamAccess.resourceType target.resource.attribute.labels[resourceType] If the protoPayload.serviceName log field value is equal to privilegedaccessmanager.googleapis.com, then the protoPayload.metadata.updatedGrant.privilegedAccess.gcpIamAccess.resourceType log field is mapped to the target.resource.attribute.labels UDM field.
    protoPayload.metadata.updatedGrant.privilegedAccess.gcpIamAccess.roleBindings.role target.resource.attribute.roles.name If the protoPayload.serviceName log field value is equal to privilegedaccessmanager.googleapis.com, then the protoPayload.metadata.updatedGrant.privilegedAccess.gcpIamAccess.roleBindings.role log field is mapped to the target.resource.attribute.roles.name UDM field.
    protoPayload.metadata.updatedGrant.requestedDuration target.resource.attribute.labels[requestedDuration] If the protoPayload.serviceName log field value is equal to privilegedaccessmanager.googleapis.com, then the protoPayload.metadata.updatedGrant.requestedDuration log field is mapped to the target.resource.attribute.labels UDM field.
    protoPayload.metadata.updatedGrant.requester principal.user.userid If the protoPayload.serviceName log field value is equal to privilegedaccessmanager.googleapis.com, then the protoPayload.metadata.updatedGrant.requester log field is mapped to the principal.user.userid UDM field.
    protoPayload.metadata.updatedGrant.state target.resource.attribute.labels[state] If the protoPayload.serviceName log field value is equal to privilegedaccessmanager.googleapis.com, then the protoPayload.metadata.updatedGrant.state log field is mapped to the target.resource.attribute.labels UDM field.
    protoPayload.metadata.violationReason security_result.rule_name
    protoPayload.metadata.vpcServiceControlsUniqueId security_result.rule_id
    protoPayload.methodName metadata.product_event_type
    protoPayload.numResponseItems about.labels[num_response_items] (deprecated)
    protoPayload.numResponseItems additional.fields[num_response_items]
    protoPayload.policyViolationInfo.orgPolicyViolationInfo.resourceTags security_result.detection_fields[policy_violation_resource_tags]
    protoPayload.policyViolationInfo.orgPolicyViolationInfo.resourceType security_result.detection_fields[policy_violation_resource_type]
    protoPayload.policyViolationInfo.orgPolicyViolationInfo.violationInfo.checkedValue security_result.detection_fields[policy_violation_checked_value]
    protoPayload.policyViolationInfo.orgPolicyViolationInfo.violationInfo.constraint security_result.detection_fields[policy_violation_constraint]
    protoPayload.policyViolationInfo.orgPolicyViolationInfo.violationInfo.errorMessage security_result.description
    protoPayload.policyViolationInfo.orgPolicyViolationInfo.violationInfo.policyType security_result.rule_type
    protoPayload.redactions.reason principal.labels [protoPayload.redactions.field] (deprecated)
    protoPayload.redactions.reason additional.fields[protoPayload.redactions.field]
    protoPayload.redactions.type principal.labels [protoPayload.redactions.field] (deprecated)
    protoPayload.redactions.type additional.fields[protoPayload.redactions.field]
    protoPayload.request.@type target.resource.attribute.labels [request_type]
    protoPayload.request.accessLevel.title target.resource.name
    protoPayload.request.account_id target.resource.product_object_id
    protoPayload.request.alloweds.IPProtocol network.ip_protocol
    protoPayload.request.alloweds.ports additional.fields[req_alloweds_ports]
    protoPayload.request.alloweds[].ports about.labels[req_alloweds_ports] (deprecated)
    protoPayload.request.alloweds[].ports security_result.detection_fields[req_alloweds_ports]
    protoPayload.request.apiVersion target.resource.attribute.labels [request apiVersion]
    protoPayload.request.auditId target.resource.attribute.labels [audit_id]
    protoPayload.request.autoscalingPolicy.coolDownPeriodSec target.resource.attribute.labels [cool_down_period]
    protoPayload.request.autoscalingPolicy.cpuUtilization.predictiveMethod target.resource.attribute.labels [predictive_method]
    protoPayload.request.autoscalingPolicy.cpuUtilization.utilizationTarget target.resource.attribute.labels [utilization_target]
    protoPayload.request.autoscalingPolicy.maxNumReplicas target.resource.attribute.labels [max_replicas]
    protoPayload.request.autoscalingPolicy.minNumReplicas target.resource.attribute.labels [min_replicas]
    protoPayload.request.autoscalingPolicy.mode target.resource.attribute.labels [autoscaling_policy_mode]
    protoPayload.request.baselineQuery target.resource.attribute.labels[baseline_query]
    protoPayload.request.baselineTimeRange.endTime target.resource.attribute.labels[baseline_time_range_end_time]
    protoPayload.request.baselineTimeRange.startTime target.resource.attribute.labels[baseline_time_range_start_time]
    protoPayload.request.bindings.members target.resource.attribute.labels[request_bindings_{index}_members_{index1}]
    protoPayload.request.bindings.members[] security_result.detection_fields[members]
    protoPayload.request.bindings.role principal.user.attribute.roles.name
    protoPayload.request.bindings.role target.resource.attribute.labels[request_bindings_{index}_role]
    protoPayload.request.body.databaseVersion target.resource.attribute.labels[req_body_dbVersion]
    protoPayload.request.body.instanceUid target.resource_ancestors.product_object_id
    protoPayload.request.body.name about.labels[req_body_name] (deprecated)
    protoPayload.request.body.name additional.fields[req_body_name]
    protoPayload.request.body.region target.location.country_or_region
    protoPayload.request.body.settings.activationPolicy security_result.rule_name
    protoPayload.request.body.settings.activityPolicy about.labels[req_body_settings_activity_policy] (deprecated)
    protoPayload.request.body.settings.activityPolicy additional.fields[req_body_settings_activity_policy]
    protoPayload.request.body.settings.availabilityType target.resource.attributes.labels[resource_avaibilitytype]
    protoPayload.request.body.settings.backupConfiguration.backupRetentionSettings.retainedBackups target.resource.attribute.labels[backup_config_retention_settings_retained_backups]
    protoPayload.request.body.settings.backupConfiguration.backupRetentionSettings.retentionUnit target.resource.attribute.labels[backup_config_retention_settings_unit]
    protoPayload.request.body.settings.backupConfiguration.binaryLogEnabled target.resource.attribute.labels[backup_config_binarylog_enabled]
    protoPayload.request.body.settings.backupConfiguration.enabled target.resource.attribute.labels[backup_config_enabled]
    protoPayload.request.body.settings.backupConfiguration.pointInTimeRecoveryEnabled target.resource.attribute.labels[backup_config_point_in_time_recovery_enabled]
    protoPayload.request.body.settings.backupConfiguration.startTime target.resource.attribute.labels[backup_config_start_time]
    protoPayload.request.body.settings.backupConfiguration.transactionLogRetentionDays target.resource.attribute.labels[backup_config_logRetention_days]
    protoPayload.request.body.settings.dataDiskSizeGb target.resource.attribute.labels[data_disk_size_gb]
    protoPayload.request.body.settings.dataDiskType target.resource.attribute.labels[data_disk_type]
    protoPayload.request.body.settings.ipConfiguration.authorizedNetworks.value security_result.detection_fields [protoPayload.request.body.settings.ipConfiguration.authorizedNetworks.kind]
    protoPayload.request.body.settings.ipConfiguration.ipv4Enabled target.resource.attribute.labels[ip_config_ipv4_enabled]
    protoPayload.request.body.settings.ipconfiguration.privatNetwork target.resource.attribute.labels[ip_config_private_network]
    protoPayload.request.body.settings.ipconfiguration.requireSsl target.resource.attribute.labels[ip_config_require_ssl]
    protoPayload.request.body.settings.locationPreference.zone target.resource.attribute.cloud.availability_zone
    protoPayload.request.body.settings.pricingPlan target.resource.attribute.labels[pricing_plan]
    protoPayload.request.body.settings.storageAutoResize target.resource.attribute.labels[storage_auto_resize]
    protoPayload.request.body.settings.tier target.resource.attribute.labels[tier]
    protoPayload.request.canIpForward target.resource.attribute.labels[can_ip_forward]
    protoPayload.request.caseSensitive target.resource.attribute.labels[request_case_sensitive]
    protoPayload.request.cluster.addonsConfig.networkPolicyConfig.disabled target.resource.attribute.labels[req_cls_policy_config_disabled]
    protoPayload.request.cluster.name target.resource.name
    protoPayload.request.cluster.network target.resource_ancestors.attribute.labels[req_cls_network]
    protoPayload.request.cluster.nodePools[].autoscaling.enabled target.resource_ancestor.attribute.labels[req_clsNodePools_autoscaling_enabled]
    protoPayload.request.cluster.nodePools[].autoscaling.maxNodeCount target.resource_ancestor.attribute.labels[req_clsNodePools_autoscaling_max_node_cnt]
    protoPayload.request.cluster.nodePools[].autoscaling.minNodeCount target.resource_ancestor.attribute.labels[req_clsNodePools_autoscaling_min_node_cnt]
    protoPayload.request.cluster.nodePools[].config.diskSizeGb target.resource_ancestor.attribute.labels[req_clsNodePools_config_disksize]
    protoPayload.request.cluster.nodePools[].config.imageType target.resource_ancestor.attribute.labels[req_clsNodePools_config_imagetype]
    protoPayload.request.cluster.nodePools[].config.machineType target.resource_ancestor.attribute.labels[req_clsNodePools_config_machinetype]
    protoPayload.request.cluster.nodePools[].config.oauthScopes[] target.resource_ancestor.attribute.labels[req_clsNodePools_config_oauth_scopes]
    protoPayload.request.cluster.nodePools[].initialNodeCount target.resource_ancestor.attribute.labels[req_clsterNodePools_autoscaling_initial_node_cnt]
    protoPayload.request.cluster.nodePools[].management.autoRepair target.resource_ancestors.attribute.labels[req_clsNodePools_autorepair]
    protoPayload.request.cluster.nodePools[].management.autoupgrade target.resource_ancestor.attribute.labels[req_clsNodePools_autoupgrade]
    protoPayload.request.cluster.nodePools[].name target.resource_ancestor.attribute.labels[req_clsNodePools_name]
    protoPayload.request.cluster.releaseChannel.channel target.resource.attribute.labels[req_cls_channel]
    protoPayload.request.cluster.subnetwork target.resource_ancestor.attribute.labels[req_cls_subnetwork]
    protoPayload.request.cmd target.resource.attribute.labels [sql_operation_type]
    protoPayload.request.constraint target.resource.attribute.labels [request_constraint]
    protoPayload.request.cryptoKey.nextRotationTime security_result.detection_fields [next_rotation_time]
    protoPayload.request.cryptoKey.purpose security_result.detection_fields [purpose]
    protoPayload.request.cryptoKey.rotationPeriod security_result.detection_fields [rotation_period]
    protoPayload.request.cryptoKey.versionTemplate.algorithm security_result.detection_fields [algorithm]
    protoPayload.request.cryptoKey.versionTemplate.protectionLevel security_result.detection_fields [protection_level]
    protoPayload.request.cryptoKeyVersion.state target.resource.attribute.labels[req_cryptokey_version_state]
    protoPayload.request.dataAccessed target.resource.attribute.labels [request_data_accessed]
    protoPayload.request.date target.resource.attribute.labels [audit_event_occurred]
    protoPayload.request.deletionProtection about.labels[req_deletion_protection] (deprecated)
    protoPayload.request.deletionProtection additional.fields[req_deletion_protection]
    protoPayload.request.denieds.0.IPProtocol target.resource.attribute.labels [Denied Protocol]
    protoPayload.request.description security_result.summary
    protoPayload.request.description principal.labels[req_description] (deprecated)
    protoPayload.request.description additional.labels[req_description]
    protoPayload.request.destinationRanges target.resource.attribute.labels [destination_ranges]
    protoPayload.request.direction network.direction
    protoPayload.request.direction target.resource.attribute.labels[direction]
    protoPayload.request.disabled about.labels[req_disabled] (deprecated)
    protoPayload.request.disabled target.resource.attribute.labels[req_disabled]
    protoPayload.request.disabled additional.fields[req_disabled]
    protoPayload.request.disk[].autoDelete target.resource_ancestors.attributes.permission.name
    protoPayload.request.disk[].mode target.resource_ancestors.attributes.permission.name
    protoPayload.request.disk[].type target.resource_ancestors.resource_subtype If the protoPayload.request.cluster.subnetwork log field value is not empty, then the target.resource_ancestors.resource_subtype UDM field is set to subnetwork. If the protoPayload.request.cluster.network log field value is not empty, then the target.resource_ancestors.resource_subtype UDM field is set to network. If the protoPayload.request.cluster.nodePools.name log field value is not empty, then the target.resource_ancestors.resource_subtype UDM field is set to nodepool.
    protoPayload.request.disks[].boot target.resource.attribute.labels[req_disk_boot]
    protoPayload.request.disks[].deviceName target.resource_ancestors.name
    protoPayload.request.disks[].initializeParams.diskSizeGb target.resource.attribute.labels[req_disk_initialize_disk_size]
    protoPayload.request.disks[].initializeParams.diskType target.resource.attribute.labels[req_disk_initialize_disk_type]
    protoPayload.request.disks[].initializeParams.sourceImage target.resource.attribute.labels[req_disk_initialize_source_image]
    protoPayload.request.displayDevice.enableDisplay about.labels[req_display_device_enable_display] (deprecated)
    protoPayload.request.displayDevice.enableDisplay additional.fields[req_display_device_enable_display]
    protoPayload.request.email target.user.email_addresses
    protoPayload.request.enableFlowLogs about.labels[req_enable_flow_logs] (deprecated)
    protoPayload.request.enableFlowLogs additional.fields[req_enable_flow_logs]
    protoPayload.request.fingerprint about.labels[req_fingerprint] (deprecated)
    protoPayload.request.fingerprint additional.fields[req_fingerprint]
    protoPayload.request.function.entryPoint target.resource.attribute.labels [function_entry_point]
    protoPayload.request.function.httpsTrigger.securityLevel target.resource.attribute.labels [function_httptrigger_security_level]
    protoPayload.request.function.labels.deployment-tool target.resource.attribute.labels [request_deployment_tool]
    protoPayload.request.function.name target.resource.attribute.labels [request_function_name]
    protoPayload.request.function.runtime target.resource.attribute.labels [function_runtime]
    protoPayload.request.function.serviceAccountEmail target.resource.attribute.labels [function_service_account_email]
    protoPayload.request.function.sourceUploadUrl target.resource.attribute.labels [function_source_upload_url]
    protoPayload.request.function.timeout target.resource.attribute.labels [function_time_out]
    protoPayload.request.httpRequest.url target.url
    protoPayload.request.instance target.asset.product_object_id
    protoPayload.request.instances.instance target.asset.product_object_id The protoPayload.request.instances.instance log field is mapped to the target.asset.product_object_id UDM field when the index value in protoPayload.request.instances.instance is equal to 0. For every other index value, the target.asset.labels.key UDM field is set to request_instance and the protoPayload.request.instances.instance log field is mapped to the target.asset.labels.value UDM field.
    protoPayload.request.instances[].instance target.resource.attribute.labels[req_instance]
    protoPayload.request.ip target.ip
    protoPayload.request.ipCidrRange principal.labels[req_ip_cidr_range] (deprecated)
    protoPayload.request.ipCidrRange additional.fields[req_ip_cidr_range]
    protoPayload.request.IPProtocol network.ip_protocol
    protoPayload.request.key_types additional.fields[req_key_types]
    protoPayload.request.key_types[] about.labels[req_key_types] (deprecated)
    protoPayload.request.kind target.resource.attribute.labels[request.kind]
    protoPayload.request.labels.0.value target.resource.attribute.labels [protoPayload.request.labels.0.key]
    protoPayload.request.listManagedInstancesResults target.resource.attribute.labels [managed_instances_result]
    protoPayload.request.loadBalancingScheme target.labels[req_load_balancing_scheme] (deprecated)
    protoPayload.request.loadBalancingScheme additional.fields[req_load_balancing_scheme]
    protoPayload.request.location target.resource.attribute.labels [request_location]
    protoPayload.request.logconfig.enable about.labels[req_logconfig_enable] (deprecated)
    protoPayload.request.logconfig.enable target.resource.attribute.labels[req_logconfig_enable]
    protoPayload.request.logconfig.enable additional.fields[req_logconfig_enable]
    protoPayload.request.machineType target.resource.resource_subtype If the resource.type log field value matches the regular expression gce_(autoscaler or instance_group) or gae_app, then the resource.type raw log field is mapped to the target.resource.resource_subtype UDM field.
    protoPayload.request.maxResults target.resource.attribute.labels[req_max_results]
    protoPayload.request.member target.user.email_addresses
    protoPayload.request.metadata.annotations.deprecated.daemonset.template.generation target.resource.attribute.labels[req_metadata_annotations_deprecated_daemonset_template_generation]
    protoPayload.request.metadata.creationTimestamp target.resource.attribute.creation_time
    protoPayload.request.metadata.labels.app target.resource.attribute.labels[req_metadata_app]
    protoPayload.request.metadata.labels.trivy.automatic.created target.resource.attribute.labels[req_metadata_trivy_automatic_created]
    protoPayload.request.metadata.labels.trivy.collector.name target.resource.attribute.labels[req_metadata_trivy_collector_name]
    protoPayload.request.metadata.labels.trivy.resource.kind target.resource.attribute.labels[req_metadata_trivy_resource_kind]
    protoPayload.request.metadata.labels.trivy.resource.name target.resource.attribute.labels[req_metadata_trivy_resource_name]
    protoPayload.request.metadata.labels.type target.resource.attribute.labels[req_metadata_labels_type]
    protoPayload.request.metadata.name target.resource.attribute.labels[request.metadata.name]
    protoPayload.request.metadata.namespace principal.namespace
    protoPayload.request.metadata.state target.resource.attribute.labels[request_state]
    protoPayload.request.msgType target.resource.attribute.labels [msg_type]
    protoPayload.request.name target.resource.name If the protoPayload.methodName log field value is equal to beta.compute.instances.insert, then the protoPayload.request.name log field is mapped to the target.resource.name UDM field.
    protoPayload.request.name target.resource.name
    protoPayload.request.name target.resource.attribute.labels[req_name]
    protoPayload.request.network target.resource_ancestors.name
    protoPayload.request.network about.labels[req_network] (deprecated)
    protoPayload.request.network target.resource.attribute.labels[req_network]
    protoPayload.request.network additional.fields[req_network]
    protoPayload.request.networkInterfaces[].accessConfig.name target.resource.attribute.labels[req_network_access_config_name]
    protoPayload.request.networkInterfaces[].accessConfig.networkTier target.resource.attribute.labels[req_network_access_config_network_tier]
    protoPayload.request.networkInterfaces[].accessConfig.type target.resource.attribute.labels[req_network_access_config_type]
    protoPayload.request.networkInterfaces[].subnetwork target.resource_ancestors.name
    protoPayload.request.networkTier about.labels[req_network_tier] (deprecated)
    protoPayload.request.networkTier additional.fields[req_network_tier]
    protoPayload.request.New Data target.resource_ancestors.attribute.labels[req_new_data]
    protoPayload.request.objects.db about.labels [database_name] (deprecated)
    protoPayload.request.objects.db additional.fields[database_name]
    protoPayload.request.objects.name about.labels [objects_name] (deprecated)
    protoPayload.request.objects.name additional.fields[objects_name]
    protoPayload.request.occurrence.resourceUri additional.fields[request_resourceuri]
    protoPayload.request.occurrence.vulnerability.effectiveSeverity extensions.vulns.vulnerabilities.severity If the protoPayload.request.occurrence.vulnerability.effectiveSeverity log field value contains one of the following values, then the protoPayload.request.occurrence.vulnerability.effectiveSeverity log field is mapped to the extensions.vulns.vulnerabilities.severity UDM field: CRITICAL, HIGH, MEDIUM, LOW.
    protoPayload.request.occurrence.vulnerability.shortDescription extensions.vulns.vulnerabilities.cve_id
    protoPayload.request.override.overrideValue target.resource.attribute.labels[request_override_value]
    protoPayload.request.page_size about.labels[req_page_size] (deprecated)
    protoPayload.request.page_size additional.fields[req_page_size]
    protoPayload.request.parent target.resource_ancestors.name
    protoPayload.request.permissions target.resource.attribute.labels.permission
    protoPayload.request.personIdentifier.canonicalPersonId target.user.group_identifiers
    protoPayload.request.policy security_result.rule_name
    protoPayload.request.policy.bindings.members target.resource.attribute.labels[req_bindings_members]
    protoPayload.request.policy.bindings.role target.resource.attribute.labels[req_policy_bindings_role]
    protoPayload.request.policy.booleanPolicy.enforced target.resource.attribute.labels[request_constraint]
    protoPayload.request.policy.constraint target.resource.attribute.labels [request_policy_constraint]
    protoPayload.request.policy.etag about.labels[req_policy_etag] (deprecated)
    protoPayload.request.policy.etag additional.fields[req_policy_etag]
    protoPayload.request.portRange about.labels[req_port_range] (deprecated)
    protoPayload.request.portRange additional.fields[req_port_range]
    protoPayload.request.priority security_result.priority_details
    protoPayload.request.priority target.resource.attribute.labels[Request Priority]
    protoPayload.request.private_key_type about.labels[req_private_key_type] (deprecated)
    protoPayload.request.private_key_type additional.fields[req_private_key_type]
    protoPayload.request.privateIpGoogleAccess about.labels[req_private_ip_google_access] (deprecated)
    protoPayload.request.privateIpGoogleAccess additional.fields[req_private_ip_google_access]
    protoPayload.request.productSources target.resource.attribute.labels[request_product_sources]
    protoPayload.request.project target.resource.attribute.labels[req_project]
    protoPayload.request.projection target.resource.attribute.labels[req_projection]
    protoPayload.request.properties.confidentialInstanceConfig.enableConfidentialCompute target.resource.attribute.labels [enable_confidential_compute]
    protoPayload.request.properties.description target.resource.attribute.labels [request_description]
    protoPayload.request.properties.disks.0.initializeParams.diskSizeGb principal.resource.attribute.labels[diskSizeGb]
    protoPayload.request.properties.disks.0.initializeParams.diskType principal.resource.attribute.labels[diskType]
    protoPayload.request.properties.disks.0.initializeParams.guestOsFeatures.0.type principal.resource.attribute.labels[guestOsFeatures type]
    protoPayload.request.properties.disks.0.initializeParams.labels.0.key principal.resource.attribute.labels[protoPayload.request.properties.disks.0.initializeParams.labels.0.key]
    protoPayload.request.properties.disks.0.initializeParams.sourceImage principal.resource.attribute.labels[sourceImage]
    protoPayload.request.properties.disks.0.type principal.resource.attribute.labels[disks Type]
    protoPayload.request.query target.resource.attribute.labels[request_query]
    protoPayload.request.queryId target.resource.attribute.labels [query_id]
    protoPayload.request.referenceList.displayName security_result.associations.name If the protoPayload.response.displayName log field value is empty, then the protoPayload.request.referenceList.displayName log field is mapped to the security_result.associations.name UDM field.
    protoPayload.request.regexSearch target.resource.attribute.labels[request_regex_search]
    protoPayload.request.region target.location.country_or_region
    protoPayload.request.remove_deleted_service_accounts about.labels[req_remove_deleted_serviceAcc] (deprecated)
    protoPayload.request.remove_deleted_service_accounts additional.fields[req_remove_deleted_serviceAcc]
    protoPayload.request.requestId target.labels[request_id] (deprecated)
    protoPayload.request.requestId additional.fields[request_id]
    protoPayload.request.reservationAffinity.consumeReservationType target.resource.attribute.labels[req_consumeReservation_type]
    protoPayload.request.role_id target.resource.product_object_id If the protoPayload.methodName log field value is equal to google.iam.admin.v1.CreateRole, then the protoPayload.request.role_id log field is mapped to the target.resource.product_object_id UDM field.
    protoPayload.request.role.description target.resource.attributes.roles.description
    protoPayload.request.role.included_permissions[] target.resource.attributes.permission.name
    protoPayload.request.role.included_permissions[] target.user.attribute.permissions.name
    protoPayload.request.role.stage target.resource.attribute.labels[req_role_stage]
    protoPayload.request.roleRef.apiGroup target.user.attribute.labels[req_role_ref_api_group]
    protoPayload.request.roleRef.kind target.user.attribute.labels[req_role_ref_kind]
    protoPayload.request.roleRef.name target.user.attribute.roles.name
    protoPayload.request.rules.apiGroups security_result.rule_labels[req_rule_api_group]
    protoPayload.request.rules.resourceNames security_result.rule_labels[req_rule_resource_name]
    protoPayload.request.rules.resources security_result.rule_labels[req_rule_resource]
    protoPayload.request.rules.verbs security_result.rule_labels[req_rule_verb]
    protoPayload.request.scheduling.automaticRestart target.resource.attribute.labels[req_scheduling_automatic_restart]
    protoPayload.request.scheduling.onHostMaintenance target.resource.attribute.labels[req_scheduling_on_host_mainten]
    protoPayload.request.scheduling.preemptible target.resource.attribute.labels[req_scheduling_preemptible]
    protoPayload.request.securityHealthAnalyticsSettings.modules.PUBLIC_BUCKET_ACL.moduleEnablementState target.resource.attribute.labels[PUBLIC_BUCKET_ACL_module_enablement_state]
    protoPayload.request.serialConsoleOptions principal.port For each entry in the protoPayload.request.serialConsoleOptions log field: if the protoPayload.request.serialConsoleOptions.name value is equal to port, then the protoPayload.request.serialConsoleOptions.value log field is mapped to the principal.port UDM field. Otherwise, the protoPayload.request.serialConsoleOptions.name log field is mapped to the principal.resource.attribute.labels.key UDM field and the protoPayload.request.serialConsoleOptions.value log field is mapped to the principal.resource.attribute.labels.value UDM field.
    protoPayload.request.service_account.description target.resource.attribute.labels[req_serviceAcc_description]
    protoPayload.request.service_account.display_name target.resource.name
    protoPayload.request.service.metadata.annotations.run.googleapis.com/binary-authorization target.resource_ancestors.attribute.labels[req_service_metadata_binary_authorization]
    protoPayload.request.service.metadata.annotations.run.googleapis.com/client-name target.resource_ancestors.attribute.labels[req_service_metadata_client_name]
    protoPayload.request.service.metadata.annotations.run.googleapis.com/client-version target.resource_ancestors.attribute.labels[req_service_metadata_client_version]
    protoPayload.request.service.metadata.annotations.run.googleapis.com/ingress target.resource_ancestors.attribute.labels[req_service_metadata_ingress]
    protoPayload.request.service.metadata.annotations.run.googleapis.com/ingress-status target.resource_ancestors.attribute.labels[req_service_metadata_client_ingress_status]
    protoPayload.request.service.metadata.annotations.run.googleapis.com/operation-id target.resource_ancestors.attribute.labels[req_service_metadata_client_operation_id]
    protoPayload.request.service.metadata.annotations.serving.knative.dev/creator target.resource_ancestors.attribute.labels[req_service_metadata_creator]
    protoPayload.request.service.metadata.annotations.serving.knative.dev/lastModifier target.resource_ancestors.attribute.labels[req_service_metadata_last_modifier]
    protoPayload.request.service.spec.template.metadata.annotations.autoscaling.knative.dev/maxScale target.resource_ancestors.attribute.labels[req_service_spec_template_metadata_max_scale]
    protoPayload.request.service.spec.template.metadata.annotations.run.googleapis.com/client-name target.resource_ancestors.attribute.labels[req_service_spec_template_metadata_client_name]
    protoPayload.request.service.spec.template.metadata.annotations.run.googleapis.com/client-version target.resource_ancestors.attribute.labels[req_service_spec_template_metadata_client_version]
    protoPayload.request.serviceAccounts[].email target.user.email_addresses
    protoPayload.request.serviceAccounts[].email target.resource.attribute.labels[req_serviceAcc_email]
    protoPayload.request.serviceAccounts[].scopes principal.user.attribute.permissions.name
    protoPayload.request.serviceAccounts[].scopes security_result.detection_fields [service_account_scope]
    protoPayload.request.shieldedInstanceConfig.enableIntegrityMonitoring about.labels[req_instance_enable_integrity_monitoring] (deprecated)
    protoPayload.request.shieldedInstanceConfig.enableIntegrityMonitoring additional.fields[req_instance_enable_integrity_monitoring]
    protoPayload.request.shieldedInstanceConfig.enableSecureBoot about.labels[req_instance_config_enable_secure_boot] (deprecated)
    protoPayload.request.shieldedInstanceConfig.enableSecureBoot additional.fields[req_instance_config_enable_secure_boot]
    protoPayload.request.shieldedInstanceConfig.enableVtpm about.labels[req_instance_config_enable_vtpm] (deprecated)
    protoPayload.request.shieldedInstanceConfig.enableVtpm additional.fields[req_instance_config_enable_vtpm]
    protoPayload.request.showDeleted about.labels[req_show_deleted] (deprecated)
    protoPayload.request.showDeleted additional.fields[req_show_deleted]
    protoPayload.request.skip_visibility_check about.labels[req_skip_visibility_check] (deprecated)
    protoPayload.request.skip_visibility_check additional.fields[req_skip_visibility_check]
    protoPayload.request.sourceRanges additional.fields[req_source_ranges]
    protoPayload.request.sourceRanges[] principal.labels[req_source_ranges] (deprecated)
    protoPayload.request.sourceRanges[] target.resource.attribute.labels[source_ranges]
    protoPayload.request.spec.automountServiceAccountToken target.resource.attribute.labels[req_spec_automount_service_account_token]
    protoPayload.request.spec.backoffLimit target.resource.attribute.labels[req_spec_backoff_limit]
    protoPayload.request.spec.completionMode target.resource.attribute.labels[req_spec_completion_mode]
    protoPayload.request.spec.completions target.resource.attribute.labels[req_spec_completions]
    protoPayload.request.spec.containers.0.args about.file.capabilities_tags
    protoPayload.request.spec.containers.0.image target.process.command_line
    protoPayload.request.spec.containers.0.imagePullPolicy target.resource.attribute.labels[imagePullPolicy]
    protoPayload.request.spec.containers.0.name target.resource.attribute.labels[name]
    protoPayload.request.spec.containers.0.terminationMessagePath target.resource.attribute.labels[terminationMessagePath]
    protoPayload.request.spec.containers.0.terminationMessagePolicy target.resource.attribute.labels[terminationMessagePolicy]
    protoPayload.request.spec.containers.command target.resource.attribute.labels[req_spec_container_command]
    protoPayload.request.spec.containers.securityContext.allowPrivilegeEscalation target.resource.attribute.labels[req_spec_container_security_context_allow_privilege_escalation]
    protoPayload.request.spec.containers.securityContext.capabilities.add target.resource_ancestors.attribute.labels[req_spec_container_security_context_capabilities_add]
    protoPayload.request.spec.containers.securityContext.capabilities.drop target.resource.attribute.labels[req_spec_container_security_context_capabilities_drop]
    protoPayload.request.spec.containers.securityContext.privileged target.resource.attribute.labels[req_spec_container_security_context_privileged]
    protoPayload.request.spec.containers.securityContext.readOnlyRootFilesystem target.resource.attribute.labels[req_spec_container_security_context_read_only_root_filesystem]
    protoPayload.request.spec.containers.securityContext.seccompProfile.type target.resource_ancestors.attribute.labels[req_spec_container_security_context_seccomp_profile_type]
    protoPayload.request.spec.containers.volumeMounts.mountPath target.resource.attribute.labels[req_spec_container_volume_mount_path]
    protoPayload.request.spec.containers.volumeMounts.name target.resource.attribute.labels[req_spec_container_volume_mount_name]
    protoPayload.request.spec.containers.volumeMounts.readOnly target.resource.attribute.labels[req_spec_container_volume_mount_read_only]
    protoPayload.request.spec.dnsPolicy target.resource.attribute.labels[imagePullPolicy]
    protoPayload.request.spec.enableServiceLinks target.resource.attribute.labels[enableServiceLinks]
    protoPayload.request.spec.expirationSeconds target.resource.attribute.labels[req_spec_expiration_seconds]
    protoPayload.request.spec.hostIPC target.resource.attribute.labels[req_spec_host_ipc]
    protoPayload.request.spec.hostNetwork target.resource.attribute.labels[req_spec_host_network]
    protoPayload.request.spec.hostPID target.resource.attribute.labels[req_spec_host_pid]
    protoPayload.request.spec.jobTemplate.spec.template.spec.containers.args target.resource_ancestors.attribute.labels[req_spec_jobtemplate_spec_template_spec_container_arg_{index}]
    protoPayload.request.spec.jobTemplate.spec.template.spec.containers.command target.resource_ancestors.attribute.labels[req_spec_jobtemplate_spec_template_spec_container_command_{index}]
    protoPayload.request.spec.jobTemplate.spec.template.spec.containers.image target.resource_ancestors.attribute.labels[req_spec_jobtemplate_spec_template_spec_container_image]
    protoPayload.request.spec.jobTemplate.spec.template.spec.containers.imagePullPolicy target.resource_ancestors.attribute.labels[req_spec_jobtemplate_spec_template_spec_container_image_pull_policy]
    protoPayload.request.spec.jobTemplate.spec.template.spec.containers.name target.resource_ancestors.name
    protoPayload.request.spec.jobTemplate.spec.template.spec.containers.resources.limits.cpu target.resource_ancestors.attribute.labels[req_spec_jobtemplate_spec_template_spec_container_resource_limits_cpu]
    protoPayload.request.spec.jobTemplate.spec.template.spec.containers.resources.limits.memory target.resource_ancestors.attribute.labels[req_spec_jobtemplate_spec_template_spec_container_resource_limits_memory]
    protoPayload.request.spec.jobTemplate.spec.template.spec.containers.resources.requests.cpu target.resource_ancestors.attribute.labels[req_spec_jobtemplate_spec_template_spec_container_resource_request_cpu]
    protoPayload.request.spec.jobTemplate.spec.template.spec.containers.resources.requests.memory target.resource_ancestors.attribute.labels[req_spec_jobtemplate_spec_template_spec_container_resource_request_memory]
    protoPayload.request.spec.jobTemplate.spec.template.spec.containers.securityContext.allowPrivilegeEscalation target.resource_ancestors.attribute.labels[req_spec_jobtemplate_spec_template_spec_container_security_context_allow_privilege_escalation]
    protoPayload.request.spec.jobTemplate.spec.template.spec.containers.securityContext.capabilities.drop target.resource_ancestors.attribute.labels[req_spec_jobtemplate_spec_template_spec_container_security_context_capabilities_drop_{index}]
    protoPayload.request.spec.jobTemplate.spec.template.spec.containers.securityContext.privileged target.resource_ancestors.attribute.labels[req_spec_jobtemplate_spec_template_spec_container_security_context_privileged]
    protoPayload.request.spec.jobTemplate.spec.template.spec.containers.securityContext.readOnlyRootFilesystem target.resource_ancestors.attribute.labels[req_spec_jobtemplate_spec_template_spec_container_security_context_read_only_root_filesystem]
    protoPayload.request.spec.jobTemplate.spec.template.spec.containers.terminationMessagePath target.resource_ancestors.attribute.labels[req_spec_jobtemplate_spec_template_spec_container_termination_message_path]
    protoPayload.request.spec.jobTemplate.spec.template.spec.containers.terminationMessagePolicy target.resource_ancestors.attribute.labels[req_spec_jobtemplate_spec_template_spec_container_termination_message_policy]
    protoPayload.request.spec.jobTemplate.spec.template.spec.containers.volumeMounts.mountPath target.resource_ancestors.attribute.labels[req_spec_jobtemplate_spec_template_spec_container_volume_mounts_mount_path_{index}]
    protoPayload.request.spec.jobTemplate.spec.template.spec.containers.volumeMounts.name target.resource_ancestors.attribute.labels[req_spec_jobtemplate_spec_template_spec_container_volume_mounts_name_{index}]
    protoPayload.request.spec.jobTemplate.spec.template.spec.containers.volumeMounts.readOnly target.resource_ancestors.attribute.labels[req_spec_jobtemplate_spec_template_spec_container_volume_mounts_readonly_{index}]
    protoPayload.request.spec.jobTemplate.spec.template.spec.restartPolicy target.resource.attribute.labels[req_spec_jobtemplate_spec_template_spec_restart_policy]
    protoPayload.request.spec.jobTemplate.spec.template.spec.shareProcessNamespace target.resource.attribute.labels[req_spec_jobtemplate_spec_template_spec_share_process_namespace]
    protoPayload.request.spec.nodeName target.resource.attribute.labels[req_spec_node_name]
    protoPayload.request.spec.parallelism target.resource.attribute.labels[req_spec_parallelism]
    protoPayload.request.spec.request target.resource.attribute.labels[req_spec_request]
    protoPayload.request.spec.resourceAttributes.namespace target.resource.attribute.labels[req_spec_resource_attribute_namespace]
    protoPayload.request.spec.resourceAttributes.resource target.resource.attribute.labels[req_spec_resource_attribute_resource]
    protoPayload.request.spec.resourceAttributes.verb target.resource.attribute.labels[req_spec_resource_attribute_verb]
    protoPayload.request.spec.restartPolicy target.resource.attribute.labels[restartPolicy]
    protoPayload.request.spec.revisionHistoryLimit target.resource.attribute.labels[req_spec_revision_history_limit]
    protoPayload.request.spec.schedulerName target.resource.attribute.labels[schedulerName]
    protoPayload.request.spec.securityContext.allowPrivilegeEscalation target.resource.attribute.labels[req_spec_security_context_allow_privilege_escalation]
    protoPayload.request.spec.securityContext.capabilities.drop target.resource.attribute.labels[req_spec_security_context_capabilities_drop]
    protoPayload.request.spec.securityContext.privileged target.resource.attribute.labels[req_spec_security_context_privileged]
    protoPayload.request.spec.securityContext.readOnlyRootFilesystem target.resource.attribute.labels[req_spec_security_context_read_only_root_filesystem]
    protoPayload.request.spec.selector.matchLabels.app target.resource.attribute.labels[req_spec_selector_match_label_app]
    protoPayload.request.spec.selector.matchLabels.type target.resource.attribute.labels[req_spec_selector_match_label_type]
    protoPayload.request.spec.serviceAccount target.resource.attribute.labels[req_spec_service_account]
    protoPayload.request.spec.serviceAccountName target.resource.attribute.labels[req_spec_serivce_account_name]
    protoPayload.request.spec.shareProcessNamespace target.resource.attribute.labels[req_spec_share_process_namespace]
    protoPayload.request.spec.signerName target.resource.attribute.labels[req_spec_signer_name]
    protoPayload.request.spec.suspend target.resource.attribute.labels[req_spec_suspend]
    protoPayload.request.spec.template.metadata.creationTimestamp target.resource.attribute.labels[req_spec_template_metadata_creation_time]
    protoPayload.request.spec.template.metadata.labels.app target.resource.attribute.labels[req_spec_template_metadata_app]
    protoPayload.request.spec.template.metadata.labels.type target.resource.attribute.labels[req_spec_template_metadata_labels_type]
    protoPayload.request.spec.template.spec.automountServiceAccountToken target.resource.attribute.labels[req_spec_template_spec_automount_service_account_token]
    protoPayload.request.spec.template.spec.containers.args target.resource.attribute.labels[req_spec_template_spec_container_arg]
    protoPayload.request.spec.template.spec.containers.command target.resource_ancestors.attribute.labels[req_spec_template_spec_container_command]
    protoPayload.request.spec.template.spec.containers.image target.resource_ancestors.attribute.labels[req_spec_template_spec_container_image]
    protoPayload.request.spec.template.spec.containers.imagePullPolicy target.resource_ancestors.attribute.labels[req_spec_template_spec_container_image_pull_policy]
    protoPayload.request.spec.template.spec.containers.name target.resource_ancestors.name
    protoPayload.request.spec.template.spec.containers.resources.limits.cpu target.resource_ancestors.attribute.labels[req_spec_template_spec_container_resource_limits_cpu]
    protoPayload.request.spec.template.spec.containers.resources.limits.memory target.resource_ancestors.attribute.labels[req_spec_template_spec_container_resource_limits_memory]
    protoPayload.request.spec.template.spec.containers.resources.requests.cpu target.resource_ancestors.attribute.labels[req_spec_template_spec_container_resource_request_cpu]
    protoPayload.request.spec.template.spec.containers.resources.requests.memory target.resource_ancestors.attribute.labels[req_spec_template_spec_container_resource_request_memory]
    protoPayload.request.spec.template.spec.containers.securityContext.allowPrivilegeEscalation target.resource_ancestors.attribute.labels[req_spec_template_spec_container_security_context_allow_privilege_escalation]
    protoPayload.request.spec.template.spec.containers.securityContext.capabilities.drop target.resource_ancestors.attribute.labels[req_spec_template_spec_container_security_context_capabilities_drop]
    protoPayload.request.spec.template.spec.containers.securityContext.privileged target.resource_ancestors.attribute.labels[req_spec_template_spec_container_security_context_privileged]
    protoPayload.request.spec.template.spec.containers.securityContext.readOnlyRootFilesystem target.resource_ancestors.attribute.labels[req_spec_template_spec_container_security_context_read_only_root_filesystem]
    protoPayload.request.spec.template.spec.containers.securityContext.runAsUser target.resource.attribute.labels[req_spec_template_spec_containers_securitycontext_run_as_user]
    protoPayload.request.spec.template.spec.containers.terminationMessagePath target.resource_ancestors.attribute.labels[req_spec_template_spec_container_termination_message_path]
    protoPayload.request.spec.template.spec.containers.terminationMessagePolicy target.resource_ancestors.attribute.labels[req_spec_template_spec_container_termination_message_policy]
    protoPayload.request.spec.template.spec.containers.volumeMounts.mountPath target.resource_ancestors.attribute.labels[req_spec_template_spec_container_volume_mounts_mount_path]
    protoPayload.request.spec.template.spec.containers.volumeMounts.name target.resource_ancestors.attribute.labels[req_spec_template_spec_container_volume_mounts_name]
    protoPayload.request.spec.template.spec.containers.volumeMounts.readOnly target.resource_ancestors.attribute.labels[req_spec_template_spec_container_volume_mounts_readonly]
    protoPayload.request.spec.template.spec.dnsPolicy target.resource.attribute.labels[req_spec_template_spec_dns_policy]
    protoPayload.request.spec.template.spec.hostIPC target.resource.attribute.labels[req_spec_template_spec_host_ipc]
    protoPayload.request.spec.template.spec.hostNetwork target.resource.attribute.labels[req_spec_template_spec_host_network]
    protoPayload.request.spec.template.spec.hostPID target.resource.attribute.labels[req_spec_template_spec_host_pid]
    protoPayload.request.spec.template.spec.restartPolicy target.resource.attribute.labels[req_spec_template_spec_restart_policy]
    protoPayload.request.spec.template.spec.schedulerName target.resource.attribute.labels[req_spec_template_spec_scheduler_name]
    protoPayload.request.spec.template.spec.securityContext.runAsGroup target.resource.attribute.labels[req_spec_template_spec_security_context_run_as_group]
    protoPayload.request.spec.template.spec.securityContext.runAsUser target.resource.attribute.labels[req_spec_template_spec_security_context_run_as_user]
    protoPayload.request.spec.template.spec.securityContext.seccompProfile.type target.resource.attribute.labels[req_spec_template_spec_security_context_seccomp_profile_type]
    protoPayload.request.spec.template.spec.shareProcessNamespace target.resource.attribute.labels[req_spec_template_spec_share_process_namespace]
    protoPayload.request.spec.template.spec.terminationGracePeriodSeconds target.resource.attribute.labels[req_spec_template_spec_termination_grace_period_seconds]
    protoPayload.request.spec.template.spec.volumes.hostPath.path target.resource.attribute.labels[req_spec_template_spec_volumes_host_path]
    protoPayload.request.spec.template.spec.volumes.hostPath.type target.resource.attribute.labels[req_spec_template_spec_volumes_host_path_type]
    protoPayload.request.spec.template.spec.volumes.name target.resource.attribute.labels[req_spec_template_spec_volumes_name]
    protoPayload.request.spec.terminationGracePeriodSeconds target.resource.attribute.labels[protoPayload_request_spec_terminationGracePeriodSeconds]
    protoPayload.request.spec.type target.resource.attribute.labels[request_spec_type]
    protoPayload.request.spec.updateStrategy.rollingUpdate.maxSurge target.resource.attribute.labels[req_spec_update_strategy_rolling_update_max_surge]
    protoPayload.request.spec.updateStrategy.rollingUpdate.maxUnavailable target.resource.attribute.labels[req_spec_update_strategy_rolling_update_max_unavailable]
    protoPayload.request.spec.updateStrategy.type target.resource.attribute.labels[req_spec_update_strategy_type]
    protoPayload.request.spec.usages target.resource.attribute.labels[req_spec_usage]
    protoPayload.request.spec.volumes.hostPath.path target.resource.attribute.labels[req_spec_volume_host_path]
    protoPayload.request.spec.volumes.hostPath.type target.resource.attribute.labels[req_spec_volume_host_path_type]
    protoPayload.request.spec.volumes.name target.resource.attribute.labels[req_spec_volume_name]
    protoPayload.request.stackType about.labels[req_stack_type] (deprecated)
    protoPayload.request.stackType additional.fields[req_stack_type]
    protoPayload.request.status security_result.description
    protoPayload.request.status.allowed target.resource.attribute.labels[req_status_allowed]
    protoPayload.request.status.currentNumberScheduled target.resource.attribute.labels[req_status_current_number_scheduled]
    protoPayload.request.status.desiredNumberScheduled target.resource.attribute.labels[req_status_desired_number_scheduled]
    protoPayload.request.status.numberMisscheduled target.resource.attribute.labels[req_status_number_miss_scheduled]
    protoPayload.request.status.numberReady target.resource.attribute.labels[req_status_number_ready]
    protoPayload.request.subjects.apiGroup target.user.attribute.labels[req_subject_api_group]
    protoPayload.request.subjects.kind target.user.attribute.labels[req_subject_kind]
    protoPayload.request.subjects.name target.user.attribute.labels[subject_name]
    protoPayload.request.target target.resource_ancestors.name
    protoPayload.request.threadId target.resource.attribute.labels[thread_id]
    protoPayload.request.timestampRange.endTime target.resource.attribute.labels[timestamp_range_end_time]
    protoPayload.request.timestampRange.startTime target.resource.attribute.labels[timestamp_range_start_time]
    protoPayload.request.type about.labels[req_type] (deprecated)
    protoPayload.request.type additional.fields[req_type]
    protoPayload.request.updateMask about.labels[req_update_mask] (deprecated)
    protoPayload.request.updateMask additional.fields[req_update_mask]
    protoPayload.request.user target.user.userid
    protoPayload.request.username principal.user.userid
    protoPayload.request.version about.labels[req_version] (deprecated)
    protoPayload.request.version additional.fields[req_version]
    protoPayload.request.workloadIdentityPool.description target.resource.attribute.labels[req_identityPool_description]
    protoPayload.request.workloadIdentityPool.disabled target.resource.attribute.labels[req_identityPool_disabled]
    protoPayload.request.workloadIdentityPool.displayName target.resource.name
    protoPayload.request.workloadIdentityPoolId target.resource.product_object_id
    protoPayload.request.workloadIdentityPoolProvider.attributeCondition target.resource.attribute.labels[req_identityPool_attribute_condition]
    protoPayload.request.workloadIdentityPoolProvider.attributeMapping.attribute.aws_role target.resource.attribute.labels[req_identityPool_aws_role]
    protoPayload.request.workloadIdentityPoolProvider.attributeMapping.google.subject target.resource.attribute.labels[req_identityPool_googleSubject]
    protoPayload.request.workloadIdentityPoolProvider.aws.accountId target.resource.attribute.labels[req_identityPool_aws_accountId]
    protoPayload.request.workloadIdentityPoolProvider.disabled target.resource.attribute.labels[req_identityPool_provider_disabled]
    protoPayload.request.workloadIdentityPoolProvider.displayName target.resource.attribute.labels[req_identityPool_displayName]
    protoPayload.request.workloadIdentityPoolProviderId target.resource.product_object_id
    protoPayload.request.workloadIdentityPoolProviderId target.resource.attribute.labels[req_identityPool_providerId]
    protoPayload.requestMetadata.callerIp principal.ip
    protoPayload.requestMetadata.callerNetwork about.labels[caller_network] (deprecated)
    protoPayload.requestMetadata.callerNetwork principal.labels[caller_network] (deprecated)
    protoPayload.requestMetadata.callerNetwork additional.fields[caller_network]
    protoPayload.requestMetadata.callerNetwork.requestAttributes.reason security_result.detection_fields[caller_network_request_reason]
    protoPayload.requestMetadata.callerSuppliedUserAgent network.http.user_agent If the protoPayload.requestMetadata.callerSuppliedUserAgent log field value matches the regular expression Group, then the protoPayload.requestMetadata.callerSuppliedUserAgent log field is mapped to the principal.group.group_display_name UDM field.
    protoPayload.requestMetadata.destinationAttributes.ip target.ip
    protoPayload.requestMetadata.destinationAttributes.port target.port
    protoPayload.requestMetadata.destinationAttributes.principal target.labels[peer_principal] (deprecated)
    protoPayload.requestMetadata.destinationAttributes.principal additional.fields[peer_principal]
    protoPayload.requestMetadata.destinationAttributes.regionCode target.labels[peer_region_code] (deprecated)
    protoPayload.requestMetadata.destinationAttributes.regionCode additional.fields[peer_region_code]
    protoPayload.requestMetadata.requestAttributes.auth.accessLevels target.resource.attribute.labels[accessLevel]
    protoPayload.requestMetadata.requestAttributes.auth.claims target.labels[request_auth_claims] (deprecated)
    protoPayload.requestMetadata.requestAttributes.auth.claims additional.fields[request_auth_claims]
    protoPayload.requestMetadata.requestAttributes.host target.hostname
    protoPayload.requestMetadata.requestAttributes.id network.session_id
    protoPayload.requestMetadata.requestAttributes.method network.http.method
    protoPayload.requestMetadata.requestAttributes.path network.http.referral_url
    protoPayload.requestMetadata.requestAttributes.protocol network.ip_protocol
    protoPayload.requestMetadata.requestAttributes.reason principal.labels[request_attributes_reason] (deprecated)
    protoPayload.requestMetadata.requestAttributes.reason additional.fields[request_attributes_reason]
    protoPayload.requestMetadata.requestAttributes.size about.labels[caller_network_request_size] (deprecated)
    protoPayload.requestMetadata.requestAttributes.size principal.labels[caller_network_request_size] (deprecated)
    protoPayload.requestMetadata.requestAttributes.size additional.fields[caller_network_request_size]
    protoPayload.requestMetadata.requestAttributes.time about.labels[caller_network_request_time] (deprecated)
    protoPayload.requestMetadata.requestAttributes.time principal.labels[request_attributes_time] (deprecated)
    protoPayload.requestMetadata.requestAttributes.time principal.labels[caller_network_request_time] (deprecated)
    protoPayload.requestMetadata.requestAttributes.time additional.fields[caller_network_request_time]
    protoPayload.requestMetadata.requestAttributes.time additional.fields[request_attributes_time]
    protoPayload.resource.labels.firewall_rule_id target.resource.id
    protoPayload.resource.labels.role_name target.resource.name If the protoPayload.methodName log field value is equal to google.iam.admin.v1.CreateRole, then the protoPayload.resource.labels.role_name log field is mapped to the target.resource.name UDM field.
    protoPayload.resource.role_name target.resource_ancestors.name
    protoPayload.resource.role_name target.resource.name
    protoPayload.resourceName target.resource_ancestors.name If the protoPayload.methodName log field value matches the regular expression (CreateServiceAccount, CreateWorkloadIdentityPool, CreateWorkloadIdentityPoolProvider, managedZones.create, changes.create, resourceRecordSets.create, responsePolicies.create, responsePolicyRules.create, policies.create, CreateRole, CreatePolicy, CreateServiceAccountKey, CreateWorkforcePool, CreateWorkforcePoolProvider), then the protoPayload.resourceName log field is mapped to the target.resource_ancestors.name UDM field.
    protoPayload.resourceName target.resource.name If the protoPayload.resourceName log field value is not empty, then the protoPayload.resourceName log field is mapped to the target.resource.name UDM field.
    protoPayload.resourceName security_result.detection_fields[resource_name]
    protoPayload.resourceName security_result.detection_fields[rule_id] If the protoPayload.resourceName log field value is not empty and the protoPayload.response.@type log field value is type.googleapis.com/google.cloud.chronicle.v1alpha.Rule, then new_rule_id is extracted from the protoPayload.resourceName log field using a Grok pattern, and mapped to the security_result.detection_fields[rule_id] UDM field.
    protoPayload.resourceOriginalState.@type target.resource.attribute.labels[rc_orgState_type]
    protoPayload.resourceOriginalState.alloweds.IPProtocol network.ip_protocol
    protoPayload.resourceOriginalState.alloweds.ports target.port
    protoPayload.resourceOriginalState.creationTimestamp target.resource.attribute.creation_time
    protoPayload.resourceOriginalState.description target.labels[res_originalState_description] (deprecated)
    protoPayload.resourceOriginalState.description additional.fields[res_originalState_description]
    protoPayload.resourceOriginalState.direction network.direction
    protoPayload.resourceOriginalState.direction security_result.detection_fields[resource_original_state_direction]
    protoPayload.resourceOriginalState.disabled target.resource.attribute.labels[rc_orgState_disabled]
    protoPayload.resourceOriginalState.enableLogging target.resource.attribute.labels[rc_orgState_enable_logging]
    protoPayload.resourceOriginalState.logconfig.enable security_result.detection_fields[rc_orgState_logconfig_enable]
    protoPayload.resourceOriginalState.logconfig.enable target.resource.attribute.labels[rc_orgState_logconfig_enable]
    protoPayload.resourceOriginalState.name principal.resource.name
    protoPayload.resourceOriginalState.network network.http.referral_url
    protoPayload.resourceOriginalState.priority security_result.priority_details
    protoPayload.resourceOriginalState.selfLink target.resource.attribute.labels[rc_orgState_selflink]
    protoPayload.resourceOriginalState.selfLinkWithId about.labels[rc_old_selflinkWithId] (deprecated)
    protoPayload.resourceOriginalState.selfLinkWithId additional.fields[rc_old_selflinkWithId]
    protoPayload.resourceOriginalState.sourceRanges target.resource.attribute.labels[rc_orgState_srcranges]
    protoPayload.resourceOriginalState.targetTags target.resource.attribute.labels[rc_orgState_target_tags]
    protoPayload.response.@type target.resource.attribute.labels[res_type]
    protoPayload.response.apiVersion target.resource.attribute.labels[res_api_version]
    protoPayload.response.bindings.members additional.fields[response_bindings_members]
    protoPayload.response.bindings[].members[] target.labels[response_bindings_members] (deprecated)
    protoPayload.response.bindings[].role target.user.attribute.roles.name
    protoPayload.response.booleanPolicy.enforced target.resource.attribute.labels[response_enforce_policy]
    protoPayload.response.buildConfig.entryPoint target.resource.attribute.labels[buildconfig_entrypoint]
    protoPayload.response.clientOperationId about.labels[res_client_operation_id] (deprecated)
    protoPayload.response.clientOperationId additional.fields[res_client_operation_id]
    protoPayload.response.code security_result.detection_fields[response_code]
    protoPayload.response.code network.http.response_code
    protoPayload.response.description target.labels[response_description] (deprecated)
    protoPayload.response.description additional.fields[response_description]
    protoPayload.response.details[].@type security_result.detection_fields[details_type]
    protoPayload.response.details[].violations[].subject security_result.detection_fields[violation_subject]
    protoPayload.response.details[].violations[].type security_result.detection_fields[violation_type]
    protoPayload.response.display_name target.labels[response_display_name] (deprecated)
    protoPayload.response.display_name additional.fields[response_display_name]
    protoPayload.response.displayName security_result.associations.name If the protoPayload.response.displayName log field value is not empty, then the protoPayload.response.displayName log field is mapped to the security_result.associations.name UDM field.
    protoPayload.response.duration network.session_duration
    protoPayload.response.email target.resource.attribute.labels[res_email]
    protoPayload.response.endTime about.labels[res_end_time] (deprecated)
    protoPayload.response.endTime additional.fields[res_end_time]
    protoPayload.response.error.code network.http.response_code
    protoPayload.response.error.errors[].domain security_result.detection_fields[res_error_domain]
    protoPayload.response.error.errors[].message security_result.summary
    protoPayload.response.error.errors[].reason security_result.description
    protoPayload.response.error.message security_result.summary
    protoPayload.response.etag target.resource.attribute.labels[res_etag]
    protoPayload.response.id about.labels[res_id] (deprecated)
    protoPayload.response.id additional.fields[res_id]
    protoPayload.response.insertTime target.resource.attribute.creation_time
    protoPayload.response.instanceUid target.resource_ancestors.product_object_id
    protoPayload.response.items.etag target.resource.attribute.labels[res_items_etag]
    protoPayload.response.items.iamConfiguration.publicAccessPrevention target.resource.attribute.labels[res_items_iam_conf_public_access_prevention]
    protoPayload.response.items.iamConfiguration.uniformBucketLevelAccess.enabled target.resource.attribute.labels[res_items_iam_conf_uniform_bucket_level_access_enabled]
    protoPayload.response.items.iamConfiguration.uniformBucketLevelAccess.lockedTime target.resource.attribute.labels[res_items_iam_conf_uniform_bucket_level_access_locked_time]
    protoPayload.response.items.id target.resource.attribute.labels[res_items_id]
    protoPayload.response.items.labels.business_project_number target.resource.attribute.labels[res_items_labels_business_project_number]
    protoPayload.response.items.labels.created_by target.resource.attribute.labels[res_items_labels_created_by]
    protoPayload.response.items.labels.created_date target.resource.attribute.labels[res_items_labels_created_date]
    protoPayload.response.items.labels.department target.resource.attribute.labels[res_items_labels_department]
    protoPayload.response.items.labels.environment target.resource.attribute.labels[res_items_labels_environment]
    protoPayload.response.items.labels.finops_tag target.resource.attribute.labels[res_items_labels_finops_tag]
    protoPayload.response.items.labels.office_name target.resource.attribute.labels[res_items_labels_office_name]
    protoPayload.response.items.labels.office_number target.resource.attribute.labels[res_items_labels_official_number]
    protoPayload.response.items.labels.owner_email target.resource.attribute.labels[res_items_labels_owner_email]
    protoPayload.response.items.labels.owner_role target.resource.attribute.labels[res_items_labels_owner_role]
    protoPayload.response.items.labels.project_name target.resource.attribute.labels[res_items_labels_project_name]
    protoPayload.response.items.labels.purchase_order_number target.resource.attribute.labels[res_items_labels_purchase_order_number]
    protoPayload.response.items.labels.team_email target.resource.attribute.labels[res_items_labels_team_email]
    protoPayload.response.items.labels.team_name target.resource.attribute.labels[res_items_labels_team_name]
    protoPayload.response.items.location target.resource.attribute.labels[res_items_location]
    protoPayload.response.items.locationType target.resource.attribute.labels[res_items_location_type]
    protoPayload.response.items.metageneration target.resource.attribute.labels[res_items_metageneration]
    protoPayload.response.items.name target.resource.attribute.labels[res_items_name]
    protoPayload.response.items.projectNumber target.resource.attribute.labels[res_items_project_number]
    protoPayload.response.items.softDeletePolicy.effectiveTime target.resource.attribute.labels[res_items_soft_delete_policy_effective_time]
    protoPayload.response.items.softDeletePolicy.retentionDurationSeconds target.resource.attribute.labels[res_items_soft_delete_policy_retention_duration_seconds]
    protoPayload.response.items.storageClass target.resource.attribute.labels[res_items_storage_class]
    protoPayload.response.items.timeCreated target.resource.attribute.labels[res_items_time_created]
    protoPayload.response.items.updated target.resource.attribute.labels[res_items_updated]
    protoPayload.response.items.versioning.enabled target.resource.attribute.labels[res_items_versioning_enabled]
    protoPayload.response.key_algorithm about.labels[res_key_algorithm] (deprecated)
    protoPayload.response.key_algorithm additional.fields[res_key_algorithm]
    protoPayload.response.key_origin about.labels[res_key_origin] (deprecated)
    protoPayload.response.key_origin additional.fields[res_key_origin]
    protoPayload.response.key_type about.labels[res_key_type] (deprecated)
    protoPayload.response.key_type additional.fields[res_key_type]
    protoPayload.response.kind target.resource.attribute.labels[response_kind]
    protoPayload.response.kind about.labels[res_kind] (deprecated)
    protoPayload.response.kind additional.fields[res_kind]
    protoPayload.response.message security_result.summary
    protoPayload.response.metadata.annotations.deprecated.daemonset.template.generation target.resource.attribute.labels[res_metadata_annotations_deprecated_daemonset_template_generation]
    protoPayload.response.metadata.creationTimestamp target.resource.attribute.labels[res_metadata_creation_time]
    protoPayload.response.metadata.generation target.resource.attribute.labels[res_metadata_generation]
    protoPayload.response.metadata.labels.app target.resource.attribute.labels[res_metadata_label_app]
    protoPayload.response.metadata.labels.type target.resource.attribute.labels[res_metadata_labels_type]
    protoPayload.response.metadata.managedFields.apiVersion target.resource.attribute.labels[res_managed_field_api_version]
    protoPayload.response.metadata.managedFields.fieldsType target.resource.attribute.labels[res_managed_field_type]
    protoPayload.response.metadata.managedFields.manager target.resource.attribute.labels[res_managed_field_manager]
    protoPayload.response.metadata.managedFields.operation target.resource.attribute.labels[res_managed_field_operation]
    protoPayload.response.metadata.managedFields.time target.resource.attribute.labels[res_managed_field_time]
    protoPayload.response.metadata.name target.resource.attribute.labels[res_metadata_name]
    protoPayload.response.metadata.namespace target.resource.attribute.labels[res_metadata_namespace]
    protoPayload.response.metadata.resourceVersion target.resource.attribute.labels[res_metadata_resource_version]
    protoPayload.response.metadata.uid target.resource.attribute.labels[res_metadata_uid]
    protoPayload.response.name target.resource.name
    protoPayload.response.name target.resource.attribute.labels[res_name]
    protoPayload.response.oauth2_client_id principal.user.attribute.labels[response_oauth2_client_id]
    protoPayload.response.operationType metadata.description If the protoPayload.methodName log field value is equal to cloudsql.instances.create, then the protoPayload.response.operationType - protoPayload.response.kind log field is mapped to the metadata.description UDM field.
    protoPayload.response.operationType target.resource.attribute.labels[response_operation_type]
    protoPayload.response.Original Data target.resource_ancestors.attribute.labels[req_original_data]
    protoPayload.response.overrideValue target.resource.attribute.labels[response_override_value]
    protoPayload.response.private_key_type about.labels[res_private_key_type] (deprecated)
    protoPayload.response.private_key_type additional.fields[res_private_key_type]
    protoPayload.response.progress about.labels[res_progress] (deprecated)
    protoPayload.response.progress additional.fields[res_progress]
    protoPayload.response.project_id target.resource_ancestors.id
    protoPayload.response.reason additional.fields[res_reason]
    protoPayload.response.region target.location.country_or_region
    protoPayload.response.selfLink about.url
    protoPayload.response.selfLinkWithId metadata.url_back_to_product
    protoPayload.response.serviceConfig.timeoutSeconds target.resource.attribute.labels[response_service_config_timeout_seconds]
    protoPayload.response.serviceEnablementState target.resource.attribute.labels[service_enablement_state]
    protoPayload.response.spec.containers.args target.resource_ancestors.attribute.labels[res_spec_container_arg]
    protoPayload.response.spec.containers.command target.resource_ancestors.attribute.labels[res_spec_container_command]
    protoPayload.response.spec.containers.image target.resource_ancestors.attribute.labels[res_spec_container_image]
    protoPayload.response.spec.containers.imagePullPolicy target.resource_ancestors.attribute.labels[res_spec_container_image_pull_policy]
    protoPayload.response.spec.containers.name target.resource_ancestors.name
    protoPayload.response.spec.containers.securityContext.allowPrivilegeEscalation target.resource_ancestors.attribute.labels[res_spec_container_security_context_allow_privilege_escalation]
    protoPayload.response.spec.containers.securityContext.capabilities.add target.resource_ancestors.attribute.labels[res_spec_container_security_context_capabilities_add]
    protoPayload.response.spec.containers.securityContext.capabilities.drop target.resource_ancestors.attribute.labels[res_spec_container_security_context_capabilities_drop]
    protoPayload.response.spec.containers.securityContext.privileged target.resource_ancestors.attribute.labels[res_spec_container_security_context_privileged]
    protoPayload.response.spec.containers.securityContext.readOnlyRootFilesystem target.resource_ancestors.attribute.labels[res_spec_container_security_context_read_only_root_filesystem]
    protoPayload.response.spec.containers.securityContext.seccompProfile.type target.resource_ancestors.attribute.labels[res_spec_container_security_context_seccomp_profile_type]
    protoPayload.response.spec.containers.terminationMessagePath target.resource_ancestors.attribute.labels[res_spec_container_termination_message_path]
    protoPayload.response.spec.containers.terminationMessagePolicy target.resource_ancestors.attribute.labels[res_spec_container_termination_message_policy]
    protoPayload.response.spec.containers.volumeMounts.mountPath target.resource_ancestors.attribute.labels[res_spec_container_volume_mount_path]
    protoPayload.response.spec.containers.volumeMounts.name target.resource_ancestors.attribute.labels[res_spec_container_volume_mount_name]
    protoPayload.response.spec.containers.volumeMounts.readOnly target.resource_ancestors.attribute.labels[res_spec_container_volume_mount_read_only]
    protoPayload.response.spec.dnsPolicy target.resource.attribute.labels[res_spec_dns_policy]
    protoPayload.response.spec.enableServiceLinks target.resource.attribute.labels[res_spec_enable_service_links]
    protoPayload.response.spec.expirationSeconds target.resource.attribute.labels[res_spec_expiration_seconds]
    protoPayload.response.spec.extra.iam.gke.io/user-assertion target.resource.attribute.labels[res_spec_extra_iam_gke_io/user_assertion]
    protoPayload.response.spec.extra.user-assertion.cloud.google.com target.resource.attribute.labels[res_spec_extra_user_assertion_cloud_google_com]
    protoPayload.response.spec.groups target.resource.attribute.labels[res_spec_group]
    protoPayload.response.spec.hostIPC target.resource.attribute.labels[res_spec_host_ipc]
    protoPayload.response.spec.hostNetwork target.resource.attribute.labels[res_spec_host_network]
    protoPayload.response.spec.hostPID target.resource.attribute.labels[res_spec_host_pid]
    protoPayload.response.spec.nodeName target.resource.attribute.labels[res_spec_node_name]
    protoPayload.response.spec.preemptionPolicy target.resource.attribute.labels[res_spec_preemption_policy]
    protoPayload.response.spec.priority target.resource.attribute.labels[res_spec_priority]
    protoPayload.response.spec.request target.resource.attribute.labels[res_spec_request]
    protoPayload.response.spec.resourceAttributes.namespace target.resource.attribute.labels[res_spec_resource_attribute_namespace]
    protoPayload.response.spec.resourceAttributes.resource target.resource.attribute.labels[res_spec_resource_attribute_resource]
    protoPayload.response.spec.resourceAttributes.verb target.resource.attribute.labels[res_spec_resource_attribute_verb]
    protoPayload.response.spec.restartPolicy target.resource.attribute.labels[res_spec_restart_policy]
    protoPayload.response.spec.revisionHistoryLimit target.resource.attribute.labels[res_spec_revision_history_limit]
    protoPayload.response.spec.schedulerName target.resource.attribute.labels[res_spec_scheduler_name]
    protoPayload.response.spec.selector.matchLabels.app target.resource.attribute.labels[res_spec_selector_match_label_app]
    protoPayload.response.spec.selector.matchLabels.type target.resource.attribute.labels[res_spec_selector_match_label_type]
    protoPayload.response.spec.serviceAccount target.resource.attribute.labels[res_spec_service_account]
    protoPayload.response.spec.serviceAccountName target.resource.attribute.labels[res_spec_serivce_account_name]
    protoPayload.response.spec.shareProcessNamespace target.resource.attribute.labels[res_spec_share_process_namespace]
    protoPayload.response.spec.signerName target.resource.attribute.labels[res_spec_signer_name]
    protoPayload.response.spec.template.metadata.annotations.run.googleapis.com/client-name target.resource.attribute.labels[res_spec_template_metadata_client_name]
    protoPayload.response.spec.template.metadata.annotations.run.googleapis.com/client-version target.resource.attribute.labels[res_spec_template_metadata_client_version]
    protoPayload.response.spec.template.metadata.annotations.run.googleapis.com/execution-environment target.resource.attribute.labels[res_spec_template_metadata_exection_environment]
    protoPayload.response.spec.template.metadata.creationTimestamp target.resource.attribute.labels[res_spec_template_metadata_creation_time]
    protoPayload.response.spec.template.metadata.labels.app target.resource.attribute.labels[res_spec_template_metadata_app]
    protoPayload.response.spec.template.metadata.labels.client.knative.dev/nonce target.resource.attribute.labels[res_spec_template_metadata_nonce]
    protoPayload.response.spec.template.metadata.labels.type target.resource.attribute.labels[res_spec_template_metadata_type]
    protoPayload.response.spec.template.spec.containers.args target.resource_ancestors.attribute.labels[res_spec_template_spec_container_arg]
    protoPayload.response.spec.template.spec.containers.command target.resource_ancestors.attribute.labels[res_spec_template_spec_container_command]
    protoPayload.response.spec.template.spec.containers.image target.resource_ancestors.attribute.labels[res_spec_template_spec_container_image]
    protoPayload.response.spec.template.spec.containers.imagePullPolicy target.resource_ancestors.attribute.labels[res_spec_template_spec_container_image_pull_policy]
    protoPayload.response.spec.template.spec.containers.name target.resource_ancestors.name
    protoPayload.response.spec.template.spec.containers.resources.limits.cpu target.resource_ancestors.attribute.labels[res_spec_template_spec_container_resource_limits_cpu]
    protoPayload.response.spec.template.spec.containers.resources.limits.memory target.resource_ancestors.attribute.labels[res_spec_template_spec_container_resource_limits_memory]
    protoPayload.response.spec.template.spec.containers.resources.requests.cpu target.resource_ancestors.attribute.labels[res_spec_template_spec_container_resource_request_cpu]
    protoPayload.response.spec.template.spec.containers.resources.requests.memory target.resource_ancestors.attribute.labels[res_spec_template_spec_container_resource_request_memory]
    protoPayload.response.spec.template.spec.containers.securityContext.allowPrivilegeEscalation target.resource_ancestors.attribute.labels[res_spec_template_spec_container_security_context_allow_privilege_escalation]
    protoPayload.response.spec.template.spec.containers.securityContext.capabilities.drop target.resource_ancestors.attribute.labels[res_spec_template_spec_container_security_context_capabilities_drop]
    protoPayload.response.spec.template.spec.containers.securityContext.privileged target.resource_ancestors.attribute.labels[res_spec_template_spec_container_security_context_privileged]
    protoPayload.response.spec.template.spec.containers.securityContext.readOnlyRootFilesystem target.resource_ancestors.attribute.labels[res_spec_template_spec_container_security_context_read_only_root_filesystem]
    protoPayload.response.spec.template.spec.containers.terminationMessagePath target.resource_ancestors.attribute.labels[res_spec_template_spec_container_termination_message_path]
    protoPayload.response.spec.template.spec.containers.terminationMessagePolicy target.resource_ancestors.attribute.labels[res_spec_template_spec_container_termination_message_policy]
    protoPayload.response.spec.template.spec.containers.volumeMounts.mountPath target.resource_ancestors.attribute.labels[res_spec_template_spec_container_volume_mounts_mount_path]
    protoPayload.response.spec.template.spec.containers.volumeMounts.name target.resource_ancestors.attribute.labels[res_spec_template_spec_container_volume_mounts_name]
    protoPayload.response.spec.template.spec.containers.volumeMounts.readOnly target.resource_ancestors.attribute.labels[res_spec_template_spec_container_volume_mounts_read_only]
    protoPayload.response.spec.template.spec.dnsPolicy target.resource.attribute.labels[res_spec_template_spec_dns_policy]
    protoPayload.response.spec.template.spec.hostIPC target.resource.attribute.labels[res_spec_template_spec_host_pid]
    protoPayload.response.spec.template.spec.hostNetwork target.resource.attribute.labels[res_spec_template_spec_host_network]
    protoPayload.response.spec.template.spec.hostPID target.resource.attribute.labels[res_spec_template_spec_host_ipc]
    protoPayload.response.spec.template.spec.nodeName target.resource.attribute.labels[res_spec_template_spec_node_name]
    protoPayload.response.spec.template.spec.restartPolicy target.resource.attribute.labels[res_spec_template_spec_restart_policy]
    protoPayload.response.spec.template.spec.schedulerName target.resource.attribute.labels[res_spec_template_spec_scheduler_name]
    protoPayload.response.spec.template.spec.securityContext.runAsGroup target.resource.attribute.labels[res_spec_template_spec_security_context_run_as_group]
    protoPayload.response.spec.template.spec.securityContext.runAsUser target.resource.attribute.labels[res_spec_template_spec_security_context_run_as_user]
    protoPayload.response.spec.template.spec.securityContext.seccompProfile.type target.resource.attribute.labels[res_spec_template_spec_security_context_seccomp_profile_type]
    protoPayload.response.spec.template.spec.shareProcessNamespace target.resource.attribute.labels[resp_spec_template_spec_share_process_namespace]
    protoPayload.response.spec.template.spec.taskCount target.resource.attribute.labels[res_spec_template_spec_taskcount]
    protoPayload.response.spec.template.spec.template.spec.containers.image target.resource_ancestors.attribute.labels[res_spec_template_spec_template_spec_container_image]
    protoPayload.response.spec.template.spec.template.spec.containers.resources.limits.cpu target.resource_ancestors.attribute.labels[res_spec_template_spec_template_spec_container_resource_limits_cpu]
    protoPayload.response.spec.template.spec.template.spec.containers.resources.limits.memory target.resource_ancestors.attribute.labels[res_spec_template_spec_template_spec_container_resource_limits_memory]
    protoPayload.response.spec.template.spec.template.spec.maxRetries target.resource.attribute.labels[res_spec_template_spec_template_spec_max_retries]
    protoPayload.response.spec.template.spec.template.spec.serviceAccountName principal.user.email_addresses
    protoPayload.response.spec.template.spec.template.spec.timeoutSeconds target.resource.attribute.labels[res_spec_template_spec_template_spec_timeout_seconds]
    protoPayload.response.spec.template.spec.terminationGracePeriodSeconds target.resource.attribute.labels[res_spec_template_spec_termination_grace_period_seconds]
    protoPayload.response.spec.template.spec.volumes.hostPath.path target.resource.attribute.labels[res_spec_template_spec_volumes_host_path]
    protoPayload.response.spec.template.spec.volumes.hostPath.type target.resource.attribute.labels[res_spec_template_spec_volumes_host_path_type]
    protoPayload.response.spec.template.spec.volumes.name target.resource.attribute.labels[res_spec_template_spec_volumes_name]
    protoPayload.response.spec.terminationGracePeriodSeconds target.resource.attribute.labels[res_spec_termination_grace_period_seconds]
    protoPayload.response.spec.tolerations.effect target.resource.attribute.labels[res_spec_toleration_effect]
    protoPayload.response.spec.tolerations.key target.resource.attribute.labels[res_spec_toleration_key]
    protoPayload.response.spec.tolerations.operator target.resource.attribute.labels[res_spec_toleration_operator]
    protoPayload.response.spec.tolerations.tolerationSeconds target.resource.attribute.labels[res_spec_toleration_second]
    protoPayload.response.spec.type target.resource.attribute.labels[response_spec_type]
    protoPayload.response.spec.updateStrategy.rollingUpdate.maxSurge target.resource.attribute.labels[res_spec_update_strategy_rolling_update_max_surge]
    protoPayload.response.spec.updateStrategy.rollingUpdate.maxUnavailable target.resource.attribute.labels[res_spec_update_strategy_rolling_update_max_unavailable]
    protoPayload.response.spec.updateStrategy.type target.resource.attribute.labels[res_spec_update_strategy_type]
    protoPayload.response.spec.usages target.resource.attribute.labels[res_spec_usage]
    protoPayload.response.spec.username target.resource.attribute.labels[res_spec_username]
    protoPayload.response.spec.volumes.hostPath.path target.resource.attribute.labels[res_spec_volume_host_path]
    protoPayload.response.spec.volumes.hostPath.type target.resource.attribute.labels[res_spec_volume_host_path_type]
    protoPayload.response.spec.volumes.name target.resource.attribute.labels[res_spec_volume_name]
    protoPayload.response.spec.volumes.projected.defaultMode target.resource.attribute.labels[res_spec_volume_projected_default_mode]
    protoPayload.response.spec.volumes.projected.sources.configMap.items.key target.resource.attribute.labels[res_spec_volume_projected_src_config_map_item_key]
    protoPayload.response.spec.volumes.projected.sources.configMap.items.path target.resource.attribute.labels[res_spec_volume_projected_src_config_map_item_path]
    protoPayload.response.spec.volumes.projected.sources.configMap.name target.resource.attribute.labels[res_spec_volume_projected_src_config_map_name]
    protoPayload.response.spec.volumes.projected.sources.downwardAPI.items.fieldRef.apiVersion target.resource.attribute.labels[res_spec_volume_projected_src_downward_api_item_field_ref_api_version]
    protoPayload.response.spec.volumes.projected.sources.downwardAPI.items.fieldRef.fieldPath target.resource.attribute.labels[res_spec_volume_projected_src_downward_api_item_field_ref_field_path]
    protoPayload.response.spec.volumes.projected.sources.downwardAPI.items.path target.resource.attribute.labels[res_spec_volume_projected_src_downward_api_item_path]
    protoPayload.response.spec.volumes.projected.sources.serviceAccountToken.expirationSeconds target.resource.attribute.labels[res_spec_volume_projected_src_service_acc_token_ecpiration_sec]
    protoPayload.response.spec.volumes.projected.sources.serviceAccountToken.path target.resource.attribute.labels[res_spec_volume_projected_src_service_acc_token_path]
    protoPayload.response.startTime about.labels[res_start_time] (deprecated)
    protoPayload.response.startTime additional.fields[res_start_time]
    protoPayload.response.state target.resource.attribute.labels[response_state]
    protoPayload.response.status security_result.description
    protoPayload.response.status about.labels[res_status] (deprecated) If the protoPayload.methodName log field value is equal to cloudsql.instances.create, then the protoPayload.response.status log field is mapped to the security_result.description UDM field.
    protoPayload.response.status target.resource.attribute.labels[response_status]
    protoPayload.response.status security_result.action The security_result.action is set to FAIL when the following conditions are met:
    • The value in the protoPayload.response.status log field value is equal to Failure.
    • The value in the security_result.action UDM field is equal to ALLOW.
    protoPayload.response.status additional.fields[res_status]
    protoPayload.response.status.allowed target.resource.attribute.labels[res_status_allowed]
    protoPayload.response.status.conditions.message target.resource.attribute.labels[response_status]
    protoPayload.response.status.conditions[].message security_result.description If the message log field value matches the regular expression response.*status.*conditions.*message, then the protoPayload.response.status.conditions.0.message log field is mapped to the security_result.description UDM field.
    protoPayload.response.status.currentNumberScheduled target.resource.attribute.labels[res_status_current_number_scheduled]
    protoPayload.response.status.desiredNumberScheduled target.resource.attribute.labels[res_status_desired_number_scheduled]
    protoPayload.response.status.numberMisscheduled target.resource.attribute.labels[res_status_number_miss_scheduled]
    protoPayload.response.status.numberReady target.resource.attribute.labels[res_status_number_ready]
    protoPayload.response.status.phase target.resource.attribute.labels[res_status_phase]
    protoPayload.response.status.qosClass target.resource.attribute.labels[res_status_qos_class]
    protoPayload.response.status.state security_result.description
    protoPayload.response.targetId target.asset.attribute.labels[target_id] If the protoPayload.methodName log field value is not equal to cloudsql.instances.create, then the protoPayload.response.targetId log field is mapped to the target.asset.attribute.labels.value UDM field.
    protoPayload.response.targetLink target.url
    protoPayload.response.targetProject target.resource_ancestors.name
    protoPayload.response.type about.labels[res_type] (deprecated)
    protoPayload.response.type additional.fields[res_type]
    protoPayload.response.unique_id target.resource.product_object_id If the protoPayload.methodName log field value matches the regular expression (CreateServiceAccount, CreateWorkloadIdentityPool, CreateWorkloadIdentityPoolProvider, managedZones.create, changes.create, resourceRecordSets.create, responsePolicies.create, responsePolicyRules.create, policies.create, CreateRole, CreatePolicy, CreateServiceAccountKey, CreateWorkforcePool, CreateWorkforcePoolProvider), then the protoPayload.response.unique_id log field is mapped to the target.resource.product_object_id UDM field.
    protoPayload.response.unique_id about.labels[res_unique_id] (deprecated) If the protoPayload.methodName log field value matches the regular expression (CreateServiceAccount, CreateWorkloadIdentityPool, CreateWorkloadIdentityPoolProvider, managedZones.create, changes.create, resourceRecordSets.create, responsePolicies.create, responsePolicyRules.create, policies.create, CreateRole, CreatePolicy, CreateServiceAccountKey, CreateWorkforcePool, CreateWorkforcePoolProvider), then the protoPayload.response.unique_id log field is mapped to the target.resource.product_object_id UDM field.
    protoPayload.response.unique_id additional.fields[res_unique_id]
    protoPayload.response.user target.user.userid
    protoPayload.response.valid_after_time.seconds about.labels[res_valid_after_time] (deprecated)
    protoPayload.response.valid_after_time.seconds additional.fields[res_valid_after_time]
    protoPayload.response.valid_before_time.seconds about.labels[res_valid_before_time] (deprecated)
    protoPayload.response.valid_before_time.seconds additional.fields[res_valid_before_time]
    protoPayload.response.version about.labels[res_version] (deprecated)
    protoPayload.response.version additional.fields[res_version]
    protoPayload.response.vulnerability.effectiveSeverity extensions.vulns.vulnerabilities.severity If the protoPayload.response.vulnerability.effectiveSeverity log field value contains one of the following values, then the protoPayload.response.vulnerability.effectiveSeverity log field is mapped to the extensions.vulns.vulnerabilities.severity UDM field.
    • CRITICAL
    • HIGH
    • MEDIUM
    • LOW
    protoPayload.response.vulnerability.shortDescription extensions.vulns.vulnerabilities.cve_id
    protoPayload.response.zone about.labels[res_zone] (deprecated)
    protoPayload.response.zone target.resource.attribute.labels[res_zone]
    protoPayload.response.zone additional.fields[res_zone]
    protoPayload.serviceData.@type target.resource.attribute.labels[ser_type]
    protoPayload.serviceData.jobCompletedEvent.job.jobConfiguration.labels.looker_studio_datasource_id target.resource.attribute.labels[ser_jobconf_looker_studio_datasource_id]
    protoPayload.serviceData.jobCompletedEvent.job.jobConfiguration.labels.looker_studio_report_id target.resource.attribute.labels[ser_jobconf_looker_studio_report_id]
    protoPayload.serviceData.jobCompletedEvent.job.jobConfiguration.labels.requestor target.resource.attribute.labels[ser_jobconf_requestor]
    protoPayload.serviceData.jobGetQueryResultsRequest.maxResults target.resource.attribute.labels[req_max_results]
    protoPayload.serviceData.jobGetQueryResultsResponse.job.jobConfiguration.query.createDisposotion target.resource.attribute.labels[ser_reqCreate_disposotion]
    protoPayload.serviceData.jobGetQueryResultsResponse.job.jobConfiguration.query.destinationTable.datasetId target.resource.attribute.labels[ser_destTable_datasetId]
    protoPayload.serviceData.jobGetQueryResultsResponse.job.jobConfiguration.query.destinationTable.projectId target.resource.attribute.labels[ser_destTable_projectId]
    protoPayload.serviceData.jobGetQueryResultsResponse.job.jobConfiguration.query.destinationTable.tableId target.resource.attribute.labels[ser_destTable_tableId]
    protoPayload.serviceData.jobGetQueryResultsResponse.job.jobConfiguration.query.query target.resource.attribute.labels[ser_req_query]
    protoPayload.serviceData.jobGetQueryResultsResponse.job.jobConfiguration.query.queryPriority security_result.priority_details
    protoPayload.serviceData.jobGetQueryResultsResponse.job.jobConfiguration.query.statementType target.resource.attribute.labels[ser_reqStatement_type]
    protoPayload.serviceData.jobGetQueryResultsResponse.job.jobConfiguration.query.writeDisposition target.resource.attribute.labels[ser_reqWrite_disposition]
    protoPayload.serviceData.jobGetQueryResultsResponse.job.jobName.jobId target.resource.attribute.labels[ser_req_jobId]
    protoPayload.serviceData.jobGetQueryResultsResponse.job.jobName.location target.resource.attribute.labels[ser_reqJob_location]
    protoPayload.serviceData.jobGetQueryResultsResponse.job.jobName.projectId target.resource.attribute.labels[ser_reqJob_projectid]
    protoPayload.serviceData.jobGetQueryResultsResponse.job.jobStatistics.createTime target.resource.attribute.labels[ser_jobCreate_time]
    protoPayload.serviceData.jobGetQueryResultsResponse.job.jobStatistics.startTime target.resource.attribute.labels[ser_reqJob_start_time]
    protoPayload.serviceData.jobGetQueryResultsResponse.job.jobStatistics.totalSlotMs target.resource.attribute.labels[ser_reqJob_total_slot_ms]
    protoPayload.serviceData.jobGetQueryResultsResponse.job.jobStatus.state target.resource.attribute.labels[ser_reqJob_state]
    protoPayload.serviceData.jobInsertRequest.resource.jobConfiguration.query.query additional.fields[job_insert_request_query_org_id_{index}] If the protoPayload.serviceData.jobInsertRequest.resource.jobConfiguration.query.query log field value is not empty, then org_ids are extracted from the protoPayload.serviceData.jobInsertRequest.resource.jobConfiguration.query.query log field using a Grok pattern, and mapped to the additional.fields.job_insert_request_query_org_id_{index} UDM field.
    protoPayload.serviceData.jobQueryRequest.query target.process.command_line
    protoPayload.serviceData.permissionDelta.addedPermissions[] target.resource.attribute.labels[ser_added_perm]
    protoPayload.serviceData.policyDelta.auditConfigDeltas.action target.resource.attribute.labels[service_data_policy_delta_audit_config_delta_action]
    protoPayload.serviceData.policyDelta.auditConfigDeltas.exemptedMember target.resource.attribute.labels[service_data_policy_delta_audit_config_delta_exempted_member]
    protoPayload.serviceData.policyDelta.auditConfigDeltas.logType target.resource.attribute.labels[service_data_policy_delta_audit_config_delta_log_type]
    protoPayload.serviceData.policyDelta.auditConfigDeltas.service target.resource.attribute.labels[service_data_policy_delta_audit_config_delta_service]
    protoPayload.serviceData.policyDelta.auditConfigDeltas[].action security_result.detection_fields[action]
    protoPayload.serviceData.policyDelta.auditConfigDeltas[].logType target.resource.attribute.permissions.type
    protoPayload.serviceData.policyDelta.bindingDeltas[].action principal.user.attribute.roles.description
    protoPayload.serviceData.policyDelta.bindingDeltas[].action target.resource.attribute.labels[ser_binding_deltas_action]
    protoPayload.serviceData.policyDelta.bindingDeltas[].member target.user.userid
    protoPayload.serviceData.policyDelta.bindingDeltas[].member target.resource.attribute.labels[ser_binding_deltas_member]
    protoPayload.serviceData.policyDelta.bindingDeltas[].role principal.user.attribute.roles.name
    protoPayload.serviceData.tabelDataListRequest.maxResults target.resource.attribute.labels[req_max_results]
    protoPayload.serviceData.tableInsertRequest.resource.view.query target.resource.attribute.labels[ser_tableInsert_query]
    protoPayload.serviceData.tableInsertResponse.resource.view.query target.process.command_line
    protoPayload.serviceName target.application
    protoPayload.status.code security_result.detection_fields[status_code]
    protoPayload.status.details.type security_result.detection_fields[status_details_type]
    protoPayload.status.details.violations.description security_result.summary
    protoPayload.status.details.violations.subject security_result.detection_fields[status_details_violation_subject]
    protoPayload.status.details.violations.type security_result.detection_fields[status_details_violation_type]
    protoPayload.status.message metadata.description
    protoPayload.status.message security_result.description
    protoType.metadata.event.eventName additional.fields[event_name]
    protoType.metadata.event.eventType additional.fields[event_type]
    protoType.metadata.event[].eventName about.labels[event_name] (deprecated)
    protoType.metadata.event[].eventType about.labels[event_type] (deprecated)
    receiveTimestamp metadata.collected_timestamp
    Referred this from Default parser. security_result.detection_fields[SERVICE]
    Referred this from default parser. target.resource.attribute.labels[ser_binding_deltas_member]
    request.cluster.name target.resource.name
    request.cluster.name target.resource.attribute.labels[cls_name]
    request.pagesize about.labels[req_page_size] (deprecated)
    request.pagesize additional.fields[req_page_size]
    request.role.title target.resource.attribute.roles.name
    resource.data.name target.resource.attribute.labels[resource_data_name]
    resource.data.oauth2ClientId target.resource.attribute.labels[oauth_client_id]
    resource.data.projectId target.resource.attribute.labels[projectId]
    resource.data.uniqueId target.resource.product_object_id
    resource.discoveryDocumentUri target.url
    resource.discoveryName target.resource.name
    resource.email_id target.resource.attribute.labels[email_id]
    resource.labels.backend_service_name target.labels[backend_service_name] (deprecated)
    resource.labels.backend_service_name additional.fields[backend_service_name]
    resource.labels.bucket_name target.resource.parent If the resource.type log field value is equal to gcs_bucket, then the resource.labels.bucket_name log field is mapped to the target.resource.parent UDM field.
    resource.labels.cluster_name target.resource.name
    resource.labels.cluster_name target.resource.attribute.labels[cls_name]
    resource.labels.dataset_id target.resource.product_object_id
    resource.labels.email_id target.resource.name If the resource.labels.email_id log field value is not empty, then the resource.labels.email_id log field is mapped to the target.resource.name UDM field.
    resource.labels.email_id target.resource.attribute.labels[email_id]
    resource.labels.firewall_rule_id target.resource.product_object_id
    resource.labels.forwarding_rule_id target.resource.product_object_id
    resource.labels.forwarding_rule_name target.resource.attribute.labels[forwarding_rule_name]
    resource.labels.function_name target.resource.name If the resource.type log field value matches the regular expression cloud_function, then the resource.labels.function_name log field is mapped to the target.resource.name UDM field.
    resource.labels.instance_group_id target.resource.product_object_id
    resource.labels.instance_group_name target.resource.attribute.labels[rc_instance_groupName]
    resource.labels.instance_id target.resource.product_object_id
    resource.labels.instance_id target.asset.attribute.labels[rc_instance_id]
    resource.labels.location target.location.name
    resource.labels.method metadata.product_event_type
    resource.labels.method target.resource.attribute.labels[rc_method]
    resource.labels.network_id target.resource.name
    resource.labels.network_id target.resource.product_object_id
    resource.labels.project_id target.cloud.project.name
    resource.labels.project_id target.resource_ancestors.name
    resource.labels.region target.location.country_or_region
    resource.labels.service target.application
    resource.labels.service target.resource.attribute.labels[rc_service]
    resource.labels.subnetwork_id target.resource.product_object_id
    resource.labels.subnetwork_id target.resource.attribute.labels[resource_labels_subnetwork_id]
    resource.labels.subnetwork_name target.resource.attribute.labels[rc_subnetwork_name]
    resource.labels.target_proxy_name target.resource.attribute.labels[target_proxy_name]
    resource.labels.unique_id target.resource.product_object_id
    resource.labels.url_map_name target.resource.attribute.labels[url_map_name]
    resource.labels.version target.resource.attribute.labels[rc_version]
    resource.labels.zone target.resource.attribute.cloud.availability_zone
    resource.location target.resource.attribute.cloud.availability_zone
    resource.parent target.resource.parent
    resource.type target.resource_ancestors.resource_type If the resource.type log field value matches the regular expression gce_(firewall or forwarding_rule), then the target.resource_ancestors.resource_type UDM field is set to FIREWALL_RULE.

    If the resource.type log field value matches the regular expression gce_(subnetwork or network), then the target.resource_ancestors.resource_type UDM field is set to VPC_NETWORK.

    If the resource.type log field value matches the regular expression dataproc, then the target.resource_ancestors.resource_type UDM field is set to CLUSTER.

    If the resource.type log field value matches the regular expression k8s or gke_, then the target.resource_ancestors.resource_type UDM field is set to CLUSTER.

    If the resource.type log field value is equal to gce_backend_service, then the target.resource_ancestors.resource_type UDM field is set to BACKEND_SERVICE.

    If the resource.type log field value matches the regular expression (gce_ or dns_query), then the target.resource.resource_type UDM field is set to VIRTUAL_MACHINE.

    If the resource.type log field value matches the regular expression gcs_bucket, then the target.resource_ancestors.resource_type UDM field is set to STORAGE_BUCKET.

    If the resource.type log field value matches the regular expression bigquery, then the target.resource_ancestors.resource_type UDM field is set to DATABASE.

    If the resource.type log field value matches the regular expression cloudsql, then the target.resource_ancestors.resource_type UDM field is set to DATABASE.

    If the resource.type log field value matches the regular expression service_account, then the target.resource_ancestors.resource_type UDM field is set to SERVICE_ACCOUNT.

    If the resource.type log field value matches the regular expression project, then the target.resource_ancestors.resource_type UDM field is set to CLOUD_PROJECT.

    If the resource.type log field value matches the regular expression organization, then the target.resource_ancestors.resource_type UDM field is set to CLOUD_ORGANIZATION.

    Else, the target.resource_ancestors.resource_type UDM field is set to UNSPECIFIED.

    If the resource.labels.project_id log field value is not empty, then the target.resource_ancestors.resource_type UDM field is set to CLOUD_PROJECT.
    resourceLocation.currentLocations target.resource.attribute.cloud.availability_zone
    resourceLocation.originalLocations principal.location.name
    severity security_result.severity
    sourceLocation.file src.file.full_path
    sourceLocation.function src.labels[src_location_function]
    sourceLocation.function additional.fields[src_location_function]
    sourceLocation.line src.labels[src_location_line]
    sourceLocation.line additional.fields[src_location_line]
    spanId about.labels[span_id] (deprecated)
    spanId additional.fields[span_id]
    timestamp metadata.event_timestamp
    Trace about.labels[trace] (deprecated)
    Trace additional.fields[trace]
    traceSampled about.labels[trace_sampled] (deprecated)
    traceSampled additional.fields[trace_sampled]
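
The resource.type rows in the table above assign a resource type from a list of patterns, and one of them writes to target.resource.resource_type instead of target.resource_ancestors.resource_type. The following sketch is an added example, not the parser's own code: it assumes the rules are evaluated as a first-match chain in the listed order, that the patterns are unanchored, and that the resource.labels.project_id rule adds a separate ancestor entry. The function names and sample values are constructed for illustration.

```python
import re

# UDM fields named in the resource.type rows of the table.
ANCESTOR = "target.resource_ancestors.resource_type"
RESOURCE = "target.resource.resource_type"

# Rules in the order the table lists them. The table renders alternation as
# "or"; it is written as "|" here. "is equal to" becomes an anchored pattern.
RULES = [
    (r"gce_(firewall|forwarding_rule)", ANCESTOR, "FIREWALL_RULE"),
    (r"gce_(subnetwork|network)", ANCESTOR, "VPC_NETWORK"),
    (r"dataproc", ANCESTOR, "CLUSTER"),
    (r"k8s|gke_", ANCESTOR, "CLUSTER"),
    (r"^gce_backend_service$", ANCESTOR, "BACKEND_SERVICE"),
    (r"(gce_|dns_query)", RESOURCE, "VIRTUAL_MACHINE"),
    (r"gcs_bucket", ANCESTOR, "STORAGE_BUCKET"),
    (r"bigquery", ANCESTOR, "DATABASE"),
    (r"cloudsql", ANCESTOR, "DATABASE"),
    (r"service_account", ANCESTOR, "SERVICE_ACCOUNT"),
    (r"project", ANCESTOR, "CLOUD_PROJECT"),
    (r"organization", ANCESTOR, "CLOUD_ORGANIZATION"),
]


def map_resource_type(resource_type, project_id=""):
    """Return the UDM resource-type values for one log entry.

    resource_type is the resource.type log field and project_id is the
    resource.labels.project_id log field. The result maps each UDM field to
    the value(s) it would receive under the assumptions stated above.
    """
    udm = {ANCESTOR: [], RESOURCE: None}
    for pattern, field, value in RULES:
        if re.search(pattern, resource_type):
            if field == ANCESTOR:
                udm[ANCESTOR].append(value)
            else:
                udm[RESOURCE] = value
            break  # assumption: first matching rule wins
    else:
        # No rule matched: the table's "Else" row.
        udm[ANCESTOR].append("UNSPECIFIED")
    if project_id:
        # Last row of the table; modelled as an extra ancestor (assumption).
        udm[ANCESTOR].append("CLOUD_PROJECT")
    return udm


# Constructed sample values of (resource.type, resource.labels.project_id).
SAMPLES = [
    ("gce_firewall_rule", "demo-project"),
    ("gce_backend_service", "demo-project"),
    ("gce_instance", "demo-project"),
    ("bigquery_project", ""),
    ("cloud_function", ""),
]


def summarise(samples=SAMPLES):
    """Map every sample to its UDM resource-type values."""
    return {rtype: map_resource_type(rtype, pid) for rtype, pid in samples}


if __name__ == "__main__":
    for rtype, udm in summarise().items():
        print(f"{rtype:22} -> {udm}")
```

Under these assumptions a search for Compute Engine instances has to filter on target.resource.resource_type, while firewall, network and backend-service events carry their type in target.resource_ancestors.resource_type, and a type such as bigquery_project resolves to DATABASE because the bigquery rule is listed before the project rule.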
