收集 Cloud Audit Logs
本文档介绍了如何通过启用 Google Cloud 来导出 Cloud Audit Logs 遥测数据注入到 Google Security Operations 以及 Cloud Audit Logs 字段如何映射到 Google 安全运营统一数据模型 (UDM) 字段。
如需了解详情,请参阅 Google Security Operations 的数据注入概览。
典型的部署包括启用了数据注入功能的 Cloud Audit Logs Google Security Operations,每个客户部署可能与此不同 并且可能更加复杂。
该部署包含以下组件:
Google Cloud:您要从中收集日志的 Google Cloud 服务和产品
Cloud Audit Logs:为注入 Google Security Operations 而启用的 Cloud Audit Logs
Google Workspace 审核日志: 已启用注入 Google Security Operations 的功能
Google Security Operations:保留和分析 Cloud Audit Logs 和 Google Workspace 审核日志
提取标签用于标识将原始日志数据标准化的解析器
结构化 UDM 格式本文档中的信息适用于解析器
提取标签为 GCP_CLOUDAUDIT
。
准备工作
确保您已为组织和资源设置了访问权限控制 使用 Identity and Access Management (IAM)如需详细了解访问权限控制,请参阅 使用 IAM 对组织进行访问权限控制。
配置数据访问审核日志 Google Cloud 资源和服务
确保部署架构中的所有系统都使用世界协调时间 (UTC) 时区进行配置。
验证 Cloud Audit Logs 解析器支持的日志类型。下表 列出了 Cloud Audit Logs 解析器支持的日志源和类型:
日志源 | 日志源类型 |
---|---|
Cloud DNS | NA |
syslog | 无 |
Google Workspace 审核日志 | 登录审核 |
Google Workspace 审核日志 | 管理控制台审核 |
Cloud Audit Logs | 管理员活动 |
Cloud Audit Logs | VPC Service Controls 审核 |
Cloud Audit Logs | Google Kubernetes Engine 数据访问 |
Cloud Audit Logs | Resource Manager 数据访问 |
Cloud Audit Logs | BigQuery Audit Metadata 数据访问 |
Cloud Audit Logs | MySQL 数据访问、管理员活动 |
Cloud Audit Logs | PostgreSQL 数据访问、管理员活动 |
Cloud Audit Logs | SQL Server 数据访问、管理员活动 |
Cloud Load Balancing | Cloud HTTP 负载平衡器 |
Cloud DNS | 管理员活动 |
虚拟私有云流程 | 虚拟私有云流 |
防火墙规则 | 防火墙规则 |
Cloud NAT | Cloud NAT |
配置 Cloud Audit Logs 的注入
如需将 Cloud Audit Logs 注入 Google Security Operations,请按照将 Google Cloud 日志注入 Google Security Operations 页面上的步骤操作。
如果您在注入 Cloud Audit Logs 时遇到问题,请与 Google Security Operations 支持团队联系。
字段映射参考文档
本部分介绍 Google Security Operations 解析器如何将 Cloud Audit Logs 字段映射到 Google Security Operations 统一数据模型 (UDM) 字段。
GCP_CLOUDAUDIT 日志类型与 UDM 事件类型
下表列出了 GCP_CLOUDAUDIT 事件标识符及其对应的事件类型。Event identifier | Event type |
---|---|
dns.managedZones.get |
USER_RESOURCE_ACCESS |
dns.managedZones.list |
USER_RESOURCE_ACCESS |
dns.changes.get |
USER_RESOURCE_ACCESS |
dns.changes.list |
USER_RESOURCE_ACCESS |
dns.activePeeringZones.list |
USER_RESOURCE_ACCESS |
dns.activePeeringZones.getpeeringzoneinfo |
USER_RESOURCE_ACCESS |
dns.resourceRecordSets.get |
USER_RESOURCE_ACCESS |
dns.resourceRecordSets.list |
USER_RESOURCE_ACCESS |
dns.responsePolicies.get |
USER_RESOURCE_ACCESS |
dns.responsePolicies.list |
USER_RESOURCE_ACCESS |
dns.responsePolicyRules.get |
USER_RESOURCE_ACCESS |
dns.responsePolicyRules.list |
USER_RESOURCE_ACCESS |
dns.policies.get |
USER_RESOURCE_ACCESS |
dns.policies.list |
USER_RESOURCE_ACCESS |
dns.projects.get |
USER_RESOURCE_ACCESS |
dns.managedZones.create |
USER_RESOURCE_CREATION |
dns.managedZones.delete |
RESOURCE_DELETION |
dns.managedZones.update |
RESOURCE_WRITTEN |
dns.managedZones.patch |
USER_RESOURCE_UPDATE_CONTENT |
dns.changes.create |
USER_RESOURCE_CREATION |
dns.changes.delete |
RESOURCE_DELETION |
dns.activePeeringZones.deactivate |
USER_RESOURCE_UPDATE_CONTENT |
dns.resourceRecordSets.create |
USER_RESOURCE_CREATION |
dns.resourceRecordSets.delete |
RESOURCE_DELETION |
dns.resourceRecordSets.update |
RESOURCE_WRITTEN |
dns.resourceRecordSets.patch |
USER_RESOURCE_UPDATE_CONTENT |
dns.responsePolicies.create |
USER_RESOURCE_CREATION |
dns.responsePolicies.delete |
RESOURCE_DELETION |
dns.responsePolicies.update |
RESOURCE_WRITTEN |
dns.responsePolicies.patch |
USER_RESOURCE_UPDATE_CONTENT |
dns.responsePolicyRules.create |
USER_RESOURCE_CREATION |
dns.responsePolicyRules.delete |
RESOURCE_DELETION |
dns.responsePolicyRules.update |
RESOURCE_WRITTEN |
dns.responsePolicyRules.patch |
USER_RESOURCE_UPDATE_CONTENT |
dns.policies.create |
USER_RESOURCE_CREATION |
dns.policies.delete |
RESOURCE_DELETION |
dns.policies.update |
RESOURCE_WRITTEN |
dns.policies.patch |
USER_RESOURCE_UPDATE_CONTENT |
CreateRole |
USER_UNCATEGORIZED |
DeleteRole |
RESOURCE_DELETION |
UndeleteRole |
RESOURCE_CREATION |
UpdateRole |
RESOURCE_WRITTEN |
google.iam.v2beta.Policies.CreatePolicy |
USER_RESOURCE_CREATION |
google.iam.v2beta.Policies.DeletePolicy |
RESOURCE_DELETION |
google.iam.v2beta.Policies.UpdatePolicy |
RESOURCE_WRITTEN |
CreateServiceAccount |
USER_RESOURCE_CREATION |
DeleteServiceAccount |
RESOURCE_DELETION |
DisableServiceAccount |
STATUS_UPDATE |
EnableServiceAccount |
STATUS_UPDATE |
GetServiceAccount |
USER_RESOURCE_ACCESS |
PatchServiceAccount |
USER_RESOURCE_UPDATE_CONTENT |
SetIAMPolicy |
USER_RESOURCE_UPDATE_PERMISSIONS |
UndeleteServiceAccount |
RESOURCE_DELETION |
UpdateServiceAccount |
RESOURCE_WRITTEN |
CreateServiceAccountKey |
USER_RESOURCE_CREATION |
DeleteServiceAccountKey |
RESOURCE_DELETION |
UploadServiceAccountKey |
USER_RESOURCE_UPDATE_CONTENT |
CreateWorkloadIdentityPool |
USER_RESOURCE_CREATION |
DeleteWorkloadIdentityPool |
RESOURCE_DELETION |
UndeleteWorkloadIdentityPool |
RESOURCE_DELETION |
UpdateWorkloadIdentityPool |
RESOURCE_WRITTEN |
CreateWorkloadIdentityPoolProvider |
USER_RESOURCE_CREATION |
DeleteWorkloadIdentityPoolProvider |
RESOURCE_DELETION |
UndeleteWorkloadIdentityPoolProvider |
RESOURCE_DELETION |
UpdateWorkloadIdentityPoolProvider |
RESOURCE_WRITTEN |
CreateWorkforcePool |
USER_RESOURCE_CREATION |
DeleteWorkforcePool |
RESOURCE_DELETION |
UndeleteWorkforcePool |
RESOURCE_DELETION |
UpdateWorkforcePool |
RESOURCE_WRITTEN |
CreateWorkforcePoolProvider |
USER_RESOURCE_CREATION |
DeleteWorkforcePoolProvider |
RESOURCE_DELETION |
UndeleteWorkforcePoolProvider |
RESOURCE_DELETION |
UpdateWorkforcePoolProvider |
RESOURCE_WRITTEN |
GetEffectivePolicy1 |
USER_RESOURCE_ACCESS |
google.iam.admin.v1.GetPolicyDetails2 |
USER_RESOURCE_ACCESS |
ExchangeToken |
USER_RESOURCE_ACCESS |
Google Cloud console (federated) sign in |
USER_RESOURCE_UPDATE_PERMISSIONS |
GetRole |
USER_RESOURCE_ACCESS |
ListRoles |
USER_RESOURCE_ACCESS |
google.iam.v2beta.Policies.GetPolicy |
USER_RESOURCE_ACCESS |
google.iam.v2beta.Policies.ListPolicies |
USER_RESOURCE_ACCESS |
QueryGrantableRoles |
USER_RESOURCE_ACCESS |
GenerateAccessToken |
USER_RESOURCE_UPDATE_CONTENT |
GenerateIdToken |
USER_RESOURCE_UPDATE_CONTENT |
ListServiceAccounts |
USER_RESOURCE_ACCESS |
SignBlob |
USER_RESOURCE_UPDATE_CONTENT |
SignJwt |
USER_RESOURCE_UPDATE_CONTENT |
GetServiceAccountKey |
USER_RESOURCE_ACCESS |
ListServiceAccountKeys |
USER_RESOURCE_ACCESS |
GetWorkloadIdentityPool |
USER_RESOURCE_ACCESS |
ListWorkloadIdentityPools |
USER_RESOURCE_ACCESS |
GetWorkloadIdentityPoolProvider |
USER_RESOURCE_ACCESS |
ListWorkloadIdentityPoolProviders |
USER_RESOURCE_ACCESS |
GetWorkforcePool |
USER_RESOURCE_ACCESS |
ListWorkforcePools |
USER_RESOURCE_ACCESS |
GetWorkforcePoolProvider |
USER_RESOURCE_ACCESS |
ListWorkforcePoolProviders |
USER_RESOURCE_ACCESS |
io.k8s.authorization.rbac.v1 |
STATUS_UPDATE |
io.k8s.authorization.rbac.v1.roles |
STATUS_UPDATE |
io.k8s.batch.v1.jobs.create |
RESOURCE_CREATION |
io.k8s.authorization.rbac.v1.clusterroles.create |
RESOURCE_CREATION |
io.k8s.apps.v1.daemonsets.create |
RESOURCE_CREATION |
io.k8s.authorization.v1.selfsubjectaccessreviews.create |
RESOURCE_CREATION |
google.container.v1.ClusterManager.CreateCluster |
USER_RESOURCE_CREATION |
google.cloud.bigquery.v2.TableService.InsertTable |
USER_RESOURCE_CREATION |
google.cloud.bigquery.v2.TableService.UpdateTable |
RESOURCE_WRITTEN |
google.cloud.bigquery.v2.TableService.PatchTable |
USER_RESOURCE_UPDATE_CONTENT |
google.cloud.bigquery.v2.TableService.DeleteTable |
RESOURCE_DELETION |
google.cloud.bigquery.v2.DatasetService.InsertDataset |
USER_RESOURCE_CREATION |
google.cloud.bigquery.v2.DatasetService.UpdateDataset |
RESOURCE_WRITTEN |
google.cloud.bigquery.v2.DatasetService.PatchDataset |
USER_RESOURCE_UPDATE_CONTENT |
google.cloud.bigquery.v2.DatasetService.DeleteDataset |
USER_RESOURCE_DELETION |
google.cloud.bigquery.v2.TableDataService.List |
USER_RESOURCE_ACCESS |
google.cloud.bigquery.v2.JobService.InsertJob |
USER_RESOURCE_CREATION |
google.cloud.bigquery.v2.JobService.Query |
USER_RESOURCE_ACCESS |
google.cloud.bigquery.v2.JobService.GetQueryResults |
USER_RESOURCE_ACCESS |
InternalTableExpired |
USER_RESOURCE_DELETION |
google.cloud.bigquery.connection.v1.ConnectionService.CreateConnection |
USER_RESOURCE_CREATION |
google.cloud.bigquery.connection.v1.ConnectionService.DeleteConnection |
RESOURCE_DELETION |
google.cloud.bigquery.connection.v1.ConnectionService.UpdateConnection |
RESOURCE_WRITTEN |
google.cloud.bigquery.connection.v1.ConnectionService.SetIamPolicy |
RESOURCE_PERMISSIONS_CHANGE |
google.cloud.bigquery.reservation.v1.ReservationService.CreateReservation |
USER_RESOURCE_CREATION |
google.cloud.bigquery.reservation.v1.ReservationService.DeleteReservation |
RESOURCE_DELETION |
google.cloud.bigquery.reservation.v1.ReservationService.UpdateReservation |
RESOURCE_WRITTEN |
google.cloud.bigquery.reservation.v1.ReservationService.CreateCapacityCommitment |
USER_RESOURCE_CREATION |
google.cloud.bigquery.reservation.v1.ReservationService.DeleteCapacityCommitment |
RESOURCE_DELETION |
google.cloud.bigquery.reservation.v1.ReservationService.CreateAssignment |
USER_RESOURCE_CREATION |
google.cloud.bigquery.reservation.v1.ReservationService.DeleteAssignment |
RESOURCE_DELETION |
google.cloud.bigquery.reservation.v1.ReservationService.MoveAssignment |
STATUS_UPDATE |
cloudsql.backupRuns.get |
USER_RESOURCE_ACCESS |
cloudsql.backupRuns.list |
USER_RESOURCE_ACCESS |
cloudsql.databases.create |
USER_RESOURCE_CREATION |
cloudsql.databases.delete |
RESOURCE_DELETION |
cloudsql.databases.get |
USER_RESOURCE_ACCESS |
cloudsql.databases.list |
USER_RESOURCE_ACCESS |
cloudsql.databases.update |
RESOURCE_WRITTEN |
cloudsql.instances.export |
USER_RESOURCE_ACCESS |
cloudsql.instances.get |
USER_RESOURCE_ACCESS |
cloudsql.instances.import |
STATUS_UNCATEGORIZED |
cloudsql.instances.list |
USER_RESOURCE_ACCESS |
cloudsql.instances.listEffectiveTags |
USER_RESOURCE_ACCESS |
cloudsql.instances.listServerCas |
USER_RESOURCE_ACCESS |
cloudsql.instances.listTagBindings |
USER_RESOURCE_ACCESS |
cloudsql.instances.login |
USER_LOGIN |
cloudsql.sslCerts.get |
USER_RESOURCE_ACCESS |
cloudsql.sslCerts.list |
USER_RESOURCE_ACCESS |
cloudsql.users.create |
USER_RESOURCE_CREATION |
cloudsql.users.delete |
RESOURCE_DELETION |
cloudsql.users.get |
USER_RESOURCE_ACCESS |
cloudsql.users.list |
USER_RESOURCE_ACCESS |
cloudsql.users.update |
RESOURCE_WRITTEN |
cloudsql.backupRuns.create |
USER_RESOURCE_CREATION |
cloudsql.backupRuns.delete |
RESOURCE_DELETION |
cloudsql.instances.addServerCa |
USER_RESOURCE_CREATION |
cloudsql.instances.clone |
USER_RESOURCE_CREATION |
cloudsql.instances.connect |
RESOURCE_READ |
cloudsql.instances.create |
USER_RESOURCE_CREATION |
cloudsql.instances.createTagBinding |
USER_RESOURCE_CREATION |
cloudsql.instances.delete |
RESOURCE_DELETION |
cloudsql.instances.deleteTagBinding |
RESOURCE_DELETION |
cloudsql.instances.demoteMaster |
STATUS_UPDATE |
cloudsql.instances.failover |
STATUS_UPDATE |
cloudsql.instances.promoteReplica |
STATUS_UPDATE |
cloudsql.instances.resetSslConfig |
USER_RESOURCE_UPDATE_CONTENT |
cloudsql.instances.restart |
STATUS_STARTUP |
cloudsql.instances.restoreBackup |
STATUS_UPDATE |
cloudsql.instances.rotateServerCa |
STATUS_UPDATE |
cloudsql.instances.startReplica |
STATUS_STARTUP |
cloudsql.instances.stopReplica |
STATUS_UPDATE |
cloudsql.instances.truncateLog |
STATUS_UPDATE |
cloudsql.instances.update |
RESOURCE_WRITTEN |
cloudsql.sslCerts.create |
USER_RESOURCE_CREATION |
cloudsql.sslCerts.createEphemeral |
USER_RESOURCE_CREATION |
cloudsql.sslCerts.delete |
RESOURCE_DELETION |
compute.instances.insert |
RESOURCE_CREATION |
compute.instanceGroups.removeInstances |
RESOURCE_DELETION |
compute.instances.setMetadata |
USER_RESOURCE_UPDATE_CONTENT |
compute.instances.setLabels |
USER_RESOURCE_CREATION |
compute.instances.setTags |
USER_RESOURCE_CREATION |
compute.instances.setIamPolicy |
USER_RESOURCE_UPDATE_PERMISSIONS |
compute.instances.list |
USER_RESOURCE_ACCESS |
compute.images.get |
USER_RESOURCE_ACCESS |
compute.interconnectAttachments.aggregatedList |
USER_RESOURCE_ACCESS |
compute.instance.getSerialPortOutput |
USER_RESOURCE_ACCESS |
compute.instances.migrateOnHostMaintenance |
RESOURCE_CREATION |
compute.instances.automaticRestart |
USER_RESOURCE_UPDATE_CONTENT |
compute.instanceGroupManagers.resizeAdvanced |
USER_RESOURCE_UPDATE_CONTENT |
google.ssh-serialport.v1.connect |
NETWORK_CONNECTION |
firewalls.delete |
RESOURCE_DELETION |
firewalls.insert |
RESOURCE_CREATION |
firewalls.patch |
USER_RESOURCE_UPDATE_CONTENT |
firewalls.update |
RESOURCE_WRITTEN |
forwardingRules.delete |
RESOURCE_DELETION |
forwardingRules.insert |
RESOURCE_CREATION |
forwardingRules.patch |
USER_RESOURCE_UPDATE_CONTENT |
forwardingRules.setTarget |
STATUS_UPDATE |
networks.addPeering |
STATUS_UPDATE |
networks.delete |
RESOURCE_DELETION |
networks.insert |
RESOURCE_CREATION |
networks.patch |
USER_RESOURCE_UPDATE_CONTENT |
networks.removePeering |
RESOURCE_DELETION |
networks.switchToCustomMode |
STATUS_UPDATE |
networks.updatePeering |
RESOURCE_WRITTEN |
routes.delete |
RESOURCE_DELETION |
routes.insert |
USER_RESOURCE_CREATION |
subnetworks.delete |
RESOURCE_DELETION |
subnetworks.expandIpCidrRange |
STATUS_UPDATE |
subnetworks.insert |
RESOURCE_CREATION |
subnetworks.patch |
USER_RESOURCE_UPDATE_CONTENT |
subnetworks.setIamPolicy |
USER_RESOURCE_UPDATE_PERMISSIONS |
subnetworks.setPrivateIpGoogleAccess |
STATUS_UPDATE |
subnetworks.testIamPermissions |
USER_RESOURCE_ACCESS |
firewalls.get |
USER_RESOURCE_ACCESS |
firewalls.list |
USER_RESOURCE_ACCESS |
forwardingRules.aggregatedList |
USER_RESOURCE_ACCESS |
forwardingRules.get |
USER_RESOURCE_ACCESS |
forwardingRules.list |
USER_RESOURCE_ACCESS |
networks.get |
USER_RESOURCE_ACCESS |
networks.list |
USER_RESOURCE_ACCESS |
networks.listPeeringRoutes |
USER_RESOURCE_ACCESS |
routes.get |
USER_RESOURCE_ACCESS |
routes.list |
USER_RESOURCE_ACCESS |
subnetworks.aggregatedList |
USER_RESOURCE_ACCESS |
subnetworks.get |
USER_RESOURCE_ACCESS |
subnetworks.getIamPolicy |
USER_RESOURCE_ACCESS |
subnetworks.list |
USER_RESOURCE_ACCESS |
subnetworks.listUsable |
USER_RESOURCE_ACCESS |
google.admin.AdminService.alertCenterBatchDeleteAlerts |
RESOURCE_DELETION |
google.admin.AdminService.alertCenterBatchUndeleteAlerts |
RESOURCE_DELETION |
google.admin.AdminService.alertCenterCreateAlert |
USER_RESOURCE_CREATION |
google.admin.AdminService.alertCenterCreateFeedback |
USER_RESOURCE_CREATION |
google.admin.AdminService.alertCenterDeleteAlert |
RESOURCE_DELETION |
google.admin.AdminService.alertCenterGetAlertMetadata |
USER_RESOURCE_ACCESS |
google.admin.AdminService.alertCenterGetCustomerSettings |
USER_RESOURCE_ACCESS |
google.admin.AdminService.alertCenterGetSitLink |
USER_RESOURCE_ACCESS |
google.admin.AdminService.alertCenterListChange |
USER_RESOURCE_ACCESS |
google.admin.AdminService.alertCenterListFeedback |
USER_RESOURCE_ACCESS |
google.admin.AdminService.alertCenterListRelatedAlerts |
USER_RESOURCE_ACCESS |
google.admin.AdminService.alertCenterUndeleteAlert |
RESOURCE_DELETION |
google.admin.AdminService.alertCenterUpdateAlert |
RESOURCE_WRITTEN |
google.admin.AdminService.alertCenterUpdateAlertMetadata |
RESOURCE_WRITTEN |
google.admin.AdminService.alertCenterUpdateCustomerSettings |
RESOURCE_WRITTEN |
google.admin.AdminService.alertCenterView |
USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.changeApplicationSetting |
USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.createApplicationSetting |
USER_RESOURCE_CREATION |
google.admin.AdminService.deleteApplicationSetting |
RESOURCE_DELETION |
google.admin.AdminService.reorderGroupBasedPoliciesEvent |
USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.gplusPremiumFeatures |
USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.createManagedConfiguration |
USER_RESOURCE_CREATION |
google.admin.AdminService.deleteManagedConfiguration |
RESOURCE_DELETION |
google.admin.AdminService.updateManagedConfiguration |
RESOURCE_WRITTEN |
google.admin.AdminService.flashlightEduNonFeaturedServicesSelected |
USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.createBuilding |
USER_RESOURCE_CREATION |
google.admin.AdminService.deleteBuilding |
RESOURCE_DELETION |
google.admin.AdminService.updateBuilding |
RESOURCE_WRITTEN |
google.admin.AdminService.createCalendarResource |
USER_RESOURCE_CREATION |
google.admin.AdminService.deleteCalendarResource |
RESOURCE_DELETION |
google.admin.AdminService.createCalendarResourceFeature |
USER_RESOURCE_CREATION |
google.admin.AdminService.deleteCalendarResourceFeature |
RESOURCE_DELETION |
google.admin.AdminService.updateCalendarResourceFeature |
RESOURCE_WRITTEN |
google.admin.AdminService.renameCalendarResource |
USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.updateCalendarResource |
RESOURCE_WRITTEN |
google.admin.AdminService.changeCalendarSetting |
USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.cancelCalendarEvents |
USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.releaseCalendarResources |
USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.meetInteropCreateGateway |
USER_RESOURCE_CREATION |
google.admin.AdminService.meetInteropDeleteGateway |
RESOURCE_DELETION |
google.admin.AdminService.meetInteropModifyGateway |
USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.changeChatSetting |
USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.changeChromeOsAndroidApplicationSetting |
USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.changeChromeOsApplicationSetting |
USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.sendChromeOsDeviceCommand |
USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.changeChromeOsDeviceAnnotation |
USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.changeChromeOsDeviceSetting |
USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.changeChromeOsDeviceState |
USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.changeChromeOsPublicSessionSetting |
USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.insertChromeOsPrinter |
USER_RESOURCE_CREATION |
google.admin.AdminService.deleteChromeOsPrinter |
RESOURCE_DELETION |
google.admin.AdminService.updateChromeOsPrinter |
RESOURCE_WRITTEN |
google.admin.AdminService.changeChromeOsSetting |
USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.changeChromeOsUserSetting |
USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.removeChromeOsApplicationSettings |
RESOURCE_DELETION |
google.admin.AdminService.changeContactsSetting |
USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.assignRole |
USER_RESOURCE_UPDATE_PERMISSIONS |
google.admin.AdminService.createRole |
USER_RESOURCE_CREATION |
google.admin.AdminService.deleteRole |
RESOURCE_DELETION |
google.admin.AdminService.addPrivilege |
USER_RESOURCE_CREATION |
google.admin.AdminService.removePrivilege |
RESOURCE_DELETION |
google.admin.AdminService.renameRole |
USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.updateRole |
RESOURCE_WRITTEN |
google.admin.AdminService.unassignRole |
USER_RESOURCE_UPDATE_PERMISSIONS |
google.admin.AdminService.deleteDevice |
RESOURCE_DELETION |
google.admin.AdminService.moveDeviceToOrgUnit |
USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.transferDocumentOwnership |
USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.driveDataRestore |
USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.changeDocsSetting |
USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.changeAccountAutoRenewal |
USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.addApplication |
USER_RESOURCE_CREATION |
google.admin.AdminService.addApplicationToWhitelist |
USER_RESOURCE_CREATION |
google.admin.AdminService.changeAdvertisementOption |
USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.createAlert |
USER_RESOURCE_CREATION |
google.admin.AdminService.changeAlertCriteria |
USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.deleteAlert |
RESOURCE_DELETION |
google.admin.AdminService.alertReceiversChanged |
USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.renameAlert |
USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.alertStatusChanged |
USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.addDomainAlias |
USER_RESOURCE_CREATION |
google.admin.AdminService.removeDomainAlias |
RESOURCE_DELETION |
google.admin.AdminService.skipDomainAliasMx |
USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.verifyDomainAliasMx |
USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.verifyDomainAlias |
USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.toggleOauthAccessToAllApis |
USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.toggleAllowAdminPasswordReset |
USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.enableApiAccess |
USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.authorizeApiClientAccess |
USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.removeApiClientAccess |
RESOURCE_DELETION |
google.admin.AdminService.chromeLicensesRedeemed |
USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.toggleAutoAddNewService |
USER_RESOURCE_CREATION |
google.admin.AdminService.changePrimaryDomain |
USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.changeWhitelistSetting |
USER_RESOURCE_ACCESS |
google.admin.AdminService.communicationPreferencesSettingChange |
USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.changeConflictAccountAction |
USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.enableFeedbackSolicitation |
USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.toggleContactSharing |
USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.createPlayForWorkToken |
USER_RESOURCE_CREATION |
google.admin.AdminService.toggleUseCustomLogo |
USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.changeCustomLogo |
USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.changeDataLocalizationForRussia |
USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.changeDataLocalizationSetting |
USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.changeDataProtectionOfficerContactInfo |
USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.deletePlayForWorkToken |
RESOURCE_DELETION |
google.admin.AdminService.viewDnsLoginDetails |
USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.changeDomainDefaultLocale |
USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.changeDomainDefaultTimezone |
USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.changeDomainName |
USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.toggleEnablePreReleaseFeatures |
USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.changeDomainSupportMessage |
USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.addTrustedDomains |
USER_RESOURCE_CREATION |
google.admin.AdminService.removeTrustedDomains |
RESOURCE_DELETION |
google.admin.AdminService.changeEduType |
USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.toggleEnableOauthConsumerKey |
USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.toggleSsoEnabled |
USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.toggleSsl |
USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.changeEuRepresentativeContactInfo |
USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.generateTransferToken |
USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.changeLoginBackgroundColor |
USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.changeLoginBorderColor |
USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.changeLoginActivityTrace |
USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.playForWorkEnroll |
USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.playForWorkUnenroll |
USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.mxRecordVerificationClaim |
USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.toggleNewAppFeatures |
USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.toggleUseNextGenControlPanel |
USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.uploadOauthCertificate |
USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.regenerateOauthConsumerSecret |
USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.toggleOpenIdEnabled |
USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.changeOrganizationName |
USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.toggleOutboundRelay |
USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.changePasswordMaxLength |
USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.changePasswordMinLength |
USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.updateDomainPrimaryAdminEmail |
RESOURCE_WRITTEN |
google.admin.AdminService.enableServiceOrFeatureNotifications |
USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.removeApplication |
RESOURCE_DELETION |
google.admin.AdminService.removeApplicationFromWhitelist |
RESOURCE_DELETION |
google.admin.AdminService.changeRenewDomainRegistration |
USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.changeResellerAccess |
USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.ruleActionsChanged |
USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.createRule |
USER_RESOURCE_CREATION |
google.admin.AdminService.changeRuleCriteria |
USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.deleteRule |
RESOURCE_DELETION |
google.admin.AdminService.renameRule |
USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.ruleStatusChanged |
USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.addSecondaryDomain |
USER_RESOURCE_CREATION |
google.admin.AdminService.removeSecondaryDomain |
RESOURCE_DELETION |
google.admin.AdminService.skipSecondaryDomainMx |
USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.verifySecondaryDomainMx |
USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.verifySecondaryDomain |
USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.updateDomainSecondaryEmail |
RESOURCE_WRITTEN |
google.admin.AdminService.changeSsoSettings |
USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.generatePin |
USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.updateRule |
RESOURCE_WRITTEN |
google.admin.AdminService.dropFromQuarantine |
USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.emailLogSearch |
USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.emailUndelete |
RESOURCE_DELETION |
google.admin.AdminService.changeEmailSetting |
USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.changeGmailSetting |
USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.createGmailSetting |
USER_RESOURCE_CREATION |
google.admin.AdminService.deleteGmailSetting |
RESOURCE_DELETION |
google.admin.AdminService.rejectFromQuarantine |
USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.releaseFromQuarantine |
USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.createGroup |
USER_RESOURCE_CREATION |
google.admin.AdminService.deleteGroup |
RESOURCE_DELETION |
google.admin.AdminService.changeGroupDescription |
USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.groupListDownload |
USER_RESOURCE_ACCESS |
google.admin.AdminService.addGroupMember |
USER_RESOURCE_CREATION |
google.admin.AdminService.removeGroupMember |
RESOURCE_DELETION |
google.admin.AdminService.updateGroupMember |
RESOURCE_WRITTEN |
google.admin.AdminService.updateGroupMemberDeliverySettings |
RESOURCE_WRITTEN |
google.admin.AdminService.updateGroupMemberDeliverySettingsCanEmailOverride |
RESOURCE_WRITTEN |
google.admin.AdminService.groupMemberBulkUpload |
USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.groupMembersDownload |
USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.changeGroupName |
USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.changeGroupSetting |
USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.whitelistedGroupsUpdated |
RESOURCE_WRITTEN |
google.admin.AdminService.securityInvestigationAction |
USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.securityInvestigationActionCancellation |
USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.securityInvestigationActionCompletion |
USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.securityInvestigationActionRetry |
USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.securityInvestigationActionVerificationConfirmation |
USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.securityInvestigationActionVerificationRequest |
USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.securityInvestigationActionVerificationRequestExpiration |
USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.securityInvestigationChartCreate |
USER_RESOURCE_CREATION |
google.admin.AdminService.securityInvestigationContentAccess |
USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.securityInvestigationDownloadAttachment |
USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.securityInvestigationExportActionResults |
USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.securityInvestigationExportQuery |
USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.securityInvestigationObjectCreateDraftInvestigation |
USER_RESOURCE_CREATION |
google.admin.AdminService.securityInvestigationObjectDeleteInvestigation |
RESOURCE_DELETION |
google.admin.AdminService.securityInvestigationObjectDuplicateInvestigation |
USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.securityInvestigationObjectOwnershipTransfer |
USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.securityInvestigationObjectSaveInvestigation |
USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.securityInvestigationObjectUpdateDirectSharing |
RESOURCE_WRITTEN |
google.admin.AdminService.securityInvestigationObjectUpdateLinkSharing |
RESOURCE_WRITTEN |
google.admin.AdminService.securityInvestigationQuery |
USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.securityInvestigationSettingUpdate |
RESOURCE_WRITTEN |
google.admin.AdminService.addToTrustedOauth2Apps |
USER_RESOURCE_CREATION |
google.admin.AdminService.allowAspWithout2Sv |
USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.allowServiceForOauth2Access |
USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.allowStrongAuthentication |
USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.blockOnDeviceAccess |
USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.changeAllowedTwoStepVerificationMethods |
USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.changeAppAccessSettingsCollectionId |
USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.changeCaaAppAssignments |
USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.changeCaaDefaultAssignments |
USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.changeCaaErrorMessage |
USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.changeSessionLength |
USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.changeTwoStepVerificationEnrollmentPeriodDuration |
USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.changeTwoStepVerificationFrequency |
USER_RESOURCE_UPDATE_PERMISSIONS |
google.admin.AdminService.changeTwoStepVerificationGracePeriodDuration |
USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.changeTwoStepVerificationStartDate |
USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.disallowServiceForOauth2Access |
USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.enableNonAdminUserPasswordRecovery |
USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.enforceStrongAuthentication |
USER_RESOURCE_UPDATE_PERMISSIONS |
google.admin.AdminService.removeFromTrustedOauth2Apps |
RESOURCE_DELETION |
google.admin.AdminService.sessionControlSettingsChange |
USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.toggleCaaEnablement |
USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.trustDomainOwnedOauth2Apps |
USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.unblockOnDeviceAccess |
USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.untrustDomainOwnedOauth2Apps |
USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.updateErrorMsgForRestrictedOauth2Apps |
RESOURCE_WRITTEN |
google.admin.AdminService.weakProgrammaticLoginSettingsChanged |
USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.delete2SvScratchCodes |
RESOURCE_DELETION |
google.admin.AdminService.generate2SvScratchCodes |
USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.revoke3LoDeviceTokens |
USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.revoke3LoToken |
USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.addRecoveryEmail |
USER_RESOURCE_CREATION |
google.admin.AdminService.addRecoveryPhone |
USER_RESOURCE_CREATION |
google.admin.AdminService.grantAdminPrivilege |
USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.revokeAdminPrivilege |
USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.revokeAsp |
USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.toggleAutomaticContactSharing |
USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.bulkUpload |
USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.bulkUploadNotificationSent |
USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.cancelUserInvite |
USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.changeUserCustomField |
USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.changeUserExternalId |
USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.changeUserGender |
USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.changeUserIm |
USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.enableUserIpWhitelist |
USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.changeUserKeyword |
USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.changeUserLanguage |
USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.changeUserLocation |
USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.changeUserOrganization |
USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.changeUserPhoneNumber |
USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.changeRecoveryEmail |
USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.changeRecoveryPhone |
USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.changeUserRelation |
USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.changeUserAddress |
USER_RESOURCE_CREATION |
google.admin.AdminService.createEmailMonitor |
USER_RESOURCE_CREATION |
google.admin.AdminService.createDataTransferRequest |
USER_RESOURCE_CREATION |
google.admin.AdminService.grantDelegatedAdminPrivileges |
USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.deleteAccountInfoDump |
RESOURCE_DELETION |
google.admin.AdminService.deleteEmailMonitor |
RESOURCE_DELETION |
google.admin.AdminService.deleteMailboxDump |
RESOURCE_DELETION |
google.admin.AdminService.changeFirstName |
USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.gmailResetUser |
USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.changeLastName |
USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.mailRoutingDestinationAdded |
USER_RESOURCE_CREATION |
google.admin.AdminService.mailRoutingDestinationRemoved |
RESOURCE_DELETION |
google.admin.AdminService.addNickname |
USER_RESOURCE_CREATION |
google.admin.AdminService.removeNickname |
RESOURCE_DELETION |
google.admin.AdminService.changePassword |
USER_CHANGE_PASSWORD |
google.admin.AdminService.changePasswordOnNextLogin |
USER_CHANGE_PASSWORD |
google.admin.AdminService.downloadPendingInvitesList |
USER_RESOURCE_ACCESS |
google.admin.AdminService.removeRecoveryEmail |
RESOURCE_DELETION |
google.admin.AdminService.removeRecoveryPhone |
RESOURCE_DELETION |
google.admin.AdminService.requestAccountInfo |
USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.requestMailboxDump |
USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.resendUserInvite |
USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.resetSigninCookies |
USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.securityKeyRegisteredForUser |
USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.revokeSecurityKey |
USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.userInvite |
USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.viewTempPassword |
USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.turnOff2StepVerification |
USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.unblockUserSession |
USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.unenrollUserFromTitanium |
USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.archiveUser |
USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.updateBirthdate |
RESOURCE_WRITTEN |
google.admin.AdminService.createUser |
USER_CREATION |
google.admin.AdminService.deleteUser |
RESOURCE_DELETION |
google.admin.AdminService.downgradeUserFromGplus |
USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.userEnrolledInTwoStepVerification |
USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.downloadUserlistCsv |
USER_RESOURCE_ACCESS |
google.admin.AdminService.moveUserToOrgUnit |
USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.userPutInTwoStepVerificationGracePeriod |
USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.renameUser |
USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.unenrollUserFromStrongAuth |
USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.suspendUser |
USER_RESOURCE_UPDATE_PERMISSIONS |
google.admin.AdminService.unarchiveUser |
USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.undeleteUser |
RESOURCE_DELETION |
google.admin.AdminService.unsuspendUser |
STATUS_UPDATE |
google.admin.AdminService.upgradeUserToGplus |
USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.usersBulkUpload |
USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.usersBulkUploadNotificationSent |
USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.createAccessLevelV2 |
USER_RESOURCE_CREATION |
google.admin.AdminService.systemDefinedRuleUpdated |
USER_RESOURCE_UPDATE_PERMISSIONS |
google.admin.AdminService.createDeviceEnrollmentToken |
USER_RESOURCE_CREATION |
google.login.LoginService.2svDisable |
STATUS_UPDATE |
google.login.LoginService.2svEnroll |
STATUS_UPDATE |
google.login.LoginService.accountDisabledPasswordLeak |
STATUS_UPDATE |
google.login.LoginService.accountDisabledGeneric |
USER_LOGIN |
google.login.LoginService.accountDisabledSpammingThroughRelay |
USER_LOGIN
Security category: |
google.login.LoginService.accountDisabledSpamming |
USER_LOGIN
Security category: |
google.login.LoginService.accountDisabledHijacked |
USER_LOGIN
Security category: |
google.login.LoginService.emailForwardingOutOfDomain |
EMAIL_TRANSACTION |
google.login.LoginService.govAttackWarning |
USER_LOGIN
Security category: |
google.login.LoginService.loginChallenge |
USER_LOGIN |
google.login.LoginService.loginFailure |
USER_LOGIN
Security category: |
google.login.LoginService.loginVerification |
USER_LOGIN |
google.login.LoginService.logout |
USER_LOGOUT |
google.login.LoginService.loginSuccess |
USER_LOGIN |
google.login.LoginService.passwordEdit |
USER_CHANGE_PASSWORD |
google.login.LoginService.recoveryEmailEdit |
USER_RESOURCE_UPDATE_CONTENT |
google.login.LoginService.recoveryPhoneEdit |
USER_RESOURCE_UPDATE_CONTENT |
google.login.LoginService.recoverySecretQaEdit |
USER_RESOURCE_UPDATE_CONTENT |
google.login.LoginService.suspiciousLogin |
USER_LOGIN
Security category: |
google.login.LoginService.suspiciousLoginLessSecureApp |
USER_LOGIN
Security category: |
google.login.LoginService.suspiciousProgrammaticLogin |
USER_LOGIN
Security category: |
google.login.LoginService.titaniumEnroll |
USER_RESOURCE_UPDATE_CONTENT |
google.login.LoginService.titaniumUnenroll |
USER_RESOURCE_CREATION |
google.identity.accesscontextmanager.v1.AccessContextManager.CreateAccessLevel |
USER_RESOURCE_CREATION |
google.apps.cloudidentity.groups.v1.MembershipsService.UpdateMembership |
USER_RESOURCE_UPDATE_CONTENT |
io.k8s.core.v1.pods.create |
RESOURCE_CREATION |
io.k8s.authorization.rbac.v1.clusterrolebindings.create |
RESOURCE_CREATION |
beta.compute.instanceTemplates.insert |
RESOURCE_CREATION |
SetOrgPolicy |
USER_RESOURCE_UPDATE_PERMISSIONS |
beta.compute.instanceGroupManagers.patch |
RESOURCE_WRITTEN |
beta.compute.autoscalers.update |
RESOURCE_WRITTEN |
compute.v1.InstancesService.Get |
USER_RESOURCE_ACCESS |
google.storage.objects.list |
USER_RESOURCE_ACCESS |
google.cloudresourcemanager.v1.Projects.SetIamPolicy |
USER_RESOURCE_UPDATE_PERMISSIONS |
cloudsql.instances.query |
USER_RESOURCE_ACCESS |
cloudtrace.googleapis.com/ListInsights |
RESOURCE_READ |
google.cloud.functions.v1.CloudFunctionsService.CreateFunction |
RESOURCE_CREATION |
google.api.servicemanagement.v1.ServiceManager.ActivateServices |
USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.changePassword |
USER_CHANGE_PASSWORD |
google.api.serviceusage.v1.ServiceUsage.DisableService |
USER_RESOURCE_UPDATE_CONTENT |
AuthorizeUser |
USER_LOGIN |
google.cloud.oslogin.v1.OsLoginService.CheckPolicy |
USER_LOGIN |
google.admin.AdminService.unsuspendUser |
STATUS_UPDATE |
jobservice.jobcompleted |
RESOURCE_WRITTEN |
compute.v1.ProjectsService.Get |
USER_RESOURCE_ACCESS |
v1.compute.projects.setCommonInstanceMetadata |
USER_RESOURCE_UPDATE_CONTENT |
CreateCryptoKey |
RESOURCE_CREATION |
storage.buckets.get |
RESOURCE_READ |
google.longrunning.Operations.GetOperation |
RESOURCE_READ |
io.k8s.core.v1.pods.delete |
RESOURCE_DELETION |
v1.compute.disks.delete |
RESOURCE_DELETION |
v1.compute.disks.insert |
RESOURCE_CREATION |
ScheduledSnapshots |
RESOURCE_WRITTEN |
v1.compute.disks.setLabels |
RESOURCE_WRITTEN |
google.cloud.healthcare.v1alpha2.dataset.DatasetService.AccessEhrSearch |
STATUS_UPDATE |
io.k8s.apiextensions.v1.customresourcedefinitions.patch |
RESOURCE_WRITTEN |
io.k8s.post |
USER_UNCATEGORIZED |
v1.compute.instances.delete |
RESOURCE_DELETION |
storage.buckets.list |
RESOURCE_READ |
storage.objects.create |
RESOURCE_CREATION |
google.pubsub.v1.Publisher.CreateTopic |
RESOURCE_CREATION |
google.devtools.cloudbuild.v1.CloudBuild.ListBuilds |
USER_RESOURCE_ACCESS |
google.cloud.asset.v1.AssetService.UpdateFeed |
USER_RESOURCE_UPDATE_PERMISSIONS |
storage.objects.update |
RESOURCE_WRITTEN |
datasetservice.insert |
USER_RESOURCE_CREATION |
storage.setIamPermissions |
USER_RESOURCE_UPDATE_PERMISSIONS |
io.k8s.coordination.v1.leases.update |
RESOURCE_WRITTEN |
datasetservice.delete |
USER_RESOURCE_DELETION |
compute.instances.repair.recreateInstance |
RESOURCE_CREATION |
tableservice.delete |
USER_RESOURCE_DELETION |
io.k8s.core.v1.configmaps.update |
RESOURCE_WRITTEN |
io.k8s.core.v1.nodes.proxy.get |
RESOURCE_READ |
compute.instances.repair.deleteInstance |
RESOURCE_DELETION |
google.cloud.dataproc.v1.JobController.SubmitJob |
RESOURCE_WRITTEN |
google.cloud.dataproc.v1beta2.ClusterController.UpdateCluster |
RESOURCE_WRITTEN |
io.k8s.app.v1beta1.applications.update |
RESOURCE_WRITTEN |
io.gke.networking.v1beta1.managedcertificates.update |
RESOURCE_WRITTEN |
io.k8s.extensions.v1beta1.deployments.patch |
RESOURCE_WRITTEN |
compute.instanceGroupManagers.deleteInstances |
RESOURCE_DELETION |
io.k8s.authorization.rbac.v1.rolebindings.patch |
RESOURCE_WRITTEN |
google.admin.AdminService.toggleServiceEnabled |
USER_UNCATEGORIZED |
io.k8s.core.v1.services.proxy.get |
RESOURCE_READ |
google.datastore.v1.Datastore.RunQuery |
STATUS_UPDATE |
google.appengine.Datastore.Put |
STATUS_UPDATE |
google.cloud.securitycenter.settings.v1beta2.Settings.UpdateSecurityHealthAnalyticsSettings |
RESOURCE_WRITTEN |
v1.compute.securityPolicies.patchRule |
RESOURCE_WRITTEN |
beta.compute.images.setIamPolicy |
USER_RESOURCE_UPDATE_PERMISSIONS |
google.iam.v1.IAMPolicy.SetIamPolicy |
USER_RESOURCE_UPDATE_PERMISSIONS |
io.k8s.certificates.v1.certificatesigningrequests.create |
RESOURCE_CREATION |
io.k8s.core.v0.id.create |
RESOURCE_CREATION |
google.cloud.orgpolicy.v2.OrgPolicy.DeletePolicy |
RESOURCE_WRITTEN |
google.cloud.securitycenter.settings.v1beta2.Settings.UpdateEventThreatDetectionSettings |
RESOURCE_DELETION |
UpdateCryptoKeyVersion |
RESOURCE_WRITTEN |
google.apps.cloudidentity.groups.v1.GroupsService.UpdateGroup |
RESOURCE_WRITTEN |
v1 |
STATUS_UPDATE |
google.cloud.run.v1.Services.ReplaceService |
SERVICE_UNCATEGORIZED |
updatePolicy |
RESOURCE_WRITTEN |
updateBackup |
RESOURCE_WRITTEN |
字段映射参考文档:GCP_CLOUDAUDIT
下表列出了 GCP_CLOUDAUDIT 日志类型的日志字段及其对应的 UDM 字段。日志字段 | UDM 映射 | 逻辑 |
---|---|---|
jsonPayload.accesses[].resourceName |
about.resource.name |
|
protoPayload.response.selfLink |
about.url |
|
protoPayload.metadata.event.eventName.parameter.name[login_challenge_method] |
extensions.auth.auth_details |
如果 protoPayload.metadata.event.eventName 日志字段值等于 login_failure 、login_verification 、login_challenge 或 login_success ,那么如果 protoPayload.metadata.event.eventName.parameter.name 日志字段值等于 login_challenge_method ,则 protoPayload.metadata.event.eventName.parameter.value 日志字段将映射到 extensions.auth.auth_details UDM 字段。 |
extensions.auth.auth_mechanism |
如果 protoPayload.metadata.event.eventName 等于 login_failure 、login_verification 、login_challenge 或 logic_success ,则 extensions.auth.auth_mechanism UDM 字段为:
|
|
extensions.auth.type |
如果 protoPayload.metadata.event.eventName 日志字段值等于 login_failure 、login_verification 、login_challenge 或 login_success ,并且 protoPayload.metadata.event.eventName.parameter.name 日志字段值等于 login_challenge_method ,则 extensions.auth.type UDM 字段设置为 MACHINE 。 |
|
protoPayload.metadata.event.eventName.parameter.name[GATEWAY_NAME] |
intermediary.resource.name |
|
receiveTimestamp |
metadata.collected_timestamp |
|
protoPayload.response.operationType |
metadata.description |
如果 protoPayload.methodName 日志字段值等于 cloudsql.instances.create ,则 protoPayload.response.operationType - protoPayload.response.kind 日志字段会映射到 metadata.description UDM 字段。 |
protoPayload.response.kind |
target.resource.attribute.labels[response_kind] |
|
protoPayload.status.message |
metadata.description |
|
protoPayload.metadata.event.eventName.parameter.name[SETTING_DESCRIPTION] |
metadata.description |
|
timestamp |
metadata.event_timestamp |
|
protoPayload.methodName |
metadata.product_event_type |
|
resource.labels.method |
metadata.product_event_type |
|
jsonPayload.event_subtype |
metadata.product_event_type |
|
insertId |
metadata.product_log_id |
|
protoPayload.metadata.event.eventName.parameter.name[PRODUCT_NAME] |
metadata.product_name |
如果 protoPayload.serviceName 日志字段值与正则表达式 (compute.googleapis.com) 匹配,则 metadata.product_name UDM 字段值与正则表达式 (compute.googleapis.com) 匹配,那么 metadata.product_name UDM 字段值与正则表达式 (compute.googleapis.com) 匹配,那么 metadata.product_name UDM 字段值匹配正则表达式 (compute.googleapis.com) 。metadata.product_name UDM 字段值匹配正则表达式 (compute.googleapis.com) 。metadata.product_name UDM 字段值匹配正则表达式 (compute.googleapis.com) 。metadata.product_name UDM 字段值匹配正则表达式 (compute.googleapis.com) 。metadata.product_name UDM 字段值匹配正则表达式 (compute.googleapis.com) 。metadata.product_name protoPayload.serviceName protoPayload.serviceName protoPayload.serviceName protoPayload.serviceName protoPayload.serviceName protoPayload.serviceName protoPayload.serviceName protoPayload.serviceName protoPayload.serviceName metadata.product_name metadata.product_name Google Compute Engine (bigquery.googleapis.com) BigQuery (admin.googleapis.com or login.googleapis.com or cloudidentity.googleapis.com) G Suite (k8s.io) Google Kubernetes Engine (servicemanagement.googleapis.com) Google Service Management (storage.googleapis.com) Google Cloud Storage (cloudsql.googleapis.com) Google Cloud SQL (dataproc.googleapis.com) Google Dataproc (iam.googleapis.com) Google Cloud IAM (accesscontextmanager.googleapis.com) Context Manager API |
logName |
metadata.url_back_to_product |
|
protoPayload.response.selfLinkWithId |
metadata.url_back_to_product |
|
metadata.vendor_name |
metadata.vendor_name UDM 字段设置为 Google Cloud Platform 。 |
|
httpRequest.protocol |
network.application_protocol |
|
protoPayload.metadata.request_id |
network.community_id |
|
protoPayload.resourceOriginalState.direction |
network.direction |
|
protoPayload.request.direction |
network.direction |
|
protoPayload.metadata.event.eventName.parameter.name[EMAIL_LOG_SEARCH_SENDER] |
network.email.from |
|
protoPayload.metadata.event.eventName.parameter.name[EMAIL_LOG_SEARCH_MSG_ID] |
network.email.mail_id |
|
protoPayload.metadata.event.eventName.parameter.name[EMAIL_LOG_SEARCH_RECIPIENT] |
network.email.to |
|
httpRequest.requestMethod |
network.http.method |
|
protoPayload.requestMetadata.requestAttributes.method |
network.http.method |
|
httpRequest.referer |
network.http.referral_url |
|
protoPayload.requestMetadata.requestAttributes.path |
network.http.referral_url |
|
httpRequest.requestUrl |
network.http.referral_url |
|
protoPayload.resourceOriginalState.network |
network.http.referral_url |
|
httpRequest.status |
network.http.response_code |
|
protoPayload.response.error.code |
network.http.response_code |
|
protoPayload.status.code |
security_result.detection_fields [status_code] |
|
protoPayload.requestMetadata.callerSuppliedUserAgent |
network.http.user_agent |
如果 protoPayload.requestMetadata.callerSuppliedUserAgent 日志字段值与正则表达式 Group 匹配,则 protoPayload.requestMetadata.callerSuppliedUserAgent 日志字段会映射到 principal.group.group_display_name UDM 字段。 |
httpRequest.userAgent |
network.http.user_agent |
|
protoPayload.resourceOriginalState.alloweds.IPProtocol |
network.ip_protocol |
|
protoPayload.requestMetadata.requestAttributes.protocol |
network.ip_protocol |
|
protoPayload.request.IPProtocol |
network.ip_protocol |
|
protoPayload.request.alloweds.IPProtocol |
network.ip_protocol |
|
jsonPayload.connection.protocol |
network.ip_protocol |
|
protoPayload.metadata.event.eventName.parameter.name[ORG_UNIT_NAME] |
network.organization_name |
|
httpRequest.responseSize |
network.received_bytes |
|
httpRequest.requestSize |
network.sent_bytes |
|
jsonPayload.bytes_sent |
network.sent_bytes |
|
protoPayload.requestMetadata.requestAttributes.id |
network.session_id |
|
ProtoPayload.authenticationInfo.serviceAccountDelegationInfo.firstPartyPrincipal.principalEmail |
principal.email |
|
jsonPayload.src_instance.vm_name |
principal.hostname |
|
protoPayload.requestMetadata.callerIp |
principal.ip |
|
protoPayload.metadata.event.eventName.parameter.name[EMAIL_LOG_SEARCH_SMTP_SENDER_IP] |
principal.ip |
|
jsonPayload.connection.src_ip |
principal.ip |
|
httpRequest.serverIp |
principal.ip |
|
resourceLocation.originalLocations |
principal.location.name |
|
jsonPayload.connection.nat_ip |
principal.nat_ip |
|
jsonPayload.connection.nat_port |
principal.nat_port |
|
jsonPayload.connection.src_port |
principal.port |
|
protoPayload.authorizationInfo.resource |
principal.resource.name |
如果 protoPayload.authorizationInfo.resource 日志字段值不为空,则 protoPayload.authorizationInfo.resource 日志字段会映射到 principal.resource.name UDM 字段。 |
protoPayload.authorizationInfo.resourceAttributes.name |
principal.resource.name |
如果 protoPayload.authorizationInfo.resourceAttributes.name 日志字段值不为空,则 protoPayload.authorizationInfo.resourceAttributes.name 日志字段会映射到 principal.resource.name UDM 字段。 |
protoPayload.authorizationInfo.permission |
target.resource_ancestors.attribute.permissions.name |
|
protoPayload.authorizationInfo.permissionType |
target.resource_ancestors.attribute.permissions.type |
|
protoPayload.authorizationInfo.resourceAttributes.service |
target.resource_ancestors.attribute.labels[resource_attribute_service] |
|
protoPayload.authorizationInfo.granted |
target.resource_ancestors.attribute.labels[authorization_granted] |
|
protoPayload.resourceOriginalState.name |
principal.resource.name |
|
protoPayload.authorizationInfo.resourceAttributes.type |
principal.resource.resource_subtype |
|
principal.user.account_type |
如果 access.principalSubject 日志字段值与正则表达式 serviceAccount 匹配,则 principal.user.account_type UDM 字段会设置为 SERVICE_ACCOUNT_TYPE 。如果 access.principalSubject 日志字段值与正则表达式 user 匹配,则 principal.user.account_type UDM 字段会设置为 CLOUD_ACCOUNT_TYPE 。 |
|
protoPayload.authorizationInfo.authorizationLoggingOptions.permissionType |
principal.user.attribute.permissions.description |
|
protoPayload.request.serviceAccounts[].scopes |
principal.user.attribute.permissions.name |
|
protoPayload.authorizationInfo.permission |
principal.user.attribute.permissions.name |
|
protoPayload.authorizationInfo.authorizationLoggingOptions.permissionType |
principal.user.attribute.permissions.type |
|
protoPayload.serviceData.policyDelta.bindingDeltas[].action |
principal.user.attribute.roles.description |
|
protoPayload.request.bindings.role |
principal.user.attribute.roles.name |
|
protoPayload.serviceData.policyDelta.bindingDeltas[].role |
principal.user.attribute.roles.name |
|
jsonPayload.location.principalEmployingEntity |
principal.user.company_name |
|
jsonPayload.location.principalOfficeCountry |
principal.user.office_address.country_or_region |
|
protoPayload.authenticationInfo.principalEmail |
principal.user.userid |
如果 protoPayload.authenticationInfo.principalEmail 日志字段值不为空,系统会使用 Grok 模式从 protoPayload.authenticationInfo.principalEmail 日志字段提取 userid_auth ,并映射到 principal.user.userid UDM 字段。 |
protoPayload.metadata.event.eventName.parameter.value |
principal.user.userid |
如果 protoPayload.metadata.event.eventName 日志字段值等于 CREATE_EMAIL_MONITOR 或 CREATE_DATA_TRANSFER_REQUEST :
protoPayload.metadata.event.eventName.parameter.name 日志字段值等于 USER_EMAIL ,则系统会使用 Grok 模式从 protoPayload.metadata.event.eventName.parameter.value 日志字段中提取 userid ,并将其映射到 principal.user.userid UDM 字段。 |
protoPayload.authenticationInfo.authoritySelector |
principal.user.userid |
如果 protoPayload.authenticationInfo.authoritySelector 日志字段值不为空,系统会使用 Grok 模式从 protoPayload.authenticationInfo.authoritySelector 日志字段提取 userid_selector ,并映射到 principal.user.userid UDM 字段。 |
jsonPayload.actor.user |
principal.user.userid |
如果 jsonPayload.actor.user 日志字段值不为空,系统会使用 Grok 模式从 jsonPayload.actor.user 日志字段提取 userid_actor ,并映射到 principal.user.userid UDM 字段。 |
protoPayload.authenticationInfo.principalEmail |
principal.user.email_addresses |
如果 protoPayload.authenticationInfo.principalEmail 日志字段值不为空,且 protoPayload.authenticationInfo.principalEmail 日志字段值与正则表达式 .@. 匹配,则 protoPayload.authenticationInfo.principalEmail 日志字段会映射到 principal.user.email_addresses UDM 字段。 |
protoPayload.metadata.event.eventName.parameter.value |
principal.user.email_addresses |
当满足以下条件时,protoPayload.metadata.event.eventName.parameter.value 会映射到 principal.user.email_addresses :
|
protoPayload.authenticationInfo.authoritySelector |
principal.user.email_addresses |
如果 protoPayload.authenticationInfo.authoritySelector 日志字段值不为空,并且 protoPayload.authenticationInfo.authoritySelector 日志字段值与正则表达式 .@. 匹配,则 protoPayload.authenticationInfo.authoritySelector 日志字段会映射到 principal.user.email_addresses UDM 字段。 |
jsonPayload.actor.user |
principal.user.email_addresses |
如果 jsonPayload.actor.user 日志字段值不为空,并且 jsonPayload.actor.user 日志字段值与正则表达式 .@. 匹配,则 jsonPayload.actor.user 日志字段会映射到 principal.user.email_addresses UDM 字段。 |
protoPayload.metadata.event.eventName.parameter.name[login_challenge_status] |
security_result.action |
当满足以下条件时,security_result.action 会设为 ALLOW :
security_result.action 会设置为 FAIL :
|
protoPayload.metadata.event.eventName.parameter.name[ACTION_TYPE] |
security_result.action |
当满足以下条件时,security_result.action 会设为 ALLOW :
security_result.action 会设置为 BLOCK :
security_result.action 会设置为 ALLOW_WITH_MODIFICATION :
security_result.action 会设置为 QUARANTINE :
security_result.action 会设置为 QUARANTINE :
|
security_result.action_details |
如果 protoPayload.metadata.event.eventName 日志字段值等于 login_challenge 或 login_verification ,那么如果 protoPayload.metadata.event.eventName.parameter.name 日志字段值等于 login_challenge_status ,则 protoPayload.metadata.event.eventName.parameter.value 日志字段会映射到 security_result.action_details UDM 字段。如果 protoPayload.metadata.event.eventName 日志字段值等于 ACTION_CANCELLED 或 ACTION_REQUESTED ,如果 protoPayload.metadata.event.eventName.parameter.name 日志字段值等于 ACTION_TYPE ,那么 protoPayload.metadata.event.eventName.parameter.value 日志字段会映射到 security_result.action_details UDM 字段。 |
|
protoPayload.metadata.event.eventName.parameter.name[is_suspicious] |
security_result.category |
如果 protoPayload.metadata.event.eventName 日志字段值等于 login_success ,那么如果 protoPayload.metadata.event.eventName.parameter.name 日志字段值等于 is_suspicious ,那么如果 protoPayload.metadata.event.eventName.parameter.value 日志字段值等于 True ,则 security_result.category UDM 字段会设置为 NETWORK_SUSPICIOUS 。 |
logName |
security_result.category_details |
|
protoPayload.response.status |
security_result.description |
|
protoPayload.response.error.errors[].reason |
security_result.description |
|
protoPayload.metadata.tableCreation.reason |
security_result.description |
|
protoPayload.metadata.tableChange.reason |
security_result.description |
|
protoPayload.metadata.tableDeletion.reason |
security_result.description |
|
protoPayload.metadata.datasetCreation.reason |
security_result.description |
|
protoPayload.metadata.datasetDeletion.reason |
security_result.description |
|
protoPayload.policyViolationInfo.orgPolicyViolationInfo.violationInfo.errorMessage |
security_result.description |
|
protoPayload.status.message |
security_result.description |
|
protoPayload.request.status |
security_result.description |
|
jsonPayload.reason[].detail |
security_result.description |
|
protoPayload.response.status.state |
security_result.description |
|
protoPayload.response.status.conditions[].message |
security_result.description |
如果 message 日志字段值与正则表达式 response.*status.*conditions.*message 匹配,则 protoPayload.response.status.conditions.0.message 日志字段会映射到 security_result.description UDM 字段。 |
protoPayload.resourceOriginalState.priority |
security_result.priority_details |
|
protoPayload.request.priority |
security_result.priority_details |
|
protoPayload.serviceData.jobGetQueryResultsResponse.job.jobConfiguration.query.queryPriority |
security_result.priority_details |
|
protoPayload.metadata.vpcServiceControlsUniqueId |
security_result.rule_id |
|
protoPayload.request.body.settings.activationPolicy |
security_result.rule_name |
|
protoPayload.request.policy |
security_result.rule_name |
|
protoPayload.metadata.violationReason |
security_result.rule_name |
|
protoPayload.policyViolationInfo.orgPolicyViolationInfo.violationInfo.policyType |
security_result.rule_type |
|
protoPayload.metadata.dryRun |
security_result.rule_type |
|
severity |
security_result.severity |
|
security_result.severity_details |
severity severity severity severity severity severity CRITICAL CRITICAL security_result.severity security_result.severity security_result.severity security_result.severity security_result.severity security_result.severity security_result.severity ERROR ERROR ALERT EMERGENCY HIGH INFO NOTICE INFORMATIONAL DEBUG LOW WARNING MEDIUM UNKNOWN_SEVERITY |
|
protoPayload.response.error.message |
security_result.summary |
|
protoPayload.response.error.errors[].message |
security_result.summary |
|
protoPayload.status.details.violations.description |
security_result.summary |
|
protoPayload.response.message |
security_result.summary |
|
protoPayload.request.description |
security_result.summary |
|
jsonPayload.reason[].type |
security_result.summary |
|
sourceLocation.file |
src.file.full_path |
|
protoPayload.serviceName |
target.application |
|
resource.labels.service |
target.application |
|
protoPayload.metadata.event.eventName.parameter.name[APPLICATION_NAME] |
target.application |
|
protoPayload.metadata.event.eventName.parameter.name[APP_NAME] |
target.application |
如果 protoPayload.metadata.event.eventName.parameter.name1 日志字段值等于 APP_NAME 且 protoPayload.metadata.event.eventName.parameter.name2 日志字段值等于 APP_ID ,则 protoPayload.metadata.event.eventName.parameter.name2 - protoPayload.metadata.event.eventName.parameter.name1 日志字段会映射到 target.application UDM 字段。 |
protoPayload.metadata.event.eventName.parameter.name[APP_ID] |
target.application |
如果 protoPayload.metadata.event.eventName.parameter.name1 日志字段值等于 APP_NAME 且 protoPayload.metadata.event.eventName.parameter.name2 日志字段值等于 APP_ID ,则 protoPayload.metadata.event.eventName.parameter.name2 - protoPayload.metadata.event.eventName.parameter.name1 日志字段会映射到 target.application UDM 字段。 |
protoPayload.metadata.event.eventName.parameter.name[SERVICE_NAME] |
target.application |
|
protoPayload.metadata.event.eventName.parameter.name[OAUTH2_SERVICE_NAME] |
target.application |
|
protoPayload.metadata.event.eventName.parameter.name[OAUTH2_APP_NAME] |
target.application |
如果 protoPayload.metadata.event.eventName.parameter.name1 日志字段值等于 OAUTH2_APP_NAME ,并且 protoPayload.metadata.event.eventName.parameter.name2 日志字段值等于 OAUTH2_APP_ID ,则 protoPayload.metadata.event.eventName.parameter.name2 - protoPayload.metadata.event.eventName.parameter.name1 日志字段会映射到 target.application UDM 字段。 |
protoPayload.metadata.event.eventName.parameter.name[OAUTH2_APP_ID] |
target.application |
如果 protoPayload.metadata.event.eventName.parameter.name1 日志字段值等于 OAUTH2_APP_NAME 且 protoPayload.metadata.event.eventName.parameter.name2 日志字段值等于 OAUTH2_APP_ID ,则 protoPayload.metadata.event.eventName.parameter.name2 - protoPayload.metadata.event.eventName.parameter.name1 日志字段会映射到 target.application UDM 字段。 |
protoPayload.metadata.event.eventName.parameter.name[REAUTH_APPLICATION, SITE_NAME] |
target.application |
|
jsonPayload.product |
target.application |
|
protoPayload.metadata.device_id |
target.asset.asset_id |
|
protoPayload.metadata.event.eventName.parameter.name[DEVICE_SERIAL_NUMBER] |
target.asset.hardware.serial_number |
|
protoPayload.metadata.event.eventName.parameter.name[PRINT_SERVER_NAME] |
target.asset.hostname |
|
protoPayload.metadata.event.eventName.parameter.name[PRINTER_NAME] |
target.asset.hostname |
|
protoPayload.request.instance |
target.asset.product_object_id |
当 protoPayload.request.instance 中的索引值等于 0 时,protoPayload.request.instance 日志字段会映射到 target.asset.product_object_id UDM 字段。对于所有其他索引值, target.asset.labels.key UDM 字段会设置为 request_instance ,protoPayload.request.instance 日志字段会映射到 target.asset.labels.value UDM 字段。 |
protoPayload.metadata.event.eventName.parameter.name[DEVICE_ID] |
target.asset.product_object_id |
|
protoPayload.metadata.event.eventName.parameter.name[COMPANY_DEVICE_ID] |
target.asset.product_object_id |
|
target.asset.type |
如果 protoPayload.metadata.event.eventName.parameter.name 日志字段值等于 PRINTER_SERVER_NAME ,则 target.asset.type UDM 字段设置为 SERVER 。如果 protoPayload.metadata.event.eventName.parameter.name 日志字段值等于 PRINTER_NAME ,则 target.asset.type UDM 字段设置为 PRINTER 。如果 protoPayload.metadata.event.eventName.parameter.name 日志字段值等于 DEVICE_TYPE ,则 target.asset.type UDM 字段设置为 ROLE_UNSPECIFIED 。 |
|
protoPayload.metadata.event.eventName.parameter.name[SITE_LOCATION] |
target.file.full_path |
|
protoPayload.metadata.event.eventName.parameter.name[PERMISSION_GROUP_NAME] |
target.group.attribute.permissions.name |
|
protoPayload.metadata.event.eventName.parameter.name[GROUP_EMAIL] |
target.group.email_addresses |
|
protoPayload.metadata.event.eventName.parameter.name[DOMAIN_NAME] |
target.hostname |
|
jsonPayload.dest_instance.vm_name |
target.hostname |
|
protoPayload.requestMetadata.requestAttributes.host |
target.hostname |
|
httpRequest.remoteIp |
target.ip |
|
protoPayload.requestMetadata.destinationAttributes.ip |
target.ip |
|
protoPayload.metadata.event.eventName.parameter.name[EMAIL_LOG_SEARCH_SMTP_RECIPIENT_IP] |
target.ip |
|
protoPayload.request.ip |
target.ip |
|
jsonPayload.connection.dest_ip |
target.ip |
|
resource.labels.region |
target.location.country_or_region |
|
protoPayload.response.region |
target.location.country_or_region |
|
protoPayload.request.body.region |
target.location.country_or_region |
|
protoPayload.request.region |
target.location.country_or_region |
|
resource.labels.region |
target.location.country_or_region |
|
jsonPayload.dest_location.country |
target.location.country_or_region |
|
jsonPayload.dest_location.continent |
target.location.country_or_region |
|
protoPayload.request.override.overrideValue |
target.resource.attribute.labels[request_override_value] |
|
protoPayload.response.overrideValue |
target.resource.attribute.labels[response_override_value] |
|
resource.labels.location |
target.location.name |
|
protoPayload.resourceOriginalState.alloweds.ports |
target.port |
|
protoPayload.requestMetadata.destinationAttributes.port |
target.port |
|
jsonPayload.connection.dest_port |
target.port |
|
protoPayload.metadata.tableCreation.table.view.query |
target.process.command_line |
|
protoPayload.metadata.jobInsertion.job.jobConfig.queryConfig.query |
target.process.command_line |
|
protoPayload.serviceData.jobQueryRequest.query |
target.process.command_line |
|
protoPayload.serviceData.tableInsertResponse.resource.view.query |
target.process.command_line |
|
protoPayload.metadata.jobChange.job.jobConfig.queryConfig.query |
target.process.command_line |
|
protoPayload.metadata.tableChange.jobName |
target.process.pid |
|
protoPayload.metadata.tableCreation.jobName |
target.process.pid |
|
protoPayload.request.networkInterfaces[].subnetwork |
target.resource_ancestors.name |
|
protoPayload.request.body.instanceUid |
target.resource_ancestors.product_object_id |
|
protoPayload.response.instanceUid |
target.resource_ancestors.product_object_id |
|
protoPayload.request.disk[].mode |
target.resource_ancestors.attributes.permission.name |
|
protoPayload.request.disk[].autoDelete |
target.resource_ancestors.attributes.permission.name |
|
protoPayload.response.project_id |
target.resource_ancestors.id |
|
protoPayload.response.targetProject |
target.resource_ancestors.name |
|
protoPayload.request.target |
target.resource_ancestors.name |
|
protoPayload.resourceName |
target.resource_ancestors.name |
如果 protoPayload.methodName 日志字段值与正则表达式 (CreateServiceAccount, CreateWorkloadIdentityPool, CreateWorkloadIdentityPoolProvider, managedZones.create, changes.create, resourceRecordSets.create, responsePolicies.create, responsePolicyRules.create, policies.create, CreateRole, CreatePolicy, CreateServiceAccountKey, CreateWorkforcePool, CreateWorkforcePoolProvider) 匹配,则 protoPayload.resourceName 日志字段会映射到 target.resource_ancestors.name UDM 字段。 |
protoPayload.resource.role_name |
target.resource_ancestors.name |
|
protoPayload.request.parent |
target.resource_ancestors.name |
|
protoPayload.request.disks[].deviceName |
target.resource_ancestors.name |
|
protoPayload.request.network |
target.resource_ancestors.name |
|
resource.labels.project_id |
target.cloud.project.name |
|
resource.labels.project_id |
target.resource_ancestors.name |
|
protoPayload.request.disk[].type |
target.resource_ancestors.resource_subtype |
如果 protoPayload.request.cluster.subnetwork 日志字段值不为空,则 target.resource_ancestors.resource_subtype UDM 字段设置为 subnetwork 。如果 protoPayload.request.cluster.network 日志字段值不为空,则 target.resource_ancestors.resource_subtype UDM 字段设置为 network 。如果 protoPayload.request.cluster.nodePools.name 日志字段值不为空,则 target.resource_ancestors.resource_subtype UDM 字段设置为 nodepool 。 |
resource.location |
target.resource.attribute.cloud.availability_zone |
|
resourceLocation.currentLocations |
target.resource.attribute.cloud.availability_zone |
|
resource.labels.zone |
target.resource.attribute.cloud.availability_zone |
|
protoPayload.request.body.settings.locationPreference.zone |
target.resource.attribute.cloud.availability_zone |
|
protoPayload.metadata.tableChange.table.createTime |
target.resource.attribute.creation_time |
|
protoPayload.metadata.tableCreation.table.createTime |
target.resource.attribute.creation_time |
|
protoPayload.resourceOriginalState.creationTimestamp |
target.resource.attribute.creation_time |
|
protoPayload.response.insertTime |
target.resource.attribute.creation_time |
|
protoPayload.metadata.tableChange.table.updateTime |
target.resource.attribute.last_update_time |
|
protoPayload.metadata.tableCreation.table.updateTime |
target.resource.attribute.last_update_time |
|
protoPayload.serviceData.policyDelta.auditConfigDeltas[].logType |
target.resource.attribute.permissions.type |
|
request.role.title |
target.resource.attribute.roles.name |
|
protoPayload.request.role.included_permissions[] |
target.resource.attributes.permission.name |
|
protoPayload.request.role.description |
target.resource.attributes.roles.description |
|
protoPayload.resource.labels.firewall_rule_id |
target.resource.id |
|
protoPayload.resourceName |
target.resource.name |
如果 protoPayload.resourceName 日志字段值不为空,则 protoPayload.resourceName 日志字段会映射到 target.resource.name UDM 字段。 |
protoPayload.resource.labels.role_name |
target.resource.name |
如果 protoPayload.methodName 日志字段值等于 google.iam.admin.v1.CreateRole ,则 protoPayload.resource.labels.role_name 日志字段会映射到 target.resource.name UDM 字段。 |
protoPayload.resource.role_name |
target.resource.name |
|
protoPayload.request.service_account.display_name |
target.resource.name |
|
protoPayload.request.workloadIdentityPool.displayName |
target.resource.name |
|
protoPayload.request.name |
target.resource.name |
如果 protoPayload.methodName 日志字段值等于 beta.compute.instances.insert ,则 protoPayload.request.name 日志字段会映射到 target.resource.name UDM 字段。 |
protoPayload.request.cluster.name |
target.resource.name |
|
protoPayload.metadata.tableCreation.table.tableName |
target.resource.name |
|
protoPayload.metadata.datasetCreation.dataset.datasetName |
target.resource.name |
|
jsonPayload.accessApprovals[] |
target.resource.name |
|
jsonPayload.resource.name |
target.resource.name |
|
resource.labels.email_id |
target.resource.name |
如果 resource.labels.email_id 日志字段值不为空,则 resource.labels.email_id 日志字段会映射到 target.resource.name UDM 字段。 |
protoPayload.request.accessLevel.title |
target.resource.name |
|
resource.discoveryName |
target.resource.name |
|
protoPayload.response.name |
target.resource.name |
|
protoPayload.request.name |
target.resource.name |
|
resource.labels.network_id |
target.resource.name |
|
request.cluster.name |
target.resource.name |
|
resource.labels.cluster_name |
target.resource.name |
|
protoPayload.metadata.tableChange.table.tableName |
target.resource.name |
|
resource.labels.function_name |
target.resource.name |
如果 resource.type 日志字段值与正则表达式 cloud_function 匹配,则 resource.labels.function_name 日志字段会映射到 target.resource.name UDM 字段。 |
resource.parent |
target.resource.parent |
|
resource.labels.bucket_name |
target.resource.parent |
如果 resource.type 日志字段值等于 gcs_bucket ,则 resource.labels.bucket_name 日志字段会映射到 target.resource.parent UDM 字段。 |
resource.labels.dataset_id |
target.resource.product_object_id |
|
resource.labels.instance_group_id |
target.resource.product_object_id |
|
resource.labels.subnetwork_id |
target.resource.product_object_id |
|
resource.labels.firewall_rule_id |
target.resource.product_object_id |
|
resource.labels.forwarding_rule_id |
target.resource.product_object_id |
|
resource.labels.network_id |
target.resource.product_object_id |
|
resource.labels.unique_id |
target.resource.product_object_id |
|
protoPayload.metadata.event.eventName.parameter.name[RESOURCE_IDENTIFIER] |
target.resource.product_object_id |
|
protoPayload.metadata.event.eventName.parameter.name[SHARED_DRIVE_ID] |
target.resource.product_object_id |
|
protoPayload.response.unique_id |
target.resource.product_object_id |
如果 protoPayload.methodName 日志字段值与正则表达式 (CreateServiceAccount, CreateWorkloadIdentityPool, CreateWorkloadIdentityPoolProvider, managedZones.create, changes.create, resourceRecordSets.create, responsePolicies.create, responsePolicyRules.create, policies.create, CreateRole, CreatePolicy, CreateServiceAccountKey, CreateWorkforcePool, CreateWorkforcePoolProvider) 匹配,则 protoPayload.response.unique_id 日志字段会映射到 target.resource.product_object_Id UDM 字段。 |
protoPayload.request.account_id |
target.resource.product_object_id |
|
protoPayload.request.role_id |
target.resource.product_object_id |
如果 protoPayload.methodName 日志字段值等于 google.iam.admin.v1.CreateRole ,则 protoPayload.request.role_id 日志字段会映射到 target.resource.product_object_id UDM 字段。 |
protoPayload.request.workloadIdentityPoolId |
target.resource.product_object_id |
|
jsonPayload.resource.id |
target.resource.product_object_id |
|
resource.labels.instance_id |
target.resource.product_object_id |
|
resource.data.uniqueId |
target.resource.product_object_id |
|
protoPayload.request.workloadIdentityPoolProviderId |
target.resource.product_object_id |
|
protoPayload.request.machineType |
target.resource.resource_subtype |
|
resource.type |
target.resource.resource_subtype |
|
target.resource.resource_type |
如果resource.type 日志字段值与正则表达式gce_(firewall or forwarding_rule) 匹配,target.resource.resource_type 1resource.type resource.type resource.type resource.type resource.type resource.type resource.type resource.type resource.type resource.type resource.type resource.type target.resource.resource_type target.resource.resource_type target.resource.resource_type target.resource.resource_type target.resource.resource_type target.resource.resource_type target.resource.resource_type target.resource.resource_type target.resource.resource_type target.resource.resource_type target.resource.resource_type target.resource.resource_type target.resource.resource_type FIREWALL_RULE gce_(subnetwork or network) VPC_NETWORK dataproc CLUSTER CLUSTER k8s or gke_ gce_backend_service BACKEND_SERVICE (gce_ or dns_query) VIRTUAL_MACHINE gcs_bucket STORAGE_BUCKET bigquery DATABASE DATABASE cloudsql service_account SERVICE_ACCOUNT project CLOUD_PROJECT organization CLOUD_ORGANIZATION cloud_function FUNCTION UNSPECIFIED |
|
protoPayload.response.targetLink |
target.url |
|
protoPayload.metadata.event.eventName.parameter.name[WEB_ADDRESS] |
target.url |
|
protoPayload.request.httpRequest.url |
target.url |
|
resource.discoveryDocumentUri |
target.url |
|
httpRequest.requestUrl |
target.url |
|
protoPayload.request.role.included_permissions[] |
target.user.attribute.permissions.name |
|
protoPayload.metadata.event.eventName.parameter.name[ROLE_ID] |
target.user.attribute.roles.description |
如果 protoPayload.metadata.event.eventName.parameter.name 日志字段值等于 ROLE_ID ,则 Role_ID - protoPayload.metadata.event.eventName.parameter.value 日志字段会映射到 target.user.attribute.roles.description UDM 字段。 |
protoPayload.response.bindings[].role |
target.user.attribute.roles.name |
|
protoPayload.metadata.event.eventName.parameter.name[ROLE_NAME] |
target.user.attribute.roles.name |
|
protoPayload.request.serviceAccounts[].email |
target.user.email_addresses |
|
protoPayload.metadata.event.eventName.parameter.value |
target.user.email_addresses |
如果 protoPayload.metadata.event.eventName.parameter.value 日志字段值不为空,并且 protoPayload.metadata.event.eventName 日志字段值等于 USER_EMAIL 、EMAIL_MONITOR_DEST_EMAIL 或 DESTINATION_USER_EMAIL ,则 protoPayload.metadata.event.eventName.parameter.value 日志字段会映射到 target.user.email_addresses UDM 字段。 |
protoPayload.metadata.event.eventName.parameter.name[NEW_VALUE] |
target.user.first_name |
如果 protoPayload.metadata.event.eventName 日志字段值等于 FIRST_NAME,并且 protoPayload.metadata.event.eventName.parameter.name 日志字段值等于 NEW_VALUE ,则 protoPayload.metadata.event.eventName.parameter.value 日志字段会映射到 target.user.first_name UDM 字段。 |
protoPayload.request.personIdentifier.canonicalPersonId |
target.user.group_identifiers |
|
protoPayload.metadata.event.eventName.parameter.name[NEW_VALUE] |
target.user.last_name |
如果 protoPayload.metadata.event.eventName 日志字段值等于 LAST_NAME,并且 protoPayload.metadata.event.eventName.parameter.name 日志字段值等于 NEW_VALUE ,则 protoPayload.metadata.event.eventName.parameter.value 日志字段会映射到 target.user.last_name UDM 字段。 |
protoPayload.metadata.event.eventName.parameter.name[NEW_VALUE] |
target.user.user_display_name |
如果 protoPayload.metadata.event.eventName 日志字段值等于 RENAME_USER,那么如果 protoPayload.metadata.event.eventName.parameter.name 日志字段值等于 NEW_VALUE ,则 protoPayload.metadata.event.eventName.parameter.value 日志字段会映射到 target.user.user_display_name UDM 字段。 |
protoPayload.response.user |
target.user.userid |
|
protoPayload.metadata.event.eventName.parameter.name[USER_EMAIL] |
target.user.userid |
如果 protoPayload.metadata.event.eventName 日志字段值等于 CREATE_EMAIL_MONITOR 或 CREATE_DATA_TRANSFER_REQUEST ,那么如果 protoPayload.metadata.event.eventName.parameter.name 日志字段值等于 USER_EMAIL ,则 protoPayload.metadata.event.eventName.parameter.value 日志字段会映射到 principal.user.userid UDM 字段。如果 protoPayload.metadata.event.eventName.parameter.name 日志字段值等于 USER_EMAIL ,那么 protoPayload.metadata.event.eventName.parameter.value 日志字段会映射到 target.user.userid UDM 字段。 |
protoPayload.metadata.event.eventName.parameter.name[EMAIL_MONITOR_DEST_EMAIL] |
target.user.userid |
|
protoPayload.metadata.event.eventName.parameter.name[DESTINATION_USER_EMAIL] |
target.user.userid |
|
protoPayload.request.user |
target.user.userid |
|
protoPayload.serviceData.policyDelta.bindingDeltas[].member |
target.user.userid |
|
protoPayload.request.objects.db |
about.labels [database_name] (已弃用) |
|
jsonPayload.accesses[].methodName |
about.labels [methodName] (已弃用) |
|
protoPayload.request.objects.name |
about.labels [objects_name] (已弃用) |
|
protoPayload.metadata.event.eventName.parameter.name[API_CLIENT_NAME] |
about.labels[api_client_name] (已弃用) |
|
protoPayload.metadata.event.eventName.parameter.name[API_SCOPES] |
about.labels[api_scopes] (已弃用) |
|
protoPayload.metadata.event.eventName.parameter.name[BEGIN_DATE_TIME] |
about.labels[begin_date_time] (已弃用) |
|
protoPayload.metadata.event.eventName.parameter.name[BULK_UPLOAD_FAIL_USERS_NUMBER] |
about.labels[bulk_upload_fail_users_number] (已弃用) |
|
protoPayload.metadata.event.eventName.parameter.name[BULK_UPLOAD_TOTAL_USERS_NUMBER] |
about.labels[bulk_upload_total_users_number] (已弃用) |
|
protoPayload.metadata.event.eventName.parameter.name[CAA_ASSIGNMENTS_NEW] |
about.labels[caa_assignments_new] (已弃用) |
|
protoPayload.metadata.event.eventName.parameter.name[CAA_ASSIGNMENTS_OLD] |
about.labels[caa_assignments_old] (已弃用) |
|
protoPayload.metadata.event.eventName.parameter.name[CAA_ENFORCEMENT_ENDPOINTS_NEW] |
about.labels[caa_enforcement_endpoints_new] (已弃用) |
|
protoPayload.metadata.event.eventName.parameter.name[CAA_ENFORCEMENT_ENDPOINTS_OLD] |
about.labels[caa_enforcement_endpoints_old] (已弃用) |
|
protoPayload.requestMetadata.requestAttributes.size |
about.labels[caller_network_request_size] (已弃用) |
|
protoPayload.requestMetadata.requestAttributes.time |
about.labels[caller_network_request_time] (已弃用) |
|
protoPayload.requestMetadata.callerNetwork |
about.labels[caller_network] (已弃用) |
|
protoPayload.requestMetadata.requestAttributes.size |
principal.labels[caller_network_request_size] (已弃用) |
|
protoPayload.requestMetadata.requestAttributes.time |
principal.labels[request_attributes_time] (已弃用) |
|
protoPayload.requestMetadata.callerNetwork |
principal.labels[caller_network] (已弃用) |
|
protoPayload.metadata.event.eventName.parameter.name[CHROME_LICENSES_ENABLED] |
about.labels[chrome_licenses_enabled] (已弃用) |
|
protoPayload.metadata.event.eventName.parameter.name[END_DATE_TIME] |
about.labels[end_date_time] (已弃用) |
|
protoPayload.metadata.event.eventName.parameter.name[END_DATE] |
about.labels[end_date] (已弃用) |
|
protoType.metadata.event[].eventName |
about.labels[event_name] (已弃用) |
|
protoPayload.metadata.event.parameter[].label |
about.labels[event_param_label] (已弃用) |
|
protoPayload.metadata.event.parameter[].type |
about.labels[event_param_type] (已弃用) |
|
protoType.metadata.event[].eventType |
about.labels[event_type] (已弃用) |
|
protoPayload.metadata.event.eventName.parameter.name[FIELD_NAME] |
about.labels[field_name] (已弃用) |
|
protoPayload.metadata.event.eventName.parameter.name[FULL_ORG_UNIT_PATH] |
about.labels[full_org_unit_path] (已弃用) |
|
protoPayload.metadata.event.eventName.parameter.name[GROUP_MEMBER_BULK_UPLOAD_FAILED_NUMBER] |
about.labels[grp_member_bulk_upload_failed] (已弃用) |
|
protoPayload.metadata.event.eventName.parameter.name[GROUP_MEMBER_BULK_UPLOAD_TOTAL_NUMBER] |
about.labels[grp_member_bulk_upload_total] (已弃用) |
|
httpRequest.cacheFillBytes |
about.labels[httpreq_cache_fill_bytes] (已弃用) |
|
httpRequest.cacheHit |
about.labels[httpreq_cache_hit] (已弃用) |
|
httpRequest.cacheLookup |
about.labels[httpreq_cache_lookup] (已弃用) |
|
httpRequest.cacheValidatedWithOriginServer |
about.labels[httpreq_cache_validated_with_origin_server] (已弃用) |
|
httpRequest.latency |
about.labels[httprequest_latency] (已弃用) |
|
protoPayload.metadata.event.eventName.parameter.name[INFO_TYPE] |
about.labels[info_type] (已弃用) |
|
protoPayload.metadata.activityId.timeUsec |
about.labels[metadata_activityId_time_usec] (已弃用) |
|
protoPayload.metadata.activityId.uniqQualifier |
about.labels[metadata_activityId_uniq_qualifier] (已弃用) |
|
protoPayload.metadata.@type |
about.labels[metadata_type] (已弃用) |
|
protoPayload.metadata.event.eventName.parameter.name[NEW_PERMISSION_GRANT_STATE] |
about.labels[new_permission_grant_state] (已弃用) |
|
protoPayload.metadata.event.eventName.parameter.name[NUMBER_OF_COMPANY_OWNED_DEVICES] |
about.labels[num_of_company_owned_device] (已弃用) |
|
protoPayload.numResponseItems |
about.labels[num_response_items] (已弃用) |
|
protoPayload.metadata.event.eventName.parameter.name[OLD_PERMISSION_GRANT_STATE] |
about.labels[old_permission_grant_state] (已弃用) |
|
operation.first |
about.labels[operation_first] (已弃用) |
|
operation.id |
about.labels[operation_id] (已弃用) |
|
operation.last |
about.labels[operation_last] (已弃用) |
|
operation.producer |
about.labels[operation_producer] (已弃用) |
|
protoPayload.resourceOriginalState.selfLinkWithId |
about.labels[rc_old_selflinkWithId] (已弃用) |
|
protoPayload.metadata.event.eventName.parameter.name[REAUTH_SETTING_NEW] |
about.labels[reauth_setting_new] (已弃用) |
|
protoPayload.metadata.event.eventName.parameter.name[REAUTH_SETTING_OLD] |
about.labels[reauth_setting_old] (已弃用) |
|
protoPayload.request.alloweds[].ports |
about.labels[req_alloweds_ports] (已弃用) |
|
protoPayload.request.body.name |
about.labels[req_body_name] (已弃用) |
|
protoPayload.request.body.settings.activityPolicy |
about.labels[req_body_settings_activity_policy] (已弃用) |
|
protoPayload.request.deletionProtection |
about.labels[req_deletion_protection] (已弃用) |
|
protoPayload.request.disabled |
about.labels[req_disabled] (已弃用) |
|
protoPayload.request.displayDevice.enableDisplay |
about.labels[req_display_device_enable_display] (已弃用) |
|
protoPayload.request.enableFlowLogs |
about.labels[req_enable_flow_logs] (已弃用) |
|
protoPayload.request.fingerprint |
about.labels[req_fingerprint] (已弃用) |
|
protoPayload.request.shieldedInstanceConfig.enableSecureBoot |
about.labels[req_instance_config_enable_secure_boot] (已弃用) |
|
protoPayload.request.shieldedInstanceConfig.enableVtpm |
about.labels[req_instance_config_enable_vtpm] (已弃用) |
|
protoPayload.request.shieldedInstanceConfig.enableIntegrityMonitoring |
about.labels[req_instance_enable_integrity_monitoring] (已弃用) |
|
protoPayload.request.key_types[] |
about.labels[req_key_types] (已弃用) |
|
protoPayload.request.logconfig.enable |
about.labels[req_logconfig_enable] (已弃用) |
|
protoPayload.request.networkTier |
about.labels[req_network_tier] (已弃用) |
|
protoPayload.request.network |
about.labels[req_network] (已弃用) |
|
protoPayload.request.page_size |
about.labels[req_page_size] (已弃用) |
|
request.pagesize |
about.labels[req_page_size] (已弃用) |
|
protoPayload.request.policy.etag |
about.labels[req_policy_etag] (已弃用) |
|
protoPayload.request.portRange |
about.labels[req_port_range] (已弃用) |
|
protoPayload.request.privateIpGoogleAccess |
about.labels[req_private_ip_google_access] (已弃用) |
|
protoPayload.request.private_key_type |
about.labels[req_private_key_type] (已弃用) |
|
protoPayload.request.remove_deleted_service_accounts |
about.labels[req_remove_deleted_serviceAcc] (已弃用) |
|
protoPayload.request.showDeleted |
about.labels[req_show_deleted] (已弃用) |
|
protoPayload.request.skip_visibility_check |
about.labels[req_skip_visibility_check] (已弃用) |
|
protoPayload.request.stackType |
about.labels[req_stack_type] (已弃用) |
|
protoPayload.request.type |
about.labels[req_type] (已弃用) |
|
protoPayload.request.updateMask |
about.labels[req_update_mask] (已弃用) |
|
protoPayload.request.version |
about.labels[req_version] (已弃用) |
|
protoPayload.response.clientOperationId |
about.labels[res_client_operation_id] (已弃用) |
|
protoPayload.response.endTime |
about.labels[res_end_time] (已弃用) |
|
protoPayload.response.id |
about.labels[res_id] (已弃用) |
|
protoPayload.response.key_algorithm |
about.labels[res_key_algorithm] (已弃用) |
|
protoPayload.response.key_origin |
about.labels[res_key_origin] (已弃用) |
|
protoPayload.response.key_type |
about.labels[res_key_type] (已弃用) |
|
protoPayload.response.kind |
about.labels[res_kind] (已弃用) |
|
protoPayload.response.private_key_type |
about.labels[res_private_key_type] (已弃用) |
|
protoPayload.response.progress |
about.labels[res_progress] (已弃用) |
|
protoPayload.response.startTime |
about.labels[res_start_time] (已弃用) |
|
protoPayload.response.status |
about.labels[res_status] (已弃用) |
如果 protoPayload.methodName 日志字段值等于 cloudsql.instances.create ,则 protoPayload.response.status 日志字段会映射到 security_result.description UDM 字段。 |
protoPayload.response.type |
about.labels[res_type] (已弃用) |
|
protoPayload.response.unique_id |
about.labels[res_unique_id] (已弃用) |
如果 protoPayload.methodName 日志字段值与正则表达式 (CreateServiceAccount, CreateWorkloadIdentityPool, CreateWorkloadIdentityPoolProvider, managedZones.create, changes.create, resourceRecordSets.create, responsePolicies.create, responsePolicyRules.create, policies.create, CreateRole, CreatePolicy, CreateServiceAccountKey, CreateWorkforcePool, CreateWorkforcePoolProvider) 匹配,则 protoPayload.response.unique_id 日志字段会映射到 target.resource.product_object_id UDM 字段。 |
protoPayload.response.valid_after_time.seconds |
about.labels[res_valid_after_time] (已弃用) |
|
protoPayload.response.valid_before_time.seconds |
about.labels[res_valid_before_time] (已弃用) |
|
protoPayload.response.version |
about.labels[res_version] (已弃用) |
|
protoPayload.response.zone |
about.labels[res_zone] (已弃用) |
|
protoPayload.metadata.event.eventName.parameter.name[SEARCH_QUERY_FOR_DUMP] |
about.labels[search_query_for_dump] (已弃用) |
|
spanId |
about.labels[span_id] (已弃用) |
|
protoPayload.metadata.event.eventName.parameter.name[START_DATE] |
about.labels[start_date] (已弃用) |
|
traceSampled |
about.labels[trace_sampled] (已弃用) |
|
Trace |
about.labels[trace] (已弃用) |
|
protoPayload.@type |
about.labels[type] (已弃用) |
|
protoPayload.metadata.instanceMetadataDelta.addedMetadataKeys |
metadata.ingestion_labels [instance_metadata_key_added] |
|
protoPayload.metadata.instanceMetadataDelta.deletedMetadataKeys |
metadata.ingestion_labels [instance_metadata_key_deletion] |
|
protoPayload.metadata.instanceMetadataDelta.modifiedMetadataKeys |
metadata.ingestion_labels [instance_metadata_key_modification] |
|
protoPayload.metadata.projectMetadataDelta.addedMetadataKeys |
metadata.ingestion_labels [AddedMetadataKeys] |
|
protoPayload.metadata.projectMetadataDelta.deletedMetadataKeys |
metadata.ingestion_labels [DeletedMetadataKeys] |
|
protoPayload.metadata.projectMetadataDelta.modifiedMetadataKeys |
metadata.ingestion_labels [ModifiedMetadataKeys] |
|
protoPayload.redactions.reason |
principal.labels [protoPayload.redactions.field] (已弃用) |
|
protoPayload.redactions.type |
principal.labels [protoPayload.redactions.field] (已弃用) |
|
authenticationInfo.serviceAccountDelegationInfo.firstPartyPrincipal.serviceMetadata |
principal.labels [service_metadata] (已弃用) |
|
jsonPayload.sourceNetwork |
principal.labels [source_network] (已弃用) |
|
authenticationInfo.serviceAccountDelegationInfo.thirdPartyPrincipal.thirdPartyClaims |
principal.labels [third_party_claims] (已弃用) |
|
protoPayload.requestMetadata.requestAttributes.time |
principal.labels[caller_network_request_time] (已弃用) |
|
protoPayload.request.description |
principal.labels[req_description] (已弃用) |
|
protoPayload.request.ipCidrRange |
principal.labels[req_ip_cidr_range] (已弃用) |
|
protoPayload.request.sourceRanges[] |
principal.labels[req_source_ranges] (已弃用) |
|
protoPayload.requestMetadata.requestAttributes.reason |
principal.labels[request_attributes_reason] (已弃用) |
|
protoPayload.authenticationInfo.thirdPartyPrincipal |
principal.labels[third_party_principal] (已弃用) |
|
protoPayload.authenticationInfo.principalSubject |
principal.user.userid |
如果 protoPayload.authenticationInfo.principalSubject 日志字段值不为空,系统会使用 Grok 模式从 protoPayload.authenticationInfo.principalSubject 日志字段提取 new_user_id ,并映射到 principal.user.userid UDM 字段。 |
protoPayload.authenticationInfo.principalSubject |
principal.user.email_addresses |
如果 protoPayload.authenticationInfo.principalSubject 日志字段值不为空,则系统会使用 Grok 模式从 protoPayload.authenticationInfo.principalSubject 日志字段中提取 new_email_id ,并将其映射到 principal.user.email_addresses UDM 字段。 |
protoPayload.authenticationInfo.serviceAccountDelegationInfo.principalSubject |
principal.user.attribute.labels[access_serviceAcc_principalSubject] |
|
protoPayload.response.oauth2_client_id |
principal.user.attribute.labels[response_oauth2_client_id] |
|
protoPayload.authorizationInfo.resourceAttributes.service |
principal.resource.attribute.labels[authorization_info_rcService] |
|
protoPayload.authorizationInfo.granted |
principal.user.attributes.labels[authorization_granted] |
|
protoPayload.request.cryptoKey.versionTemplate.algorithm |
security_result.detection_fields [algorithm] |
|
protoPayload.response.details[].@type |
security_result.detection_fields [details_type] |
|
protoPayload.request.cryptoKey.nextRotationTime |
security_result.detection_fields [next_rotation_time] |
|
protoPayload.request.cryptoKey.versionTemplate.protectionLevel |
security_result.detection_fields [protection_level] |
|
protoPayload.request.body.settings.ipConfiguration.authorizedNetworks.value |
security_result.detection_fields [protoPayload.request.body.settings.ipConfiguration.authorizedNetworks.kind] |
|
protoPayload.request.cryptoKey.purpose |
security_result.detection_fields [purpose] |
|
protoPayload.resourceName |
security_result.detection_fields [resource_name] |
|
protoPayload.authorizationInfo.resource |
security_result.detection_fields [resource] |
|
protoPayload.response.code |
security_result.detection_fields [response_code] |
|
protoPayload.request.cryptoKey.rotationPeriod |
security_result.detection_fields [rotation_period] |
|
protoPayload.metadata.securityPolicyInfo.organizationId |
security_result.detection_fields [securityPolicyInfo.organizationId] |
|
protoPayload.request.serviceAccounts[].scopes |
security_result.detection_fields [service_account_scope] |
|
protoPayload.response.details[].violations[].subject |
security_result.detection_fields [violation_subject] |
|
protoPayload.response.details[].violations[].type |
security_result.detection_fields [violation_type] |
|
protoPayload.metadata.event.eventName.parameter.name[ACTION_ID] |
security_result.detection_fields[action_id] |
|
protoPayload.serviceData.policyDelta.auditConfigDeltas[].action |
security_result.detection_fields[action] |
|
protoPayload.metadata.event.eventName.parameter.name[ALERT_NAME] |
security_result.detection_fields[alert_name] |
|
protoPayload.metadata.event.eventName.parameter.name[ALLOWED_TWO_STEP_VERIFICATION_METHOD] |
security_result.detection_fields[allowed_two_step_verification_method] |
|
protoPayload.requestMetadata.callerNetwork.requestAttributes.reason |
security_result.detection_fields[caller_network_request_reason] |
|
protoPayload.metadata.event.eventName.parameter.name[is_second_factor] |
security_result.detection_fields[is_second_factor] |
如果 protoPayload.metadata.event.eventName 日志字段值等于 login_verification ,并且 protoPayload.metadata.event.eventName.parameter.name 日志字段值等于 is_second_factor ,则 protoPayload.metadata.event.eventName.parameter.value 日志字段会映射到 security_result.detection_fields.value UDM 字段。 |
protoPayload.metadata.event.eventName.parameter.name[is_suspicious] |
security_result.detection_fields[is_suspicious] |
如果 protoPayload.metadata.event.eventName 日志字段值等于 login_success ,并且 protoPayload.metadata.event.eventName.parameter.name 日志字段值等于 is_suspicious ,则 protoPayload.metadata.event.eventName.parameter.value 日志字段会映射到 security_result.detection_fields.value UDM 字段。 |
protoPayload.metadata.event.eventName.parameter.name[login_failure_type] |
security_result.detection_fields[login_failure_type] |
如果 protoPayload.metadata.event.eventName 日志字段值等于 login_failure ,并且 protoPayload.metadata.event.eventName.parameter.name 日志字段值等于 login_failure_type ,则 protoPayload.metadata.event.eventName.parameter.value 日志字段会映射到 security_result.detection_fields.value UDM 字段。 |
protoPayload.metadata.event.eventName.parameter.name[login_type] |
security_result.detection_fields[login_type] |
如果 protoPayload.metadata.event.eventName 日志字段值等于 login_failure 、login_challenge 、login_verification 、login_success 或 logout ,那么如果 protoPayload.metadata.event.eventName.parameter.name 日志字段值等于 login_type ,则 protoPayload.metadata.event.eventName.parameter.value 日志字段将映射到 about.labels.value UDM 字段。 |
protoPayload.request.bindings.members[] |
security_result.detection_fields[members] |
|
protoPayload.policyViolationInfo.orgPolicyViolationInfo.violationInfo.checkedValue |
security_result.detection_fields[policy_violation_checked_value] |
|
protoPayload.policyViolationInfo.orgPolicyViolationInfo.violationInfo.constraint |
security_result.detection_fields[policy_violation_constraint] |
|
protoPayload.policyViolationInfo.orgPolicyViolationInfo.resourceTags |
security_result.detection_fields[policy_violation_resource_tags] |
|
protoPayload.policyViolationInfo.orgPolicyViolationInfo.resourceType |
security_result.detection_fields[policy_violation_resource_type] |
|
protoPayload.metadata.event.eventName.parameter.name[QUARANTINE_NAME] |
security_result.detection_fields[quarantine_name] |
|
protoPayload.resourceOriginalState.logconfig.enable |
security_result.detection_fields[rc_orgState_logconfig_enable] |
|
protoPayload.request.alloweds[].ports |
security_result.detection_fields[req_alloweds_ports] |
|
protoPayload.response.error.errors[].domain |
security_result.detection_fields[res_error_domain] |
|
protoPayload.resourceOriginalState.direction |
security_result.detection_fields[resource_original_state_direction] |
|
protoPayload.authenticationInfo.serviceAccountKeyName |
security_result.detection_fields[service_account_key_name] |
|
Referred this from Default parser. |
security_result.detection_fields[SERVICE] |
|
protoPayload.status.details.type |
security_result.detection_fields[status_details_type] |
|
protoPayload.status.details.violations.subject |
security_result.detection_fields[status_details_violation_subject] |
|
protoPayload.status.details.violations.type |
security_result.detection_fields[status_details_violation_type] |
|
sourceLocation.function |
src.labels[src_location_function] |
|
sourceLocation.line |
src.labels[src_location_line] |
|
protoPayload.metadata.event.eventName.parameter.name[DEVICE_NEW_STATE] |
target.asset.attribute.labels[dvc_new_state] |
|
protoPayload.metadata.event.eventName.parameter.name[DEVICE_PREVIOUS_STATE] |
target.asset.attribute.labels[dvc_previous_state] |
|
protoPayload.metadata.event.eventName.parameter.name[DEVICE_TYPE] |
target.asset.attribute.labels[dvc_type] |
|
protoPayload.metadata.event.eventName.parameter.name[MANAGED_CONFIGURATION_NAME] |
target.asset.attribute.labels[managed_config_name] |
|
protoPayload.metadata.event.eventName.parameter.name[MOBILE_APP_PACKAGE_ID] |
target.asset.attribute.labels[mobile_app_package_id] |
|
protoPayload.metadata.event.eventName.parameter.name[MOBILE_CERTIFICATE_COMMON_NAME] |
target.asset.attribute.labels[mobile_certificate_common_name] |
|
protoPayload.metadata.event.eventName.parameter.name[MOBILE_WIRELESS_NETWORK_NAME] |
target.asset.attribute.labels[mobile_wireless_network_name] |
|
protoPayload.metadata.event.eventName.parameter.name[PLAY_FOR_WORK_MDM_VENDOR_NAME] |
target.asset.attribute.labels[play_for_work_mdm_vendor_name] |
|
protoPayload.metadata.event.eventName.parameter.name[PLAY_FOR_WORK_TOKEN_ID] |
target.asset.attribute.labels[play_for_work_token_id] |
|
resource.labels.instance_id |
target.asset.attribute.labels[rc_instance_id] |
|
protoPayload.metadata.event.eventName.parameter.name[SKU_NAME] |
target.asset.attribute.labels[sku_name] |
|
protoPayload.response.targetId |
target.asset.attribute.labels[target_id] |
如果 protoPayload.methodName 日志字段值不等于 cloudsql.instances.create ,则 protoPayload.response.targetId 日志字段会映射到 target.asset.attribute.labels.value UDM 字段。 |
resource.labels.backend_service_name |
target.labels [backend_service_name] (已弃用) |
|
protoPayload.requestMetadata.requestAttributes.auth.claims |
target.labels [request_auth_claims] (已弃用) |
|
protoPayload.metadata.event.eventName.parameter.name[APPLICATION_EDITION] |
target.labels[application_edition] (已弃用) |
|
protoPayload.metadata.event.eventName.parameter.name[ASP_ID] |
target.labels[asp_id] (已弃用) |
|
protoPayload.metadata.event.eventName.parameter.name[CHROME_OS_SESSION_TYPE] |
target.labels[chrome_os_session_type] (已弃用) |
|
protoPayload.metadata.event.eventName.parameter.name[DEVICE_NEW_ORG_UNIT] |
target.labels[device_new_org_unit] (已弃用) |
|
protoPayload.metadata.event.eventName.parameter.name[DEVICE_PREVIOUS_ORG_UNIT] |
target.labels[device_previous_org_unit] (已弃用) |
|
protoPayload.metadata.event.eventName.parameter.name[DOMAIN_ALIAS] |
target.labels[domain_alias] (已弃用) |
|
protoPayload.metadata.event.eventName.parameter.name[EMAIL_EXPORT_INCLUDE_DELETED] |
target.labels[email_export_include_deleted] (已弃用) |
|
protoPayload.metadata.event.eventName.parameter.name[EMAIL_EXPORT_PACKAGE_CONTENT] |
target.labels[email_export_package_content] (已弃用) |
|
protoPayload.metadata.event.eventName.parameter.name[EMAIL_LOG_SEARCH_END_DATE] |
target.labels[email_log_search_end_date] (已弃用) |
|
protoPayload.metadata.event.eventName.parameter.name[EMAIL_LOG_SEARCH_START_DATE] |
target.labels[email_log_search_start_date] (已弃用) |
|
protoPayload.metadata.event.eventName.parameter.name[EMAIL_MONITOR_LEVEL_CHAT] |
target.labels[email_monitor_level_chat] (已弃用) |
|
protoPayload.metadata.event.eventName.parameter.name[EMAIL_MONITOR_LEVEL_DRAFT_EMAIL] |
target.labels[email_monitor_level_draft_email] (已弃用) |
|
protoPayload.metadata.event.eventName.parameter.name[EMAIL_MONITOR_LEVEL_INCOMING_EMAIL] |
target.labels[email_monitor_level_in_email] (已弃用) |
|
protoPayload.metadata.event.eventName.parameter.name[EMAIL_MONITOR_LEVEL_OUTGOING_EMAIL] |
target.labels[email_monitor_level_out_email] (已弃用) |
|
protoPayload.metadata.event.eventName.parameter.name[GMAIL_RESET_REASON] |
target.labels[email_reset_reason] (已弃用) |
|
protoPayload.metadata.event.eventName.parameter.name[NEW_VALUE] |
target.labels[new_value] (已弃用) |
|
protoPayload.metadata.event.eventName.parameter.name[OAUTH2_APP_TYPE] |
target.labels[oauth2_app_type] (已弃用) |
|
protoPayload.metadata.event.eventName.parameter.name[OLD_VALUE] |
target.labels[old_value] (已弃用) |
|
protoPayload.requestMetadata.destinationAttributes.principal |
target.labels[peer_principal] (已弃用) |
|
protoPayload.requestMetadata.destinationAttributes.regionCode |
target.labels[peer_region_code] (已弃用) |
|
protoPayload.request.loadBalancingScheme |
target.labels[req_load_balancing_scheme] (已弃用) |
|
protoPayload.request.requestId |
target.labels[request_id] (已弃用) |
|
protoPayload.metadata.event.eventName.parameter.name[REQUEST_ID] |
target.labels[request_id] (已弃用) |
|
protoPayload.resourceOriginalState.description |
target.labels[res_originalState_description] (已弃用) |
|
protoPayload.response.bindings[].members[] |
target.labels[response_bindings_members] (已弃用) |
|
protoPayload.response.description |
target.labels[response_description] (已弃用) |
|
protoPayload.response.display_name |
target.labels[response_display_name] (已弃用) |
|
protoPayload.metadata.event.eventName.parameter.name[SECONDARY_DOMAIN_NAME] |
target.labels[secondary_domain_name] (已弃用) |
|
protoPayload.metadata.event.eventName.parameter.name[SETTING_NAME] |
target.labels[setting_name] (已弃用) |
|
protoPayload.metadata.event.eventName.parameter.name[USER_CUSTOM_FIELD] |
target.labels[user_custom_field] (已弃用) |
|
protoPayload.metadata.event.eventName.parameter.name[USER_DEFINED_SETTING_NAME] |
target.labels[user_defined_setting_name] (已弃用) |
|
protoPayload.metadata.event.eventName.parameter.name[WEB_ORIGIN] |
target.labels[web_origin] (已弃用) |
|
protoPayload.metadata.event.eventName.parameter.name[WHITELISTED_GROUPS] |
target.labels[whitelisted_groups] (已弃用) |
|
protoPayload.metadata.event.eventName.parameter.name[APP_LICENSES_ORDER_NUMBER] |
target.asset.labels[app_licenses_order_number] |
|
protoPayload.metadata.event.eventName.parameter.name[CHROME_NUM_LICENSES_PURCHASED] |
target.asset.labels[chrome_num_licenses_purchased] |
|
protoPayload.metadata.event.eventName.parameter.name[DEVICE_COMMAND_DETAILS] |
target.asset.labels[device_command_details] |
|
protoPayload.metadata.event.eventName.parameter.name[DIRECTORY_API_ID] |
target.asset.labels[directory_api_id] |
|
protoPayload.metadata.event.eventName.parameter.name[GROUP_PRIORITIES] |
target.group.attribute.labels[group_priorities] |
|
protoPayload.request.cluster.subnetwork |
target.resource_ancestor.attribute.labels[req_cls_subnetwork] |
|
protoPayload.request.cluster.nodePools[].autoscaling.enabled |
target.resource_ancestor.attribute.labels[req_clsNodePools_autoscaling_enabled] |
|
protoPayload.request.cluster.nodePools[].autoscaling.maxNodeCount |
target.resource_ancestor.attribute.labels[req_clsNodePools_autoscaling_max_node_cnt] |
|
protoPayload.request.cluster.nodePools[].autoscaling.minNodeCount |
target.resource_ancestor.attribute.labels[req_clsNodePools_autoscaling_min_node_cnt] |
|
protoPayload.request.cluster.nodePools[].management.autoupgrade |
target.resource_ancestor.attribute.labels[req_clsNodePools_autoupgrade] |
|
protoPayload.request.cluster.nodePools[].config.diskSizeGb |
target.resource_ancestor.attribute.labels[req_clsNodePools_config_disksize] |
|
protoPayload.request.cluster.nodePools[].config.imageType |
target.resource_ancestor.attribute.labels[req_clsNodePools_config_imagetype] |
|
protoPayload.request.cluster.nodePools[].config.machineType |
target.resource_ancestor.attribute.labels[req_clsNodePools_config_machinetype] |
|
protoPayload.request.cluster.nodePools[].config.oauthScopes[] |
target.resource_ancestor.attribute.labels[req_clsNodePools_config_oauth_scopes] |
|
protoPayload.request.cluster.nodePools[].name |
target.resource_ancestor.attribute.labels[req_clsNodePools_name] |
|
protoPayload.request.cluster.nodePools[].initialNodeCount |
target.resource_ancestor.attribute.labels[req_clsterNodePools_autoscaling_initial_node_cnt] |
|
resource.data.oauth2ClientId |
target.resource.attribute.labels [oauth_client_id] |
|
protoPayload.request.properties.confidentialInstanceConfig.enableConfidentialCompute |
target.resource.attribute.labels [ enable_confidential_compute] |
|
protoPayload.request.function.timeout |
target.resource.attribute.labels [ function_time_out] |
|
protoPayload.requestMetadata.requestAttributes.auth.accessLevels |
target.resource.attribute.labels [accessLevel] |
|
protoPayload.request.date |
target.resource.attribute.labels [audit_event_occurred] |
|
protoPayload.request.auditId |
target.resource.attribute.labels [audit_id] |
|
protoPayload.request.autoscalingPolicy.mode |
target.resource.attribute.labels [autoscaling_policy_mode] |
|
protoPayload.request.autoscalingPolicy.coolDownPeriodSec |
target.resource.attribute.labels [cool_down_period] |
|
protoPayload.request.denieds.0.IPProtocol |
target.resource.attribute.labels [Denied Protocol] |
|
protoPayload.request.destinationRanges |
target.resource.attribute.labels [destination_ranges] |
|
protoPayload.request.function.entryPoint |
target.resource.attribute.labels [function_entry_point] |
|
protoPayload.request.function.httpsTrigger.securityLevel |
target.resource.attribute.labels [function_httptrigger_security_level] |
|
protoPayload.request.function.runtime |
target.resource.attribute.labels [function_runtime] |
|
protoPayload.request.function.serviceAccountEmail |
target.resource.attribute.labels [function_service_account_email] |
|
protoPayload.request.function.sourceUploadUrl |
target.resource.attribute.labels [function_source_upload_url] |
|
protoPayload.metadata.iapEnabled |
target.resource.attribute.labels [iapEnabled] |
|
protoPayload.request.listManagedInstancesResults |
target.resource.attribute.labels [managed_instances_result] |
|
protoPayload.request.autoscalingPolicy.maxNumReplicas |
target.resource.attribute.labels [max_replicas] |
|
protoPayload.request.autoscalingPolicy.minNumReplicas |
target.resource.attribute.labels [min_replicas] |
|
protoPayload.request.msgType |
target.resource.attribute.labels [msg_type] |
|
protoPayload.metadata.oauth_client_id |
target.resource.attribute.labels [oauth_client_id] |
|
protoPayload.request.autoscalingPolicy.cpuUtilization.predictiveMethod |
target.resource.attribute.labels [predictive_method] |
|
protoPayload.request.labels.0.value |
target.resource.attribute.labels [protoPayload.request.labels.0.key] |
|
protoPayload.request.queryId |
target.resource.attribute.labels [query_id] |
|
protoPayload.request.constraint |
target.resource.attribute.labels [request_constraint] |
|
protoPayload.request.dataAccessed |
target.resource.attribute.labels [request_data_accessed] |
|
protoPayload.request.function.labels.deployment-tool |
target.resource.attribute.labels [request_deployment_tool] |
|
protoPayload.request.properties.description |
target.resource.attribute.labels [request_description] |
|
protoPayload.request.function.name |
target.resource.attribute.labels [request_function_name] |
|
protoPayload.request.location |
target.resource.attribute.labels [request_location] |
|
protoPayload.request.policy.constraint |
target.resource.attribute.labels [request_policy_constraint] |
|
protoPayload.request.@type |
target.resource.attribute.labels [request_type] |
|
protoPayload.request.cmd |
target.resource.attribute.labels [sql_operation_type ] |
|
protoPayload.request.threadId |
target.resource.attribute.labels [thread_id] |
|
protoPayload.metadata.unsatisfied_access_levels |
target.resource.attribute.labels [unsatisfied_access_levels] |
|
protoPayload.request.autoscalingPolicy.cpuUtilization.utilizationTarget |
target.resource.attribute.labels [utilization_target] |
|
protoPayload.request.body.settings.backupConfiguration.binaryLogEnabled |
target.resource.attribute.labels[backup_config_binarylog_enabled] |
|
protoPayload.request.body.settings.backupConfiguration.enabled |
target.resource.attribute.labels[backup_config_enabled] |
|
protoPayload.request.body.settings.backupConfiguration.transactionLogRetentionDays |
target.resource.attribute.labels[backup_config_logRetention_days] |
|
protoPayload.request.body.settings.backupConfiguration.pointInTimeRecoveryEnabled |
target.resource.attribute.labels[backup_config_point_in_time_recovery_enabled] |
|
protoPayload.request.body.settings.backupConfiguration.backupRetentionSettings.retainedBackups |
target.resource.attribute.labels[backup_config_retention_settings_retained_backups] |
|
protoPayload.request.body.settings.backupConfiguration.backupRetentionSettings.retentionUnit |
target.resource.attribute.labels[backup_config_retention_settings_unit] |
|
protoPayload.request.body.settings.backupConfiguration.startTime |
target.resource.attribute.labels[backup_config_start_time] |
|
protoPayload.request.canIpForward |
target.resource.attribute.labels[can_ip_forward] |
|
resource.labels.cluster_name |
target.resource.attribute.labels[cls_name] |
|
request.cluster.name |
target.resource.attribute.labels[cls_name] |
|
protoPayload.request.body.settings.dataDiskSizeGb |
target.resource.attribute.labels[data_disk_size_gb] |
|
protoPayload.request.body.settings.dataDiskType |
target.resource.attribute.labels[data_disk_type] |
|
protoPayload.metadata.tableDataRead.fields |
target.resource.attribute.labels[data_read_fields] |
|
protoPayload.metadata.jobInsertion.job.jobConfig.extractConfig.destinationUris[] |
target.resource.attribute.labels[destination_uris] |
|
protoPayload.request.direction |
target.resource.attribute.labels[direction] |
|
resource.labels.email_id |
target.resource.attribute.labels[email_id] |
|
resource.email_id |
target.resource.attribute.labels[email_id] |
|
resource.labels.forwarding_rule_name |
target.resource.attribute.labels[forwarding_rule_name] |
|
protoPayload.request.body.settings.ipConfiguration.ipv4Enabled |
target.resource.attribute.labels[ip_config_ipv4_enabled] |
|
protoPayload.request.body.settings.ipconfiguration.privatNetwork |
target.resource.attribute.labels[ip_config_private_network] |
|
protoPayload.request.body.settings.ipconfiguration.requireSsl |
target.resource.attribute.labels[ip_config_require_ssl] |
|
protoPayload.metadata.jobChange.job.jobConfig.type |
target.resource.attribute.labels[job_type] |
|
protoPayload.metadata.jobChange.job.jobConfig.labels.looker_studio_report_id |
target.resource.attribute.labels[job_change_looker_studio_report_id] |
|
protoPayload.metadata.jobChange.job.jobConfig.labels.requestor |
target.resource.attribute.labels[job_change_requestor] |
|
protoPayload.metadata.jobChange.job.jobConfig.labels.looker_studio_datasource_id |
target.resource.attribute.labels[job_change_looker_studio_datasource_id] |
|
protoPayload.metadata.tableChange.table.tableName |
target.resource.attribute.labels[metadata_changedTable_name] |
|
protoPayload.metadata.tableCreation.table.expireTime |
target.resource.attribute.labels[metadata_creationTable_expire_time] |
|
protoPayload.request.body.settings.pricingPlan |
target.resource.attribute.labels[pricing_plan] |
|
resource.data.projectId |
target.resource.attribute.labels[projectId] |
|
resource.labels.instance_group_name |
target.resource.attribute.labels[rc_instance_groupName] |
|
resource.labels.method |
target.resource.attribute.labels[rc_method] |
|
protoPayload.resourceOriginalState.disabled |
target.resource.attribute.labels[rc_orgState_disabled] |
|
protoPayload.resourceOriginalState.enableLogging |
target.resource.attribute.labels[rc_orgState_enable_logging] |
|
protoPayload.resourceOriginalState.logconfig.enable |
target.resource.attribute.labels[rc_orgState_logconfig_enable] |
|
protoPayload.resourceOriginalState.selfLink |
target.resource.attribute.labels[rc_orgState_selflink] |
|
protoPayload.resourceOriginalState.sourceRanges |
target.resource.attribute.labels[rc_orgState_srcranges] |
|
protoPayload.resourceOriginalState.targetTags |
target.resource.attribute.labels[rc_orgState_target_tags] |
|
protoPayload.resourceOriginalState.@type |
target.resource.attribute.labels[rc_orgState_type] |
|
resource.labels.service |
target.resource.attribute.labels[rc_service] |
|
resource.labels.subnetwork_name |
target.resource.attribute.labels[rc_subnetwork_name] |
|
resource.labels.version |
target.resource.attribute.labels[rc_version] |
|
protoPayload.request.body.databaseVersion |
target.resource.attribute.labels[req_body_dbVersion] |
|
protoPayload.request.cluster.releaseChannel.channel |
target.resource.attribute.labels[req_cls_channel] |
|
protoPayload.request.cluster.addonsConfig.networkPolicyConfig.disabled |
target.resource.attribute.labels[req_cls_policy_config_disabled] |
|
protoPayload.request.reservationAffinity.consumeReservationType |
target.resource.attribute.labels[req_consumeReservation_type] |
|
protoPayload.request.disabled |
target.resource.attribute.labels[req_disabled] |
|
protoPayload.request.disks[].boot |
target.resource.attribute.labels[req_disk_boot] |
|
protoPayload.request.disks[].initializeParams.diskSizeGb |
target.resource.attribute.labels[req_disk_initialize_disk_size] |
|
protoPayload.request.disks[].initializeParams.diskType |
target.resource.attribute.labels[req_disk_initialize_disk_type] |
|
protoPayload.request.disks[].initializeParams.sourceImage |
target.resource.attribute.labels[req_disk_initialize_source_image] |
|
protoPayload.request.workloadIdentityPoolProvider.attributeCondition |
target.resource.attribute.labels[req_identityPool_attribute_condition] |
|
protoPayload.request.workloadIdentityPoolProvider.aws.accountId |
target.resource.attribute.labels[req_identityPool_aws_accountId] |
|
protoPayload.request.workloadIdentityPoolProvider.attributeMapping.attribute.aws_role |
target.resource.attribute.labels[req_identityPool_aws_role] |
|
protoPayload.request.workloadIdentityPool.description |
target.resource.attribute.labels[req_identityPool_description] |
|
protoPayload.request.workloadIdentityPool.disabled |
target.resource.attribute.labels[req_identityPool_disabled] |
|
protoPayload.request.workloadIdentityPoolProvider.displayName |
target.resource.attribute.labels[req_identityPool_displayName] |
|
protoPayload.request.workloadIdentityPoolProvider.attributeMapping.google.subject |
target.resource.attribute.labels[req_identityPool_googleSubject] |
|
protoPayload.request.workloadIdentityPoolProvider.disabled |
target.resource.attribute.labels[req_identityPool_provider_disabled] |
|
protoPayload.request.workloadIdentityPoolProviderId |
target.resource.attribute.labels[req_identityPool_providerId] |
|
protoPayload.request.instances[].instance |
target.resource.attribute.labels[req_instance] |
|
protoPayload.request.logconfig.enable |
target.resource.attribute.labels[req_logconfig_enable] |
|
protoPayload.serviceData.tabelDataListRequest.maxResults |
target.resource.attribute.labels[req_max_results] |
|
protoPayload.serviceData.jobGetQueryResultsRequest.maxResults |
target.resource.attribute.labels[req_max_results] |
|
protoPayload.request.maxResults |
target.resource.attribute.labels[req_max_results] |
|
protoPayload.request.name |
target.resource.attribute.labels[req_name] |
|
protoPayload.request.networkInterfaces[].accessConfig.name |
target.resource.attribute.labels[req_network_access_config_name] |
|
protoPayload.request.networkInterfaces[].accessConfig.networkTier |
target.resource.attribute.labels[req_network_access_config_network_tier] |
|
protoPayload.request.networkInterfaces[].accessConfig.type |
target.resource.attribute.labels[req_network_access_config_type] |
|
protoPayload.request.network |
target.resource.attribute.labels[req_network] |
|
protoPayload.request.network |
target.resource.attribute.labels[req_network] |
|
protoPayload.request.priority |
target.resource.attribute.labels[Request Priority] |
|
protoPayload.request.project |
target.resource.attribute.labels[req_project] |
|
protoPayload.request.role.stage |
target.resource.attribute.labels[req_role_stage] |
|
protoPayload.request.scheduling.automaticRestart |
target.resource.attribute.labels[req_scheduling_automatic_restart] |
|
protoPayload.request.scheduling.onHostMaintenance |
target.resource.attribute.labels[req_scheduling_on_host_mainten] |
|
protoPayload.request.scheduling.preemptible |
target.resource.attribute.labels[req_scheduling_preemptible] |
|
protoPayload.request.service_account.description |
target.resource.attribute.labels[req_serviceAcc_description] |
|
protoPayload.request.serviceAccounts[].email |
target.resource.attribute.labels[req_serviceAcc_email] |
|
protoPayload.request.policy.booleanPolicy.enforced |
target.resource.attribute.labels[request_constraint] |
|
protoPayload.response.email |
target.resource.attribute.labels[res_email] |
|
protoPayload.response.etag |
target.resource.attribute.labels[res_etag] |
|
protoPayload.response.name |
target.resource.attribute.labels[res_name] |
|
protoPayload.response.operationType |
target.resource.attribute.labels[response_operation_type] |
|
protoPayload.response.zone |
target.resource.attribute.labels[res_zone] |
|
resource.data.name |
target.resource.attribute.labels[resource_data_name] |
|
protoPayload.response.booleanPolicy.enforced |
target.resource.attribute.labels[response_enforce_policy] |
|
protoPayload.response.status |
target.resource.attribute.labels[response_status] |
|
protoPayload.response.status.conditions.message |
target.resource.attribute.labels[response_status] |
|
protoPayload.serviceData.permissionDelta.addedPermissions[] |
target.resource.attribute.labels[ser_added_perm] |
|
protoPayload.serviceData.policyDelta.bindingDeltas[].action |
target.resource.attribute.labels[ser_binding_deltas_action] |
|
protoPayload.serviceData.policyDelta.bindingDeltas[].member |
target.resource.attribute.labels[ser_binding_deltas_member] |
|
Referred this from default parser. |
target.resource.attribute.labels[ser_binding_deltas_member] |
|
protoPayload.serviceData.jobGetQueryResultsResponse.job.jobConfiguration.query.destinationTable.datasetId |
target.resource.attribute.labels[ser_destTable_datasetId] |
|
protoPayload.serviceData.jobGetQueryResultsResponse.job.jobConfiguration.query.destinationTable.projectId |
target.resource.attribute.labels[ser_destTable_projectId] |
|
protoPayload.serviceData.jobGetQueryResultsResponse.job.jobConfiguration.query.destinationTable.tableId |
target.resource.attribute.labels[ser_destTable_tableId] |
|
protoPayload.serviceData.jobGetQueryResultsResponse.job.jobStatistics.createTime |
target.resource.attribute.labels[ser_jobCreate_time] |
|
protoPayload.serviceData.jobGetQueryResultsResponse.job.jobName.jobId |
target.resource.attribute.labels[ser_req_jobId] |
|
protoPayload.serviceData.jobGetQueryResultsResponse.job.jobConfiguration.query.query |
target.resource.attribute.labels[ser_req_query] |
|
protoPayload.serviceData.jobGetQueryResultsResponse.job.jobConfiguration.query.createDisposotion |
target.resource.attribute.labels[ser_reqCreate_disposotion] |
|
protoPayload.serviceData.jobGetQueryResultsResponse.job.jobName.location |
target.resource.attribute.labels[ser_reqJob_location] |
|
protoPayload.serviceData.jobGetQueryResultsResponse.job.jobName.projectId |
target.resource.attribute.labels[ser_reqJob_projectid] |
|
protoPayload.serviceData.jobGetQueryResultsResponse.job.jobStatistics.startTime |
target.resource.attribute.labels[ser_reqJob_start_time] |
|
protoPayload.serviceData.jobGetQueryResultsResponse.job.jobStatus.state |
target.resource.attribute.labels[ser_reqJob_state] |
|
protoPayload.serviceData.jobGetQueryResultsResponse.job.jobStatistics.totalSlotMs |
target.resource.attribute.labels[ser_reqJob_total_slot_ms] |
|
protoPayload.serviceData.jobGetQueryResultsResponse.job.jobConfiguration.query.statementType |
target.resource.attribute.labels[ser_reqStatement_type] |
|
protoPayload.serviceData.jobGetQueryResultsResponse.job.jobConfiguration.query.writeDisposition |
target.resource.attribute.labels[ser_reqWrite_disposition] |
|
protoPayload.serviceData.tableInsertRequest.resource.view.query |
target.resource.attribute.labels[ser_tableInsert_query] |
|
protoPayload.serviceData.@type |
target.resource.attribute.labels[ser_type] |
|
protoPayload.request.sourceRanges[] |
target.resource.attribute.labels[source_ranges] |
|
protoPayload.request.body.settings.storageAutoResize |
target.resource.attribute.labels[storage_auto_resize] |
|
resource.labels.target_proxy_name |
target.resource.attribute.labels[target_proxy_name] |
|
protoPayload.request.body.settings.tier |
target.resource.attribute.labels[tier] |
|
resource.labels.url_map_name |
target.resource.attribute.labels[url_map_name] |
|
protoPayload.request.cluster.network |
target.resource_ancestors.attribute.labels[req_cls_network] |
|
protoPayload.request.cluster.nodePools[].management.autoRepair |
target.resource_ancestors.attribute.labels[req_clsNodePools_autorepair] |
|
protoPayload.request.body.settings.availabilityType |
target.resource.attributes.labels[resource_avaibilitytype] |
|
protoPayload.metadata.tableCreation.table.schemaJSON |
target.resource.attributes.labels[table_schemaJson] |
|
protoPayload.metadata.event.eventName.parameter.name[BIRTHDATE] |
target.user.attribute.labels[birthdate] |
|
protoPayload.metadata.event.eventName.parameter.name[PRIVILEGE_NAME] |
target.user.attribute.labels[privilege_name] |
|
protoPayload.metadata.event.eventName.parameter.name[USER_NICKNAME] |
target.user.attribute.labels[user_nickname] |
|
resource.type |
target.resource_ancestors.resource_type |
如果resource.type 日志字段值与正则表达式gce_(firewall or forwarding_rule) 匹配,target.resource_ancestors.resource_type 1resource.type resource.type resource.type resource.type resource.type resource.type resource.type resource.type resource.type resource.type resource.type target.resource_ancestors.resource_type target.resource_ancestors.resource_type target.resource_ancestors.resource_type target.resource_ancestors.resource_type target.resource_ancestors.resource_type target.resource_ancestors.resource_type target.resource_ancestors.resource_type target.resource_ancestors.resource_type target.resource_ancestors.resource_type target.resource_ancestors.resource_type target.resource_ancestors.resource_type target.resource_ancestors.resource_type FIREWALL_RULE gce_(subnetwork or network) VPC_NETWORK dataproc CLUSTER CLUSTER k8s or gke_ gce_backend_service BACKEND_SERVICE (gce_ or dns_query) target.resource.resource_type VIRTUAL_MACHINE gcs_bucket STORAGE_BUCKET bigquery DATABASE DATABASE cloudsql service_account SERVICE_ACCOUNT project CLOUD_PROJECT CLOUD_PROJECT organization CLOUD_ORGANIZATION UNSPECIFIED resource.labels.project_id |
jsonPayload.end_time |
about.labels[jsonPayload_end_time] (已弃用) |
|
jsonPayload.packets_sent |
network.sent_packets |
|
jsonPayload.reporter |
about.labels[jsonPayload_reporter] (已弃用) |
|
jsonPayload.src_vpc.vpc_name |
principal.resource.name |
|
jsonPayload.src_vpc.project_id |
principal.resource.product_object_id |
|
jsonPayload.src_vpc.subnetwork_name |
principal.resource.attribute.labels[jsonPayload_src_vpc_subnetwork_name] |
|
jsonPayload.start_time |
about.labels[jsonPayload_start_time] (已弃用) |
|
jsonPayload.src_instance.region |
principal.location.name |
|
jsonPayload.src_instance.project_id |
principal.labels[jsonPayload_src_instance_project_id] (已弃用) |
|
jsonPayload.src_instance.zone |
principal.cloud.availability_zone |
|
resource.labels.subnetwork_id |
target.resource.attribute.labels[resource_labels_subnetwork_id] |
|
jsonPayload.dest_vpc.project_id |
target.resource.product_object_id |
|
jsonPayload.dest_vpc.subnetwork_name |
target.resource.attribute.labels[jsonPayload_src_vpc_subnetwork_name] |
|
jsonPayload.dest_vpc.vpc_name |
target.resource.name |
|
jsonPayload.dest_instance.region |
target.location.name |
|
jsonPayload.dest_instance.project_id |
target.labels[jsonPayload_dest_instance_project_id] (已弃用) |
|
jsonPayload.dest_instance.zone |
target.cloud.availability_zone |
|
jsonPayload.src_location.asn |
principal.labels[jsonPayload_src_location_asn] (已弃用) |
|
jsonPayload.src_location.city |
principal.location.city |
|
jsonPayload.src_location.continent |
principal.labels[jsonPayload_src_location_continent] (已弃用) |
|
jsonPayload.src_location.country |
principal.location.country_or_region |
|
jsonPayload.src_location.region |
principal.labesl[jsonPayload_src_location_region] |
|
jsonPayload.dest_location.asn |
target.labels[jsonPayload_dest_location_asn] (已弃用) |
|
jsonPayload.dest_location.city |
target.location.city |
|
jsonPayload.dest_location.continent |
target.labels[jsonPayload_dest_location_continent] (已弃用) |
|
jsonPayload.dest_location.region |
target.labesl[jsonPayload_dest_location_region] |
|
protoPayload.metadata.ingressViolations.servicePerimeter |
security_result.detection_fields[protoPayload_metadata_ingressViolations_serviceParameter] |
|
protoPayload.metadata.ingressViolations.source |
security_result.detection_fields[protoPayload_metadata_ingressViolations_source] |
|
protoPayload.metadata.ingressViolations.sourceType |
security_result.detection_fields[protoPayload_metadata_ingressViolations_sourceType] |
|
protoPayload.metadata.ingressViolations.targetResource |
security_result.detection_fields[protoPayload_metadata_ingressViolations_targetResource] |
|
protoPayload.request.subjects.name |
target.user.attribute.labels[subject_name] |
|
protoPayload.request.spec.containers.0.image |
target.process.command_line |
|
protoPayload.request.spec.containers.0.name |
target.resource.attribute.labels[name] |
|
protoPayload.request.spec.containers.0.terminationMessagePolicy |
traget.resource.attribute.labels[terminationMessagePolicy] |
|
protoPayload.request.spec.containers.0.terminationMessagePath |
traget.resource.attribute.labels[terminationMessagePath] |
|
protoPayload.request.spec.containers.0.imagePullPolicy |
traget.resource.attribute.labels[imagePullPolicy] |
|
protoPayload.request.spec.dnsPolicy |
target.resource.attribute.labels[imagePullPolicy] |
|
protoPayload.request.spec.enableServiceLinks |
traget.resource.attribute.labels[enableServiceLinks] |
|
protoPayload.request.spec.restartPolicy |
target.resource.attribute.labels[restartPolicy] |
|
protoPayload.request.spec.schedulerName |
target.resource.attribute.labels[schedulerName] |
|
protoPayload.request.spec.terminationGracePeriodSeconds |
traget.resource.attribute.labels[protoPayload_request_spec_terminationGracePeriodSeconds] |
|
protoPayload.request.metadata.namespace |
principal.namespace |
|
protoPayload.request.apiVersion |
target.resource.attribute.labels [request apiVersion] |
|
protoPayload.request.kind |
target.resource.attribute.labels[request.kind] |
|
protoPayload.request.metadata.name |
target.resource.attribute.labels[request.metadata.name] |
|
labels.mutation.webhook.admission.k8s.io/round_0_index_0 |
security_result.about.resource.attribute.labels[labels_round_0_index_0] |
|
protoPayload.request.spec.containers.0.args |
about.file.capabilities_tags |
|
protoPayload.request.properties.disks.0.initializeParams.diskSizeGb |
principal.resource.attribute.labels[diskSizeGb] |
|
protoPayload.request.properties.disks.0.initializeParams.diskType |
principal.resource.attribute.labels[diskType] |
|
protoPayload.request.properties.disks.0.initializeParams.guestOsFeatures.0.type |
principal.resource.attribute.labels[guestOsFeatures type] |
|
protoPayload.request.properties.disks.0.initializeParams.labels.0.key |
principal.resource.attribute.labels[protoPayload.request.properties.disks.0.initializeParams.labels.0.key] |
|
protoPayload.request.properties.disks.0.initializeParams.sourceImage |
principal.resource.attribute.labels[sourceImage] |
|
protoPayload.request.properties.disks.0.type |
principal.resource.attribute.labels[disks Type] |
|
key_id |
security_result.detection_field[key_id] |
key_id 字段值提取自 message 日志
字段。 |
protoPayload.request.securityHealthAnalyticsSettings.modules.PUBLIC_BUCKET_ACL.moduleEnablementState |
target.resource.attribute.labels[PUBLIC_BUCKET_ACL_module_enablement_state] |
|
protoPayload.response.serviceEnablementState |
target.resource.attribute.labels[service_enablement_state] |
|
protoPayload.request.metadata.creationTimestamp |
target.resource.attribute.creation_time |
|
protoPayload.request.metadata.labels.trivy.automatic.created |
target.resource.attribute.labels[req_metadata_trivy_automatic_created] |
|
protoPayload.request.metadata.labels.trivy.collector.name |
target.resource.attribute.labels[req_metadata_trivy_collector_name] |
|
protoPayload.request.metadata.labels.trivy.resource.kind |
target.resource.attribute.labels[req_metadata_trivy_resource_kind] |
|
protoPayload.request.metadata.labels.trivy.resource.name |
target.resource.attribute.labels[req_metadata_trivy_resource_name] |
|
protoPayload.request.spec.backoffLimit |
target.resource.attribute.labels[req_spec_backoff_limit] |
|
protoPayload.request.spec.completionMode |
target.resource.attribute.labels[req_spec_completion_mode] |
|
protoPayload.request.spec.completions |
target.resource.attribute.labels[req_spec_completions] |
|
protoPayload.request.spec.parallelism |
target.resource.attribute.labels[req_spec_parallelism] |
|
protoPayload.request.spec.suspend |
target.resource.attribute.labels[req_spec_suspend] |
|
protoPayload.request.spec.template.metadata.creationTimestamp |
target.resource.attribute.labels[req_spec_template_metadata_creation_time] |
|
protoPayload.request.spec.template.metadata.labels.app |
target.resource.attribute.labels[req_spec_template_metadata_app] |
|
protoPayload.request.spec.template.spec.automountServiceAccountToken |
target.resource.attribute.labels[req_spec_template_spec_automount_service_account_token] |
|
protoPayload.request.spec.template.spec.containers.command |
target.resource_ancestors.attribute.labels[req_spec_template_spec_container_command] |
|
protoPayload.request.spec.template.spec.containers.image |
target.resource_ancestors.attribute.labels[req_spec_template_spec_container_image] |
|
protoPayload.request.spec.template.spec.containers.imagePullPolicy |
target.resource_ancestors.attribute.labels[req_spec_template_spec_container_image_pull_policy] |
|
protoPayload.request.spec.template.spec.containers.name |
target.resource_ancestors.name |
|
protoPayload.request.spec.template.spec.containers.resources.limits.cpu |
target.resource_ancestors.attribute.labels[req_spec_template_spec_container_resource_limits_cpu] |
|
protoPayload.request.spec.template.spec.containers.resources.limits.memory |
target.resource_ancestors.attribute.labels[req_spec_template_spec_container_resource_limits_memory] |
|
protoPayload.request.spec.template.spec.containers.resources.requests.cpu |
target.resource_ancestors.attribute.labels[req_spec_template_spec_container_resource_request_cpu] |
|
protoPayload.request.spec.template.spec.containers.resources.requests.memory |
target.resource_ancestors.attribute.labels[req_spec_template_spec_container_resource_request_memory] |
|
protoPayload.request.spec.template.spec.containers.securityContext.allowPrivilegeEscalation |
target.resource_ancestors.attribute.labels[req_spec_template_spec_container_security_context_allow_privilege_escalation] |
|
protoPayload.request.spec.template.spec.containers.securityContext.capabilities.drop |
target.resource_ancestors.attribute.labels[req_spec_template_spec_container_security_context_capabilities_drop] |
|
protoPayload.request.spec.template.spec.containers.securityContext.privileged |
target.resource_ancestors.attribute.labels[req_spec_template_spec_container_security_context_privileged] |
|
protoPayload.request.spec.template.spec.containers.securityContext.readOnlyRootFilesystem |
target.resource_ancestors.attribute.labels[req_spec_template_spec_container_security_context_read_only_root_filesystem] |
|
protoPayload.request.spec.template.spec.containers.terminationMessagePath |
target.resource_ancestors.attribute.labels[req_spec_template_spec_container_termination_message_path] |
|
protoPayload.request.spec.template.spec.containers.terminationMessagePolicy |
target.resource_ancestors.attribute.labels[req_spec_template_spec_container_termination_message_policy] |
|
protoPayload.request.spec.template.spec.containers.volumeMounts.mountPath |
target.resource_ancestors.attribute.labels[req_spec_template_spec_container_volume_mounts_mount_path] |
|
protoPayload.request.spec.template.spec.containers.volumeMounts.name |
target.resource_ancestors.attribute.labels[req_spec_template_spec_container_volume_mounts_name] |
|
protoPayload.request.spec.template.spec.containers.volumeMounts.readOnly |
target.resource_ancestors.attribute.labels[req_spec_template_spec_container_volume_mounts_readonly] |
|
protoPayload.request.spec.template.spec.dnsPolicy |
target.resource.attribute.labels[req_spec_template_spec_dns_policy] |
|
protoPayload.request.spec.template.spec.hostPID |
target.resource.attribute.labels[req_spec_template_spec_host_pid] |
|
protoPayload.request.spec.template.spec.restartPolicy |
target.resource.attribute.labels[req_spec_template_spec_restart_policy] |
|
protoPayload.request.spec.template.spec.schedulerName |
target.resource.attribute.labels[req_spec_template_spec_scheduler_name] |
|
protoPayload.request.spec.template.spec.securityContext.runAsGroup |
target.resource.attribute.labels[req_spec_template_spec_security_context_run_as_group] |
|
protoPayload.request.spec.template.spec.securityContext.runAsUser |
target.resource.attribute.labels[req_spec_template_spec_security_context_run_as_user] |
|
protoPayload.request.spec.template.spec.securityContext.seccompProfile.type |
target.resource.attribute.labels[req_spec_template_spec_security_context_seccomp_profile_type] |
|
protoPayload.request.spec.template.spec.terminationGracePeriodSeconds |
target.resource.attribute.labels[req_spec_template_spec_termination_grace_period_seconds] |
|
protoPayload.request.spec.template.spec.volumes.hostPath.path |
target.resource.attribute.labels[req_spec_template_spec_volumes_host_path] |
|
protoPayload.request.spec.template.spec.volumes.hostPath.type |
target.resource.attribute.labels[req_spec_template_spec_volumes_host_path_type] |
|
protoPayload.request.spec.template.spec.volumes.name |
target.resource.attribute.labels[req_spec_template_spec_volumes_name] |
|
protoPayload.request.spec.automountServiceAccountToken |
target.resource.attribute.labels[req_spec_automount_service_account_token] |
|
protoPayload.request.spec.containers.command |
target.resource.attribute.labels[req_spec_container_command] |
|
protoPayload.request.spec.containers.securityContext.privileged |
target.resource.attribute.labels[req_spec_container_security_context_privileged] |
|
protoPayload.request.spec.containers.securityContext.allowPrivilegeEscalation |
target.resource.attribute.labels[req_spec_container_security_context_allow_privilege_escalation] |
|
protoPayload.request.spec.containers.securityContext.readOnlyRootFilesystem |
target.resource.attribute.labels[req_spec_container_security_context_read_only_root_filesystem] |
|
protoPayload.request.spec.containers.securityContext.capabilities.drop |
target.resource.attribute.labels[req_spec_container_security_context_capabilities_drop] |
|
protoPayload.request.spec.containers.volumeMounts.mountPath |
target.resource.attribute.labels[req_spec_container_volume_mount_path] |
|
protoPayload.request.spec.containers.volumeMounts.name |
target.resource.attribute.labels[req_spec_container_volume_mount_name] |
|
protoPayload.request.spec.containers.volumeMounts.readOnly |
target.resource.attribute.labels[req_spec_container_volume_mount_read_only] |
|
protoPayload.request.metadata.annotations.deprecated.daemonset.template.generation |
target.resource.attribute.labels[req_metadata_annotations_deprecated_daemonset_template_generation] |
|
protoPayload.request.metadata.labels.app |
target.resource.attribute.labels[req_metadata_app] |
|
protoPayload.request.metadata.labels.type |
target.resource.attribute.labels[req_metadata_labels_type] |
|
protoPayload.request.spec.serviceAccount |
target.resource.attribute.labels[req_spec_service_account] |
|
protoPayload.request.spec.serviceAccountName |
target.resource.attribute.labels[req_spec_serivce_account_name] |
|
protoPayload.request.spec.hostIPC |
target.resource.attribute.labels[req_spec_host_ipc] |
|
protoPayload.request.spec.hostNetwork |
target.resource.attribute.labels[req_spec_host_network] |
|
protoPayload.request.spec.hostPID |
target.resource.attribute.labels[req_spec_host_pid] |
|
protoPayload.request.spec.nodeName |
target.resource.attribute.labels[req_spec_node_name] |
|
protoPayload.request.spec.securityContext.privileged |
target.resource.attribute.labels[req_spec_security_context_privileged] |
|
protoPayload.request.spec.securityContext.allowPrivilegeEscalation |
target.resource.attribute.labels[req_spec_security_context_allow_privilege_escalation] |
|
protoPayload.request.spec.securityContext.readOnlyRootFilesystem |
target.resource.attribute.labels[req_spec_security_context_read_only_root_filesystem] |
|
protoPayload.request.spec.securityContext.capabilities.drop |
target.resource.attribute.labels[req_spec_security_context_capabilities_drop] |
|
protoPayload.request.spec.volumes.hostPath.path |
target.resource.attribute.labels[req_spec_volume_host_path] |
|
protoPayload.request.spec.volumes.hostPath.type |
target.resource.attribute.labels[req_spec_volume_host_path_type] |
|
protoPayload.request.spec.volumes.name |
target.resource.attribute.labels[req_spec_volume_name] |
|
protoPayload.request.spec.revisionHistoryLimit |
target.resource.attribute.labels[req_spec_revision_history_limit] |
|
protoPayload.request.spec.selector.matchLabels.app |
target.resource.attribute.labels[req_spec_selector_match_label_app] |
|
protoPayload.request.spec.selector.matchLabels.type |
target.resource.attribute.labels[req_spec_selector_match_label_type] |
|
protoPayload.request.spec.template.metadata.labels.type |
target.resource.attribute.labels[req_spec_template_metadata_labels_type] |
|
protoPayload.request.spec.template.spec.containers.args |
target.resource.attribute.labels[req_spec_template_spec_container_arg] |
|
protoPayload.request.spec.template.spec.hostIPC |
target.resource.attribute.labels[req_spec_template_spec_host_ipc] |
|
protoPayload.request.spec.template.spec.hostNetwork |
target.resource.attribute.labels[req_spec_template_spec_host_network] |
|
protoPayload.request.spec.updateStrategy.rollingUpdate.maxSurge |
target.resource.attribute.labels[req_spec_update_strategy_rolling_update_max_surge] |
|
protoPayload.request.spec.updateStrategy.rollingUpdate.maxUnavailable |
target.resource.attribute.labels[req_spec_update_strategy_rolling_update_max_unavailable] |
|
protoPayload.request.spec.updateStrategy.type |
target.resource.attribute.labels[req_spec_update_strategy_type] |
|
protoPayload.request.status.currentNumberScheduled |
target.resource.attribute.labels[req_status_current_number_scheduled] |
|
protoPayload.request.status.desiredNumberScheduled |
target.resource.attribute.labels[req_status_desired_number_scheduled] |
|
protoPayload.request.status.numberMisscheduled |
target.resource.attribute.labels[req_status_number_miss_scheduled] |
|
protoPayload.request.status.numberReady |
target.resource.attribute.labels[req_status_number_ready] |
|
protoPayload.response.@type |
target.resource.attribute.labels[res_type] |
|
protoPayload.response.apiVersion |
target.resource.attribute.labels[res_api_version] |
|
protoPayload.response.metadata.annotations.deprecated.daemonset.template.generation |
target.resource.attribute.labels[res_metadata_annotations_deprecated_daemonset_template_generation] |
|
protoPayload.response.metadata.generation |
target.resource.attribute.labels[res_metadata_generation] |
|
protoPayload.response.metadata.labels.type |
target.resource.attribute.labels[res_metadata_labels_type] |
|
protoPayload.response.metadata.labels.app |
target.resource.attribute.labels[res_metadata_label_app] |
|
protoPayload.response.metadata.creationTimestamp |
target.resource.attribute.labels[res_metadata_creation_time] |
|
protoPayload.response.metadata.name |
target.resource.attribute.labels[res_metadata_name] |
|
protoPayload.response.metadata.namespace |
target.resource.attribute.labels[res_metadata_namespace] |
|
protoPayload.response.metadata.resourceVersion |
target.resource.attribute.labels[res_metadata_resource_version] |
|
protoPayload.response.metadata.uid |
target.resource.attribute.labels[res_metadata_uid] |
|
protoPayload.response.spec.revisionHistoryLimit |
target.resource.attribute.labels[res_spec_revision_history_limit] |
|
protoPayload.response.spec.selector.matchLabels.app |
target.resource.attribute.labels[res_spec_selector_match_label_app] |
|
protoPayload.response.spec.selector.matchLabels.type |
target.resource.attribute.labels[res_spec_selector_match_label_type] |
|
protoPayload.response.spec.template.metadata.creationTimestamp |
target.resource.attribute.labels[res_spec_template_metadata_creation_time] |
|
protoPayload.response.spec.template.metadata.labels.app |
target.resource.attribute.labels[res_spec_template_metadata_app] |
|
protoPayload.response.spec.template.metadata.labels.type |
target.resource.attribute.labels[res_spec_template_metadata_type] |
|
protoPayload.response.spec.template.spec.containers.args |
target.resource_ancestors.attribute.labels[res_spec_template_spec_container_arg] |
|
protoPayload.response.spec.template.spec.containers.command |
target.resource_ancestors.attribute.labels[res_spec_template_spec_container_command] |
|
protoPayload.response.spec.template.spec.containers.image |
target.resource_ancestors.attribute.labels[res_spec_template_spec_container_image] |
|
protoPayload.response.spec.template.spec.containers.imagePullPolicy |
target.resource_ancestors.attribute.labels[res_spec_template_spec_container_image_pull_policy] |
|
protoPayload.response.spec.template.spec.containers.name |
target.resource_ancestors.name |
|
protoPayload.response.spec.template.spec.containers.resources.limits.cpu |
target.resource_ancestors.attribute.labels[res_spec_template_spec_container_resource_limits_cpu] |
|
protoPayload.response.spec.template.spec.containers.resources.limits.memory |
target.resource_ancestors.attribute.labels[res_spec_template_spec_container_resource_limits_memory] |
|
protoPayload.response.spec.template.spec.containers.resources.requests.cpu |
target.resource_ancestors.attribute.labels[res_spec_template_spec_container_resource_request_cpu] |
|
protoPayload.response.spec.template.spec.containers.resources.requests.memory |
target.resource_ancestors.attribute.labels[res_spec_template_spec_container_resource_request_memory] |
|
protoPayload.response.spec.template.spec.containers.securityContext.privileged |
target.resource_ancestors.attribute.labels[res_spec_template_spec_container_security_context_privileged] |
|
protoPayload.response.spec.template.spec.containers.securityContext.allowPrivilegeEscalation |
target.resource_ancestors.attribute.labels[res_spec_template_spec_container_security_context_allow_privilege_escalation] |
|
protoPayload.response.spec.template.spec.containers.securityContext.readOnlyRootFilesystem |
target.resource_ancestors.attribute.labels[res_spec_template_spec_container_security_context_read_only_root_filesystem] |
|
protoPayload.response.spec.template.spec.containers.securityContext.capabilities.drop |
target.resource_ancestors.attribute.labels[res_spec_template_spec_container_security_context_capabilities_drop] |
|
protoPayload.response.spec.template.spec.containers.terminationMessagePath |
target.resource_ancestors.attribute.labels[res_spec_template_spec_container_termination_message_path] |
|
protoPayload.response.spec.template.spec.containers.terminationMessagePolicy |
target.resource_ancestors.attribute.labels[res_spec_template_spec_container_termination_message_policy] |
|
protoPayload.response.spec.template.spec.containers.volumeMounts.mountPath |
target.resource_ancestors.attribute.labels[res_spec_template_spec_container_volume_mounts_mount_path] |
|
protoPayload.response.spec.template.spec.containers.volumeMounts.name |
target.resource_ancestors.attribute.labels[res_spec_template_spec_container_volume_mounts_name] |
|
protoPayload.response.spec.template.spec.containers.volumeMounts.readOnly |
target.resource_ancestors.attribute.labels[res_spec_template_spec_container_volume_mounts_read_only] |
|
protoPayload.response.spec.template.spec.dnsPolicy |
target.resource.attribute.labels[res_spec_template_spec_dns_policy] |
|
protoPayload.response.spec.template.spec.hostIPC |
target.resource.attribute.labels[res_spec_template_spec_host_pid] |
|
protoPayload.response.spec.template.spec.hostNetwork |
target.resource.attribute.labels[res_spec_template_spec_host_network] |
|
protoPayload.response.spec.template.spec.hostPID |
target.resource.attribute.labels[res_spec_template_spec_host_ipc] |
|
protoPayload.response.spec.template.spec.nodeName |
target.resource.attribute.labels[res_spec_template_spec_node_name] |
|
protoPayload.response.spec.template.spec.restartPolicy |
target.resource.attribute.labels[res_spec_template_spec_restart_policy] |
|
protoPayload.response.spec.template.spec.schedulerName |
target.resource.attribute.labels[res_spec_template_spec_scheduler_name] |
|
protoPayload.response.spec.template.spec.securityContext.runAsGroup |
target.resource.attribute.labels[res_spec_template_spec_security_context_run_as_group] |
|
protoPayload.response.spec.template.spec.securityContext.runAsUser |
target.resource.attribute.labels[res_spec_template_spec_security_context_run_as_user] |
|
protoPayload.response.spec.template.spec.securityContext.seccompProfile.type |
target.resource.attribute.labels[res_spec_template_spec_security_context_seccomp_profile_type] |
|
protoPayload.response.spec.template.spec.terminationGracePeriodSeconds |
target.resource.attribute.labels[res_spec_template_spec_termination_grace_period_seconds] |
|
protoPayload.response.spec.template.spec.volumes.hostPath.path |
target.resource.attribute.labels[res_spec_template_spec_volumes_host_path] |
|
protoPayload.response.spec.template.spec.volumes.hostPath.type |
target.resource.attribute.labels[res_spec_template_spec_volumes_host_path_type] |
|
protoPayload.response.spec.template.spec.volumes.name |
target.resource.attribute.labels[res_spec_template_spec_volumes_name] |
|
protoPayload.response.spec.updateStrategy.rollingUpdate.maxSurge |
target.resource.attribute.labels[res_spec_update_strategy_rolling_update_max_surge] |
|
protoPayload.response.spec.updateStrategy.rollingUpdate.maxUnavailable |
target.resource.attribute.labels[res_spec_update_strategy_rolling_update_max_unavailable] |
|
protoPayload.response.spec.updateStrategy.type |
target.resource.attribute.labels[res_spec_update_strategy_type] |
|
protoPayload.response.spec.containers.args |
target.resource_ancestors.attribute.labels[res_spec_container_arg] |
|
protoPayload.response.spec.containers.command |
target.resource_ancestors.attribute.labels[res_spec_container_command] |
|
protoPayload.response.spec.containers.image |
target.resource_ancestors.attribute.labels[res_spec_container_image] |
|
protoPayload.response.spec.containers.imagePullPolicy |
target.resource_ancestors.attribute.labels[res_spec_container_image_pull_policy] |
|
protoPayload.response.spec.containers.name |
target.resource_ancestors.name |
|
protoPayload.response.spec.containers.securityContext.privileged |
target.resource_ancestors.attribute.labels[res_spec_container_security_context_privileged] |
|
protoPayload.response.spec.containers.securityContext.allowPrivilegeEscalation |
target.resource_ancestors.attribute.labels[res_spec_container_security_context_allow_privilege_escalation] |
|
protoPayload.response.spec.containers.securityContext.readOnlyRootFilesystem |
target.resource_ancestors.attribute.labels[res_spec_container_security_context_read_only_root_filesystem] |
|
protoPayload.response.spec.containers.securityContext.capabilities.drop |
target.resource_ancestors.attribute.labels[res_spec_container_security_context_capabilities_drop] |
|
protoPayload.response.spec.containers.terminationMessagePath |
target.resource_ancestors.attribute.labels[res_spec_container_termination_message_path] |
|
protoPayload.response.spec.containers.terminationMessagePolicy |
target.resource_ancestors.attribute.labels[res_spec_container_termination_message_policy] |
|
protoPayload.response.spec.containers.volumeMounts.mountPath |
target.resource_ancestors.attribute.labels[res_spec_container_volume_mount_path] |
|
protoPayload.response.spec.containers.volumeMounts.name |
target.resource_ancestors.attribute.labels[res_spec_container_volume_mount_name] |
|
protoPayload.response.spec.containers.volumeMounts.readOnly |
target.resource_ancestors.attribute.labels[res_spec_container_volume_mount_read_only] |
|
protoPayload.response.spec.dnsPolicy |
target.resource.attribute.labels[res_spec_dns_policy] |
|
protoPayload.response.spec.enableServiceLinks |
target.resource.attribute.labels[res_spec_enable_service_links] |
|
protoPayload.response.spec.hostIPC |
target.resource.attribute.labels[res_spec_host_ipc] |
|
protoPayload.response.spec.hostNetwork |
target.resource.attribute.labels[res_spec_host_network] |
|
protoPayload.response.spec.hostPID |
target.resource.attribute.labels[res_spec_host_pid] |
|
protoPayload.response.spec.nodeName |
target.resource.attribute.labels[res_spec_node_name] |
|
protoPayload.response.spec.preemptionPolicy |
target.resource.attribute.labels[res_spec_preemption_policy] |
|
protoPayload.response.spec.priority |
target.resource.attribute.labels[res_spec_priority] |
|
protoPayload.response.spec.restartPolicy |
target.resource.attribute.labels[res_spec_restart_policy] |
|
protoPayload.response.spec.schedulerName |
target.resource.attribute.labels[res_spec_scheduler_name] |
|
protoPayload.response.spec.serviceAccount |
target.resource.attribute.labels[res_spec_service_account] |
|
protoPayload.response.spec.serviceAccountName |
target.resource.attribute.labels[res_spec_serivce_account_name] |
|
protoPayload.response.spec.terminationGracePeriodSeconds |
target.resource.attribute.labels[res_spec_termination_grace_period_seconds] |
|
protoPayload.response.spec.tolerations.effect |
target.resource.attribute.labels[res_spec_toleration_effect] |
|
protoPayload.response.spec.tolerations.key |
target.resource.attribute.labels[res_spec_toleration_key] |
|
protoPayload.response.spec.tolerations.operator |
target.resource.attribute.labels[res_spec_toleration_operator] |
|
protoPayload.response.spec.tolerations.tolerationSeconds |
target.resource.attribute.labels[res_spec_toleration_second] |
|
protoPayload.response.spec.volumes.hostPath.path |
target.resource.attribute.labels[res_spec_volume_host_path] |
|
protoPayload.response.spec.volumes.hostPath.type |
target.resource.attribute.labels[res_spec_volume_host_path_type] |
|
protoPayload.response.spec.volumes.name |
target.resource.attribute.labels[res_spec_volume_name] |
|
protoPayload.response.spec.volumes.projected.defaultMode |
target.resource.attribute.labels[res_spec_volume_projected_default_mode] |
|
protoPayload.response.spec.volumes.projected.sources.serviceAccountToken.expirationSeconds |
target.resource.attribute.labels[res_spec_volume_projected_src_service_acc_token_ecpiration_sec] |
|
protoPayload.response.spec.volumes.projected.sources.serviceAccountToken.path |
target.resource.attribute.labels[res_spec_volume_projected_src_service_acc_token_path] |
|
protoPayload.response.spec.volumes.projected.sources.configMap.items.key |
target.resource.attribute.labels[res_spec_volume_projected_src_config_map_item_key] |
|
protoPayload.response.spec.volumes.projected.sources.configMap.items.path |
target.resource.attribute.labels[res_spec_volume_projected_src_config_map_item_path] |
|
protoPayload.response.spec.volumes.projected.sources.configMap.name |
target.resource.attribute.labels[res_spec_volume_projected_src_config_map_name] |
|
protoPayload.response.spec.volumes.projected.sources.downwardAPI.items.fieldRef.apiVersion |
target.resource.attribute.labels[res_spec_volume_projected_src_downward_api_item_field_ref_api_version] |
|
protoPayload.response.spec.volumes.projected.sources.downwardAPI.items.fieldRef.fieldPath |
target.resource.attribute.labels[res_spec_volume_projected_src_downward_api_item_field_ref_field_path] |
|
protoPayload.response.spec.volumes.projected.sources.downwardAPI.items.path |
target.resource.attribute.labels[res_spec_volume_projected_src_downward_api_item_path] |
|
protoPayload.response.status.phase |
target.resource.attribute.labels[res_status_phase] |
|
protoPayload.response.status.qosClass |
target.resource.attribute.labels[res_status_qos_class] |
|
protoPayload.response.status.currentNumberScheduled |
target.resource.attribute.labels[res_status_current_number_scheduled] |
|
protoPayload.response.status.desiredNumberScheduled |
target.resource.attribute.labels[res_status_desired_number_scheduled] |
|
protoPayload.response.status.numberMisscheduled |
target.resource.attribute.labels[res_status_number_miss_scheduled] |
|
protoPayload.response.status.numberReady |
target.resource.attribute.labels[res_status_number_ready] |
|
protoPayload.serviceData.jobCompletedEvent.job.jobConfiguration.labels.requestor |
target.resource.attribute.labels[ser_jobconf_requestor] |
|
protoPayload.serviceData.jobCompletedEvent.job.jobConfiguration.labels.looker_studio_datasource_id |
target.resource.attribute.labels[ser_jobconf_looker_studio_datasource_id] |
|
protoPayload.serviceData.jobCompletedEvent.job.jobConfiguration.labels.looker_studio_report_id |
target.resource.attribute.labels[ser_jobconf_looker_studio_report_id] |
|
labels.authorization.k8s.io/decision |
security_result.action |
如果 labels.authorization.k8s.io/decision 日志字段值等于 allow ,则 security_result.action UDM 字段会设置为 ALLOW 。否则,如果 labels.authorization.k8s.io/decision 日志字段值等于 block ,则 security_result.action UDM 字段会设置为 BLOCK 。 |
labels.pod-security.kubernetes.io/enforce-policy |
security_result.detection_fields[pod_security_kubernetes_io_enforce_policy] |
|
labels.authorization.k8s.io/reason |
security_result.action_details |
|
protoPayload.request.roleRef.apiGroup |
target.user.attribute.labels[req_role_ref_api_group] |
|
protoPayload.request.roleRef.kind |
target.user.attribute.labels[req_role_ref_kind] |
|
protoPayload.request.roleRef.name |
target.user.attribute.roles.name |
|
protoPayload.request.subjects.apiGroup |
target.user.attribute.labels[req_subject_api_group] |
|
protoPayload.request.subjects.kind |
target.user.attribute.labels[req_subject_kind] |
|
protoPayload.request.rules.apiGroups |
security_result.rule_labels[req_rule_api_group] |
|
protoPayload.request.rules.resources |
security_result.rule_labels[req_rule_resource] |
|
protoPayload.request.rules.verbs |
security_result.rule_labels[req_rule_verb] |
|
protoPayload.request.rules.resourceNames |
security_result.rule_labels[req_rule_resource_name] |
|
protoPayload.response.metadata.managedFields.apiVersion |
target.resource.attribute.labels[res_managed_field_api_version] |
|
protoPayload.response.metadata.managedFields.fieldsType |
target.resource.attribute.labels[res_managed_field_type] |
|
protoPayload.response.metadata.managedFields.manager |
target.resource.attribute.labels[res_managed_field_manager] |
|
protoPayload.response.metadata.managedFields.operation |
target.resource.attribute.labels[res_managed_field_operation] |
|
protoPayload.response.metadata.managedFields.time |
target.resource.attribute.labels[res_managed_field_time] |
|
protoPayload.request.spec.containers.securityContext.capabilities.add |
target.resource_ancestors.attribute.labels[req_spec_container_security_context_capabilities_add] |
|
protoPayload.request.spec.containers.securityContext.seccompProfile.type |
target.resource_ancestors.attribute.labels[req_spec_container_security_context_seccomp_profile_type] |
|
protoPayload.request.spec.shareProcessNamespace |
target.resource.attribute.labels[req_spec_share_process_namespace] |
|
protoPayload.response.spec.containers.securityContext.capabilities.add |
target.resource_ancestors.attribute.labels[res_spec_container_security_context_capabilities_add] |
|
protoPayload.response.spec.containers.securityContext.seccompProfile.type |
target.resource_ancestors.attribute.labels[res_spec_container_security_context_seccomp_profile_type] |
|
protoPayload.response.spec.shareProcessNamespace |
target.resource.attribute.labels[res_spec_share_process_namespace] |
|
protoPayload.metadata.membershipDelta.member |
target.resource.attribute.labels[membership_delta_member] |
|
protoPayload.metadata.membershipDelta.roleDeltas.action |
target.resource.attribute.labels[membership_role_deltas_action] |
|
protoPayload.metadata.membershipDelta.roleDeltas.role |
target.resource.attribute.labels[membership_role_deltas_role] |
|
protoPayload.request.spec.resourceAttributes.namespace |
target.resource.attribute.labels[req_spec_resource_attribute_namespace] |
|
protoPayload.request.spec.resourceAttributes.resource |
target.resource.attribute.labels[req_spec_resource_attribute_resource] |
|
protoPayload.request.spec.resourceAttributes.verb |
target.resource.attribute.labels[req_spec_resource_attribute_verb] |
|
protoPayload.request.status.allowed |
target.resource.attribute.labels[req_status_allowed] |
|
protoPayload.response.spec.resourceAttributes.namespace |
target.resource.attribute.labels[res_spec_resource_attribute_namespace] |
|
protoPayload.response.spec.resourceAttributes.resource |
target.resource.attribute.labels[res_spec_resource_attribute_resource] |
|
protoPayload.response.spec.resourceAttributes.verb |
target.resource.attribute.labels[res_spec_resource_attribute_verb] |
|
protoPayload.response.status.allowed |
target.resource.attribute.labels[res_status_allowed] |
|
protoPayload.request.objects.db |
additional.fields[database_name] |
|
jsonPayload.accesses.methodName |
additional.fields[methodName] |
|
protoPayload.request.objects.name |
additional.fields[objects_name] |
|
protoPayload.metadata.event.eventName.parameter.name[API_CLIENT_NAME] |
additional.fields[api_client_name] |
|
protoPayload.metadata.event.eventName.parameter.name[API_SCOPES] |
additional.fields[api_scopes] |
|
protoPayload.metadata.event.eventName.parameter.name[BEGIN_DATE_TIME] |
additional.fields[begin_date_time] |
|
protoPayload.metadata.event.eventName.parameter.name[BULK_UPLOAD_FAIL_USERS_NUMBER] |
additional.fields[bulk_upload_fail_users_number] |
|
protoPayload.metadata.event.eventName.parameter.name[BULK_UPLOAD_TOTAL_USERS_NUMBER] |
additional.fields[bulk_upload_total_users_number] |
|
protoPayload.metadata.event.eventName.parameter.name[CAA_ASSIGNMENTS_NEW] |
additional.fields[caa_assignments_new] |
|
protoPayload.metadata.event.eventName.parameter.name[CAA_ASSIGNMENTS_OLD] |
additional.fields[caa_assignments_old] |
|
protoPayload.metadata.event.eventName.parameter.name[CAA_ENFORCEMENT_ENDPOINTS_NEW] |
additional.fields[caa_enforcement_endpoints_new] |
|
protoPayload.metadata.event.eventName.parameter.name[CAA_ENFORCEMENT_ENDPOINTS_OLD] |
additional.fields[caa_enforcement_endpoints_old] |
|
protoPayload.requestMetadata.requestAttributes.size |
additional.fields[caller_network_request_size] |
|
protoPayload.requestMetadata.requestAttributes.time |
additional.fields[caller_network_request_time] |
|
protoPayload.requestMetadata.callerNetwork |
additional.fields[caller_network] |
|
protoPayload.requestMetadata.requestAttributes.size |
additional.fields[caller_network_request_size] |
|
protoPayload.requestMetadata.requestAttributes.time |
additional.fields[request_attributes_time] |
|
protoPayload.requestMetadata.callerNetwork |
additional.fields[caller_network] |
|
protoPayload.metadata.event.eventName.parameter.name[CHROME_LICENSES_ENABLED] |
additional.fields[chrome_licenses_enabled] |
|
protoPayload.metadata.event.eventName.parameter.name[END_DATE_TIME] |
additional.fields[end_date_time] |
|
protoPayload.metadata.event.eventName.parameter.name[END_DATE] |
additional.fields[end_date] |
|
protoType.metadata.event.eventName |
additional.fields[event_name] |
|
protoPayload.metadata.event.parameter.label |
additional.fields[event_param_label] |
|
protoPayload.metadata.event.parameter.type |
additional.fields[event_param_type] |
|
protoType.metadata.event.eventType |
additional.fields[event_type] |
|
protoPayload.metadata.event.eventName.parameter.name[FIELD_NAME] |
additional.fields[field_name] |
|
protoPayload.metadata.event.eventName.parameter.name[FULL_ORG_UNIT_PATH] |
additional.fields[full_org_unit_path] |
|
protoPayload.metadata.event.eventName.parameter.name[GROUP_MEMBER_BULK_UPLOAD_FAILED_NUMBER] |
additional.fields[grp_member_bulk_upload_failed] |
|
protoPayload.metadata.event.eventName.parameter.name[GROUP_MEMBER_BULK_UPLOAD_TOTAL_NUMBER] |
additional.fields[grp_member_bulk_upload_total] |
|
httpRequest.cacheFillBytes |
additional.fields[httpreq_cache_fill_bytes] |
|
httpRequest.cacheHit |
additional.fields[httpreq_cache_hit] |
|
httpRequest.cacheLookup |
additional.fields[httpreq_cache_lookup] |
|
httpRequest.cacheValidatedWithOriginServer |
additional.fields[httpreq_cache_validated_with_origin_server] |
|
httpRequest.latency |
additional.fields[httprequest_latency] |
|
protoPayload.metadata.event.eventName.parameter.name[INFO_TYPE] |
additional.fields[info_type] |
|
protoPayload.metadata.activityId.timeUsec |
additional.fields[metadata_activityId_time_usec] |
|
protoPayload.metadata.activityId.uniqQualifier |
additional.fields[metadata_activityId_uniq_qualifier] |
|
protoPayload.metadata.@type |
additional.fields[metadata_type] |
|
protoPayload.metadata.event.eventName.parameter.name[NEW_PERMISSION_GRANT_STATE] |
additional.fields[new_permission_grant_state] |
|
protoPayload.metadata.event.eventName.parameter.name[NUMBER_OF_COMPANY_OWNED_DEVICES] |
additional.fields[num_of_company_owned_device] |
|
protoPayload.numResponseItems |
additional.fields[num_response_items] |
|
protoPayload.metadata.event.eventName.parameter.name[OLD_PERMISSION_GRANT_STATE] |
additional.fields[old_permission_grant_state] |
|
operation.first |
additional.fields[operation_first] |
|
operation.id |
additional.fields[operation_id] |
|
operation.last |
additional.fields[operation_last] |
|
operation.producer |
additional.fields[operation_producer] |
|
protoPayload.resourceOriginalState.selfLinkWithId |
additional.fields[rc_old_selflinkWithId] |
|
protoPayload.metadata.event.eventName.parameter.name[REAUTH_SETTING_NEW] |
additional.fields[reauth_setting_new] |
|
protoPayload.metadata.event.eventName.parameter.name[REAUTH_SETTING_OLD] |
additional.fields[reauth_setting_old] |
|
protoPayload.request.alloweds.ports |
additional.fields[req_alloweds_ports] |
|
protoPayload.request.body.name |
additional.fields[req_body_name] |
|
protoPayload.request.body.settings.activityPolicy |
additional.fields[req_body_settings_activity_policy] |
|
protoPayload.request.deletionProtection |
additional.fields[req_deletion_protection] |
|
protoPayload.request.disabled |
additional.fields[req_disabled] |
|
protoPayload.request.displayDevice.enableDisplay |
additional.fields[req_display_device_enable_display] |
|
protoPayload.request.enableFlowLogs |
additional.fields[req_enable_flow_logs] |
|
protoPayload.request.fingerprint |
additional.fields[req_fingerprint] |
|
protoPayload.request.shieldedInstanceConfig.enableSecureBoot |
additional.fields[req_instance_config_enable_secure_boot] |
|
protoPayload.request.shieldedInstanceConfig.enableVtpm |
additional.fields[req_instance_config_enable_vtpm] |
|
protoPayload.request.shieldedInstanceConfig.enableIntegrityMonitoring |
additional.fields[req_instance_enable_integrity_monitoring] |
|
protoPayload.request.key_types |
additional.fields[req_key_types] |
|
protoPayload.request.logconfig.enable |
additional.fields[req_logconfig_enable] |
|
protoPayload.request.networkTier |
additional.fields[req_network_tier] |
|
protoPayload.request.network |
additional.fields[req_network] |
|
protoPayload.request.page_size |
additional.fields[req_page_size] |
|
request.pagesize |
additional.fields[req_page_size] |
|
protoPayload.request.policy.etag |
additional.fields[req_policy_etag] |
|
protoPayload.request.portRange |
additional.fields[req_port_range] |
|
protoPayload.request.privateIpGoogleAccess |
additional.fields[req_private_ip_google_access] |
|
protoPayload.request.private_key_type |
additional.fields[req_private_key_type] |
|
protoPayload.request.remove_deleted_service_accounts |
additional.fields[req_remove_deleted_serviceAcc] |
|
protoPayload.request.showDeleted |
additional.fields[req_show_deleted] |
|
protoPayload.request.skip_visibility_check |
additional.fields[req_skip_visibility_check] |
|
protoPayload.request.stackType |
additional.fields[req_stack_type] |
|
protoPayload.request.type |
additional.fields[req_type] |
|
protoPayload.request.updateMask |
additional.fields[req_update_mask] |
|
protoPayload.request.version |
additional.fields[req_version] |
|
protoPayload.response.clientOperationId |
additional.fields[res_client_operation_id] |
|
protoPayload.response.endTime |
additional.fields[res_end_time] |
|
protoPayload.response.id |
additional.fields[res_id] |
|
protoPayload.response.key_algorithm |
additional.fields[res_key_algorithm] |
|
protoPayload.response.key_origin |
additional.fields[res_key_origin] |
|
protoPayload.response.key_type |
additional.fields[res_key_type] |
|
protoPayload.response.kind |
additional.fields[res_kind] |
|
protoPayload.response.private_key_type |
additional.fields[res_private_key_type] |
|
protoPayload.response.progress |
additional.fields[res_progress] |
|
protoPayload.response.startTime |
additional.fields[res_start_time] |
|
protoPayload.response.status |
security_result.action |
当满足以下条件时,security_result.action 会设置为 FAIL :
|
protoPayload.response.status |
additional.fields[res_status] |
|
protoPayload.response.type |
additional.fields[res_type] |
|
protoPayload.response.unique_id |
additional.fields[res_unique_id] |
|
protoPayload.response.valid_after_time.seconds |
additional.fields[res_valid_after_time] |
|
protoPayload.response.valid_before_time.seconds |
additional.fields[res_valid_before_time] |
|
protoPayload.response.version |
additional.fields[res_version] |
|
protoPayload.response.zone |
additional.fields[res_zone] |
|
protoPayload.metadata.event.eventName.parameter.name[SEARCH_QUERY_FOR_DUMP] |
additional.fields[search_query_for_dump] |
|
spanId |
additional.fields[span_id] |
|
protoPayload.metadata.event.eventName.parameter.name[START_DATE] |
additional.fields[start_date] |
|
traceSampled |
additional.fields[trace_sampled] |
|
Trace |
additional.fields[trace] |
|
protoPayload.@type |
additional.fields[type] |
|
protoPayload.redactions.reason |
additional.fields[protoPayload.redactions.field] |
|
protoPayload.redactions.type |
additional.fields[protoPayload.redactions.field] |
|
authenticationInfo.serviceAccountDelegationInfo.firstPartyPrincipal.serviceMetadata |
additional.fields[service_metadata] |
|
jsonPayload.sourceNetwork |
additional.fields[source_network] |
|
authenticationInfo.serviceAccountDelegationInfo.thirdPartyPrincipal.thirdPartyClaims |
additional.fields[third_party_claims] |
|
protoPayload.requestMetadata.requestAttributes.time |
additional.fields[caller_network_request_time] |
|
protoPayload.request.ipCidrRange |
additional.fields[req_ip_cidr_range] |
|
protoPayload.request.description |
additional.labels[req_description] |
|
protoPayload.request.sourceRanges |
additional.fields[req_source_ranges] |
|
protoPayload.requestMetadata.requestAttributes.reason |
additional.fields[request_attributes_reason] |
|
protoPayload.authenticationInfo.thirdPartyPrincipal |
additional.fields[third_party_principal] |
|
sourceLocation.function |
additional.fields[src_location_function] |
|
sourceLocation.line |
additional.fields[src_location_line] |
|
resource.labels.backend_service_name |
additional.fields[backend_service_name] |
|
protoPayload.requestMetadata.requestAttributes.auth.claims |
additional.fields[request_auth_claims] |
|
protoPayload.metadata.event.eventName.parameter.name[APPLICATION_EDITION] |
additional.fields[application_edition] |
|
protoPayload.metadata.event.eventName.parameter.name[ASP_ID] |
additional.fields[asp_id] |
|
protoPayload.metadata.event.eventName.parameter.name[CHROME_OS_SESSION_TYPE] |
additional.fields[chrome_os_session_type] |
|
protoPayload.metadata.event.eventName.parameter.name[DEVICE_NEW_ORG_UNIT] |
additional.fields[device_new_org_unit] |
|
protoPayload.metadata.event.eventName.parameter.name[DEVICE_PREVIOUS_ORG_UNIT] |
additional.fields[device_previous_org_unit] |
|
protoPayload.metadata.event.eventName.parameter.name[DOMAIN_ALIAS] |
additional.fields[domain_alias] |
|
protoPayload.metadata.event.eventName.parameter.name[EMAIL_EXPORT_INCLUDE_DELETED] |
additional.fields[email_export_include_deleted] |
|
protoPayload.metadata.event.eventName.parameter.name[EMAIL_EXPORT_PACKAGE_CONTENT] |
additional.fields[email_export_package_content] |
|
protoPayload.metadata.event.eventName.parameter.name[EMAIL_LOG_SEARCH_END_DATE] |
additional.fields[email_log_search_end_date] |
|
protoPayload.metadata.event.eventName.parameter.name[EMAIL_LOG_SEARCH_START_DATE] |
additional.fields[email_log_search_start_date] |
|
protoPayload.metadata.event.eventName.parameter.name[EMAIL_MONITOR_LEVEL_CHAT] |
additional.fields[email_monitor_level_chat] |
|
protoPayload.metadata.event.eventName.parameter.name[EMAIL_MONITOR_LEVEL_DRAFT_EMAIL] |
additional.fields[email_monitor_level_draft_email] |
|
protoPayload.metadata.event.eventName.parameter.name[EMAIL_MONITOR_LEVEL_INCOMING_EMAIL] |
additional.fields[email_monitor_level_in_email] |
|
protoPayload.metadata.event.eventName.parameter.name[EMAIL_MONITOR_LEVEL_OUTGOING_EMAIL] |
additional.fields[email_monitor_level_out_email] |
|
protoPayload.metadata.event.eventName.parameter.name[GMAIL_RESET_REASON] |
additional.fields[email_reset_reason] |
|
protoPayload.metadata.event.eventName.parameter.name[NEW_VALUE] |
additional.fields[new_value] |
|
protoPayload.metadata.event.eventName.parameter.name[OAUTH2_APP_TYPE] |
additional.fields[oauth2_app_type] |
|
protoPayload.metadata.event.eventName.parameter.name[OLD_VALUE] |
additional.fields[old_value] |
|
protoPayload.requestMetadata.destinationAttributes.principal |
additional.fields[peer_principal] |
|
protoPayload.requestMetadata.destinationAttributes.regionCode |
additional.fields[peer_region_code] |
|
protoPayload.request.loadBalancingScheme |
additional.fields[req_load_balancing_scheme] |
|
protoPayload.request.requestId |
additional.fields[request_id] |
|
protoPayload.metadata.event.eventName.parameter.name[REQUEST_ID] |
additional.fields[request_id] |
|
protoPayload.resourceOriginalState.description |
additional.fields[res_originalState_description] |
|
protoPayload.response.bindings.members |
additional.fields[response_bindings_members] |
|
protoPayload.response.description |
additional.fields[response_description] |
|
protoPayload.response.display_name |
additional.fields[response_display_name] |
|
protoPayload.metadata.event.eventName.parameter.name[SECONDARY_DOMAIN_NAME] |
additional.fields[secondary_domain_name] |
|
protoPayload.metadata.event.eventName.parameter.name[SETTING_NAME] |
additional.fields[setting_name] |
|
protoPayload.metadata.event.eventName.parameter.name[USER_CUSTOM_FIELD] |
additional.fields[user_custom_field] |
|
protoPayload.metadata.event.eventName.parameter.name[USER_DEFINED_SETTING_NAME] |
additional.fields[user_defined_setting_name] |
|
protoPayload.metadata.event.eventName.parameter.name[WEB_ORIGIN] |
additional.fields[web_origin] |
|
protoPayload.metadata.event.eventName.parameter.name[WHITELISTED_GROUPS] |
additional.fields[whitelisted_groups] |
|
jsonPayload.end_time |
additional.fields[jsonPayload_end_time] |
|
jsonPayload.reporter |
additional.fields[jsonPayload_reporter] |
|
jsonPayload.start_time |
additional.fields[jsonPayload_start_time] |
|
jsonPayload.src_instance.project_id |
additional.fields[jsonPayload_src_instance_project_id] |
|
jsonPayload.dest_instance.project_id |
additional.fields[jsonPayload_dest_instance_project_id] |
|
jsonPayload.src_location.asn |
additional.fields[jsonPayload_src_location_asn] |
|
jsonPayload.src_location.continent |
additional.fields[jsonPayload_src_location_continent] |
|
jsonPayload.dest_location.asn |
additional.fields[jsonPayload_dest_location_asn] |
|
jsonPayload.dest_location.continent |
additional.fields[jsonPayload_dest_location_continent] |
|
protoPayload.request.spec.expirationSeconds |
target.resource.attribute.labels[req_spec_expiration_seconds] |
|
protoPayload.request.spec.request |
target.resource.attribute.labels[req_spec_request] |
|
protoPayload.request.spec.signerName |
target.resource.attribute.labels[req_spec_signer_name] |
|
protoPayload.request.spec.usages |
target.resource.attribute.labels[req_spec_usage] |
|
protoPayload.response.spec.expirationSeconds |
target.resource.attribute.labels[res_spec_expiration_seconds] |
|
protoPayload.response.spec.extra.iam.gke.io/user-assertion |
target.resource.attribute.labels[res_spec_extra_iam_gke_io/user_assertion] |
|
protoPayload.response.spec.extra.user-assertion.cloud.google.com |
target.resource.attribute.labels[res_spec_extra_user_assertion_cloud_google_com] |
|
protoPayload.response.spec.groups |
target.resource.attribute.labels[res_spec_group] |
|
protoPayload.response.spec.request |
target.resource.attribute.labels[res_spec_request] |
|
protoPayload.response.spec.signerName |
target.resource.attribute.labels[res_spec_signer_name] |
|
protoPayload.response.spec.usages |
target.resource.attribute.labels[res_spec_usage] |
|
protoPayload.response.spec.username |
target.resource.attribute.labels[res_spec_username] |
|
protoPayload.request.cryptoKeyVersion.state |
target.resource.attribute.labels[req_cryptokey_version_state] |
|
protoPayload.serviceData.policyDelta.auditConfigDeltas.action |
target.resource.attribute.labels[service_data_policy_delta_audit_config_delta_action] |
|
protoPayload.serviceData.policyDelta.auditConfigDeltas.service |
target.resource.attribute.labels[service_data_policy_delta_audit_config_delta_service] |
|
protoPayload.serviceData.policyDelta.auditConfigDeltas.exemptedMember |
target.resource.attribute.labels[service_data_policy_delta_audit_config_delta_exempted_member] |
|
protoPayload.serviceData.policyDelta.auditConfigDeltas.logType |
target.resource.attribute.labels[service_data_policy_delta_audit_config_delta_log_type] |
|
protoPayload.request.policy.bindings.role |
target.resource.attribute.labels[req_policy_bindings_role] |
|
protoPayload.request.policy.bindings.members |
target.resource.attribute.labels[req_bindings_members] |
|
protoPayload.metadata.tableChange.bindingDeltas.action |
target.resource.attribute.labels[table_change_binding_deltas_action] |
|
protoPayload.metadata.tableChange.bindingDeltas.member |
target.resource.attribute.labels[table_change_binding_deltas_member] |
|
protoPayload.metadata.tableChange.bindingDeltas.role |
target.resource.attribute.labels[table_change_binding_deltas_role] |
|
protoPayload.metadata.datasetChange.bindingDeltas.action |
target.resource.attribute.labels[dataset_change_binding_deltas_action] |
|
protoPayload.metadata.datasetChange.bindingDeltas.member |
target.resource.attribute.labels[dataset_change_binding_deltas_member] |
|
protoPayload.metadata.datasetChange.bindingDeltas.role |
target.resource.attribute.labels[dataset_change_binding_deltas_role] |
|
protoPayload.metadata.tableChange.table.policy.etag |
target.resource.attribute.labels[table_change_table_policy_etag] |
|
protoPayload.metadata.tableChange.table.policy.bindings.role |
target.resource.attribute.labels[table_change_table_policy_bindings_{index}_role] |
|
protoPayload.metadata.tableChange.table.policy.bindings.members |
target.resource.attribute.labels[table_change_table_policy_bindings_{index}_members_{index1}] |
|
protoPayload.metadata.datasetChange.dataset.acl.policy.bindings.role |
target.resource.attribute.labels[dataset_change_dataset_acl_policy_bindings_{index}_role] |
|
protoPayload.metadata.datasetChange.dataset.acl.policy.bindings.members |
target.resource.attribute.labels[dataset_change_dataset_acl_policy_bindings_{index}_members_{index1}] |
|
protoPayload.request.bindings.role |
target.resource.attribute.labels[request_bindings_{index}_role] |
|
protoPayload.request.bindings.members |
target.resource.attribute.labels[request_bindings_{index}_members_{index1}] |
|
protoPayload.metadata.groupDelta.newGroup.description |
target.group.attribute.labels[metadata_group_delta_new_group_description] |
|
protoPayload.metadata.groupDelta.newGroup.email |
target.group.email_addresses |
|
protoPayload.metadata.groupDelta.newGroup.name |
target.group.group_display_name |
|
protoPayload.metadata.groupDelta.action |
target.group.attribute.labels[metadata_group_delta_action] |
|
protoPayload.response.spec.template.metadata.labels.client.knative.dev/nonce |
target.resource.attribute.labels[res_spec_template_metadata_nonce] |
|
protoPayload.response.spec.template.metadata.annotations.run.googleapis.com/client-name |
target.resource.attribute.labels[res_spec_template_metadata_client_name] |
|
protoPayload.response.spec.template.metadata.annotations.run.googleapis.com/client-version |
target.resource.attribute.labels[res_spec_template_metadata_client_version] |
|
protoPayload.response.spec.template.metadata.annotations.run.googleapis.com/execution-environment |
target.resource.attribute.labels[res_spec_template_metadata_exection_environment] |
|
protoPayload.response.spec.template.spec.taskCount |
target.resource.attribute.labels[res_spec_template_spec_taskcount] |
|
protoPayload.response.spec.template.spec.template.spec.containers.image |
target.resource_ancestors.attribute.labels[res_spec_template_spec_template_spec_container_image] |
|
protoPayload.response.spec.template.spec.template.spec.containers.resources.limits.memory |
target.resource_ancestors.attribute.labels[res_spec_template_spec_template_spec_container_resource_limits_memory] |
|
protoPayload.response.spec.template.spec.template.spec.containers.resources.limits.cpu |
target.resource_ancestors.attribute.labels[res_spec_template_spec_template_spec_container_resource_limits_cpu] |
|
protoPayload.response.spec.template.spec.template.spec.maxRetries |
target.resource.attribute.labels[res_spec_template_spec_template_spec_max_retries] |
|
protoPayload.response.spec.template.spec.template.spec.timeoutSeconds |
target.resource.attribute.labels[res_spec_template_spec_template_spec_timeout_seconds] |
|
protoPayload.response.spec.template.spec.template.spec.serviceAccountName |
principal.user.email_addresses |
|
protoPayload.request.service.metadata.annotations.run.googleapis.com/client-name |
target.resource_ancestors.attribute.labels[req_service_metadata_client_name] |
|
protoPayload.request.service.metadata.annotations.serving.knative.dev/creator |
target.resource_ancestors.attribute.labels[req_service_metadata_creator] |
|
protoPayload.request.service.metadata.annotations.run.googleapis.com/client-version |
target.resource_ancestors.attribute.labels[req_service_metadata_client_version] |
|
protoPayload.request.service.metadata.annotations.run.googleapis.com/operation-id |
target.resource_ancestors.attribute.labels[req_service_metadata_client_operation_id] |
|
protoPayload.request.service.metadata.annotations.run.googleapis.com/binary-authorization |
target.resource_ancestors.attribute.labels[req_service_metadata_binary_authorization] |
|
protoPayload.request.service.metadata.annotations.run.googleapis.com/ingress-status |
target.resource_ancestors.attribute.labels[req_service_metadata_client_ingress_status] |
|
protoPayload.request.service.metadata.annotations.serving.knative.dev/lastModifier |
target.resource_ancestors.attribute.labels[req_service_metadata_last_modifier] |
|
protoPayload.request.service.metadata.annotations.run.googleapis.com/ingress |
target.resource_ancestors.attribute.labels[req_service_metadata_ingress] |
|
protoPayload.request.service.spec.template.metadata.annotations.run.googleapis.com/client-name |
target.resource_ancestors.attribute.labels[req_service_spec_template_metadata_client_name] |
|
protoPayload.request.service.spec.template.metadata.annotations.run.googleapis.com/client-version |
target.resource_ancestors.attribute.labels[req_service_spec_template_metadata_client_version] |
|
protoPayload.request.service.spec.template.metadata.annotations.autoscaling.knative.dev/maxScale |
target.resource_ancestors.attribute.labels[req_service_spec_template_metadata_max_scale] |
|
protoPayload.request.New Data |
target.resource_ancestors.attribute.labels[req_new_data] |
|
protoPayload.response.Original Data |
target.resource_ancestors.attribute.labels[req_original_data] |
|
protoPayload.request.timestampRange.startTime |
target.resource.attribute.labels[timestamp_range_start_time] |
|
protoPayload.request.timestampRange.endTime |
target.resource.attribute.labels[timestamp_range_end_time] |
|
protoPayload.request.regexSearch |
target.resource.attribute.labels[request_regex_search] |
|
protoPayload.request.productSources |
target.resource.attribute.labels[request_product_sources] |
|
protoPayload.request.query |
target.resource.attribute.labels[request_query] |
|
protoPayload.request.caseSensitive |
target.resource.attribute.labels[request_case_sensitive] |
|
protoPayload.request.baselineQuery |
target.resource.attribute.labels[baseline_query] |
|
protoPayload.request.baselineTimeRange.startTime |
target.resource.attribute.labels[baseline_time_range_start_time] |
|
protoPayload.request.baselineTimeRange.endTime |
target.resource.attribute.labels[baseline_time_range_end_time] |
|
protoPayload.response.serviceConfig.timeoutSeconds |
target.resource.attribute.labels[response_service_config_timeout_seconds] |
|
labels.execution_id |
additional.fields[execution_id] |
|
labels.instance_id |
additional.fields[instance_id] |
|
labels.runtime_version |
additional.fields[runtime_version] |
|
protoPayload.metadata.updatedGrant.requester |
principal.user.userid |
如果 protoPayload.serviceName 日志字段值等于 privilegedaccessmanager.googleapis.com ,则 protoPayload.metadata.updatedGrant.requester 日志字段会映射到 principal.user.userid UDM 字段。 |
protoPayload.metadata.updatedGrant.requestedDuration |
target.resource.attribute.labels[requestedDuration] |
如果 protoPayload.serviceName 日志字段值等于 privilegedaccessmanager.googleapis.com ,则 protoPayload.metadata.updatedGrant.requestedDuration 日志字段会映射到 target.resource.attribute.labels UDM 字段。 |
protoPayload.metadata.updatedGrant.justification.unstructuredJustification |
target.resource.attribute.labels[justification] |
如果 protoPayload.serviceName 日志字段值等于 privilegedaccessmanager.googleapis.com ,则 protoPayload.metadata.updatedGrant.justification.unstructuredJustification 日志字段会映射到 target.resource.attribute.labels UDM 字段。 |
protoPayload.metadata.updatedGrant.privilegedAccess.gcpIamAccess.roleBindings.role |
target.resource.attribute.roles.name |
如果 protoPayload.serviceName 日志字段值等于 privilegedaccessmanager.googleapis.com ,则 protoPayload.metadata.updatedGrant.privilegedAccess.gcpIamAccess.roleBindings.role 日志字段会映射到 target.resource.attribute.roles.name UDM 字段。 |
protoPayload.metadata.updatedGrant.privilegedAccess.gcpIamAccess.resourceType |
target.resource.attribute.labels[resourceType] |
如果 protoPayload.serviceName 日志字段值等于 privilegedaccessmanager.googleapis.com ,则 protoPayload.metadata.updatedGrant.privilegedAccess.gcpIamAccess.resourceType 日志字段会映射到 target.resource.attribute.labels UDM 字段。 |
protoPayload.metadata.updatedGrant.privilegedAccess.gcpIamAccess.resource |
target.resource.attribute.labels[resource] |
如果 protoPayload.serviceName 日志字段值等于 privilegedaccessmanager.googleapis.com ,则 protoPayload.metadata.updatedGrant.privilegedAccess.gcpIamAccess.resource 日志字段会映射到 target.resource.attribute.labels UDM 字段。 |
protoPayload.metadata.updatedGrant.state |
target.resource.attribute.labels[state] |
如果 protoPayload.serviceName 日志字段值等于 privilegedaccessmanager.googleapis.com ,则 protoPayload.metadata.updatedGrant.state 日志字段会映射到 target.resource.attribute.labels UDM 字段。 |
protoPayload.metadata.jobInsertion.job.jobConfig.labels.looker_studio_report_id |
target.resource.attribute.labels[job_insertion_looker_studio_report_id] |
如果 protoPayload.serviceName 日志字段值等于 privilegedaccessmanager.googleapis.com ,则 protoPayload.metadata.jobInsertion.job.jobConfig.labels.looker_studio_report_id 日志字段会映射到 target.resource.attribute.labels UDM 字段。 |
protoPayload.metadata.jobInsertion.job.jobConfig.labels.requestor |
target.resource.attribute.labels[job_insertion_requestor] |
如果 protoPayload.serviceName 日志字段值等于 privilegedaccessmanager.googleapis.com ,则 protoPayload.metadata.jobInsertion.job.jobConfig.labels.requestor 日志字段会映射到 target.resource.attribute.labels UDM 字段。 |
protoPayload.metadata.jobInsertion.job.jobConfig.labels.looker_studio_datasource_id |
target.resource.attribute.labels[job_insertion_looker_studio_datasource_id] |
如果 protoPayload.serviceName 日志字段值等于 privilegedaccessmanager.googleapis.com ,则 protoPayload.metadata.jobInsertion.job.jobConfig.labels.looker_studio_datasource_id 日志字段会映射到 target.resource.attribute.labels UDM 字段。 |
protoPayload.response.displayName |
security_result.associations.name |
如果 protoPayload.response.displayName 日志字段值不为空,则 protoPayload.response.displayName 日志字段会映射到 security_result.associations.name UDM 字段。 |
protoPayload.request.referenceList.displayName |
security_result.associations.name |
如果 protoPayload.response.displayName 日志字段值为空,则 protoPayload.request.referenceList.displayName 日志字段会映射到 security_result.associations.name UDM 字段。 |
protoPayload.resourceName |
security_result.detection_fields[rule_id] |
如果 protoPayload.resourceName 日志字段值不为空,并且 protoPayload.response.@type 日志字段值为 type.googleapis.com/google.cloud.chronicle.v1alpha.Rule ,则系统会使用 Grok 模式从 protoPayload.resourceName 日志字段中提取 new_rule_id ,并将其映射到 security_result.detection_fields[rule_id] UDM 字段。 |
protoPayload.request.projection |
target.resource.attribute.labels[req_projection] |
|
protoPayload.response.items.metageneration |
target.resource.attribute.labels[res_items_metageneration] |
|
protoPayload.response.items.labels.created_date |
target.resource.attribute.labels[res_items_labels_created_date] |
|
protoPayload.response.items.labels.team_email |
target.resource.attribute.labels[res_items_labels_team_email] |
|
protoPayload.response.items.labels.team_name |
target.resource.attribute.labels[res_items_labels_team_name] |
|
protoPayload.response.items.labels.office_number |
target.resource.attribute.labels[res_items_labels_official_number] |
|
protoPayload.response.items.labels.department |
target.resource.attribute.labels[res_items_labels_department] |
|
protoPayload.response.items.labels.business_project_number |
target.resource.attribute.labels[res_items_labels_business_project_number] |
|
protoPayload.response.items.labels.owner_email |
target.resource.attribute.labels[res_items_labels_owner_email] |
|
protoPayload.response.items.labels.purchase_order_number |
target.resource.attribute.labels[res_items_labels_purchase_order_number] |
|
protoPayload.response.items.labels.office_name |
target.resource.attribute.labels[res_items_labels_office_name] |
|
protoPayload.response.items.labels.environment |
target.resource.attribute.labels[res_items_labels_environment] |
|
protoPayload.response.items.labels.created_by |
target.resource.attribute.labels[res_items_labels_created_by] |
|
protoPayload.response.items.labels.project_name |
target.resource.attribute.labels[res_items_labels_project_name] |
|
protoPayload.response.items.labels.finops_tag |
target.resource.attribute.labels[res_items_labels_finops_tag] |
|
protoPayload.response.items.labels.owner_role |
target.resource.attribute.labels[res_items_labels_owner_role] |
|
protoPayload.response.items.versioning.enabled |
target.resource.attribute.labels[res_items_versioning_enabled] |
|
protoPayload.response.items.iamConfiguration.publicAccessPrevention |
target.resource.attribute.labels[res_items_iam_conf_public_access_prevention] |
|
protoPayload.response.items.iamConfiguration.uniformBucketLevelAccess.lockedTime |
target.resource.attribute.labels[res_items_iam_conf_uniform_bucket_level_access_locked_time] |
|
protoPayload.response.items.iamConfiguration.uniformBucketLevelAccess.enabled |
target.resource.attribute.labels[res_items_iam_conf_uniform_bucket_level_access_enabled] |
|
protoPayload.response.items.id |
target.resource.attribute.labels[res_items_id] |
|
protoPayload.response.items.updated |
target.resource.attribute.labels[res_items_updated] |
|
protoPayload.response.items.storageClass |
target.resource.attribute.labels[res_items_storage_class] |
|
protoPayload.response.items.timeCreated |
target.resource.attribute.labels[res_items_time_created] |
|
protoPayload.response.items.location |
target.resource.attribute.labels[res_items_location] |
|
protoPayload.response.items.locationType |
target.resource.attribute.labels[res_items_location_type] |
|
protoPayload.response.items.projectNumber |
target.resource.attribute.labels[res_items_project_number] |
|
protoPayload.response.items.name |
target.resource.attribute.labels[res_items_name] |
|
protoPayload.response.items.softDeletePolicy.effectiveTime |
target.resource.attribute.labels[res_items_soft_delete_policy_effective_time] |
|
protoPayload.response.items.softDeletePolicy.retentionDurationSeconds |
target.resource.attribute.labels[res_items_soft_delete_policy_retention_duration_seconds] |
|
protoPayload.response.items.etag |
target.resource.attribute.labels[res_items_etag] |
|
protoPayload.response.code |
network.http.response_code |
|
protoPayload.response.reason |
additional.fields[res_reason] |