Collect Cloud Audit Logs
This document describes how you can export Cloud Audit Logs by enabling Google Cloud telemetry ingestion to Google Security Operations. It also describes how Cloud Audit Logs fields map to Google Security Operations Unified Data Model (UDM) fields.
For more information, see Data ingestion to Google Security Operations.
A typical deployment consists of Cloud Audit Logs enabled for ingestion to Google Security Operations. Each customer deployment can differ from this representation and might be more complex.
The deployment contains the following components:
Google Cloud: the Google Cloud services and products from which you collect logs
Cloud Audit Logs: the Cloud Audit Logs that are enabled for ingestion to Google Security Operations
Google Workspace audit logs: the Google Workspace audit logs that are enabled for ingestion to Google Security Operations
Google Security Operations: stores and analyzes Cloud Audit Logs and Google Workspace audit logs
An ingestion label identifies the parser that normalizes raw log data to structured UDM format. The information in this document applies to the parser with the ingestion label GCP_CLOUDAUDIT.
Before you begin
Ensure that you have set up access control for your organization and resources using Identity and Access Management (IAM). For more information about access control, see Access control for organizations with IAM.
Configure Data Access audit logs for your Google Cloud resources and services.
Ensure that all systems in the deployment architecture are configured in the UTC time zone.
Verify the log types that the Cloud Audit Logs parser supports. The following table lists the log sources and types that the Cloud Audit Logs parser supports:
Log source | Log source type |
---|---|
Cloud DNS | – |
syslog | – |
Google Workspace audit logs | Login audit |
Google Workspace audit logs | Admin audit |
Cloud Audit Logs | Admin Activity |
Cloud Audit Logs | VPC Service Controls audit |
Cloud Audit Logs | Google Kubernetes Engine Data Access |
Cloud Audit Logs | Resource Manager Data Access |
Cloud Audit Logs | BigQuery Audit Metadata Data Access |
Cloud Audit Logs | MySQL Data Access, Admin Activity |
Cloud Audit Logs | PostgreSQL Data Access, Admin Activity |
Cloud Audit Logs | SQL Server Data Access, Admin Activity |
Cloud Load Balancing | Cloud HTTP load balancer |
Cloud DNS | Admin Activity |
Virtual Private Cloud flow | Virtual Private Cloud flow |
Firewall Rules | Firewall Rules |
Cloud NAT | Cloud NAT |
Configure ingestion of Cloud Audit Logs
To ingest Cloud Audit Logs to Google Security Operations, follow the steps on the page Ingest Google Cloud logs to Google Security Operations.
If you encounter issues when you ingest Cloud Audit Logs, contact Google Security Operations support.
Field mapping reference
This section explains how the Google Security Operations parser maps Cloud Audit Logs fields to Google Security Operations Unified Data Model (UDM) fields.
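The event-type mapping in this section is coarse: many identifiers share one event type, and CreateRole maps to USER_UNCATEGORIZED. The following added example (not Google's parser code and not part of the original page) copies a few IAM rows from the event-type table in this section and checks which watch-listed events a rule that filters only on UDM event type would miss, and which entries break the UTC prerequisite. The watchlist, the rule's event types, the sample log lines and the verbatim comparison against `protoPayload.methodName` are assumptions of the example.

```python
import json
from datetime import datetime, timedelta

# Rows copied from the GCP_CLOUDAUDIT event-type table on this page (IAM subset).
EVENT_TYPE = {
    "CreateRole": "USER_UNCATEGORIZED",
    "UpdateRole": "RESOURCE_WRITTEN",
    "SetIAMPolicy": "USER_RESOURCE_UPDATE_PERMISSIONS",
    "CreateServiceAccount": "USER_RESOURCE_CREATION",
    "GetServiceAccount": "USER_RESOURCE_ACCESS",
    "CreateServiceAccountKey": "USER_RESOURCE_CREATION",
    "DeleteServiceAccountKey": "RESOURCE_DELETION",
    "UploadServiceAccountKey": "USER_RESOURCE_UPDATE_CONTENT",
    "GenerateAccessToken": "USER_RESOURCE_UPDATE_CONTENT",
}

# Assumption: identifiers this team treats as privilege or credential changes.
WATCHLIST = {
    "CreateRole", "UpdateRole", "SetIAMPolicy",
    "CreateServiceAccountKey", "UploadServiceAccountKey", "GenerateAccessToken",
}

# Assumption: a detection rule that filters on UDM event type only.
RULE_EVENT_TYPES = {"USER_RESOURCE_UPDATE_PERMISSIONS", "USER_RESOURCE_CREATION"}

# Constructed sample entries (one JSON object per line); not real log data.
SAMPLE_LOG = """\
{"timestamp": "2024-05-01T10:00:00Z", "protoPayload": {"serviceName": "iam.googleapis.com", "methodName": "SetIAMPolicy", "authenticationInfo": {"principalEmail": "alice@example.com"}}}
{"timestamp": "2024-05-01T10:01:00Z", "protoPayload": {"serviceName": "iam.googleapis.com", "methodName": "CreateServiceAccountKey", "authenticationInfo": {"principalEmail": "alice@example.com"}}}
{"timestamp": "2024-05-01T10:02:00Z", "protoPayload": {"serviceName": "iam.googleapis.com", "methodName": "CreateRole", "authenticationInfo": {"principalEmail": "bob@example.com"}}}
{"timestamp": "2024-05-01T12:03:00+02:00", "protoPayload": {"serviceName": "iam.googleapis.com", "methodName": "UploadServiceAccountKey", "authenticationInfo": {"principalEmail": "bob@example.com"}}}
{"timestamp": "2024-05-01T10:04:00Z", "protoPayload": {"serviceName": "iam.googleapis.com", "methodName": "CreateServiceAccount", "authenticationInfo": {"principalEmail": "carol@example.com"}}}
{"timestamp": "2024-05-01T10:05:00Z", "protoPayload": {"serviceName": "iam.googleapis.com", "methodName": "GetServiceAccount", "authenticationInfo": {"principalEmail": "carol@example.com"}}}
"""


def normalize(entry):
    """Reduce one raw audit log entry to the fields this check needs."""
    payload = entry.get("protoPayload", {})
    method = payload.get("methodName", "")
    # fromisoformat() on older Python versions does not accept a trailing "Z".
    ts = datetime.fromisoformat(entry["timestamp"].replace("Z", "+00:00"))
    return {
        "method": method,
        "principal": payload.get("authenticationInfo", {}).get("principalEmail", ""),
        # None means the identifier is not in the subset copied above.
        "event_type": EVENT_TYPE.get(method),
        # A missing offset (naive timestamp) also counts as "not UTC".
        "utc": ts.utcoffset() == timedelta(0),
    }


def load(text):
    """Parse newline-delimited JSON log entries."""
    return [normalize(json.loads(line)) for line in text.splitlines() if line.strip()]


def filter_coverage(events, rule_event_types):
    """Return (missed, noise) for a rule that matches on event type alone.

    missed: watch-listed identifiers whose event type the rule does not match.
    noise:  identifiers the rule matches although they are not watch-listed.
    """
    missed = [e["method"] for e in events
              if e["method"] in WATCHLIST and e["event_type"] not in rule_event_types]
    noise = [e["method"] for e in events
             if e["method"] not in WATCHLIST and e["event_type"] in rule_event_types]
    return missed, noise


def non_utc(events):
    """Identifiers of entries whose timestamp is not expressed in UTC."""
    return [e["method"] for e in events if not e["utc"]]


if __name__ == "__main__":
    events = load(SAMPLE_LOG)
    missed, noise = filter_coverage(events, RULE_EVENT_TYPES)
    print("missed by event-type filter:", missed)
    print("matched but not watch-listed:", noise)
    print("non-UTC timestamps:", non_utc(events))
```

Keying the rule on the event identifier as well as the event type closes the gap this check reports.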
GCP_CLOUDAUDIT log types to UDM event type
The following table lists the GCP_CLOUDAUDIT event identifiers and their corresponding event types.
Event identifier | Event type |
---|---|
dns.managedZones.get | USER_RESOURCE_ACCESS |
dns.managedZones.list | USER_RESOURCE_ACCESS |
dns.changes.get | USER_RESOURCE_ACCESS |
dns.changes.list | USER_RESOURCE_ACCESS |
dns.activePeeringZones.list | USER_RESOURCE_ACCESS |
dns.activePeeringZones.getpeeringzoneinfo | USER_RESOURCE_ACCESS |
dns.resourceRecordSets.get | USER_RESOURCE_ACCESS |
dns.resourceRecordSets.list | USER_RESOURCE_ACCESS |
dns.responsePolicies.get | USER_RESOURCE_ACCESS |
dns.responsePolicies.list | USER_RESOURCE_ACCESS |
dns.responsePolicyRules.get | USER_RESOURCE_ACCESS |
dns.responsePolicyRules.list | USER_RESOURCE_ACCESS |
dns.policies.get | USER_RESOURCE_ACCESS |
dns.policies.list | USER_RESOURCE_ACCESS |
dns.projects.get | USER_RESOURCE_ACCESS |
dns.managedZones.create | USER_RESOURCE_CREATION |
dns.managedZones.delete | RESOURCE_DELETION |
dns.managedZones.update | RESOURCE_WRITTEN |
dns.managedZones.patch | USER_RESOURCE_UPDATE_CONTENT |
dns.changes.create | USER_RESOURCE_CREATION |
dns.changes.delete | RESOURCE_DELETION |
dns.activePeeringZones.deactivate | USER_RESOURCE_UPDATE_CONTENT |
dns.resourceRecordSets.create | USER_RESOURCE_CREATION |
dns.resourceRecordSets.delete | RESOURCE_DELETION |
dns.resourceRecordSets.update | RESOURCE_WRITTEN |
dns.resourceRecordSets.patch | USER_RESOURCE_UPDATE_CONTENT |
dns.responsePolicies.create | USER_RESOURCE_CREATION |
dns.responsePolicies.delete | RESOURCE_DELETION |
dns.responsePolicies.update | RESOURCE_WRITTEN |
dns.responsePolicies.patch | USER_RESOURCE_UPDATE_CONTENT |
dns.responsePolicyRules.create | USER_RESOURCE_CREATION |
dns.responsePolicyRules.delete | RESOURCE_DELETION |
dns.responsePolicyRules.update | RESOURCE_WRITTEN |
dns.responsePolicyRules.patch | USER_RESOURCE_UPDATE_CONTENT |
dns.policies.create | USER_RESOURCE_CREATION |
dns.policies.delete | RESOURCE_DELETION |
dns.policies.update | RESOURCE_WRITTEN |
dns.policies.patch | USER_RESOURCE_UPDATE_CONTENT |
CreateRole | USER_UNCATEGORIZED |
DeleteRole | RESOURCE_DELETION |
UndeleteRole | RESOURCE_CREATION |
UpdateRole | RESOURCE_WRITTEN |
google.iam.v2beta.Policies.CreatePolicy | USER_RESOURCE_CREATION |
google.iam.v2beta.Policies.DeletePolicy | RESOURCE_DELETION |
google.iam.v2beta.Policies.UpdatePolicy | RESOURCE_WRITTEN |
CreateServiceAccount | USER_RESOURCE_CREATION |
DeleteServiceAccount | RESOURCE_DELETION |
DisableServiceAccount | STATUS_UPDATE |
EnableServiceAccount | STATUS_UPDATE |
GetServiceAccount | USER_RESOURCE_ACCESS |
PatchServiceAccount | USER_RESOURCE_UPDATE_CONTENT |
SetIAMPolicy | USER_RESOURCE_UPDATE_PERMISSIONS |
UndeleteServiceAccount | RESOURCE_DELETION |
UpdateServiceAccount | RESOURCE_WRITTEN |
CreateServiceAccountKey | USER_RESOURCE_CREATION |
DeleteServiceAccountKey | RESOURCE_DELETION |
UploadServiceAccountKey | USER_RESOURCE_UPDATE_CONTENT |
CreateWorkloadIdentityPool | USER_RESOURCE_CREATION |
DeleteWorkloadIdentityPool | RESOURCE_DELETION |
UndeleteWorkloadIdentityPool | RESOURCE_DELETION |
UpdateWorkloadIdentityPool | RESOURCE_WRITTEN |
CreateWorkloadIdentityPoolProvider | USER_RESOURCE_CREATION |
DeleteWorkloadIdentityPoolProvider | RESOURCE_DELETION |
UndeleteWorkloadIdentityPoolProvider | RESOURCE_DELETION |
UpdateWorkloadIdentityPoolProvider | RESOURCE_WRITTEN |
CreateWorkforcePool | USER_RESOURCE_CREATION |
DeleteWorkforcePool | RESOURCE_DELETION |
UndeleteWorkforcePool | RESOURCE_DELETION |
UpdateWorkforcePool | RESOURCE_WRITTEN |
CreateWorkforcePoolProvider | USER_RESOURCE_CREATION |
DeleteWorkforcePoolProvider | RESOURCE_DELETION |
UndeleteWorkforcePoolProvider | RESOURCE_DELETION |
UpdateWorkforcePoolProvider | RESOURCE_WRITTEN |
GetEffectivePolicy1 | USER_RESOURCE_ACCESS |
google.iam.admin.v1.GetPolicyDetails2 | USER_RESOURCE_ACCESS |
ExchangeToken | USER_RESOURCE_ACCESS |
Google Cloud console (federated) sign in | USER_RESOURCE_UPDATE_PERMISSIONS |
GetRole | USER_RESOURCE_ACCESS |
ListRoles | USER_RESOURCE_ACCESS |
google.iam.v2beta.Policies.GetPolicy | USER_RESOURCE_ACCESS |
google.iam.v2beta.Policies.ListPolicies | USER_RESOURCE_ACCESS |
QueryGrantableRoles | USER_RESOURCE_ACCESS |
GenerateAccessToken | USER_RESOURCE_UPDATE_CONTENT |
GenerateIdToken | USER_RESOURCE_UPDATE_CONTENT |
ListServiceAccounts | USER_RESOURCE_ACCESS |
SignBlob | USER_RESOURCE_UPDATE_CONTENT |
SignJwt | USER_RESOURCE_UPDATE_CONTENT |
GetServiceAccountKey | USER_RESOURCE_ACCESS |
ListServiceAccountKeys | USER_RESOURCE_ACCESS |
GetWorkloadIdentityPool | USER_RESOURCE_ACCESS |
ListWorkloadIdentityPools | USER_RESOURCE_ACCESS |
GetWorkloadIdentityPoolProvider | USER_RESOURCE_ACCESS |
ListWorkloadIdentityPoolProviders | USER_RESOURCE_ACCESS |
GetWorkforcePool | USER_RESOURCE_ACCESS |
ListWorkforcePools | USER_RESOURCE_ACCESS |
GetWorkforcePoolProvider | USER_RESOURCE_ACCESS |
ListWorkforcePoolProviders | USER_RESOURCE_ACCESS |
io.k8s.authorization.rbac.v1 | STATUS_UPDATE |
io.k8s.authorization.rbac.v1.roles | STATUS_UPDATE |
io.k8s.batch.v1.jobs.create | RESOURCE_CREATION |
io.k8s.authorization.rbac.v1.clusterroles.create | RESOURCE_CREATION |
io.k8s.apps.v1.daemonsets.create | RESOURCE_CREATION |
io.k8s.authorization.v1.selfsubjectaccessreviews.create | RESOURCE_CREATION |
google.container.v1.ClusterManager.CreateCluster | USER_RESOURCE_CREATION |
google.cloud.bigquery.v2.TableService.InsertTable | USER_RESOURCE_CREATION |
google.cloud.bigquery.v2.TableService.UpdateTable | RESOURCE_WRITTEN |
google.cloud.bigquery.v2.TableService.PatchTable | USER_RESOURCE_UPDATE_CONTENT |
google.cloud.bigquery.v2.TableService.DeleteTable | RESOURCE_DELETION |
google.cloud.bigquery.v2.DatasetService.InsertDataset | USER_RESOURCE_CREATION |
google.cloud.bigquery.v2.DatasetService.UpdateDataset | RESOURCE_WRITTEN |
google.cloud.bigquery.v2.DatasetService.PatchDataset | USER_RESOURCE_UPDATE_CONTENT |
google.cloud.bigquery.v2.DatasetService.DeleteDataset | USER_RESOURCE_DELETION |
google.cloud.bigquery.v2.TableDataService.List | USER_RESOURCE_ACCESS |
google.cloud.bigquery.v2.JobService.InsertJob | USER_RESOURCE_CREATION |
google.cloud.bigquery.v2.JobService.Query | USER_RESOURCE_ACCESS |
google.cloud.bigquery.v2.JobService.GetQueryResults | USER_RESOURCE_ACCESS |
InternalTableExpired | USER_RESOURCE_DELETION |
google.cloud.bigquery.connection.v1.ConnectionService.CreateConnection | USER_RESOURCE_CREATION |
google.cloud.bigquery.connection.v1.ConnectionService.DeleteConnection | RESOURCE_DELETION |
google.cloud.bigquery.connection.v1.ConnectionService.UpdateConnection | RESOURCE_WRITTEN |
google.cloud.bigquery.connection.v1.ConnectionService.SetIamPolicy | RESOURCE_PERMISSIONS_CHANGE |
google.cloud.bigquery.reservation.v1.ReservationService.CreateReservation | USER_RESOURCE_CREATION |
google.cloud.bigquery.reservation.v1.ReservationService.DeleteReservation | RESOURCE_DELETION |
google.cloud.bigquery.reservation.v1.ReservationService.UpdateReservation | RESOURCE_WRITTEN |
google.cloud.bigquery.reservation.v1.ReservationService.CreateCapacityCommitment | USER_RESOURCE_CREATION |
google.cloud.bigquery.reservation.v1.ReservationService.DeleteCapacityCommitment | RESOURCE_DELETION |
google.cloud.bigquery.reservation.v1.ReservationService.CreateAssignment | USER_RESOURCE_CREATION |
google.cloud.bigquery.reservation.v1.ReservationService.DeleteAssignment | RESOURCE_DELETION |
google.cloud.bigquery.reservation.v1.ReservationService.MoveAssignment | STATUS_UPDATE |
cloudsql.backupRuns.get | USER_RESOURCE_ACCESS |
cloudsql.backupRuns.list | USER_RESOURCE_ACCESS |
cloudsql.databases.create | USER_RESOURCE_CREATION |
cloudsql.databases.delete | RESOURCE_DELETION |
cloudsql.databases.get | USER_RESOURCE_ACCESS |
cloudsql.databases.list | USER_RESOURCE_ACCESS |
cloudsql.databases.update | RESOURCE_WRITTEN |
cloudsql.instances.export | USER_RESOURCE_ACCESS |
cloudsql.instances.get | USER_RESOURCE_ACCESS |
cloudsql.instances.import | STATUS_UNCATEGORIZED |
cloudsql.instances.list | USER_RESOURCE_ACCESS |
cloudsql.instances.listEffectiveTags | USER_RESOURCE_ACCESS |
cloudsql.instances.listServerCas | USER_RESOURCE_ACCESS |
cloudsql.instances.listTagBindings | USER_RESOURCE_ACCESS |
cloudsql.instances.login | USER_LOGIN |
cloudsql.sslCerts.get | USER_RESOURCE_ACCESS |
cloudsql.sslCerts.list | USER_RESOURCE_ACCESS |
cloudsql.users.create | USER_RESOURCE_CREATION |
cloudsql.users.delete | RESOURCE_DELETION |
cloudsql.users.get | USER_RESOURCE_ACCESS |
cloudsql.users.list | USER_RESOURCE_ACCESS |
cloudsql.users.update | RESOURCE_WRITTEN |
cloudsql.backupRuns.create | USER_RESOURCE_CREATION |
cloudsql.backupRuns.delete | RESOURCE_DELETION |
cloudsql.instances.addServerCa | USER_RESOURCE_CREATION |
cloudsql.instances.clone | USER_RESOURCE_CREATION |
cloudsql.instances.connect | RESOURCE_READ |
cloudsql.instances.create | USER_RESOURCE_CREATION |
cloudsql.instances.createTagBinding | USER_RESOURCE_CREATION |
cloudsql.instances.delete | RESOURCE_DELETION |
cloudsql.instances.deleteTagBinding | RESOURCE_DELETION |
cloudsql.instances.demoteMaster | STATUS_UPDATE |
cloudsql.instances.failover | STATUS_UPDATE |
cloudsql.instances.promoteReplica | STATUS_UPDATE |
cloudsql.instances.resetSslConfig | USER_RESOURCE_UPDATE_CONTENT |
cloudsql.instances.restart | STATUS_STARTUP |
cloudsql.instances.restoreBackup | STATUS_UPDATE |
cloudsql.instances.rotateServerCa | STATUS_UPDATE |
cloudsql.instances.startReplica | STATUS_STARTUP |
cloudsql.instances.stopReplica | STATUS_UPDATE |
cloudsql.instances.truncateLog | STATUS_UPDATE |
cloudsql.instances.update | RESOURCE_WRITTEN |
cloudsql.sslCerts.create | USER_RESOURCE_CREATION |
cloudsql.sslCerts.createEphemeral | USER_RESOURCE_CREATION |
cloudsql.sslCerts.delete | RESOURCE_DELETION |
compute.instances.insert | RESOURCE_CREATION |
compute.instanceGroups.removeInstances | RESOURCE_DELETION |
compute.instances.setMetadata | USER_RESOURCE_UPDATE_CONTENT |
compute.instances.setLabels | USER_RESOURCE_CREATION |
compute.instances.setTags | USER_RESOURCE_CREATION |
compute.instances.setIamPolicy | USER_RESOURCE_UPDATE_PERMISSIONS |
compute.instances.list | USER_RESOURCE_ACCESS |
compute.images.get | USER_RESOURCE_ACCESS |
compute.interconnectAttachments.aggregatedList | USER_RESOURCE_ACCESS |
compute.instance.getSerialPortOutput | USER_RESOURCE_ACCESS |
compute.instances.migrateOnHostMaintenance | RESOURCE_CREATION |
compute.instances.automaticRestart | USER_RESOURCE_UPDATE_CONTENT |
compute.instanceGroupManagers.resizeAdvanced | USER_RESOURCE_UPDATE_CONTENT |
google.ssh-serialport.v1.connect | NETWORK_CONNECTION |
firewalls.delete | RESOURCE_DELETION |
firewalls.insert | RESOURCE_CREATION |
firewalls.patch | USER_RESOURCE_UPDATE_CONTENT |
firewalls.update | RESOURCE_WRITTEN |
forwardingRules.delete | RESOURCE_DELETION |
forwardingRules.insert | RESOURCE_CREATION |
forwardingRules.patch | USER_RESOURCE_UPDATE_CONTENT |
forwardingRules.setTarget | STATUS_UPDATE |
networks.addPeering | STATUS_UPDATE |
networks.delete | RESOURCE_DELETION |
networks.insert | RESOURCE_CREATION |
networks.patch | USER_RESOURCE_UPDATE_CONTENT |
networks.removePeering | RESOURCE_DELETION |
networks.switchToCustomMode | STATUS_UPDATE |
networks.updatePeering | RESOURCE_WRITTEN |
routes.delete | RESOURCE_DELETION |
routes.insert | USER_RESOURCE_CREATION |
subnetworks.delete | RESOURCE_DELETION |
subnetworks.expandIpCidrRange | STATUS_UPDATE |
subnetworks.insert | RESOURCE_CREATION |
subnetworks.patch | USER_RESOURCE_UPDATE_CONTENT |
subnetworks.setIamPolicy | USER_RESOURCE_UPDATE_PERMISSIONS |
subnetworks.setPrivateIpGoogleAccess | STATUS_UPDATE |
subnetworks.testIamPermissions | USER_RESOURCE_ACCESS |
firewalls.get | USER_RESOURCE_ACCESS |
firewalls.list | USER_RESOURCE_ACCESS |
forwardingRules.aggregatedList | USER_RESOURCE_ACCESS |
forwardingRules.get | USER_RESOURCE_ACCESS |
forwardingRules.list | USER_RESOURCE_ACCESS |
networks.get | USER_RESOURCE_ACCESS |
networks.list | USER_RESOURCE_ACCESS |
networks.listPeeringRoutes | USER_RESOURCE_ACCESS |
routes.get | USER_RESOURCE_ACCESS |
routes.list | USER_RESOURCE_ACCESS |
subnetworks.aggregatedList | USER_RESOURCE_ACCESS |
subnetworks.get | USER_RESOURCE_ACCESS |
subnetworks.getIamPolicy | USER_RESOURCE_ACCESS |
subnetworks.list | USER_RESOURCE_ACCESS |
subnetworks.listUsable | USER_RESOURCE_ACCESS |
google.admin.AdminService.alertCenterBatchDeleteAlerts | RESOURCE_DELETION |
google.admin.AdminService.alertCenterBatchUndeleteAlerts | RESOURCE_DELETION |
google.admin.AdminService.alertCenterCreateAlert | USER_RESOURCE_CREATION |
google.admin.AdminService.alertCenterCreateFeedback | USER_RESOURCE_CREATION |
google.admin.AdminService.alertCenterDeleteAlert | RESOURCE_DELETION |
google.admin.AdminService.alertCenterGetAlertMetadata | USER_RESOURCE_ACCESS |
google.admin.AdminService.alertCenterGetCustomerSettings | USER_RESOURCE_ACCESS |
google.admin.AdminService.alertCenterGetSitLink | USER_RESOURCE_ACCESS |
google.admin.AdminService.alertCenterListChange | USER_RESOURCE_ACCESS |
google.admin.AdminService.alertCenterListFeedback | USER_RESOURCE_ACCESS |
google.admin.AdminService.alertCenterListRelatedAlerts | USER_RESOURCE_ACCESS |
google.admin.AdminService.alertCenterUndeleteAlert | RESOURCE_DELETION |
google.admin.AdminService.alertCenterUpdateAlert | RESOURCE_WRITTEN |
google.admin.AdminService.alertCenterUpdateAlertMetadata | RESOURCE_WRITTEN |
google.admin.AdminService.alertCenterUpdateCustomerSettings | RESOURCE_WRITTEN |
google.admin.AdminService.alertCenterView | USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.changeApplicationSetting | USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.createApplicationSetting | USER_RESOURCE_CREATION |
google.admin.AdminService.deleteApplicationSetting | RESOURCE_DELETION |
google.admin.AdminService.reorderGroupBasedPoliciesEvent | USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.gplusPremiumFeatures | USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.createManagedConfiguration | USER_RESOURCE_CREATION |
google.admin.AdminService.deleteManagedConfiguration | RESOURCE_DELETION |
google.admin.AdminService.updateManagedConfiguration | RESOURCE_WRITTEN |
google.admin.AdminService.flashlightEduNonFeaturedServicesSelected | USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.createBuilding | USER_RESOURCE_CREATION |
google.admin.AdminService.deleteBuilding | RESOURCE_DELETION |
google.admin.AdminService.updateBuilding | RESOURCE_WRITTEN |
google.admin.AdminService.createCalendarResource | USER_RESOURCE_CREATION |
google.admin.AdminService.deleteCalendarResource | RESOURCE_DELETION |
google.admin.AdminService.createCalendarResourceFeature | USER_RESOURCE_CREATION |
google.admin.AdminService.deleteCalendarResourceFeature | RESOURCE_DELETION |
google.admin.AdminService.updateCalendarResourceFeature | RESOURCE_WRITTEN |
google.admin.AdminService.renameCalendarResource | USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.updateCalendarResource | RESOURCE_WRITTEN |
google.admin.AdminService.changeCalendarSetting | USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.cancelCalendarEvents | USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.releaseCalendarResources | USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.meetInteropCreateGateway | USER_RESOURCE_CREATION |
google.admin.AdminService.meetInteropDeleteGateway | RESOURCE_DELETION |
google.admin.AdminService.meetInteropModifyGateway | USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.changeChatSetting | USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.changeChromeOsAndroidApplicationSetting | USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.changeChromeOsApplicationSetting | USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.sendChromeOsDeviceCommand | USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.changeChromeOsDeviceAnnotation | USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.changeChromeOsDeviceSetting | USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.changeChromeOsDeviceState | USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.changeChromeOsPublicSessionSetting | USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.insertChromeOsPrinter | USER_RESOURCE_CREATION |
google.admin.AdminService.deleteChromeOsPrinter | RESOURCE_DELETION |
google.admin.AdminService.updateChromeOsPrinter | RESOURCE_WRITTEN |
google.admin.AdminService.changeChromeOsSetting | USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.changeChromeOsUserSetting | USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.removeChromeOsApplicationSettings | RESOURCE_DELETION |
google.admin.AdminService.changeContactsSetting | USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.assignRole | USER_RESOURCE_UPDATE_PERMISSIONS |
google.admin.AdminService.createRole | USER_RESOURCE_CREATION |
google.admin.AdminService.deleteRole | RESOURCE_DELETION |
google.admin.AdminService.addPrivilege | USER_RESOURCE_CREATION |
google.admin.AdminService.removePrivilege | RESOURCE_DELETION |
google.admin.AdminService.renameRole | USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.updateRole | RESOURCE_WRITTEN |
google.admin.AdminService.unassignRole | USER_RESOURCE_UPDATE_PERMISSIONS |
google.admin.AdminService.deleteDevice | RESOURCE_DELETION |
google.admin.AdminService.moveDeviceToOrgUnit | USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.transferDocumentOwnership | USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.driveDataRestore | USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.changeDocsSetting | USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.changeAccountAutoRenewal | USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.addApplication | USER_RESOURCE_CREATION |
google.admin.AdminService.addApplicationToWhitelist | USER_RESOURCE_CREATION |
google.admin.AdminService.changeAdvertisementOption | USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.createAlert | USER_RESOURCE_CREATION |
google.admin.AdminService.changeAlertCriteria | USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.deleteAlert | RESOURCE_DELETION |
google.admin.AdminService.alertReceiversChanged | USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.renameAlert | USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.alertStatusChanged | USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.addDomainAlias | USER_RESOURCE_CREATION |
google.admin.AdminService.removeDomainAlias | RESOURCE_DELETION |
google.admin.AdminService.skipDomainAliasMx | USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.verifyDomainAliasMx | USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.verifyDomainAlias | USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.toggleOauthAccessToAllApis | USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.toggleAllowAdminPasswordReset | USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.enableApiAccess | USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.authorizeApiClientAccess | USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.removeApiClientAccess | RESOURCE_DELETION |
google.admin.AdminService.chromeLicensesRedeemed | USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.toggleAutoAddNewService | USER_RESOURCE_CREATION |
google.admin.AdminService.changePrimaryDomain | USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.changeWhitelistSetting | USER_RESOURCE_ACCESS |
google.admin.AdminService.communicationPreferencesSettingChange | USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.changeConflictAccountAction | USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.enableFeedbackSolicitation | USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.toggleContactSharing | USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.createPlayForWorkToken | USER_RESOURCE_CREATION |
google.admin.AdminService.toggleUseCustomLogo | USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.changeCustomLogo | USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.changeDataLocalizationForRussia | USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.changeDataLocalizationSetting | USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.changeDataProtectionOfficerContactInfo | USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.deletePlayForWorkToken | RESOURCE_DELETION |
google.admin.AdminService.viewDnsLoginDetails | USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.changeDomainDefaultLocale | USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.changeDomainDefaultTimezone | USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.changeDomainName | USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.toggleEnablePreReleaseFeatures | USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.changeDomainSupportMessage | USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.addTrustedDomains | USER_RESOURCE_CREATION |
google.admin.AdminService.removeTrustedDomains | RESOURCE_DELETION |
google.admin.AdminService.changeEduType | USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.toggleEnableOauthConsumerKey | USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.toggleSsoEnabled | USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.toggleSsl | USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.changeEuRepresentativeContactInfo | USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.generateTransferToken | USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.changeLoginBackgroundColor | USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.changeLoginBorderColor | USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.changeLoginActivityTrace | USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.playForWorkEnroll | USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.playForWorkUnenroll | USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.mxRecordVerificationClaim | USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.toggleNewAppFeatures | USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.toggleUseNextGenControlPanel | USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.uploadOauthCertificate | USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.regenerateOauthConsumerSecret | USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.toggleOpenIdEnabled | USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.changeOrganizationName | USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.toggleOutboundRelay | USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.changePasswordMaxLength | USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.changePasswordMinLength | USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.updateDomainPrimaryAdminEmail | RESOURCE_WRITTEN |
google.admin.AdminService.enableServiceOrFeatureNotifications | USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.removeApplication | RESOURCE_DELETION |
google.admin.AdminService.removeApplicationFromWhitelist | RESOURCE_DELETION |
google.admin.AdminService.changeRenewDomainRegistration | USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.changeResellerAccess | USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.ruleActionsChanged | USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.createRule | USER_RESOURCE_CREATION |
google.admin.AdminService.changeRuleCriteria | USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.deleteRule | RESOURCE_DELETION |
google.admin.AdminService.renameRule | USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.ruleStatusChanged | USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.addSecondaryDomain | USER_RESOURCE_CREATION |
google.admin.AdminService.removeSecondaryDomain | RESOURCE_DELETION |
google.admin.AdminService.skipSecondaryDomainMx | USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.verifySecondaryDomainMx | USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.verifySecondaryDomain | USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.updateDomainSecondaryEmail | RESOURCE_WRITTEN |
google.admin.AdminService.changeSsoSettings | USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.generatePin | USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.updateRule | RESOURCE_WRITTEN |
google.admin.AdminService.dropFromQuarantine | USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.emailLogSearch | USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.emailUndelete | RESOURCE_DELETION |
google.admin.AdminService.changeEmailSetting | USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.changeGmailSetting | USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.createGmailSetting | USER_RESOURCE_CREATION |
google.admin.AdminService.deleteGmailSetting | RESOURCE_DELETION |
google.admin.AdminService.rejectFromQuarantine | USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.releaseFromQuarantine | USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.createGroup | USER_RESOURCE_CREATION |
google.admin.AdminService.deleteGroup | RESOURCE_DELETION |
google.admin.AdminService.changeGroupDescription | USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.groupListDownload | USER_RESOURCE_ACCESS |
google.admin.AdminService.addGroupMember | USER_RESOURCE_CREATION |
google.admin.AdminService.removeGroupMember | RESOURCE_DELETION |
google.admin.AdminService.updateGroupMember | RESOURCE_WRITTEN |
google.admin.AdminService.updateGroupMemberDeliverySettings | RESOURCE_WRITTEN |
google.admin.AdminService.updateGroupMemberDeliverySettingsCanEmailOverride | RESOURCE_WRITTEN |
google.admin.AdminService.groupMemberBulkUpload | USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.groupMembersDownload | USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.changeGroupName | USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.changeGroupSetting | USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.whitelistedGroupsUpdated | RESOURCE_WRITTEN |
google.admin.AdminService.securityInvestigationAction | USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.securityInvestigationActionCancellation | USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.securityInvestigationActionCompletion | USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.securityInvestigationActionRetry | USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.securityInvestigationActionVerificationConfirmation | USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.securityInvestigationActionVerificationRequest | USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.securityInvestigationActionVerificationRequestExpiration | USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.securityInvestigationChartCreate | USER_RESOURCE_CREATION |
google.admin.AdminService.securityInvestigationContentAccess | USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.securityInvestigationDownloadAttachment | USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.securityInvestigationExportActionResults | USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.securityInvestigationExportQuery | USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.securityInvestigationObjectCreateDraftInvestigation | USER_RESOURCE_CREATION |
google.admin.AdminService.securityInvestigationObjectDeleteInvestigation | RESOURCE_DELETION |
google.admin.AdminService.securityInvestigationObjectDuplicateInvestigation | USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.securityInvestigationObjectOwnershipTransfer | USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.securityInvestigationObjectSaveInvestigation | USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.securityInvestigationObjectUpdateDirectSharing | RESOURCE_WRITTEN |
google.admin.AdminService.securityInvestigationObjectUpdateLinkSharing | RESOURCE_WRITTEN |
google.admin.AdminService.securityInvestigationQuery | USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.securityInvestigationSettingUpdate | RESOURCE_WRITTEN |
google.admin.AdminService.addToTrustedOauth2Apps | USER_RESOURCE_CREATION |
google.admin.AdminService.allowAspWithout2Sv | USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.allowServiceForOauth2Access | USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.allowStrongAuthentication | USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.blockOnDeviceAccess | USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.changeAllowedTwoStepVerificationMethods | USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.changeAppAccessSettingsCollectionId | USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.changeCaaAppAssignments | USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.changeCaaDefaultAssignments | USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.changeCaaErrorMessage | USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.changeSessionLength | USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.changeTwoStepVerificationEnrollmentPeriodDuration | USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.changeTwoStepVerificationFrequency | USER_RESOURCE_UPDATE_PERMISSIONS |
google.admin.AdminService.changeTwoStepVerificationGracePeriodDuration | USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.changeTwoStepVerificationStartDate | USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.disallowServiceForOauth2Access | USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.enableNonAdminUserPasswordRecovery | USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.enforceStrongAuthentication | USER_RESOURCE_UPDATE_PERMISSIONS |
google.admin.AdminService.removeFromTrustedOauth2Apps | RESOURCE_DELETION |
google.admin.AdminService.sessionControlSettingsChange | USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.toggleCaaEnablement | USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.trustDomainOwnedOauth2Apps | USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.unblockOnDeviceAccess | USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.untrustDomainOwnedOauth2Apps | USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.updateErrorMsgForRestrictedOauth2Apps | RESOURCE_WRITTEN |
google.admin.AdminService.weakProgrammaticLoginSettingsChanged | USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.delete2SvScratchCodes | RESOURCE_DELETION |
google.admin.AdminService.generate2SvScratchCodes |
USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.revoke3LoDeviceTokens |
USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.revoke3LoToken |
USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.addRecoveryEmail |
USER_RESOURCE_CREATION |
google.admin.AdminService.addRecoveryPhone |
USER_RESOURCE_CREATION |
google.admin.AdminService.grantAdminPrivilege |
USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.revokeAdminPrivilege |
USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.revokeAsp |
USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.toggleAutomaticContactSharing |
USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.bulkUpload |
USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.bulkUploadNotificationSent |
USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.cancelUserInvite |
USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.changeUserCustomField |
USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.changeUserExternalId |
USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.changeUserGender |
USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.changeUserIm |
USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.enableUserIpWhitelist |
USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.changeUserKeyword |
USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.changeUserLanguage |
USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.changeUserLocation |
USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.changeUserOrganization |
USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.changeUserPhoneNumber |
USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.changeRecoveryEmail |
USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.changeRecoveryPhone |
USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.changeUserRelation |
USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.changeUserAddress |
USER_RESOURCE_CREATION |
google.admin.AdminService.createEmailMonitor |
USER_RESOURCE_CREATION |
google.admin.AdminService.createDataTransferRequest |
USER_RESOURCE_CREATION |
google.admin.AdminService.grantDelegatedAdminPrivileges |
USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.deleteAccountInfoDump |
RESOURCE_DELETION |
google.admin.AdminService.deleteEmailMonitor |
RESOURCE_DELETION |
google.admin.AdminService.deleteMailboxDump |
RESOURCE_DELETION |
google.admin.AdminService.changeFirstName |
USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.gmailResetUser |
USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.changeLastName |
USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.mailRoutingDestinationAdded |
USER_RESOURCE_CREATION |
google.admin.AdminService.mailRoutingDestinationRemoved |
RESOURCE_DELETION |
google.admin.AdminService.addNickname |
USER_RESOURCE_CREATION |
google.admin.AdminService.removeNickname |
RESOURCE_DELETION |
google.admin.AdminService.changePassword |
USER_CHANGE_PASSWORD |
google.admin.AdminService.changePasswordOnNextLogin |
USER_CHANGE_PASSWORD |
google.admin.AdminService.downloadPendingInvitesList |
USER_RESOURCE_ACCESS |
google.admin.AdminService.removeRecoveryEmail |
RESOURCE_DELETION |
google.admin.AdminService.removeRecoveryPhone |
RESOURCE_DELETION |
google.admin.AdminService.requestAccountInfo |
USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.requestMailboxDump |
USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.resendUserInvite |
USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.resetSigninCookies |
USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.securityKeyRegisteredForUser |
USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.revokeSecurityKey |
USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.userInvite |
USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.viewTempPassword |
USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.turnOff2StepVerification |
USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.unblockUserSession |
USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.unenrollUserFromTitanium |
USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.archiveUser |
USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.updateBirthdate |
RESOURCE_WRITTEN |
google.admin.AdminService.createUser |
USER_CREATION |
google.admin.AdminService.deleteUser |
RESOURCE_DELETION |
google.admin.AdminService.downgradeUserFromGplus |
USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.userEnrolledInTwoStepVerification |
USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.downloadUserlistCsv |
USER_RESOURCE_ACCESS |
google.admin.AdminService.moveUserToOrgUnit |
USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.userPutInTwoStepVerificationGracePeriod |
USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.renameUser |
USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.unenrollUserFromStrongAuth |
USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.suspendUser |
USER_RESOURCE_UPDATE_PERMISSIONS |
google.admin.AdminService.unarchiveUser |
USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.undeleteUser |
RESOURCE_DELETION |
google.admin.AdminService.unsuspendUser |
STATUS_UPDATE |
google.admin.AdminService.upgradeUserToGplus |
USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.usersBulkUpload |
USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.usersBulkUploadNotificationSent |
USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.createAccessLevelV2 |
USER_RESOURCE_CREATION |
google.admin.AdminService.systemDefinedRuleUpdated |
USER_RESOURCE_UPDATE_PERMISSIONS |
google.admin.AdminService.createDeviceEnrollmentToken |
USER_RESOURCE_CREATION |
google.login.LoginService.2svDisable |
STATUS_UPDATE |
google.login.LoginService.2svEnroll |
STATUS_UPDATE |
google.login.LoginService.accountDisabledPasswordLeak |
STATUS_UPDATE |
google.login.LoginService.accountDisabledGeneric |
USER_LOGIN |
google.login.LoginService.accountDisabledSpammingThroughRelay |
USER_LOGIN
Security category: |
google.login.LoginService.accountDisabledSpamming |
USER_LOGIN
Security category: |
google.login.LoginService.accountDisabledHijacked |
USER_LOGIN
Security category: |
google.login.LoginService.emailForwardingOutOfDomain |
EMAIL_TRANSACTION |
google.login.LoginService.govAttackWarning |
USER_LOGIN
Security category: |
google.login.LoginService.loginChallenge |
USER_LOGIN |
google.login.LoginService.loginFailure |
USER_LOGIN
Security category: |
google.login.LoginService.loginVerification |
USER_LOGIN |
google.login.LoginService.logout |
USER_LOGOUT |
google.login.LoginService.loginSuccess |
USER_LOGIN |
google.login.LoginService.passwordEdit |
USER_CHANGE_PASSWORD |
google.login.LoginService.recoveryEmailEdit |
USER_RESOURCE_UPDATE_CONTENT |
google.login.LoginService.recoveryPhoneEdit |
USER_RESOURCE_UPDATE_CONTENT |
google.login.LoginService.recoverySecretQaEdit |
USER_RESOURCE_UPDATE_CONTENT |
google.login.LoginService.suspiciousLogin |
USER_LOGIN
Security category: |
google.login.LoginService.suspiciousLoginLessSecureApp |
USER_LOGIN
Security category: |
google.login.LoginService.suspiciousProgrammaticLogin |
USER_LOGIN
Security category: |
google.login.LoginService.titaniumEnroll |
USER_RESOURCE_UPDATE_CONTENT |
google.login.LoginService.titaniumUnenroll |
USER_RESOURCE_CREATION |
google.identity.accesscontextmanager.v1.AccessContextManager.CreateAccessLevel |
USER_RESOURCE_CREATION |
google.apps.cloudidentity.groups.v1.MembershipsService.UpdateMembership |
USER_RESOURCE_UPDATE_CONTENT |
io.k8s.core.v1.pods.create |
RESOURCE_CREATION |
io.k8s.authorization.rbac.v1.clusterrolebindings.create |
RESOURCE_CREATION |
beta.compute.instanceTemplates.insert |
RESOURCE_CREATION |
SetOrgPolicy |
USER_RESOURCE_UPDATE_PERMISSIONS |
beta.compute.instanceGroupManagers.patch |
RESOURCE_WRITTEN |
beta.compute.autoscalers.update |
RESOURCE_WRITTEN |
compute.v1.InstancesService.Get |
USER_RESOURCE_ACCESS |
google.storage.objects.list |
USER_RESOURCE_ACCESS |
google.cloudresourcemanager.v1.Projects.SetIamPolicy |
USER_RESOURCE_UPDATE_PERMISSIONS |
cloudsql.instances.query |
USER_RESOURCE_ACCESS |
cloudtrace.googleapis.com/ListInsights |
RESOURCE_READ |
google.cloud.functions.v1.CloudFunctionsService.CreateFunction |
RESOURCE_CREATION |
google.api.servicemanagement.v1.ServiceManager.ActivateServices |
USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.changePassword |
USER_CHANGE_PASSWORD |
google.api.serviceusage.v1.ServiceUsage.DisableService |
USER_RESOURCE_UPDATE_CONTENT |
AuthorizeUser |
USER_LOGIN |
google.cloud.oslogin.v1.OsLoginService.CheckPolicy |
USER_LOGIN |
google.admin.AdminService.unsuspendUser |
STATUS_UPDATE |
jobservice.jobcompleted |
RESOURCE_WRITTEN |
compute.v1.ProjectsService.Get |
USER_RESOURCE_ACCESS |
v1.compute.projects.setCommonInstanceMetadata |
USER_RESOURCE_UPDATE_CONTENT |
CreateCryptoKey |
RESOURCE_CREATION |
storage.buckets.get |
RESOURCE_READ |
google.longrunning.Operations.GetOperation |
RESOURCE_READ |
io.k8s.core.v1.pods.delete |
RESOURCE_DELETION |
v1.compute.disks.delete |
RESOURCE_DELETION |
v1.compute.disks.insert |
RESOURCE_CREATION |
ScheduledSnapshots |
RESOURCE_WRITTEN |
v1.compute.disks.setLabels |
RESOURCE_WRITTEN |
google.cloud.healthcare.v1alpha2.dataset.DatasetService.AccessEhrSearch |
STATUS_UPDATE |
io.k8s.apiextensions.v1.customresourcedefinitions.patch |
RESOURCE_WRITTEN |
io.k8s.post |
USER_UNCATEGORIZED |
v1.compute.instances.delete |
RESOURCE_DELETION |
storage.buckets.list |
RESOURCE_READ |
storage.objects.create |
RESOURCE_CREATION |
google.pubsub.v1.Publisher.CreateTopic |
RESOURCE_CREATION |
google.devtools.cloudbuild.v1.CloudBuild.ListBuilds |
USER_RESOURCE_ACCESS |
google.cloud.asset.v1.AssetService.UpdateFeed |
USER_RESOURCE_UPDATE_PERMISSIONS |
storage.objects.update |
RESOURCE_WRITTEN |
datasetservice.insert |
USER_RESOURCE_CREATION |
storage.setIamPermissions |
USER_RESOURCE_UPDATE_PERMISSIONS |
io.k8s.coordination.v1.leases.update |
RESOURCE_WRITTEN |
datasetservice.delete |
USER_RESOURCE_DELETION |
compute.instances.repair.recreateInstance |
RESOURCE_CREATION |
tableservice.delete |
USER_RESOURCE_DELETION |
io.k8s.core.v1.configmaps.update |
RESOURCE_WRITTEN |
io.k8s.core.v1.nodes.proxy.get |
RESOURCE_READ |
compute.instances.repair.deleteInstance |
RESOURCE_DELETION |
google.cloud.dataproc.v1.JobController.SubmitJob |
RESOURCE_WRITTEN |
google.cloud.dataproc.v1beta2.ClusterController.UpdateCluster |
RESOURCE_WRITTEN |
io.k8s.app.v1beta1.applications.update |
RESOURCE_WRITTEN |
io.gke.networking.v1beta1.managedcertificates.update |
RESOURCE_WRITTEN |
io.k8s.extensions.v1beta1.deployments.patch |
RESOURCE_WRITTEN |
compute.instanceGroupManagers.deleteInstances |
RESOURCE_DELETION |
io.k8s.authorization.rbac.v1.rolebindings.patch |
RESOURCE_WRITTEN |
google.admin.AdminService.toggleServiceEnabled |
USER_UNCATEGORIZED |
io.k8s.core.v1.services.proxy.get |
RESOURCE_READ |
google.datastore.v1.Datastore.RunQuery |
STATUS_UPDATE |
google.appengine.Datastore.Put |
STATUS_UPDATE |
google.cloud.securitycenter.settings.v1beta2.Settings.UpdateSecurityHealthAnalyticsSettings |
RESOURCE_WRITTEN |
v1.compute.securityPolicies.patchRule |
RESOURCE_WRITTEN |
beta.compute.images.setIamPolicy |
USER_RESOURCE_UPDATE_PERMISSIONS |
google.iam.v1.IAMPolicy.SetIamPolicy |
USER_RESOURCE_UPDATE_PERMISSIONS |
io.k8s.certificates.v1.certificatesigningrequests.create |
RESOURCE_CREATION |
io.k8s.core.v0.id.create |
RESOURCE_CREATION |
google.cloud.orgpolicy.v2.OrgPolicy.DeletePolicy |
RESOURCE_WRITTEN |
google.cloud.securitycenter.settings.v1beta2.Settings.UpdateEventThreatDetectionSettings |
RESOURCE_DELETION |
UpdateCryptoKeyVersion |
RESOURCE_WRITTEN |
google.apps.cloudidentity.groups.v1.GroupsService.UpdateGroup |
RESOURCE_WRITTEN |
v1 |
STATUS_UPDATE |
google.cloud.run.v1.Services.ReplaceService |
SERVICE_UNCATEGORIZED |
updatePolicy |
RESOURCE_WRITTEN |
updateBackup |
RESOURCE_WRITTEN |
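The rows above show that the UDM event type does not always follow the verb in the method name (for example, undeleteUser is listed as RESOURCE_DELETION and DeletePolicy as RESOURCE_WRITTEN), which matters when a detection rule filters on the event type alone. The following added example, which is not part of the original documentation, checks a subset of rows copied from the table; the verb-to-family grouping and all function names are assumptions made for this illustration.

```python
import re

# Subset of rows copied from the table above: methodName -> UDM event type.
ROWS = {
    "google.admin.AdminService.deleteUser": "RESOURCE_DELETION",
    "google.admin.AdminService.undeleteUser": "RESOURCE_DELETION",
    "google.admin.AdminService.removeFromTrustedOauth2Apps": "RESOURCE_DELETION",
    "google.admin.AdminService.changeUserAddress": "USER_RESOURCE_CREATION",
    "google.admin.AdminService.changeUserPhoneNumber": "USER_RESOURCE_UPDATE_CONTENT",
    "google.login.LoginService.loginFailure": "USER_LOGIN",
    "google.cloud.orgpolicy.v2.OrgPolicy.DeletePolicy": "RESOURCE_WRITTEN",
    "google.cloud.securitycenter.settings.v1beta2.Settings."
    "UpdateEventThreatDetectionSettings": "RESOURCE_DELETION",
    "google.cloud.securitycenter.settings.v1beta2.Settings."
    "UpdateSecurityHealthAnalyticsSettings": "RESOURCE_WRITTEN",
    "google.iam.v1.IAMPolicy.SetIamPolicy": "USER_RESOURCE_UPDATE_PERMISSIONS",
    "io.k8s.core.v1.pods.create": "RESOURCE_CREATION",
    "io.k8s.core.v1.pods.delete": "RESOURCE_DELETION",
    "datasetservice.delete": "USER_RESOURCE_DELETION",
    "storage.buckets.get": "RESOURCE_READ",
}

# Assumption (not from the page): the leading verb of a method name hints at
# the kind of change the call makes.
VERB_FAMILY = {
    "delete": "deletion", "remove": "deletion",
    "create": "creation", "insert": "creation", "add": "creation",
    "update": "write", "patch": "write", "change": "write", "set": "write",
    "undelete": "write",  # restoring an object modifies it, it does not delete it
    "get": "read", "list": "read",
}

# Assumption (not from the page): grouping of the event types used in the table.
TYPE_FAMILY = {
    "RESOURCE_DELETION": "deletion", "USER_RESOURCE_DELETION": "deletion",
    "RESOURCE_CREATION": "creation", "USER_RESOURCE_CREATION": "creation",
    "USER_CREATION": "creation",
    "RESOURCE_WRITTEN": "write", "USER_RESOURCE_UPDATE_CONTENT": "write",
    "USER_RESOURCE_UPDATE_PERMISSIONS": "write",
    "RESOURCE_READ": "read", "USER_RESOURCE_ACCESS": "read",
}


def leading_verb(method_name):
    """Return the lower-cased first word of the last dotted segment, or None."""
    segment = method_name.rsplit(".", 1)[-1]
    match = re.match(r"[A-Za-z][a-z]*", segment)
    return match.group(0).lower() if match else None


def mismatches(rows):
    """List (method, verb, event_type) where verb family and type family differ.

    Rows whose verb or event type is not in the tables above are skipped
    rather than guessed at (for example loginFailure -> USER_LOGIN).
    """
    found = []
    for method, event_type in rows.items():
        verb = leading_verb(method)
        expected = VERB_FAMILY.get(verb)
        actual = TYPE_FAMILY.get(event_type)
        if expected is None or actual is None:
            continue
        if expected != actual:
            found.append((method, verb, event_type))
    return sorted(found)


def matched_by_event_type(rows, event_types):
    """Methods a rule would see if it filtered only on the UDM event type."""
    return sorted(m for m, t in rows.items() if t in event_types)


def matched_by_method(rows, verbs):
    """Methods a rule would see if it filtered on the method name's verb."""
    return sorted(m for m in rows if leading_verb(m) in verbs)


if __name__ == "__main__":
    for method, verb, event_type in mismatches(ROWS):
        print(f"{verb:<9} -> {event_type:<24} {method}")
    deletion_types = {"RESOURCE_DELETION", "USER_RESOURCE_DELETION"}
    print("event-type filter:", matched_by_event_type(ROWS, deletion_types))
    print("method-name filter:", matched_by_method(ROWS, {"delete", "remove"}))
```

Because protoPayload.methodName is mapped to metadata.product_event_type, a rule can match on the method name in that field in addition to the event type.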
Field mapping reference: GCP_CLOUDAUDIT
The following table lists the log fields of the GCP_CLOUDAUDIT log type and their corresponding UDM fields.
Log field | UDM mapping | Logic |
---|---|---|
jsonPayload.accesses[].resourceName |
about.resource.name |
|
protoPayload.response.selfLink |
about.url |
|
protoPayload.metadata.event.eventName.parameter.name[login_challenge_method] |
extensions.auth.auth_details |
If the protoPayload.metadata.event.eventName log field value is equal to login_failure or login_verification or login_challenge or login_success and the protoPayload.metadata.event.eventName.parameter.name log field value is equal to login_challenge_method, then the protoPayload.metadata.event.eventName.parameter.value log field is mapped to the extensions.auth.auth_details UDM field. |
extensions.auth.auth_mechanism |
If protoPayload.metadata.event.eventName is equal to login_failure or login_verification or login_challenge or logic_success, then the extensions.auth.auth_mechanism UDM field is:
|
|
extensions.auth.type |
If the protoPayload.metadata.event.eventName log field value is equal to login_failure or login_verification or login_challenge or login_success and the protoPayload.metadata.event.eventName.parameter.name log field value is equal to login_challenge_method, then the extensions.auth.type UDM field is set to MACHINE. |
|
protoPayload.metadata.event.eventName.parameter.name[GATEWAY_NAME] |
intermediary.resource.name |
|
receiveTimestamp |
metadata.collected_timestamp |
|
protoPayload.response.operationType |
metadata.description |
If the protoPayload.methodName log field value is equal to cloudsql.instances.create, then the protoPayload.response.operationType - protoPayload.response.kind log field is mapped to the metadata.description UDM field. |
protoPayload.response.kind |
metadata.description |
If the protoPayload.methodName log field value is equal to cloudsql.instances.create, then the protoPayload.response.operationType - protoPayload.response.kind log field is mapped to the metadata.description UDM field. |
protoPayload.metadata.event.eventName.parameter.name[SETTING_DESCRIPTION] |
metadata.description |
|
timestamp |
metadata.event_timestamp |
|
protoPayload.methodName |
metadata.product_event_type |
|
resource.labels.method |
metadata.product_event_type |
|
jsonPayload.event_subtype |
metadata.product_event_type |
|
insertId |
metadata.product_log_id |
|
protoPayload.metadata.event.eventName.parameter.name[PRODUCT_NAME] |
metadata.product_name |
If the protoPayload.serviceName log field value matches the regular expression (compute.googleapis.com), then the metadata.product_name UDM field is set to Google Compute Engine. If the protoPayload.serviceName log field value matches the regular expression (bigquery.googleapis.com), then the metadata.product_name UDM field is set to BigQuery. If the protoPayload.serviceName log field value matches the regular expression (admin.googleapis.com or login.googleapis.com or cloudidentity.googleapis.com), then the metadata.product_name UDM field is set to G Suite. If the protoPayload.serviceName log field value matches the regular expression (k8s.io), then the metadata.product_name UDM field is set to Google Kubernetes Engine. If the protoPayload.serviceName log field value matches the regular expression (servicemanagement.googleapis.com), then the metadata.product_name UDM field is set to Google Service Management. If the protoPayload.serviceName log field value matches the regular expression (storage.googleapis.com), then the metadata.product_name UDM field is set to Google Cloud Storage. If the protoPayload.serviceName log field value matches the regular expression (cloudsql.googleapis.com), then the metadata.product_name UDM field is set to Google Cloud SQL. If the protoPayload.serviceName log field value matches the regular expression (dataproc.googleapis.com), then the metadata.product_name UDM field is set to Google Dataproc. If the protoPayload.serviceName log field value matches the regular expression (iam.googleapis.com), then the metadata.product_name UDM field is set to Google Cloud IAM. If the protoPayload.serviceName log field value matches the regular expression (accesscontextmanager.googleapis.com), then the metadata.product_name UDM field is set to Context Manager API. |
logName |
metadata.url_back_to_product |
|
protoPayload.response.selfLinkWithId |
metadata.url_back_to_product |
|
metadata.vendor_name |
The metadata.vendor_name UDM field is set to Google Cloud Platform. |
|
httpRequest.protocol |
network.application_protocol |
|
protoPayload.metadata.request_id |
network.community_id |
|
protoPayload.resourceOriginalState.direction |
network.direction |
|
protoPayload.request.direction |
network.direction |
|
protoPayload.metadata.event.eventName.parameter.name[EMAIL_LOG_SEARCH_SENDER] |
network.email.from |
|
protoPayload.metadata.event.eventName.parameter.name[EMAIL_LOG_SEARCH_MSG_ID] |
network.email.mail_id |
|
protoPayload.metadata.event.eventName.parameter.name[EMAIL_LOG_SEARCH_RECIPIENT] |
network.email.to |
|
httpRequest.requestMethod |
network.http.method |
|
protoPayload.requestMetadata.requestAttributes.method |
network.http.method |
|
httpRequest.referer |
network.http.referral_url |
|
protoPayload.requestMetadata.requestAttributes.path |
network.http.referral_url |
|
httpRequest.requestUrl |
network.http.referral_url |
|
protoPayload.resourceOriginalState.network |
network.http.referral_url |
|
httpRequest.status |
network.http.response_code |
|
protoPayload.response.error.code |
network.http.response_code |
|
protoPayload.status.code |
security_result.detection_fields [status_code] |
|
protoPayload.requestMetadata.callerSuppliedUserAgent |
network.http.user_agent |
If the protoPayload.requestMetadata.callerSuppliedUserAgent log field value matches the regular expression Group, then the protoPayload.requestMetadata.callerSuppliedUserAgent log field is mapped to the principal.group.group_display_name UDM field. |
httpRequest.userAgent |
network.http.user_agent |
|
protoPayload.resourceOriginalState.alloweds.IPProtocol |
network.ip_protocol |
|
protoPayload.requestMetadata.requestAttributes.protocol |
network.ip_protocol |
|
protoPayload.request.IPProtocol |
network.ip_protocol |
|
protoPayload.request.alloweds.IPProtocol |
network.ip_protocol |
|
jsonPayload.connection.protocol |
network.ip_protocol |
|
protoPayload.metadata.event.eventName.parameter.name[ORG_UNIT_NAME] |
network.organization_name |
|
httpRequest.responseSize |
network.received_bytes |
|
httpRequest.requestSize |
network.sent_bytes |
|
jsonPayload.bytes_sent |
network.sent_bytes |
|
protoPayload.requestMetadata.requestAttributes.id |
network.session_id |
|
ProtoPayload.authenticationInfo.serviceAccountDelegationInfo.firstPartyPrincipal.principalEmail |
principal.email |
|
jsonPayload.src_instance.vm_name |
principal.hostname |
|
protoPayload.requestMetadata.callerIp |
principal.ip |
|
protoPayload.metadata.event.eventName.parameter.name[EMAIL_LOG_SEARCH_SMTP_SENDER_IP] |
principal.ip |
|
jsonPayload.connection.src_ip |
principal.ip |
|
httpRequest.serverIp |
principal.ip |
|
resourceLocation.originalLocations |
principal.location.name |
|
jsonPayload.connection.nat_ip |
principal.nat_ip |
|
jsonPayload.connection.nat_port |
principal.nat_port |
|
jsonPayload.connection.src_port |
principal.port |
|
protoPayload.authorizationInfo.resource |
principal.resource.name |
If the protoPayload.authorizationInfo.resource log field value is not empty, then the protoPayload.authorizationInfo.resource log field is mapped to the principal.resource.name UDM field. |
protoPayload.authorizationInfo.resourceAttributes.name |
principal.resource.name |
If the protoPayload.authorizationInfo.resourceAttributes.name log field value is not empty, then the protoPayload.authorizationInfo.resourceAttributes.name log field is mapped to the principal.resource.name UDM field. |
protoPayload.resourceOriginalState.name |
principal.resource.name |
|
protoPayload.authorizationInfo.resourceAttributes.type |
principal.resource.resource_subtype |
|
principal.user.account_type |
If the access.principalSubject log field value matches the regular expression serviceAccount, then the principal.user.account_type UDM field is set to SERVICE_ACCOUNT_TYPE. If the access.principalSubject log field value matches the regular expression user, then the principal.user.account_type UDM field is set to CLOUD_ACCOUNT_TYPE. |
|
protoPayload.authorizationInfo.authorizationLoggingOptions.permissionType |
principal.user.attribute.permissions.description |
|
protoPayload.request.serviceAccounts[].scopes |
principal.user.attribute.permissions.name |
|
protoPayload.authorizationInfo.permission |
principal.user.attribute.permissions.name |
|
protoPayload.authorizationInfo.authorizationLoggingOptions.permissionType |
principal.user.attribute.permissions.type |
|
protoPayload.serviceData.policyDelta.bindingDeltas[].action |
principal.user.attribute.roles.description |
|
protoPayload.request.bindings.role |
principal.user.attribute.roles.name |
|
protoPayload.serviceData.policyDelta.bindingDeltas[].role |
principal.user.attribute.roles.name |
|
jsonPayload.location.principalEmployingEntity |
principal.user.company_name |
|
jsonPayload.location.principalOfficeCountry |
principal.user.office_address.country_or_region |
|
protoPayload.authenticationInfo.principalEmail |
principal.user.userid |
If the protoPayload.authenticationInfo.principalEmail log field value is not empty, then userid_auth is extracted from the protoPayload.authenticationInfo.principalEmail log field using a Grok pattern and mapped to the principal.user.userid UDM field. |
protoPayload.metadata.event.eventName.parameter.value |
principal.user.userid |
If the protoPayload.metadata.event.eventName log field value is equal to CREATE_EMAIL_MONITOR or CREATE_DATA_TRANSFER_REQUEST:
If protoPayload.metadata.event.eventName.parameter.name is equal to USER_EMAIL, then userid is extracted from the protoPayload.metadata.event.eventName.parameter.value log field using a Grok pattern and mapped to the principal.user.userid UDM field. |
protoPayload.authenticationInfo.authoritySelector |
principal.user.userid |
If the protoPayload.authenticationInfo.authoritySelector log field value is not empty, then userid_selector is extracted from the protoPayload.authenticationInfo.authoritySelector log field using a Grok pattern and mapped to the principal.user.userid UDM field. |
jsonPayload.actor.user |
principal.user.userid |
If the jsonPayload.actor.user log field value is not empty, then userid_actor is extracted from the jsonPayload.actor.user log field using a Grok pattern and mapped to the principal.user.userid UDM field. |
protoPayload.authenticationInfo.principalEmail |
principal.user.email_addresses |
If the protoPayload.authenticationInfo.principalEmail log field value is not empty and the protoPayload.authenticationInfo.principalEmail log field value matches the regular expression .@., then the protoPayload.authenticationInfo.principalEmail log field is mapped to the principal.user.email_addresses UDM field. |
protoPayload.metadata.event.eventName.parameter.value |
principal.user.email_addresses |
protoPayload.metadata.event.eventName.parameter.value is mapped to principal.user.email_addresses if the following conditions are met:
|
protoPayload.authenticationInfo.authoritySelector |
principal.user.email_addresses |
If the protoPayload.authenticationInfo.authoritySelector log field value is not empty and the protoPayload.authenticationInfo.authoritySelector log field value matches the regular expression .@., then the protoPayload.authenticationInfo.authoritySelector log field is mapped to the principal.user.email_addresses UDM field. |
jsonPayload.actor.user |
principal.user.email_addresses |
If the jsonPayload.actor.user log field value is not empty and the jsonPayload.actor.user log field value matches the regular expression .@., then the jsonPayload.actor.user log field is mapped to the principal.user.email_addresses UDM field. |
protoPayload.metadata.event.eventName.parameter.name[login_challenge_status] |
security_result.action |
security_result.action is set to ALLOW if the following conditions are met:
security_result.action is set to FAIL if the following conditions are met:
|
protoPayload.metadata.event.eventName.parameter.name[ACTION_TYPE] |
security_result.action |
security_result.action is set to ALLOW if the following conditions are met:
security_result.action is set to BLOCK if the following conditions are met:
security_result.action is set to ALLOW_WITH_MODIFICATION if the following conditions are met:
security_result.action is set to QUARANTINE if the following conditions are met:
security_result.action is set to QUARANTINE if the following conditions are met:
|
security_result.action_details |
If the protoPayload.metadata.event.eventName log field value is equal to login_challenge or login_verification and the protoPayload.metadata.event.eventName.parameter.name log field value is equal to login_challenge_status, then the protoPayload.metadata.event.eventName.parameter.value log field is mapped to the security_result.action_details UDM field. If the protoPayload.metadata.event.eventName log field value is equal to ACTION_CANCELLED or ACTION_REQUESTED and the protoPayload.metadata.event.eventName.parameter.name log field value is equal to ACTION_TYPE, then the protoPayload.metadata.event.eventName.parameter.value log field is mapped to the security_result.action_details UDM field. |
|
protoPayload.metadata.event.eventName.parameter.name[is_suspicious] |
security_result.category |
If the protoPayload.metadata.event.eventName log field value is equal to login_success and the protoPayload.metadata.event.eventName.parameter.name log field value is equal to is_suspicious and the protoPayload.metadata.event.eventName.parameter.value log field value is equal to True, then the security_result.category UDM field is set to NETWORK_SUSPICIOUS. |
logName |
security_result.category_details |
|
protoPayload.response.status |
security_result.description |
|
protoPayload.response.error.errors[].reason |
security_result.description |
|
protoPayload.metadata.tableCreation.reason |
security_result.description |
|
protoPayload.metadata.tableChange.reason |
security_result.description |
|
protoPayload.metadata.tableDeletion.reason |
security_result.description |
|
protoPayload.metadata.datasetCreation.reason |
security_result.description |
|
protoPayload.metadata.datasetDeletion.reason |
security_result.description |
|
protoPayload.policyViolationInfo.orgPolicyViolationInfo.violationInfo.errorMessage |
security_result.description |
|
protoPayload.status.message |
security_result.description |
|
protoPayload.request.status |
security_result.description |
|
jsonPayload.reason[].detail |
security_result.description |
|
protoPayload.response.status.state |
security_result.description |
|
protoPayload.response.status.conditions[].message |
security_result.description |
If the message log field value matches the regular expression response.*status.*conditions.*message, then the protoPayload.response.status.conditions.0.message log field is mapped to the security_result.description UDM field. |
protoPayload.resourceOriginalState.priority |
security_result.priority_details |
|
protoPayload.request.priority |
security_result.priority_details |
|
protoPayload.serviceData.jobGetQueryResultsResponse.job.jobConfiguration.query.queryPriority |
security_result.priority_details |
|
protoPayload.metadata.vpcServiceControlsUniqueId |
security_result.rule_id |
|
protoPayload.request.body.settings.activationPolicy |
security_result.rule_name |
|
protoPayload.request.policy |
security_result.rule_name |
|
protoPayload.metadata.violationReason |
security_result.rule_name |
|
protoPayload.policyViolationInfo.orgPolicyViolationInfo.violationInfo.policyType |
security_result.rule_type |
|
protoPayload.metadata.dryRun |
security_result.rule_type |
|
severity |
security_result.severity |
|
security_result.severity_details |
If the severity log field value is equal to CRITICAL, then the security_result.severity UDM field is set to CRITICAL. If the severity log field value is equal to ERROR, then the security_result.severity UDM field is set to ERROR. If the severity log field value is equal to ALERT or EMERGENCY, then the security_result.severity UDM field is set to HIGH. If the severity log field value is equal to INFO or NOTICE, then the security_result.severity UDM field is set to INFORMATIONAL. If the severity log field value is equal to DEBUG, then the security_result.severity UDM field is set to LOW. If the severity log field value is equal to WARNING, then the security_result.severity UDM field is set to MEDIUM. Otherwise, the security_result.severity UDM field is set to UNKNOWN_SEVERITY. |
|
protoPayload.response.error.message |
security_result.summary |
|
protoPayload.response.error.errors[].message |
security_result.summary |
|
protoPayload.status.details.violations.description |
security_result.summary |
|
protoPayload.response.message |
security_result.summary |
|
protoPayload.request.description |
security_result.summary |
|
jsonPayload.reason[].type |
security_result.summary |
|
sourceLocation.file |
src.file.full_path |
|
protoPayload.serviceName |
target.application |
|
resource.labels.service |
target.application |
|
protoPayload.metadata.event.eventName.parameter.name[APPLICATION_NAME] |
target.application |
|
protoPayload.metadata.event.eventName.parameter.name[APP_NAME] |
target.application |
If the protoPayload.metadata.event.eventName.parameter.name1 log field value is equal to APP_NAME and the protoPayload.metadata.event.eventName.parameter.name2 log field value is equal to APP_ID, then the protoPayload.metadata.event.eventName.parameter.name2 - protoPayload.metadata.event.eventName.parameter.name1 log field is mapped to the target.application UDM field. |
protoPayload.metadata.event.eventName.parameter.name[APP_ID] |
target.application |
If the protoPayload.metadata.event.eventName.parameter.name1 log field value is equal to APP_NAME and the protoPayload.metadata.event.eventName.parameter.name2 log field value is equal to APP_ID, then the protoPayload.metadata.event.eventName.parameter.name2 - protoPayload.metadata.event.eventName.parameter.name1 log field is mapped to the target.application UDM field. |
protoPayload.metadata.event.eventName.parameter.name[SERVICE_NAME] |
target.application |
|
protoPayload.metadata.event.eventName.parameter.name[OAUTH2_SERVICE_NAME] |
target.application |
|
protoPayload.metadata.event.eventName.parameter.name[OAUTH2_APP_NAME] |
target.application |
If the protoPayload.metadata.event.eventName.parameter.name1 log field value is equal to OAUTH2_APP_NAME and the protoPayload.metadata.event.eventName.parameter.name2 log field value is equal to OAUTH2_APP_ID, then the protoPayload.metadata.event.eventName.parameter.name2 - protoPayload.metadata.event.eventName.parameter.name1 log field is mapped to the target.application UDM field. |
protoPayload.metadata.event.eventName.parameter.name[OAUTH2_APP_ID] |
target.application |
If the protoPayload.metadata.event.eventName.parameter.name1 log field value is equal to OAUTH2_APP_NAME and the protoPayload.metadata.event.eventName.parameter.name2 log field value is equal to OAUTH2_APP_ID, then the protoPayload.metadata.event.eventName.parameter.name2 - protoPayload.metadata.event.eventName.parameter.name1 log field is mapped to the target.application UDM field. |
protoPayload.metadata.event.eventName.parameter.name[REAUTH_APPLICATION, SITE_NAME] |
target.application |
|
jsonPayload.product |
target.application |
|
protoPayload.metadata.device_id |
target.asset.asset_id |
|
protoPayload.metadata.event.eventName.parameter.name[DEVICE_SERIAL_NUMBER] |
target.asset.hardware.serial_number |
|
protoPayload.metadata.event.eventName.parameter.name[PRINT_SERVER_NAME] |
target.asset.hostname |
|
protoPayload.metadata.event.eventName.parameter.name[PRINTER_NAME] |
target.asset.hostname |
|
protoPayload.request.instance |
target.asset.product_object_id |
The protoPayload.request.instance log field is mapped to the target.asset.product_object_id UDM field if the index value in protoPayload.request.instance is equal to 0. For every other index value, the target.asset.labels.key UDM field is set to request_instance and the protoPayload.request.instance log field is mapped to the target.asset.labels.value UDM field. |
protoPayload.metadata.event.eventName.parameter.name[DEVICE_ID] |
target.asset.product_object_id |
|
protoPayload.metadata.event.eventName.parameter.name[COMPANY_DEVICE_ID] |
target.asset.product_object_id |
|
target.asset.type |
If the protoPayload.metadata.event.eventName.parameter.name log field value is equal to PRINTER_SERVER_NAME, then the target.asset.type UDM field is set to SERVER. If the protoPayload.metadata.event.eventName.parameter.name log field value is equal to PRINTER_NAME, then the target.asset.type UDM field is set to PRINTER. If the protoPayload.metadata.event.eventName.parameter.name log field value is equal to DEVICE_TYPE, then the target.asset.type UDM field is set to ROLE_UNSPECIFIED. |
|
protoPayload.metadata.event.eventName.parameter.name[SITE_LOCATION] |
target.file.full_path |
|
protoPayload.metadata.event.eventName.parameter.name[PERMISSION_GROUP_NAME] |
target.group.attribute.permissions.name |
|
protoPayload.metadata.event.eventName.parameter.name[GROUP_EMAIL] |
target.group.email_addresses |
|
protoPayload.metadata.event.eventName.parameter.name[DOMAIN_NAME] |
target.hostname |
|
jsonPayload.dest_instance.vm_name |
target.hostname |
|
protoPayload.requestMetadata.requestAttributes.host |
target.hostname |
|
httpRequest.remoteIp |
target.ip |
|
protoPayload.requestMetadata.destinationAttributes.ip |
target.ip |
|
protoPayload.metadata.event.eventName.parameter.name[EMAIL_LOG_SEARCH_SMTP_RECIPIENT_IP] |
target.ip |
|
protoPayload.request.ip |
target.ip |
|
jsonPayload.connection.dest_ip |
target.ip |
|
resource.labels.region |
target.location.country_or_region |
|
protoPayload.response.region |
target.location.country_or_region |
|
protoPayload.request.body.region |
target.location.country_or_region |
|
protoPayload.request.region |
target.location.country_or_region |
|
resource.labels.region |
target.location.country_or_region |
|
jsonPayload.dest_location.country |
target.location.country_or_region |
|
jsonPayload.dest_location.continent |
target.location.country_or_region |
|
protoPayload.request.override.overrideValue |
target.resource.attribute.labels[request_override_value] |
|
protoPayload.response.overrideValue |
target.resource.attribute.labels[response_override_value] |
|
resource.labels.location |
target.location.name |
|
protoPayload.resourceOriginalState.alloweds.ports |
target.port |
|
protoPayload.requestMetadata.destinationAttributes.port |
target.port |
|
jsonPayload.connection.dest_port |
target.port |
|
protoPayload.metadata.tableCreation.table.view.query |
target.process.command_line |
|
protoPayload.metadata.jobInsertion.job.jobConfig.queryConfig.query |
target.process.command_line |
|
protoPayload.serviceData.jobQueryRequest.query |
target.process.command_line |
|
protoPayload.serviceData.tableInsertResponse.resource.view.query |
target.process.command_line |
|
protoPayload.metadata.jobChange.job.jobConfig.queryConfig.query |
target.process.command_line |
|
protoPayload.metadata.tableChange.jobName |
target.process.pid |
|
protoPayload.metadata.tableCreation.jobName |
target.process.pid |
|
protoPayload.request.networkInterfaces[].subnetwork |
target.resource_ancestors.name |
|
protoPayload.request.body.instanceUid |
target.resource_ancestors.product_object_id |
|
protoPayload.response.instanceUid |
target.resource_ancestors.product_object_id |
|
protoPayload.request.disk[].mode |
target.resource_ancestors.attributes.permission.name |
|
protoPayload.request.disk[].autoDelete |
target.resource_ancestors.attributes.permission.name |
|
protoPayload.response.project_id |
target.resource_ancestors.id |
|
protoPayload.response.targetProject |
target.resource_ancestors.name |
|
protoPayload.request.target |
target.resource_ancestors.name |
|
protoPayload.resourceName |
target.resource_ancestors.name |
If the protoPayload.methodName log field value matches the regular expression pattern (CreateServiceAccount, CreateWorkloadIdentityPool, CreateWorkloadIdentityPoolProvider, managedZones.create, changes.create, resourceRecordSets.create, responsePolicies.create, responsePolicyRules.create, policies.create, CreateRole, CreatePolicy, CreateServiceAccountKey, CreateWorkforcePool, CreateWorkforcePoolProvider), then the protoPayload.resourceName log field is mapped to the target.resource_ancestors.name UDM field. |
protoPayload.resource.role_name |
target.resource_ancestors.name |
|
protoPayload.request.parent |
target.resource_ancestors.name |
|
protoPayload.request.disks[].deviceName |
target.resource_ancestors.name |
|
protoPayload.request.network |
target.resource_ancestors.name |
|
resource.labels.project_id |
target.cloud.project.name |
|
resource.labels.project_id |
target.resource_ancestors.name |
|
protoPayload.request.disk[].type |
target.resource_ancestors.resource_subtype |
If the protoPayload.request.cluster.subnetwork log field value is not empty, then the target.resource_ancestors.resource_subtype UDM field is set to subnetwork. If the protoPayload.request.cluster.network log field value is not empty, then the target.resource_ancestors.resource_subtype UDM field is set to network. If the protoPayload.request.cluster.nodePools.name log field value is not empty, then the target.resource_ancestors.resource_subtype UDM field is set to nodepool. |
resource.location |
target.resource.attribute.cloud.availability_zone |
|
resourceLocation.currentLocations |
target.resource.attribute.cloud.availability_zone |
|
resource.labels.zone |
target.resource.attribute.cloud.availability_zone |
|
protoPayload.request.body.settings.locationPreference.zone |
target.resource.attribute.cloud.availability_zone |
|
protoPayload.metadata.tableChange.table.createTime |
target.resource.attribute.creation_time |
|
protoPayload.metadata.tableCreation.table.createTime |
target.resource.attribute.creation_time |
|
protoPayload.resourceOriginalState.creationTimestamp |
target.resource.attribute.creation_time |
|
protoPayload.response.insertTime |
target.resource.attribute.creation_time |
|
protoPayload.metadata.tableChange.table.updateTime |
target.resource.attribute.last_update_time |
|
protoPayload.metadata.tableCreation.table.updateTime |
target.resource.attribute.last_update_time |
|
protoPayload.serviceData.policyDelta.auditConfigDeltas[].logType |
target.resource.attribute.permissions.type |
|
request.role.title |
target.resource.attribute.roles.name |
|
protoPayload.request.role.included_permissions[] |
target.resource.attributes.permission.name |
|
protoPayload.request.role.description |
target.resource.attributes.roles.description |
|
protoPayload.resource.labels.firewall_rule_id |
target.resource.id |
|
protoPayload.resourceName |
target.resource.name |
If the protoPayload.resourceName log field value is not empty, then the protoPayload.resourceName log field is mapped to the target.resource.name UDM field. |
protoPayload.resource.labels.role_name |
target.resource.name |
If the protoPayload.methodName log field value is equal to google.iam.admin.v1.CreateRole, then the protoPayload.resource.labels.role_name log field is mapped to the target.resource.name UDM field. |
protoPayload.resource.role_name |
target.resource.name |
|
protoPayload.request.service_account.display_name |
target.resource.name |
|
protoPayload.request.workloadIdentityPool.displayName |
target.resource.name |
|
protoPayload.request.name |
target.resource.name |
If the protoPayload.methodName log field value is equal to beta.compute.instances.insert, then the protoPayload.request.name log field is mapped to the target.resource.name UDM field. |
protoPayload.request.cluster.name |
target.resource.name |
|
protoPayload.metadata.tableCreation.table.tableName |
target.resource.name |
|
protoPayload.metadata.datasetCreation.dataset.datasetName |
target.resource.name |
|
jsonPayload.accessApprovals[] |
target.resource.name |
|
jsonPayload.resource.name |
target.resource.name |
|
resource.labels.email_id |
target.resource.name |
If the resource.labels.email_id log field value is not empty, then the resource.labels.email_id log field is mapped to the target.resource.name UDM field. |
protoPayload.request.accessLevel.title |
target.resource.name |
|
resource.discoveryName |
target.resource.name |
|
protoPayload.response.name |
target.resource.name |
|
protoPayload.request.name |
target.resource.name |
|
resource.labels.network_id |
target.resource.name |
|
request.cluster.name |
target.resource.name |
|
resource.labels.cluster_name |
target.resource.name |
|
protoPayload.metadata.tableChange.table.tableName |
target.resource.name |
|
resource.labels.function_name |
target.resource.name |
If the resource.type log field value matches the regular expression pattern cloud_function, then the resource.labels.function_name log field is mapped to the target.resource.name UDM field. |
resource.parent |
target.resource.parent |
|
resource.labels.bucket_name |
target.resource.parent |
If the resource.type log field value is equal to gcs_bucket, then the resource.labels.bucket_name log field is mapped to the target.resource.parent UDM field. |
resource.labels.dataset_id |
target.resource.product_object_id |
|
resource.labels.instance_group_id |
target.resource.product_object_id |
|
resource.labels.subnetwork_id |
target.resource.product_object_id |
|
resource.labels.firewall_rule_id |
target.resource.product_object_id |
|
resource.labels.forwarding_rule_id |
target.resource.product_object_id |
|
resource.labels.network_id |
target.resource.product_object_id |
|
resource.labels.unique_id |
target.resource.product_object_id |
|
protoPayload.metadata.event.eventName.parameter.name[RESOURCE_IDENTIFIER] |
target.resource.product_object_id |
|
protoPayload.metadata.event.eventName.parameter.name[SHARED_DRIVE_ID] |
target.resource.product_object_id |
|
protoPayload.response.unique_id |
target.resource.product_object_id |
If the protoPayload.methodName log field value matches the regular expression pattern (CreateServiceAccount, CreateWorkloadIdentityPool, CreateWorkloadIdentityPoolProvider, managedZones.create, changes.create, resourceRecordSets.create, responsePolicies.create, responsePolicyRules.create, policies.create, CreateRole, CreatePolicy, CreateServiceAccountKey, CreateWorkforcePool, CreateWorkforcePoolProvider), then the protoPayload.response.unique_id log field is mapped to the target.resource.product_object_id UDM field. |
protoPayload.request.account_id |
target.resource.product_object_id |
|
protoPayload.request.role_id |
target.resource.product_object_id |
If the protoPayload.methodName log field value is equal to google.iam.admin.v1.CreateRole, then the protoPayload.request.role_id log field is mapped to the target.resource.product_object_id UDM field. |
protoPayload.request.workloadIdentityPoolId |
target.resource.product_object_id |
|
jsonPayload.resource.id |
target.resource.product_object_id |
|
resource.labels.instance_id |
target.resource.product_object_id |
|
resource.data.uniqueId |
target.resource.product_object_id |
|
protoPayload.request.workloadIdentityPoolProviderId |
target.resource.product_object_id |
|
protoPayload.request.machineType |
target.resource.resource_subtype |
|
resource.type |
target.resource.resource_subtype |
|
target.resource.resource_type |
If the resource.type log field value matches the regular expression pattern gce_(subnetwork or network), then the target.resource.resource_type UDM field is set to VPC_NETWORK. If the resource.type log field value matches the regular expression pattern dataproc, then the target.resource.resource_type UDM field is set to CLUSTER. If the resource.type log field value matches the regular expression pattern k8s or gke_, then the target.resource.resource_type UDM field is set to CLUSTER. If the resource.type log field value matches the regular expression pattern gce_(firewall or forwarding_rule), then the target.resource.resource_type UDM field is set to FIREWALL_RULE. If the resource.type log field value matches the regular expression pattern gce_backend_service, then the target.resource.resource_type UDM field is set to BACKEND_SERVICE. If the resource.type log field value matches the regular expression pattern (gce_ or dns_query), then the target.resource.resource_type UDM field is set to VIRTUAL_MACHINE. If the resource.type log field value matches the regular expression pattern gcs_bucket, then the target.resource.resource_type UDM field is set to STORAGE_BUCKET. If the resource.type log field value matches the regular expression pattern bigquery, then the target.resource.resource_type UDM field is set to DATABASE. If the resource.type log field value matches the regular expression pattern cloudsql, then the target.resource.resource_type UDM field is set to DATABASE. If the resource.type log field value matches the regular expression pattern service_account, then the target.resource.resource_type UDM field is set to SERVICE_ACCOUNT. If the resource.type log field value matches the regular expression pattern project, then the target.resource.resource_type UDM field is set to CLOUD_PROJECT. If the resource.type log field value matches the regular expression pattern organization, then the target.resource.resource_type UDM field is set to CLOUD_ORGANIZATION. If the resource.type log field value matches the regular expression pattern cloud_function, then the target.resource.resource_type UDM field is set to FUNCTION. Otherwise, the target.resource.resource_type UDM field is set to UNSPECIFIED. |
|
protoPayload.response.targetLink |
target.url |
|
protoPayload.metadata.event.eventName.parameter.name[WEB_ADDRESS] |
target.url |
|
protoPayload.request.httpRequest.url |
target.url |
|
resource.discoveryDocumentUri |
target.url |
|
httpRequest.requestUrl |
target.url |
|
protoPayload.request.role.included_permissions[] |
target.user.attribute.permissions.name |
|
protoPayload.metadata.event.eventName.parameter.name[ROLE_ID] |
target.user.attribute.roles.description |
If the protoPayload.metadata.event.eventName.parameter.name log field value is equal to ROLE_ID, then the Role_ID - protoPayload.metadata.event.eventName.parameter.value log field is mapped to the target.user.attribute.roles.description UDM field. |
protoPayload.response.bindings[].role |
target.user.attribute.roles.name |
|
protoPayload.metadata.event.eventName.parameter.name[ROLE_NAME] |
target.user.attribute.roles.name |
|
protoPayload.request.serviceAccounts[].email |
target.user.email_addresses |
|
protoPayload.metadata.event.eventName.parameter.value |
target.user.email_addresses |
If the protoPayload.metadata.event.eventName.parameter.value log field value is not empty and the protoPayload.metadata.event.eventName log field value is equal to USER_EMAIL, EMAIL_MONITOR_DEST_EMAIL or DESTINATION_USER_EMAIL, then the protoPayload.metadata.event.eventName.parameter.value log field is mapped to the target.user.email_addresses UDM field. |
protoPayload.metadata.event.eventName.parameter.name[NEW_VALUE] |
target.user.first_name |
If the protoPayload.metadata.event.eventName log field value is equal to FIRST_NAME and the protoPayload.metadata.event.eventName.parameter.name log field value is equal to NEW_VALUE, then the protoPayload.metadata.event.eventName.parameter.value log field is mapped to the target.user.first_name UDM field. |
protoPayload.request.personIdentifier.canonicalPersonId |
target.user.group_identifiers |
|
protoPayload.metadata.event.eventName.parameter.name[NEW_VALUE] |
target.user.last_name |
If the protoPayload.metadata.event.eventName log field value is equal to LAST_NAME and the protoPayload.metadata.event.eventName.parameter.name log field value is equal to NEW_VALUE, then the protoPayload.metadata.event.eventName.parameter.value log field is mapped to the target.user.last_name UDM field. |
protoPayload.metadata.event.eventName.parameter.name[NEW_VALUE] |
target.user.user_display_name |
If the protoPayload.metadata.event.eventName log field value is equal to RENAME_USER and the protoPayload.metadata.event.eventName.parameter.name log field value is equal to NEW_VALUE, then the protoPayload.metadata.event.eventName.parameter.value log field is mapped to the target.user.user_display_name UDM field. |
protoPayload.response.user |
target.user.userid |
|
protoPayload.metadata.event.eventName.parameter.name[USER_EMAIL] |
target.user.userid |
If the protoPayload.metadata.event.eventName log field value is equal to CREATE_EMAIL_MONITOR or CREATE_DATA_TRANSFER_REQUEST and the protoPayload.metadata.event.eventName.parameter.name log field value is equal to USER_EMAIL, then the protoPayload.metadata.event.eventName.parameter.value log field is mapped to the principal.user.userid UDM field. If the protoPayload.metadata.event.eventName.parameter.name log field value is equal to USER_EMAIL, then the protoPayload.metadata.event.eventName.parameter.value log field is mapped to the target.user.userid UDM field. |
protoPayload.metadata.event.eventName.parameter.name[EMAIL_MONITOR_DEST_EMAIL] |
target.user.userid |
|
protoPayload.metadata.event.eventName.parameter.name[DESTINATION_USER_EMAIL] |
target.user.userid |
|
protoPayload.request.user |
target.user.userid |
|
protoPayload.serviceData.policyDelta.bindingDeltas[].member |
target.user.userid |
|
protoPayload.request.objects.db |
about.labels [database_name] (deprecated) |
|
jsonPayload.accesses[].methodName |
about.labels [methodName] (deprecated) |
|
protoPayload.request.objects.name |
about.labels [objects_name] (deprecated) |
|
protoPayload.metadata.event.eventName.parameter.name[API_CLIENT_NAME] |
about.labels[api_client_name] (deprecated) |
|
protoPayload.metadata.event.eventName.parameter.name[API_SCOPES] |
about.labels[api_scopes] (deprecated) |
|
protoPayload.metadata.event.eventName.parameter.name[BEGIN_DATE_TIME] |
about.labels[begin_date_time] (deprecated) |
|
protoPayload.metadata.event.eventName.parameter.name[BULK_UPLOAD_FAIL_USERS_NUMBER] |
about.labels[bulk_upload_fail_users_number] (deprecated) |
|
protoPayload.metadata.event.eventName.parameter.name[BULK_UPLOAD_TOTAL_USERS_NUMBER] |
about.labels[bulk_upload_total_users_number] (deprecated) |
|
protoPayload.metadata.event.eventName.parameter.name[CAA_ASSIGNMENTS_NEW] |
about.labels[caa_assignments_new] (deprecated) |
|
protoPayload.metadata.event.eventName.parameter.name[CAA_ASSIGNMENTS_OLD] |
about.labels[caa_assignments_old] (deprecated) |
|
protoPayload.metadata.event.eventName.parameter.name[CAA_ENFORCEMENT_ENDPOINTS_NEW] |
about.labels[caa_enforcement_endpoints_new] (deprecated) |
|
protoPayload.metadata.event.eventName.parameter.name[CAA_ENFORCEMENT_ENDPOINTS_OLD] |
about.labels[caa_enforcement_endpoints_old] (deprecated) |
|
protoPayload.requestMetadata.requestAttributes.size |
about.labels[caller_network_request_size] (deprecated) |
|
protoPayload.requestMetadata.requestAttributes.time |
about.labels[caller_network_request_time] (deprecated) |
|
protoPayload.requestMetadata.callerNetwork |
about.labels[caller_network] (deprecated) |
|
protoPayload.requestMetadata.requestAttributes.size |
principal.labels[caller_network_request_size] (deprecated) |
|
protoPayload.requestMetadata.requestAttributes.time |
principal.labels[request_attributes_time] (deprecated) |
|
protoPayload.requestMetadata.callerNetwork |
principal.labels[caller_network] (deprecated) |
|
protoPayload.metadata.event.eventName.parameter.name[CHROME_LICENSES_ENABLED] |
about.labels[chrome_licenses_enabled] (deprecated) |
|
protoPayload.metadata.event.eventName.parameter.name[END_DATE_TIME] |
about.labels[end_date_time] (deprecated) |
|
protoPayload.metadata.event.eventName.parameter.name[END_DATE] |
about.labels[end_date] (deprecated) |
|
protoType.metadata.event[].eventName |
about.labels[event_name] (deprecated) |
|
protoPayload.metadata.event.parameter[].label |
about.labels[event_param_label] (deprecated) |
|
protoPayload.metadata.event.parameter[].type |
about.labels[event_param_type] (deprecated) |
|
protoType.metadata.event[].eventType |
about.labels[event_type] (deprecated) |
|
protoPayload.metadata.event.eventName.parameter.name[FIELD_NAME] |
about.labels[field_name] (deprecated) |
|
protoPayload.metadata.event.eventName.parameter.name[FULL_ORG_UNIT_PATH] |
about.labels[full_org_unit_path] (deprecated) |
|
protoPayload.metadata.event.eventName.parameter.name[GROUP_MEMBER_BULK_UPLOAD_FAILED_NUMBER] |
about.labels[grp_member_bulk_upload_failed] (deprecated) |
|
protoPayload.metadata.event.eventName.parameter.name[GROUP_MEMBER_BULK_UPLOAD_TOTAL_NUMBER] |
about.labels[grp_member_bulk_upload_total] (deprecated) |
|
httpRequest.cacheFillBytes |
about.labels[httpreq_cache_fill_bytes] (deprecated) |
|
httpRequest.cacheHit |
about.labels[httpreq_cache_hit] (deprecated) |
|
httpRequest.cacheLookup |
about.labels[httpreq_cache_lookup] (deprecated) |
|
httpRequest.cacheValidatedWithOriginServer |
about.labels[httpreq_cache_validated_with_origin_server] (deprecated) |
|
httpRequest.latency |
about.labels[httprequest_latency] (deprecated) |
|
protoPayload.metadata.event.eventName.parameter.name[INFO_TYPE] |
about.labels[info_type] (deprecated) |
|
protoPayload.metadata.activityId.timeUsec |
about.labels[metadata_activityId_time_usec] (deprecated) |
|
protoPayload.metadata.activityId.uniqQualifier |
about.labels[metadata_activityId_uniq_qualifier] (deprecated) |
|
protoPayload.metadata.@type |
about.labels[metadata_type] (deprecated) |
|
protoPayload.metadata.event.eventName.parameter.name[NEW_PERMISSION_GRANT_STATE] |
about.labels[new_permission_grant_state] (deprecated) |
|
protoPayload.metadata.event.eventName.parameter.name[NUMBER_OF_COMPANY_OWNED_DEVICES] |
about.labels[num_of_company_owned_device] (deprecated) |
|
protoPayload.numResponseItems |
about.labels[num_response_items] (deprecated) |
|
protoPayload.metadata.event.eventName.parameter.name[OLD_PERMISSION_GRANT_STATE] |
about.labels[old_permission_grant_state] (deprecated) |
|
operation.first |
about.labels[operation_first] (deprecated) |
|
operation.id |
about.labels[operation_id] (deprecated) |
|
operation.last |
about.labels[operation_last] (deprecated) |
|
operation.producer |
about.labels[operation_producer] (deprecated) |
|
protoPayload.resourceOriginalState.selfLinkWithId |
about.labels[rc_old_selflinkWithId] (deprecated) |
|
protoPayload.metadata.event.eventName.parameter.name[REAUTH_SETTING_NEW] |
about.labels[reauth_setting_new] (deprecated) |
|
protoPayload.metadata.event.eventName.parameter.name[REAUTH_SETTING_OLD] |
about.labels[reauth_setting_old] (deprecated) |
|
protoPayload.request.alloweds[].ports |
about.labels[req_alloweds_ports] (deprecated) |
|
protoPayload.request.body.name |
about.labels[req_body_name] (deprecated) |
|
protoPayload.request.body.settings.activityPolicy |
about.labels[req_body_settings_activity_policy] (deprecated) |
|
protoPayload.request.deletionProtection |
about.labels[req_deletion_protection] (deprecated) |
|
protoPayload.request.disabled |
about.labels[req_disabled] (deprecated) |
|
protoPayload.request.displayDevice.enableDisplay |
about.labels[req_display_device_enable_display] (deprecated) |
|
protoPayload.request.enableFlowLogs |
about.labels[req_enable_flow_logs] (deprecated) |
|
protoPayload.request.fingerprint |
about.labels[req_fingerprint] (deprecated) |
|
protoPayload.request.shieldedInstanceConfig.enableSecureBoot |
about.labels[req_instance_config_enable_secure_boot] (deprecated) |
|
protoPayload.request.shieldedInstanceConfig.enableVtpm |
about.labels[req_instance_config_enable_vtpm] (deprecated) |
|
protoPayload.request.shieldedInstanceConfig.enableIntegrityMonitoring |
about.labels[req_instance_enable_integrity_monitoring] (deprecated) |
|
protoPayload.request.key_types[] |
about.labels[req_key_types] (deprecated) |
|
protoPayload.request.logconfig.enable |
about.labels[req_logconfig_enable] (deprecated) |
|
protoPayload.request.networkTier |
about.labels[req_network_tier] (deprecated) |
|
protoPayload.request.network |
about.labels[req_network] (deprecated) |
|
protoPayload.request.page_size |
about.labels[req_page_size] (deprecated) |
|
request.pagesize |
about.labels[req_page_size] (deprecated) |
|
protoPayload.request.policy.etag |
about.labels[req_policy_etag] (deprecated) |
|
protoPayload.request.portRange |
about.labels[req_port_range] (deprecated) |
|
protoPayload.request.privateIpGoogleAccess |
about.labels[req_private_ip_google_access] (deprecated) |
|
protoPayload.request.private_key_type |
about.labels[req_private_key_type] (deprecated) |
|
protoPayload.request.remove_deleted_service_accounts |
about.labels[req_remove_deleted_serviceAcc] (deprecated) |
|
protoPayload.request.showDeleted |
about.labels[req_show_deleted] (deprecated) |
|
protoPayload.request.skip_visibility_check |
about.labels[req_skip_visibility_check] (deprecated) |
|
protoPayload.request.stackType |
about.labels[req_stack_type] (deprecated) |
|
protoPayload.request.type |
about.labels[req_type] (deprecated) |
|
protoPayload.request.updateMask |
about.labels[req_update_mask] (deprecated) |
|
protoPayload.request.version |
about.labels[req_version] (deprecated) |
|
protoPayload.response.clientOperationId |
about.labels[res_client_operation_id] (deprecated) |
|
protoPayload.response.endTime |
about.labels[res_end_time] (deprecated) |
|
protoPayload.response.id |
about.labels[res_id] (deprecated) |
|
protoPayload.response.key_algorithm |
about.labels[res_key_algorithm] (deprecated) |
|
protoPayload.response.key_origin |
about.labels[res_key_origin] (deprecated) |
|
protoPayload.response.key_type |
about.labels[res_key_type] (deprecated) |
|
protoPayload.response.kind |
about.labels[res_kind] (deprecated) |
|
protoPayload.response.private_key_type |
about.labels[res_private_key_type] (deprecated) |
|
protoPayload.response.progress |
about.labels[res_progress] (deprecated) |
|
protoPayload.response.startTime |
about.labels[res_start_time] (deprecated) |
|
protoPayload.response.status |
about.labels[res_status] (deprecated) |
If the protoPayload.methodName log field value is equal to cloudsql.instances.create, then the protoPayload.response.status log field is mapped to the security_result.description UDM field. |
protoPayload.response.type |
about.labels[res_type] (deprecated) |
|
protoPayload.response.unique_id |
about.labels[res_unique_id] (deprecated) |
If the protoPayload.methodName log field value matches the regular expression pattern (CreateServiceAccount, CreateWorkloadIdentityPool, CreateWorkloadIdentityPoolProvider, managedZones.create, changes.create, resourceRecordSets.create, responsePolicies.create, responsePolicyRules.create, policies.create, CreateRole, CreatePolicy, CreateServiceAccountKey, CreateWorkforcePool, CreateWorkforcePoolProvider), then the protoPayload.response.unique_id log field is mapped to the target.resource.product_object_id UDM field. |
protoPayload.response.valid_after_time.seconds |
about.labels[res_valid_after_time] (deprecated) |
|
protoPayload.response.valid_before_time.seconds |
about.labels[res_valid_before_time] (deprecated) |
|
protoPayload.response.version |
about.labels[res_version] (deprecated) |
|
protoPayload.response.zone |
about.labels[res_zone] (deprecated) |
|
protoPayload.metadata.event.eventName.parameter.name[SEARCH_QUERY_FOR_DUMP] |
about.labels[search_query_for_dump] (deprecated) |
|
spanId |
about.labels[span_id] (deprecated) |
|
protoPayload.metadata.event.eventName.parameter.name[START_DATE] |
about.labels[start_date] (deprecated) |
|
traceSampled |
about.labels[trace_sampled] (deprecated) |
|
trace |
about.labels[trace] (deprecated) |
|
protoPayload.@type |
about.labels[type] (deprecated) |
|
protoPayload.metadata.instanceMetadataDelta.addedMetadataKeys |
metadata.ingestion_labels [instance_metadata_key_added] |
|
protoPayload.metadata.instanceMetadataDelta.deletedMetadataKeys |
metadata.ingestion_labels [instance_metadata_key_deletion] |
|
protoPayload.metadata.instanceMetadataDelta.modifiedMetadataKeys |
metadata.ingestion_labels [instance_metadata_key_modification] |
|
protoPayload.metadata.projectMetadataDelta.addedMetadataKeys |
metadata.ingestion_labels [AddedMetadataKeys] |
|
protoPayload.metadata.projectMetadataDelta.deletedMetadataKeys |
metadata.ingestion_labels [DeletedMetadataKeys] |
|
protoPayload.metadata.projectMetadataDelta.modifiedMetadataKeys |
metadata.ingestion_labels [ModifiedMetadataKeys] |
|
protoPayload.redactions.reason |
principal.labels [protoPayload.redactions.field] (deprecated) |
|
protoPayload.redactions.type |
principal.labels [protoPayload.redactions.field] (deprecated) |
|
authenticationInfo.serviceAccountDelegationInfo.firstPartyPrincipal.serviceMetadata |
principal.labels [service_metadata] (deprecated) |
|
jsonPayload.sourceNetwork |
principal.labels [source_network] (deprecated) |
|
authenticationInfo.serviceAccountDelegationInfo.thirdPartyPrincipal.thirdPartyClaims |
principal.labels [third_party_claims] (deprecated) |
|
protoPayload.requestMetadata.requestAttributes.time |
principal.labels[caller_network_request_time] (deprecated) |
|
protoPayload.request.description |
principal.labels[req_description] (deprecated) |
|
protoPayload.request.ipCidrRange |
principal.labels[req_ip_cidr_range] (deprecated) |
|
protoPayload.request.sourceRanges[] |
principal.labels[req_source_ranges] (deprecated) |
|
protoPayload.requestMetadata.requestAttributes.reason |
principal.labels[request_attributes_reason] (deprecated) |
|
protoPayload.authenticationInfo.thirdPartyPrincipal |
principal.labels[third_party_principal] (deprecated) |
|
protoPayload.authenticationInfo.principalSubject |
principal.user.userid |
If the protoPayload.authenticationInfo.principalSubject log field value is not empty, then new_user_id is extracted from the protoPayload.authenticationInfo.principalSubject log field using a Grok pattern and mapped to the principal.user.userid UDM field. |
protoPayload.authenticationInfo.principalSubject |
principal.user.email_addresses |
If the protoPayload.authenticationInfo.principalSubject log field value is not empty, then new_email_id is extracted from the protoPayload.authenticationInfo.principalSubject log field using a Grok pattern and mapped to the principal.user.email_addresses UDM field. |
protoPayload.authenticationInfo.serviceAccountDelegationInfo.principalSubject |
principal.user.attribute.labels[access_serviceAcc_principalSubject] |
|
protoPayload.response.oauth2_client_id |
principal.user.attribute.labels[response_oauth2_client_id] |
|
protoPayload.authorizationInfo.resourceAttributes.service |
principal.resource.attribute.labels[authorization_info_rcService] |
|
protoPayload.authorizationInfo.granted |
principal.user.attributes.labels[authorization_granted] |
|
protoPayload.request.cryptoKey.versionTemplate.algorithm |
security_result.detection_fields [algorithm] |
|
protoPayload.response.details[].@type |
security_result.detection_fields [details_type] |
|
protoPayload.request.cryptoKey.nextRotationTime |
security_result.detection_fields [next_rotation_time] |
|
protoPayload.request.cryptoKey.versionTemplate.protectionLevel |
security_result.detection_fields [protection_level] |
|
protoPayload.request.body.settings.ipConfiguration.authorizedNetworks.value |
security_result.detection_fields [protoPayload.request.body.settings.ipConfiguration.authorizedNetworks.kind] |
|
protoPayload.request.cryptoKey.purpose |
security_result.detection_fields [purpose] |
|
protoPayload.resourceName |
security_result.detection_fields [resource_name] |
|
protoPayload.authorizationInfo.resource |
security_result.detection_fields [resource] |
|
protoPayload.response.code |
security_result.detection_fields [response_code] |
|
protoPayload.request.cryptoKey.rotationPeriod |
security_result.detection_fields [rotation_period] |
|
protoPayload.metadata.securityPolicyInfo.organizationId |
security_result.detection_fields [securityPolicyInfo.organizationId] |
|
protoPayload.request.serviceAccounts[].scopes |
security_result.detection_fields [service_account_scope] |
|
protoPayload.response.details[].violations[].subject |
security_result.detection_fields [violation_subject] |
|
protoPayload.response.details[].violations[].type |
security_result.detection_fields [violation_type] |
|
protoPayload.metadata.event.eventName.parameter.name[ACTION_ID] |
security_result.detection_fields[action_id] |
|
protoPayload.serviceData.policyDelta.auditConfigDeltas[].action |
security_result.detection_fields[action] |
|
protoPayload.metadata.event.eventName.parameter.name[ALERT_NAME] |
security_result.detection_fields[alert_name] |
|
protoPayload.metadata.event.eventName.parameter.name[ALLOWED_TWO_STEP_VERIFICATION_METHOD] |
security_result.detection_fields[allowed_two_step_verification_method] |
|
protoPayload.requestMetadata.callerNetwork.requestAttributes.reason |
security_result.detection_fields[caller_network_request_reason] |
|
protoPayload.metadata.event.eventName.parameter.name[is_second_factor] |
security_result.detection_fields[is_second_factor] |
If the protoPayload.metadata.event.eventName log field value is equal to login_verification and the protoPayload.metadata.event.eventName.parameter.name log field value is equal to is_second_factor, then the protoPayload.metadata.event.eventName.parameter.value log field is mapped to the security_result.detection_fields.value UDM field. |
protoPayload.metadata.event.eventName.parameter.name[is_suspicious] |
security_result.detection_fields[is_suspicious] |
If the protoPayload.metadata.event.eventName log field value is equal to login_success and the protoPayload.metadata.event.eventName.parameter.name log field value is equal to is_suspicious, then the protoPayload.metadata.event.eventName.parameter.value log field is mapped to the security_result.detection_fields.value UDM field. |
protoPayload.metadata.event.eventName.parameter.name[login_failure_type] |
security_result.detection_fields[login_failure_type] |
If the protoPayload.metadata.event.eventName log field value is equal to login_failure and the protoPayload.metadata.event.eventName.parameter.name log field value is equal to login_failure_type, then the protoPayload.metadata.event.eventName.parameter.value log field is mapped to the security_result.detection_fields.value UDM field. |
protoPayload.metadata.event.eventName.parameter.name[login_type] |
security_result.detection_fields[login_type] |
If the protoPayload.metadata.event.eventName log field value is equal to login_failure, login_challenge, login_verification, login_success or logout, and the protoPayload.metadata.event.eventName.parameter.name log field value is equal to login_type, then the protoPayload.metadata.event.eventName.parameter.value log field is mapped to the about.labels.value UDM field. |
protoPayload.request.bindings.members[] |
security_result.detection_fields[members] |
|
protoPayload.policyViolationInfo.orgPolicyViolationInfo.violationInfo.checkedValue |
security_result.detection_fields[policy_violation_checked_value] |
|
protoPayload.policyViolationInfo.orgPolicyViolationInfo.violationInfo.constraint |
security_result.detection_fields[policy_violation_constraint] |
|
protoPayload.policyViolationInfo.orgPolicyViolationInfo.resourceTags |
security_result.detection_fields[policy_violation_resource_tags] |
|
protoPayload.policyViolationInfo.orgPolicyViolationInfo.resourceType |
security_result.detection_fields[policy_violation_resource_type] |
|
protoPayload.metadata.event.eventName.parameter.name[QUARANTINE_NAME] |
security_result.detection_fields[quarantine_name] |
|
protoPayload.resourceOriginalState.logconfig.enable |
security_result.detection_fields[rc_orgState_logconfig_enable] |
|
protoPayload.request.alloweds[].ports |
security_result.detection_fields[req_alloweds_ports] |
|
protoPayload.response.error.errors[].domain |
security_result.detection_fields[res_error_domain] |
|
protoPayload.resourceOriginalState.direction |
security_result.detection_fields[resource_original_state_direction] |
|
protoPayload.authenticationInfo.serviceAccountKeyName |
security_result.detection_fields[service_account_key_name] |
|
Referred this from Default parser. |
security_result.detection_fields[SERVICE] |
|
protoPayload.status.details.type |
security_result.detection_fields[status_details_type] |
|
protoPayload.status.details.violations.subject |
security_result.detection_fields[status_details_violation_subject] |
|
protoPayload.status.details.violations.type |
security_result.detection_fields[status_details_violation_type] |
|
sourceLocation.function |
src.labels[src_location_function] |
|
sourceLocation.line |
src.labels[src_location_line] |
|
protoPayload.metadata.event.eventName.parameter.name[DEVICE_NEW_STATE] |
target.asset.attribute.labels[dvc_new_state] |
|
protoPayload.metadata.event.eventName.parameter.name[DEVICE_PREVIOUS_STATE] |
target.asset.attribute.labels[dvc_previous_state] |
|
protoPayload.metadata.event.eventName.parameter.name[DEVICE_TYPE] |
target.asset.attribute.labels[dvc_type] |
|
protoPayload.metadata.event.eventName.parameter.name[MANAGED_CONFIGURATION_NAME] |
target.asset.attribute.labels[managed_config_name] |
|
protoPayload.metadata.event.eventName.parameter.name[MOBILE_APP_PACKAGE_ID] |
target.asset.attribute.labels[mobile_app_package_id] |
|
protoPayload.metadata.event.eventName.parameter.name[MOBILE_CERTIFICATE_COMMON_NAME] |
target.asset.attribute.labels[mobile_certificate_common_name] |
|
protoPayload.metadata.event.eventName.parameter.name[MOBILE_WIRELESS_NETWORK_NAME] |
target.asset.attribute.labels[mobile_wireless_network_name] |
|
protoPayload.metadata.event.eventName.parameter.name[PLAY_FOR_WORK_MDM_VENDOR_NAME] |
target.asset.attribute.labels[play_for_work_mdm_vendor_name] |
|
protoPayload.metadata.event.eventName.parameter.name[PLAY_FOR_WORK_TOKEN_ID] |
target.asset.attribute.labels[play_for_work_token_id] |
|
resource.labels.instance_id |
target.asset.attribute.labels[rc_instance_id] |
|
protoPayload.metadata.event.eventName.parameter.name[SKU_NAME] |
target.asset.attribute.labels[sku_name] |
|
protoPayload.response.targetId |
target.asset.attribute.labels[target_id] |
If the protoPayload.methodName log field value is not equal to cloudsql.instances.create, then the protoPayload.response.targetId log field is mapped to the target.asset.attribute.labels.value UDM field. |
resource.labels.backend_service_name |
target.labels [backend_service_name] (deprecated) |
|
protoPayload.requestMetadata.requestAttributes.auth.claims |
target.labels [request_auth_claims] (deprecated) |
|
protoPayload.metadata.event.eventName.parameter.name[APPLICATION_EDITION] |
target.labels[application_edition] (deprecated) |
|
protoPayload.metadata.event.eventName.parameter.name[ASP_ID] |
target.labels[asp_id] (deprecated) |
|
protoPayload.metadata.event.eventName.parameter.name[CHROME_OS_SESSION_TYPE] |
target.labels[chrome_os_session_type] (deprecated) |
|
protoPayload.metadata.event.eventName.parameter.name[DEVICE_NEW_ORG_UNIT] |
target.labels[device_new_org_unit] (deprecated) |
|
protoPayload.metadata.event.eventName.parameter.name[DEVICE_PREVIOUS_ORG_UNIT] |
target.labels[device_previous_org_unit] (deprecated) |
|
protoPayload.metadata.event.eventName.parameter.name[DOMAIN_ALIAS] |
target.labels[domain_alias] (deprecated) |
|
protoPayload.metadata.event.eventName.parameter.name[EMAIL_EXPORT_INCLUDE_DELETED] |
target.labels[email_export_include_deleted] (deprecated) |
|
protoPayload.metadata.event.eventName.parameter.name[EMAIL_EXPORT_PACKAGE_CONTENT] |
target.labels[email_export_package_content] (deprecated) |
|
protoPayload.metadata.event.eventName.parameter.name[EMAIL_LOG_SEARCH_END_DATE] |
target.labels[email_log_search_end_date] (deprecated) |
|
protoPayload.metadata.event.eventName.parameter.name[EMAIL_LOG_SEARCH_START_DATE] |
target.labels[email_log_search_start_date] (deprecated) |
|
protoPayload.metadata.event.eventName.parameter.name[EMAIL_MONITOR_LEVEL_CHAT] |
target.labels[email_monitor_level_chat] (deprecated) |
|
protoPayload.metadata.event.eventName.parameter.name[EMAIL_MONITOR_LEVEL_DRAFT_EMAIL] |
target.labels[email_monitor_level_draft_email] (deprecated) |
|
protoPayload.metadata.event.eventName.parameter.name[EMAIL_MONITOR_LEVEL_INCOMING_EMAIL] |
target.labels[email_monitor_level_in_email] (deprecated) |
|
protoPayload.metadata.event.eventName.parameter.name[EMAIL_MONITOR_LEVEL_OUTGOING_EMAIL] |
target.labels[email_monitor_level_out_email] (deprecated) |
|
protoPayload.metadata.event.eventName.parameter.name[GMAIL_RESET_REASON] |
target.labels[email_reset_reason] (deprecated) |
|
protoPayload.metadata.event.eventName.parameter.name[NEW_VALUE] |
target.labels[new_value] (deprecated) |
|
protoPayload.metadata.event.eventName.parameter.name[OAUTH2_APP_TYPE] |
target.labels[oauth2_app_type] (deprecated) |
|
protoPayload.metadata.event.eventName.parameter.name[OLD_VALUE] |
target.labels[old_value] (deprecated) |
|
protoPayload.requestMetadata.destinationAttributes.principal |
target.labels[peer_principal] (deprecated) |
|
protoPayload.requestMetadata.destinationAttributes.regionCode |
target.labels[peer_region_code] (deprecated) |
|
protoPayload.request.loadBalancingScheme |
target.labels[req_load_balancing_scheme] (deprecated) |
|
protoPayload.request.requestId |
target.labels[request_id] (deprecated) |
|
protoPayload.metadata.event.eventName.parameter.name[REQUEST_ID] |
target.labels[request_id] (deprecated) |
|
protoPayload.resourceOriginalState.description |
target.labels[res_originalState_description] (deprecated) |
|
protoPayload.response.bindings[].members[] |
target.labels[response_bindings_members] (deprecated) |
|
protoPayload.response.description |
target.labels[response_description] (deprecated) |
|
protoPayload.response.display_name |
target.labels[response_display_name] (deprecated) |
|
protoPayload.metadata.event.eventName.parameter.name[SECONDARY_DOMAIN_NAME] |
target.labels[secondary_domain_name] (deprecated) |
|
protoPayload.metadata.event.eventName.parameter.name[SETTING_NAME] |
target.labels[setting_name] (deprecated) |
|
protoPayload.metadata.event.eventName.parameter.name[USER_CUSTOM_FIELD] |
target.labels[user_custom_field] (deprecated) |
|
protoPayload.metadata.event.eventName.parameter.name[USER_DEFINED_SETTING_NAME] |
target.labels[user_defined_setting_name] (deprecated) |
|
protoPayload.metadata.event.eventName.parameter.name[WEB_ORIGIN] |
target.labels[web_origin] (deprecated) |
|
protoPayload.metadata.event.eventName.parameter.name[WHITELISTED_GROUPS] |
target.labels[whitelisted_groups] (deprecated) |
|
protoPayload.metadata.event.eventName.parameter.name[APP_LICENSES_ORDER_NUMBER] |
target.asset.labels[app_licenses_order_number] |
|
protoPayload.metadata.event.eventName.parameter.name[CHROME_NUM_LICENSES_PURCHASED] |
target.asset.labels[chrome_num_licenses_purchased] |
|
protoPayload.metadata.event.eventName.parameter.name[DEVICE_COMMAND_DETAILS] |
target.asset.labels[device_command_details] |
|
protoPayload.metadata.event.eventName.parameter.name[DIRECTORY_API_ID] |
target.asset.labels[directory_api_id] |
|
protoPayload.metadata.event.eventName.parameter.name[GROUP_PRIORITIES] |
target.group.attribute.labels[group_priorities] |
|
protoPayload.request.cluster.subnetwork |
target.resource_ancestor.attribute.labels[req_cls_subnetwork] |
|
protoPayload.request.cluster.nodePools[].autoscaling.enabled |
target.resource_ancestor.attribute.labels[req_clsNodePools_autoscaling_enabled] |
|
protoPayload.request.cluster.nodePools[].autoscaling.maxNodeCount |
target.resource_ancestor.attribute.labels[req_clsNodePools_autoscaling_max_node_cnt] |
|
protoPayload.request.cluster.nodePools[].autoscaling.minNodeCount |
target.resource_ancestor.attribute.labels[req_clsNodePools_autoscaling_min_node_cnt] |
|
protoPayload.request.cluster.nodePools[].management.autoupgrade |
target.resource_ancestor.attribute.labels[req_clsNodePools_autoupgrade] |
|
protoPayload.request.cluster.nodePools[].config.diskSizeGb |
target.resource_ancestor.attribute.labels[req_clsNodePools_config_disksize] |
|
protoPayload.request.cluster.nodePools[].config.imageType |
target.resource_ancestor.attribute.labels[req_clsNodePools_config_imagetype] |
|
protoPayload.request.cluster.nodePools[].config.machineType |
target.resource_ancestor.attribute.labels[req_clsNodePools_config_machinetype] |
|
protoPayload.request.cluster.nodePools[].config.oauthScopes[] |
target.resource_ancestor.attribute.labels[req_clsNodePools_config_oauth_scopes] |
|
protoPayload.request.cluster.nodePools[].name |
target.resource_ancestor.attribute.labels[req_clsNodePools_name] |
|
protoPayload.request.cluster.nodePools[].initialNodeCount |
target.resource_ancestor.attribute.labels[req_clsterNodePools_autoscaling_initial_node_cnt] |
|
resource.data.oauth2ClientId |
target.resource.attribute.labels [oauth_client_id] |
|
protoPayload.request.properties.confidentialInstanceConfig.enableConfidentialCompute |
target.resource.attribute.labels [ enable_confidential_compute] |
|
protoPayload.request.function.timeout |
target.resource.attribute.labels [ function_time_out] |
|
protoPayload.requestMetadata.requestAttributes.auth.accessLevels |
target.resource.attribute.labels [accessLevel] |
|
protoPayload.request.date |
target.resource.attribute.labels [audit_event_occurred] |
|
protoPayload.request.auditId |
target.resource.attribute.labels [audit_id] |
|
protoPayload.request.autoscalingPolicy.mode |
target.resource.attribute.labels [autoscaling_policy_mode] |
|
protoPayload.request.autoscalingPolicy.coolDownPeriodSec |
target.resource.attribute.labels [cool_down_period] |
|
protoPayload.request.denieds.0.IPProtocol |
target.resource.attribute.labels [Denied Protocol] |
|
protoPayload.request.destinationRanges |
target.resource.attribute.labels [destination_ranges] |
|
protoPayload.request.function.entryPoint |
target.resource.attribute.labels [function_entry_point] |
|
protoPayload.request.function.httpsTrigger.securityLevel |
target.resource.attribute.labels [function_httptrigger_security_level] |
|
protoPayload.request.function.runtime |
target.resource.attribute.labels [function_runtime] |
|
protoPayload.request.function.serviceAccountEmail |
target.resource.attribute.labels [function_service_account_email] |
|
protoPayload.request.function.sourceUploadUrl |
target.resource.attribute.labels [function_source_upload_url] |
|
protoPayload.metadata.iapEnabled |
target.resource.attribute.labels [iapEnabled] |
|
protoPayload.request.listManagedInstancesResults |
target.resource.attribute.labels [managed_instances_result] |
|
protoPayload.request.autoscalingPolicy.maxNumReplicas |
target.resource.attribute.labels [max_replicas] |
|
protoPayload.request.autoscalingPolicy.minNumReplicas |
target.resource.attribute.labels [min_replicas] |
|
protoPayload.request.msgType |
target.resource.attribute.labels [msg_type] |
|
protoPayload.metadata.oauth_client_id |
target.resource.attribute.labels [oauth_client_id] |
|
protoPayload.request.autoscalingPolicy.cpuUtilization.predictiveMethod |
target.resource.attribute.labels [predictive_method] |
|
protoPayload.request.labels.0.value |
target.resource.attribute.labels [protoPayload.request.labels.0.key] |
|
protoPayload.request.queryId |
target.resource.attribute.labels [query_id] |
|
protoPayload.request.constraint |
target.resource.attribute.labels [request_constraint] |
|
protoPayload.request.dataAccessed |
target.resource.attribute.labels [request_data_accessed] |
|
protoPayload.request.function.labels.deployment-tool |
target.resource.attribute.labels [request_deployment_tool] |
|
protoPayload.request.properties.description |
target.resource.attribute.labels [request_description] |
|
protoPayload.request.function.name |
target.resource.attribute.labels [request_function_name] |
|
protoPayload.request.location |
target.resource.attribute.labels [request_location] |
|
protoPayload.request.policy.constraint |
target.resource.attribute.labels [request_policy_constraint] |
|
protoPayload.request.@type |
target.resource.attribute.labels [request_type] |
|
protoPayload.request.cmd |
target.resource.attribute.labels [sql_operation_type ] |
|
protoPayload.request.threadId |
target.resource.attribute.labels [thread_id] |
|
protoPayload.metadata.unsatisfied_access_levels |
target.resource.attribute.labels [unsatisfied_access_levels] |
|
protoPayload.request.autoscalingPolicy.cpuUtilization.utilizationTarget |
target.resource.attribute.labels [utilization_target] |
|
protoPayload.request.body.settings.backupConfiguration.binaryLogEnabled |
target.resource.attribute.labels[backup_config_binarylog_enabled] |
|
protoPayload.request.body.settings.backupConfiguration.enabled |
target.resource.attribute.labels[backup_config_enabled] |
|
protoPayload.request.body.settings.backupConfiguration.transactionLogRetentionDays |
target.resource.attribute.labels[backup_config_logRetention_days] |
|
protoPayload.request.body.settings.backupConfiguration.pointInTimeRecoveryEnabled |
target.resource.attribute.labels[backup_config_point_in_time_recovery_enabled] |
|
protoPayload.request.body.settings.backupConfiguration.backupRetentionSettings.retainedBackups |
target.resource.attribute.labels[backup_config_retention_settings_retained_backups] |
|
protoPayload.request.body.settings.backupConfiguration.backupRetentionSettings.retentionUnit |
target.resource.attribute.labels[backup_config_retention_settings_unit] |
|
protoPayload.request.body.settings.backupConfiguration.startTime |
target.resource.attribute.labels[backup_config_start_time] |
|
protoPayload.request.canIpForward |
target.resource.attribute.labels[can_ip_forward] |
|
resource.labels.cluster_name |
target.resource.attribute.labels[cls_name] |
|
request.cluster.name |
target.resource.attribute.labels[cls_name] |
|
protoPayload.request.body.settings.dataDiskSizeGb |
target.resource.attribute.labels[data_disk_size_gb] |
|
protoPayload.request.body.settings.dataDiskType |
target.resource.attribute.labels[data_disk_type] |
|
protoPayload.metadata.tableDataRead.fields |
target.resource.attribute.labels[data_read_fields] |
|
protoPayload.metadata.jobInsertion.job.jobConfig.extractConfig.destinationUris[] |
target.resource.attribute.labels[destination_uris] |
|
protoPayload.request.direction |
target.resource.attribute.labels[direction] |
|
resource.labels.email_id |
target.resource.attribute.labels[email_id] |
|
resource.email_id |
target.resource.attribute.labels[email_id] |
|
resource.labels.forwarding_rule_name |
target.resource.attribute.labels[forwarding_rule_name] |
|
protoPayload.request.body.settings.ipConfiguration.ipv4Enabled |
target.resource.attribute.labels[ip_config_ipv4_enabled] |
|
protoPayload.request.body.settings.ipconfiguration.privatNetwork |
target.resource.attribute.labels[ip_config_private_network] |
|
protoPayload.request.body.settings.ipconfiguration.requireSsl |
target.resource.attribute.labels[ip_config_require_ssl] |
|
protoPayload.metadata.jobChange.job.jobConfig.type |
target.resource.attribute.labels[job_type] |
|
protoPayload.metadata.jobChange.job.jobConfig.labels.looker_studio_report_id |
target.resource.attribute.labels[job_change_looker_studio_report_id] |
|
protoPayload.metadata.jobChange.job.jobConfig.labels.requestor |
target.resource.attribute.labels[job_change_requestor] |
|
protoPayload.metadata.jobChange.job.jobConfig.labels.looker_studio_datasource_id |
target.resource.attribute.labels[job_change_looker_studio_datasource_id] |
|
protoPayload.metadata.tableChange.table.tableName |
target.resource.attribute.labels[metadata_changedTable_name] |
|
protoPayload.metadata.tableCreation.table.expireTime |
target.resource.attribute.labels[metadata_creationTable_expire_time] |
|
protoPayload.request.body.settings.pricingPlan |
target.resource.attribute.labels[pricing_plan] |
|
resource.data.projectId |
target.resource.attribute.labels[projectId] |
|
resource.labels.instance_group_name |
target.resource.attribute.labels[rc_instance_groupName] |
|
resource.labels.method |
target.resource.attribute.labels[rc_method] |
|
protoPayload.resourceOriginalState.disabled |
target.resource.attribute.labels[rc_orgState_disabled] |
|
protoPayload.resourceOriginalState.enableLogging |
target.resource.attribute.labels[rc_orgState_enable_logging] |
|
protoPayload.resourceOriginalState.logconfig.enable |
target.resource.attribute.labels[rc_orgState_logconfig_enable] |
|
protoPayload.resourceOriginalState.selfLink |
target.resource.attribute.labels[rc_orgState_selflink] |
|
protoPayload.resourceOriginalState.sourceRanges |
target.resource.attribute.labels[rc_orgState_srcranges] |
|
protoPayload.resourceOriginalState.targetTags |
target.resource.attribute.labels[rc_orgState_target_tags] |
|
protoPayload.resourceOriginalState.@type |
target.resource.attribute.labels[rc_orgState_type] |
|
resource.labels.service |
target.resource.attribute.labels[rc_service] |
|
resource.labels.subnetwork_name |
target.resource.attribute.labels[rc_subnetwork_name] |
|
resource.labels.version |
target.resource.attribute.labels[rc_version] |
|
protoPayload.request.body.databaseVersion |
target.resource.attribute.labels[req_body_dbVersion] |
|
protoPayload.request.cluster.releaseChannel.channel |
target.resource.attribute.labels[req_cls_channel] |
|
protoPayload.request.cluster.addonsConfig.networkPolicyConfig.disabled |
target.resource.attribute.labels[req_cls_policy_config_disabled] |
|
protoPayload.request.reservationAffinity.consumeReservationType |
target.resource.attribute.labels[req_consumeReservation_type] |
|
protoPayload.request.disabled |
target.resource.attribute.labels[req_disabled] |
|
protoPayload.request.disks[].boot |
target.resource.attribute.labels[req_disk_boot] |
|
protoPayload.request.disks[].initializeParams.diskSizeGb |
target.resource.attribute.labels[req_disk_initialize_disk_size] |
|
protoPayload.request.disks[].initializeParams.diskType |
target.resource.attribute.labels[req_disk_initialize_disk_type] |
|
protoPayload.request.disks[].initializeParams.sourceImage |
target.resource.attribute.labels[req_disk_initialize_source_image] |
|
protoPayload.request.workloadIdentityPoolProvider.attributeCondition |
target.resource.attribute.labels[req_identityPool_attribute_condition] |
|
protoPayload.request.workloadIdentityPoolProvider.aws.accountId |
target.resource.attribute.labels[req_identityPool_aws_accountId] |
|
protoPayload.request.workloadIdentityPoolProvider.attributeMapping.attribute.aws_role |
target.resource.attribute.labels[req_identityPool_aws_role] |
|
protoPayload.request.workloadIdentityPool.description |
target.resource.attribute.labels[req_identityPool_description] |
|
protoPayload.request.workloadIdentityPool.disabled |
target.resource.attribute.labels[req_identityPool_disabled] |
|
protoPayload.request.workloadIdentityPoolProvider.displayName |
target.resource.attribute.labels[req_identityPool_displayName] |
|
protoPayload.request.workloadIdentityPoolProvider.attributeMapping.google.subject |
target.resource.attribute.labels[req_identityPool_googleSubject] |
|
protoPayload.request.workloadIdentityPoolProvider.disabled |
target.resource.attribute.labels[req_identityPool_provider_disabled] |
|
protoPayload.request.workloadIdentityPoolProviderId |
target.resource.attribute.labels[req_identityPool_providerId] |
|
protoPayload.request.instances[].instance |
target.resource.attribute.labels[req_instance] |
|
protoPayload.request.logconfig.enable |
target.resource.attribute.labels[req_logconfig_enable] |
|
protoPayload.serviceData.tabelDataListRequest.maxResults |
target.resource.attribute.labels[req_max_results] |
|
protoPayload.serviceData.jobGetQueryResultsRequest.maxResults |
target.resource.attribute.labels[req_max_results] |
|
protoPayload.request.maxResults |
target.resource.attribute.labels[req_max_results] |
|
protoPayload.request.name |
target.resource.attribute.labels[req_name] |
|
protoPayload.request.networkInterfaces[].accessConfig.name |
target.resource.attribute.labels[req_network_access_config_name] |
|
protoPayload.request.networkInterfaces[].accessConfig.networkTier |
target.resource.attribute.labels[req_network_access_config_network_tier] |
|
protoPayload.request.networkInterfaces[].accessConfig.type |
target.resource.attribute.labels[req_network_access_config_type] |
|
protoPayload.request.network |
target.resource.attribute.labels[req_network] |
|
protoPayload.request.network |
target.resource.attribute.labels[req_network] |
|
protoPayload.request.priority |
target.resource.attribute.labels[Request Priority] |
|
protoPayload.request.project |
target.resource.attribute.labels[req_project] |
|
protoPayload.request.role.stage |
target.resource.attribute.labels[req_role_stage] |
|
protoPayload.request.scheduling.automaticRestart |
target.resource.attribute.labels[req_scheduling_automatic_restart] |
|
protoPayload.request.scheduling.onHostMaintenance |
target.resource.attribute.labels[req_scheduling_on_host_mainten] |
|
protoPayload.request.scheduling.preemptible |
target.resource.attribute.labels[req_scheduling_preemptible] |
|
protoPayload.request.service_account.description |
target.resource.attribute.labels[req_serviceAcc_description] |
|
protoPayload.request.serviceAccounts[].email |
target.resource.attribute.labels[req_serviceAcc_email] |
|
protoPayload.request.policy.booleanPolicy.enforced |
target.resource.attribute.labels[request_constraint] |
|
protoPayload.response.email |
target.resource.attribute.labels[res_email] |
|
protoPayload.response.etag |
target.resource.attribute.labels[res_etag] |
|
protoPayload.response.name |
target.resource.attribute.labels[res_name] |
|
protoPayload.response.operationType |
target.resource.attribute.labels[response_operation_type] |
|
protoPayload.response.zone |
target.resource.attribute.labels[res_zone] |
|
resource.data.name |
target.resource.attribute.labels[resource_data_name] |
|
protoPayload.response.booleanPolicy.enforced |
target.resource.attribute.labels[response_enforce_policy] |
|
protoPayload.response.status |
target.resource.attribute.labels[response_status] |
|
protoPayload.response.status.conditions.message |
target.resource.attribute.labels[response_status] |
|
protoPayload.serviceData.permissionDelta.addedPermissions[] |
target.resource.attribute.labels[ser_added_perm] |
|
protoPayload.serviceData.policyDelta.bindingDeltas[].action |
target.resource.attribute.labels[ser_binding_deltas_action] |
|
protoPayload.serviceData.policyDelta.bindingDeltas[].member |
target.resource.attribute.labels[ser_binding_deltas_member] |
|
Referred this from default parser. |
target.resource.attribute.labels[ser_binding_deltas_member] |
|
protoPayload.serviceData.jobGetQueryResultsResponse.job.jobConfiguration.query.destinationTable.datasetId |
target.resource.attribute.labels[ser_destTable_datasetId] |
|
protoPayload.serviceData.jobGetQueryResultsResponse.job.jobConfiguration.query.destinationTable.projectId |
target.resource.attribute.labels[ser_destTable_projectId] |
|
protoPayload.serviceData.jobGetQueryResultsResponse.job.jobConfiguration.query.destinationTable.tableId |
target.resource.attribute.labels[ser_destTable_tableId] |
|
protoPayload.serviceData.jobGetQueryResultsResponse.job.jobStatistics.createTime |
target.resource.attribute.labels[ser_jobCreate_time] |
|
protoPayload.serviceData.jobGetQueryResultsResponse.job.jobName.jobId |
target.resource.attribute.labels[ser_req_jobId] |
|
protoPayload.serviceData.jobGetQueryResultsResponse.job.jobConfiguration.query.query |
target.resource.attribute.labels[ser_req_query] |
|
protoPayload.serviceData.jobGetQueryResultsResponse.job.jobConfiguration.query.createDisposotion |
target.resource.attribute.labels[ser_reqCreate_disposotion] |
|
protoPayload.serviceData.jobGetQueryResultsResponse.job.jobName.location |
target.resource.attribute.labels[ser_reqJob_location] |
|
protoPayload.serviceData.jobGetQueryResultsResponse.job.jobName.projectId |
target.resource.attribute.labels[ser_reqJob_projectid] |
|
protoPayload.serviceData.jobGetQueryResultsResponse.job.jobStatistics.startTime |
target.resource.attribute.labels[ser_reqJob_start_time] |
|
protoPayload.serviceData.jobGetQueryResultsResponse.job.jobStatus.state |
target.resource.attribute.labels[ser_reqJob_state] |
|
protoPayload.serviceData.jobGetQueryResultsResponse.job.jobStatistics.totalSlotMs |
target.resource.attribute.labels[ser_reqJob_total_slot_ms] |
|
protoPayload.serviceData.jobGetQueryResultsResponse.job.jobConfiguration.query.statementType |
target.resource.attribute.labels[ser_reqStatement_type] |
|
protoPayload.serviceData.jobGetQueryResultsResponse.job.jobConfiguration.query.writeDisposition |
target.resource.attribute.labels[ser_reqWrite_disposition] |
|
protoPayload.serviceData.tableInsertRequest.resource.view.query |
target.resource.attribute.labels[ser_tableInsert_query] |
|
protoPayload.serviceData.@type |
target.resource.attribute.labels[ser_type] |
|
protoPayload.request.sourceRanges[] |
target.resource.attribute.labels[source_ranges] |
|
protoPayload.request.body.settings.storageAutoResize |
target.resource.attribute.labels[storage_auto_resize] |
|
resource.labels.target_proxy_name |
target.resource.attribute.labels[target_proxy_name] |
|
protoPayload.request.body.settings.tier |
target.resource.attribute.labels[tier] |
|
resource.labels.url_map_name |
target.resource.attribute.labels[url_map_name] |
|
protoPayload.request.cluster.network |
target.resource_ancestors.attribute.labels[req_cls_network] |
|
protoPayload.request.cluster.nodePools[].management.autoRepair |
target.resource_ancestors.attribute.labels[req_clsNodePools_autorepair] |
|
protoPayload.request.body.settings.availabilityType |
target.resource.attributes.labels[resource_avaibilitytype] |
|
protoPayload.metadata.tableCreation.table.schemaJSON |
target.resource.attributes.labels[table_schemaJson] |
|
protoPayload.metadata.event.eventName.parameter.name[BIRTHDATE] |
target.user.attribute.labels[birthdate] |
|
protoPayload.metadata.event.eventName.parameter.name[PRIVILEGE_NAME] |
target.user.attribute.labels[privilege_name] |
|
protoPayload.metadata.event.eventName.parameter.name[USER_NICKNAME] |
target.user.attribute.labels[user_nickname] |
|
resource.type |
target.resource_ancestors.resource_type |
If the resource.type log field value matches the regular expression gce_(subnetwork or network), then the target.resource_ancestors.resource_type UDM field is set to VPC_NETWORK. If the resource.type log field value matches the regular expression dataproc, then the target.resource_ancestors.resource_type UDM field is set to CLUSTER. If the resource.type log field value matches the regular expression k8s or gke_, then the target.resource_ancestors.resource_type UDM field is set to CLUSTER. If the resource.type log field value matches the regular expression gce_(firewall or forwarding_rule), then the target.resource_ancestors.resource_type UDM field is set to FIREWALL_RULE. If the resource.type log field value matches the regular expression gce_backend_service, then the target.resource_ancestors.resource_type UDM field is set to BACKEND_SERVICE. If the resource.type log field value matches the regular expression (gce_ or dns_query), then the target.resource.resource_type UDM field is set to VIRTUAL_MACHINE. Further resource.type patterns and the resource type values they set: gcs_bucket: STORAGE_BUCKET; bigquery: DATABASE; cloudsql: DATABASE; service_account: SERVICE_ACCOUNT; project: CLOUD_PROJECT; CLOUD_PROJECT; organization: CLOUD_ORGANIZATION; UNSPECIFIED; resource.labels.project_id |
jsonPayload.end_time |
about.labels[jsonPayload_end_time] (deprecated) |
|
jsonPayload.packets_sent |
network.sent_packets |
|
jsonPayload.reporter |
about.labels[jsonPayload_reporter] (deprecated) |
|
jsonPayload.src_vpc.vpc_name |
principal.resource.name |
|
jsonPayload.src_vpc.project_id |
principal.resource.product_object_id |
|
jsonPayload.src_vpc.subnetwork_name |
principal.resource.attribute.labels[jsonPayload_src_vpc_subnetwork_name] |
|
jsonPayload.start_time |
about.labels[jsonPayload_start_time] (deprecated) |
|
jsonPayload.src_instance.region |
principal.location.name |
|
jsonPayload.src_instance.project_id |
principal.labels[jsonPayload_src_instance_project_id] (deprecated) |
|
jsonPayload.src_instance.zone |
principal.cloud.availability_zone |
|
resource.labels.subnetwork_id |
target.resource.attribute.labels[resource_labels_subnetwork_id] |
|
jsonPayload.dest_vpc.project_id |
target.resource.product_object_id |
|
jsonPayload.dest_vpc.subnetwork_name |
target.resource.attribute.labels[jsonPayload_src_vpc_subnetwork_name] |
|
jsonPayload.dest_vpc.vpc_name |
target.resource.name |
|
jsonPayload.dest_instance.region |
target.location.name |
|
jsonPayload.dest_instance.project_id |
target.labels[jsonPayload_dest_instance_project_id] (deprecated) |
|
jsonPayload.dest_instance.zone |
target.cloud.availability_zone |
|
jsonPayload.src_location.asn |
principal.labels[jsonPayload_src_location_asn] (deprecated) |
|
jsonPayload.src_location.city |
principal.location.city |
|
jsonPayload.src_location.continent |
principal.labels[jsonPayload_src_location_continent] (deprecated) |
|
jsonPayload.src_location.country |
principal.location.country_or_region |
|
jsonPayload.src_location.region |
principal.labels[jsonPayload_src_location_region] |
|
jsonPayload.dest_location.asn |
target.labels[jsonPayload_dest_location_asn] (deprecated) |
|
jsonPayload.dest_location.city |
target.location.city |
|
jsonPayload.dest_location.continent |
target.labels[jsonPayload_dest_location_continent] (deprecated) |
|
jsonPayload.dest_location.region |
target.labels[jsonPayload_dest_location_region] |
|
protoPayload.metadata.ingressViolations.servicePerimeter |
security_result.detection_fields[protoPayload_metadata_ingressViolations_serviceParameter] |
|
protoPayload.metadata.ingressViolations.source |
security_result.detection_fields[protoPayload_metadata_ingressViolations_source] |
|
protoPayload.metadata.ingressViolations.sourceType |
security_result.detection_fields[protoPayload_metadata_ingressViolations_sourceType] |
|
protoPayload.metadata.ingressViolations.targetResource |
security_result.detection_fields[protoPayload_metadata_ingressViolations_targetResource] |
|
protoPayload.request.subjects.name |
target.user.attribute.labels[subject_name] |
|
protoPayload.request.spec.containers.0.image |
target.process.command_line |
|
protoPayload.request.spec.containers.0.name |
target.resource.attribute.labels[name] |
|
protoPayload.request.spec.containers.0.terminationMessagePolicy |
target.resource.attribute.labels[terminationMessagePolicy] |
|
protoPayload.request.spec.containers.0.terminationMessagePath |
target.resource.attribute.labels[terminationMessagePath] |
|
protoPayload.request.spec.containers.0.imagePullPolicy |
target.resource.attribute.labels[imagePullPolicy] |
|
protoPayload.request.spec.dnsPolicy |
target.resource.attribute.labels[imagePullPolicy] |
|
protoPayload.request.spec.enableServiceLinks |
target.resource.attribute.labels[enableServiceLinks] |
|
protoPayload.request.spec.restartPolicy |
target.resource.attribute.labels[restartPolicy] |
|
protoPayload.request.spec.schedulerName |
target.resource.attribute.labels[schedulerName] |
|
protoPayload.request.spec.terminationGracePeriodSeconds |
target.resource.attribute.labels[protoPayload_request_spec_terminationGracePeriodSeconds] |
|
protoPayload.request.metadata.namespace |
principal.namespace |
|
protoPayload.request.apiVersion |
target.resource.attribute.labels[request apiVersion] |
|
protoPayload.request.kind |
target.resource.attribute.labels[request.kind] |
|
protoPayload.request.metadata.name |
target.resource.attribute.labels[request.metadata.name] |
|
labels.mutation.webhook.admission.k8s.io/round_0_index_0 |
security_result.about.resource.attribute.labels[labels_round_0_index_0] |
|
protoPayload.request.spec.containers.0.args |
about.file.capabilities_tags |
|
protoPayload.request.properties.disks.0.initializeParams.diskSizeGb |
principal.resource.attribute.labels[diskSizeGb] |
|
protoPayload.request.properties.disks.0.initializeParams.diskType |
principal.resource.attribute.labels[diskType] |
|
protoPayload.request.properties.disks.0.initializeParams.guestOsFeatures.0.type |
principal.resource.attribute.labels[guestOsFeatures type] |
|
protoPayload.request.properties.disks.0.initializeParams.labels.0.key |
principal.resource.attribute.labels[protoPayload.request.properties.disks.0.initializeParams.labels.0.key] |
|
protoPayload.request.properties.disks.0.initializeParams.sourceImage |
principal.resource.attribute.labels[sourceImage] |
|
protoPayload.request.properties.disks.0.type |
principal.resource.attribute.labels[disks Type] |
|
key_id |
security_result.detection_fields[key_id] |
The key_id field value is extracted from the message log field using a Grok pattern. |
protoPayload.request.securityHealthAnalyticsSettings.modules.PUBLIC_BUCKET_ACL.moduleEnablementState |
target.resource.attribute.labels[PUBLIC_BUCKET_ACL_module_enablement_state] |
|
protoPayload.response.serviceEnablementState |
target.resource.attribute.labels[service_enablement_state] |
|
protoPayload.request.metadata.creationTimestamp |
target.resource.attribute.creation_time |
|
protoPayload.request.metadata.labels.trivy.automatic.created |
target.resource.attribute.labels[req_metadata_trivy_automatic_created] |
|
protoPayload.request.metadata.labels.trivy.collector.name |
target.resource.attribute.labels[req_metadata_trivy_collector_name] |
|
protoPayload.request.metadata.labels.trivy.resource.kind |
target.resource.attribute.labels[req_metadata_trivy_resource_kind] |
|
protoPayload.request.metadata.labels.trivy.resource.name |
target.resource.attribute.labels[req_metadata_trivy_resource_name] |
|
protoPayload.request.spec.backoffLimit |
target.resource.attribute.labels[req_spec_backoff_limit] |
|
protoPayload.request.spec.completionMode |
target.resource.attribute.labels[req_spec_completion_mode] |
|
protoPayload.request.spec.completions |
target.resource.attribute.labels[req_spec_completions] |
|
protoPayload.request.spec.parallelism |
target.resource.attribute.labels[req_spec_parallelism] |
|
protoPayload.request.spec.suspend |
target.resource.attribute.labels[req_spec_suspend] |
|
protoPayload.request.spec.template.metadata.creationTimestamp |
target.resource.attribute.labels[req_spec_template_metadata_creation_time] |
|
protoPayload.request.spec.template.metadata.labels.app |
target.resource.attribute.labels[req_spec_template_metadata_app] |
|
protoPayload.request.spec.template.spec.automountServiceAccountToken |
target.resource.attribute.labels[req_spec_template_spec_automount_service_account_token] |
|
protoPayload.request.spec.template.spec.containers.command |
target.resource_ancestors.attribute.labels[req_spec_template_spec_container_command] |
|
protoPayload.request.spec.template.spec.containers.image |
target.resource_ancestors.attribute.labels[req_spec_template_spec_container_image] |
|
protoPayload.request.spec.template.spec.containers.imagePullPolicy |
target.resource_ancestors.attribute.labels[req_spec_template_spec_container_image_pull_policy] |
|
protoPayload.request.spec.template.spec.containers.name |
target.resource_ancestors.name |
|
protoPayload.request.spec.template.spec.containers.resources.limits.cpu |
target.resource_ancestors.attribute.labels[req_spec_template_spec_container_resource_limits_cpu] |
|
protoPayload.request.spec.template.spec.containers.resources.limits.memory |
target.resource_ancestors.attribute.labels[req_spec_template_spec_container_resource_limits_memory] |
|
protoPayload.request.spec.template.spec.containers.resources.requests.cpu |
target.resource_ancestors.attribute.labels[req_spec_template_spec_container_resource_request_cpu] |
|
protoPayload.request.spec.template.spec.containers.resources.requests.memory |
target.resource_ancestors.attribute.labels[req_spec_template_spec_container_resource_request_memory] |
|
protoPayload.request.spec.template.spec.containers.securityContext.allowPrivilegeEscalation |
target.resource_ancestors.attribute.labels[req_spec_template_spec_container_security_context_allow_privilege_escalation] |
|
protoPayload.request.spec.template.spec.containers.securityContext.capabilities.drop |
target.resource_ancestors.attribute.labels[req_spec_template_spec_container_security_context_capabilities_drop] |
|
protoPayload.request.spec.template.spec.containers.securityContext.privileged |
target.resource_ancestors.attribute.labels[req_spec_template_spec_container_security_context_privileged] |
|
protoPayload.request.spec.template.spec.containers.securityContext.readOnlyRootFilesystem |
target.resource_ancestors.attribute.labels[req_spec_template_spec_container_security_context_read_only_root_filesystem] |
|
protoPayload.request.spec.template.spec.containers.terminationMessagePath |
target.resource_ancestors.attribute.labels[req_spec_template_spec_container_termination_message_path] |
|
protoPayload.request.spec.template.spec.containers.terminationMessagePolicy |
target.resource_ancestors.attribute.labels[req_spec_template_spec_container_termination_message_policy] |
|
protoPayload.request.spec.template.spec.containers.volumeMounts.mountPath |
target.resource_ancestors.attribute.labels[req_spec_template_spec_container_volume_mounts_mount_path] |
|
protoPayload.request.spec.template.spec.containers.volumeMounts.name |
target.resource_ancestors.attribute.labels[req_spec_template_spec_container_volume_mounts_name] |
|
protoPayload.request.spec.template.spec.containers.volumeMounts.readOnly |
target.resource_ancestors.attribute.labels[req_spec_template_spec_container_volume_mounts_readonly] |
|
protoPayload.request.spec.template.spec.dnsPolicy |
target.resource.attribute.labels[req_spec_template_spec_dns_policy] |
|
protoPayload.request.spec.template.spec.hostPID |
target.resource.attribute.labels[req_spec_template_spec_host_pid] |
|
protoPayload.request.spec.template.spec.restartPolicy |
target.resource.attribute.labels[req_spec_template_spec_restart_policy] |
|
protoPayload.request.spec.template.spec.schedulerName |
target.resource.attribute.labels[req_spec_template_spec_scheduler_name] |
|
protoPayload.request.spec.template.spec.securityContext.runAsGroup |
target.resource.attribute.labels[req_spec_template_spec_security_context_run_as_group] |
|
protoPayload.request.spec.template.spec.securityContext.runAsUser |
target.resource.attribute.labels[req_spec_template_spec_security_context_run_as_user] |
|
protoPayload.request.spec.template.spec.securityContext.seccompProfile.type |
target.resource.attribute.labels[req_spec_template_spec_security_context_seccomp_profile_type] |
|
protoPayload.request.spec.template.spec.terminationGracePeriodSeconds |
target.resource.attribute.labels[req_spec_template_spec_termination_grace_period_seconds] |
|
protoPayload.request.spec.template.spec.volumes.hostPath.path |
target.resource.attribute.labels[req_spec_template_spec_volumes_host_path] |
|
protoPayload.request.spec.template.spec.volumes.hostPath.type |
target.resource.attribute.labels[req_spec_template_spec_volumes_host_path_type] |
|
protoPayload.request.spec.template.spec.volumes.name |
target.resource.attribute.labels[req_spec_template_spec_volumes_name] |
|
protoPayload.request.spec.automountServiceAccountToken |
target.resource.attribute.labels[req_spec_automount_service_account_token] |
|
protoPayload.request.spec.containers.command |
target.resource.attribute.labels[req_spec_container_command] |
|
protoPayload.request.spec.containers.securityContext.privileged |
target.resource.attribute.labels[req_spec_container_security_context_privileged] |
|
protoPayload.request.spec.containers.securityContext.allowPrivilegeEscalation |
target.resource.attribute.labels[req_spec_container_security_context_allow_privilege_escalation] |
|
protoPayload.request.spec.containers.securityContext.readOnlyRootFilesystem |
target.resource.attribute.labels[req_spec_container_security_context_read_only_root_filesystem] |
|
protoPayload.request.spec.containers.securityContext.capabilities.drop |
target.resource.attribute.labels[req_spec_container_security_context_capabilities_drop] |
|
protoPayload.request.spec.containers.volumeMounts.mountPath |
target.resource.attribute.labels[req_spec_container_volume_mount_path] |
|
protoPayload.request.spec.containers.volumeMounts.name |
target.resource.attribute.labels[req_spec_container_volume_mount_name] |
|
protoPayload.request.spec.containers.volumeMounts.readOnly |
target.resource.attribute.labels[req_spec_container_volume_mount_read_only] |
|
protoPayload.request.metadata.annotations.deprecated.daemonset.template.generation |
target.resource.attribute.labels[req_metadata_annotations_deprecated_daemonset_template_generation] |
|
protoPayload.request.metadata.labels.app |
target.resource.attribute.labels[req_metadata_app] |
|
protoPayload.request.metadata.labels.type |
target.resource.attribute.labels[req_metadata_labels_type] |
|
protoPayload.request.spec.serviceAccount |
target.resource.attribute.labels[req_spec_service_account] |
|
protoPayload.request.spec.serviceAccountName |
target.resource.attribute.labels[req_spec_serivce_account_name] |
|
protoPayload.request.spec.hostIPC |
target.resource.attribute.labels[req_spec_host_ipc] |
|
protoPayload.request.spec.hostNetwork |
target.resource.attribute.labels[req_spec_host_network] |
|
protoPayload.request.spec.hostPID |
target.resource.attribute.labels[req_spec_host_pid] |
|
protoPayload.request.spec.nodeName |
target.resource.attribute.labels[req_spec_node_name] |
|
protoPayload.request.spec.securityContext.privileged |
target.resource.attribute.labels[req_spec_security_context_privileged] |
|
protoPayload.request.spec.securityContext.allowPrivilegeEscalation |
target.resource.attribute.labels[req_spec_security_context_allow_privilege_escalation] |
|
protoPayload.request.spec.securityContext.readOnlyRootFilesystem |
target.resource.attribute.labels[req_spec_security_context_read_only_root_filesystem] |
|
protoPayload.request.spec.securityContext.capabilities.drop |
target.resource.attribute.labels[req_spec_security_context_capabilities_drop] |
|
protoPayload.request.spec.volumes.hostPath.path |
target.resource.attribute.labels[req_spec_volume_host_path] |
|
protoPayload.request.spec.volumes.hostPath.type |
target.resource.attribute.labels[req_spec_volume_host_path_type] |
|
protoPayload.request.spec.volumes.name |
target.resource.attribute.labels[req_spec_volume_name] |
|
protoPayload.request.spec.revisionHistoryLimit |
target.resource.attribute.labels[req_spec_revision_history_limit] |
|
protoPayload.request.spec.selector.matchLabels.app |
target.resource.attribute.labels[req_spec_selector_match_label_app] |
|
protoPayload.request.spec.selector.matchLabels.type |
target.resource.attribute.labels[req_spec_selector_match_label_type] |
|
protoPayload.request.spec.template.metadata.labels.type |
target.resource.attribute.labels[req_spec_template_metadata_labels_type] |
|
protoPayload.request.spec.template.spec.containers.args |
target.resource.attribute.labels[req_spec_template_spec_container_arg] |
|
protoPayload.request.spec.template.spec.hostIPC |
target.resource.attribute.labels[req_spec_template_spec_host_ipc] |
|
protoPayload.request.spec.template.spec.hostNetwork |
target.resource.attribute.labels[req_spec_template_spec_host_network] |
|
protoPayload.request.spec.updateStrategy.rollingUpdate.maxSurge |
target.resource.attribute.labels[req_spec_update_strategy_rolling_update_max_surge] |
|
protoPayload.request.spec.updateStrategy.rollingUpdate.maxUnavailable |
target.resource.attribute.labels[req_spec_update_strategy_rolling_update_max_unavailable] |
|
protoPayload.request.spec.updateStrategy.type |
target.resource.attribute.labels[req_spec_update_strategy_type] |
|
protoPayload.request.status.currentNumberScheduled |
target.resource.attribute.labels[req_status_current_number_scheduled] |
|
protoPayload.request.status.desiredNumberScheduled |
target.resource.attribute.labels[req_status_desired_number_scheduled] |
|
protoPayload.request.status.numberMisscheduled |
target.resource.attribute.labels[req_status_number_miss_scheduled] |
|
protoPayload.request.status.numberReady |
target.resource.attribute.labels[req_status_number_ready] |
|
protoPayload.response.@type |
target.resource.attribute.labels[res_type] |
|
protoPayload.response.apiVersion |
target.resource.attribute.labels[res_api_version] |
|
protoPayload.response.metadata.annotations.deprecated.daemonset.template.generation |
target.resource.attribute.labels[res_metadata_annotations_deprecated_daemonset_template_generation] |
|
protoPayload.response.metadata.generation |
target.resource.attribute.labels[res_metadata_generation] |
|
protoPayload.response.metadata.labels.type |
target.resource.attribute.labels[res_metadata_labels_type] |
|
protoPayload.response.metadata.labels.app |
target.resource.attribute.labels[res_metadata_label_app] |
|
protoPayload.response.metadata.creationTimestamp |
target.resource.attribute.labels[res_metadata_creation_time] |
|
protoPayload.response.metadata.name |
target.resource.attribute.labels[res_metadata_name] |
|
protoPayload.response.metadata.namespace |
target.resource.attribute.labels[res_metadata_namespace] |
|
protoPayload.response.metadata.resourceVersion |
target.resource.attribute.labels[res_metadata_resource_version] |
|
protoPayload.response.metadata.uid |
target.resource.attribute.labels[res_metadata_uid] |
|
protoPayload.response.spec.revisionHistoryLimit |
target.resource.attribute.labels[res_spec_revision_history_limit] |
|
protoPayload.response.spec.selector.matchLabels.app |
target.resource.attribute.labels[res_spec_selector_match_label_app] |
|
protoPayload.response.spec.selector.matchLabels.type |
target.resource.attribute.labels[res_spec_selector_match_label_type] |
|
protoPayload.response.spec.template.metadata.creationTimestamp |
target.resource.attribute.labels[res_spec_template_metadata_creation_time] |
|
protoPayload.response.spec.template.metadata.labels.app |
target.resource.attribute.labels[res_spec_template_metadata_app] |
|
protoPayload.response.spec.template.metadata.labels.type |
target.resource.attribute.labels[res_spec_template_metadata_type] |
|
protoPayload.response.spec.template.spec.containers.args |
target.resource_ancestors.attribute.labels[res_spec_template_spec_container_arg] |
|
protoPayload.response.spec.template.spec.containers.command |
target.resource_ancestors.attribute.labels[res_spec_template_spec_container_command] |
|
protoPayload.response.spec.template.spec.containers.image |
target.resource_ancestors.attribute.labels[res_spec_template_spec_container_image] |
|
protoPayload.response.spec.template.spec.containers.imagePullPolicy |
target.resource_ancestors.attribute.labels[res_spec_template_spec_container_image_pull_policy] |
|
protoPayload.response.spec.template.spec.containers.name |
target.resource_ancestors.name |
|
protoPayload.response.spec.template.spec.containers.resources.limits.cpu |
target.resource_ancestors.attribute.labels[res_spec_template_spec_container_resource_limits_cpu] |
|
protoPayload.response.spec.template.spec.containers.resources.limits.memory |
target.resource_ancestors.attribute.labels[res_spec_template_spec_container_resource_limits_memory] |
|
protoPayload.response.spec.template.spec.containers.resources.requests.cpu |
target.resource_ancestors.attribute.labels[res_spec_template_spec_container_resource_request_cpu] |
|
protoPayload.response.spec.template.spec.containers.resources.requests.memory |
target.resource_ancestors.attribute.labels[res_spec_template_spec_container_resource_request_memory] |
|
protoPayload.response.spec.template.spec.containers.securityContext.privileged |
target.resource_ancestors.attribute.labels[res_spec_template_spec_container_security_context_privileged] |
|
protoPayload.response.spec.template.spec.containers.securityContext.allowPrivilegeEscalation |
target.resource_ancestors.attribute.labels[res_spec_template_spec_container_security_context_allow_privilege_escalation] |
|
protoPayload.response.spec.template.spec.containers.securityContext.readOnlyRootFilesystem |
target.resource_ancestors.attribute.labels[res_spec_template_spec_container_security_context_read_only_root_filesystem] |
|
protoPayload.response.spec.template.spec.containers.securityContext.capabilities.drop |
target.resource_ancestors.attribute.labels[res_spec_template_spec_container_security_context_capabilities_drop] |
|
protoPayload.response.spec.template.spec.containers.terminationMessagePath |
target.resource_ancestors.attribute.labels[res_spec_template_spec_container_termination_message_path] |
|
protoPayload.response.spec.template.spec.containers.terminationMessagePolicy |
target.resource_ancestors.attribute.labels[res_spec_template_spec_container_termination_message_policy] |
|
protoPayload.response.spec.template.spec.containers.volumeMounts.mountPath |
target.resource_ancestors.attribute.labels[res_spec_template_spec_container_volume_mounts_mount_path] |
|
protoPayload.response.spec.template.spec.containers.volumeMounts.name |
target.resource_ancestors.attribute.labels[res_spec_template_spec_container_volume_mounts_name] |
|
protoPayload.response.spec.template.spec.containers.volumeMounts.readOnly |
target.resource_ancestors.attribute.labels[res_spec_template_spec_container_volume_mounts_read_only] |
|
protoPayload.response.spec.template.spec.dnsPolicy |
target.resource.attribute.labels[res_spec_template_spec_dns_policy] |
|
protoPayload.response.spec.template.spec.hostIPC |
target.resource.attribute.labels[res_spec_template_spec_host_pid] |
|
protoPayload.response.spec.template.spec.hostNetwork |
target.resource.attribute.labels[res_spec_template_spec_host_network] |
|
protoPayload.response.spec.template.spec.hostPID |
target.resource.attribute.labels[res_spec_template_spec_host_ipc] |
|
protoPayload.response.spec.template.spec.nodeName |
target.resource.attribute.labels[res_spec_template_spec_node_name] |
|
protoPayload.response.spec.template.spec.restartPolicy |
target.resource.attribute.labels[res_spec_template_spec_restart_policy] |
|
protoPayload.response.spec.template.spec.schedulerName |
target.resource.attribute.labels[res_spec_template_spec_scheduler_name] |
|
protoPayload.response.spec.template.spec.securityContext.runAsGroup |
target.resource.attribute.labels[res_spec_template_spec_security_context_run_as_group] |
|
protoPayload.response.spec.template.spec.securityContext.runAsUser |
target.resource.attribute.labels[res_spec_template_spec_security_context_run_as_user] |
|
protoPayload.response.spec.template.spec.securityContext.seccompProfile.type |
target.resource.attribute.labels[res_spec_template_spec_security_context_seccomp_profile_type] |
|
protoPayload.response.spec.template.spec.terminationGracePeriodSeconds |
target.resource.attribute.labels[res_spec_template_spec_termination_grace_period_seconds] |
|
protoPayload.response.spec.template.spec.volumes.hostPath.path |
target.resource.attribute.labels[res_spec_template_spec_volumes_host_path] |
|
protoPayload.response.spec.template.spec.volumes.hostPath.type |
target.resource.attribute.labels[res_spec_template_spec_volumes_host_path_type] |
|
protoPayload.response.spec.template.spec.volumes.name |
target.resource.attribute.labels[res_spec_template_spec_volumes_name] |
|
protoPayload.response.spec.updateStrategy.rollingUpdate.maxSurge |
target.resource.attribute.labels[res_spec_update_strategy_rolling_update_max_surge] |
|
protoPayload.response.spec.updateStrategy.rollingUpdate.maxUnavailable |
target.resource.attribute.labels[res_spec_update_strategy_rolling_update_max_unavailable] |
|
protoPayload.response.spec.updateStrategy.type |
target.resource.attribute.labels[res_spec_update_strategy_type] |
|
protoPayload.response.spec.containers.args |
target.resource_ancestors.attribute.labels[res_spec_container_arg] |
|
protoPayload.response.spec.containers.command |
target.resource_ancestors.attribute.labels[res_spec_container_command] |
|
protoPayload.response.spec.containers.image |
target.resource_ancestors.attribute.labels[res_spec_container_image] |
|
protoPayload.response.spec.containers.imagePullPolicy |
target.resource_ancestors.attribute.labels[res_spec_container_image_pull_policy] |
|
protoPayload.response.spec.containers.name |
target.resource_ancestors.name |
|
protoPayload.response.spec.containers.securityContext.privileged |
target.resource_ancestors.attribute.labels[res_spec_container_security_context_privileged] |
|
protoPayload.response.spec.containers.securityContext.allowPrivilegeEscalation |
target.resource_ancestors.attribute.labels[res_spec_container_security_context_allow_privilege_escalation] |
|
protoPayload.response.spec.containers.securityContext.readOnlyRootFilesystem |
target.resource_ancestors.attribute.labels[res_spec_container_security_context_read_only_root_filesystem] |
|
protoPayload.response.spec.containers.securityContext.capabilities.drop |
target.resource_ancestors.attribute.labels[res_spec_container_security_context_capabilities_drop] |
|
protoPayload.response.spec.containers.terminationMessagePath |
target.resource_ancestors.attribute.labels[res_spec_container_termination_message_path] |
|
protoPayload.response.spec.containers.terminationMessagePolicy |
target.resource_ancestors.attribute.labels[res_spec_container_termination_message_policy] |
|
protoPayload.response.spec.containers.volumeMounts.mountPath |
target.resource_ancestors.attribute.labels[res_spec_container_volume_mount_path] |
|
protoPayload.response.spec.containers.volumeMounts.name |
target.resource_ancestors.attribute.labels[res_spec_container_volume_mount_name] |
|
protoPayload.response.spec.containers.volumeMounts.readOnly |
target.resource_ancestors.attribute.labels[res_spec_container_volume_mount_read_only] |
|
protoPayload.response.spec.dnsPolicy |
target.resource.attribute.labels[res_spec_dns_policy] |
|
protoPayload.response.spec.enableServiceLinks |
target.resource.attribute.labels[res_spec_enable_service_links] |
|
protoPayload.response.spec.hostIPC |
target.resource.attribute.labels[res_spec_host_ipc] |
|
protoPayload.response.spec.hostNetwork |
target.resource.attribute.labels[res_spec_host_network] |
|
protoPayload.response.spec.hostPID |
target.resource.attribute.labels[res_spec_host_pid] |
|
protoPayload.response.spec.nodeName |
target.resource.attribute.labels[res_spec_node_name] |
|
protoPayload.response.spec.preemptionPolicy |
target.resource.attribute.labels[res_spec_preemption_policy] |
|
protoPayload.response.spec.priority |
target.resource.attribute.labels[res_spec_priority] |
|
protoPayload.response.spec.restartPolicy |
target.resource.attribute.labels[res_spec_restart_policy] |
|
protoPayload.response.spec.schedulerName |
target.resource.attribute.labels[res_spec_scheduler_name] |
|
protoPayload.response.spec.serviceAccount |
target.resource.attribute.labels[res_spec_service_account] |
|
protoPayload.response.spec.serviceAccountName |
target.resource.attribute.labels[res_spec_serivce_account_name] |
|
protoPayload.response.spec.terminationGracePeriodSeconds |
target.resource.attribute.labels[res_spec_termination_grace_period_seconds] |
|
protoPayload.response.spec.tolerations.effect |
target.resource.attribute.labels[res_spec_toleration_effect] |
|
protoPayload.response.spec.tolerations.key |
target.resource.attribute.labels[res_spec_toleration_key] |
|
protoPayload.response.spec.tolerations.operator |
target.resource.attribute.labels[res_spec_toleration_operator] |
|
protoPayload.response.spec.tolerations.tolerationSeconds |
target.resource.attribute.labels[res_spec_toleration_second] |
|
protoPayload.response.spec.volumes.hostPath.path |
target.resource.attribute.labels[res_spec_volume_host_path] |
|
protoPayload.response.spec.volumes.hostPath.type |
target.resource.attribute.labels[res_spec_volume_host_path_type] |
|
protoPayload.response.spec.volumes.name |
target.resource.attribute.labels[res_spec_volume_name] |
|
protoPayload.response.spec.volumes.projected.defaultMode |
target.resource.attribute.labels[res_spec_volume_projected_default_mode] |
|
protoPayload.response.spec.volumes.projected.sources.serviceAccountToken.expirationSeconds |
target.resource.attribute.labels[res_spec_volume_projected_src_service_acc_token_ecpiration_sec] |
|
protoPayload.response.spec.volumes.projected.sources.serviceAccountToken.path |
target.resource.attribute.labels[res_spec_volume_projected_src_service_acc_token_path] |
|
protoPayload.response.spec.volumes.projected.sources.configMap.items.key |
target.resource.attribute.labels[res_spec_volume_projected_src_config_map_item_key] |
|
protoPayload.response.spec.volumes.projected.sources.configMap.items.path |
target.resource.attribute.labels[res_spec_volume_projected_src_config_map_item_path] |
|
protoPayload.response.spec.volumes.projected.sources.configMap.name |
target.resource.attribute.labels[res_spec_volume_projected_src_config_map_name] |
|
protoPayload.response.spec.volumes.projected.sources.downwardAPI.items.fieldRef.apiVersion |
target.resource.attribute.labels[res_spec_volume_projected_src_downward_api_item_field_ref_api_version] |
|
protoPayload.response.spec.volumes.projected.sources.downwardAPI.items.fieldRef.fieldPath |
target.resource.attribute.labels[res_spec_volume_projected_src_downward_api_item_field_ref_field_path] |
|
protoPayload.response.spec.volumes.projected.sources.downwardAPI.items.path |
target.resource.attribute.labels[res_spec_volume_projected_src_downward_api_item_path] |
|
protoPayload.response.status.phase |
target.resource.attribute.labels[res_status_phase] |
|
protoPayload.response.status.qosClass |
target.resource.attribute.labels[res_status_qos_class] |
|
protoPayload.response.status.currentNumberScheduled |
target.resource.attribute.labels[res_status_current_number_scheduled] |
|
protoPayload.response.status.desiredNumberScheduled |
target.resource.attribute.labels[res_status_desired_number_scheduled] |
|
protoPayload.response.status.numberMisscheduled |
target.resource.attribute.labels[res_status_number_miss_scheduled] |
|
protoPayload.response.status.numberReady |
target.resource.attribute.labels[res_status_number_ready] |
|
protoPayload.serviceData.jobCompletedEvent.job.jobConfiguration.labels.requestor |
target.resource.attribute.labels[ser_jobconf_requestor] |
|
protoPayload.serviceData.jobCompletedEvent.job.jobConfiguration.labels.looker_studio_datasource_id |
target.resource.attribute.labels[ser_jobconf_looker_studio_datasource_id] |
|
protoPayload.serviceData.jobCompletedEvent.job.jobConfiguration.labels.looker_studio_report_id |
target.resource.attribute.labels[ser_jobconf_looker_studio_report_id] |
|
labels.authorization.k8s.io/decision |
security_result.action |
If the labels.authorization.k8s.io/decision log field value is equal to allow, then the security_result.action UDM field is set to ALLOW. Else, if the labels.authorization.k8s.io/decision log field value is equal to block, then the security_result.action UDM field is set to BLOCK. |
labels.pod-security.kubernetes.io/enforce-policy |
security_result.detection_fields[pod_security_kubernetes_io_enforce_policy] |
|
labels.authorization.k8s.io/reason |
security_result.action_details |
|
protoPayload.request.roleRef.apiGroup |
target.user.attribute.labels[req_role_ref_api_group] |
|
protoPayload.request.roleRef.kind |
target.user.attribute.labels[req_role_ref_kind] |
|
protoPayload.request.roleRef.name |
target.user.attribute.roles.name |
|
protoPayload.request.subjects.apiGroup |
target.user.attribute.labels[req_subject_api_group] |
|
protoPayload.request.subjects.kind |
target.user.attribute.labels[req_subject_kind] |
|
protoPayload.request.rules.apiGroups |
security_result.rule_labels[req_rule_api_group] |
|
protoPayload.request.rules.resources |
security_result.rule_labels[req_rule_resource] |
|
protoPayload.request.rules.verbs |
security_result.rule_labels[req_rule_verb] |
|
protoPayload.request.rules.resourceNames |
security_result.rule_labels[req_rule_resource_name] |
|
protoPayload.response.metadata.managedFields.apiVersion |
target.resource.attribute.labels[res_managed_field_api_version] |
|
protoPayload.response.metadata.managedFields.fieldsType |
target.resource.attribute.labels[res_managed_field_type] |
|
protoPayload.response.metadata.managedFields.manager |
target.resource.attribute.labels[res_managed_field_manager] |
|
protoPayload.response.metadata.managedFields.operation |
target.resource.attribute.labels[res_managed_field_operation] |
|
protoPayload.response.metadata.managedFields.time |
target.resource.attribute.labels[res_managed_field_time] |
|
protoPayload.request.spec.containers.securityContext.capabilities.add |
target.resource_ancestors.attribute.labels[req_spec_container_security_context_capabilities_add] |
|
protoPayload.request.spec.containers.securityContext.seccompProfile.type |
target.resource_ancestors.attribute.labels[req_spec_container_security_context_seccomp_profile_type] |
|
protoPayload.request.spec.shareProcessNamespace |
target.resource.attribute.labels[req_spec_share_process_namespace] |
|
protoPayload.response.spec.containers.securityContext.capabilities.add |
target.resource_ancestors.attribute.labels[res_spec_container_security_context_capabilities_add] |
|
protoPayload.response.spec.containers.securityContext.seccompProfile.type |
target.resource_ancestors.attribute.labels[res_spec_container_security_context_seccomp_profile_type] |
|
protoPayload.response.spec.shareProcessNamespace |
target.resource.attribute.labels[res_spec_share_process_namespace] |
|
protoPayload.metadata.membershipDelta.member |
target.resource.attribute.labels[membership_delta_member] |
|
protoPayload.metadata.membershipDelta.roleDeltas.action |
target.resource.attribute.labels[membership_role_deltas_action] |
|
protoPayload.metadata.membershipDelta.roleDeltas.role |
target.resource.attribute.labels[membership_role_deltas_role] |
|
protoPayload.request.spec.resourceAttributes.namespace |
target.resource.attribute.labels[req_spec_resource_attribute_namespace] |
|
protoPayload.request.spec.resourceAttributes.resource |
target.resource.attribute.labels[req_spec_resource_attribute_resource] |
|
protoPayload.request.spec.resourceAttributes.verb |
target.resource.attribute.labels[req_spec_resource_attribute_verb] |
|
protoPayload.request.status.allowed |
target.resource.attribute.labels[req_status_allowed] |
|
protoPayload.response.spec.resourceAttributes.namespace |
target.resource.attribute.labels[res_spec_resource_attribute_namespace] |
|
protoPayload.response.spec.resourceAttributes.resource |
target.resource.attribute.labels[res_spec_resource_attribute_resource] |
|
protoPayload.response.spec.resourceAttributes.verb |
target.resource.attribute.labels[res_spec_resource_attribute_verb] |
|
protoPayload.response.status.allowed |
target.resource.attribute.labels[res_status_allowed] |
|
protoPayload.request.objects.db |
additional.fields[database_name] |
|
jsonPayload.accesses.methodName |
additional.fields[methodName] |
|
protoPayload.request.objects.name |
additional.fields[objects_name] |
|
protoPayload.metadata.event.eventName.parameter.name[API_CLIENT_NAME] |
additional.fields[api_client_name] |
|
protoPayload.metadata.event.eventName.parameter.name[API_SCOPES] |
additional.fields[api_scopes] |
|
protoPayload.metadata.event.eventName.parameter.name[BEGIN_DATE_TIME] |
additional.fields[begin_date_time] |
|
protoPayload.metadata.event.eventName.parameter.name[BULK_UPLOAD_FAIL_USERS_NUMBER] |
additional.fields[bulk_upload_fail_users_number] |
|
protoPayload.metadata.event.eventName.parameter.name[BULK_UPLOAD_TOTAL_USERS_NUMBER] |
additional.fields[bulk_upload_total_users_number] |
|
protoPayload.metadata.event.eventName.parameter.name[CAA_ASSIGNMENTS_NEW] |
additional.fields[caa_assignments_new] |
|
protoPayload.metadata.event.eventName.parameter.name[CAA_ASSIGNMENTS_OLD] |
additional.fields[caa_assignments_old] |
|
protoPayload.metadata.event.eventName.parameter.name[CAA_ENFORCEMENT_ENDPOINTS_NEW] |
additional.fields[caa_enforcement_endpoints_new] |
|
protoPayload.metadata.event.eventName.parameter.name[CAA_ENFORCEMENT_ENDPOINTS_OLD] |
additional.fields[caa_enforcement_endpoints_old] |
|
protoPayload.requestMetadata.requestAttributes.size |
additional.fields[caller_network_request_size] |
|
protoPayload.requestMetadata.requestAttributes.time |
additional.fields[caller_network_request_time] |
|
protoPayload.requestMetadata.callerNetwork |
additional.fields[caller_network] |
|
protoPayload.requestMetadata.requestAttributes.size |
additional.fields[caller_network_request_size] |
|
protoPayload.requestMetadata.requestAttributes.time |
additional.fields[request_attributes_time] |
|
protoPayload.requestMetadata.callerNetwork |
additional.fields[caller_network] |
|
protoPayload.metadata.event.eventName.parameter.name[CHROME_LICENSES_ENABLED] |
additional.fields[chrome_licenses_enabled] |
|
protoPayload.metadata.event.eventName.parameter.name[END_DATE_TIME] |
additional.fields[end_date_time] |
|
protoPayload.metadata.event.eventName.parameter.name[END_DATE] |
additional.fields[end_date] |
|
protoType.metadata.event.eventName |
additional.fields[event_name] |
|
protoPayload.metadata.event.parameter.label |
additional.fields[event_param_label] |
|
protoPayload.metadata.event.parameter.type |
additional.fields[event_param_type] |
|
protoType.metadata.event.eventType |
additional.fields[event_type] |
|
protoPayload.metadata.event.eventName.parameter.name[FIELD_NAME] |
additional.fields[field_name] |
|
protoPayload.metadata.event.eventName.parameter.name[FULL_ORG_UNIT_PATH] |
additional.fields[full_org_unit_path] |
|
protoPayload.metadata.event.eventName.parameter.name[GROUP_MEMBER_BULK_UPLOAD_FAILED_NUMBER] |
additional.fields[grp_member_bulk_upload_failed] |
|
protoPayload.metadata.event.eventName.parameter.name[GROUP_MEMBER_BULK_UPLOAD_TOTAL_NUMBER] |
additional.fields[grp_member_bulk_upload_total] |
|
httpRequest.cacheFillBytes |
additional.fields[httpreq_cache_fill_bytes] |
|
httpRequest.cacheHit |
additional.fields[httpreq_cache_hit] |
|
httpRequest.cacheLookup |
additional.fields[httpreq_cache_lookup] |
|
httpRequest.cacheValidatedWithOriginServer |
additional.fields[httpreq_cache_validated_with_origin_server] |
|
httpRequest.latency |
additional.fields[httprequest_latency] |
|
protoPayload.metadata.event.eventName.parameter.name[INFO_TYPE] |
additional.fields[info_type] |
|
protoPayload.metadata.activityId.timeUsec |
additional.fields[metadata_activityId_time_usec] |
|
protoPayload.metadata.activityId.uniqQualifier |
additional.fields[metadata_activityId_uniq_qualifier] |
|
protoPayload.metadata.@type |
additional.fields[metadata_type] |
|
protoPayload.metadata.event.eventName.parameter.name[NEW_PERMISSION_GRANT_STATE] |
additional.fields[new_permission_grant_state] |
|
protoPayload.metadata.event.eventName.parameter.name[NUMBER_OF_COMPANY_OWNED_DEVICES] |
additional.fields[num_of_company_owned_device] |
|
protoPayload.numResponseItems |
additional.fields[num_response_items] |
|
protoPayload.metadata.event.eventName.parameter.name[OLD_PERMISSION_GRANT_STATE] |
additional.fields[old_permission_grant_state] |
|
operation.first |
additional.fields[operation_first] |
|
operation.id |
additional.fields[operation_id] |
|
operation.last |
additional.fields[operation_last] |
|
operation.producer |
additional.fields[operation_producer] |
|
protoPayload.resourceOriginalState.selfLinkWithId |
additional.fields[rc_old_selflinkWithId] |
|
protoPayload.metadata.event.eventName.parameter.name[REAUTH_SETTING_NEW] |
additional.fields[reauth_setting_new] |
|
protoPayload.metadata.event.eventName.parameter.name[REAUTH_SETTING_OLD] |
additional.fields[reauth_setting_old] |
|
protoPayload.request.alloweds.ports |
additional.fields[req_alloweds_ports] |
|
protoPayload.request.body.name |
additional.fields[req_body_name] |
|
protoPayload.request.body.settings.activityPolicy |
additional.fields[req_body_settings_activity_policy] |
|
protoPayload.request.deletionProtection |
additional.fields[req_deletion_protection] |
|
protoPayload.request.disabled |
additional.fields[req_disabled] |
|
protoPayload.request.displayDevice.enableDisplay |
additional.fields[req_display_device_enable_display] |
|
protoPayload.request.enableFlowLogs |
additional.fields[req_enable_flow_logs] |
|
protoPayload.request.fingerprint |
additional.fields[req_fingerprint] |
|
protoPayload.request.shieldedInstanceConfig.enableSecureBoot |
additional.fields[req_instance_config_enable_secure_boot] |
|
protoPayload.request.shieldedInstanceConfig.enableVtpm |
additional.fields[req_instance_config_enable_vtpm] |
|
protoPayload.request.shieldedInstanceConfig.enableIntegrityMonitoring |
additional.fields[req_instance_enable_integrity_monitoring] |
|
protoPayload.request.key_types |
additional.fields[req_key_types] |
|
protoPayload.request.logconfig.enable |
additional.fields[req_logconfig_enable] |
|
protoPayload.request.networkTier |
additional.fields[req_network_tier] |
|
protoPayload.request.network |
additional.fields[req_network] |
|
protoPayload.request.page_size |
additional.fields[req_page_size] |
|
request.pagesize |
additional.fields[req_page_size] |
|
protoPayload.request.policy.etag |
additional.fields[req_policy_etag] |
|
protoPayload.request.portRange |
additional.fields[req_port_range] |
|
protoPayload.request.privateIpGoogleAccess |
additional.fields[req_private_ip_google_access] |
|
protoPayload.request.private_key_type |
additional.fields[req_private_key_type] |
|
protoPayload.request.remove_deleted_service_accounts |
additional.fields[req_remove_deleted_serviceAcc] |
|
protoPayload.request.showDeleted |
additional.fields[req_show_deleted] |
|
protoPayload.request.skip_visibility_check |
additional.fields[req_skip_visibility_check] |
|
protoPayload.request.stackType |
additional.fields[req_stack_type] |
|
protoPayload.request.type |
additional.fields[req_type] |
|
protoPayload.request.updateMask |
additional.fields[req_update_mask] |
|
protoPayload.request.version |
additional.fields[req_version] |
|
protoPayload.response.clientOperationId |
additional.fields[res_client_operation_id] |
|
protoPayload.response.endTime |
additional.fields[res_end_time] |
|
protoPayload.response.id |
additional.fields[res_id] |
|
protoPayload.response.key_algorithm |
additional.fields[res_key_algorithm] |
|
protoPayload.response.key_origin |
additional.fields[res_key_origin] |
|
protoPayload.response.key_type |
additional.fields[res_key_type] |
|
protoPayload.response.kind |
additional.fields[res_kind] |
|
protoPayload.response.private_key_type |
additional.fields[res_private_key_type] |
|
protoPayload.response.progress |
additional.fields[res_progress] |
|
protoPayload.response.startTime |
additional.fields[res_start_time] |
|
protoPayload.response.status |
security_result.action |
The security_result.action UDM field is set to FAIL if the following conditions are met:
|
protoPayload.response.status |
additional.fields[res_status] |
|
protoPayload.response.type |
additional.fields[res_type] |
|
protoPayload.response.unique_id |
additional.fields[res_unique_id] |
|
protoPayload.response.valid_after_time.seconds |
additional.fields[res_valid_after_time] |
|
protoPayload.response.valid_before_time.seconds |
additional.fields[res_valid_before_time] |
|
protoPayload.response.version |
additional.fields[res_version] |
|
protoPayload.response.zone |
additional.fields[res_zone] |
|
protoPayload.metadata.event.eventName.parameter.name[SEARCH_QUERY_FOR_DUMP] |
additional.fields[search_query_for_dump] |
|
spanId |
additional.fields[span_id] |
|
protoPayload.metadata.event.eventName.parameter.name[START_DATE] |
additional.fields[start_date] |
|
traceSampled |
additional.fields[trace_sampled] |
|
trace |
additional.fields[trace] |
|
protoPayload.@type |
additional.fields[type] |
|
protoPayload.redactions.reason |
additional.fields[protoPayload.redactions.field] |
|
protoPayload.redactions.type |
additional.fields[protoPayload.redactions.field] |
|
authenticationInfo.serviceAccountDelegationInfo.firstPartyPrincipal.serviceMetadata |
additional.fields[service_metadata] |
|
jsonPayload.sourceNetwork |
additional.fields[source_network] |
|
authenticationInfo.serviceAccountDelegationInfo.thirdPartyPrincipal.thirdPartyClaims |
additional.fields[third_party_claims] |
|
protoPayload.requestMetadata.requestAttributes.time |
additional.fields[caller_network_request_time] |
|
protoPayload.request.ipCidrRange |
additional.fields[req_ip_cidr_range] |
|
protoPayload.request.description |
additional.labels[req_description] |
|
protoPayload.request.sourceRanges |
additional.fields[req_source_ranges] |
|
protoPayload.requestMetadata.requestAttributes.reason |
additional.fields[request_attributes_reason] |
|
protoPayload.authenticationInfo.thirdPartyPrincipal |
additional.fields[third_party_principal] |
|
sourceLocation.function |
additional.fields[src_location_function] |
|
sourceLocation.line |
additional.fields[src_location_line] |
|
resource.labels.backend_service_name |
additional.fields[backend_service_name] |
|
protoPayload.requestMetadata.requestAttributes.auth.claims |
additional.fields[request_auth_claims] |
|
protoPayload.metadata.event.eventName.parameter.name[APPLICATION_EDITION] |
additional.fields[application_edition] |
|
protoPayload.metadata.event.eventName.parameter.name[ASP_ID] |
additional.fields[asp_id] |
|
protoPayload.metadata.event.eventName.parameter.name[CHROME_OS_SESSION_TYPE] |
additional.fields[chrome_os_session_type] |
|
protoPayload.metadata.event.eventName.parameter.name[DEVICE_NEW_ORG_UNIT] |
additional.fields[device_new_org_unit] |
|
protoPayload.metadata.event.eventName.parameter.name[DEVICE_PREVIOUS_ORG_UNIT] |
additional.fields[device_previous_org_unit] |
|
protoPayload.metadata.event.eventName.parameter.name[DOMAIN_ALIAS] |
additional.fields[domain_alias] |
|
protoPayload.metadata.event.eventName.parameter.name[EMAIL_EXPORT_INCLUDE_DELETED] |
additional.fields[email_export_include_deleted] |
|
protoPayload.metadata.event.eventName.parameter.name[EMAIL_EXPORT_PACKAGE_CONTENT] |
additional.fields[email_export_package_content] |
|
protoPayload.metadata.event.eventName.parameter.name[EMAIL_LOG_SEARCH_END_DATE] |
additional.fields[email_log_search_end_date] |
|
protoPayload.metadata.event.eventName.parameter.name[EMAIL_LOG_SEARCH_START_DATE] |
additional.fields[email_log_search_start_date] |
|
protoPayload.metadata.event.eventName.parameter.name[EMAIL_MONITOR_LEVEL_CHAT] |
additional.fields[email_monitor_level_chat] |
|
protoPayload.metadata.event.eventName.parameter.name[EMAIL_MONITOR_LEVEL_DRAFT_EMAIL] |
additional.fields[email_monitor_level_draft_email] |
|
protoPayload.metadata.event.eventName.parameter.name[EMAIL_MONITOR_LEVEL_INCOMING_EMAIL] |
additional.fields[email_monitor_level_in_email] |
|
protoPayload.metadata.event.eventName.parameter.name[EMAIL_MONITOR_LEVEL_OUTGOING_EMAIL] |
additional.fields[email_monitor_level_out_email] |
|
protoPayload.metadata.event.eventName.parameter.name[GMAIL_RESET_REASON] |
additional.fields[email_reset_reason] |
|
protoPayload.metadata.event.eventName.parameter.name[NEW_VALUE] |
additional.fields[new_value] |
|
protoPayload.metadata.event.eventName.parameter.name[OAUTH2_APP_TYPE] |
additional.fields[oauth2_app_type] |
|
protoPayload.metadata.event.eventName.parameter.name[OLD_VALUE] |
additional.fields[old_value] |
|
protoPayload.requestMetadata.destinationAttributes.principal |
additional.fields[peer_principal] |
|
protoPayload.requestMetadata.destinationAttributes.regionCode |
additional.fields[peer_region_code] |
|
protoPayload.request.loadBalancingScheme |
additional.fields[req_load_balancing_scheme] |
|
protoPayload.request.requestId |
additional.fields[request_id] |
|
protoPayload.metadata.event.eventName.parameter.name[REQUEST_ID] |
additional.fields[request_id] |
|
protoPayload.resourceOriginalState.description |
additional.fields[res_originalState_description] |
|
protoPayload.response.bindings.members |
additional.fields[response_bindings_members] |
|
protoPayload.response.description |
additional.fields[response_description] |
|
protoPayload.response.display_name |
additional.fields[response_display_name] |
|
protoPayload.metadata.event.eventName.parameter.name[SECONDARY_DOMAIN_NAME] |
additional.fields[secondary_domain_name] |
|
protoPayload.metadata.event.eventName.parameter.name[SETTING_NAME] |
additional.fields[setting_name] |
|
protoPayload.metadata.event.eventName.parameter.name[USER_CUSTOM_FIELD] |
additional.fields[user_custom_field] |
|
protoPayload.metadata.event.eventName.parameter.name[USER_DEFINED_SETTING_NAME] |
additional.fields[user_defined_setting_name] |
|
protoPayload.metadata.event.eventName.parameter.name[WEB_ORIGIN] |
additional.fields[web_origin] |
|
protoPayload.metadata.event.eventName.parameter.name[WHITELISTED_GROUPS] |
additional.fields[whitelisted_groups] |
|
jsonPayload.end_time |
additional.fields[jsonPayload_end_time] |
|
jsonPayload.reporter |
additional.fields[jsonPayload_reporter] |
|
jsonPayload.start_time |
additional.fields[jsonPayload_start_time] |
|
jsonPayload.src_instance.project_id |
additional.fields[jsonPayload_src_instance_project_id] |
|
jsonPayload.dest_instance.project_id |
additional.fields[jsonPayload_dest_instance_project_id] |
|
jsonPayload.src_location.asn |
additional.fields[jsonPayload_src_location_asn] |
|
jsonPayload.src_location.continent |
additional.fields[jsonPayload_src_location_continent] |
|
jsonPayload.dest_location.asn |
additional.fields[jsonPayload_dest_location_asn] |
|
jsonPayload.dest_location.continent |
additional.fields[jsonPayload_dest_location_continent] |
|
protoPayload.request.spec.expirationSeconds |
target.resource.attribute.labels[req_spec_expiration_seconds] |
|
protoPayload.request.spec.request |
target.resource.attribute.labels[req_spec_request] |
|
protoPayload.request.spec.signerName |
target.resource.attribute.labels[req_spec_signer_name] |
|
protoPayload.request.spec.usages |
target.resource.attribute.labels[req_spec_usage] |
|
protoPayload.response.spec.expirationSeconds |
target.resource.attribute.labels[res_spec_expiration_seconds] |
|
protoPayload.response.spec.extra.iam.gke.io/user-assertion |
target.resource.attribute.labels[res_spec_extra_iam_gke_io/user_assertion] |
|
protoPayload.response.spec.extra.user-assertion.cloud.google.com |
target.resource.attribute.labels[res_spec_extra_user_assertion_cloud_google_com] |
|
protoPayload.response.spec.groups |
target.resource.attribute.labels[res_spec_group] |
|
protoPayload.response.spec.request |
target.resource.attribute.labels[res_spec_request] |
|
protoPayload.response.spec.signerName |
target.resource.attribute.labels[res_spec_signer_name] |
|
protoPayload.response.spec.usages |
target.resource.attribute.labels[res_spec_usage] |
|
protoPayload.response.spec.username |
target.resource.attribute.labels[res_spec_username] |
|
protoPayload.request.cryptoKeyVersion.state |
target.resource.attribute.labels[req_cryptokey_version_state] |
|
protoPayload.serviceData.policyDelta.auditConfigDeltas.action |
target.resource.attribute.labels[service_data_policy_delta_audit_config_delta_action] |
|
protoPayload.serviceData.policyDelta.auditConfigDeltas.service |
target.resource.attribute.labels[service_data_policy_delta_audit_config_delta_service] |
|
protoPayload.serviceData.policyDelta.auditConfigDeltas.exemptedMember |
target.resource.attribute.labels[service_data_policy_delta_audit_config_delta_exempted_member] |
|
protoPayload.serviceData.policyDelta.auditConfigDeltas.logType |
target.resource.attribute.labels[service_data_policy_delta_audit_config_delta_log_type] |
|
protoPayload.request.policy.bindings.role |
target.resource.attribute.labels[req_policy_bindings_role] |
|
protoPayload.request.policy.bindings.members |
target.resource.attribute.labels[req_policy_bindings_members] |
|
protoPayload.metadata.tableChange.bindingDeltas.action |
target.resource.attribute.labels[table_change_binding_deltas_action] |
|
protoPayload.metadata.tableChange.bindingDeltas.member |
target.resource.attribute.labels[table_change_binding_deltas_member] |
|
protoPayload.metadata.tableChange.bindingDeltas.role |
target.resource.attribute.labels[table_change_binding_deltas_role] |
|
protoPayload.metadata.datasetChange.bindingDeltas.action |
target.resource.attribute.labels[dataset_change_binding_deltas_action] |
|
protoPayload.metadata.datasetChange.bindingDeltas.member |
target.resource.attribute.labels[dataset_change_binding_deltas_member] |
|
protoPayload.metadata.datasetChange.bindingDeltas.role |
target.resource.attribute.labels[dataset_change_binding_deltas_role] |
|
protoPayload.metadata.tableChange.table.policy.etag |
target.resource.attribute.labels[table_change_table_policy_etag] |
|
protoPayload.metadata.tableChange.table.policy.bindings.role |
target.resource.attribute.labels[table_change_table_policy_bindings_{index}_role] |
|
protoPayload.metadata.tableChange.table.policy.bindings.members |
target.resource.attribute.labels[table_change_table_policy_bindings_{index}_members_{index1}] |
|
protoPayload.metadata.datasetChange.dataset.acl.policy.bindings.role |
target.resource.attribute.labels[dataset_change_dataset_acl_policy_bindings_{index}_role] |
|
protoPayload.metadata.datasetChange.dataset.acl.policy.bindings.members |
target.resource.attribute.labels[dataset_change_dataset_acl_policy_bindings_{index}_members_{index1}] |
|
protoPayload.request.bindings.role |
target.resource.attribute.labels[request_bindings_{index}_role] |
|
protoPayload.request.bindings.members |
target.resource.attribute.labels[request_bindings_{index}_members_{index1}] |
|
protoPayload.metadata.groupDelta.newGroup.description |
target.group.attribute.labels[metadata_group_delta_new_group_description] |
|
protoPayload.metadata.groupDelta.newGroup.email |
target.group.email_addresses |
|
protoPayload.metadata.groupDelta.newGroup.name |
target.group.group_display_name |
|
protoPayload.metadata.groupDelta.action |
target.group.attribute.labels[metadata_group_delta_action] |
|
protoPayload.response.spec.template.metadata.labels.client.knative.dev/nonce |
target.resource.attribute.labels[res_spec_template_metadata_nonce] |
|
protoPayload.response.spec.template.metadata.annotations.run.googleapis.com/client-name |
target.resource.attribute.labels[res_spec_template_metadata_client_name] |
|
protoPayload.response.spec.template.metadata.annotations.run.googleapis.com/client-version |
target.resource.attribute.labels[res_spec_template_metadata_client_version] |
|
protoPayload.response.spec.template.metadata.annotations.run.googleapis.com/execution-environment |
target.resource.attribute.labels[res_spec_template_metadata_exection_environment] |
|
protoPayload.response.spec.template.spec.taskCount |
target.resource.attribute.labels[res_spec_template_spec_taskcount] |
|
protoPayload.response.spec.template.spec.template.spec.containers.image |
target.resource_ancestors.attribute.labels[res_spec_template_spec_template_spec_container_image] |
|
protoPayload.response.spec.template.spec.template.spec.containers.resources.limits.memory |
target.resource_ancestors.attribute.labels[res_spec_template_spec_template_spec_container_resource_limits_memory] |
|
protoPayload.response.spec.template.spec.template.spec.containers.resources.limits.cpu |
target.resource_ancestors.attribute.labels[res_spec_template_spec_template_spec_container_resource_limits_cpu] |
|
protoPayload.response.spec.template.spec.template.spec.maxRetries |
target.resource.attribute.labels[res_spec_template_spec_template_spec_max_retries] |
|
protoPayload.response.spec.template.spec.template.spec.timeoutSeconds |
target.resource.attribute.labels[res_spec_template_spec_template_spec_timeout_seconds] |
|
protoPayload.response.spec.template.spec.template.spec.serviceAccountName |
principal.user.email_addresses |
|
protoPayload.request.service.metadata.annotations.run.googleapis.com/client-name |
target.resource_ancestors.attribute.labels[req_service_metadata_client_name] |
|
protoPayload.request.service.metadata.annotations.serving.knative.dev/creator |
target.resource_ancestors.attribute.labels[req_service_metadata_creator] |
|
protoPayload.request.service.metadata.annotations.run.googleapis.com/client-version |
target.resource_ancestors.attribute.labels[req_service_metadata_client_version] |
|
protoPayload.request.service.metadata.annotations.run.googleapis.com/operation-id |
target.resource_ancestors.attribute.labels[req_service_metadata_client_operation_id] |
|
protoPayload.request.service.metadata.annotations.run.googleapis.com/binary-authorization |
target.resource_ancestors.attribute.labels[req_service_metadata_binary_authorization] |
|
protoPayload.request.service.metadata.annotations.run.googleapis.com/ingress-status |
target.resource_ancestors.attribute.labels[req_service_metadata_client_ingress_status] |
|
protoPayload.request.service.metadata.annotations.serving.knative.dev/lastModifier |
target.resource_ancestors.attribute.labels[req_service_metadata_last_modifier] |
|
protoPayload.request.service.metadata.annotations.run.googleapis.com/ingress |
target.resource_ancestors.attribute.labels[req_service_metadata_ingress] |
|
protoPayload.request.service.spec.template.metadata.annotations.run.googleapis.com/client-name |
target.resource_ancestors.attribute.labels[req_service_spec_template_metadata_client_name] |
|
protoPayload.request.service.spec.template.metadata.annotations.run.googleapis.com/client-version |
target.resource_ancestors.attribute.labels[req_service_spec_template_metadata_client_version] |
|
protoPayload.request.service.spec.template.metadata.annotations.autoscaling.knative.dev/maxScale |
target.resource_ancestors.attribute.labels[req_service_spec_template_metadata_max_scale] |
|
protoPayload.request.New Data |
target.resource_ancestors.attribute.labels[req_new_data] |
|
protoPayload.response.Original Data |
target.resource_ancestors.attribute.labels[req_original_data] |
|
protoPayload.request.timestampRange.startTime |
target.resource.attribute.labels[timestamp_range_start_time] |
|
protoPayload.request.timestampRange.endTime |
target.resource.attribute.labels[timestamp_range_end_time] |
|
protoPayload.request.regexSearch |
target.resource.attribute.labels[request_regex_search] |
|
protoPayload.request.productSources |
target.resource.attribute.labels[request_product_sources] |
|
protoPayload.request.query |
target.resource.attribute.labels[request_query] |
|
protoPayload.request.caseSensitive |
target.resource.attribute.labels[request_case_sensitive] |
|
protoPayload.request.baselineQuery |
target.resource.attribute.labels[baseline_query] |
|
protoPayload.request.baselineTimeRange.startTime |
target.resource.attribute.labels[baseline_time_range_start_time] |
|
protoPayload.request.baselineTimeRange.endTime |
target.resource.attribute.labels[baseline_time_range_end_time] |
|
protoPayload.response.serviceConfig.timeoutSeconds |
target.resource.attribute.labels[response_service_config_timeout_seconds] |
|
labels.execution_id |
additional.fields[execution_id] |
|
labels.instance_id |
additional.fields[instance_id] |
|
labels.runtime_version |
additional.fields[runtime_version] |
|
protoPayload.metadata.updatedGrant.requester |
principal.user.userid |
If the protoPayload.serviceName log field value is equal to privilegedaccessmanager.googleapis.com, then the protoPayload.metadata.updatedGrant.requester log field is mapped to the principal.user.userid UDM field. |
protoPayload.metadata.updatedGrant.requestedDuration |
target.resource.attribute.labels[requestedDuration] |
If the protoPayload.serviceName log field value is equal to privilegedaccessmanager.googleapis.com, then the protoPayload.metadata.updatedGrant.requestedDuration log field is mapped to the target.resource.attribute.labels UDM field. |
protoPayload.metadata.updatedGrant.justification.unstructuredJustification |
target.resource.attribute.labels[justification] |
If the protoPayload.serviceName log field value is equal to privilegedaccessmanager.googleapis.com, then the protoPayload.metadata.updatedGrant.justification.unstructuredJustification log field is mapped to the target.resource.attribute.labels UDM field. |
protoPayload.metadata.updatedGrant.privilegedAccess.gcpIamAccess.roleBindings.role |
target.resource.attribute.roles.name |
If the protoPayload.serviceName log field value is equal to privilegedaccessmanager.googleapis.com, then the protoPayload.metadata.updatedGrant.privilegedAccess.gcpIamAccess.roleBindings.role log field is mapped to the target.resource.attribute.roles.name UDM field. |
protoPayload.metadata.updatedGrant.privilegedAccess.gcpIamAccess.resourceType |
target.resource.attribute.labels[resourceType] |
If the protoPayload.serviceName log field value is equal to privilegedaccessmanager.googleapis.com, then the protoPayload.metadata.updatedGrant.privilegedAccess.gcpIamAccess.resourceType log field is mapped to the target.resource.attribute.labels UDM field. |
protoPayload.metadata.updatedGrant.privilegedAccess.gcpIamAccess.resource |
target.resource.attribute.labels[resource] |
If the protoPayload.serviceName log field value is equal to privilegedaccessmanager.googleapis.com, then the protoPayload.metadata.updatedGrant.privilegedAccess.gcpIamAccess.resource log field is mapped to the target.resource.attribute.labels UDM field. |
protoPayload.metadata.updatedGrant.state |
target.resource.attribute.labels[state] |
If the protoPayload.serviceName log field value is equal to privilegedaccessmanager.googleapis.com, then the protoPayload.metadata.updatedGrant.state log field is mapped to the target.resource.attribute.labels UDM field. |
protoPayload.metadata.jobInsertion.job.jobConfig.labels.looker_studio_report_id |
target.resource.attribute.labels[job_insertion_looker_studio_report_id] |
If the protoPayload.serviceName log field value is equal to privilegedaccessmanager.googleapis.com, then the protoPayload.metadata.jobInsertion.job.jobConfig.labels.looker_studio_report_id log field is mapped to the target.resource.attribute.labels UDM field. |
protoPayload.metadata.jobInsertion.job.jobConfig.labels.requestor |
target.resource.attribute.labels[job_insertion_requestor] |
If the protoPayload.serviceName log field value is equal to privilegedaccessmanager.googleapis.com, then the protoPayload.metadata.jobInsertion.job.jobConfig.labels.requestor log field is mapped to the target.resource.attribute.labels UDM field. |
protoPayload.metadata.jobInsertion.job.jobConfig.labels.looker_studio_datasource_id |
target.resource.attribute.labels[job_insertion_looker_studio_datasource_id] |
If the protoPayload.serviceName log field value is equal to privilegedaccessmanager.googleapis.com, then the protoPayload.metadata.jobInsertion.job.jobConfig.labels.looker_studio_datasource_id log field is mapped to the target.resource.attribute.labels UDM field. |
protoPayload.response.displayName |
security_result.associations.name |
If the protoPayload.response.displayName log field value is not empty, then the protoPayload.response.displayName log field is mapped to the security_result.associations.name UDM field. |
protoPayload.request.referenceList.displayName |
security_result.associations.name |
If the protoPayload.response.displayName log field value is empty, then the protoPayload.request.referenceList.displayName log field is mapped to the security_result.associations.name UDM field. |
protoPayload.resourceName |
security_result.detection_fields[rule_id] |
If the protoPayload.resourceName log field value is not empty and the protoPayload.response.@type log field value is equal to type.googleapis.com/google.cloud.chronicle.v1alpha.Rule, then new_rule_id is extracted from the protoPayload.resourceName log field using a Grok pattern and mapped to the security_result.detection_fields[rule_id] UDM field. |
protoPayload.request.projection |
target.resource.attribute.labels[req_projection] |
|
protoPayload.response.items.metageneration |
target.resource.attribute.labels[res_items_metageneration] |
|
protoPayload.response.items.labels.created_date |
target.resource.attribute.labels[res_items_labels_created_date] |
|
protoPayload.response.items.labels.team_email |
target.resource.attribute.labels[res_items_labels_team_email] |
|
protoPayload.response.items.labels.team_name |
target.resource.attribute.labels[res_items_labels_team_name] |
|
protoPayload.response.items.labels.office_number |
target.resource.attribute.labels[res_items_labels_official_number] |
|
protoPayload.response.items.labels.department |
target.resource.attribute.labels[res_items_labels_department] |
|
protoPayload.response.items.labels.business_project_number |
target.resource.attribute.labels[res_items_labels_business_project_number] |
|
protoPayload.response.items.labels.owner_email |
target.resource.attribute.labels[res_items_labels_owner_email] |
|
protoPayload.response.items.labels.purchase_order_number |
target.resource.attribute.labels[res_items_labels_purchase_order_number] |
|
protoPayload.response.items.labels.office_name |
target.resource.attribute.labels[res_items_labels_office_name] |
|
protoPayload.response.items.labels.environment |
target.resource.attribute.labels[res_items_labels_environment] |
|
protoPayload.response.items.labels.created_by |
target.resource.attribute.labels[res_items_labels_created_by] |
|
protoPayload.response.items.labels.project_name |
target.resource.attribute.labels[res_items_labels_project_name] |
|
protoPayload.response.items.labels.finops_tag |
target.resource.attribute.labels[res_items_labels_finops_tag] |
|
protoPayload.response.items.labels.owner_role |
target.resource.attribute.labels[res_items_labels_owner_role] |
|
protoPayload.response.items.versioning.enabled |
target.resource.attribute.labels[res_items_versioning_enabled] |
|
protoPayload.response.items.iamConfiguration.publicAccessPrevention |
target.resource.attribute.labels[res_items_iam_conf_public_access_prevention] |
|
protoPayload.response.items.iamConfiguration.uniformBucketLevelAccess.lockedTime |
target.resource.attribute.labels[res_items_iam_conf_uniform_bucket_level_access_locked_time] |
|
protoPayload.response.items.iamConfiguration.uniformBucketLevelAccess.enabled |
target.resource.attribute.labels[res_items_iam_conf_uniform_bucket_level_access_enabled] |
|
protoPayload.response.items.id |
target.resource.attribute.labels[res_items_id] |
|
protoPayload.response.items.updated |
target.resource.attribute.labels[res_items_updated] |
|
protoPayload.response.items.storageClass |
target.resource.attribute.labels[res_items_storage_class] |
|
protoPayload.response.items.timeCreated |
target.resource.attribute.labels[res_items_time_created] |
|
protoPayload.response.items.location |
target.resource.attribute.labels[res_items_location] |
|
protoPayload.response.items.locationType |
target.resource.attribute.labels[res_items_location_type] |
|
protoPayload.response.items.projectNumber |
target.resource.attribute.labels[res_items_project_number] |
|
protoPayload.response.items.name |
target.resource.attribute.labels[res_items_name] |
|
protoPayload.response.items.softDeletePolicy.effectiveTime |
target.resource.attribute.labels[res_items_soft_delete_policy_effective_time] |
|
protoPayload.response.items.softDeletePolicy.retentionDurationSeconds |
target.resource.attribute.labels[res_items_soft_delete_policy_retention_duration_seconds] |
|
protoPayload.response.items.etag |
target.resource.attribute.labels[res_items_etag] |