收集 Cloud Audit Logs

支持的平台:

本文档介绍了如何通过启用 Google Cloud 来导出 Cloud Audit Logs 遥测数据注入到 Google Security Operations 以及 Cloud Audit Logs 字段如何映射到 Google 安全运营统一数据模型 (UDM) 字段。

如需了解详情,请参阅 Google Security Operations 的数据注入概览

典型的部署包括启用了数据注入功能的 Cloud Audit Logs Google Security Operations,每个客户部署可能与此不同 并且可能更加复杂。

该部署包含以下组件:

  • Google Cloud:您要从中收集日志的 Google Cloud 服务和产品

  • Cloud Audit Logs:为注入 Google Security Operations 而启用的 Cloud Audit Logs

  • Google Workspace 审核日志: 已启用注入 Google Security Operations 的功能

  • Google Security Operations:保留和分析 Cloud Audit Logs 和 Google Workspace 审核日志

提取标签用于标识将原始日志数据标准化的解析器 结构化 UDM 格式本文档中的信息适用于解析器 提取标签为 GCP_CLOUDAUDIT

准备工作

  • 确保您已为组织和资源设置了访问权限控制 使用 Identity and Access Management (IAM)如需详细了解访问权限控制,请参阅 使用 IAM 对组织进行访问权限控制

  • 配置数据访问审核日志 Google Cloud 资源和服务

  • 确保部署架构中的所有系统都使用世界协调时间 (UTC) 时区进行配置。

  • 验证 Cloud Audit Logs 解析器支持的日志类型。下表 列出了 Cloud Audit Logs 解析器支持的日志源和类型:

日志源 日志源类型
Cloud DNS NA
syslog
Google Workspace 审核日志 登录审核
Google Workspace 审核日志 管理控制台审核
Cloud Audit Logs 管理员活动
Cloud Audit Logs VPC Service Controls 审核
Cloud Audit Logs Google Kubernetes Engine 数据访问
Cloud Audit Logs Resource Manager 数据访问
Cloud Audit Logs BigQuery Audit Metadata 数据访问
Cloud Audit Logs MySQL 数据访问、管理员活动
Cloud Audit Logs PostgreSQL 数据访问、管理员活动
Cloud Audit Logs SQL Server 数据访问、管理员活动
Cloud Load Balancing Cloud HTTP 负载平衡器
Cloud DNS 管理员活动
虚拟私有云流程 虚拟私有云流
防火墙规则 防火墙规则
Cloud NAT Cloud NAT

配置 Cloud Audit Logs 的注入

如需将 Cloud Audit Logs 注入 Google Security Operations,请按照将 Google Cloud 日志注入 Google Security Operations 页面上的步骤操作。

如果您在注入 Cloud Audit Logs 时遇到问题,请与 Google Security Operations 支持团队联系

字段映射参考文档

本部分介绍 Google Security Operations 解析器如何将 Cloud Audit Logs 字段映射到 Google Security Operations 统一数据模型 (UDM) 字段。

GCP_CLOUDAUDIT 日志类型与 UDM 事件类型

下表列出了 GCP_CLOUDAUDIT 事件标识符及其对应的事件类型。

Event identifier Event type
dns.managedZones.get USER_RESOURCE_ACCESS
dns.managedZones.list USER_RESOURCE_ACCESS
dns.changes.get USER_RESOURCE_ACCESS
dns.changes.list USER_RESOURCE_ACCESS
dns.activePeeringZones.list USER_RESOURCE_ACCESS
dns.activePeeringZones.getpeeringzoneinfo USER_RESOURCE_ACCESS
dns.resourceRecordSets.get USER_RESOURCE_ACCESS
dns.resourceRecordSets.list USER_RESOURCE_ACCESS
dns.responsePolicies.get USER_RESOURCE_ACCESS
dns.responsePolicies.list USER_RESOURCE_ACCESS
dns.responsePolicyRules.get USER_RESOURCE_ACCESS
dns.responsePolicyRules.list USER_RESOURCE_ACCESS
dns.policies.get USER_RESOURCE_ACCESS
dns.policies.list USER_RESOURCE_ACCESS
dns.projects.get USER_RESOURCE_ACCESS
dns.managedZones.create USER_RESOURCE_CREATION
dns.managedZones.delete RESOURCE_DELETION
dns.managedZones.update RESOURCE_WRITTEN
dns.managedZones.patch USER_RESOURCE_UPDATE_CONTENT
dns.changes.create USER_RESOURCE_CREATION
dns.changes.delete RESOURCE_DELETION
dns.activePeeringZones.deactivate USER_RESOURCE_UPDATE_CONTENT
dns.resourceRecordSets.create USER_RESOURCE_CREATION
dns.resourceRecordSets.delete RESOURCE_DELETION
dns.resourceRecordSets.update RESOURCE_WRITTEN
dns.resourceRecordSets.patch USER_RESOURCE_UPDATE_CONTENT
dns.responsePolicies.create USER_RESOURCE_CREATION
dns.responsePolicies.delete RESOURCE_DELETION
dns.responsePolicies.update RESOURCE_WRITTEN
dns.responsePolicies.patch USER_RESOURCE_UPDATE_CONTENT
dns.responsePolicyRules.create USER_RESOURCE_CREATION
dns.responsePolicyRules.delete RESOURCE_DELETION
dns.responsePolicyRules.update RESOURCE_WRITTEN
dns.responsePolicyRules.patch USER_RESOURCE_UPDATE_CONTENT
dns.policies.create USER_RESOURCE_CREATION
dns.policies.delete RESOURCE_DELETION
dns.policies.update RESOURCE_WRITTEN
dns.policies.patch USER_RESOURCE_UPDATE_CONTENT
CreateRole USER_UNCATEGORIZED
DeleteRole RESOURCE_DELETION
UndeleteRole RESOURCE_CREATION
UpdateRole RESOURCE_WRITTEN
google.iam.v2beta.Policies.CreatePolicy USER_RESOURCE_CREATION
google.iam.v2beta.Policies.DeletePolicy RESOURCE_DELETION
google.iam.v2beta.Policies.UpdatePolicy RESOURCE_WRITTEN
CreateServiceAccount USER_RESOURCE_CREATION
DeleteServiceAccount RESOURCE_DELETION
DisableServiceAccount STATUS_UPDATE
EnableServiceAccount STATUS_UPDATE
GetServiceAccount USER_RESOURCE_ACCESS
PatchServiceAccount USER_RESOURCE_UPDATE_CONTENT
SetIAMPolicy USER_RESOURCE_UPDATE_PERMISSIONS
UndeleteServiceAccount RESOURCE_DELETION
UpdateServiceAccount RESOURCE_WRITTEN
CreateServiceAccountKey USER_RESOURCE_CREATION
DeleteServiceAccountKey RESOURCE_DELETION
UploadServiceAccountKey USER_RESOURCE_UPDATE_CONTENT
CreateWorkloadIdentityPool USER_RESOURCE_CREATION
DeleteWorkloadIdentityPool RESOURCE_DELETION
UndeleteWorkloadIdentityPool RESOURCE_DELETION
UpdateWorkloadIdentityPool RESOURCE_WRITTEN
CreateWorkloadIdentityPoolProvider USER_RESOURCE_CREATION
DeleteWorkloadIdentityPoolProvider RESOURCE_DELETION
UndeleteWorkloadIdentityPoolProvider RESOURCE_DELETION
UpdateWorkloadIdentityPoolProvider RESOURCE_WRITTEN
CreateWorkforcePool USER_RESOURCE_CREATION
DeleteWorkforcePool RESOURCE_DELETION
UndeleteWorkforcePool RESOURCE_DELETION
UpdateWorkforcePool RESOURCE_WRITTEN
CreateWorkforcePoolProvider USER_RESOURCE_CREATION
DeleteWorkforcePoolProvider RESOURCE_DELETION
UndeleteWorkforcePoolProvider RESOURCE_DELETION
UpdateWorkforcePoolProvider RESOURCE_WRITTEN
GetEffectivePolicy1 USER_RESOURCE_ACCESS
google.iam.admin.v1.GetPolicyDetails2 USER_RESOURCE_ACCESS
ExchangeToken USER_RESOURCE_ACCESS
Google Cloud console (federated) sign in USER_RESOURCE_UPDATE_PERMISSIONS
GetRole USER_RESOURCE_ACCESS
ListRoles USER_RESOURCE_ACCESS
google.iam.v2beta.Policies.GetPolicy USER_RESOURCE_ACCESS
google.iam.v2beta.Policies.ListPolicies USER_RESOURCE_ACCESS
QueryGrantableRoles USER_RESOURCE_ACCESS
GenerateAccessToken USER_RESOURCE_UPDATE_CONTENT
GenerateIdToken USER_RESOURCE_UPDATE_CONTENT
ListServiceAccounts USER_RESOURCE_ACCESS
SignBlob USER_RESOURCE_UPDATE_CONTENT
SignJwt USER_RESOURCE_UPDATE_CONTENT
GetServiceAccountKey USER_RESOURCE_ACCESS
ListServiceAccountKeys USER_RESOURCE_ACCESS
GetWorkloadIdentityPool USER_RESOURCE_ACCESS
ListWorkloadIdentityPools USER_RESOURCE_ACCESS
GetWorkloadIdentityPoolProvider USER_RESOURCE_ACCESS
ListWorkloadIdentityPoolProviders USER_RESOURCE_ACCESS
GetWorkforcePool USER_RESOURCE_ACCESS
ListWorkforcePools USER_RESOURCE_ACCESS
GetWorkforcePoolProvider USER_RESOURCE_ACCESS
ListWorkforcePoolProviders USER_RESOURCE_ACCESS
io.k8s.authorization.rbac.v1 STATUS_UPDATE
io.k8s.authorization.rbac.v1.roles STATUS_UPDATE
io.k8s.batch.v1.jobs.create RESOURCE_CREATION
io.k8s.authorization.rbac.v1.clusterroles.create RESOURCE_CREATION
io.k8s.apps.v1.daemonsets.create RESOURCE_CREATION
io.k8s.authorization.v1.selfsubjectaccessreviews.create RESOURCE_CREATION
google.container.v1.ClusterManager.CreateCluster USER_RESOURCE_CREATION
google.cloud.bigquery.v2.TableService.InsertTable USER_RESOURCE_CREATION
google.cloud.bigquery.v2.TableService.UpdateTable RESOURCE_WRITTEN
google.cloud.bigquery.v2.TableService.PatchTable USER_RESOURCE_UPDATE_CONTENT
google.cloud.bigquery.v2.TableService.DeleteTable RESOURCE_DELETION
google.cloud.bigquery.v2.DatasetService.InsertDataset USER_RESOURCE_CREATION
google.cloud.bigquery.v2.DatasetService.UpdateDataset RESOURCE_WRITTEN
google.cloud.bigquery.v2.DatasetService.PatchDataset USER_RESOURCE_UPDATE_CONTENT
google.cloud.bigquery.v2.DatasetService.DeleteDataset USER_RESOURCE_DELETION
google.cloud.bigquery.v2.TableDataService.List USER_RESOURCE_ACCESS
google.cloud.bigquery.v2.JobService.InsertJob USER_RESOURCE_CREATION
google.cloud.bigquery.v2.JobService.Query USER_RESOURCE_ACCESS
google.cloud.bigquery.v2.JobService.GetQueryResults USER_RESOURCE_ACCESS
InternalTableExpired USER_RESOURCE_DELETION
google.cloud.bigquery.connection.v1.ConnectionService.CreateConnection USER_RESOURCE_CREATION
google.cloud.bigquery.connection.v1.ConnectionService.DeleteConnection RESOURCE_DELETION
google.cloud.bigquery.connection.v1.ConnectionService.UpdateConnection RESOURCE_WRITTEN
google.cloud.bigquery.connection.v1.ConnectionService.SetIamPolicy RESOURCE_PERMISSIONS_CHANGE
google.cloud.bigquery.reservation.v1.ReservationService.CreateReservation USER_RESOURCE_CREATION
google.cloud.bigquery.reservation.v1.ReservationService.DeleteReservation RESOURCE_DELETION
google.cloud.bigquery.reservation.v1.ReservationService.UpdateReservation RESOURCE_WRITTEN
google.cloud.bigquery.reservation.v1.ReservationService.CreateCapacityCommitment USER_RESOURCE_CREATION
google.cloud.bigquery.reservation.v1.ReservationService.DeleteCapacityCommitment RESOURCE_DELETION
google.cloud.bigquery.reservation.v1.ReservationService.CreateAssignment USER_RESOURCE_CREATION
google.cloud.bigquery.reservation.v1.ReservationService.DeleteAssignment RESOURCE_DELETION
google.cloud.bigquery.reservation.v1.ReservationService.MoveAssignment STATUS_UPDATE
cloudsql.backupRuns.get USER_RESOURCE_ACCESS
cloudsql.backupRuns.list USER_RESOURCE_ACCESS
cloudsql.databases.create USER_RESOURCE_CREATION
cloudsql.databases.delete RESOURCE_DELETION
cloudsql.databases.get USER_RESOURCE_ACCESS
cloudsql.databases.list USER_RESOURCE_ACCESS
cloudsql.databases.update RESOURCE_WRITTEN
cloudsql.instances.export USER_RESOURCE_ACCESS
cloudsql.instances.get USER_RESOURCE_ACCESS
cloudsql.instances.import STATUS_UNCATEGORIZED
cloudsql.instances.list USER_RESOURCE_ACCESS
cloudsql.instances.listEffectiveTags USER_RESOURCE_ACCESS
cloudsql.instances.listServerCas USER_RESOURCE_ACCESS
cloudsql.instances.listTagBindings USER_RESOURCE_ACCESS
cloudsql.instances.login USER_LOGIN
cloudsql.sslCerts.get USER_RESOURCE_ACCESS
cloudsql.sslCerts.list USER_RESOURCE_ACCESS
cloudsql.users.create USER_RESOURCE_CREATION
cloudsql.users.delete RESOURCE_DELETION
cloudsql.users.get USER_RESOURCE_ACCESS
cloudsql.users.list USER_RESOURCE_ACCESS
cloudsql.users.update RESOURCE_WRITTEN
cloudsql.backupRuns.create USER_RESOURCE_CREATION
cloudsql.backupRuns.delete RESOURCE_DELETION
cloudsql.instances.addServerCa USER_RESOURCE_CREATION
cloudsql.instances.clone USER_RESOURCE_CREATION
cloudsql.instances.connect RESOURCE_READ
cloudsql.instances.create USER_RESOURCE_CREATION
cloudsql.instances.createTagBinding USER_RESOURCE_CREATION
cloudsql.instances.delete RESOURCE_DELETION
cloudsql.instances.deleteTagBinding RESOURCE_DELETION
cloudsql.instances.demoteMaster STATUS_UPDATE
cloudsql.instances.failover STATUS_UPDATE
cloudsql.instances.promoteReplica STATUS_UPDATE
cloudsql.instances.resetSslConfig USER_RESOURCE_UPDATE_CONTENT
cloudsql.instances.restart STATUS_STARTUP
cloudsql.instances.restoreBackup STATUS_UPDATE
cloudsql.instances.rotateServerCa STATUS_UPDATE
cloudsql.instances.startReplica STATUS_STARTUP
cloudsql.instances.stopReplica STATUS_UPDATE
cloudsql.instances.truncateLog STATUS_UPDATE
cloudsql.instances.update RESOURCE_WRITTEN
cloudsql.sslCerts.create USER_RESOURCE_CREATION
cloudsql.sslCerts.createEphemeral USER_RESOURCE_CREATION
cloudsql.sslCerts.delete RESOURCE_DELETION
compute.instances.insert RESOURCE_CREATION
compute.instanceGroups.removeInstances RESOURCE_DELETION
compute.instances.setMetadata USER_RESOURCE_UPDATE_CONTENT
compute.instances.setLabels USER_RESOURCE_CREATION
compute.instances.setTags USER_RESOURCE_CREATION
compute.instances.setIamPolicy USER_RESOURCE_UPDATE_PERMISSIONS
compute.instances.list USER_RESOURCE_ACCESS
compute.images.get USER_RESOURCE_ACCESS
compute.interconnectAttachments.aggregatedList USER_RESOURCE_ACCESS
compute.instance.getSerialPortOutput USER_RESOURCE_ACCESS
compute.instances.migrateOnHostMaintenance RESOURCE_CREATION
compute.instances.automaticRestart USER_RESOURCE_UPDATE_CONTENT
compute.instanceGroupManagers.resizeAdvanced USER_RESOURCE_UPDATE_CONTENT
google.ssh-serialport.v1.connect NETWORK_CONNECTION
firewalls.delete RESOURCE_DELETION
firewalls.insert RESOURCE_CREATION
firewalls.patch USER_RESOURCE_UPDATE_CONTENT
firewalls.update RESOURCE_WRITTEN
forwardingRules.delete RESOURCE_DELETION
forwardingRules.insert RESOURCE_CREATION
forwardingRules.patch USER_RESOURCE_UPDATE_CONTENT
forwardingRules.setTarget STATUS_UPDATE
networks.addPeering STATUS_UPDATE
networks.delete RESOURCE_DELETION
networks.insert RESOURCE_CREATION
networks.patch USER_RESOURCE_UPDATE_CONTENT
networks.removePeering RESOURCE_DELETION
networks.switchToCustomMode STATUS_UPDATE
networks.updatePeering RESOURCE_WRITTEN
routes.delete RESOURCE_DELETION
routes.insert USER_RESOURCE_CREATION
subnetworks.delete RESOURCE_DELETION
subnetworks.expandIpCidrRange STATUS_UPDATE
subnetworks.insert RESOURCE_CREATION
subnetworks.patch USER_RESOURCE_UPDATE_CONTENT
subnetworks.setIamPolicy USER_RESOURCE_UPDATE_PERMISSIONS
subnetworks.setPrivateIpGoogleAccess STATUS_UPDATE
subnetworks.testIamPermissions USER_RESOURCE_ACCESS
firewalls.get USER_RESOURCE_ACCESS
firewalls.list USER_RESOURCE_ACCESS
forwardingRules.aggregatedList USER_RESOURCE_ACCESS
forwardingRules.get USER_RESOURCE_ACCESS
forwardingRules.list USER_RESOURCE_ACCESS
networks.get USER_RESOURCE_ACCESS
networks.list USER_RESOURCE_ACCESS
networks.listPeeringRoutes USER_RESOURCE_ACCESS
routes.get USER_RESOURCE_ACCESS
routes.list USER_RESOURCE_ACCESS
subnetworks.aggregatedList USER_RESOURCE_ACCESS
subnetworks.get USER_RESOURCE_ACCESS
subnetworks.getIamPolicy USER_RESOURCE_ACCESS
subnetworks.list USER_RESOURCE_ACCESS
subnetworks.listUsable USER_RESOURCE_ACCESS
google.admin.AdminService.alertCenterBatchDeleteAlerts RESOURCE_DELETION
google.admin.AdminService.alertCenterBatchUndeleteAlerts RESOURCE_DELETION
google.admin.AdminService.alertCenterCreateAlert USER_RESOURCE_CREATION
google.admin.AdminService.alertCenterCreateFeedback USER_RESOURCE_CREATION
google.admin.AdminService.alertCenterDeleteAlert RESOURCE_DELETION
google.admin.AdminService.alertCenterGetAlertMetadata USER_RESOURCE_ACCESS
google.admin.AdminService.alertCenterGetCustomerSettings USER_RESOURCE_ACCESS
google.admin.AdminService.alertCenterGetSitLink USER_RESOURCE_ACCESS
google.admin.AdminService.alertCenterListChange USER_RESOURCE_ACCESS
google.admin.AdminService.alertCenterListFeedback USER_RESOURCE_ACCESS
google.admin.AdminService.alertCenterListRelatedAlerts USER_RESOURCE_ACCESS
google.admin.AdminService.alertCenterUndeleteAlert RESOURCE_DELETION
google.admin.AdminService.alertCenterUpdateAlert RESOURCE_WRITTEN
google.admin.AdminService.alertCenterUpdateAlertMetadata RESOURCE_WRITTEN
google.admin.AdminService.alertCenterUpdateCustomerSettings RESOURCE_WRITTEN
google.admin.AdminService.alertCenterView USER_RESOURCE_UPDATE_CONTENT
google.admin.AdminService.changeApplicationSetting USER_RESOURCE_UPDATE_CONTENT
google.admin.AdminService.createApplicationSetting USER_RESOURCE_CREATION
google.admin.AdminService.deleteApplicationSetting RESOURCE_DELETION
google.admin.AdminService.reorderGroupBasedPoliciesEvent USER_RESOURCE_UPDATE_CONTENT
google.admin.AdminService.gplusPremiumFeatures USER_RESOURCE_UPDATE_CONTENT
google.admin.AdminService.createManagedConfiguration USER_RESOURCE_CREATION
google.admin.AdminService.deleteManagedConfiguration RESOURCE_DELETION
google.admin.AdminService.updateManagedConfiguration RESOURCE_WRITTEN
google.admin.AdminService.flashlightEduNonFeaturedServicesSelected USER_RESOURCE_UPDATE_CONTENT
google.admin.AdminService.createBuilding USER_RESOURCE_CREATION
google.admin.AdminService.deleteBuilding RESOURCE_DELETION
google.admin.AdminService.updateBuilding RESOURCE_WRITTEN
google.admin.AdminService.createCalendarResource USER_RESOURCE_CREATION
google.admin.AdminService.deleteCalendarResource RESOURCE_DELETION
google.admin.AdminService.createCalendarResourceFeature USER_RESOURCE_CREATION
google.admin.AdminService.deleteCalendarResourceFeature RESOURCE_DELETION
google.admin.AdminService.updateCalendarResourceFeature RESOURCE_WRITTEN
google.admin.AdminService.renameCalendarResource USER_RESOURCE_UPDATE_CONTENT
google.admin.AdminService.updateCalendarResource RESOURCE_WRITTEN
google.admin.AdminService.changeCalendarSetting USER_RESOURCE_UPDATE_CONTENT
google.admin.AdminService.cancelCalendarEvents USER_RESOURCE_UPDATE_CONTENT
google.admin.AdminService.releaseCalendarResources USER_RESOURCE_UPDATE_CONTENT
google.admin.AdminService.meetInteropCreateGateway USER_RESOURCE_CREATION
google.admin.AdminService.meetInteropDeleteGateway RESOURCE_DELETION
google.admin.AdminService.meetInteropModifyGateway USER_RESOURCE_UPDATE_CONTENT
google.admin.AdminService.changeChatSetting USER_RESOURCE_UPDATE_CONTENT
google.admin.AdminService.changeChromeOsAndroidApplicationSetting USER_RESOURCE_UPDATE_CONTENT
google.admin.AdminService.changeChromeOsApplicationSetting USER_RESOURCE_UPDATE_CONTENT
google.admin.AdminService.sendChromeOsDeviceCommand USER_RESOURCE_UPDATE_CONTENT
google.admin.AdminService.changeChromeOsDeviceAnnotation USER_RESOURCE_UPDATE_CONTENT
google.admin.AdminService.changeChromeOsDeviceSetting USER_RESOURCE_UPDATE_CONTENT
google.admin.AdminService.changeChromeOsDeviceState USER_RESOURCE_UPDATE_CONTENT
google.admin.AdminService.changeChromeOsPublicSessionSetting USER_RESOURCE_UPDATE_CONTENT
google.admin.AdminService.insertChromeOsPrinter USER_RESOURCE_CREATION
google.admin.AdminService.deleteChromeOsPrinter RESOURCE_DELETION
google.admin.AdminService.updateChromeOsPrinter RESOURCE_WRITTEN
google.admin.AdminService.changeChromeOsSetting USER_RESOURCE_UPDATE_CONTENT
google.admin.AdminService.changeChromeOsUserSetting USER_RESOURCE_UPDATE_CONTENT
google.admin.AdminService.removeChromeOsApplicationSettings RESOURCE_DELETION
google.admin.AdminService.changeContactsSetting USER_RESOURCE_UPDATE_CONTENT
google.admin.AdminService.assignRole USER_RESOURCE_UPDATE_PERMISSIONS
google.admin.AdminService.createRole USER_RESOURCE_CREATION
google.admin.AdminService.deleteRole RESOURCE_DELETION
google.admin.AdminService.addPrivilege USER_RESOURCE_CREATION
google.admin.AdminService.removePrivilege RESOURCE_DELETION
google.admin.AdminService.renameRole USER_RESOURCE_UPDATE_CONTENT
google.admin.AdminService.updateRole RESOURCE_WRITTEN
google.admin.AdminService.unassignRole USER_RESOURCE_UPDATE_PERMISSIONS
google.admin.AdminService.deleteDevice RESOURCE_DELETION
google.admin.AdminService.moveDeviceToOrgUnit USER_RESOURCE_UPDATE_CONTENT
google.admin.AdminService.transferDocumentOwnership USER_RESOURCE_UPDATE_CONTENT
google.admin.AdminService.driveDataRestore USER_RESOURCE_UPDATE_CONTENT
google.admin.AdminService.changeDocsSetting USER_RESOURCE_UPDATE_CONTENT
google.admin.AdminService.changeAccountAutoRenewal USER_RESOURCE_UPDATE_CONTENT
google.admin.AdminService.addApplication USER_RESOURCE_CREATION
google.admin.AdminService.addApplicationToWhitelist USER_RESOURCE_CREATION
google.admin.AdminService.changeAdvertisementOption USER_RESOURCE_UPDATE_CONTENT
google.admin.AdminService.createAlert USER_RESOURCE_CREATION
google.admin.AdminService.changeAlertCriteria USER_RESOURCE_UPDATE_CONTENT
google.admin.AdminService.deleteAlert RESOURCE_DELETION
google.admin.AdminService.alertReceiversChanged USER_RESOURCE_UPDATE_CONTENT
google.admin.AdminService.renameAlert USER_RESOURCE_UPDATE_CONTENT
google.admin.AdminService.alertStatusChanged USER_RESOURCE_UPDATE_CONTENT
google.admin.AdminService.addDomainAlias USER_RESOURCE_CREATION
google.admin.AdminService.removeDomainAlias RESOURCE_DELETION
google.admin.AdminService.skipDomainAliasMx USER_RESOURCE_UPDATE_CONTENT
google.admin.AdminService.verifyDomainAliasMx USER_RESOURCE_UPDATE_CONTENT
google.admin.AdminService.verifyDomainAlias USER_RESOURCE_UPDATE_CONTENT
google.admin.AdminService.toggleOauthAccessToAllApis USER_RESOURCE_UPDATE_CONTENT
google.admin.AdminService.toggleAllowAdminPasswordReset USER_RESOURCE_UPDATE_CONTENT
google.admin.AdminService.enableApiAccess USER_RESOURCE_UPDATE_CONTENT
google.admin.AdminService.authorizeApiClientAccess USER_RESOURCE_UPDATE_CONTENT
google.admin.AdminService.removeApiClientAccess RESOURCE_DELETION
google.admin.AdminService.chromeLicensesRedeemed USER_RESOURCE_UPDATE_CONTENT
google.admin.AdminService.toggleAutoAddNewService USER_RESOURCE_CREATION
google.admin.AdminService.changePrimaryDomain USER_RESOURCE_UPDATE_CONTENT
google.admin.AdminService.changeWhitelistSetting USER_RESOURCE_ACCESS
google.admin.AdminService.communicationPreferencesSettingChange USER_RESOURCE_UPDATE_CONTENT
google.admin.AdminService.changeConflictAccountAction USER_RESOURCE_UPDATE_CONTENT
google.admin.AdminService.enableFeedbackSolicitation USER_RESOURCE_UPDATE_CONTENT
google.admin.AdminService.toggleContactSharing USER_RESOURCE_UPDATE_CONTENT
google.admin.AdminService.createPlayForWorkToken USER_RESOURCE_CREATION
google.admin.AdminService.toggleUseCustomLogo USER_RESOURCE_UPDATE_CONTENT
google.admin.AdminService.changeCustomLogo USER_RESOURCE_UPDATE_CONTENT
google.admin.AdminService.changeDataLocalizationForRussia USER_RESOURCE_UPDATE_CONTENT
google.admin.AdminService.changeDataLocalizationSetting USER_RESOURCE_UPDATE_CONTENT
google.admin.AdminService.changeDataProtectionOfficerContactInfo USER_RESOURCE_UPDATE_CONTENT
google.admin.AdminService.deletePlayForWorkToken RESOURCE_DELETION
google.admin.AdminService.viewDnsLoginDetails USER_RESOURCE_UPDATE_CONTENT
google.admin.AdminService.changeDomainDefaultLocale USER_RESOURCE_UPDATE_CONTENT
google.admin.AdminService.changeDomainDefaultTimezone USER_RESOURCE_UPDATE_CONTENT
google.admin.AdminService.changeDomainName USER_RESOURCE_UPDATE_CONTENT
google.admin.AdminService.toggleEnablePreReleaseFeatures USER_RESOURCE_UPDATE_CONTENT
google.admin.AdminService.changeDomainSupportMessage USER_RESOURCE_UPDATE_CONTENT
google.admin.AdminService.addTrustedDomains USER_RESOURCE_CREATION
google.admin.AdminService.removeTrustedDomains RESOURCE_DELETION
google.admin.AdminService.changeEduType USER_RESOURCE_UPDATE_CONTENT
google.admin.AdminService.toggleEnableOauthConsumerKey USER_RESOURCE_UPDATE_CONTENT
google.admin.AdminService.toggleSsoEnabled USER_RESOURCE_UPDATE_CONTENT
google.admin.AdminService.toggleSsl USER_RESOURCE_UPDATE_CONTENT
google.admin.AdminService.changeEuRepresentativeContactInfo USER_RESOURCE_UPDATE_CONTENT
google.admin.AdminService.generateTransferToken USER_RESOURCE_UPDATE_CONTENT
google.admin.AdminService.changeLoginBackgroundColor USER_RESOURCE_UPDATE_CONTENT
google.admin.AdminService.changeLoginBorderColor USER_RESOURCE_UPDATE_CONTENT
google.admin.AdminService.changeLoginActivityTrace USER_RESOURCE_UPDATE_CONTENT
google.admin.AdminService.playForWorkEnroll USER_RESOURCE_UPDATE_CONTENT
google.admin.AdminService.playForWorkUnenroll USER_RESOURCE_UPDATE_CONTENT
google.admin.AdminService.mxRecordVerificationClaim USER_RESOURCE_UPDATE_CONTENT
google.admin.AdminService.toggleNewAppFeatures USER_RESOURCE_UPDATE_CONTENT
google.admin.AdminService.toggleUseNextGenControlPanel USER_RESOURCE_UPDATE_CONTENT
google.admin.AdminService.uploadOauthCertificate USER_RESOURCE_UPDATE_CONTENT
google.admin.AdminService.regenerateOauthConsumerSecret USER_RESOURCE_UPDATE_CONTENT
google.admin.AdminService.toggleOpenIdEnabled USER_RESOURCE_UPDATE_CONTENT
google.admin.AdminService.changeOrganizationName USER_RESOURCE_UPDATE_CONTENT
google.admin.AdminService.toggleOutboundRelay USER_RESOURCE_UPDATE_CONTENT
google.admin.AdminService.changePasswordMaxLength USER_RESOURCE_UPDATE_CONTENT
google.admin.AdminService.changePasswordMinLength USER_RESOURCE_UPDATE_CONTENT
google.admin.AdminService.updateDomainPrimaryAdminEmail RESOURCE_WRITTEN
google.admin.AdminService.enableServiceOrFeatureNotifications USER_RESOURCE_UPDATE_CONTENT
google.admin.AdminService.removeApplication RESOURCE_DELETION
google.admin.AdminService.removeApplicationFromWhitelist RESOURCE_DELETION
google.admin.AdminService.changeRenewDomainRegistration USER_RESOURCE_UPDATE_CONTENT
google.admin.AdminService.changeResellerAccess USER_RESOURCE_UPDATE_CONTENT
google.admin.AdminService.ruleActionsChanged USER_RESOURCE_UPDATE_CONTENT
google.admin.AdminService.createRule USER_RESOURCE_CREATION
google.admin.AdminService.changeRuleCriteria USER_RESOURCE_UPDATE_CONTENT
google.admin.AdminService.deleteRule RESOURCE_DELETION
google.admin.AdminService.renameRule USER_RESOURCE_UPDATE_CONTENT
google.admin.AdminService.ruleStatusChanged USER_RESOURCE_UPDATE_CONTENT
google.admin.AdminService.addSecondaryDomain USER_RESOURCE_CREATION
google.admin.AdminService.removeSecondaryDomain RESOURCE_DELETION
google.admin.AdminService.skipSecondaryDomainMx USER_RESOURCE_UPDATE_CONTENT
google.admin.AdminService.verifySecondaryDomainMx USER_RESOURCE_UPDATE_CONTENT
google.admin.AdminService.verifySecondaryDomain USER_RESOURCE_UPDATE_CONTENT
google.admin.AdminService.updateDomainSecondaryEmail RESOURCE_WRITTEN
google.admin.AdminService.changeSsoSettings USER_RESOURCE_UPDATE_CONTENT
google.admin.AdminService.generatePin USER_RESOURCE_UPDATE_CONTENT
google.admin.AdminService.updateRule RESOURCE_WRITTEN
google.admin.AdminService.dropFromQuarantine USER_RESOURCE_UPDATE_CONTENT
google.admin.AdminService.emailLogSearch USER_RESOURCE_UPDATE_CONTENT
google.admin.AdminService.emailUndelete RESOURCE_DELETION
google.admin.AdminService.changeEmailSetting USER_RESOURCE_UPDATE_CONTENT
google.admin.AdminService.changeGmailSetting USER_RESOURCE_UPDATE_CONTENT
google.admin.AdminService.createGmailSetting USER_RESOURCE_CREATION
google.admin.AdminService.deleteGmailSetting RESOURCE_DELETION
google.admin.AdminService.rejectFromQuarantine USER_RESOURCE_UPDATE_CONTENT
google.admin.AdminService.releaseFromQuarantine USER_RESOURCE_UPDATE_CONTENT
google.admin.AdminService.createGroup USER_RESOURCE_CREATION
google.admin.AdminService.deleteGroup RESOURCE_DELETION
google.admin.AdminService.changeGroupDescription USER_RESOURCE_UPDATE_CONTENT
google.admin.AdminService.groupListDownload USER_RESOURCE_ACCESS
google.admin.AdminService.addGroupMember USER_RESOURCE_CREATION
google.admin.AdminService.removeGroupMember RESOURCE_DELETION
google.admin.AdminService.updateGroupMember RESOURCE_WRITTEN
google.admin.AdminService.updateGroupMemberDeliverySettings RESOURCE_WRITTEN
google.admin.AdminService.updateGroupMemberDeliverySettingsCanEmailOverride RESOURCE_WRITTEN
google.admin.AdminService.groupMemberBulkUpload USER_RESOURCE_UPDATE_CONTENT
google.admin.AdminService.groupMembersDownload USER_RESOURCE_UPDATE_CONTENT
google.admin.AdminService.changeGroupName USER_RESOURCE_UPDATE_CONTENT
google.admin.AdminService.changeGroupSetting USER_RESOURCE_UPDATE_CONTENT
google.admin.AdminService.whitelistedGroupsUpdated RESOURCE_WRITTEN
google.admin.AdminService.securityInvestigationAction USER_RESOURCE_UPDATE_CONTENT
google.admin.AdminService.securityInvestigationActionCancellation USER_RESOURCE_UPDATE_CONTENT
google.admin.AdminService.securityInvestigationActionCompletion USER_RESOURCE_UPDATE_CONTENT
google.admin.AdminService.securityInvestigationActionRetry USER_RESOURCE_UPDATE_CONTENT
google.admin.AdminService.securityInvestigationActionVerificationConfirmation USER_RESOURCE_UPDATE_CONTENT
google.admin.AdminService.securityInvestigationActionVerificationRequest USER_RESOURCE_UPDATE_CONTENT
google.admin.AdminService.securityInvestigationActionVerificationRequestExpiration USER_RESOURCE_UPDATE_CONTENT
google.admin.AdminService.securityInvestigationChartCreate USER_RESOURCE_CREATION
google.admin.AdminService.securityInvestigationContentAccess USER_RESOURCE_UPDATE_CONTENT
google.admin.AdminService.securityInvestigationDownloadAttachment USER_RESOURCE_UPDATE_CONTENT
google.admin.AdminService.securityInvestigationExportActionResults USER_RESOURCE_UPDATE_CONTENT
google.admin.AdminService.securityInvestigationExportQuery USER_RESOURCE_UPDATE_CONTENT
google.admin.AdminService.securityInvestigationObjectCreateDraftInvestigation USER_RESOURCE_CREATION
google.admin.AdminService.securityInvestigationObjectDeleteInvestigation RESOURCE_DELETION
google.admin.AdminService.securityInvestigationObjectDuplicateInvestigation USER_RESOURCE_UPDATE_CONTENT
google.admin.AdminService.securityInvestigationObjectOwnershipTransfer USER_RESOURCE_UPDATE_CONTENT
google.admin.AdminService.securityInvestigationObjectSaveInvestigation USER_RESOURCE_UPDATE_CONTENT
google.admin.AdminService.securityInvestigationObjectUpdateDirectSharing RESOURCE_WRITTEN
google.admin.AdminService.securityInvestigationObjectUpdateLinkSharing RESOURCE_WRITTEN
google.admin.AdminService.securityInvestigationQuery USER_RESOURCE_UPDATE_CONTENT
google.admin.AdminService.securityInvestigationSettingUpdate RESOURCE_WRITTEN
google.admin.AdminService.addToTrustedOauth2Apps USER_RESOURCE_CREATION
google.admin.AdminService.allowAspWithout2Sv USER_RESOURCE_UPDATE_CONTENT
google.admin.AdminService.allowServiceForOauth2Access USER_RESOURCE_UPDATE_CONTENT
google.admin.AdminService.allowStrongAuthentication USER_RESOURCE_UPDATE_CONTENT
google.admin.AdminService.blockOnDeviceAccess USER_RESOURCE_UPDATE_CONTENT
google.admin.AdminService.changeAllowedTwoStepVerificationMethods USER_RESOURCE_UPDATE_CONTENT
google.admin.AdminService.changeAppAccessSettingsCollectionId USER_RESOURCE_UPDATE_CONTENT
google.admin.AdminService.changeCaaAppAssignments USER_RESOURCE_UPDATE_CONTENT
google.admin.AdminService.changeCaaDefaultAssignments USER_RESOURCE_UPDATE_CONTENT
google.admin.AdminService.changeCaaErrorMessage USER_RESOURCE_UPDATE_CONTENT
google.admin.AdminService.changeSessionLength USER_RESOURCE_UPDATE_CONTENT
google.admin.AdminService.changeTwoStepVerificationEnrollmentPeriodDuration USER_RESOURCE_UPDATE_CONTENT
google.admin.AdminService.changeTwoStepVerificationFrequency USER_RESOURCE_UPDATE_PERMISSIONS
google.admin.AdminService.changeTwoStepVerificationGracePeriodDuration USER_RESOURCE_UPDATE_CONTENT
google.admin.AdminService.changeTwoStepVerificationStartDate USER_RESOURCE_UPDATE_CONTENT
google.admin.AdminService.disallowServiceForOauth2Access USER_RESOURCE_UPDATE_CONTENT
google.admin.AdminService.enableNonAdminUserPasswordRecovery USER_RESOURCE_UPDATE_CONTENT
google.admin.AdminService.enforceStrongAuthentication USER_RESOURCE_UPDATE_PERMISSIONS
google.admin.AdminService.removeFromTrustedOauth2Apps RESOURCE_DELETION
google.admin.AdminService.sessionControlSettingsChange USER_RESOURCE_UPDATE_CONTENT
google.admin.AdminService.toggleCaaEnablement USER_RESOURCE_UPDATE_CONTENT
google.admin.AdminService.trustDomainOwnedOauth2Apps USER_RESOURCE_UPDATE_CONTENT
google.admin.AdminService.unblockOnDeviceAccess USER_RESOURCE_UPDATE_CONTENT
google.admin.AdminService.untrustDomainOwnedOauth2Apps USER_RESOURCE_UPDATE_CONTENT
google.admin.AdminService.updateErrorMsgForRestrictedOauth2Apps RESOURCE_WRITTEN
google.admin.AdminService.weakProgrammaticLoginSettingsChanged USER_RESOURCE_UPDATE_CONTENT
google.admin.AdminService.delete2SvScratchCodes RESOURCE_DELETION
google.admin.AdminService.generate2SvScratchCodes USER_RESOURCE_UPDATE_CONTENT
google.admin.AdminService.revoke3LoDeviceTokens USER_RESOURCE_UPDATE_CONTENT
google.admin.AdminService.revoke3LoToken USER_RESOURCE_UPDATE_CONTENT
google.admin.AdminService.addRecoveryEmail USER_RESOURCE_CREATION
google.admin.AdminService.addRecoveryPhone USER_RESOURCE_CREATION
google.admin.AdminService.grantAdminPrivilege USER_RESOURCE_UPDATE_CONTENT
google.admin.AdminService.revokeAdminPrivilege USER_RESOURCE_UPDATE_CONTENT
google.admin.AdminService.revokeAsp USER_RESOURCE_UPDATE_CONTENT
google.admin.AdminService.toggleAutomaticContactSharing USER_RESOURCE_UPDATE_CONTENT
google.admin.AdminService.bulkUpload USER_RESOURCE_UPDATE_CONTENT
google.admin.AdminService.bulkUploadNotificationSent USER_RESOURCE_UPDATE_CONTENT
google.admin.AdminService.cancelUserInvite USER_RESOURCE_UPDATE_CONTENT
google.admin.AdminService.changeUserCustomField USER_RESOURCE_UPDATE_CONTENT
google.admin.AdminService.changeUserExternalId USER_RESOURCE_UPDATE_CONTENT
google.admin.AdminService.changeUserGender USER_RESOURCE_UPDATE_CONTENT
google.admin.AdminService.changeUserIm USER_RESOURCE_UPDATE_CONTENT
google.admin.AdminService.enableUserIpWhitelist USER_RESOURCE_UPDATE_CONTENT
google.admin.AdminService.changeUserKeyword USER_RESOURCE_UPDATE_CONTENT
google.admin.AdminService.changeUserLanguage USER_RESOURCE_UPDATE_CONTENT
google.admin.AdminService.changeUserLocation USER_RESOURCE_UPDATE_CONTENT
google.admin.AdminService.changeUserOrganization USER_RESOURCE_UPDATE_CONTENT
google.admin.AdminService.changeUserPhoneNumber USER_RESOURCE_UPDATE_CONTENT
google.admin.AdminService.changeRecoveryEmail USER_RESOURCE_UPDATE_CONTENT
google.admin.AdminService.changeRecoveryPhone USER_RESOURCE_UPDATE_CONTENT
google.admin.AdminService.changeUserRelation USER_RESOURCE_UPDATE_CONTENT
google.admin.AdminService.changeUserAddress USER_RESOURCE_CREATION
google.admin.AdminService.createEmailMonitor USER_RESOURCE_CREATION
google.admin.AdminService.createDataTransferRequest USER_RESOURCE_CREATION
google.admin.AdminService.grantDelegatedAdminPrivileges USER_RESOURCE_UPDATE_CONTENT
google.admin.AdminService.deleteAccountInfoDump RESOURCE_DELETION
google.admin.AdminService.deleteEmailMonitor RESOURCE_DELETION
google.admin.AdminService.deleteMailboxDump RESOURCE_DELETION
google.admin.AdminService.changeFirstName USER_RESOURCE_UPDATE_CONTENT
google.admin.AdminService.gmailResetUser USER_RESOURCE_UPDATE_CONTENT
google.admin.AdminService.changeLastName USER_RESOURCE_UPDATE_CONTENT
google.admin.AdminService.mailRoutingDestinationAdded USER_RESOURCE_CREATION
google.admin.AdminService.mailRoutingDestinationRemoved RESOURCE_DELETION
google.admin.AdminService.addNickname USER_RESOURCE_CREATION
google.admin.AdminService.removeNickname RESOURCE_DELETION
google.admin.AdminService.changePassword USER_CHANGE_PASSWORD
google.admin.AdminService.changePasswordOnNextLogin USER_CHANGE_PASSWORD
google.admin.AdminService.downloadPendingInvitesList USER_RESOURCE_ACCESS
google.admin.AdminService.removeRecoveryEmail RESOURCE_DELETION
google.admin.AdminService.removeRecoveryPhone RESOURCE_DELETION
google.admin.AdminService.requestAccountInfo USER_RESOURCE_UPDATE_CONTENT
google.admin.AdminService.requestMailboxDump USER_RESOURCE_UPDATE_CONTENT
google.admin.AdminService.resendUserInvite USER_RESOURCE_UPDATE_CONTENT
google.admin.AdminService.resetSigninCookies USER_RESOURCE_UPDATE_CONTENT
google.admin.AdminService.securityKeyRegisteredForUser USER_RESOURCE_UPDATE_CONTENT
google.admin.AdminService.revokeSecurityKey USER_RESOURCE_UPDATE_CONTENT
google.admin.AdminService.userInvite USER_RESOURCE_UPDATE_CONTENT
google.admin.AdminService.viewTempPassword USER_RESOURCE_UPDATE_CONTENT
google.admin.AdminService.turnOff2StepVerification USER_RESOURCE_UPDATE_CONTENT
google.admin.AdminService.unblockUserSession USER_RESOURCE_UPDATE_CONTENT
google.admin.AdminService.unenrollUserFromTitanium USER_RESOURCE_UPDATE_CONTENT
google.admin.AdminService.archiveUser USER_RESOURCE_UPDATE_CONTENT
google.admin.AdminService.updateBirthdate RESOURCE_WRITTEN
google.admin.AdminService.createUser USER_CREATION
google.admin.AdminService.deleteUser RESOURCE_DELETION
google.admin.AdminService.downgradeUserFromGplus USER_RESOURCE_UPDATE_CONTENT
google.admin.AdminService.userEnrolledInTwoStepVerification USER_RESOURCE_UPDATE_CONTENT
google.admin.AdminService.downloadUserlistCsv USER_RESOURCE_ACCESS
google.admin.AdminService.moveUserToOrgUnit USER_RESOURCE_UPDATE_CONTENT
google.admin.AdminService.userPutInTwoStepVerificationGracePeriod USER_RESOURCE_UPDATE_CONTENT
google.admin.AdminService.renameUser USER_RESOURCE_UPDATE_CONTENT
google.admin.AdminService.unenrollUserFromStrongAuth USER_RESOURCE_UPDATE_CONTENT
google.admin.AdminService.suspendUser USER_RESOURCE_UPDATE_PERMISSIONS
google.admin.AdminService.unarchiveUser USER_RESOURCE_UPDATE_CONTENT
google.admin.AdminService.undeleteUser RESOURCE_DELETION
google.admin.AdminService.unsuspendUser STATUS_UPDATE
google.admin.AdminService.upgradeUserToGplus USER_RESOURCE_UPDATE_CONTENT
google.admin.AdminService.usersBulkUpload USER_RESOURCE_UPDATE_CONTENT
google.admin.AdminService.usersBulkUploadNotificationSent USER_RESOURCE_UPDATE_CONTENT
google.admin.AdminService.createAccessLevelV2 USER_RESOURCE_CREATION
google.admin.AdminService.systemDefinedRuleUpdated USER_RESOURCE_UPDATE_PERMISSIONS
google.admin.AdminService.createDeviceEnrollmentToken USER_RESOURCE_CREATION
google.login.LoginService.2svDisable STATUS_UPDATE
google.login.LoginService.2svEnroll STATUS_UPDATE
google.login.LoginService.accountDisabledPasswordLeak STATUS_UPDATE
google.login.LoginService.accountDisabledGeneric USER_LOGIN
google.login.LoginService.accountDisabledSpammingThroughRelay USER_LOGIN

Security category: NETWORK_SUSPICIOUS

google.login.LoginService.accountDisabledSpamming USER_LOGIN

Security category: NETWORK_SUSPICIOUS

google.login.LoginService.accountDisabledHijacked USER_LOGIN

Security category: NETWORK_SUSPICIOUS

google.login.LoginService.emailForwardingOutOfDomain EMAIL_TRANSACTION
google.login.LoginService.govAttackWarning USER_LOGIN

Security category: NETWORK_MALICIOUS

google.login.LoginService.loginChallenge USER_LOGIN
google.login.LoginService.loginFailure USER_LOGIN

Security category: AUTH_VIOLATION

google.login.LoginService.loginVerification USER_LOGIN
google.login.LoginService.logout USER_LOGOUT
google.login.LoginService.loginSuccess USER_LOGIN
google.login.LoginService.passwordEdit USER_CHANGE_PASSWORD
google.login.LoginService.recoveryEmailEdit USER_RESOURCE_UPDATE_CONTENT
google.login.LoginService.recoveryPhoneEdit USER_RESOURCE_UPDATE_CONTENT
google.login.LoginService.recoverySecretQaEdit USER_RESOURCE_UPDATE_CONTENT
google.login.LoginService.suspiciousLogin USER_LOGIN

Security category: ACL_VIOLATION

google.login.LoginService.suspiciousLoginLessSecureApp USER_LOGIN

Security category: ACL_VIOLATION

google.login.LoginService.suspiciousProgrammaticLogin USER_LOGIN

Security category: ACL_VIOLATION

google.login.LoginService.titaniumEnroll USER_RESOURCE_UPDATE_CONTENT
google.login.LoginService.titaniumUnenroll USER_RESOURCE_CREATION
google.identity.accesscontextmanager.v1.AccessContextManager.CreateAccessLevel USER_RESOURCE_CREATION
google.apps.cloudidentity.groups.v1.MembershipsService.UpdateMembership USER_RESOURCE_UPDATE_CONTENT
io.k8s.core.v1.pods.create RESOURCE_CREATION
io.k8s.authorization.rbac.v1.clusterrolebindings.create RESOURCE_CREATION
beta.compute.instanceTemplates.insert RESOURCE_CREATION
SetOrgPolicy USER_RESOURCE_UPDATE_PERMISSIONS
beta.compute.instanceGroupManagers.patch RESOURCE_WRITTEN
beta.compute.autoscalers.update RESOURCE_WRITTEN
compute.v1.InstancesService.Get USER_RESOURCE_ACCESS
google.storage.objects.list USER_RESOURCE_ACCESS
google.cloudresourcemanager.v1.Projects.SetIamPolicy USER_RESOURCE_UPDATE_PERMISSIONS
cloudsql.instances.query USER_RESOURCE_ACCESS
cloudtrace.googleapis.com/ListInsights RESOURCE_READ
google.cloud.functions.v1.CloudFunctionsService.CreateFunction RESOURCE_CREATION
google.api.servicemanagement.v1.ServiceManager.ActivateServices USER_RESOURCE_UPDATE_CONTENT
google.admin.AdminService.changePassword USER_CHANGE_PASSWORD
google.api.serviceusage.v1.ServiceUsage.DisableService USER_RESOURCE_UPDATE_CONTENT
AuthorizeUser USER_LOGIN
google.cloud.oslogin.v1.OsLoginService.CheckPolicy USER_LOGIN
google.admin.AdminService.unsuspendUser STATUS_UPDATE
jobservice.jobcompleted RESOURCE_WRITTEN
compute.v1.ProjectsService.Get USER_RESOURCE_ACCESS
v1.compute.projects.setCommonInstanceMetadata USER_RESOURCE_UPDATE_CONTENT
CreateCryptoKey RESOURCE_CREATION
storage.buckets.get RESOURCE_READ
google.longrunning.Operations.GetOperation RESOURCE_READ
io.k8s.core.v1.pods.delete RESOURCE_DELETION
v1.compute.disks.delete RESOURCE_DELETION
v1.compute.disks.insert RESOURCE_CREATION
ScheduledSnapshots RESOURCE_WRITTEN
v1.compute.disks.setLabels RESOURCE_WRITTEN
google.cloud.healthcare.v1alpha2.dataset.DatasetService.AccessEhrSearch STATUS_UPDATE
io.k8s.apiextensions.v1.customresourcedefinitions.patch RESOURCE_WRITTEN
io.k8s.post USER_UNCATEGORIZED
v1.compute.instances.delete RESOURCE_DELETION
storage.buckets.list RESOURCE_READ
storage.objects.create RESOURCE_CREATION
google.pubsub.v1.Publisher.CreateTopic RESOURCE_CREATION
google.devtools.cloudbuild.v1.CloudBuild.ListBuilds USER_RESOURCE_ACCESS
google.cloud.asset.v1.AssetService.UpdateFeed USER_RESOURCE_UPDATE_PERMISSIONS
storage.objects.update RESOURCE_WRITTEN
datasetservice.insert USER_RESOURCE_CREATION
storage.setIamPermissions USER_RESOURCE_UPDATE_PERMISSIONS
io.k8s.coordination.v1.leases.update RESOURCE_WRITTEN
datasetservice.delete USER_RESOURCE_DELETION
compute.instances.repair.recreateInstance RESOURCE_CREATION
tableservice.delete USER_RESOURCE_DELETION
io.k8s.core.v1.configmaps.update RESOURCE_WRITTEN
io.k8s.core.v1.nodes.proxy.get RESOURCE_READ
compute.instances.repair.deleteInstance RESOURCE_DELETION
google.cloud.dataproc.v1.JobController.SubmitJob RESOURCE_WRITTEN
google.cloud.dataproc.v1beta2.ClusterController.UpdateCluster RESOURCE_WRITTEN
io.k8s.app.v1beta1.applications.update RESOURCE_WRITTEN
io.gke.networking.v1beta1.managedcertificates.update RESOURCE_WRITTEN
io.k8s.extensions.v1beta1.deployments.patch RESOURCE_WRITTEN
compute.instanceGroupManagers.deleteInstances RESOURCE_DELETION
io.k8s.authorization.rbac.v1.rolebindings.patch RESOURCE_WRITTEN
google.admin.AdminService.toggleServiceEnabled USER_UNCATEGORIZED
io.k8s.core.v1.services.proxy.get RESOURCE_READ
google.datastore.v1.Datastore.RunQuery STATUS_UPDATE
google.appengine.Datastore.Put STATUS_UPDATE
google.cloud.securitycenter.settings.v1beta2.Settings.UpdateSecurityHealthAnalyticsSettings RESOURCE_WRITTEN
v1.compute.securityPolicies.patchRule RESOURCE_WRITTEN
beta.compute.images.setIamPolicy USER_RESOURCE_UPDATE_PERMISSIONS
google.iam.v1.IAMPolicy.SetIamPolicy USER_RESOURCE_UPDATE_PERMISSIONS
io.k8s.certificates.v1.certificatesigningrequests.create RESOURCE_CREATION
io.k8s.core.v0.id.create RESOURCE_CREATION
google.cloud.orgpolicy.v2.OrgPolicy.DeletePolicy RESOURCE_WRITTEN
google.cloud.securitycenter.settings.v1beta2.Settings.UpdateEventThreatDetectionSettings RESOURCE_DELETION
UpdateCryptoKeyVersion RESOURCE_WRITTEN
google.apps.cloudidentity.groups.v1.GroupsService.UpdateGroup RESOURCE_WRITTEN
v1 STATUS_UPDATE
google.cloud.run.v1.Services.ReplaceService SERVICE_UNCATEGORIZED
updatePolicy RESOURCE_WRITTEN
updateBackup RESOURCE_WRITTEN

字段映射参考文档:GCP_CLOUDAUDIT

下表列出了 GCP_CLOUDAUDIT 日志类型的日志字段及其对应的 UDM 字段。
日志字段 UDM 映射 逻辑
jsonPayload.accesses[].resourceName about.resource.name
protoPayload.response.selfLink about.url
protoPayload.metadata.event.eventName.parameter.name[login_challenge_method] extensions.auth.auth_details 如果 protoPayload.metadata.event.eventName 日志字段值等于 login_failurelogin_verificationlogin_challengelogin_success,那么如果 protoPayload.metadata.event.eventName.parameter.name 日志字段值等于 login_challenge_method,则 protoPayload.metadata.event.eventName.parameter.value 日志字段将映射到 extensions.auth.auth_details UDM 字段。
extensions.auth.auth_mechanism 如果 protoPayload.metadata.event.eventName 等于 login_failurelogin_verificationlogin_challengelogic_success,则 extensions.auth.auth_mechanism UDM 字段为:
  • 当满足以下条件时,设置为 MECHANISM_OTHER
    • protoPayload.metadata.event.eventName.parameter.name 中的值等于 is_second_factor
    • value protoPayload.metadata.event.eventName.parameter.value 等于 True
  • 当满足以下条件时,设置为 USERNAME_PASSWORD
    • protoPayload.metadata.event.eventName.parameter.name 中的值等于 login_challenge_methodlogin_type
    • protoPayload.metadata.event.eventName.parameter.value 等于 exchangepasswordgoogle_passwordsaml
  • 当满足以下条件时,设置为 OTP
    • protoPayload.metadata.event.eventName.parameter.name 中的值等于 login_challenge_methodlogin_type
    • value protoPayload.metadata.event.eventName.parameter.value 等于 backup_codegoogle_authenticatoridv_any_phoneidv_preregistered_phoneoffline_otpsecurity_key_otp
  • 如果满足以下任一条件,则设置为 INTERACTIVE
    • protoPayload.metadata.event.eventName.parameter.name 中的值等于 is_second_factor,值 protoPayload.metadata.event.eventName.parameter.value 等于 True
    • protoPayload.metadata.event.eventName.parameter.name 中的值等于 login_challenge_methodlogin_type,值 protoPayload.metadata.event.eventName.parameter.value 等于 internal_two_factorlogin_location
  • 当满足以下条件时,设置为 MECHANISM_OTHER
    • protoPayload.metadata.event.eventName.parameter.name 中的值等于 login_challenge_methodlogin_type
    • protoPayload.metadata.event.eventName.parameter.value 等于 google_promptknowledge_employee_idknowledge_preregistered_emailknowledge_preregistered_phone or other
  • 当满足以下条件时,设置为 HARDWARE_KEY
    • protoPayload.metadata.event.eventName.parameter.name 中的值等于 login_challenge_methodlogin_type
    • protoPayload.metadata.event.eventName.parameter.value 等于 security_key
  • 当满足以下条件时,设置为 MECHANISM_UNSPECIFIED
    • protoPayload.metadata.event.eventName.parameter.name 中的值等于 login_challenge_methodlogin_type
    • protoPayload.metadata.event.eventName.parameter.value 等于 reauthunknown
extensions.auth.type 如果 protoPayload.metadata.event.eventName 日志字段值等于 login_failurelogin_verificationlogin_challengelogin_success,并且 protoPayload.metadata.event.eventName.parameter.name 日志字段值等于 login_challenge_method,则 extensions.auth.type UDM 字段设置为 MACHINE
protoPayload.metadata.event.eventName.parameter.name[GATEWAY_NAME] intermediary.resource.name
receiveTimestamp metadata.collected_timestamp
protoPayload.response.operationType metadata.description 如果 protoPayload.methodName 日志字段值等于 cloudsql.instances.create,则 protoPayload.response.operationType - protoPayload.response.kind 日志字段会映射到 metadata.description UDM 字段。
protoPayload.response.kind target.resource.attribute.labels[response_kind]
protoPayload.status.message metadata.description
protoPayload.metadata.event.eventName.parameter.name[SETTING_DESCRIPTION] metadata.description
timestamp metadata.event_timestamp
protoPayload.methodName metadata.product_event_type
resource.labels.method metadata.product_event_type
jsonPayload.event_subtype metadata.product_event_type
insertId metadata.product_log_id
protoPayload.metadata.event.eventName.parameter.name[PRODUCT_NAME] metadata.product_name 如果 protoPayload.serviceName 日志字段值与正则表达式 (compute.googleapis.com) 匹配,则 metadata.product_name UDM 字段值与正则表达式 (compute.googleapis.com) 匹配,那么 metadata.product_name UDM 字段值与正则表达式 (compute.googleapis.com) 匹配,那么 metadata.product_name UDM 字段值匹配正则表达式 (compute.googleapis.com)metadata.product_name UDM 字段值匹配正则表达式 (compute.googleapis.com)metadata.product_name UDM 字段值匹配正则表达式 (compute.googleapis.com)metadata.product_name UDM 字段值匹配正则表达式 (compute.googleapis.com)metadata.product_name UDM 字段值匹配正则表达式 (compute.googleapis.com)metadata.product_nameprotoPayload.serviceNameprotoPayload.serviceNameprotoPayload.serviceNameprotoPayload.serviceNameprotoPayload.serviceNameprotoPayload.serviceNameprotoPayload.serviceNameprotoPayload.serviceNameprotoPayload.serviceNamemetadata.product_namemetadata.product_nameGoogle Compute Engine

















(bigquery.googleapis.com)BigQuery(admin.googleapis.com or login.googleapis.com or cloudidentity.googleapis.com)G Suite(k8s.io)Google Kubernetes Engine(servicemanagement.googleapis.com)Google Service Management(storage.googleapis.com)Google Cloud Storage(cloudsql.googleapis.com)Google Cloud SQL(dataproc.googleapis.com)Google Dataproc(iam.googleapis.com)Google Cloud IAM(accesscontextmanager.googleapis.com)Context Manager API
logName metadata.url_back_to_product
protoPayload.response.selfLinkWithId metadata.url_back_to_product
metadata.vendor_name metadata.vendor_name UDM 字段设置为 Google Cloud Platform
httpRequest.protocol network.application_protocol
protoPayload.metadata.request_id network.community_id
protoPayload.resourceOriginalState.direction network.direction
protoPayload.request.direction network.direction
protoPayload.metadata.event.eventName.parameter.name[EMAIL_LOG_SEARCH_SENDER] network.email.from
protoPayload.metadata.event.eventName.parameter.name[EMAIL_LOG_SEARCH_MSG_ID] network.email.mail_id
protoPayload.metadata.event.eventName.parameter.name[EMAIL_LOG_SEARCH_RECIPIENT] network.email.to
httpRequest.requestMethod network.http.method
protoPayload.requestMetadata.requestAttributes.method network.http.method
httpRequest.referer network.http.referral_url
protoPayload.requestMetadata.requestAttributes.path network.http.referral_url
httpRequest.requestUrl network.http.referral_url
protoPayload.resourceOriginalState.network network.http.referral_url
httpRequest.status network.http.response_code
protoPayload.response.error.code network.http.response_code
protoPayload.status.code security_result.detection_fields [status_code]
protoPayload.requestMetadata.callerSuppliedUserAgent network.http.user_agent 如果 protoPayload.requestMetadata.callerSuppliedUserAgent 日志字段值与正则表达式 Group 匹配,则 protoPayload.requestMetadata.callerSuppliedUserAgent 日志字段会映射到 principal.group.group_display_name UDM 字段。
httpRequest.userAgent network.http.user_agent
protoPayload.resourceOriginalState.alloweds.IPProtocol network.ip_protocol
protoPayload.requestMetadata.requestAttributes.protocol network.ip_protocol
protoPayload.request.IPProtocol network.ip_protocol
protoPayload.request.alloweds.IPProtocol network.ip_protocol
jsonPayload.connection.protocol network.ip_protocol
protoPayload.metadata.event.eventName.parameter.name[ORG_UNIT_NAME] network.organization_name
httpRequest.responseSize network.received_bytes
httpRequest.requestSize network.sent_bytes
jsonPayload.bytes_sent network.sent_bytes
protoPayload.requestMetadata.requestAttributes.id network.session_id
ProtoPayload.authenticationInfo.serviceAccountDelegationInfo.firstPartyPrincipal.principalEmail principal.email
jsonPayload.src_instance.vm_name principal.hostname
protoPayload.requestMetadata.callerIp principal.ip
protoPayload.metadata.event.eventName.parameter.name[EMAIL_LOG_SEARCH_SMTP_SENDER_IP] principal.ip
jsonPayload.connection.src_ip principal.ip
httpRequest.serverIp principal.ip
resourceLocation.originalLocations principal.location.name
jsonPayload.connection.nat_ip principal.nat_ip
jsonPayload.connection.nat_port principal.nat_port
jsonPayload.connection.src_port principal.port
protoPayload.authorizationInfo.resource principal.resource.name 如果 protoPayload.authorizationInfo.resource 日志字段值不为空,则 protoPayload.authorizationInfo.resource 日志字段会映射到 principal.resource.name UDM 字段。
protoPayload.authorizationInfo.resourceAttributes.name principal.resource.name 如果 protoPayload.authorizationInfo.resourceAttributes.name 日志字段值不为空,则 protoPayload.authorizationInfo.resourceAttributes.name 日志字段会映射到 principal.resource.name UDM 字段。
protoPayload.authorizationInfo.permission target.resource_ancestors.attribute.permissions.name
protoPayload.authorizationInfo.permissionType target.resource_ancestors.attribute.permissions.type
protoPayload.authorizationInfo.resourceAttributes.service target.resource_ancestors.attribute.labels[resource_attribute_service]
protoPayload.authorizationInfo.granted target.resource_ancestors.attribute.labels[authorization_granted]
protoPayload.resourceOriginalState.name principal.resource.name
protoPayload.authorizationInfo.resourceAttributes.type principal.resource.resource_subtype
principal.user.account_type 如果 access.principalSubject 日志字段值与正则表达式 serviceAccount 匹配,则 principal.user.account_type UDM 字段会设置为 SERVICE_ACCOUNT_TYPE

如果 access.principalSubject 日志字段值与正则表达式 user 匹配,则 principal.user.account_type UDM 字段会设置为 CLOUD_ACCOUNT_TYPE
protoPayload.authorizationInfo.authorizationLoggingOptions.permissionType principal.user.attribute.permissions.description
protoPayload.request.serviceAccounts[].scopes principal.user.attribute.permissions.name
protoPayload.authorizationInfo.permission principal.user.attribute.permissions.name
protoPayload.authorizationInfo.authorizationLoggingOptions.permissionType principal.user.attribute.permissions.type
protoPayload.serviceData.policyDelta.bindingDeltas[].action principal.user.attribute.roles.description
protoPayload.request.bindings.role principal.user.attribute.roles.name
protoPayload.serviceData.policyDelta.bindingDeltas[].role principal.user.attribute.roles.name
jsonPayload.location.principalEmployingEntity principal.user.company_name
jsonPayload.location.principalOfficeCountry principal.user.office_address.country_or_region
protoPayload.authenticationInfo.principalEmail principal.user.userid 如果 protoPayload.authenticationInfo.principalEmail 日志字段值不为空,系统会使用 Grok 模式从 protoPayload.authenticationInfo.principalEmail 日志字段提取 userid_auth,并映射到 principal.user.userid UDM 字段。
protoPayload.metadata.event.eventName.parameter.value principal.user.userid 如果 protoPayload.metadata.event.eventName 日志字段值等于 CREATE_EMAIL_MONITORCREATE_DATA_TRANSFER_REQUEST
  • 如果 protoPayload.metadata.event.eventName.parameter.name 日志字段值等于 USER_EMAIL,则系统会使用 Grok 模式从 protoPayload.metadata.event.eventName.parameter.value 日志字段中提取 userid,并将其映射到 principal.user.userid UDM 字段。
  • protoPayload.authenticationInfo.authoritySelector principal.user.userid 如果 protoPayload.authenticationInfo.authoritySelector 日志字段值不为空,系统会使用 Grok 模式从 protoPayload.authenticationInfo.authoritySelector 日志字段提取 userid_selector,并映射到 principal.user.userid UDM 字段。
    jsonPayload.actor.user principal.user.userid 如果 jsonPayload.actor.user 日志字段值不为空,系统会使用 Grok 模式从 jsonPayload.actor.user 日志字段提取 userid_actor,并映射到 principal.user.userid UDM 字段。
    protoPayload.authenticationInfo.principalEmail principal.user.email_addresses 如果 protoPayload.authenticationInfo.principalEmail 日志字段值不为空,且 protoPayload.authenticationInfo.principalEmail 日志字段值与正则表达式 .@. 匹配,则 protoPayload.authenticationInfo.principalEmail 日志字段会映射到 principal.user.email_addresses UDM 字段。
    protoPayload.metadata.event.eventName.parameter.value principal.user.email_addresses 当满足以下条件时,protoPayload.metadata.event.eventName.parameter.value 会映射到 principal.user.email_addresses
    • protoPayload.metadata.event.eventName 日志字段值的值等于 CREATE_EMAIL_MONITORCREATE_DATA_TRANSFER_REQUEST
    • protoPayload.metadata.event.eventName.parameter.name 日志字段值中的值等于 USER_EMAIL
    • protoPayload.metadata.event.eventName.parameter.name 日志字段值中的值与正则表达式 .@. 匹配
    protoPayload.authenticationInfo.authoritySelector principal.user.email_addresses 如果 protoPayload.authenticationInfo.authoritySelector 日志字段值为空,并且 protoPayload.authenticationInfo.authoritySelector 日志字段值与正则表达式 .@. 匹配,则 protoPayload.authenticationInfo.authoritySelector 日志字段会映射到 principal.user.email_addresses UDM 字段。
    jsonPayload.actor.user principal.user.email_addresses 如果 jsonPayload.actor.user 日志字段值为空,并且 jsonPayload.actor.user 日志字段值与正则表达式 .@. 匹配,则 jsonPayload.actor.user 日志字段会映射到 principal.user.email_addresses UDM 字段。
    protoPayload.metadata.event.eventName.parameter.name[login_challenge_status] security_result.action 当满足以下条件时,security_result.action 会设为 ALLOW
    • protoPayload.metadata.event.eventName 日志字段值的值等于 login_challengelogin_verification
    • protoPayload.metadata.event.eventName.parameter.name 日志字段值中的值等于 login_challenge_status
    • protoPayload.metadata.event.parameter.value 日志字段值中的值等于 Challenge Passed
    当满足以下条件时,security_result.action 会设置为 FAIL
    • protoPayload.metadata.event.eventName 日志字段值中的值等于 login_challengelogin_verification
    • protoPayload.metadata.event.eventName.parameter.name 日志字段值中的值等于 login_challenge_status
    • protoPayload.metadata.event.parameter.value 日志字段值中的值等于 Challenge Failed
    protoPayload.metadata.event.eventName.parameter.name[ACTION_TYPE] security_result.action 当满足以下条件时,security_result.action 会设为 ALLOW
    • protoPayload.metadata.event.eventName 日志字段值的值等于 ACTION_CANCELLEDACTION_REQUESTED
    • protoPayload.metadata.event.eventName.parameter.name 日志字段值中的值等于 ACTION_TYPE
    • protoPayload.metadata.event.parameter.value 日志字段值中的值等于 ALLOW_ACCESSAPPROVE
    当满足以下条件时,security_result.action 会设置为 BLOCK
    • protoPayload.metadata.event.eventName 日志字段值的值等于 ACTION_CANCELLEDACTION_REQUESTED
    • protoPayload.metadata.event.eventName.parameter.name 日志字段值中的值等于 ACTION_TYPE
    • protoPayload.metadata.event.parameter.value 日志字段值中的值等于 DISALLOW_ACCESSBLOCK
    • protoPayload.response.error.errors 日志字段值不为空。
    当满足以下条件时,security_result.action 会设置为 ALLOW_WITH_MODIFICATION
    • protoPayload.metadata.event.eventName 日志字段值中的值等于 ACTION_CANCELLEDACTION_REQUESTED
    • protoPayload.metadata.event.eventName.parameter.name 日志字段值中的值等于 ACTION_TYPE
    • protoPayload.metadata.event.parameter.value 日志字段值的值等于 RESET_PINREVOKE_TOKEN
    当满足以下条件时,security_result.action 会设置为 QUARANTINE
    • protoPayload.metadata.event.eventName 日志字段值的值等于 ACTION_CANCELLEDACTION_REQUESTED
    • protoPayload.metadata.event.eventName.parameter.name 日志字段值中的值等于 ACTION_TYPE
    • protoPayload.metadata.event.parameter.value 日志字段值中的值等于 LOCK_DEVICE
    当满足以下条件时,security_result.action 会设置为 QUARANTINE
    • protoPayload.metadata.event.eventName 日志字段值的值等于 ACTION_CANCELLEDACTION_REQUESTED
    • protoPayload.metadata.event.eventName.parameter.name 日志字段值中的值等于 ACTION_TYPE
    • protoPayload.metadata.event.parameter.value 日志字段值中的值等于 ACCOUNT_WIPECOLLECT_BUGREPORTDEVICE_WIPELOCATE_DEVICEREMOVE_APP_FROM_DEVICEREMOVE_IOS_PROFILERING_DEVICESYNC_DEVICEUNKNOWN
    security_result.action_details 如果 protoPayload.metadata.event.eventName 日志字段值等于 login_challengelogin_verification,那么如果 protoPayload.metadata.event.eventName.parameter.name 日志字段值等于 login_challenge_status,则 protoPayload.metadata.event.eventName.parameter.value 日志字段会映射到 security_result.action_details UDM 字段。

    如果 protoPayload.metadata.event.eventName 日志字段值等于 ACTION_CANCELLEDACTION_REQUESTED,如果 protoPayload.metadata.event.eventName.parameter.name 日志字段值等于 ACTION_TYPE,那么 protoPayload.metadata.event.eventName.parameter.value 日志字段会映射到 security_result.action_details UDM 字段。
    protoPayload.metadata.event.eventName.parameter.name[is_suspicious] security_result.category 如果 protoPayload.metadata.event.eventName 日志字段值等于 login_success,那么如果 protoPayload.metadata.event.eventName.parameter.name 日志字段值等于 is_suspicious,那么如果 protoPayload.metadata.event.eventName.parameter.value 日志字段值等于 True,则 security_result.category UDM 字段会设置为 NETWORK_SUSPICIOUS
    logName security_result.category_details
    protoPayload.response.status security_result.description
    protoPayload.response.error.errors[].reason security_result.description
    protoPayload.metadata.tableCreation.reason security_result.description
    protoPayload.metadata.tableChange.reason security_result.description
    protoPayload.metadata.tableDeletion.reason security_result.description
    protoPayload.metadata.datasetCreation.reason security_result.description
    protoPayload.metadata.datasetDeletion.reason security_result.description
    protoPayload.policyViolationInfo.orgPolicyViolationInfo.violationInfo.errorMessage security_result.description
    protoPayload.status.message security_result.description
    protoPayload.request.status security_result.description
    jsonPayload.reason[].detail security_result.description
    protoPayload.response.status.state security_result.description
    protoPayload.response.status.conditions[].message security_result.description 如果 message 日志字段值与正则表达式 response.*status.*conditions.*message 匹配,则 protoPayload.response.status.conditions.0.message 日志字段会映射到 security_result.description UDM 字段。
    protoPayload.resourceOriginalState.priority security_result.priority_details
    protoPayload.request.priority security_result.priority_details
    protoPayload.serviceData.jobGetQueryResultsResponse.job.jobConfiguration.query.queryPriority security_result.priority_details
    protoPayload.metadata.vpcServiceControlsUniqueId security_result.rule_id
    protoPayload.request.body.settings.activationPolicy security_result.rule_name
    protoPayload.request.policy security_result.rule_name
    protoPayload.metadata.violationReason security_result.rule_name
    protoPayload.policyViolationInfo.orgPolicyViolationInfo.violationInfo.policyType security_result.rule_type
    protoPayload.metadata.dryRun security_result.rule_type
    severity security_result.severity
    security_result.severity_details severityseverityseverityseverityseverityseverityCRITICALCRITICALsecurity_result.severitysecurity_result.severitysecurity_result.severitysecurity_result.severitysecurity_result.severitysecurity_result.severitysecurity_result.severity











    ERRORERRORALERTEMERGENCYHIGHINFONOTICEINFORMATIONALDEBUGLOWWARNINGMEDIUMUNKNOWN_SEVERITY
    protoPayload.response.error.message security_result.summary
    protoPayload.response.error.errors[].message security_result.summary
    protoPayload.status.details.violations.description security_result.summary
    protoPayload.response.message security_result.summary
    protoPayload.request.description security_result.summary
    jsonPayload.reason[].type security_result.summary
    sourceLocation.file src.file.full_path
    protoPayload.serviceName target.application
    resource.labels.service target.application
    protoPayload.metadata.event.eventName.parameter.name[APPLICATION_NAME] target.application
    protoPayload.metadata.event.eventName.parameter.name[APP_NAME] target.application 如果 protoPayload.metadata.event.eventName.parameter.name1 日志字段值等于 APP_NAMEprotoPayload.metadata.event.eventName.parameter.name2 日志字段值等于 APP_ID,则 protoPayload.metadata.event.eventName.parameter.name2 - protoPayload.metadata.event.eventName.parameter.name1 日志字段会映射到 target.application UDM 字段。
    protoPayload.metadata.event.eventName.parameter.name[APP_ID] target.application 如果 protoPayload.metadata.event.eventName.parameter.name1 日志字段值等于 APP_NAMEprotoPayload.metadata.event.eventName.parameter.name2 日志字段值等于 APP_ID,则 protoPayload.metadata.event.eventName.parameter.name2 - protoPayload.metadata.event.eventName.parameter.name1 日志字段会映射到 target.application UDM 字段。
    protoPayload.metadata.event.eventName.parameter.name[SERVICE_NAME] target.application
    protoPayload.metadata.event.eventName.parameter.name[OAUTH2_SERVICE_NAME] target.application
    protoPayload.metadata.event.eventName.parameter.name[OAUTH2_APP_NAME] target.application 如果 protoPayload.metadata.event.eventName.parameter.name1 日志字段值等于 OAUTH2_APP_NAME,并且 protoPayload.metadata.event.eventName.parameter.name2 日志字段值等于 OAUTH2_APP_ID,则 protoPayload.metadata.event.eventName.parameter.name2 - protoPayload.metadata.event.eventName.parameter.name1 日志字段会映射到 target.application UDM 字段。
    protoPayload.metadata.event.eventName.parameter.name[OAUTH2_APP_ID] target.application 如果 protoPayload.metadata.event.eventName.parameter.name1 日志字段值等于 OAUTH2_APP_NAMEprotoPayload.metadata.event.eventName.parameter.name2 日志字段值等于 OAUTH2_APP_ID,则 protoPayload.metadata.event.eventName.parameter.name2 - protoPayload.metadata.event.eventName.parameter.name1 日志字段会映射到 target.application UDM 字段。
    protoPayload.metadata.event.eventName.parameter.name[REAUTH_APPLICATION, SITE_NAME] target.application
    jsonPayload.product target.application
    protoPayload.metadata.device_id target.asset.asset_id
    protoPayload.metadata.event.eventName.parameter.name[DEVICE_SERIAL_NUMBER] target.asset.hardware.serial_number
    protoPayload.metadata.event.eventName.parameter.name[PRINT_SERVER_NAME] target.asset.hostname
    protoPayload.metadata.event.eventName.parameter.name[PRINTER_NAME] target.asset.hostname
    protoPayload.request.instance target.asset.product_object_id protoPayload.request.instance 中的索引值等于 0 时,protoPayload.request.instance 日志字段会映射到 target.asset.product_object_id UDM 字段。

    对于所有其他索引值,target.asset.labels.key UDM 字段会设置为 request_instanceprotoPayload.request.instance 日志字段会映射到 target.asset.labels.value UDM 字段。
    protoPayload.metadata.event.eventName.parameter.name[DEVICE_ID] target.asset.product_object_id
    protoPayload.metadata.event.eventName.parameter.name[COMPANY_DEVICE_ID] target.asset.product_object_id
    target.asset.type 如果 protoPayload.metadata.event.eventName.parameter.name 日志字段值等于 PRINTER_SERVER_NAME,则 target.asset.type UDM 字段设置为 SERVER

    如果 protoPayload.metadata.event.eventName.parameter.name 日志字段值等于 PRINTER_NAME,则 target.asset.type UDM 字段设置为 PRINTER

    如果 protoPayload.metadata.event.eventName.parameter.name 日志字段值等于 DEVICE_TYPE,则 target.asset.type UDM 字段设置为 ROLE_UNSPECIFIED
    protoPayload.metadata.event.eventName.parameter.name[SITE_LOCATION] target.file.full_path
    protoPayload.metadata.event.eventName.parameter.name[PERMISSION_GROUP_NAME] target.group.attribute.permissions.name
    protoPayload.metadata.event.eventName.parameter.name[GROUP_EMAIL] target.group.email_addresses
    protoPayload.metadata.event.eventName.parameter.name[DOMAIN_NAME] target.hostname
    jsonPayload.dest_instance.vm_name target.hostname
    protoPayload.requestMetadata.requestAttributes.host target.hostname
    httpRequest.remoteIp target.ip
    protoPayload.requestMetadata.destinationAttributes.ip target.ip
    protoPayload.metadata.event.eventName.parameter.name[EMAIL_LOG_SEARCH_SMTP_RECIPIENT_IP] target.ip
    protoPayload.request.ip target.ip
    jsonPayload.connection.dest_ip target.ip
    resource.labels.region target.location.country_or_region
    protoPayload.response.region target.location.country_or_region
    protoPayload.request.body.region target.location.country_or_region
    protoPayload.request.region target.location.country_or_region
    resource.labels.region target.location.country_or_region
    jsonPayload.dest_location.country target.location.country_or_region
    jsonPayload.dest_location.continent target.location.country_or_region
    protoPayload.request.override.overrideValue target.resource.attribute.labels[request_override_value]
    protoPayload.response.overrideValue target.resource.attribute.labels[response_override_value]
    resource.labels.location target.location.name
    protoPayload.resourceOriginalState.alloweds.ports target.port
    protoPayload.requestMetadata.destinationAttributes.port target.port
    jsonPayload.connection.dest_port target.port
    protoPayload.metadata.tableCreation.table.view.query target.process.command_line
    protoPayload.metadata.jobInsertion.job.jobConfig.queryConfig.query target.process.command_line
    protoPayload.serviceData.jobQueryRequest.query target.process.command_line
    protoPayload.serviceData.tableInsertResponse.resource.view.query target.process.command_line
    protoPayload.metadata.jobChange.job.jobConfig.queryConfig.query target.process.command_line
    protoPayload.metadata.tableChange.jobName target.process.pid
    protoPayload.metadata.tableCreation.jobName target.process.pid
    protoPayload.request.networkInterfaces[].subnetwork target.resource_ancestors.name
    protoPayload.request.body.instanceUid target.resource_ancestors.product_object_id
    protoPayload.response.instanceUid target.resource_ancestors.product_object_id
    protoPayload.request.disk[].mode target.resource_ancestors.attributes.permission.name
    protoPayload.request.disk[].autoDelete target.resource_ancestors.attributes.permission.name
    protoPayload.response.project_id target.resource_ancestors.id
    protoPayload.response.targetProject target.resource_ancestors.name
    protoPayload.request.target target.resource_ancestors.name
    protoPayload.resourceName target.resource_ancestors.name 如果 protoPayload.methodName 日志字段值与正则表达式 (CreateServiceAccount, CreateWorkloadIdentityPool, CreateWorkloadIdentityPoolProvider, managedZones.create, changes.create, resourceRecordSets.create, responsePolicies.create, responsePolicyRules.create, policies.create, CreateRole, CreatePolicy, CreateServiceAccountKey, CreateWorkforcePool, CreateWorkforcePoolProvider) 匹配,则 protoPayload.resourceName 日志字段会映射到 target.resource_ancestors.name UDM 字段。
    protoPayload.resource.role_name target.resource_ancestors.name
    protoPayload.request.parent target.resource_ancestors.name
    protoPayload.request.disks[].deviceName target.resource_ancestors.name
    protoPayload.request.network target.resource_ancestors.name
    resource.labels.project_id target.cloud.project.name
    resource.labels.project_id target.resource_ancestors.name
    protoPayload.request.disk[].type target.resource_ancestors.resource_subtype 如果 protoPayload.request.cluster.subnetwork 日志字段值不为空,则 target.resource_ancestors.resource_subtype UDM 字段设置为 subnetwork

    如果 protoPayload.request.cluster.network 日志字段值不为空,则 target.resource_ancestors.resource_subtype UDM 字段设置为 network

    如果 protoPayload.request.cluster.nodePools.name 日志字段值不为空,则 target.resource_ancestors.resource_subtype UDM 字段设置为 nodepool
    resource.location target.resource.attribute.cloud.availability_zone
    resourceLocation.currentLocations target.resource.attribute.cloud.availability_zone
    resource.labels.zone target.resource.attribute.cloud.availability_zone
    protoPayload.request.body.settings.locationPreference.zone target.resource.attribute.cloud.availability_zone
    protoPayload.metadata.tableChange.table.createTime target.resource.attribute.creation_time
    protoPayload.metadata.tableCreation.table.createTime target.resource.attribute.creation_time
    protoPayload.resourceOriginalState.creationTimestamp target.resource.attribute.creation_time
    protoPayload.response.insertTime target.resource.attribute.creation_time
    protoPayload.metadata.tableChange.table.updateTime target.resource.attribute.last_update_time
    protoPayload.metadata.tableCreation.table.updateTime target.resource.attribute.last_update_time
    protoPayload.serviceData.policyDelta.auditConfigDeltas[].logType target.resource.attribute.permissions.type
    request.role.title target.resource.attribute.roles.name
    protoPayload.request.role.included_permissions[] target.resource.attributes.permission.name
    protoPayload.request.role.description target.resource.attributes.roles.description
    protoPayload.resource.labels.firewall_rule_id target.resource.id
    protoPayload.resourceName target.resource.name 如果 protoPayload.resourceName 日志字段值为空,则 protoPayload.resourceName 日志字段会映射到 target.resource.name UDM 字段。
    protoPayload.resource.labels.role_name target.resource.name 如果 protoPayload.methodName 日志字段值等于 google.iam.admin.v1.CreateRole,则 protoPayload.resource.labels.role_name 日志字段会映射到 target.resource.name UDM 字段。
    protoPayload.resource.role_name target.resource.name
    protoPayload.request.service_account.display_name target.resource.name
    protoPayload.request.workloadIdentityPool.displayName target.resource.name
    protoPayload.request.name target.resource.name 如果 protoPayload.methodName 日志字段值等于 beta.compute.instances.insert,则 protoPayload.request.name 日志字段会映射到 target.resource.name UDM 字段。
    protoPayload.request.cluster.name target.resource.name
    protoPayload.metadata.tableCreation.table.tableName target.resource.name
    protoPayload.metadata.datasetCreation.dataset.datasetName target.resource.name
    jsonPayload.accessApprovals[] target.resource.name
    jsonPayload.resource.name target.resource.name
    resource.labels.email_id target.resource.name 如果 resource.labels.email_id 日志字段值不为空,则 resource.labels.email_id 日志字段会映射到 target.resource.name UDM 字段。
    protoPayload.request.accessLevel.title target.resource.name
    resource.discoveryName target.resource.name
    protoPayload.response.name target.resource.name
    protoPayload.request.name target.resource.name
    resource.labels.network_id target.resource.name
    request.cluster.name target.resource.name
    resource.labels.cluster_name target.resource.name
    protoPayload.metadata.tableChange.table.tableName target.resource.name
    resource.labels.function_name target.resource.name 如果 resource.type 日志字段值与正则表达式 cloud_function 匹配,则 resource.labels.function_name 日志字段会映射到 target.resource.name UDM 字段。
    resource.parent target.resource.parent
    resource.labels.bucket_name target.resource.parent 如果 resource.type 日志字段值等于 gcs_bucket,则 resource.labels.bucket_name 日志字段会映射到 target.resource.parent UDM 字段。
    resource.labels.dataset_id target.resource.product_object_id
    resource.labels.instance_group_id target.resource.product_object_id
    resource.labels.subnetwork_id target.resource.product_object_id
    resource.labels.firewall_rule_id target.resource.product_object_id
    resource.labels.forwarding_rule_id target.resource.product_object_id
    resource.labels.network_id target.resource.product_object_id
    resource.labels.unique_id target.resource.product_object_id
    protoPayload.metadata.event.eventName.parameter.name[RESOURCE_IDENTIFIER] target.resource.product_object_id
    protoPayload.metadata.event.eventName.parameter.name[SHARED_DRIVE_ID] target.resource.product_object_id
    protoPayload.response.unique_id target.resource.product_object_id 如果 protoPayload.methodName 日志字段值与正则表达式 (CreateServiceAccount, CreateWorkloadIdentityPool, CreateWorkloadIdentityPoolProvider, managedZones.create, changes.create, resourceRecordSets.create, responsePolicies.create, responsePolicyRules.create, policies.create, CreateRole, CreatePolicy, CreateServiceAccountKey, CreateWorkforcePool, CreateWorkforcePoolProvider) 匹配,则 protoPayload.response.unique_id 日志字段会映射到 target.resource.product_object_Id UDM 字段。
    protoPayload.request.account_id target.resource.product_object_id
    protoPayload.request.role_id target.resource.product_object_id 如果 protoPayload.methodName 日志字段值等于 google.iam.admin.v1.CreateRole,则 protoPayload.request.role_id 日志字段会映射到 target.resource.product_object_id UDM 字段。
    protoPayload.request.workloadIdentityPoolId target.resource.product_object_id
    jsonPayload.resource.id target.resource.product_object_id
    resource.labels.instance_id target.resource.product_object_id
    resource.data.uniqueId target.resource.product_object_id
    protoPayload.request.workloadIdentityPoolProviderId target.resource.product_object_id
    protoPayload.request.machineType target.resource.resource_subtype
    resource.type target.resource.resource_subtype
    target.resource.resource_type 如果resource.type日志字段值与正则表达式gce_(firewall or forwarding_rule)匹配,target.resource.resource_type1resource.typeresource.typeresource.typeresource.typeresource.typeresource.typeresource.typeresource.typeresource.typeresource.typeresource.typeresource.typetarget.resource.resource_typetarget.resource.resource_typetarget.resource.resource_typetarget.resource.resource_typetarget.resource.resource_typetarget.resource.resource_typetarget.resource.resource_typetarget.resource.resource_typetarget.resource.resource_typetarget.resource.resource_typetarget.resource.resource_typetarget.resource.resource_typetarget.resource.resource_typeFIREWALL_RULE

























    gce_(subnetwork or network)VPC_NETWORKdataprocCLUSTERCLUSTERk8s or gke_gce_backend_serviceBACKEND_SERVICE(gce_ or dns_query)VIRTUAL_MACHINEgcs_bucketSTORAGE_BUCKETbigqueryDATABASEDATABASEcloudsqlservice_accountSERVICE_ACCOUNTprojectCLOUD_PROJECTorganizationCLOUD_ORGANIZATIONcloud_functionFUNCTIONUNSPECIFIED
    protoPayload.response.targetLink target.url
    protoPayload.metadata.event.eventName.parameter.name[WEB_ADDRESS] target.url
    protoPayload.request.httpRequest.url target.url
    resource.discoveryDocumentUri target.url
    httpRequest.requestUrl target.url
    protoPayload.request.role.included_permissions[] target.user.attribute.permissions.name
    protoPayload.metadata.event.eventName.parameter.name[ROLE_ID] target.user.attribute.roles.description 如果 protoPayload.metadata.event.eventName.parameter.name 日志字段值等于 ROLE_ID,则 Role_ID - protoPayload.metadata.event.eventName.parameter.value 日志字段会映射到 target.user.attribute.roles.description UDM 字段。
    protoPayload.response.bindings[].role target.user.attribute.roles.name
    protoPayload.metadata.event.eventName.parameter.name[ROLE_NAME] target.user.attribute.roles.name
    protoPayload.request.serviceAccounts[].email target.user.email_addresses
    protoPayload.metadata.event.eventName.parameter.value target.user.email_addresses 如果 protoPayload.metadata.event.eventName.parameter.value 日志字段值为空,并且 protoPayload.metadata.event.eventName 日志字段值等于 USER_EMAILEMAIL_MONITOR_DEST_EMAILDESTINATION_USER_EMAIL,则 protoPayload.metadata.event.eventName.parameter.value 日志字段会映射到 target.user.email_addresses UDM 字段。
    protoPayload.metadata.event.eventName.parameter.name[NEW_VALUE] target.user.first_name 如果 protoPayload.metadata.event.eventName 日志字段值等于 FIRST_NAME,并且 protoPayload.metadata.event.eventName.parameter.name 日志字段值等于 NEW_VALUE,则 protoPayload.metadata.event.eventName.parameter.value 日志字段会映射到 target.user.first_name UDM 字段。
    protoPayload.request.personIdentifier.canonicalPersonId target.user.group_identifiers
    protoPayload.metadata.event.eventName.parameter.name[NEW_VALUE] target.user.last_name 如果 protoPayload.metadata.event.eventName 日志字段值等于 LAST_NAME,并且 protoPayload.metadata.event.eventName.parameter.name 日志字段值等于 NEW_VALUE,则 protoPayload.metadata.event.eventName.parameter.value 日志字段会映射到 target.user.last_name UDM 字段。
    protoPayload.metadata.event.eventName.parameter.name[NEW_VALUE] target.user.user_display_name 如果 protoPayload.metadata.event.eventName 日志字段值等于 RENAME_USER,那么如果 protoPayload.metadata.event.eventName.parameter.name 日志字段值等于 NEW_VALUE,则 protoPayload.metadata.event.eventName.parameter.value 日志字段会映射到 target.user.user_display_name UDM 字段。
    protoPayload.response.user target.user.userid
    protoPayload.metadata.event.eventName.parameter.name[USER_EMAIL] target.user.userid 如果 protoPayload.metadata.event.eventName 日志字段值等于 CREATE_EMAIL_MONITORCREATE_DATA_TRANSFER_REQUEST,那么如果 protoPayload.metadata.event.eventName.parameter.name 日志字段值等于 USER_EMAIL,则 protoPayload.metadata.event.eventName.parameter.value 日志字段会映射到 principal.user.userid UDM 字段。

    如果 protoPayload.metadata.event.eventName.parameter.name 日志字段值等于 USER_EMAIL,那么 protoPayload.metadata.event.eventName.parameter.value 日志字段会映射到 target.user.userid UDM 字段。
    protoPayload.metadata.event.eventName.parameter.name[EMAIL_MONITOR_DEST_EMAIL] target.user.userid
    protoPayload.metadata.event.eventName.parameter.name[DESTINATION_USER_EMAIL] target.user.userid
    protoPayload.request.user target.user.userid
    protoPayload.serviceData.policyDelta.bindingDeltas[].member target.user.userid
    protoPayload.request.objects.db about.labels [database_name](已弃用)
    jsonPayload.accesses[].methodName about.labels [methodName](已弃用)
    protoPayload.request.objects.name about.labels [objects_name](已弃用)
    protoPayload.metadata.event.eventName.parameter.name[API_CLIENT_NAME] about.labels[api_client_name](已弃用)
    protoPayload.metadata.event.eventName.parameter.name[API_SCOPES] about.labels[api_scopes](已弃用)
    protoPayload.metadata.event.eventName.parameter.name[BEGIN_DATE_TIME] about.labels[begin_date_time](已弃用)
    protoPayload.metadata.event.eventName.parameter.name[BULK_UPLOAD_FAIL_USERS_NUMBER] about.labels[bulk_upload_fail_users_number](已弃用)
    protoPayload.metadata.event.eventName.parameter.name[BULK_UPLOAD_TOTAL_USERS_NUMBER] about.labels[bulk_upload_total_users_number](已弃用)
    protoPayload.metadata.event.eventName.parameter.name[CAA_ASSIGNMENTS_NEW] about.labels[caa_assignments_new](已弃用)
    protoPayload.metadata.event.eventName.parameter.name[CAA_ASSIGNMENTS_OLD] about.labels[caa_assignments_old](已弃用)
    protoPayload.metadata.event.eventName.parameter.name[CAA_ENFORCEMENT_ENDPOINTS_NEW] about.labels[caa_enforcement_endpoints_new](已弃用)
    protoPayload.metadata.event.eventName.parameter.name[CAA_ENFORCEMENT_ENDPOINTS_OLD] about.labels[caa_enforcement_endpoints_old](已弃用)
    protoPayload.requestMetadata.requestAttributes.size about.labels[caller_network_request_size](已弃用)
    protoPayload.requestMetadata.requestAttributes.time about.labels[caller_network_request_time](已弃用)
    protoPayload.requestMetadata.callerNetwork about.labels[caller_network](已弃用)
    protoPayload.requestMetadata.requestAttributes.size principal.labels[caller_network_request_size](已弃用)
    protoPayload.requestMetadata.requestAttributes.time principal.labels[request_attributes_time](已弃用)
    protoPayload.requestMetadata.callerNetwork principal.labels[caller_network](已弃用)
    protoPayload.metadata.event.eventName.parameter.name[CHROME_LICENSES_ENABLED] about.labels[chrome_licenses_enabled](已弃用)
    protoPayload.metadata.event.eventName.parameter.name[END_DATE_TIME] about.labels[end_date_time](已弃用)
    protoPayload.metadata.event.eventName.parameter.name[END_DATE] about.labels[end_date](已弃用)
    protoType.metadata.event[].eventName about.labels[event_name](已弃用)
    protoPayload.metadata.event.parameter[].label about.labels[event_param_label](已弃用)
    protoPayload.metadata.event.parameter[].type about.labels[event_param_type](已弃用)
    protoType.metadata.event[].eventType about.labels[event_type](已弃用)
    protoPayload.metadata.event.eventName.parameter.name[FIELD_NAME] about.labels[field_name](已弃用)
    protoPayload.metadata.event.eventName.parameter.name[FULL_ORG_UNIT_PATH] about.labels[full_org_unit_path](已弃用)
    protoPayload.metadata.event.eventName.parameter.name[GROUP_MEMBER_BULK_UPLOAD_FAILED_NUMBER] about.labels[grp_member_bulk_upload_failed](已弃用)
    protoPayload.metadata.event.eventName.parameter.name[GROUP_MEMBER_BULK_UPLOAD_TOTAL_NUMBER] about.labels[grp_member_bulk_upload_total](已弃用)
    httpRequest.cacheFillBytes about.labels[httpreq_cache_fill_bytes](已弃用)
    httpRequest.cacheHit about.labels[httpreq_cache_hit](已弃用)
    httpRequest.cacheLookup about.labels[httpreq_cache_lookup](已弃用)
    httpRequest.cacheValidatedWithOriginServer about.labels[httpreq_cache_validated_with_origin_server](已弃用)
    httpRequest.latency about.labels[httprequest_latency](已弃用)
    protoPayload.metadata.event.eventName.parameter.name[INFO_TYPE] about.labels[info_type](已弃用)
    protoPayload.metadata.activityId.timeUsec about.labels[metadata_activityId_time_usec](已弃用)
    protoPayload.metadata.activityId.uniqQualifier about.labels[metadata_activityId_uniq_qualifier](已弃用)
    protoPayload.metadata.@type about.labels[metadata_type](已弃用)
    protoPayload.metadata.event.eventName.parameter.name[NEW_PERMISSION_GRANT_STATE] about.labels[new_permission_grant_state](已弃用)
    protoPayload.metadata.event.eventName.parameter.name[NUMBER_OF_COMPANY_OWNED_DEVICES] about.labels[num_of_company_owned_device](已弃用)
    protoPayload.numResponseItems about.labels[num_response_items](已弃用)
    protoPayload.metadata.event.eventName.parameter.name[OLD_PERMISSION_GRANT_STATE] about.labels[old_permission_grant_state](已弃用)
    operation.first about.labels[operation_first](已弃用)
    operation.id about.labels[operation_id](已弃用)
    operation.last about.labels[operation_last](已弃用)
    operation.producer about.labels[operation_producer](已弃用)
    protoPayload.resourceOriginalState.selfLinkWithId about.labels[rc_old_selflinkWithId](已弃用)
    protoPayload.metadata.event.eventName.parameter.name[REAUTH_SETTING_NEW] about.labels[reauth_setting_new](已弃用)
    protoPayload.metadata.event.eventName.parameter.name[REAUTH_SETTING_OLD] about.labels[reauth_setting_old](已弃用)
    protoPayload.request.alloweds[].ports about.labels[req_alloweds_ports](已弃用)
    protoPayload.request.body.name about.labels[req_body_name](已弃用)
    protoPayload.request.body.settings.activityPolicy about.labels[req_body_settings_activity_policy](已弃用)
    protoPayload.request.deletionProtection about.labels[req_deletion_protection](已弃用)
    protoPayload.request.disabled about.labels[req_disabled](已弃用)
    protoPayload.request.displayDevice.enableDisplay about.labels[req_display_device_enable_display](已弃用)
    protoPayload.request.enableFlowLogs about.labels[req_enable_flow_logs](已弃用)
    protoPayload.request.fingerprint about.labels[req_fingerprint](已弃用)
    protoPayload.request.shieldedInstanceConfig.enableSecureBoot about.labels[req_instance_config_enable_secure_boot](已弃用)
    protoPayload.request.shieldedInstanceConfig.enableVtpm about.labels[req_instance_config_enable_vtpm](已弃用)
    protoPayload.request.shieldedInstanceConfig.enableIntegrityMonitoring about.labels[req_instance_enable_integrity_monitoring](已弃用)
    protoPayload.request.key_types[] about.labels[req_key_types](已弃用)
    protoPayload.request.logconfig.enable about.labels[req_logconfig_enable](已弃用)
    protoPayload.request.networkTier about.labels[req_network_tier](已弃用)
    protoPayload.request.network about.labels[req_network](已弃用)
    protoPayload.request.page_size about.labels[req_page_size](已弃用)
    request.pagesize about.labels[req_page_size](已弃用)
    protoPayload.request.policy.etag about.labels[req_policy_etag](已弃用)
    protoPayload.request.portRange about.labels[req_port_range](已弃用)
    protoPayload.request.privateIpGoogleAccess about.labels[req_private_ip_google_access](已弃用)
    protoPayload.request.private_key_type about.labels[req_private_key_type](已弃用)
    protoPayload.request.remove_deleted_service_accounts about.labels[req_remove_deleted_serviceAcc](已弃用)
    protoPayload.request.showDeleted about.labels[req_show_deleted](已弃用)
    protoPayload.request.skip_visibility_check about.labels[req_skip_visibility_check](已弃用)
    protoPayload.request.stackType about.labels[req_stack_type](已弃用)
    protoPayload.request.type about.labels[req_type](已弃用)
    protoPayload.request.updateMask about.labels[req_update_mask](已弃用)
    protoPayload.request.version about.labels[req_version](已弃用)
    protoPayload.response.clientOperationId about.labels[res_client_operation_id](已弃用)
    protoPayload.response.endTime about.labels[res_end_time](已弃用)
    protoPayload.response.id about.labels[res_id](已弃用)
    protoPayload.response.key_algorithm about.labels[res_key_algorithm](已弃用)
    protoPayload.response.key_origin about.labels[res_key_origin](已弃用)
    protoPayload.response.key_type about.labels[res_key_type](已弃用)
    protoPayload.response.kind about.labels[res_kind](已弃用)
    protoPayload.response.private_key_type about.labels[res_private_key_type](已弃用)
    protoPayload.response.progress about.labels[res_progress](已弃用)
    protoPayload.response.startTime about.labels[res_start_time](已弃用)
    protoPayload.response.status about.labels[res_status](已弃用) 如果 protoPayload.methodName 日志字段值等于 cloudsql.instances.create,则 protoPayload.response.status 日志字段会映射到 security_result.description UDM 字段。
    protoPayload.response.type about.labels[res_type](已弃用)
    protoPayload.response.unique_id about.labels[res_unique_id](已弃用) 如果 protoPayload.methodName 日志字段值与正则表达式 (CreateServiceAccount, CreateWorkloadIdentityPool, CreateWorkloadIdentityPoolProvider, managedZones.create, changes.create, resourceRecordSets.create, responsePolicies.create, responsePolicyRules.create, policies.create, CreateRole, CreatePolicy, CreateServiceAccountKey, CreateWorkforcePool, CreateWorkforcePoolProvider) 匹配,则 protoPayload.response.unique_id 日志字段会映射到 target.resource.product_object_id UDM 字段。
    protoPayload.response.valid_after_time.seconds about.labels[res_valid_after_time](已弃用)
    protoPayload.response.valid_before_time.seconds about.labels[res_valid_before_time](已弃用)
    protoPayload.response.version about.labels[res_version](已弃用)
    protoPayload.response.zone about.labels[res_zone](已弃用)
    protoPayload.metadata.event.eventName.parameter.name[SEARCH_QUERY_FOR_DUMP] about.labels[search_query_for_dump](已弃用)
    spanId about.labels[span_id](已弃用)
    protoPayload.metadata.event.eventName.parameter.name[START_DATE] about.labels[start_date](已弃用)
    traceSampled about.labels[trace_sampled](已弃用)
    Trace about.labels[trace](已弃用)
    protoPayload.@type about.labels[type](已弃用)
    protoPayload.metadata.instanceMetadataDelta.addedMetadataKeys metadata.ingestion_labels [instance_metadata_key_added]
    protoPayload.metadata.instanceMetadataDelta.deletedMetadataKeys metadata.ingestion_labels [instance_metadata_key_deletion]
    protoPayload.metadata.instanceMetadataDelta.modifiedMetadataKeys metadata.ingestion_labels [instance_metadata_key_modification]
    protoPayload.metadata.projectMetadataDelta.addedMetadataKeys metadata.ingestion_labels [AddedMetadataKeys]
    protoPayload.metadata.projectMetadataDelta.deletedMetadataKeys metadata.ingestion_labels [DeletedMetadataKeys]
    protoPayload.metadata.projectMetadataDelta.modifiedMetadataKeys metadata.ingestion_labels [ModifiedMetadataKeys]
    protoPayload.redactions.reason principal.labels [protoPayload.redactions.field](已弃用)
    protoPayload.redactions.type principal.labels [protoPayload.redactions.field](已弃用)
    authenticationInfo.serviceAccountDelegationInfo.firstPartyPrincipal.serviceMetadata principal.labels [service_metadata](已弃用)
    jsonPayload.sourceNetwork principal.labels [source_network](已弃用)
    authenticationInfo.serviceAccountDelegationInfo.thirdPartyPrincipal.thirdPartyClaims principal.labels [third_party_claims](已弃用)
    protoPayload.requestMetadata.requestAttributes.time principal.labels[caller_network_request_time](已弃用)
    protoPayload.request.description principal.labels[req_description](已弃用)
    protoPayload.request.ipCidrRange principal.labels[req_ip_cidr_range](已弃用)
    protoPayload.request.sourceRanges[] principal.labels[req_source_ranges](已弃用)
    protoPayload.requestMetadata.requestAttributes.reason principal.labels[request_attributes_reason](已弃用)
    protoPayload.authenticationInfo.thirdPartyPrincipal principal.labels[third_party_principal](已弃用)
    protoPayload.authenticationInfo.principalSubject principal.user.userid 如果 protoPayload.authenticationInfo.principalSubject 日志字段值不为空,系统会使用 Grok 模式从 protoPayload.authenticationInfo.principalSubject 日志字段提取 new_user_id,并映射到 principal.user.userid UDM 字段。
    protoPayload.authenticationInfo.principalSubject principal.user.email_addresses 如果 protoPayload.authenticationInfo.principalSubject 日志字段值为空,则系统会使用 Grok 模式从 protoPayload.authenticationInfo.principalSubject 日志字段中提取 new_email_id,并将其映射到 principal.user.email_addresses UDM 字段。
    protoPayload.authenticationInfo.serviceAccountDelegationInfo.principalSubject principal.user.attribute.labels[access_serviceAcc_principalSubject]
    protoPayload.response.oauth2_client_id principal.user.attribute.labels[response_oauth2_client_id]
    protoPayload.authorizationInfo.resourceAttributes.service principal.resource.attribute.labels[authorization_info_rcService]
    protoPayload.authorizationInfo.granted principal.user.attributes.labels[authorization_granted]
    protoPayload.request.cryptoKey.versionTemplate.algorithm security_result.detection_fields [algorithm]
    protoPayload.response.details[].@type security_result.detection_fields [details_type]
    protoPayload.request.cryptoKey.nextRotationTime security_result.detection_fields [next_rotation_time]
    protoPayload.request.cryptoKey.versionTemplate.protectionLevel security_result.detection_fields [protection_level]
    protoPayload.request.body.settings.ipConfiguration.authorizedNetworks.value security_result.detection_fields [protoPayload.request.body.settings.ipConfiguration.authorizedNetworks.kind]
    protoPayload.request.cryptoKey.purpose security_result.detection_fields [purpose]
    protoPayload.resourceName security_result.detection_fields [resource_name]
    protoPayload.authorizationInfo.resource security_result.detection_fields [resource]
    protoPayload.response.code security_result.detection_fields [response_code]
    protoPayload.request.cryptoKey.rotationPeriod security_result.detection_fields [rotation_period]
    protoPayload.metadata.securityPolicyInfo.organizationId security_result.detection_fields [securityPolicyInfo.organizationId]
    protoPayload.request.serviceAccounts[].scopes security_result.detection_fields [service_account_scope]
    protoPayload.response.details[].violations[].subject security_result.detection_fields [violation_subject]
    protoPayload.response.details[].violations[].type security_result.detection_fields [violation_type]
    protoPayload.metadata.event.eventName.parameter.name[ACTION_ID] security_result.detection_fields[action_id]
    protoPayload.serviceData.policyDelta.auditConfigDeltas[].action security_result.detection_fields[action]
    protoPayload.metadata.event.eventName.parameter.name[ALERT_NAME] security_result.detection_fields[alert_name]
    protoPayload.metadata.event.eventName.parameter.name[ALLOWED_TWO_STEP_VERIFICATION_METHOD] security_result.detection_fields[allowed_two_step_verification_method]
    protoPayload.requestMetadata.callerNetwork.requestAttributes.reason security_result.detection_fields[caller_network_request_reason]
    protoPayload.metadata.event.eventName.parameter.name[is_second_factor] security_result.detection_fields[is_second_factor] 如果 protoPayload.metadata.event.eventName 日志字段值等于 login_verification,并且 protoPayload.metadata.event.eventName.parameter.name 日志字段值等于 is_second_factor,则 protoPayload.metadata.event.eventName.parameter.value 日志字段会映射到 security_result.detection_fields.value UDM 字段。
    protoPayload.metadata.event.eventName.parameter.name[is_suspicious] security_result.detection_fields[is_suspicious] 如果 protoPayload.metadata.event.eventName 日志字段值等于 login_success,并且 protoPayload.metadata.event.eventName.parameter.name 日志字段值等于 is_suspicious,则 protoPayload.metadata.event.eventName.parameter.value 日志字段会映射到 security_result.detection_fields.value UDM 字段。
    protoPayload.metadata.event.eventName.parameter.name[login_failure_type] security_result.detection_fields[login_failure_type] 如果 protoPayload.metadata.event.eventName 日志字段值等于 login_failure,并且 protoPayload.metadata.event.eventName.parameter.name 日志字段值等于 login_failure_type,则 protoPayload.metadata.event.eventName.parameter.value 日志字段会映射到 security_result.detection_fields.value UDM 字段。
    protoPayload.metadata.event.eventName.parameter.name[login_type] security_result.detection_fields[login_type] 如果 protoPayload.metadata.event.eventName 日志字段值等于 login_failurelogin_challengelogin_verificationlogin_successlogout,那么如果 protoPayload.metadata.event.eventName.parameter.name 日志字段值等于 login_type,则 protoPayload.metadata.event.eventName.parameter.value 日志字段将映射到 about.labels.value UDM 字段。
    protoPayload.request.bindings.members[] security_result.detection_fields[members]
    protoPayload.policyViolationInfo.orgPolicyViolationInfo.violationInfo.checkedValue security_result.detection_fields[policy_violation_checked_value]
    protoPayload.policyViolationInfo.orgPolicyViolationInfo.violationInfo.constraint security_result.detection_fields[policy_violation_constraint]
    protoPayload.policyViolationInfo.orgPolicyViolationInfo.resourceTags security_result.detection_fields[policy_violation_resource_tags]
    protoPayload.policyViolationInfo.orgPolicyViolationInfo.resourceType security_result.detection_fields[policy_violation_resource_type]
    protoPayload.metadata.event.eventName.parameter.name[QUARANTINE_NAME] security_result.detection_fields[quarantine_name]
    protoPayload.resourceOriginalState.logconfig.enable security_result.detection_fields[rc_orgState_logconfig_enable]
    protoPayload.request.alloweds[].ports security_result.detection_fields[req_alloweds_ports]
    protoPayload.response.error.errors[].domain security_result.detection_fields[res_error_domain]
    protoPayload.resourceOriginalState.direction security_result.detection_fields[resource_original_state_direction]
    protoPayload.authenticationInfo.serviceAccountKeyName security_result.detection_fields[service_account_key_name]
    Referred this from Default parser. security_result.detection_fields[SERVICE]
    protoPayload.status.details.type security_result.detection_fields[status_details_type]
    protoPayload.status.details.violations.subject security_result.detection_fields[status_details_violation_subject]
    protoPayload.status.details.violations.type security_result.detection_fields[status_details_violation_type]
    sourceLocation.function src.labels[src_location_function]
    sourceLocation.line src.labels[src_location_line]
    protoPayload.metadata.event.eventName.parameter.name[DEVICE_NEW_STATE] target.asset.attribute.labels[dvc_new_state]
    protoPayload.metadata.event.eventName.parameter.name[DEVICE_PREVIOUS_STATE] target.asset.attribute.labels[dvc_previous_state]
    protoPayload.metadata.event.eventName.parameter.name[DEVICE_TYPE] target.asset.attribute.labels[dvc_type]
    protoPayload.metadata.event.eventName.parameter.name[MANAGED_CONFIGURATION_NAME] target.asset.attribute.labels[managed_config_name]
    protoPayload.metadata.event.eventName.parameter.name[MOBILE_APP_PACKAGE_ID] target.asset.attribute.labels[mobile_app_package_id]
    protoPayload.metadata.event.eventName.parameter.name[MOBILE_CERTIFICATE_COMMON_NAME] target.asset.attribute.labels[mobile_certificate_common_name]
    protoPayload.metadata.event.eventName.parameter.name[MOBILE_WIRELESS_NETWORK_NAME] target.asset.attribute.labels[mobile_wireless_network_name]
    protoPayload.metadata.event.eventName.parameter.name[PLAY_FOR_WORK_MDM_VENDOR_NAME] target.asset.attribute.labels[play_for_work_mdm_vendor_name]
    protoPayload.metadata.event.eventName.parameter.name[PLAY_FOR_WORK_TOKEN_ID] target.asset.attribute.labels[play_for_work_token_id]
    resource.labels.instance_id target.asset.attribute.labels[rc_instance_id]
    protoPayload.metadata.event.eventName.parameter.name[SKU_NAME] target.asset.attribute.labels[sku_name]
    protoPayload.response.targetId target.asset.attribute.labels[target_id] 如果 protoPayload.methodName 日志字段值等于 cloudsql.instances.create,则 protoPayload.response.targetId 日志字段会映射到 target.asset.attribute.labels.value UDM 字段。
    resource.labels.backend_service_name target.labels [backend_service_name](已弃用)
    protoPayload.requestMetadata.requestAttributes.auth.claims target.labels [request_auth_claims](已弃用)
    protoPayload.metadata.event.eventName.parameter.name[APPLICATION_EDITION] target.labels[application_edition](已弃用)
    protoPayload.metadata.event.eventName.parameter.name[ASP_ID] target.labels[asp_id](已弃用)
    protoPayload.metadata.event.eventName.parameter.name[CHROME_OS_SESSION_TYPE] target.labels[chrome_os_session_type](已弃用)
    protoPayload.metadata.event.eventName.parameter.name[DEVICE_NEW_ORG_UNIT] target.labels[device_new_org_unit](已弃用)
    protoPayload.metadata.event.eventName.parameter.name[DEVICE_PREVIOUS_ORG_UNIT] target.labels[device_previous_org_unit](已弃用)
    protoPayload.metadata.event.eventName.parameter.name[DOMAIN_ALIAS] target.labels[domain_alias](已弃用)
    protoPayload.metadata.event.eventName.parameter.name[EMAIL_EXPORT_INCLUDE_DELETED] target.labels[email_export_include_deleted](已弃用)
    protoPayload.metadata.event.eventName.parameter.name[EMAIL_EXPORT_PACKAGE_CONTENT] target.labels[email_export_package_content](已弃用)
    protoPayload.metadata.event.eventName.parameter.name[EMAIL_LOG_SEARCH_END_DATE] target.labels[email_log_search_end_date](已弃用)
    protoPayload.metadata.event.eventName.parameter.name[EMAIL_LOG_SEARCH_START_DATE] target.labels[email_log_search_start_date](已弃用)
    protoPayload.metadata.event.eventName.parameter.name[EMAIL_MONITOR_LEVEL_CHAT] target.labels[email_monitor_level_chat](已弃用)
    protoPayload.metadata.event.eventName.parameter.name[EMAIL_MONITOR_LEVEL_DRAFT_EMAIL] target.labels[email_monitor_level_draft_email](已弃用)
    protoPayload.metadata.event.eventName.parameter.name[EMAIL_MONITOR_LEVEL_INCOMING_EMAIL] target.labels[email_monitor_level_in_email](已弃用)
    protoPayload.metadata.event.eventName.parameter.name[EMAIL_MONITOR_LEVEL_OUTGOING_EMAIL] target.labels[email_monitor_level_out_email](已弃用)
    protoPayload.metadata.event.eventName.parameter.name[GMAIL_RESET_REASON] target.labels[email_reset_reason](已弃用)
    protoPayload.metadata.event.eventName.parameter.name[NEW_VALUE] target.labels[new_value](已弃用)
    protoPayload.metadata.event.eventName.parameter.name[OAUTH2_APP_TYPE] target.labels[oauth2_app_type](已弃用)
    protoPayload.metadata.event.eventName.parameter.name[OLD_VALUE] target.labels[old_value](已弃用)
    protoPayload.requestMetadata.destinationAttributes.principal target.labels[peer_principal](已弃用)
    protoPayload.requestMetadata.destinationAttributes.regionCode target.labels[peer_region_code](已弃用)
    protoPayload.request.loadBalancingScheme target.labels[req_load_balancing_scheme](已弃用)
    protoPayload.request.requestId target.labels[request_id](已弃用)
    protoPayload.metadata.event.eventName.parameter.name[REQUEST_ID] target.labels[request_id](已弃用)
    protoPayload.resourceOriginalState.description target.labels[res_originalState_description](已弃用)
    protoPayload.response.bindings[].members[] target.labels[response_bindings_members](已弃用)
    protoPayload.response.description target.labels[response_description](已弃用)
    protoPayload.response.display_name target.labels[response_display_name](已弃用)
    protoPayload.metadata.event.eventName.parameter.name[SECONDARY_DOMAIN_NAME] target.labels[secondary_domain_name](已弃用)
    protoPayload.metadata.event.eventName.parameter.name[SETTING_NAME] target.labels[setting_name](已弃用)
    protoPayload.metadata.event.eventName.parameter.name[USER_CUSTOM_FIELD] target.labels[user_custom_field](已弃用)
    protoPayload.metadata.event.eventName.parameter.name[USER_DEFINED_SETTING_NAME] target.labels[user_defined_setting_name](已弃用)
    protoPayload.metadata.event.eventName.parameter.name[WEB_ORIGIN] target.labels[web_origin](已弃用)
    protoPayload.metadata.event.eventName.parameter.name[WHITELISTED_GROUPS] target.labels[whitelisted_groups](已弃用)
    protoPayload.metadata.event.eventName.parameter.name[APP_LICENSES_ORDER_NUMBER] target.asset.labels[app_licenses_order_number]
    protoPayload.metadata.event.eventName.parameter.name[CHROME_NUM_LICENSES_PURCHASED] target.asset.labels[chrome_num_licenses_purchased]
    protoPayload.metadata.event.eventName.parameter.name[DEVICE_COMMAND_DETAILS] target.asset.labels[device_command_details]
    protoPayload.metadata.event.eventName.parameter.name[DIRECTORY_API_ID] target.asset.labels[directory_api_id]
    protoPayload.metadata.event.eventName.parameter.name[GROUP_PRIORITIES] target.group.attribute.labels[group_priorities]
    protoPayload.request.cluster.subnetwork target.resource_ancestor.attribute.labels[req_cls_subnetwork]
    protoPayload.request.cluster.nodePools[].autoscaling.enabled target.resource_ancestor.attribute.labels[req_clsNodePools_autoscaling_enabled]
    protoPayload.request.cluster.nodePools[].autoscaling.maxNodeCount target.resource_ancestor.attribute.labels[req_clsNodePools_autoscaling_max_node_cnt]
    protoPayload.request.cluster.nodePools[].autoscaling.minNodeCount target.resource_ancestor.attribute.labels[req_clsNodePools_autoscaling_min_node_cnt]
    protoPayload.request.cluster.nodePools[].management.autoupgrade target.resource_ancestor.attribute.labels[req_clsNodePools_autoupgrade]
    protoPayload.request.cluster.nodePools[].config.diskSizeGb target.resource_ancestor.attribute.labels[req_clsNodePools_config_disksize]
    protoPayload.request.cluster.nodePools[].config.imageType target.resource_ancestor.attribute.labels[req_clsNodePools_config_imagetype]
    protoPayload.request.cluster.nodePools[].config.machineType target.resource_ancestor.attribute.labels[req_clsNodePools_config_machinetype]
    protoPayload.request.cluster.nodePools[].config.oauthScopes[] target.resource_ancestor.attribute.labels[req_clsNodePools_config_oauth_scopes]
    protoPayload.request.cluster.nodePools[].name target.resource_ancestor.attribute.labels[req_clsNodePools_name]
    protoPayload.request.cluster.nodePools[].initialNodeCount target.resource_ancestor.attribute.labels[req_clsterNodePools_autoscaling_initial_node_cnt]
    resource.data.oauth2ClientId target.resource.attribute.labels [oauth_client_id]
    protoPayload.request.properties.confidentialInstanceConfig.enableConfidentialCompute target.resource.attribute.labels [ enable_confidential_compute]
    protoPayload.request.function.timeout target.resource.attribute.labels [ function_time_out]
    protoPayload.requestMetadata.requestAttributes.auth.accessLevels target.resource.attribute.labels [accessLevel]
    protoPayload.request.date target.resource.attribute.labels [audit_event_occurred]
    protoPayload.request.auditId target.resource.attribute.labels [audit_id]
    protoPayload.request.autoscalingPolicy.mode target.resource.attribute.labels [autoscaling_policy_mode]
    protoPayload.request.autoscalingPolicy.coolDownPeriodSec target.resource.attribute.labels [cool_down_period]
    protoPayload.request.denieds.0.IPProtocol target.resource.attribute.labels [Denied Protocol]
    protoPayload.request.destinationRanges target.resource.attribute.labels [destination_ranges]
    protoPayload.request.function.entryPoint target.resource.attribute.labels [function_entry_point]
    protoPayload.request.function.httpsTrigger.securityLevel target.resource.attribute.labels [function_httptrigger_security_level]
    protoPayload.request.function.runtime target.resource.attribute.labels [function_runtime]
    protoPayload.request.function.serviceAccountEmail target.resource.attribute.labels [function_service_account_email]
    protoPayload.request.function.sourceUploadUrl target.resource.attribute.labels [function_source_upload_url]
    protoPayload.metadata.iapEnabled target.resource.attribute.labels [iapEnabled]
    protoPayload.request.listManagedInstancesResults target.resource.attribute.labels [managed_instances_result]
    protoPayload.request.autoscalingPolicy.maxNumReplicas target.resource.attribute.labels [max_replicas]
    protoPayload.request.autoscalingPolicy.minNumReplicas target.resource.attribute.labels [min_replicas]
    protoPayload.request.msgType target.resource.attribute.labels [msg_type]
    protoPayload.metadata.oauth_client_id target.resource.attribute.labels [oauth_client_id]
    protoPayload.request.autoscalingPolicy.cpuUtilization.predictiveMethod target.resource.attribute.labels [predictive_method]
    protoPayload.request.labels.0.value target.resource.attribute.labels [protoPayload.request.labels.0.key]
    protoPayload.request.queryId target.resource.attribute.labels [query_id]
    protoPayload.request.constraint target.resource.attribute.labels [request_constraint]
    protoPayload.request.dataAccessed target.resource.attribute.labels [request_data_accessed]
    protoPayload.request.function.labels.deployment-tool target.resource.attribute.labels [request_deployment_tool]
    protoPayload.request.properties.description target.resource.attribute.labels [request_description]
    protoPayload.request.function.name target.resource.attribute.labels [request_function_name]
    protoPayload.request.location target.resource.attribute.labels [request_location]
    protoPayload.request.policy.constraint target.resource.attribute.labels [request_policy_constraint]
    protoPayload.request.@type target.resource.attribute.labels [request_type]
    protoPayload.request.cmd target.resource.attribute.labels [sql_operation_type ]
    protoPayload.request.threadId target.resource.attribute.labels [thread_id]
    protoPayload.metadata.unsatisfied_access_levels target.resource.attribute.labels [unsatisfied_access_levels]
    protoPayload.request.autoscalingPolicy.cpuUtilization.utilizationTarget target.resource.attribute.labels [utilization_target]
    protoPayload.request.body.settings.backupConfiguration.binaryLogEnabled target.resource.attribute.labels[backup_config_binarylog_enabled]
    protoPayload.request.body.settings.backupConfiguration.enabled target.resource.attribute.labels[backup_config_enabled]
    protoPayload.request.body.settings.backupConfiguration.transactionLogRetentionDays target.resource.attribute.labels[backup_config_logRetention_days]
    protoPayload.request.body.settings.backupConfiguration.pointInTimeRecoveryEnabled target.resource.attribute.labels[backup_config_point_in_time_recovery_enabled]
    protoPayload.request.body.settings.backupConfiguration.backupRetentionSettings.retainedBackups target.resource.attribute.labels[backup_config_retention_settings_retained_backups]
    protoPayload.request.body.settings.backupConfiguration.backupRetentionSettings.retentionUnit target.resource.attribute.labels[backup_config_retention_settings_unit]
    protoPayload.request.body.settings.backupConfiguration.startTime target.resource.attribute.labels[backup_config_start_time]
    protoPayload.request.canIpForward target.resource.attribute.labels[can_ip_forward]
    resource.labels.cluster_name target.resource.attribute.labels[cls_name]
    request.cluster.name target.resource.attribute.labels[cls_name]
    protoPayload.request.body.settings.dataDiskSizeGb target.resource.attribute.labels[data_disk_size_gb]
    protoPayload.request.body.settings.dataDiskType target.resource.attribute.labels[data_disk_type]
    protoPayload.metadata.tableDataRead.fields target.resource.attribute.labels[data_read_fields]
    protoPayload.metadata.jobInsertion.job.jobConfig.extractConfig.destinationUris[] target.resource.attribute.labels[destination_uris]
    protoPayload.request.direction target.resource.attribute.labels[direction]
    resource.labels.email_id target.resource.attribute.labels[email_id]
    resource.email_id target.resource.attribute.labels[email_id]
    resource.labels.forwarding_rule_name target.resource.attribute.labels[forwarding_rule_name]
    protoPayload.request.body.settings.ipConfiguration.ipv4Enabled target.resource.attribute.labels[ip_config_ipv4_enabled]
    protoPayload.request.body.settings.ipconfiguration.privatNetwork target.resource.attribute.labels[ip_config_private_network]
    protoPayload.request.body.settings.ipconfiguration.requireSsl target.resource.attribute.labels[ip_config_require_ssl]
    protoPayload.metadata.jobChange.job.jobConfig.type target.resource.attribute.labels[job_type]
    protoPayload.metadata.jobChange.job.jobConfig.labels.looker_studio_report_id target.resource.attribute.labels[job_change_looker_studio_report_id]
    protoPayload.metadata.jobChange.job.jobConfig.labels.requestor target.resource.attribute.labels[job_change_requestor]
    protoPayload.metadata.jobChange.job.jobConfig.labels.looker_studio_datasource_id target.resource.attribute.labels[job_change_looker_studio_datasource_id]
    protoPayload.metadata.tableChange.table.tableName target.resource.attribute.labels[metadata_changedTable_name]
    protoPayload.metadata.tableCreation.table.expireTime target.resource.attribute.labels[metadata_creationTable_expire_time]
    protoPayload.request.body.settings.pricingPlan target.resource.attribute.labels[pricing_plan]
    resource.data.projectId target.resource.attribute.labels[projectId]
    resource.labels.instance_group_name target.resource.attribute.labels[rc_instance_groupName]
    resource.labels.method target.resource.attribute.labels[rc_method]
    protoPayload.resourceOriginalState.disabled target.resource.attribute.labels[rc_orgState_disabled]
    protoPayload.resourceOriginalState.enableLogging target.resource.attribute.labels[rc_orgState_enable_logging]
    protoPayload.resourceOriginalState.logconfig.enable target.resource.attribute.labels[rc_orgState_logconfig_enable]
    protoPayload.resourceOriginalState.selfLink target.resource.attribute.labels[rc_orgState_selflink]
    protoPayload.resourceOriginalState.sourceRanges target.resource.attribute.labels[rc_orgState_srcranges]
    protoPayload.resourceOriginalState.targetTags target.resource.attribute.labels[rc_orgState_target_tags]
    protoPayload.resourceOriginalState.@type target.resource.attribute.labels[rc_orgState_type]
    resource.labels.service target.resource.attribute.labels[rc_service]
    resource.labels.subnetwork_name target.resource.attribute.labels[rc_subnetwork_name]
    resource.labels.version target.resource.attribute.labels[rc_version]
    protoPayload.request.body.databaseVersion target.resource.attribute.labels[req_body_dbVersion]
    protoPayload.request.cluster.releaseChannel.channel target.resource.attribute.labels[req_cls_channel]
    protoPayload.request.cluster.addonsConfig.networkPolicyConfig.disabled target.resource.attribute.labels[req_cls_policy_config_disabled]
    protoPayload.request.reservationAffinity.consumeReservationType target.resource.attribute.labels[req_consumeReservation_type]
    protoPayload.request.disabled target.resource.attribute.labels[req_disabled]
    protoPayload.request.disks[].boot target.resource.attribute.labels[req_disk_boot]
    protoPayload.request.disks[].initializeParams.diskSizeGb target.resource.attribute.labels[req_disk_initialize_disk_size]
    protoPayload.request.disks[].initializeParams.diskType target.resource.attribute.labels[req_disk_initialize_disk_type]
    protoPayload.request.disks[].initializeParams.sourceImage target.resource.attribute.labels[req_disk_initialize_source_image]
    protoPayload.request.workloadIdentityPoolProvider.attributeCondition target.resource.attribute.labels[req_identityPool_attribute_condition]
    protoPayload.request.workloadIdentityPoolProvider.aws.accountId target.resource.attribute.labels[req_identityPool_aws_accountId]
    protoPayload.request.workloadIdentityPoolProvider.attributeMapping.attribute.aws_role target.resource.attribute.labels[req_identityPool_aws_role]
    protoPayload.request.workloadIdentityPool.description target.resource.attribute.labels[req_identityPool_description]
    protoPayload.request.workloadIdentityPool.disabled target.resource.attribute.labels[req_identityPool_disabled]
    protoPayload.request.workloadIdentityPoolProvider.displayName target.resource.attribute.labels[req_identityPool_displayName]
    protoPayload.request.workloadIdentityPoolProvider.attributeMapping.google.subject target.resource.attribute.labels[req_identityPool_googleSubject]
    protoPayload.request.workloadIdentityPoolProvider.disabled target.resource.attribute.labels[req_identityPool_provider_disabled]
    protoPayload.request.workloadIdentityPoolProviderId target.resource.attribute.labels[req_identityPool_providerId]
    protoPayload.request.instances[].instance target.resource.attribute.labels[req_instance]
    protoPayload.request.logconfig.enable target.resource.attribute.labels[req_logconfig_enable]
    protoPayload.serviceData.tabelDataListRequest.maxResults target.resource.attribute.labels[req_max_results]
    protoPayload.serviceData.jobGetQueryResultsRequest.maxResults target.resource.attribute.labels[req_max_results]
    protoPayload.request.maxResults target.resource.attribute.labels[req_max_results]
    protoPayload.request.name target.resource.attribute.labels[req_name]
    protoPayload.request.networkInterfaces[].accessConfig.name target.resource.attribute.labels[req_network_access_config_name]
    protoPayload.request.networkInterfaces[].accessConfig.networkTier target.resource.attribute.labels[req_network_access_config_network_tier]
    protoPayload.request.networkInterfaces[].accessConfig.type target.resource.attribute.labels[req_network_access_config_type]
    protoPayload.request.network target.resource.attribute.labels[req_network]
    protoPayload.request.network target.resource.attribute.labels[req_network]
    protoPayload.request.priority target.resource.attribute.labels[Request Priority]
    protoPayload.request.project target.resource.attribute.labels[req_project]
    protoPayload.request.role.stage target.resource.attribute.labels[req_role_stage]
    protoPayload.request.scheduling.automaticRestart target.resource.attribute.labels[req_scheduling_automatic_restart]
    protoPayload.request.scheduling.onHostMaintenance target.resource.attribute.labels[req_scheduling_on_host_mainten]
    protoPayload.request.scheduling.preemptible target.resource.attribute.labels[req_scheduling_preemptible]
    protoPayload.request.service_account.description target.resource.attribute.labels[req_serviceAcc_description]
    protoPayload.request.serviceAccounts[].email target.resource.attribute.labels[req_serviceAcc_email]
    protoPayload.request.policy.booleanPolicy.enforced target.resource.attribute.labels[request_constraint]
    protoPayload.response.email target.resource.attribute.labels[res_email]
    protoPayload.response.etag target.resource.attribute.labels[res_etag]
    protoPayload.response.name target.resource.attribute.labels[res_name]
    protoPayload.response.operationType target.resource.attribute.labels[response_operation_type]
    protoPayload.response.zone target.resource.attribute.labels[res_zone]
    resource.data.name target.resource.attribute.labels[resource_data_name]
    protoPayload.response.booleanPolicy.enforced target.resource.attribute.labels[response_enforce_policy]
    protoPayload.response.status target.resource.attribute.labels[response_status]
    protoPayload.response.status.conditions.message target.resource.attribute.labels[response_status]
    protoPayload.serviceData.permissionDelta.addedPermissions[] target.resource.attribute.labels[ser_added_perm]
    protoPayload.serviceData.policyDelta.bindingDeltas[].action target.resource.attribute.labels[ser_binding_deltas_action]
    protoPayload.serviceData.policyDelta.bindingDeltas[].member target.resource.attribute.labels[ser_binding_deltas_member]
    Referred this from default parser. target.resource.attribute.labels[ser_binding_deltas_member]
    protoPayload.serviceData.jobGetQueryResultsResponse.job.jobConfiguration.query.destinationTable.datasetId target.resource.attribute.labels[ser_destTable_datasetId]
    protoPayload.serviceData.jobGetQueryResultsResponse.job.jobConfiguration.query.destinationTable.projectId target.resource.attribute.labels[ser_destTable_projectId]
    protoPayload.serviceData.jobGetQueryResultsResponse.job.jobConfiguration.query.destinationTable.tableId target.resource.attribute.labels[ser_destTable_tableId]
    protoPayload.serviceData.jobGetQueryResultsResponse.job.jobStatistics.createTime target.resource.attribute.labels[ser_jobCreate_time]
    protoPayload.serviceData.jobGetQueryResultsResponse.job.jobName.jobId target.resource.attribute.labels[ser_req_jobId]
    protoPayload.serviceData.jobGetQueryResultsResponse.job.jobConfiguration.query.query target.resource.attribute.labels[ser_req_query]
    protoPayload.serviceData.jobGetQueryResultsResponse.job.jobConfiguration.query.createDisposotion target.resource.attribute.labels[ser_reqCreate_disposotion]
    protoPayload.serviceData.jobGetQueryResultsResponse.job.jobName.location target.resource.attribute.labels[ser_reqJob_location]
    protoPayload.serviceData.jobGetQueryResultsResponse.job.jobName.projectId target.resource.attribute.labels[ser_reqJob_projectid]
    protoPayload.serviceData.jobGetQueryResultsResponse.job.jobStatistics.startTime target.resource.attribute.labels[ser_reqJob_start_time]
    protoPayload.serviceData.jobGetQueryResultsResponse.job.jobStatus.state target.resource.attribute.labels[ser_reqJob_state]
    protoPayload.serviceData.jobGetQueryResultsResponse.job.jobStatistics.totalSlotMs target.resource.attribute.labels[ser_reqJob_total_slot_ms]
    protoPayload.serviceData.jobGetQueryResultsResponse.job.jobConfiguration.query.statementType target.resource.attribute.labels[ser_reqStatement_type]
    protoPayload.serviceData.jobGetQueryResultsResponse.job.jobConfiguration.query.writeDisposition target.resource.attribute.labels[ser_reqWrite_disposition]
    protoPayload.serviceData.tableInsertRequest.resource.view.query target.resource.attribute.labels[ser_tableInsert_query]
    protoPayload.serviceData.@type target.resource.attribute.labels[ser_type]
    protoPayload.request.sourceRanges[] target.resource.attribute.labels[source_ranges]
    protoPayload.request.body.settings.storageAutoResize target.resource.attribute.labels[storage_auto_resize]
    resource.labels.target_proxy_name target.resource.attribute.labels[target_proxy_name]
    protoPayload.request.body.settings.tier target.resource.attribute.labels[tier]
    resource.labels.url_map_name target.resource.attribute.labels[url_map_name]
    protoPayload.request.cluster.network target.resource_ancestors.attribute.labels[req_cls_network]
    protoPayload.request.cluster.nodePools[].management.autoRepair target.resource_ancestors.attribute.labels[req_clsNodePools_autorepair]
    protoPayload.request.body.settings.availabilityType target.resource.attributes.labels[resource_avaibilitytype]
    protoPayload.metadata.tableCreation.table.schemaJSON target.resource.attributes.labels[table_schemaJson]
    protoPayload.metadata.event.eventName.parameter.name[BIRTHDATE] target.user.attribute.labels[birthdate]
    protoPayload.metadata.event.eventName.parameter.name[PRIVILEGE_NAME] target.user.attribute.labels[privilege_name]
    protoPayload.metadata.event.eventName.parameter.name[USER_NICKNAME] target.user.attribute.labels[user_nickname]
    resource.type target.resource_ancestors.resource_type 如果resource.type日志字段值与正则表达式gce_(firewall or forwarding_rule)匹配,target.resource_ancestors.resource_type1resource.typeresource.typeresource.typeresource.typeresource.typeresource.typeresource.typeresource.typeresource.typeresource.typeresource.typetarget.resource_ancestors.resource_typetarget.resource_ancestors.resource_typetarget.resource_ancestors.resource_typetarget.resource_ancestors.resource_typetarget.resource_ancestors.resource_typetarget.resource_ancestors.resource_typetarget.resource_ancestors.resource_typetarget.resource_ancestors.resource_typetarget.resource_ancestors.resource_typetarget.resource_ancestors.resource_typetarget.resource_ancestors.resource_typetarget.resource_ancestors.resource_typeFIREWALL_RULE

























    gce_(subnetwork or network)VPC_NETWORKdataprocCLUSTERCLUSTERk8s or gke_gce_backend_serviceBACKEND_SERVICE(gce_ or dns_query)target.resource.resource_typeVIRTUAL_MACHINEgcs_bucketSTORAGE_BUCKETbigqueryDATABASEDATABASEcloudsqlservice_accountSERVICE_ACCOUNTprojectCLOUD_PROJECTCLOUD_PROJECTorganizationCLOUD_ORGANIZATIONUNSPECIFIEDresource.labels.project_id
    jsonPayload.end_time about.labels[jsonPayload_end_time](已弃用)
    jsonPayload.packets_sent network.sent_packets
    jsonPayload.reporter about.labels[jsonPayload_reporter](已弃用)
    jsonPayload.src_vpc.vpc_name principal.resource.name
    jsonPayload.src_vpc.project_id principal.resource.product_object_id
    jsonPayload.src_vpc.subnetwork_name principal.resource.attribute.labels[jsonPayload_src_vpc_subnetwork_name]
    jsonPayload.start_time about.labels[jsonPayload_start_time](已弃用)
    jsonPayload.src_instance.region principal.location.name
    jsonPayload.src_instance.project_id principal.labels[jsonPayload_src_instance_project_id](已弃用)
    jsonPayload.src_instance.zone principal.cloud.availability_zone
    resource.labels.subnetwork_id target.resource.attribute.labels[resource_labels_subnetwork_id]
    jsonPayload.dest_vpc.project_id target.resource.product_object_id
    jsonPayload.dest_vpc.subnetwork_name target.resource.attribute.labels[jsonPayload_src_vpc_subnetwork_name]
    jsonPayload.dest_vpc.vpc_name target.resource.name
    jsonPayload.dest_instance.region target.location.name
    jsonPayload.dest_instance.project_id target.labels[jsonPayload_dest_instance_project_id](已弃用)
    jsonPayload.dest_instance.zone target.cloud.availability_zone
    jsonPayload.src_location.asn principal.labels[jsonPayload_src_location_asn](已弃用)
    jsonPayload.src_location.city principal.location.city
    jsonPayload.src_location.continent principal.labels[jsonPayload_src_location_continent](已弃用)
    jsonPayload.src_location.country principal.location.country_or_region
    jsonPayload.src_location.region principal.labesl[jsonPayload_src_location_region]
    jsonPayload.dest_location.asn target.labels[jsonPayload_dest_location_asn](已弃用)
    jsonPayload.dest_location.city target.location.city
    jsonPayload.dest_location.continent target.labels[jsonPayload_dest_location_continent](已弃用)
    jsonPayload.dest_location.region target.labesl[jsonPayload_dest_location_region]
    protoPayload.metadata.ingressViolations.servicePerimeter security_result.detection_fields[protoPayload_metadata_ingressViolations_serviceParameter]
    protoPayload.metadata.ingressViolations.source security_result.detection_fields[protoPayload_metadata_ingressViolations_source]
    protoPayload.metadata.ingressViolations.sourceType security_result.detection_fields[protoPayload_metadata_ingressViolations_sourceType]
    protoPayload.metadata.ingressViolations.targetResource security_result.detection_fields[protoPayload_metadata_ingressViolations_targetResource]
    protoPayload.request.subjects.name target.user.attribute.labels[subject_name]
    protoPayload.request.spec.containers.0.image target.process.command_line
    protoPayload.request.spec.containers.0.name target.resource.attribute.labels[name]
    protoPayload.request.spec.containers.0.terminationMessagePolicy traget.resource.attribute.labels[terminationMessagePolicy]
    protoPayload.request.spec.containers.0.terminationMessagePath traget.resource.attribute.labels[terminationMessagePath]
    protoPayload.request.spec.containers.0.imagePullPolicy traget.resource.attribute.labels[imagePullPolicy]
    protoPayload.request.spec.dnsPolicy target.resource.attribute.labels[imagePullPolicy]
    protoPayload.request.spec.enableServiceLinks traget.resource.attribute.labels[enableServiceLinks]
    protoPayload.request.spec.restartPolicy target.resource.attribute.labels[restartPolicy]
    protoPayload.request.spec.schedulerName target.resource.attribute.labels[schedulerName]
    protoPayload.request.spec.terminationGracePeriodSeconds traget.resource.attribute.labels[protoPayload_request_spec_terminationGracePeriodSeconds]
    protoPayload.request.metadata.namespace principal.namespace
    protoPayload.request.apiVersion target.resource.attribute.labels [request apiVersion]
    protoPayload.request.kind target.resource.attribute.labels[request.kind]
    protoPayload.request.metadata.name target.resource.attribute.labels[request.metadata.name]
    labels.mutation.webhook.admission.k8s.io/round_0_index_0 security_result.about.resource.attribute.labels[labels_round_0_index_0]
    protoPayload.request.spec.containers.0.args about.file.capabilities_tags
    protoPayload.request.properties.disks.0.initializeParams.diskSizeGb principal.resource.attribute.labels[diskSizeGb]
    protoPayload.request.properties.disks.0.initializeParams.diskType principal.resource.attribute.labels[diskType]
    protoPayload.request.properties.disks.0.initializeParams.guestOsFeatures.0.type principal.resource.attribute.labels[guestOsFeatures type]
    protoPayload.request.properties.disks.0.initializeParams.labels.0.key principal.resource.attribute.labels[protoPayload.request.properties.disks.0.initializeParams.labels.0.key]
    protoPayload.request.properties.disks.0.initializeParams.sourceImage principal.resource.attribute.labels[sourceImage]
    protoPayload.request.properties.disks.0.type principal.resource.attribute.labels[disks Type]
    key_id security_result.detection_field[key_id] key_id 字段值提取自 message 日志 字段。
    protoPayload.request.securityHealthAnalyticsSettings.modules.PUBLIC_BUCKET_ACL.moduleEnablementState target.resource.attribute.labels[PUBLIC_BUCKET_ACL_module_enablement_state]
    protoPayload.response.serviceEnablementState target.resource.attribute.labels[service_enablement_state]
    protoPayload.request.metadata.creationTimestamp target.resource.attribute.creation_time
    protoPayload.request.metadata.labels.trivy.automatic.created target.resource.attribute.labels[req_metadata_trivy_automatic_created]
    protoPayload.request.metadata.labels.trivy.collector.name target.resource.attribute.labels[req_metadata_trivy_collector_name]
    protoPayload.request.metadata.labels.trivy.resource.kind target.resource.attribute.labels[req_metadata_trivy_resource_kind]
    protoPayload.request.metadata.labels.trivy.resource.name target.resource.attribute.labels[req_metadata_trivy_resource_name]
    protoPayload.request.spec.backoffLimit target.resource.attribute.labels[req_spec_backoff_limit]
    protoPayload.request.spec.completionMode target.resource.attribute.labels[req_spec_completion_mode]
    protoPayload.request.spec.completions target.resource.attribute.labels[req_spec_completions]
    protoPayload.request.spec.parallelism target.resource.attribute.labels[req_spec_parallelism]
    protoPayload.request.spec.suspend target.resource.attribute.labels[req_spec_suspend]
    protoPayload.request.spec.template.metadata.creationTimestamp target.resource.attribute.labels[req_spec_template_metadata_creation_time]
    protoPayload.request.spec.template.metadata.labels.app target.resource.attribute.labels[req_spec_template_metadata_app]
    protoPayload.request.spec.template.spec.automountServiceAccountToken target.resource.attribute.labels[req_spec_template_spec_automount_service_account_token]
    protoPayload.request.spec.template.spec.containers.command target.resource_ancestors.attribute.labels[req_spec_template_spec_container_command]
    protoPayload.request.spec.template.spec.containers.image target.resource_ancestors.attribute.labels[req_spec_template_spec_container_image]
    protoPayload.request.spec.template.spec.containers.imagePullPolicy target.resource_ancestors.attribute.labels[req_spec_template_spec_container_image_pull_policy]
    protoPayload.request.spec.template.spec.containers.name target.resource_ancestors.name
    protoPayload.request.spec.template.spec.containers.resources.limits.cpu target.resource_ancestors.attribute.labels[req_spec_template_spec_container_resource_limits_cpu]
    protoPayload.request.spec.template.spec.containers.resources.limits.memory target.resource_ancestors.attribute.labels[req_spec_template_spec_container_resource_limits_memory]
    protoPayload.request.spec.template.spec.containers.resources.requests.cpu target.resource_ancestors.attribute.labels[req_spec_template_spec_container_resource_request_cpu]
    protoPayload.request.spec.template.spec.containers.resources.requests.memory target.resource_ancestors.attribute.labels[req_spec_template_spec_container_resource_request_memory]
    protoPayload.request.spec.template.spec.containers.securityContext.allowPrivilegeEscalation target.resource_ancestors.attribute.labels[req_spec_template_spec_container_security_context_allow_privilege_escalation]
    protoPayload.request.spec.template.spec.containers.securityContext.capabilities.drop target.resource_ancestors.attribute.labels[req_spec_template_spec_container_security_context_capabilities_drop]
    protoPayload.request.spec.template.spec.containers.securityContext.privileged target.resource_ancestors.attribute.labels[req_spec_template_spec_container_security_context_privileged]
    protoPayload.request.spec.template.spec.containers.securityContext.readOnlyRootFilesystem target.resource_ancestors.attribute.labels[req_spec_template_spec_container_security_context_read_only_root_filesystem]
    protoPayload.request.spec.template.spec.containers.terminationMessagePath target.resource_ancestors.attribute.labels[req_spec_template_spec_container_termination_message_path]
    protoPayload.request.spec.template.spec.containers.terminationMessagePolicy target.resource_ancestors.attribute.labels[req_spec_template_spec_container_termination_message_policy]
    protoPayload.request.spec.template.spec.containers.volumeMounts.mountPath target.resource_ancestors.attribute.labels[req_spec_template_spec_container_volume_mounts_mount_path]
    protoPayload.request.spec.template.spec.containers.volumeMounts.name target.resource_ancestors.attribute.labels[req_spec_template_spec_container_volume_mounts_name]
    protoPayload.request.spec.template.spec.containers.volumeMounts.readOnly target.resource_ancestors.attribute.labels[req_spec_template_spec_container_volume_mounts_readonly]
    protoPayload.request.spec.template.spec.dnsPolicy target.resource.attribute.labels[req_spec_template_spec_dns_policy]
    protoPayload.request.spec.template.spec.hostPID target.resource.attribute.labels[req_spec_template_spec_host_pid]
    protoPayload.request.spec.template.spec.restartPolicy target.resource.attribute.labels[req_spec_template_spec_restart_policy]
    protoPayload.request.spec.template.spec.schedulerName target.resource.attribute.labels[req_spec_template_spec_scheduler_name]
    protoPayload.request.spec.template.spec.securityContext.runAsGroup target.resource.attribute.labels[req_spec_template_spec_security_context_run_as_group]
    protoPayload.request.spec.template.spec.securityContext.runAsUser target.resource.attribute.labels[req_spec_template_spec_security_context_run_as_user]
    protoPayload.request.spec.template.spec.securityContext.seccompProfile.type target.resource.attribute.labels[req_spec_template_spec_security_context_seccomp_profile_type]
    protoPayload.request.spec.template.spec.terminationGracePeriodSeconds target.resource.attribute.labels[req_spec_template_spec_termination_grace_period_seconds]
    protoPayload.request.spec.template.spec.volumes.hostPath.path target.resource.attribute.labels[req_spec_template_spec_volumes_host_path]
    protoPayload.request.spec.template.spec.volumes.hostPath.type target.resource.attribute.labels[req_spec_template_spec_volumes_host_path_type]
    protoPayload.request.spec.template.spec.volumes.name target.resource.attribute.labels[req_spec_template_spec_volumes_name]
    protoPayload.request.spec.automountServiceAccountToken target.resource.attribute.labels[req_spec_automount_service_account_token]
    protoPayload.request.spec.containers.command target.resource.attribute.labels[req_spec_container_command]
    protoPayload.request.spec.containers.securityContext.privileged target.resource.attribute.labels[req_spec_container_security_context_privileged]
    protoPayload.request.spec.containers.securityContext.allowPrivilegeEscalation target.resource.attribute.labels[req_spec_container_security_context_allow_privilege_escalation]
    protoPayload.request.spec.containers.securityContext.readOnlyRootFilesystem target.resource.attribute.labels[req_spec_container_security_context_read_only_root_filesystem]
    protoPayload.request.spec.containers.securityContext.capabilities.drop target.resource.attribute.labels[req_spec_container_security_context_capabilities_drop]
    protoPayload.request.spec.containers.volumeMounts.mountPath target.resource.attribute.labels[req_spec_container_volume_mount_path]
    protoPayload.request.spec.containers.volumeMounts.name target.resource.attribute.labels[req_spec_container_volume_mount_name]
    protoPayload.request.spec.containers.volumeMounts.readOnly target.resource.attribute.labels[req_spec_container_volume_mount_read_only]
    protoPayload.request.metadata.annotations.deprecated.daemonset.template.generation target.resource.attribute.labels[req_metadata_annotations_deprecated_daemonset_template_generation]
    protoPayload.request.metadata.labels.app target.resource.attribute.labels[req_metadata_app]
    protoPayload.request.metadata.labels.type target.resource.attribute.labels[req_metadata_labels_type]
    protoPayload.request.spec.serviceAccount target.resource.attribute.labels[req_spec_service_account]
    protoPayload.request.spec.serviceAccountName target.resource.attribute.labels[req_spec_serivce_account_name]
    protoPayload.request.spec.hostIPC target.resource.attribute.labels[req_spec_host_ipc]
    protoPayload.request.spec.hostNetwork target.resource.attribute.labels[req_spec_host_network]
    protoPayload.request.spec.hostPID target.resource.attribute.labels[req_spec_host_pid]
    protoPayload.request.spec.nodeName target.resource.attribute.labels[req_spec_node_name]
    protoPayload.request.spec.securityContext.privileged target.resource.attribute.labels[req_spec_security_context_privileged]
    protoPayload.request.spec.securityContext.allowPrivilegeEscalation target.resource.attribute.labels[req_spec_security_context_allow_privilege_escalation]
    protoPayload.request.spec.securityContext.readOnlyRootFilesystem target.resource.attribute.labels[req_spec_security_context_read_only_root_filesystem]
    protoPayload.request.spec.securityContext.capabilities.drop target.resource.attribute.labels[req_spec_security_context_capabilities_drop]
    protoPayload.request.spec.volumes.hostPath.path target.resource.attribute.labels[req_spec_volume_host_path]
    protoPayload.request.spec.volumes.hostPath.type target.resource.attribute.labels[req_spec_volume_host_path_type]
    protoPayload.request.spec.volumes.name target.resource.attribute.labels[req_spec_volume_name]
    protoPayload.request.spec.revisionHistoryLimit target.resource.attribute.labels[req_spec_revision_history_limit]
    protoPayload.request.spec.selector.matchLabels.app target.resource.attribute.labels[req_spec_selector_match_label_app]
    protoPayload.request.spec.selector.matchLabels.type target.resource.attribute.labels[req_spec_selector_match_label_type]
    protoPayload.request.spec.template.metadata.labels.type target.resource.attribute.labels[req_spec_template_metadata_labels_type]
    protoPayload.request.spec.template.spec.containers.args target.resource.attribute.labels[req_spec_template_spec_container_arg]
    protoPayload.request.spec.template.spec.hostIPC target.resource.attribute.labels[req_spec_template_spec_host_ipc]
    protoPayload.request.spec.template.spec.hostNetwork target.resource.attribute.labels[req_spec_template_spec_host_network]
    protoPayload.request.spec.updateStrategy.rollingUpdate.maxSurge target.resource.attribute.labels[req_spec_update_strategy_rolling_update_max_surge]
    protoPayload.request.spec.updateStrategy.rollingUpdate.maxUnavailable target.resource.attribute.labels[req_spec_update_strategy_rolling_update_max_unavailable]
    protoPayload.request.spec.updateStrategy.type target.resource.attribute.labels[req_spec_update_strategy_type]
    protoPayload.request.status.currentNumberScheduled target.resource.attribute.labels[req_status_current_number_scheduled]
    protoPayload.request.status.desiredNumberScheduled target.resource.attribute.labels[req_status_desired_number_scheduled]
    protoPayload.request.status.numberMisscheduled target.resource.attribute.labels[req_status_number_miss_scheduled]
    protoPayload.request.status.numberReady target.resource.attribute.labels[req_status_number_ready]
    protoPayload.response.@type target.resource.attribute.labels[res_type]
    protoPayload.response.apiVersion target.resource.attribute.labels[res_api_version]
    protoPayload.response.metadata.annotations.deprecated.daemonset.template.generation target.resource.attribute.labels[res_metadata_annotations_deprecated_daemonset_template_generation]
    protoPayload.response.metadata.generation target.resource.attribute.labels[res_metadata_generation]
    protoPayload.response.metadata.labels.type target.resource.attribute.labels[res_metadata_labels_type]
    protoPayload.response.metadata.labels.app target.resource.attribute.labels[res_metadata_label_app]
    protoPayload.response.metadata.creationTimestamp target.resource.attribute.labels[res_metadata_creation_time]
    protoPayload.response.metadata.name target.resource.attribute.labels[res_metadata_name]
    protoPayload.response.metadata.namespace target.resource.attribute.labels[res_metadata_namespace]
    protoPayload.response.metadata.resourceVersion target.resource.attribute.labels[res_metadata_resource_version]
    protoPayload.response.metadata.uid target.resource.attribute.labels[res_metadata_uid]
    protoPayload.response.spec.revisionHistoryLimit target.resource.attribute.labels[res_spec_revision_history_limit]
    protoPayload.response.spec.selector.matchLabels.app target.resource.attribute.labels[res_spec_selector_match_label_app]
    protoPayload.response.spec.selector.matchLabels.type target.resource.attribute.labels[res_spec_selector_match_label_type]
    protoPayload.response.spec.template.metadata.creationTimestamp target.resource.attribute.labels[res_spec_template_metadata_creation_time]
    protoPayload.response.spec.template.metadata.labels.app target.resource.attribute.labels[res_spec_template_metadata_app]
    protoPayload.response.spec.template.metadata.labels.type target.resource.attribute.labels[res_spec_template_metadata_type]
    protoPayload.response.spec.template.spec.containers.args target.resource_ancestors.attribute.labels[res_spec_template_spec_container_arg]
    protoPayload.response.spec.template.spec.containers.command target.resource_ancestors.attribute.labels[res_spec_template_spec_container_command]
    protoPayload.response.spec.template.spec.containers.image target.resource_ancestors.attribute.labels[res_spec_template_spec_container_image]
    protoPayload.response.spec.template.spec.containers.imagePullPolicy target.resource_ancestors.attribute.labels[res_spec_template_spec_container_image_pull_policy]
    protoPayload.response.spec.template.spec.containers.name target.resource_ancestors.name
    protoPayload.response.spec.template.spec.containers.resources.limits.cpu target.resource_ancestors.attribute.labels[res_spec_template_spec_container_resource_limits_cpu]
    protoPayload.response.spec.template.spec.containers.resources.limits.memory target.resource_ancestors.attribute.labels[res_spec_template_spec_container_resource_limits_memory]
    protoPayload.response.spec.template.spec.containers.resources.requests.cpu target.resource_ancestors.attribute.labels[res_spec_template_spec_container_resource_request_cpu]
    protoPayload.response.spec.template.spec.containers.resources.requests.memory target.resource_ancestors.attribute.labels[res_spec_template_spec_container_resource_request_memory]
    protoPayload.response.spec.template.spec.containers.securityContext.privileged target.resource_ancestors.attribute.labels[res_spec_template_spec_container_security_context_privileged]
    protoPayload.response.spec.template.spec.containers.securityContext.allowPrivilegeEscalation target.resource_ancestors.attribute.labels[res_spec_template_spec_container_security_context_allow_privilege_escalation]
    protoPayload.response.spec.template.spec.containers.securityContext.readOnlyRootFilesystem target.resource_ancestors.attribute.labels[res_spec_template_spec_container_security_context_read_only_root_filesystem]
    protoPayload.response.spec.template.spec.containers.securityContext.capabilities.drop target.resource_ancestors.attribute.labels[res_spec_template_spec_container_security_context_capabilities_drop]
    protoPayload.response.spec.template.spec.containers.terminationMessagePath target.resource_ancestors.attribute.labels[res_spec_template_spec_container_termination_message_path]
    protoPayload.response.spec.template.spec.containers.terminationMessagePolicy target.resource_ancestors.attribute.labels[res_spec_template_spec_container_termination_message_policy]
    protoPayload.response.spec.template.spec.containers.volumeMounts.mountPath target.resource_ancestors.attribute.labels[res_spec_template_spec_container_volume_mounts_mount_path]
    protoPayload.response.spec.template.spec.containers.volumeMounts.name target.resource_ancestors.attribute.labels[res_spec_template_spec_container_volume_mounts_name]
    protoPayload.response.spec.template.spec.containers.volumeMounts.readOnly target.resource_ancestors.attribute.labels[res_spec_template_spec_container_volume_mounts_read_only]
    protoPayload.response.spec.template.spec.dnsPolicy target.resource.attribute.labels[res_spec_template_spec_dns_policy]
    protoPayload.response.spec.template.spec.hostIPC target.resource.attribute.labels[res_spec_template_spec_host_pid]
    protoPayload.response.spec.template.spec.hostNetwork target.resource.attribute.labels[res_spec_template_spec_host_network]
    protoPayload.response.spec.template.spec.hostPID target.resource.attribute.labels[res_spec_template_spec_host_ipc]
    protoPayload.response.spec.template.spec.nodeName target.resource.attribute.labels[res_spec_template_spec_node_name]
    protoPayload.response.spec.template.spec.restartPolicy target.resource.attribute.labels[res_spec_template_spec_restart_policy]
    protoPayload.response.spec.template.spec.schedulerName target.resource.attribute.labels[res_spec_template_spec_scheduler_name]
    protoPayload.response.spec.template.spec.securityContext.runAsGroup target.resource.attribute.labels[res_spec_template_spec_security_context_run_as_group]
    protoPayload.response.spec.template.spec.securityContext.runAsUser target.resource.attribute.labels[res_spec_template_spec_security_context_run_as_user]
    protoPayload.response.spec.template.spec.securityContext.seccompProfile.type target.resource.attribute.labels[res_spec_template_spec_security_context_seccomp_profile_type]
    protoPayload.response.spec.template.spec.terminationGracePeriodSeconds target.resource.attribute.labels[res_spec_template_spec_termination_grace_period_seconds]
    protoPayload.response.spec.template.spec.volumes.hostPath.path target.resource.attribute.labels[res_spec_template_spec_volumes_host_path]
    protoPayload.response.spec.template.spec.volumes.hostPath.type target.resource.attribute.labels[res_spec_template_spec_volumes_host_path_type]
    protoPayload.response.spec.template.spec.volumes.name target.resource.attribute.labels[res_spec_template_spec_volumes_name]
    protoPayload.response.spec.updateStrategy.rollingUpdate.maxSurge target.resource.attribute.labels[res_spec_update_strategy_rolling_update_max_surge]
    protoPayload.response.spec.updateStrategy.rollingUpdate.maxUnavailable target.resource.attribute.labels[res_spec_update_strategy_rolling_update_max_unavailable]
    protoPayload.response.spec.updateStrategy.type target.resource.attribute.labels[res_spec_update_strategy_type]
    protoPayload.response.spec.containers.args target.resource_ancestors.attribute.labels[res_spec_container_arg]
    protoPayload.response.spec.containers.command target.resource_ancestors.attribute.labels[res_spec_container_command]
    protoPayload.response.spec.containers.image target.resource_ancestors.attribute.labels[res_spec_container_image]
    protoPayload.response.spec.containers.imagePullPolicy target.resource_ancestors.attribute.labels[res_spec_container_image_pull_policy]
    protoPayload.response.spec.containers.name target.resource_ancestors.name
    protoPayload.response.spec.containers.securityContext.privileged target.resource_ancestors.attribute.labels[res_spec_container_security_context_privileged]
    protoPayload.response.spec.containers.securityContext.allowPrivilegeEscalation target.resource_ancestors.attribute.labels[res_spec_container_security_context_allow_privilege_escalation]
    protoPayload.response.spec.containers.securityContext.readOnlyRootFilesystem target.resource_ancestors.attribute.labels[res_spec_container_security_context_read_only_root_filesystem]
    protoPayload.response.spec.containers.securityContext.capabilities.drop target.resource_ancestors.attribute.labels[res_spec_container_security_context_capabilities_drop]
    protoPayload.response.spec.containers.terminationMessagePath target.resource_ancestors.attribute.labels[res_spec_container_termination_message_path]
    protoPayload.response.spec.containers.terminationMessagePolicy target.resource_ancestors.attribute.labels[res_spec_container_termination_message_policy]
    protoPayload.response.spec.containers.volumeMounts.mountPath target.resource_ancestors.attribute.labels[res_spec_container_volume_mount_path]
    protoPayload.response.spec.containers.volumeMounts.name target.resource_ancestors.attribute.labels[res_spec_container_volume_mount_name]
    protoPayload.response.spec.containers.volumeMounts.readOnly target.resource_ancestors.attribute.labels[res_spec_container_volume_mount_read_only]
    protoPayload.response.spec.dnsPolicy target.resource.attribute.labels[res_spec_dns_policy]
    protoPayload.response.spec.enableServiceLinks target.resource.attribute.labels[res_spec_enable_service_links]
    protoPayload.response.spec.hostIPC target.resource.attribute.labels[res_spec_host_ipc]
    protoPayload.response.spec.hostNetwork target.resource.attribute.labels[res_spec_host_network]
    protoPayload.response.spec.hostPID target.resource.attribute.labels[res_spec_host_pid]
    protoPayload.response.spec.nodeName target.resource.attribute.labels[res_spec_node_name]
    protoPayload.response.spec.preemptionPolicy target.resource.attribute.labels[res_spec_preemption_policy]
    protoPayload.response.spec.priority target.resource.attribute.labels[res_spec_priority]
    protoPayload.response.spec.restartPolicy target.resource.attribute.labels[res_spec_restart_policy]
    protoPayload.response.spec.schedulerName target.resource.attribute.labels[res_spec_scheduler_name]
    protoPayload.response.spec.serviceAccount target.resource.attribute.labels[res_spec_service_account]
    protoPayload.response.spec.serviceAccountName target.resource.attribute.labels[res_spec_serivce_account_name]
    protoPayload.response.spec.terminationGracePeriodSeconds target.resource.attribute.labels[res_spec_termination_grace_period_seconds]
    protoPayload.response.spec.tolerations.effect target.resource.attribute.labels[res_spec_toleration_effect]
    protoPayload.response.spec.tolerations.key target.resource.attribute.labels[res_spec_toleration_key]
    protoPayload.response.spec.tolerations.operator target.resource.attribute.labels[res_spec_toleration_operator]
    protoPayload.response.spec.tolerations.tolerationSeconds target.resource.attribute.labels[res_spec_toleration_second]
    protoPayload.response.spec.volumes.hostPath.path target.resource.attribute.labels[res_spec_volume_host_path]
    protoPayload.response.spec.volumes.hostPath.type target.resource.attribute.labels[res_spec_volume_host_path_type]
    protoPayload.response.spec.volumes.name target.resource.attribute.labels[res_spec_volume_name]
    protoPayload.response.spec.volumes.projected.defaultMode target.resource.attribute.labels[res_spec_volume_projected_default_mode]
    protoPayload.response.spec.volumes.projected.sources.serviceAccountToken.expirationSeconds target.resource.attribute.labels[res_spec_volume_projected_src_service_acc_token_ecpiration_sec]
    protoPayload.response.spec.volumes.projected.sources.serviceAccountToken.path target.resource.attribute.labels[res_spec_volume_projected_src_service_acc_token_path]
    protoPayload.response.spec.volumes.projected.sources.configMap.items.key target.resource.attribute.labels[res_spec_volume_projected_src_config_map_item_key]
    protoPayload.response.spec.volumes.projected.sources.configMap.items.path target.resource.attribute.labels[res_spec_volume_projected_src_config_map_item_path]
    protoPayload.response.spec.volumes.projected.sources.configMap.name target.resource.attribute.labels[res_spec_volume_projected_src_config_map_name]
    protoPayload.response.spec.volumes.projected.sources.downwardAPI.items.fieldRef.apiVersion target.resource.attribute.labels[res_spec_volume_projected_src_downward_api_item_field_ref_api_version]
    protoPayload.response.spec.volumes.projected.sources.downwardAPI.items.fieldRef.fieldPath target.resource.attribute.labels[res_spec_volume_projected_src_downward_api_item_field_ref_field_path]
    protoPayload.response.spec.volumes.projected.sources.downwardAPI.items.path target.resource.attribute.labels[res_spec_volume_projected_src_downward_api_item_path]
    protoPayload.response.status.phase target.resource.attribute.labels[res_status_phase]
    protoPayload.response.status.qosClass target.resource.attribute.labels[res_status_qos_class]
    protoPayload.response.status.currentNumberScheduled target.resource.attribute.labels[res_status_current_number_scheduled]
    protoPayload.response.status.desiredNumberScheduled target.resource.attribute.labels[res_status_desired_number_scheduled]
    protoPayload.response.status.numberMisscheduled target.resource.attribute.labels[res_status_number_miss_scheduled]
    protoPayload.response.status.numberReady target.resource.attribute.labels[res_status_number_ready]
    protoPayload.serviceData.jobCompletedEvent.job.jobConfiguration.labels.requestor target.resource.attribute.labels[ser_jobconf_requestor]
    protoPayload.serviceData.jobCompletedEvent.job.jobConfiguration.labels.looker_studio_datasource_id target.resource.attribute.labels[ser_jobconf_looker_studio_datasource_id]
    protoPayload.serviceData.jobCompletedEvent.job.jobConfiguration.labels.looker_studio_report_id target.resource.attribute.labels[ser_jobconf_looker_studio_report_id]
    labels.authorization.k8s.io/decision security_result.action 如果 labels.authorization.k8s.io/decision 日志字段值等于 allow,则 security_result.action UDM 字段会设置为 ALLOW

    否则,如果 labels.authorization.k8s.io/decision 日志字段值等于 block,则 security_result.action UDM 字段会设置为 BLOCK
    labels.pod-security.kubernetes.io/enforce-policy security_result.detection_fields[pod_security_kubernetes_io_enforce_policy]
    labels.authorization.k8s.io/reason security_result.action_details
    protoPayload.request.roleRef.apiGroup target.user.attribute.labels[req_role_ref_api_group]
    protoPayload.request.roleRef.kind target.user.attribute.labels[req_role_ref_kind]
    protoPayload.request.roleRef.name target.user.attribute.roles.name
    protoPayload.request.subjects.apiGroup target.user.attribute.labels[req_subject_api_group]
    protoPayload.request.subjects.kind target.user.attribute.labels[req_subject_kind]
    protoPayload.request.rules.apiGroups security_result.rule_labels[req_rule_api_group]
    protoPayload.request.rules.resources security_result.rule_labels[req_rule_resource]
    protoPayload.request.rules.verbs security_result.rule_labels[req_rule_verb]
    protoPayload.request.rules.resourceNames security_result.rule_labels[req_rule_resource_name]
    protoPayload.response.metadata.managedFields.apiVersion target.resource.attribute.labels[res_managed_field_api_version]
    protoPayload.response.metadata.managedFields.fieldsType target.resource.attribute.labels[res_managed_field_type]
    protoPayload.response.metadata.managedFields.manager target.resource.attribute.labels[res_managed_field_manager]
    protoPayload.response.metadata.managedFields.operation target.resource.attribute.labels[res_managed_field_operation]
    protoPayload.response.metadata.managedFields.time target.resource.attribute.labels[res_managed_field_time]
    protoPayload.request.spec.containers.securityContext.capabilities.add target.resource_ancestors.attribute.labels[req_spec_container_security_context_capabilities_add]
    protoPayload.request.spec.containers.securityContext.seccompProfile.type target.resource_ancestors.attribute.labels[req_spec_container_security_context_seccomp_profile_type]
    protoPayload.request.spec.shareProcessNamespace target.resource.attribute.labels[req_spec_share_process_namespace]
    protoPayload.response.spec.containers.securityContext.capabilities.add target.resource_ancestors.attribute.labels[res_spec_container_security_context_capabilities_add]
    protoPayload.response.spec.containers.securityContext.seccompProfile.type target.resource_ancestors.attribute.labels[res_spec_container_security_context_seccomp_profile_type]
    protoPayload.response.spec.shareProcessNamespace target.resource.attribute.labels[res_spec_share_process_namespace]
    protoPayload.metadata.membershipDelta.member target.resource.attribute.labels[membership_delta_member]
    protoPayload.metadata.membershipDelta.roleDeltas.action target.resource.attribute.labels[membership_role_deltas_action]
    protoPayload.metadata.membershipDelta.roleDeltas.role target.resource.attribute.labels[membership_role_deltas_role]
    protoPayload.request.spec.resourceAttributes.namespace target.resource.attribute.labels[req_spec_resource_attribute_namespace]
    protoPayload.request.spec.resourceAttributes.resource target.resource.attribute.labels[req_spec_resource_attribute_resource]
    protoPayload.request.spec.resourceAttributes.verb target.resource.attribute.labels[req_spec_resource_attribute_verb]
    protoPayload.request.status.allowed target.resource.attribute.labels[req_status_allowed]
    protoPayload.response.spec.resourceAttributes.namespace target.resource.attribute.labels[res_spec_resource_attribute_namespace]
    protoPayload.response.spec.resourceAttributes.resource target.resource.attribute.labels[res_spec_resource_attribute_resource]
    protoPayload.response.spec.resourceAttributes.verb target.resource.attribute.labels[res_spec_resource_attribute_verb]
    protoPayload.response.status.allowed target.resource.attribute.labels[res_status_allowed]
    protoPayload.request.objects.db additional.fields[database_name]
    jsonPayload.accesses.methodName additional.fields[methodName]
    protoPayload.request.objects.name additional.fields[objects_name]
    protoPayload.metadata.event.eventName.parameter.name[API_CLIENT_NAME] additional.fields[api_client_name]
    protoPayload.metadata.event.eventName.parameter.name[API_SCOPES] additional.fields[api_scopes]
    protoPayload.metadata.event.eventName.parameter.name[BEGIN_DATE_TIME] additional.fields[begin_date_time]
    protoPayload.metadata.event.eventName.parameter.name[BULK_UPLOAD_FAIL_USERS_NUMBER] additional.fields[bulk_upload_fail_users_number]
    protoPayload.metadata.event.eventName.parameter.name[BULK_UPLOAD_TOTAL_USERS_NUMBER] additional.fields[bulk_upload_total_users_number]
    protoPayload.metadata.event.eventName.parameter.name[CAA_ASSIGNMENTS_NEW] additional.fields[caa_assignments_new]
    protoPayload.metadata.event.eventName.parameter.name[CAA_ASSIGNMENTS_OLD] additional.fields[caa_assignments_old]
    protoPayload.metadata.event.eventName.parameter.name[CAA_ENFORCEMENT_ENDPOINTS_NEW] additional.fields[caa_enforcement_endpoints_new]
    protoPayload.metadata.event.eventName.parameter.name[CAA_ENFORCEMENT_ENDPOINTS_OLD] additional.fields[caa_enforcement_endpoints_old]
    protoPayload.requestMetadata.requestAttributes.size additional.fields[caller_network_request_size]
    protoPayload.requestMetadata.requestAttributes.time additional.fields[caller_network_request_time]
    protoPayload.requestMetadata.callerNetwork additional.fields[caller_network]
    protoPayload.requestMetadata.requestAttributes.size additional.fields[caller_network_request_size]
    protoPayload.requestMetadata.requestAttributes.time additional.fields[request_attributes_time]
    protoPayload.requestMetadata.callerNetwork additional.fields[caller_network]
    protoPayload.metadata.event.eventName.parameter.name[CHROME_LICENSES_ENABLED] additional.fields[chrome_licenses_enabled]
    protoPayload.metadata.event.eventName.parameter.name[END_DATE_TIME] additional.fields[end_date_time]
    protoPayload.metadata.event.eventName.parameter.name[END_DATE] additional.fields[end_date]
    protoType.metadata.event.eventName additional.fields[event_name]
    protoPayload.metadata.event.parameter.label additional.fields[event_param_label]
    protoPayload.metadata.event.parameter.type additional.fields[event_param_type]
    protoType.metadata.event.eventType additional.fields[event_type]
    protoPayload.metadata.event.eventName.parameter.name[FIELD_NAME] additional.fields[field_name]
    protoPayload.metadata.event.eventName.parameter.name[FULL_ORG_UNIT_PATH] additional.fields[full_org_unit_path]
    protoPayload.metadata.event.eventName.parameter.name[GROUP_MEMBER_BULK_UPLOAD_FAILED_NUMBER] additional.fields[grp_member_bulk_upload_failed]
    protoPayload.metadata.event.eventName.parameter.name[GROUP_MEMBER_BULK_UPLOAD_TOTAL_NUMBER] additional.fields[grp_member_bulk_upload_total]
    httpRequest.cacheFillBytes additional.fields[httpreq_cache_fill_bytes]
    httpRequest.cacheHit additional.fields[httpreq_cache_hit]
    httpRequest.cacheLookup additional.fields[httpreq_cache_lookup]
    httpRequest.cacheValidatedWithOriginServer additional.fields[httpreq_cache_validated_with_origin_server]
    httpRequest.latency additional.fields[httprequest_latency]
    protoPayload.metadata.event.eventName.parameter.name[INFO_TYPE] additional.fields[info_type]
    protoPayload.metadata.activityId.timeUsec additional.fields[metadata_activityId_time_usec]
    protoPayload.metadata.activityId.uniqQualifier additional.fields[metadata_activityId_uniq_qualifier]
    protoPayload.metadata.@type additional.fields[metadata_type]
    protoPayload.metadata.event.eventName.parameter.name[NEW_PERMISSION_GRANT_STATE] additional.fields[new_permission_grant_state]
    protoPayload.metadata.event.eventName.parameter.name[NUMBER_OF_COMPANY_OWNED_DEVICES] additional.fields[num_of_company_owned_device]
    protoPayload.numResponseItems additional.fields[num_response_items]
    protoPayload.metadata.event.eventName.parameter.name[OLD_PERMISSION_GRANT_STATE] additional.fields[old_permission_grant_state]
    operation.first additional.fields[operation_first]
    operation.id additional.fields[operation_id]
    operation.last additional.fields[operation_last]
    operation.producer additional.fields[operation_producer]
    protoPayload.resourceOriginalState.selfLinkWithId additional.fields[rc_old_selflinkWithId]
    protoPayload.metadata.event.eventName.parameter.name[REAUTH_SETTING_NEW] additional.fields[reauth_setting_new]
    protoPayload.metadata.event.eventName.parameter.name[REAUTH_SETTING_OLD] additional.fields[reauth_setting_old]
    protoPayload.request.alloweds.ports additional.fields[req_alloweds_ports]
    protoPayload.request.body.name additional.fields[req_body_name]
    protoPayload.request.body.settings.activityPolicy additional.fields[req_body_settings_activity_policy]
    protoPayload.request.deletionProtection additional.fields[req_deletion_protection]
    protoPayload.request.disabled additional.fields[req_disabled]
    protoPayload.request.displayDevice.enableDisplay additional.fields[req_display_device_enable_display]
    protoPayload.request.enableFlowLogs additional.fields[req_enable_flow_logs]
    protoPayload.request.fingerprint additional.fields[req_fingerprint]
    protoPayload.request.shieldedInstanceConfig.enableSecureBoot additional.fields[req_instance_config_enable_secure_boot]
    protoPayload.request.shieldedInstanceConfig.enableVtpm additional.fields[req_instance_config_enable_vtpm]
    protoPayload.request.shieldedInstanceConfig.enableIntegrityMonitoring additional.fields[req_instance_enable_integrity_monitoring]
    protoPayload.request.key_types additional.fields[req_key_types]
    protoPayload.request.logconfig.enable additional.fields[req_logconfig_enable]
    protoPayload.request.networkTier additional.fields[req_network_tier]
    protoPayload.request.network additional.fields[req_network]
    protoPayload.request.page_size additional.fields[req_page_size]
    request.pagesize additional.fields[req_page_size]
    protoPayload.request.policy.etag additional.fields[req_policy_etag]
    protoPayload.request.portRange additional.fields[req_port_range]
    protoPayload.request.privateIpGoogleAccess additional.fields[req_private_ip_google_access]
    protoPayload.request.private_key_type additional.fields[req_private_key_type]
    protoPayload.request.remove_deleted_service_accounts additional.fields[req_remove_deleted_serviceAcc]
    protoPayload.request.showDeleted additional.fields[req_show_deleted]
    protoPayload.request.skip_visibility_check additional.fields[req_skip_visibility_check]
    protoPayload.request.stackType additional.fields[req_stack_type]
    protoPayload.request.type additional.fields[req_type]
    protoPayload.request.updateMask additional.fields[req_update_mask]
    protoPayload.request.version additional.fields[req_version]
    protoPayload.response.clientOperationId additional.fields[res_client_operation_id]
    protoPayload.response.endTime additional.fields[res_end_time]
    protoPayload.response.id additional.fields[res_id]
    protoPayload.response.key_algorithm additional.fields[res_key_algorithm]
    protoPayload.response.key_origin additional.fields[res_key_origin]
    protoPayload.response.key_type additional.fields[res_key_type]
    protoPayload.response.kind additional.fields[res_kind]
    protoPayload.response.private_key_type additional.fields[res_private_key_type]
    protoPayload.response.progress additional.fields[res_progress]
    protoPayload.response.startTime additional.fields[res_start_time]
    protoPayload.response.status security_result.action 当满足以下条件时,security_result.action 会设置为 FAIL
    • protoPayload.response.status 日志字段值中的值等于 Failure
    • security_result.action UDM 字段中的值等于 ALLOW
    protoPayload.response.status additional.fields[res_status]
    protoPayload.response.type additional.fields[res_type]
    protoPayload.response.unique_id additional.fields[res_unique_id]
    protoPayload.response.valid_after_time.seconds additional.fields[res_valid_after_time]
    protoPayload.response.valid_before_time.seconds additional.fields[res_valid_before_time]
    protoPayload.response.version additional.fields[res_version]
    protoPayload.response.zone additional.fields[res_zone]
    protoPayload.metadata.event.eventName.parameter.name[SEARCH_QUERY_FOR_DUMP] additional.fields[search_query_for_dump]
    spanId additional.fields[span_id]
    protoPayload.metadata.event.eventName.parameter.name[START_DATE] additional.fields[start_date]
    traceSampled additional.fields[trace_sampled]
    Trace additional.fields[trace]
    protoPayload.@type additional.fields[type]
    protoPayload.redactions.reason additional.fields[protoPayload.redactions.field]
    protoPayload.redactions.type additional.fields[protoPayload.redactions.field]
    authenticationInfo.serviceAccountDelegationInfo.firstPartyPrincipal.serviceMetadata additional.fields[service_metadata]
    jsonPayload.sourceNetwork additional.fields[source_network]
    authenticationInfo.serviceAccountDelegationInfo.thirdPartyPrincipal.thirdPartyClaims additional.fields[third_party_claims]
    protoPayload.requestMetadata.requestAttributes.time additional.fields[caller_network_request_time]
    protoPayload.request.ipCidrRange additional.fields[req_ip_cidr_range]
    protoPayload.request.description additional.labels[req_description]
    protoPayload.request.sourceRanges additional.fields[req_source_ranges]
    protoPayload.requestMetadata.requestAttributes.reason additional.fields[request_attributes_reason]
    protoPayload.authenticationInfo.thirdPartyPrincipal additional.fields[third_party_principal]
    sourceLocation.function additional.fields[src_location_function]
    sourceLocation.line additional.fields[src_location_line]
    resource.labels.backend_service_name additional.fields[backend_service_name]
    protoPayload.requestMetadata.requestAttributes.auth.claims additional.fields[request_auth_claims]
    protoPayload.metadata.event.eventName.parameter.name[APPLICATION_EDITION] additional.fields[application_edition]
    protoPayload.metadata.event.eventName.parameter.name[ASP_ID] additional.fields[asp_id]
    protoPayload.metadata.event.eventName.parameter.name[CHROME_OS_SESSION_TYPE] additional.fields[chrome_os_session_type]
    protoPayload.metadata.event.eventName.parameter.name[DEVICE_NEW_ORG_UNIT] additional.fields[device_new_org_unit]
    protoPayload.metadata.event.eventName.parameter.name[DEVICE_PREVIOUS_ORG_UNIT] additional.fields[device_previous_org_unit]
    protoPayload.metadata.event.eventName.parameter.name[DOMAIN_ALIAS] additional.fields[domain_alias]
    protoPayload.metadata.event.eventName.parameter.name[EMAIL_EXPORT_INCLUDE_DELETED] additional.fields[email_export_include_deleted]
    protoPayload.metadata.event.eventName.parameter.name[EMAIL_EXPORT_PACKAGE_CONTENT] additional.fields[email_export_package_content]
    protoPayload.metadata.event.eventName.parameter.name[EMAIL_LOG_SEARCH_END_DATE] additional.fields[email_log_search_end_date]
    protoPayload.metadata.event.eventName.parameter.name[EMAIL_LOG_SEARCH_START_DATE] additional.fields[email_log_search_start_date]
    protoPayload.metadata.event.eventName.parameter.name[EMAIL_MONITOR_LEVEL_CHAT] additional.fields[email_monitor_level_chat]
    protoPayload.metadata.event.eventName.parameter.name[EMAIL_MONITOR_LEVEL_DRAFT_EMAIL] additional.fields[email_monitor_level_draft_email]
    protoPayload.metadata.event.eventName.parameter.name[EMAIL_MONITOR_LEVEL_INCOMING_EMAIL] additional.fields[email_monitor_level_in_email]
    protoPayload.metadata.event.eventName.parameter.name[EMAIL_MONITOR_LEVEL_OUTGOING_EMAIL] additional.fields[email_monitor_level_out_email]
    protoPayload.metadata.event.eventName.parameter.name[GMAIL_RESET_REASON] additional.fields[email_reset_reason]
    protoPayload.metadata.event.eventName.parameter.name[NEW_VALUE] additional.fields[new_value]
    protoPayload.metadata.event.eventName.parameter.name[OAUTH2_APP_TYPE] additional.fields[oauth2_app_type]
    protoPayload.metadata.event.eventName.parameter.name[OLD_VALUE] additional.fields[old_value]
    protoPayload.requestMetadata.destinationAttributes.principal additional.fields[peer_principal]
    protoPayload.requestMetadata.destinationAttributes.regionCode additional.fields[peer_region_code]
    protoPayload.request.loadBalancingScheme additional.fields[req_load_balancing_scheme]
    protoPayload.request.requestId additional.fields[request_id]
    protoPayload.metadata.event.eventName.parameter.name[REQUEST_ID] additional.fields[request_id]
    protoPayload.resourceOriginalState.description additional.fields[res_originalState_description]
    protoPayload.response.bindings.members additional.fields[response_bindings_members]
    protoPayload.response.description additional.fields[response_description]
    protoPayload.response.display_name additional.fields[response_display_name]
    protoPayload.metadata.event.eventName.parameter.name[SECONDARY_DOMAIN_NAME] additional.fields[secondary_domain_name]
    protoPayload.metadata.event.eventName.parameter.name[SETTING_NAME] additional.fields[setting_name]
    protoPayload.metadata.event.eventName.parameter.name[USER_CUSTOM_FIELD] additional.fields[user_custom_field]
    protoPayload.metadata.event.eventName.parameter.name[USER_DEFINED_SETTING_NAME] additional.fields[user_defined_setting_name]
    protoPayload.metadata.event.eventName.parameter.name[WEB_ORIGIN] additional.fields[web_origin]
    protoPayload.metadata.event.eventName.parameter.name[WHITELISTED_GROUPS] additional.fields[whitelisted_groups]
    jsonPayload.end_time additional.fields[jsonPayload_end_time]
    jsonPayload.reporter additional.fields[jsonPayload_reporter]
    jsonPayload.start_time additional.fields[jsonPayload_start_time]
    jsonPayload.src_instance.project_id additional.fields[jsonPayload_src_instance_project_id]
    jsonPayload.dest_instance.project_id additional.fields[jsonPayload_dest_instance_project_id]
    jsonPayload.src_location.asn additional.fields[jsonPayload_src_location_asn]
    jsonPayload.src_location.continent additional.fields[jsonPayload_src_location_continent]
    jsonPayload.dest_location.asn additional.fields[jsonPayload_dest_location_asn]
    jsonPayload.dest_location.continent additional.fields[jsonPayload_dest_location_continent]
    protoPayload.request.spec.expirationSeconds target.resource.attribute.labels[req_spec_expiration_seconds]
    protoPayload.request.spec.request target.resource.attribute.labels[req_spec_request]
    protoPayload.request.spec.signerName target.resource.attribute.labels[req_spec_signer_name]
    protoPayload.request.spec.usages target.resource.attribute.labels[req_spec_usage]
    protoPayload.response.spec.expirationSeconds target.resource.attribute.labels[res_spec_expiration_seconds]
    protoPayload.response.spec.extra.iam.gke.io/user-assertion target.resource.attribute.labels[res_spec_extra_iam_gke_io/user_assertion]
    protoPayload.response.spec.extra.user-assertion.cloud.google.com target.resource.attribute.labels[res_spec_extra_user_assertion_cloud_google_com]
    protoPayload.response.spec.groups target.resource.attribute.labels[res_spec_group]
    protoPayload.response.spec.request target.resource.attribute.labels[res_spec_request]
    protoPayload.response.spec.signerName target.resource.attribute.labels[res_spec_signer_name]
    protoPayload.response.spec.usages target.resource.attribute.labels[res_spec_usage]
    protoPayload.response.spec.username target.resource.attribute.labels[res_spec_username]
    protoPayload.request.cryptoKeyVersion.state target.resource.attribute.labels[req_cryptokey_version_state]
    protoPayload.serviceData.policyDelta.auditConfigDeltas.action target.resource.attribute.labels[service_data_policy_delta_audit_config_delta_action]
    protoPayload.serviceData.policyDelta.auditConfigDeltas.service target.resource.attribute.labels[service_data_policy_delta_audit_config_delta_service]
    protoPayload.serviceData.policyDelta.auditConfigDeltas.exemptedMember target.resource.attribute.labels[service_data_policy_delta_audit_config_delta_exempted_member]
    protoPayload.serviceData.policyDelta.auditConfigDeltas.logType target.resource.attribute.labels[service_data_policy_delta_audit_config_delta_log_type]
    protoPayload.request.policy.bindings.role target.resource.attribute.labels[req_policy_bindings_role]
    protoPayload.request.policy.bindings.members target.resource.attribute.labels[req_bindings_members]
    protoPayload.metadata.tableChange.bindingDeltas.action target.resource.attribute.labels[table_change_binding_deltas_action]
    protoPayload.metadata.tableChange.bindingDeltas.member target.resource.attribute.labels[table_change_binding_deltas_member]
    protoPayload.metadata.tableChange.bindingDeltas.role target.resource.attribute.labels[table_change_binding_deltas_role]
    protoPayload.metadata.datasetChange.bindingDeltas.action target.resource.attribute.labels[dataset_change_binding_deltas_action]
    protoPayload.metadata.datasetChange.bindingDeltas.member target.resource.attribute.labels[dataset_change_binding_deltas_member]
    protoPayload.metadata.datasetChange.bindingDeltas.role target.resource.attribute.labels[dataset_change_binding_deltas_role]
    protoPayload.metadata.tableChange.table.policy.etag target.resource.attribute.labels[table_change_table_policy_etag]
    protoPayload.metadata.tableChange.table.policy.bindings.role target.resource.attribute.labels[table_change_table_policy_bindings_{index}_role]
    protoPayload.metadata.tableChange.table.policy.bindings.members target.resource.attribute.labels[table_change_table_policy_bindings_{index}_members_{index1}]
    protoPayload.metadata.datasetChange.dataset.acl.policy.bindings.role target.resource.attribute.labels[dataset_change_dataset_acl_policy_bindings_{index}_role]
    protoPayload.metadata.datasetChange.dataset.acl.policy.bindings.members target.resource.attribute.labels[dataset_change_dataset_acl_policy_bindings_{index}_members_{index1}]
    protoPayload.request.bindings.role target.resource.attribute.labels[request_bindings_{index}_role]
    protoPayload.request.bindings.members target.resource.attribute.labels[request_bindings_{index}_members_{index1}]
    protoPayload.metadata.groupDelta.newGroup.description target.group.attribute.labels[metadata_group_delta_new_group_description]
    protoPayload.metadata.groupDelta.newGroup.email target.group.email_addresses
    protoPayload.metadata.groupDelta.newGroup.name target.group.group_display_name
    protoPayload.metadata.groupDelta.action target.group.attribute.labels[metadata_group_delta_action]
    protoPayload.response.spec.template.metadata.labels.client.knative.dev/nonce target.resource.attribute.labels[res_spec_template_metadata_nonce]
    protoPayload.response.spec.template.metadata.annotations.run.googleapis.com/client-name target.resource.attribute.labels[res_spec_template_metadata_client_name]
    protoPayload.response.spec.template.metadata.annotations.run.googleapis.com/client-version target.resource.attribute.labels[res_spec_template_metadata_client_version]
    protoPayload.response.spec.template.metadata.annotations.run.googleapis.com/execution-environment target.resource.attribute.labels[res_spec_template_metadata_exection_environment]
    protoPayload.response.spec.template.spec.taskCount target.resource.attribute.labels[res_spec_template_spec_taskcount]
    protoPayload.response.spec.template.spec.template.spec.containers.image target.resource_ancestors.attribute.labels[res_spec_template_spec_template_spec_container_image]
    protoPayload.response.spec.template.spec.template.spec.containers.resources.limits.memory target.resource_ancestors.attribute.labels[res_spec_template_spec_template_spec_container_resource_limits_memory]
    protoPayload.response.spec.template.spec.template.spec.containers.resources.limits.cpu target.resource_ancestors.attribute.labels[res_spec_template_spec_template_spec_container_resource_limits_cpu]
    protoPayload.response.spec.template.spec.template.spec.maxRetries target.resource.attribute.labels[res_spec_template_spec_template_spec_max_retries]
    protoPayload.response.spec.template.spec.template.spec.timeoutSeconds target.resource.attribute.labels[res_spec_template_spec_template_spec_timeout_seconds]
    protoPayload.response.spec.template.spec.template.spec.serviceAccountName principal.user.email_addresses
    protoPayload.request.service.metadata.annotations.run.googleapis.com/client-name target.resource_ancestors.attribute.labels[req_service_metadata_client_name]
    protoPayload.request.service.metadata.annotations.serving.knative.dev/creator target.resource_ancestors.attribute.labels[req_service_metadata_creator]
    protoPayload.request.service.metadata.annotations.run.googleapis.com/client-version target.resource_ancestors.attribute.labels[req_service_metadata_client_version]
    protoPayload.request.service.metadata.annotations.run.googleapis.com/operation-id target.resource_ancestors.attribute.labels[req_service_metadata_client_operation_id]
    protoPayload.request.service.metadata.annotations.run.googleapis.com/binary-authorization target.resource_ancestors.attribute.labels[req_service_metadata_binary_authorization]
    protoPayload.request.service.metadata.annotations.run.googleapis.com/ingress-status target.resource_ancestors.attribute.labels[req_service_metadata_client_ingress_status]
    protoPayload.request.service.metadata.annotations.serving.knative.dev/lastModifier target.resource_ancestors.attribute.labels[req_service_metadata_last_modifier]
    protoPayload.request.service.metadata.annotations.run.googleapis.com/ingress target.resource_ancestors.attribute.labels[req_service_metadata_ingress]
    protoPayload.request.service.spec.template.metadata.annotations.run.googleapis.com/client-name target.resource_ancestors.attribute.labels[req_service_spec_template_metadata_client_name]
    protoPayload.request.service.spec.template.metadata.annotations.run.googleapis.com/client-version target.resource_ancestors.attribute.labels[req_service_spec_template_metadata_client_version]
    protoPayload.request.service.spec.template.metadata.annotations.autoscaling.knative.dev/maxScale target.resource_ancestors.attribute.labels[req_service_spec_template_metadata_max_scale]
    protoPayload.request.New Data target.resource_ancestors.attribute.labels[req_new_data]
    protoPayload.response.Original Data target.resource_ancestors.attribute.labels[req_original_data]
    protoPayload.request.timestampRange.startTime target.resource.attribute.labels[timestamp_range_start_time]
    protoPayload.request.timestampRange.endTime target.resource.attribute.labels[timestamp_range_end_time]
    protoPayload.request.regexSearch target.resource.attribute.labels[request_regex_search]
    protoPayload.request.productSources target.resource.attribute.labels[request_product_sources]
    protoPayload.request.query target.resource.attribute.labels[request_query]
    protoPayload.request.caseSensitive target.resource.attribute.labels[request_case_sensitive]
    protoPayload.request.baselineQuery target.resource.attribute.labels[baseline_query]
    protoPayload.request.baselineTimeRange.startTime target.resource.attribute.labels[baseline_time_range_start_time]
    protoPayload.request.baselineTimeRange.endTime target.resource.attribute.labels[baseline_time_range_end_time]
    protoPayload.response.serviceConfig.timeoutSeconds target.resource.attribute.labels[response_service_config_timeout_seconds]
    labels.execution_id additional.fields[execution_id]
    labels.instance_id additional.fields[instance_id]
    labels.runtime_version additional.fields[runtime_version]
    protoPayload.metadata.updatedGrant.requester principal.user.userid 如果 protoPayload.serviceName 日志字段值等于 privilegedaccessmanager.googleapis.com,则 protoPayload.metadata.updatedGrant.requester 日志字段会映射到 principal.user.userid UDM 字段。
    protoPayload.metadata.updatedGrant.requestedDuration target.resource.attribute.labels[requestedDuration] 如果 protoPayload.serviceName 日志字段值等于 privilegedaccessmanager.googleapis.com,则 protoPayload.metadata.updatedGrant.requestedDuration 日志字段会映射到 target.resource.attribute.labels UDM 字段。
    protoPayload.metadata.updatedGrant.justification.unstructuredJustification target.resource.attribute.labels[justification] 如果 protoPayload.serviceName 日志字段值等于 privilegedaccessmanager.googleapis.com,则 protoPayload.metadata.updatedGrant.justification.unstructuredJustification 日志字段会映射到 target.resource.attribute.labels UDM 字段。
    protoPayload.metadata.updatedGrant.privilegedAccess.gcpIamAccess.roleBindings.role target.resource.attribute.roles.name 如果 protoPayload.serviceName 日志字段值等于 privilegedaccessmanager.googleapis.com,则 protoPayload.metadata.updatedGrant.privilegedAccess.gcpIamAccess.roleBindings.role 日志字段会映射到 target.resource.attribute.roles.name UDM 字段。
    protoPayload.metadata.updatedGrant.privilegedAccess.gcpIamAccess.resourceType target.resource.attribute.labels[resourceType] 如果 protoPayload.serviceName 日志字段值等于 privilegedaccessmanager.googleapis.com,则 protoPayload.metadata.updatedGrant.privilegedAccess.gcpIamAccess.resourceType 日志字段会映射到 target.resource.attribute.labels UDM 字段。
    protoPayload.metadata.updatedGrant.privilegedAccess.gcpIamAccess.resource target.resource.attribute.labels[resource] 如果 protoPayload.serviceName 日志字段值等于 privilegedaccessmanager.googleapis.com,则 protoPayload.metadata.updatedGrant.privilegedAccess.gcpIamAccess.resource 日志字段会映射到 target.resource.attribute.labels UDM 字段。
    protoPayload.metadata.updatedGrant.state target.resource.attribute.labels[state] 如果 protoPayload.serviceName 日志字段值等于 privilegedaccessmanager.googleapis.com,则 protoPayload.metadata.updatedGrant.state 日志字段会映射到 target.resource.attribute.labels UDM 字段。
    protoPayload.metadata.jobInsertion.job.jobConfig.labels.looker_studio_report_id target.resource.attribute.labels[job_insertion_looker_studio_report_id] 如果 protoPayload.serviceName 日志字段值等于 privilegedaccessmanager.googleapis.com,则 protoPayload.metadata.jobInsertion.job.jobConfig.labels.looker_studio_report_id 日志字段会映射到 target.resource.attribute.labels UDM 字段。
    protoPayload.metadata.jobInsertion.job.jobConfig.labels.requestor target.resource.attribute.labels[job_insertion_requestor] 如果 protoPayload.serviceName 日志字段值等于 privilegedaccessmanager.googleapis.com,则 protoPayload.metadata.jobInsertion.job.jobConfig.labels.requestor 日志字段会映射到 target.resource.attribute.labels UDM 字段。
    protoPayload.metadata.jobInsertion.job.jobConfig.labels.looker_studio_datasource_id target.resource.attribute.labels[job_insertion_looker_studio_datasource_id] 如果 protoPayload.serviceName 日志字段值等于 privilegedaccessmanager.googleapis.com,则 protoPayload.metadata.jobInsertion.job.jobConfig.labels.looker_studio_datasource_id 日志字段会映射到 target.resource.attribute.labels UDM 字段。
    protoPayload.response.displayName security_result.associations.name 如果 protoPayload.response.displayName 日志字段值不为空,则 protoPayload.response.displayName 日志字段会映射到 security_result.associations.name UDM 字段。
    protoPayload.request.referenceList.displayName security_result.associations.name 如果 protoPayload.response.displayName 日志字段值为空,则 protoPayload.request.referenceList.displayName 日志字段会映射到 security_result.associations.name UDM 字段。
    protoPayload.resourceName security_result.detection_fields[rule_id] 如果 protoPayload.resourceName 日志字段值为空,并且 protoPayload.response.@type 日志字段值为 type.googleapis.com/google.cloud.chronicle.v1alpha.Rule,则系统会使用 Grok 模式从 protoPayload.resourceName 日志字段中提取 new_rule_id,并将其映射到 security_result.detection_fields[rule_id] UDM 字段。
    protoPayload.request.projection target.resource.attribute.labels[req_projection]
    protoPayload.response.items.metageneration target.resource.attribute.labels[res_items_metageneration]
    protoPayload.response.items.labels.created_date target.resource.attribute.labels[res_items_labels_created_date]
    protoPayload.response.items.labels.team_email target.resource.attribute.labels[res_items_labels_team_email]
    protoPayload.response.items.labels.team_name target.resource.attribute.labels[res_items_labels_team_name]
    protoPayload.response.items.labels.office_number target.resource.attribute.labels[res_items_labels_official_number]
    protoPayload.response.items.labels.department target.resource.attribute.labels[res_items_labels_department]
    protoPayload.response.items.labels.business_project_number target.resource.attribute.labels[res_items_labels_business_project_number]
    protoPayload.response.items.labels.owner_email target.resource.attribute.labels[res_items_labels_owner_email]
    protoPayload.response.items.labels.purchase_order_number target.resource.attribute.labels[res_items_labels_purchase_order_number]
    protoPayload.response.items.labels.office_name target.resource.attribute.labels[res_items_labels_office_name]
    protoPayload.response.items.labels.environment target.resource.attribute.labels[res_items_labels_environment]
    protoPayload.response.items.labels.created_by target.resource.attribute.labels[res_items_labels_created_by]
    protoPayload.response.items.labels.project_name target.resource.attribute.labels[res_items_labels_project_name]
    protoPayload.response.items.labels.finops_tag target.resource.attribute.labels[res_items_labels_finops_tag]
    protoPayload.response.items.labels.owner_role target.resource.attribute.labels[res_items_labels_owner_role]
    protoPayload.response.items.versioning.enabled target.resource.attribute.labels[res_items_versioning_enabled]
    protoPayload.response.items.iamConfiguration.publicAccessPrevention target.resource.attribute.labels[res_items_iam_conf_public_access_prevention]
    protoPayload.response.items.iamConfiguration.uniformBucketLevelAccess.lockedTime target.resource.attribute.labels[res_items_iam_conf_uniform_bucket_level_access_locked_time]
    protoPayload.response.items.iamConfiguration.uniformBucketLevelAccess.enabled target.resource.attribute.labels[res_items_iam_conf_uniform_bucket_level_access_enabled]
    protoPayload.response.items.id target.resource.attribute.labels[res_items_id]
    protoPayload.response.items.updated target.resource.attribute.labels[res_items_updated]
    protoPayload.response.items.storageClass target.resource.attribute.labels[res_items_storage_class]
    protoPayload.response.items.timeCreated target.resource.attribute.labels[res_items_time_created]
    protoPayload.response.items.location target.resource.attribute.labels[res_items_location]
    protoPayload.response.items.locationType target.resource.attribute.labels[res_items_location_type]
    protoPayload.response.items.projectNumber target.resource.attribute.labels[res_items_project_number]
    protoPayload.response.items.name target.resource.attribute.labels[res_items_name]
    protoPayload.response.items.softDeletePolicy.effectiveTime target.resource.attribute.labels[res_items_soft_delete_policy_effective_time]
    protoPayload.response.items.softDeletePolicy.retentionDurationSeconds target.resource.attribute.labels[res_items_soft_delete_policy_retention_duration_seconds]
    protoPayload.response.items.etag target.resource.attribute.labels[res_items_etag]
    protoPayload.response.code network.http.response_code
    protoPayload.response.reason additional.fields[res_reason]

    后续步骤