Diese Seite wurde von der Cloud Translation API übersetzt.

Cloud-Audit-Logs erfassen

Unterstützt in:

Google SecOps SIEM

In diesem Dokument wird beschrieben, wie Sie Cloud-Audit-Logs exportieren, indem Sie die Aufnahme von Google Cloud-Telemetriedaten in Google Security Operations aktivieren. Außerdem wird erläutert, wie Cloud-Audit-Log-Felder den UDM-Feldern (Unified Data Model) von Google Security Operations zugeordnet werden.

Weitere Informationen finden Sie unter Datenaufnahme in Google Security Operations.

Eine typische Bereitstellung besteht aus Cloud-Audit-Logs, die für die Aufnahme in Google Security Operations aktiviert sind. Jede Kundenbereitstellung kann davon abweichen und kann komplexer sein.

Das Deployment enthält die folgenden Komponenten:

Google Cloud: Google Cloud-Dienste und ‑Produkte, von denen Sie Protokolle erfassen
Cloud-Audit-Logs: die Cloud-Audit-Logs, die für die Aufnahme in Google Security Operations aktiviert sind
Google Workspace-Audit-Logs: Die Google Workspace-Audit-Logs, die für die Aufnahme in Google Security Operations aktiviert sind
Google Security Operations: Cloud-Audit-Logs und Google Workspace-Audit-Logs werden aufbewahrt und analysiert.

Mit einem Datenaufnahmelabel wird der Parser identifiziert, der Roh-Logdaten in das strukturierte UDM-Format normalisiert. Die Informationen in diesem Dokument gelten für den Parser mit dem Aufnahmelabel „GCP_CLOUDAUDIT“.

Hinweise

Sie müssen die Zugriffssteuerung für Ihre Organisation und Ihre Ressourcen mithilfe von Identity and Access Management (IAM) eingerichtet haben. Weitere Informationen zur Zugriffssteuerung finden Sie unter Zugriffssteuerung für Organisationen mit IAM
Audit-Logs zum Datenzugriff konfigurieren für Ihre Google Cloud-Ressourcen und -Dienste.
Achten Sie darauf, dass alle Systeme in der Bereitstellungsarchitektur konfiguriert sind in der Zeitzone UTC angegeben.
Prüfen Sie die Logtypen, die der Cloud-Audit-Logs-Parser unterstützt. In der folgenden Tabelle Listet die Logquellen und -typen auf, die vom Cloud-Audit-Logs-Parser unterstützt werden:

Logquellen	Logquelle
Cloud DNS	–
syslog	–
Audit-Logs für Google Workspace	Prüfung von Anmeldeaktivitäten
Audit-Logs für Google Workspace	Admin Audit
Cloud-Audit-Logs	Administratoraktivität
Cloud-Audit-Logs	VPC Service Controls-Audit
Cloud-Audit-Logs	Google Kubernetes Engine-Datenzugriff
Cloud-Audit-Logs	Resource Manager-Datenzugriff
Cloud-Audit-Logs	Zugriff auf BigQuery-Audit-Metadaten
Cloud-Audit-Logs	MySQL-Datenzugriff, Administratoraktivität
Cloud-Audit-Logs	PostgreSQL-Datenzugriff, Administratoraktivität
Cloud-Audit-Logs	SQL Server-Datenzugriff, Administratoraktivität
Cloud Load Balancing	Cloud-HTTP-Load-Balancer
Cloud DNS	Administratoraktivität
Virtual Private Cloud-Datenfluss	Virtual Private Cloud-Datenfluss
Firewallregeln	Firewallregeln
Cloud NAT	Cloud NAT

Aufnahme von Cloud-Audit-Logs konfigurieren

Führen Sie die Schritte auf der Seite Google Cloud-Logs in Google Security Operations aufnehmen aus, um Cloud-Audit-Logs in Google Security Operations aufzunehmen.

Wenn bei der Aufnahme von Cloud-Audit-Logs Probleme auftreten, wenden Sie sich an den Google Security Operations-Support.

Feldzuordnungsreferenz

In diesem Abschnitt wird erläutert, wie der Google Security Operations-Parser Cloud-Audit-Log-Felder den Feldern des Unified Data Model (UDM) von Google Security Operations zuordnet.

GCP_CLOUDAUDIT-Protokolltypen in UDM-Ereignistyp

In der folgenden Tabelle sind die Ereignis-IDs von GCP_CLOUDAUDIT und die zugehörigen Ereignistypen aufgeführt.

Event identifier	Event type
`dns.managedZones.get`	`USER_RESOURCE_ACCESS`
`dns.managedZones.list`	`USER_RESOURCE_ACCESS`
`dns.changes.get`	`USER_RESOURCE_ACCESS`
`dns.changes.list`	`USER_RESOURCE_ACCESS`
`dns.activePeeringZones.list`	`USER_RESOURCE_ACCESS`
`dns.activePeeringZones.getpeeringzoneinfo`	`USER_RESOURCE_ACCESS`
`dns.resourceRecordSets.get`	`USER_RESOURCE_ACCESS`
`dns.resourceRecordSets.list`	`USER_RESOURCE_ACCESS`
`dns.responsePolicies.get`	`USER_RESOURCE_ACCESS`
`dns.responsePolicies.list`	`USER_RESOURCE_ACCESS`
`dns.responsePolicyRules.get`	`USER_RESOURCE_ACCESS`
`dns.responsePolicyRules.list`	`USER_RESOURCE_ACCESS`
`dns.policies.get`	`USER_RESOURCE_ACCESS`
`dns.policies.list`	`USER_RESOURCE_ACCESS`
`dns.projects.get`	`USER_RESOURCE_ACCESS`
`dns.managedZones.create`	`USER_RESOURCE_CREATION`
`dns.managedZones.delete`	`RESOURCE_DELETION`
`dns.managedZones.update`	`RESOURCE_WRITTEN`
`dns.managedZones.patch`	`USER_RESOURCE_UPDATE_CONTENT`
`dns.changes.create`	`USER_RESOURCE_CREATION`
`dns.changes.delete`	`RESOURCE_DELETION`
`dns.activePeeringZones.deactivate`	`USER_RESOURCE_UPDATE_CONTENT`
`dns.resourceRecordSets.create`	`USER_RESOURCE_CREATION`
`dns.resourceRecordSets.delete`	`RESOURCE_DELETION`
`dns.resourceRecordSets.update`	`RESOURCE_WRITTEN`
`dns.resourceRecordSets.patch`	`USER_RESOURCE_UPDATE_CONTENT`
`dns.responsePolicies.create`	`USER_RESOURCE_CREATION`
`dns.responsePolicies.delete`	`RESOURCE_DELETION`
`dns.responsePolicies.update`	`RESOURCE_WRITTEN`
`dns.responsePolicies.patch`	`USER_RESOURCE_UPDATE_CONTENT`
`dns.responsePolicyRules.create`	`USER_RESOURCE_CREATION`
`dns.responsePolicyRules.delete`	`RESOURCE_DELETION`
`dns.responsePolicyRules.update`	`RESOURCE_WRITTEN`
`dns.responsePolicyRules.patch`	`USER_RESOURCE_UPDATE_CONTENT`
`dns.policies.create`	`USER_RESOURCE_CREATION`
`dns.policies.delete`	`RESOURCE_DELETION`
`dns.policies.update`	`RESOURCE_WRITTEN`
`dns.policies.patch`	`USER_RESOURCE_UPDATE_CONTENT`
`CreateRole`	`USER_RESOURCE_CREATION`
`DeleteRole`	`RESOURCE_DELETION`
`UndeleteRole`	`RESOURCE_CREATION`
`UpdateRole`	`RESOURCE_WRITTEN`
`google.iam.v2beta.Policies.CreatePolicy`	`USER_RESOURCE_CREATION`
`google.iam.v2beta.Policies.DeletePolicy`	`RESOURCE_DELETION`
`google.iam.v2beta.Policies.UpdatePolicy`	`RESOURCE_WRITTEN`
`CreateServiceAccount`	`USER_CREATION`
`DeleteServiceAccount`	`RESOURCE_DELETION`
`DisableServiceAccount`	`USER_CHANGE_PERMISSIONS`
`EnableServiceAccount`	`USER_CHANGE_PERMISSIONS`
`GetServiceAccount`	`USER_RESOURCE_ACCESS`
`PatchServiceAccount`	`USER_RESOURCE_UPDATE_CONTENT`
`SetIAMPolicy`	`USER_RESOURCE_UPDATE_PERMISSIONS`
`UndeleteServiceAccount`	`USER_CREATION`
`UpdateServiceAccount`	`RESOURCE_WRITTEN`
`CreateServiceAccountKey`	`USER_CHANGE_PASSWORD`
`DeleteServiceAccountKey`	`USER_DELETION`
`UploadServiceAccountKey`	`USER_CHANGE_PASSWORD`
`CreateWorkloadIdentityPool`	`USER_RESOURCE_CREATION`
`DeleteWorkloadIdentityPool`	`RESOURCE_DELETION`
`UndeleteWorkloadIdentityPool`	`RESOURCE_CREATION`
`UpdateWorkloadIdentityPool`	`RESOURCE_WRITTEN`
`CreateWorkloadIdentityPoolProvider`	`USER_RESOURCE_CREATION`
`DeleteWorkloadIdentityPoolProvider`	`RESOURCE_DELETION`
`UndeleteWorkloadIdentityPoolProvider`	`RESOURCE_DELETION`
`UpdateWorkloadIdentityPoolProvider`	`RESOURCE_WRITTEN`
`CreateWorkforcePool`	`USER_RESOURCE_CREATION`
`DeleteWorkforcePool`	`RESOURCE_DELETION`
`UndeleteWorkforcePool`	`RESOURCE_DELETION`
`UpdateWorkforcePool`	`RESOURCE_WRITTEN`
`CreateWorkforcePoolProvider`	`USER_RESOURCE_CREATION`
`DeleteWorkforcePoolProvider`	`RESOURCE_DELETION`
`UndeleteWorkforcePoolProvider`	`RESOURCE_DELETION`
`UpdateWorkforcePoolProvider`	`RESOURCE_WRITTEN`
`GetEffectivePolicy1`	`USER_RESOURCE_ACCESS`
`google.iam.admin.v1.GetPolicyDetails2`	`USER_RESOURCE_ACCESS`
`ExchangeToken`	`USER_RESOURCE_ACCESS`
`Google Cloud console (federated) sign in`	`USER_RESOURCE_UPDATE_PERMISSIONS`
`GetRole`	`USER_RESOURCE_ACCESS`
`ListRoles`	`USER_RESOURCE_ACCESS`
`google.iam.v2beta.Policies.GetPolicy`	`USER_RESOURCE_ACCESS`
`google.iam.v2beta.Policies.ListPolicies`	`USER_RESOURCE_ACCESS`
`QueryGrantableRoles`	`USER_RESOURCE_ACCESS`
`GenerateAccessToken`	`USER_RESOURCE_UPDATE_CONTENT`
`GenerateIdToken`	`USER_RESOURCE_UPDATE_CONTENT`
`ListServiceAccounts`	`USER_RESOURCE_ACCESS`
`SignBlob`	`USER_RESOURCE_UPDATE_CONTENT`
`SignJwt`	`USER_RESOURCE_UPDATE_CONTENT`
`GetServiceAccountKey`	`USER_RESOURCE_ACCESS`
`ListServiceAccountKeys`	`USER_RESOURCE_ACCESS`
`GetWorkloadIdentityPool`	`USER_RESOURCE_ACCESS`
`ListWorkloadIdentityPools`	`USER_RESOURCE_ACCESS`
`GetWorkloadIdentityPoolProvider`	`USER_RESOURCE_ACCESS`
`ListWorkloadIdentityPoolProviders`	`USER_RESOURCE_ACCESS`
`GetWorkforcePool`	`USER_RESOURCE_ACCESS`
`ListWorkforcePools`	`USER_RESOURCE_ACCESS`
`GetWorkforcePoolProvider`	`USER_RESOURCE_ACCESS`
`ListWorkforcePoolProviders`	`USER_RESOURCE_ACCESS`
`io.k8s.authorization.rbac.v1`	`STATUS_UPDATE`
`io.k8s.authorization.rbac.v1.roles`	`STATUS_UPDATE`
`io.k8s.batch.v1.jobs.create`	`RESOURCE_CREATION`
`io.k8s.authorization.rbac.v1.clusterroles.create`	`RESOURCE_CREATION`
`io.k8s.apps.v1.daemonsets.create`	`RESOURCE_CREATION`
`io.k8s.authorization.v1.selfsubjectaccessreviews.create`	`RESOURCE_CREATION`
`google.container.v1.ClusterManager.CreateCluster`	`USER_RESOURCE_CREATION`
`google.cloud.bigquery.v2.TableService.InsertTable`	`USER_RESOURCE_CREATION`
`google.cloud.bigquery.v2.TableService.UpdateTable`	`RESOURCE_WRITTEN`
`google.cloud.bigquery.v2.TableService.PatchTable`	`USER_RESOURCE_UPDATE_CONTENT`
`google.cloud.bigquery.v2.TableService.DeleteTable`	`RESOURCE_DELETION`
`google.cloud.bigquery.v2.DatasetService.InsertDataset`	`USER_RESOURCE_CREATION`
`google.cloud.bigquery.v2.DatasetService.UpdateDataset`	`RESOURCE_WRITTEN`
`google.cloud.bigquery.v2.DatasetService.PatchDataset`	`USER_RESOURCE_UPDATE_CONTENT`
`google.cloud.bigquery.v2.DatasetService.DeleteDataset`	`USER_RESOURCE_DELETION`
`google.cloud.bigquery.v2.TableDataService.List`	`USER_RESOURCE_ACCESS`
`google.cloud.bigquery.v2.JobService.InsertJob`	`USER_RESOURCE_CREATION`
`google.cloud.bigquery.v2.JobService.Query`	`USER_RESOURCE_ACCESS`
`google.cloud.bigquery.v2.JobService.GetQueryResults`	`USER_RESOURCE_ACCESS`
`InternalTableExpired`	`USER_RESOURCE_DELETION`
`google.cloud.bigquery.connection.v1.ConnectionService.CreateConnection`	`USER_RESOURCE_CREATION`
`google.cloud.bigquery.connection.v1.ConnectionService.DeleteConnection`	`RESOURCE_DELETION`
`google.cloud.bigquery.connection.v1.ConnectionService.UpdateConnection`	`RESOURCE_WRITTEN`
`google.cloud.bigquery.connection.v1.ConnectionService.SetIamPolicy`	`RESOURCE_PERMISSIONS_CHANGE`
`google.cloud.bigquery.reservation.v1.ReservationService.CreateReservation`	`USER_RESOURCE_CREATION`
`google.cloud.bigquery.reservation.v1.ReservationService.DeleteReservation`	`RESOURCE_DELETION`
`google.cloud.bigquery.reservation.v1.ReservationService.UpdateReservation`	`RESOURCE_WRITTEN`
`google.cloud.bigquery.reservation.v1.ReservationService.CreateCapacityCommitment`	`USER_RESOURCE_CREATION`
`google.cloud.bigquery.reservation.v1.ReservationService.DeleteCapacityCommitment`	`RESOURCE_DELETION`
`google.cloud.bigquery.reservation.v1.ReservationService.CreateAssignment`	`USER_RESOURCE_CREATION`
`google.cloud.bigquery.reservation.v1.ReservationService.DeleteAssignment`	`RESOURCE_DELETION`
`google.cloud.bigquery.reservation.v1.ReservationService.MoveAssignment`	`STATUS_UPDATE`
`cloudsql.backupRuns.get`	`USER_RESOURCE_ACCESS`
`cloudsql.backupRuns.list`	`USER_RESOURCE_ACCESS`
`cloudsql.databases.create`	`USER_RESOURCE_CREATION`
`cloudsql.databases.delete`	`RESOURCE_DELETION`
`cloudsql.databases.get`	`USER_RESOURCE_ACCESS`
`cloudsql.databases.list`	`USER_RESOURCE_ACCESS`
`cloudsql.databases.update`	`RESOURCE_WRITTEN`
`cloudsql.instances.export`	`USER_RESOURCE_ACCESS`
`cloudsql.instances.get`	`USER_RESOURCE_ACCESS`
`cloudsql.instances.import`	`STATUS_UNCATEGORIZED`
`cloudsql.instances.list`	`USER_RESOURCE_ACCESS`
`cloudsql.instances.listEffectiveTags`	`USER_RESOURCE_ACCESS`
`cloudsql.instances.listServerCas`	`USER_RESOURCE_ACCESS`
`cloudsql.instances.listTagBindings`	`USER_RESOURCE_ACCESS`
`cloudsql.instances.login`	`USER_LOGIN`
`cloudsql.sslCerts.get`	`USER_RESOURCE_ACCESS`
`cloudsql.sslCerts.list`	`USER_RESOURCE_ACCESS`
`cloudsql.users.create`	`USER_RESOURCE_CREATION`
`cloudsql.users.delete`	`RESOURCE_DELETION`
`cloudsql.users.get`	`USER_RESOURCE_ACCESS`
`cloudsql.users.list`	`USER_RESOURCE_ACCESS`
`cloudsql.users.update`	`RESOURCE_WRITTEN`
`cloudsql.backupRuns.create`	`USER_RESOURCE_CREATION`
`cloudsql.backupRuns.delete`	`RESOURCE_DELETION`
`cloudsql.instances.addServerCa`	`USER_RESOURCE_CREATION`
`cloudsql.instances.clone`	`USER_RESOURCE_CREATION`
`cloudsql.instances.connect`	`USER_LOGIN`
`cloudsql.instances.create`	`USER_RESOURCE_CREATION`
`cloudsql.instances.createTagBinding`	`USER_RESOURCE_CREATION`
`cloudsql.instances.delete`	`RESOURCE_DELETION`
`cloudsql.instances.deleteTagBinding`	`RESOURCE_DELETION`
`cloudsql.instances.demoteMaster`	`STATUS_UPDATE`
`cloudsql.instances.failover`	`STATUS_UPDATE`
`cloudsql.instances.promoteReplica`	`STATUS_UPDATE`
`cloudsql.instances.resetSslConfig`	`USER_RESOURCE_UPDATE_CONTENT`
`cloudsql.instances.restart`	`STATUS_STARTUP`
`cloudsql.instances.restoreBackup`	`STATUS_UPDATE`
`cloudsql.instances.rotateServerCa`	`STATUS_UPDATE`
`cloudsql.instances.startReplica`	`STATUS_STARTUP`
`cloudsql.instances.stopReplica`	`STATUS_UPDATE`
`cloudsql.instances.truncateLog`	`STATUS_UPDATE`
`cloudsql.instances.update`	`RESOURCE_WRITTEN`
`cloudsql.sslCerts.create`	`USER_RESOURCE_CREATION`
`cloudsql.sslCerts.createEphemeral`	`USER_RESOURCE_CREATION`
`cloudsql.sslCerts.delete`	`RESOURCE_DELETION`
`compute.instances.insert`	`RESOURCE_CREATION`
`compute.instanceGroups.removeInstances`	`RESOURCE_DELETION`
`compute.instances.setMetadata`	`USER_RESOURCE_UPDATE_CONTENT`
`compute.instances.setLabels`	`USER_RESOURCE_CREATION`
`compute.instances.setTags`	`USER_RESOURCE_CREATION`
`compute.instances.setIamPolicy`	`USER_RESOURCE_UPDATE_PERMISSIONS`
`compute.instances.list`	`USER_RESOURCE_ACCESS`
`compute.images.get`	`USER_RESOURCE_ACCESS`
`compute.interconnectAttachments.aggregatedList`	`USER_RESOURCE_ACCESS`
`compute.instance.getSerialPortOutput`	`USER_RESOURCE_ACCESS`
`compute.instances.migrateOnHostMaintenance`	`RESOURCE_CREATION`
`compute.instances.automaticRestart`	`USER_RESOURCE_UPDATE_CONTENT`
`compute.instanceGroupManagers.resizeAdvanced`	`USER_RESOURCE_UPDATE_CONTENT`
`google.ssh-serialport.v1.connect`	`NETWORK_CONNECTION`
`firewalls.delete`	`RESOURCE_DELETION`
`firewalls.insert`	`RESOURCE_CREATION`
`firewalls.patch`	`USER_RESOURCE_UPDATE_CONTENT`
`firewalls.update`	`RESOURCE_WRITTEN`
`forwardingRules.delete`	`RESOURCE_DELETION`
`forwardingRules.insert`	`RESOURCE_CREATION`
`forwardingRules.patch`	`USER_RESOURCE_UPDATE_CONTENT`
`forwardingRules.setTarget`	`STATUS_UPDATE`
`networks.addPeering`	`STATUS_UPDATE`
`networks.delete`	`RESOURCE_DELETION`
`networks.insert`	`RESOURCE_CREATION`
`networks.patch`	`USER_RESOURCE_UPDATE_CONTENT`
`networks.removePeering`	`RESOURCE_DELETION`
`networks.switchToCustomMode`	`STATUS_UPDATE`
`networks.updatePeering`	`RESOURCE_WRITTEN`
`routes.delete`	`RESOURCE_DELETION`
`routes.insert`	`USER_RESOURCE_CREATION`
`subnetworks.delete`	`RESOURCE_DELETION`
`subnetworks.expandIpCidrRange`	`STATUS_UPDATE`
`subnetworks.insert`	`RESOURCE_CREATION`
`subnetworks.patch`	`USER_RESOURCE_UPDATE_CONTENT`
`subnetworks.setIamPolicy`	`USER_RESOURCE_UPDATE_PERMISSIONS`
`subnetworks.setPrivateIpGoogleAccess`	`STATUS_UPDATE`
`subnetworks.testIamPermissions`	`USER_RESOURCE_ACCESS`
`firewalls.get`	`USER_RESOURCE_ACCESS`
`firewalls.list`	`USER_RESOURCE_ACCESS`
`forwardingRules.aggregatedList`	`USER_RESOURCE_ACCESS`
`forwardingRules.get`	`USER_RESOURCE_ACCESS`
`forwardingRules.list`	`USER_RESOURCE_ACCESS`
`networks.get`	`USER_RESOURCE_ACCESS`
`networks.list`	`USER_RESOURCE_ACCESS`
`networks.listPeeringRoutes`	`USER_RESOURCE_ACCESS`
`routes.get`	`USER_RESOURCE_ACCESS`
`routes.list`	`USER_RESOURCE_ACCESS`
`subnetworks.aggregatedList`	`USER_RESOURCE_ACCESS`
`subnetworks.get`	`USER_RESOURCE_ACCESS`
`subnetworks.getIamPolicy`	`USER_RESOURCE_ACCESS`
`subnetworks.list`	`USER_RESOURCE_ACCESS`
`subnetworks.listUsable`	`USER_RESOURCE_ACCESS`
`google.admin.AdminService.alertCenterBatchDeleteAlerts`	`RESOURCE_DELETION`
`google.admin.AdminService.alertCenterBatchUndeleteAlerts`	`RESOURCE_DELETION`
`google.admin.AdminService.alertCenterCreateAlert`	`USER_RESOURCE_CREATION`
`google.admin.AdminService.alertCenterCreateFeedback`	`USER_RESOURCE_CREATION`
`google.admin.AdminService.alertCenterDeleteAlert`	`RESOURCE_DELETION`
`google.admin.AdminService.alertCenterGetAlertMetadata`	`USER_RESOURCE_ACCESS`
`google.admin.AdminService.alertCenterGetCustomerSettings`	`USER_RESOURCE_ACCESS`
`google.admin.AdminService.alertCenterGetSitLink`	`USER_RESOURCE_ACCESS`
`google.admin.AdminService.alertCenterListChange`	`USER_RESOURCE_ACCESS`
`google.admin.AdminService.alertCenterListFeedback`	`USER_RESOURCE_ACCESS`
`google.admin.AdminService.alertCenterListRelatedAlerts`	`USER_RESOURCE_ACCESS`
`google.admin.AdminService.alertCenterUndeleteAlert`	`RESOURCE_DELETION`
`google.admin.AdminService.alertCenterUpdateAlert`	`RESOURCE_WRITTEN`
`google.admin.AdminService.alertCenterUpdateAlertMetadata`	`RESOURCE_WRITTEN`
`google.admin.AdminService.alertCenterUpdateCustomerSettings`	`RESOURCE_WRITTEN`
`google.admin.AdminService.alertCenterView`	`USER_RESOURCE_UPDATE_CONTENT`
`google.admin.AdminService.changeApplicationSetting`	`USER_RESOURCE_UPDATE_CONTENT`
`google.admin.AdminService.createApplicationSetting`	`USER_RESOURCE_CREATION`
`google.admin.AdminService.deleteApplicationSetting`	`RESOURCE_DELETION`
`google.admin.AdminService.reorderGroupBasedPoliciesEvent`	`USER_RESOURCE_UPDATE_CONTENT`
`google.admin.AdminService.gplusPremiumFeatures`	`USER_RESOURCE_UPDATE_CONTENT`
`google.admin.AdminService.createManagedConfiguration`	`USER_RESOURCE_CREATION`
`google.admin.AdminService.deleteManagedConfiguration`	`RESOURCE_DELETION`
`google.admin.AdminService.updateManagedConfiguration`	`RESOURCE_WRITTEN`
`google.admin.AdminService.flashlightEduNonFeaturedServicesSelected`	`USER_RESOURCE_UPDATE_CONTENT`
`google.admin.AdminService.createBuilding`	`USER_RESOURCE_CREATION`
`google.admin.AdminService.deleteBuilding`	`RESOURCE_DELETION`
`google.admin.AdminService.updateBuilding`	`RESOURCE_WRITTEN`
`google.admin.AdminService.createCalendarResource`	`USER_RESOURCE_CREATION`
`google.admin.AdminService.deleteCalendarResource`	`RESOURCE_DELETION`
`google.admin.AdminService.createCalendarResourceFeature`	`USER_RESOURCE_CREATION`
`google.admin.AdminService.deleteCalendarResourceFeature`	`RESOURCE_DELETION`
`google.admin.AdminService.updateCalendarResourceFeature`	`RESOURCE_WRITTEN`
`google.admin.AdminService.renameCalendarResource`	`USER_RESOURCE_UPDATE_CONTENT`
`google.admin.AdminService.updateCalendarResource`	`RESOURCE_WRITTEN`
`google.admin.AdminService.changeCalendarSetting`	`USER_RESOURCE_UPDATE_CONTENT`
`google.admin.AdminService.cancelCalendarEvents`	`USER_RESOURCE_UPDATE_CONTENT`
`google.admin.AdminService.releaseCalendarResources`	`USER_RESOURCE_UPDATE_CONTENT`
`google.admin.AdminService.meetInteropCreateGateway`	`USER_RESOURCE_CREATION`
`google.admin.AdminService.meetInteropDeleteGateway`	`RESOURCE_DELETION`
`google.admin.AdminService.meetInteropModifyGateway`	`USER_RESOURCE_UPDATE_CONTENT`
`google.admin.AdminService.changeChatSetting`	`USER_RESOURCE_UPDATE_CONTENT`
`google.admin.AdminService.changeChromeOsAndroidApplicationSetting`	`USER_RESOURCE_UPDATE_CONTENT`
`google.admin.AdminService.changeChromeOsApplicationSetting`	`USER_RESOURCE_UPDATE_CONTENT`
`google.admin.AdminService.sendChromeOsDeviceCommand`	`USER_RESOURCE_UPDATE_CONTENT`
`google.admin.AdminService.changeChromeOsDeviceAnnotation`	`USER_RESOURCE_UPDATE_CONTENT`
`google.admin.AdminService.changeChromeOsDeviceSetting`	`USER_RESOURCE_UPDATE_CONTENT`
`google.admin.AdminService.changeChromeOsDeviceState`	`USER_RESOURCE_UPDATE_CONTENT`
`google.admin.AdminService.changeChromeOsPublicSessionSetting`	`USER_RESOURCE_UPDATE_CONTENT`
`google.admin.AdminService.insertChromeOsPrinter`	`USER_RESOURCE_CREATION`
`google.admin.AdminService.deleteChromeOsPrinter`	`RESOURCE_DELETION`
`google.admin.AdminService.updateChromeOsPrinter`	`RESOURCE_WRITTEN`
`google.admin.AdminService.changeChromeOsSetting`	`USER_RESOURCE_UPDATE_CONTENT`
`google.admin.AdminService.changeChromeOsUserSetting`	`USER_RESOURCE_UPDATE_CONTENT`
`google.admin.AdminService.removeChromeOsApplicationSettings`	`RESOURCE_DELETION`
`google.admin.AdminService.changeContactsSetting`	`USER_RESOURCE_UPDATE_CONTENT`
`google.admin.AdminService.assignRole`	`USER_RESOURCE_UPDATE_PERMISSIONS`
`google.admin.AdminService.createRole`	`USER_RESOURCE_CREATION`
`google.admin.AdminService.deleteRole`	`RESOURCE_DELETION`
`google.admin.AdminService.addPrivilege`	`USER_RESOURCE_CREATION`
`google.admin.AdminService.removePrivilege`	`RESOURCE_DELETION`
`google.admin.AdminService.renameRole`	`USER_RESOURCE_UPDATE_CONTENT`
`google.admin.AdminService.updateRole`	`RESOURCE_WRITTEN`
`google.admin.AdminService.unassignRole`	`USER_RESOURCE_UPDATE_PERMISSIONS`
`google.admin.AdminService.deleteDevice`	`RESOURCE_DELETION`
`google.admin.AdminService.moveDeviceToOrgUnit`	`USER_RESOURCE_UPDATE_CONTENT`
`google.admin.AdminService.transferDocumentOwnership`	`USER_RESOURCE_UPDATE_CONTENT`
`google.admin.AdminService.driveDataRestore`	`USER_RESOURCE_UPDATE_CONTENT`
`google.admin.AdminService.changeDocsSetting`	`USER_RESOURCE_UPDATE_CONTENT`
`google.admin.AdminService.changeAccountAutoRenewal`	`USER_RESOURCE_UPDATE_CONTENT`
`google.admin.AdminService.addApplication`	`USER_RESOURCE_CREATION`
`google.admin.AdminService.addApplicationToWhitelist`	`USER_RESOURCE_CREATION`
`google.admin.AdminService.changeAdvertisementOption`	`USER_RESOURCE_UPDATE_CONTENT`
`google.admin.AdminService.createAlert`	`USER_RESOURCE_CREATION`
`google.admin.AdminService.changeAlertCriteria`	`USER_RESOURCE_UPDATE_CONTENT`
`google.admin.AdminService.deleteAlert`	`RESOURCE_DELETION`
`google.admin.AdminService.alertReceiversChanged`	`USER_RESOURCE_UPDATE_CONTENT`
`google.admin.AdminService.renameAlert`	`USER_RESOURCE_UPDATE_CONTENT`
`google.admin.AdminService.alertStatusChanged`	`USER_RESOURCE_UPDATE_CONTENT`
`google.admin.AdminService.addDomainAlias`	`USER_RESOURCE_CREATION`
`google.admin.AdminService.removeDomainAlias`	`RESOURCE_DELETION`
`google.admin.AdminService.skipDomainAliasMx`	`USER_RESOURCE_UPDATE_CONTENT`
`google.admin.AdminService.verifyDomainAliasMx`	`USER_RESOURCE_UPDATE_CONTENT`
`google.admin.AdminService.verifyDomainAlias`	`USER_RESOURCE_UPDATE_CONTENT`
`google.admin.AdminService.toggleOauthAccessToAllApis`	`USER_RESOURCE_UPDATE_CONTENT`
`google.admin.AdminService.toggleAllowAdminPasswordReset`	`USER_RESOURCE_UPDATE_CONTENT`
`google.admin.AdminService.enableApiAccess`	`USER_RESOURCE_UPDATE_CONTENT`
`google.admin.AdminService.authorizeApiClientAccess`	`USER_RESOURCE_UPDATE_CONTENT`
`google.admin.AdminService.removeApiClientAccess`	`RESOURCE_DELETION`
`google.admin.AdminService.chromeLicensesRedeemed`	`USER_RESOURCE_UPDATE_CONTENT`
`google.admin.AdminService.toggleAutoAddNewService`	`USER_RESOURCE_CREATION`
`google.admin.AdminService.changePrimaryDomain`	`USER_RESOURCE_UPDATE_CONTENT`
`google.admin.AdminService.changeWhitelistSetting`	`USER_RESOURCE_ACCESS`
`google.admin.AdminService.communicationPreferencesSettingChange`	`USER_RESOURCE_UPDATE_CONTENT`
`google.admin.AdminService.changeConflictAccountAction`	`USER_RESOURCE_UPDATE_CONTENT`
`google.admin.AdminService.enableFeedbackSolicitation`	`USER_RESOURCE_UPDATE_CONTENT`
`google.admin.AdminService.toggleContactSharing`	`USER_RESOURCE_UPDATE_CONTENT`
`google.admin.AdminService.createPlayForWorkToken`	`USER_RESOURCE_CREATION`
`google.admin.AdminService.toggleUseCustomLogo`	`USER_RESOURCE_UPDATE_CONTENT`
`google.admin.AdminService.changeCustomLogo`	`USER_RESOURCE_UPDATE_CONTENT`
`google.admin.AdminService.changeDataLocalizationForRussia`	`USER_RESOURCE_UPDATE_CONTENT`
`google.admin.AdminService.changeDataLocalizationSetting`	`USER_RESOURCE_UPDATE_CONTENT`
`google.admin.AdminService.changeDataProtectionOfficerContactInfo`	`USER_RESOURCE_UPDATE_CONTENT`
`google.admin.AdminService.deletePlayForWorkToken`	`RESOURCE_DELETION`
`google.admin.AdminService.viewDnsLoginDetails`	`USER_RESOURCE_UPDATE_CONTENT`
`google.admin.AdminService.changeDomainDefaultLocale`	`USER_RESOURCE_UPDATE_CONTENT`
`google.admin.AdminService.changeDomainDefaultTimezone`	`USER_RESOURCE_UPDATE_CONTENT`
`google.admin.AdminService.changeDomainName`	`USER_RESOURCE_UPDATE_CONTENT`
`google.admin.AdminService.toggleEnablePreReleaseFeatures`	`USER_RESOURCE_UPDATE_CONTENT`
`google.admin.AdminService.changeDomainSupportMessage`	`USER_RESOURCE_UPDATE_CONTENT`
`google.admin.AdminService.addTrustedDomains`	`USER_RESOURCE_CREATION`
`google.admin.AdminService.removeTrustedDomains`	`RESOURCE_DELETION`
`google.admin.AdminService.changeEduType`	`USER_RESOURCE_UPDATE_CONTENT`
`google.admin.AdminService.toggleEnableOauthConsumerKey`	`USER_RESOURCE_UPDATE_CONTENT`
`google.admin.AdminService.toggleSsoEnabled`	`USER_RESOURCE_UPDATE_CONTENT`
`google.admin.AdminService.toggleSsl`	`USER_RESOURCE_UPDATE_CONTENT`
`google.admin.AdminService.changeEuRepresentativeContactInfo`	`USER_RESOURCE_UPDATE_CONTENT`
`google.admin.AdminService.generateTransferToken`	`USER_RESOURCE_UPDATE_CONTENT`
`google.admin.AdminService.changeLoginBackgroundColor`	`USER_RESOURCE_UPDATE_CONTENT`
`google.admin.AdminService.changeLoginBorderColor`	`USER_RESOURCE_UPDATE_CONTENT`
`google.admin.AdminService.changeLoginActivityTrace`	`USER_RESOURCE_UPDATE_CONTENT`
`google.admin.AdminService.playForWorkEnroll`	`USER_RESOURCE_UPDATE_CONTENT`
`google.admin.AdminService.playForWorkUnenroll`	`USER_RESOURCE_UPDATE_CONTENT`
`google.admin.AdminService.mxRecordVerificationClaim`	`USER_RESOURCE_UPDATE_CONTENT`
`google.admin.AdminService.toggleNewAppFeatures`	`USER_RESOURCE_UPDATE_CONTENT`
`google.admin.AdminService.toggleUseNextGenControlPanel`	`USER_RESOURCE_UPDATE_CONTENT`
`google.admin.AdminService.uploadOauthCertificate`	`USER_RESOURCE_UPDATE_CONTENT`
`google.admin.AdminService.regenerateOauthConsumerSecret`	`USER_RESOURCE_UPDATE_CONTENT`
`google.admin.AdminService.toggleOpenIdEnabled`	`USER_RESOURCE_UPDATE_CONTENT`
`google.admin.AdminService.changeOrganizationName`	`USER_RESOURCE_UPDATE_CONTENT`
`google.admin.AdminService.toggleOutboundRelay`	`USER_RESOURCE_UPDATE_CONTENT`
`google.admin.AdminService.changePasswordMaxLength`	`USER_RESOURCE_UPDATE_CONTENT`
`google.admin.AdminService.changePasswordMinLength`	`USER_RESOURCE_UPDATE_CONTENT`
`google.admin.AdminService.updateDomainPrimaryAdminEmail`	`RESOURCE_WRITTEN`
`google.admin.AdminService.enableServiceOrFeatureNotifications`	`USER_RESOURCE_UPDATE_CONTENT`
`google.admin.AdminService.removeApplication`	`RESOURCE_DELETION`
`google.admin.AdminService.removeApplicationFromWhitelist`	`RESOURCE_DELETION`
`google.admin.AdminService.changeRenewDomainRegistration`	`USER_RESOURCE_UPDATE_CONTENT`
`google.admin.AdminService.changeResellerAccess`	`USER_RESOURCE_UPDATE_CONTENT`
`google.admin.AdminService.ruleActionsChanged`	`USER_RESOURCE_UPDATE_CONTENT`
`google.admin.AdminService.createRule`	`USER_RESOURCE_CREATION`
`google.admin.AdminService.changeRuleCriteria`	`USER_RESOURCE_UPDATE_CONTENT`
`google.admin.AdminService.deleteRule`	`RESOURCE_DELETION`
`google.admin.AdminService.renameRule`	`USER_RESOURCE_UPDATE_CONTENT`
`google.admin.AdminService.ruleStatusChanged`	`USER_RESOURCE_UPDATE_CONTENT`
`google.admin.AdminService.addSecondaryDomain`	`USER_RESOURCE_CREATION`
`google.admin.AdminService.removeSecondaryDomain`	`RESOURCE_DELETION`
`google.admin.AdminService.skipSecondaryDomainMx`	`USER_RESOURCE_UPDATE_CONTENT`
`google.admin.AdminService.verifySecondaryDomainMx`	`USER_RESOURCE_UPDATE_CONTENT`
`google.admin.AdminService.verifySecondaryDomain`	`USER_RESOURCE_UPDATE_CONTENT`
`google.admin.AdminService.updateDomainSecondaryEmail`	`RESOURCE_WRITTEN`
`google.admin.AdminService.changeSsoSettings`	`USER_RESOURCE_UPDATE_CONTENT`
`google.admin.AdminService.generatePin`	`USER_RESOURCE_UPDATE_CONTENT`
`google.admin.AdminService.updateRule`	`RESOURCE_WRITTEN`
`google.admin.AdminService.dropFromQuarantine`	`USER_RESOURCE_UPDATE_CONTENT`
`google.admin.AdminService.emailLogSearch`	`USER_RESOURCE_UPDATE_CONTENT`
`google.admin.AdminService.emailUndelete`	`RESOURCE_DELETION`
`google.admin.AdminService.changeEmailSetting`	`USER_RESOURCE_UPDATE_CONTENT`
`google.admin.AdminService.changeGmailSetting`	`USER_RESOURCE_UPDATE_CONTENT`
`google.admin.AdminService.createGmailSetting`	`USER_RESOURCE_CREATION`
`google.admin.AdminService.deleteGmailSetting`	`RESOURCE_DELETION`
`google.admin.AdminService.rejectFromQuarantine`	`USER_RESOURCE_UPDATE_CONTENT`
`google.admin.AdminService.releaseFromQuarantine`	`USER_RESOURCE_UPDATE_CONTENT`
`google.admin.AdminService.createGroup`	`USER_RESOURCE_CREATION`
`google.admin.AdminService.deleteGroup`	`RESOURCE_DELETION`
`google.admin.AdminService.changeGroupDescription`	`USER_RESOURCE_UPDATE_CONTENT`
`google.admin.AdminService.groupListDownload`	`USER_RESOURCE_ACCESS`
`google.admin.AdminService.addGroupMember`	`GROUP_MODIFICATION`
`google.admin.AdminService.removeGroupMember`	`RESOURCE_DELETION`
`google.admin.AdminService.updateGroupMember`	`RESOURCE_WRITTEN`
`google.admin.AdminService.updateGroupMemberDeliverySettings`	`RESOURCE_WRITTEN`
`google.admin.AdminService.updateGroupMemberDeliverySettingsCanEmailOverride`	`RESOURCE_WRITTEN`
`google.admin.AdminService.groupMemberBulkUpload`	`USER_RESOURCE_UPDATE_CONTENT`
`google.admin.AdminService.groupMembersDownload`	`USER_RESOURCE_UPDATE_CONTENT`
`google.admin.AdminService.changeGroupName`	`USER_RESOURCE_UPDATE_CONTENT`
`google.admin.AdminService.changeGroupSetting`	`USER_RESOURCE_UPDATE_CONTENT`
`google.admin.AdminService.whitelistedGroupsUpdated`	`RESOURCE_WRITTEN`
`google.admin.AdminService.securityInvestigationAction`	`USER_RESOURCE_UPDATE_CONTENT`
`google.admin.AdminService.securityInvestigationActionCancellation`	`USER_RESOURCE_UPDATE_CONTENT`
`google.admin.AdminService.securityInvestigationActionCompletion`	`USER_RESOURCE_UPDATE_CONTENT`
`google.admin.AdminService.securityInvestigationActionRetry`	`USER_RESOURCE_UPDATE_CONTENT`
`google.admin.AdminService.securityInvestigationActionVerificationConfirmation`	`USER_RESOURCE_UPDATE_CONTENT`
`google.admin.AdminService.securityInvestigationActionVerificationRequest`	`USER_RESOURCE_UPDATE_CONTENT`
`google.admin.AdminService.securityInvestigationActionVerificationRequestExpiration`	`USER_RESOURCE_UPDATE_CONTENT`
`google.admin.AdminService.securityInvestigationChartCreate`	`USER_RESOURCE_CREATION`
`google.admin.AdminService.securityInvestigationContentAccess`	`USER_RESOURCE_UPDATE_CONTENT`
`google.admin.AdminService.securityInvestigationDownloadAttachment`	`USER_RESOURCE_UPDATE_CONTENT`
`google.admin.AdminService.securityInvestigationExportActionResults`	`USER_RESOURCE_UPDATE_CONTENT`
`google.admin.AdminService.securityInvestigationExportQuery`	`USER_RESOURCE_UPDATE_CONTENT`
`google.admin.AdminService.securityInvestigationObjectCreateDraftInvestigation`	`USER_RESOURCE_CREATION`
`google.admin.AdminService.securityInvestigationObjectDeleteInvestigation`	`RESOURCE_DELETION`
`google.admin.AdminService.securityInvestigationObjectDuplicateInvestigation`	`USER_RESOURCE_UPDATE_CONTENT`
`google.admin.AdminService.securityInvestigationObjectOwnershipTransfer`	`USER_RESOURCE_UPDATE_CONTENT`
`google.admin.AdminService.securityInvestigationObjectSaveInvestigation`	`USER_RESOURCE_UPDATE_CONTENT`
`google.admin.AdminService.securityInvestigationObjectUpdateDirectSharing`	`RESOURCE_WRITTEN`
`google.admin.AdminService.securityInvestigationObjectUpdateLinkSharing`	`RESOURCE_WRITTEN`
`google.admin.AdminService.securityInvestigationQuery`	`USER_RESOURCE_UPDATE_CONTENT`
`google.admin.AdminService.securityInvestigationSettingUpdate`	`RESOURCE_WRITTEN`
`google.admin.AdminService.addToTrustedOauth2Apps`	`USER_RESOURCE_CREATION`
`google.admin.AdminService.allowAspWithout2Sv`	`USER_RESOURCE_UPDATE_CONTENT`
`google.admin.AdminService.allowServiceForOauth2Access`	`USER_RESOURCE_UPDATE_CONTENT`
`google.admin.AdminService.allowStrongAuthentication`	`USER_RESOURCE_UPDATE_CONTENT`
`google.admin.AdminService.blockOnDeviceAccess`	`USER_RESOURCE_UPDATE_CONTENT`
`google.admin.AdminService.changeAllowedTwoStepVerificationMethods`	`USER_RESOURCE_UPDATE_CONTENT`
`google.admin.AdminService.changeAppAccessSettingsCollectionId`	`USER_RESOURCE_UPDATE_CONTENT`
`google.admin.AdminService.changeCaaAppAssignments`	`USER_RESOURCE_UPDATE_CONTENT`
`google.admin.AdminService.changeCaaDefaultAssignments`	`USER_RESOURCE_UPDATE_CONTENT`
`google.admin.AdminService.changeCaaErrorMessage`	`USER_RESOURCE_UPDATE_CONTENT`
`google.admin.AdminService.changeSessionLength`	`USER_RESOURCE_UPDATE_CONTENT`
`google.admin.AdminService.changeTwoStepVerificationEnrollmentPeriodDuration`	`USER_RESOURCE_UPDATE_CONTENT`
`google.admin.AdminService.changeTwoStepVerificationFrequency`	`USER_RESOURCE_UPDATE_PERMISSIONS`
`google.admin.AdminService.changeTwoStepVerificationGracePeriodDuration`	`USER_RESOURCE_UPDATE_CONTENT`
`google.admin.AdminService.changeTwoStepVerificationStartDate`	`USER_RESOURCE_UPDATE_CONTENT`
`google.admin.AdminService.disallowServiceForOauth2Access`	`USER_RESOURCE_UPDATE_CONTENT`
`google.admin.AdminService.enableNonAdminUserPasswordRecovery`	`USER_RESOURCE_UPDATE_CONTENT`
`google.admin.AdminService.enforceStrongAuthentication`	`USER_RESOURCE_UPDATE_PERMISSIONS`
`google.admin.AdminService.removeFromTrustedOauth2Apps`	`RESOURCE_DELETION`
`google.admin.AdminService.sessionControlSettingsChange`	`USER_RESOURCE_UPDATE_CONTENT`
`google.admin.AdminService.toggleCaaEnablement`	`USER_RESOURCE_UPDATE_CONTENT`
`google.admin.AdminService.trustDomainOwnedOauth2Apps`	`USER_RESOURCE_UPDATE_CONTENT`
`google.admin.AdminService.unblockOnDeviceAccess`	`USER_RESOURCE_UPDATE_CONTENT`
`google.admin.AdminService.untrustDomainOwnedOauth2Apps`	`USER_RESOURCE_UPDATE_CONTENT`
`google.admin.AdminService.updateErrorMsgForRestrictedOauth2Apps`	`RESOURCE_WRITTEN`
`google.admin.AdminService.weakProgrammaticLoginSettingsChanged`	`USER_RESOURCE_UPDATE_CONTENT`
`google.admin.AdminService.delete2SvScratchCodes`	`RESOURCE_DELETION`
`google.admin.AdminService.generate2SvScratchCodes`	`USER_RESOURCE_UPDATE_CONTENT`
`google.admin.AdminService.revoke3LoDeviceTokens`	`USER_RESOURCE_UPDATE_CONTENT`
`google.admin.AdminService.revoke3LoToken`	`USER_RESOURCE_UPDATE_CONTENT`
`google.admin.AdminService.addRecoveryEmail`	`USER_RESOURCE_CREATION`
`google.admin.AdminService.addRecoveryPhone`	`USER_RESOURCE_CREATION`
`google.admin.AdminService.grantAdminPrivilege`	`USER_RESOURCE_UPDATE_CONTENT`
`google.admin.AdminService.revokeAdminPrivilege`	`USER_RESOURCE_UPDATE_CONTENT`
`google.admin.AdminService.revokeAsp`	`USER_RESOURCE_UPDATE_CONTENT`
`google.admin.AdminService.toggleAutomaticContactSharing`	`USER_RESOURCE_UPDATE_CONTENT`
`google.admin.AdminService.bulkUpload`	`USER_RESOURCE_UPDATE_CONTENT`
`google.admin.AdminService.bulkUploadNotificationSent`	`USER_RESOURCE_UPDATE_CONTENT`
`google.admin.AdminService.cancelUserInvite`	`USER_RESOURCE_UPDATE_CONTENT`
`google.admin.AdminService.changeUserCustomField`	`USER_RESOURCE_UPDATE_CONTENT`
`google.admin.AdminService.changeUserExternalId`	`USER_RESOURCE_UPDATE_CONTENT`
`google.admin.AdminService.changeUserGender`	`USER_RESOURCE_UPDATE_CONTENT`
`google.admin.AdminService.changeUserIm`	`USER_RESOURCE_UPDATE_CONTENT`
`google.admin.AdminService.enableUserIpWhitelist`	`USER_RESOURCE_UPDATE_CONTENT`
`google.admin.AdminService.changeUserKeyword`	`USER_RESOURCE_UPDATE_CONTENT`
`google.admin.AdminService.changeUserLanguage`	`USER_RESOURCE_UPDATE_CONTENT`
`google.admin.AdminService.changeUserLocation`	`USER_RESOURCE_UPDATE_CONTENT`
`google.admin.AdminService.changeUserOrganization`	`USER_RESOURCE_UPDATE_CONTENT`
`google.admin.AdminService.changeUserPhoneNumber`	`USER_RESOURCE_UPDATE_CONTENT`
`google.admin.AdminService.changeRecoveryEmail`	`USER_RESOURCE_UPDATE_CONTENT`
`google.admin.AdminService.changeRecoveryPhone`	`USER_RESOURCE_UPDATE_CONTENT`
`google.admin.AdminService.changeUserRelation`	`USER_RESOURCE_UPDATE_CONTENT`
`google.admin.AdminService.changeUserAddress`	`USER_RESOURCE_CREATION`
`google.admin.AdminService.createEmailMonitor`	`USER_RESOURCE_CREATION`
`google.admin.AdminService.createDataTransferRequest`	`USER_RESOURCE_CREATION`
`google.admin.AdminService.grantDelegatedAdminPrivileges`	`USER_RESOURCE_UPDATE_CONTENT`
`google.admin.AdminService.deleteAccountInfoDump`	`RESOURCE_DELETION`
`google.admin.AdminService.deleteEmailMonitor`	`RESOURCE_DELETION`
`google.admin.AdminService.deleteMailboxDump`	`RESOURCE_DELETION`
`google.admin.AdminService.changeFirstName`	`USER_RESOURCE_UPDATE_CONTENT`
`google.admin.AdminService.gmailResetUser`	`USER_RESOURCE_UPDATE_CONTENT`
`google.admin.AdminService.changeLastName`	`USER_RESOURCE_UPDATE_CONTENT`
`google.admin.AdminService.mailRoutingDestinationAdded`	`USER_RESOURCE_CREATION`
`google.admin.AdminService.mailRoutingDestinationRemoved`	`RESOURCE_DELETION`
`google.admin.AdminService.addNickname`	`USER_RESOURCE_CREATION`
`google.admin.AdminService.removeNickname`	`RESOURCE_DELETION`
`google.admin.AdminService.changePassword`	`USER_CHANGE_PASSWORD`
`google.admin.AdminService.changePasswordOnNextLogin`	`USER_CHANGE_PASSWORD`
`google.admin.AdminService.downloadPendingInvitesList`	`USER_RESOURCE_ACCESS`
`google.admin.AdminService.removeRecoveryEmail`	`RESOURCE_DELETION`
`google.admin.AdminService.removeRecoveryPhone`	`RESOURCE_DELETION`
`google.admin.AdminService.requestAccountInfo`	`USER_RESOURCE_UPDATE_CONTENT`
`google.admin.AdminService.requestMailboxDump`	`USER_RESOURCE_UPDATE_CONTENT`
`google.admin.AdminService.resendUserInvite`	`USER_RESOURCE_UPDATE_CONTENT`
`google.admin.AdminService.resetSigninCookies`	`USER_RESOURCE_UPDATE_CONTENT`
`google.admin.AdminService.securityKeyRegisteredForUser`	`USER_RESOURCE_UPDATE_CONTENT`
`google.admin.AdminService.revokeSecurityKey`	`USER_RESOURCE_UPDATE_CONTENT`
`google.admin.AdminService.userInvite`	`USER_RESOURCE_UPDATE_CONTENT`
`google.admin.AdminService.viewTempPassword`	`USER_RESOURCE_UPDATE_CONTENT`
`google.admin.AdminService.turnOff2StepVerification`	`USER_RESOURCE_UPDATE_CONTENT`
`google.admin.AdminService.unblockUserSession`	`USER_RESOURCE_UPDATE_CONTENT`
`google.admin.AdminService.unenrollUserFromTitanium`	`USER_RESOURCE_UPDATE_CONTENT`
`google.admin.AdminService.archiveUser`	`USER_RESOURCE_UPDATE_CONTENT`
`google.admin.AdminService.updateBirthdate`	`RESOURCE_WRITTEN`
`google.admin.AdminService.createUser`	`USER_CREATION`
`google.admin.AdminService.deleteUser`	`RESOURCE_DELETION`
`google.admin.AdminService.downgradeUserFromGplus`	`USER_RESOURCE_UPDATE_CONTENT`
`google.admin.AdminService.userEnrolledInTwoStepVerification`	`USER_RESOURCE_UPDATE_CONTENT`
`google.admin.AdminService.downloadUserlistCsv`	`USER_RESOURCE_ACCESS`
`google.admin.AdminService.moveUserToOrgUnit`	`USER_RESOURCE_UPDATE_CONTENT`
`google.admin.AdminService.userPutInTwoStepVerificationGracePeriod`	`USER_RESOURCE_UPDATE_CONTENT`
`google.admin.AdminService.renameUser`	`USER_RESOURCE_UPDATE_CONTENT`
`google.admin.AdminService.unenrollUserFromStrongAuth`	`USER_RESOURCE_UPDATE_CONTENT`
`google.admin.AdminService.suspendUser`	`USER_CHANGE_PERMISSIONS`
`google.admin.AdminService.unarchiveUser`	`USER_RESOURCE_UPDATE_CONTENT`
`google.admin.AdminService.undeleteUser`	`RESOURCE_DELETION`
`google.admin.AdminService.upgradeUserToGplus`	`USER_RESOURCE_UPDATE_CONTENT`
`google.admin.AdminService.usersBulkUpload`	`USER_RESOURCE_UPDATE_CONTENT`
`google.admin.AdminService.usersBulkUploadNotificationSent`	`USER_RESOURCE_UPDATE_CONTENT`
`google.admin.AdminService.createAccessLevelV2`	`USER_RESOURCE_CREATION`
`google.admin.AdminService.systemDefinedRuleUpdated`	`USER_RESOURCE_UPDATE_PERMISSIONS`
`google.admin.AdminService.createDeviceEnrollmentToken`	`USER_RESOURCE_CREATION`
`google.login.LoginService.2svDisable`	`STATUS_UPDATE`
`google.login.LoginService.2svEnroll`	`STATUS_UPDATE`
`google.login.LoginService.accountDisabledPasswordLeak`	`STATUS_UPDATE`
`google.login.LoginService.accountDisabledGeneric`	`USER_LOGIN`
`google.login.LoginService.accountDisabledSpammingThroughRelay`	`USER_LOGIN` Security category: `NETWORK_SUSPICIOUS`
`google.login.LoginService.accountDisabledSpamming`	`USER_LOGIN` Security category: `NETWORK_SUSPICIOUS`
`google.login.LoginService.accountDisabledHijacked`	`USER_LOGIN` Security category: `NETWORK_SUSPICIOUS`
`google.login.LoginService.emailForwardingOutOfDomain`	`EMAIL_TRANSACTION`
`google.login.LoginService.govAttackWarning`	`USER_LOGIN` Security category: `NETWORK_MALICIOUS`
`google.login.LoginService.loginChallenge`	`USER_LOGIN`
`google.login.LoginService.loginFailure`	`USER_LOGIN` Security category: `AUTH_VIOLATION`
`google.login.LoginService.loginVerification`	`USER_LOGIN`
`google.login.LoginService.logout`	`USER_LOGOUT`
`google.login.LoginService.loginSuccess`	`USER_LOGIN`
`google.login.LoginService.passwordEdit`	`USER_CHANGE_PASSWORD`
`google.login.LoginService.recoveryEmailEdit`	`USER_RESOURCE_UPDATE_CONTENT`
`google.login.LoginService.recoveryPhoneEdit`	`USER_RESOURCE_UPDATE_CONTENT`
`google.login.LoginService.recoverySecretQaEdit`	`USER_RESOURCE_UPDATE_CONTENT`
`google.login.LoginService.suspiciousLogin`	`USER_LOGIN` Security category: `ACL_VIOLATION`
`google.login.LoginService.suspiciousLoginLessSecureApp`	`USER_LOGIN` Security category: `ACL_VIOLATION`
`google.login.LoginService.suspiciousProgrammaticLogin`	`USER_LOGIN` Security category: `ACL_VIOLATION`
`google.login.LoginService.titaniumEnroll`	`USER_RESOURCE_UPDATE_CONTENT`
`google.login.LoginService.titaniumUnenroll`	`USER_RESOURCE_CREATION`
`google.identity.accesscontextmanager.v1.AccessContextManager.CreateAccessLevel`	`USER_RESOURCE_CREATION`
`google.apps.cloudidentity.groups.v1.MembershipsService.UpdateMembership`	`USER_RESOURCE_UPDATE_CONTENT`
`io.k8s.core.v1.pods.create`	`RESOURCE_CREATION`
`io.k8s.authorization.rbac.v1.clusterrolebindings.create`	`RESOURCE_CREATION`
`beta.compute.instanceTemplates.insert`	`RESOURCE_CREATION`
`SetOrgPolicy`	`USER_RESOURCE_UPDATE_PERMISSIONS`
`beta.compute.instanceGroupManagers.patch`	`RESOURCE_WRITTEN`
`beta.compute.autoscalers.update`	`RESOURCE_WRITTEN`
`compute.v1.InstancesService.Get`	`USER_RESOURCE_ACCESS`
`google.storage.objects.list`	`USER_RESOURCE_ACCESS`
`google.cloudresourcemanager.v1.Projects.SetIamPolicy`	`USER_RESOURCE_UPDATE_PERMISSIONS`
`cloudsql.instances.query`	`USER_RESOURCE_ACCESS`
`cloudtrace.googleapis.com/ListInsights`	`RESOURCE_READ`
`google.cloud.functions.v1.CloudFunctionsService.CreateFunction`	`RESOURCE_CREATION`
`google.api.servicemanagement.v1.ServiceManager.ActivateServices`	`USER_RESOURCE_UPDATE_CONTENT`
`google.admin.AdminService.changePassword`	`USER_CHANGE_PASSWORD`
`google.api.serviceusage.v1.ServiceUsage.DisableService`	`USER_RESOURCE_UPDATE_CONTENT`
`AuthorizeUser`	`USER_LOGIN`
`google.cloud.oslogin.v1.OsLoginService.CheckPolicy`	`USER_LOGIN`
`google.admin.AdminService.unsuspendUser`	`USER_CHANGE_PERMISSIONS`
`jobservice.jobcompleted`	`RESOURCE_WRITTEN`
`compute.v1.ProjectsService.Get`	`USER_RESOURCE_ACCESS`
`v1.compute.projects.setCommonInstanceMetadata`	`USER_RESOURCE_UPDATE_CONTENT`
`CreateCryptoKey`	`RESOURCE_CREATION`
`storage.buckets.get`	`RESOURCE_READ`
`google.longrunning.Operations.GetOperation`	`RESOURCE_READ`
`io.k8s.core.v1.pods.delete`	`RESOURCE_DELETION`
`v1.compute.disks.delete`	`RESOURCE_DELETION`
`v1.compute.disks.insert`	`RESOURCE_CREATION`
`ScheduledSnapshots`	`RESOURCE_WRITTEN`
`v1.compute.disks.setLabels`	`RESOURCE_WRITTEN`
`google.cloud.healthcare.v1alpha2.dataset.DatasetService.AccessEhrSearch`	`STATUS_UPDATE`
`io.k8s.apiextensions.v1.customresourcedefinitions.patch`	`RESOURCE_WRITTEN`
`io.k8s.post`	`USER_UNCATEGORIZED`
`v1.compute.instances.delete`	`RESOURCE_DELETION`
`storage.buckets.list`	`RESOURCE_READ`
`storage.objects.create`	`RESOURCE_CREATION`
`google.pubsub.v1.Publisher.CreateTopic`	`RESOURCE_CREATION`
`google.devtools.cloudbuild.v1.CloudBuild.ListBuilds`	`USER_RESOURCE_ACCESS`
`google.cloud.asset.v1.AssetService.UpdateFeed`	`USER_RESOURCE_UPDATE_PERMISSIONS`
`storage.objects.update`	`RESOURCE_WRITTEN`
`datasetservice.insert`	`USER_RESOURCE_CREATION`
`storage.setIamPermissions`	`USER_RESOURCE_UPDATE_PERMISSIONS`
`io.k8s.coordination.v1.leases.update`	`RESOURCE_WRITTEN`
`datasetservice.delete`	`USER_RESOURCE_DELETION`
`compute.instances.repair.recreateInstance`	`RESOURCE_CREATION`
`tableservice.delete`	`USER_RESOURCE_DELETION`
`io.k8s.core.v1.configmaps.update`	`RESOURCE_WRITTEN`
`io.k8s.core.v1.nodes.proxy.get`	`RESOURCE_READ`
`compute.instances.repair.deleteInstance`	`RESOURCE_DELETION`
`google.cloud.dataproc.v1.JobController.SubmitJob`	`RESOURCE_WRITTEN`
`google.cloud.dataproc.v1beta2.ClusterController.UpdateCluster`	`RESOURCE_WRITTEN`
`io.k8s.app.v1beta1.applications.update`	`RESOURCE_WRITTEN`
`io.gke.networking.v1beta1.managedcertificates.update`	`RESOURCE_WRITTEN`
`io.k8s.extensions.v1beta1.deployments.patch`	`RESOURCE_WRITTEN`
`compute.instanceGroupManagers.deleteInstances`	`RESOURCE_DELETION`
`io.k8s.authorization.rbac.v1.rolebindings.patch`	`RESOURCE_WRITTEN`
`google.admin.AdminService.toggleServiceEnabled`	`USER_UNCATEGORIZED`
`io.k8s.core.v1.services.proxy.get`	`RESOURCE_READ`
`google.datastore.v1.Datastore.RunQuery`	`STATUS_UPDATE`
`google.appengine.Datastore.Put`	`STATUS_UPDATE`
`google.cloud.securitycenter.settings.v1beta2.Settings.UpdateSecurityHealthAnalyticsSettings`	`RESOURCE_WRITTEN`
`v1.compute.securityPolicies.patchRule`	`RESOURCE_WRITTEN`
`beta.compute.images.setIamPolicy`	`USER_RESOURCE_UPDATE_PERMISSIONS`
`google.iam.v1.IAMPolicy.SetIamPolicy`	`USER_RESOURCE_UPDATE_PERMISSIONS`
`io.k8s.certificates.v1.certificatesigningrequests.create`	`RESOURCE_CREATION`
`io.k8s.core.v0.id.create`	`RESOURCE_CREATION`
`google.cloud.orgpolicy.v2.OrgPolicy.DeletePolicy`	`RESOURCE_WRITTEN`
`google.cloud.securitycenter.settings.v1beta2.Settings.UpdateEventThreatDetectionSettings`	`RESOURCE_DELETION`
`UpdateCryptoKeyVersion`	`RESOURCE_WRITTEN`
`google.apps.cloudidentity.groups.v1.GroupsService.UpdateGroup`	`RESOURCE_WRITTEN`
`v1`	`STATUS_UPDATE`
`google.cloud.run.v1.Services.ReplaceService`	`SERVICE_UNCATEGORIZED`
`updatePolicy`	`RESOURCE_WRITTEN`
`updateBackup`	`RESOURCE_WRITTEN`

Referenz für die Feldzuordnung: GCP_CLOUDAUDIT

In der folgenden Tabelle sind die Logfelder des Logtyps GCP_CLOUDAUDIT und ihre entsprechenden UDM-Feldern.

Logfeld	UDM-Zuordnung	Logik
`jsonPayload.accesses[].resourceName`	`about.resource.name`
`protoPayload.response.selfLink`	`about.url`
`protoPayload.metadata.event.eventName.parameter.name[login_challenge_method]`	`extensions.auth.auth_details`	Wenn der Wert des Logfelds `protoPayload.metadata.event.eventName` gleich `login_failure` oder `login_verification` oder `login_challenge` oder `login_success` ist und der Wert des Logfelds `protoPayload.metadata.event.eventName.parameter.name` gleich `login_challenge_method` ist, wird das Logfeld `protoPayload.metadata.event.eventName.parameter.value` dem UDM-Feld `extensions.auth.auth_details` zugeordnet.
	`extensions.auth.auth_mechanism`	Wenn `protoPayload.metadata.event.eventName` mit `login_failure`, `login_verification`, `login_challenge` oder `logic_success` übereinstimmt, hat das UDM-Feld `extensions.auth.auth_mechanism` folgende Werte: Legen Sie `MECHANISM_OTHER` fest, wenn die folgenden Bedingungen erfüllt sind: Der Wert im `protoPayload.metadata.event.eventName.parameter.name` ist gleich `is_second_factor`. `value protoPayload.metadata.event.eventName.parameter.value` ist nicht gleich `True`. Wird auf `USERNAME_PASSWORD` gesetzt, wenn folgende Bedingungen erfüllt sind: Der Wert in `protoPayload.metadata.event.eventName.parameter.name` entspricht `login_challenge_method` oder `login_type`. Der Wert `protoPayload.metadata.event.eventName.parameter.value` ist gleich `exchange` oder `password` oder `google_password` oder `saml`. Legen Sie `OTP` fest, wenn die folgenden Bedingungen erfüllt sind: Der Wert in `protoPayload.metadata.event.eventName.parameter.name` entspricht `login_challenge_method` oder `login_type`. `value protoPayload.metadata.event.eventName.parameter.value` ist gleich `backup_code` oder `google_authenticator` oder `idv_any_phone` oder `idv_preregistered_phone` oder `offline_otp` oder `security_key_otp`. Legen Sie `INTERACTIVE` fest, wenn eine der folgenden Bedingungen erfüllt ist: Der Wert in `protoPayload.metadata.event.eventName.parameter.name` ist `is_second_factor` und der Wert `protoPayload.metadata.event.eventName.parameter.value` ist `True`. Der Wert in `protoPayload.metadata.event.eventName.parameter.name` ist `login_challenge_method` oder `login_type` und der Wert `protoPayload.metadata.event.eventName.parameter.value` ist `internal_two_factor` oder `login_location`. Wird auf `MECHANISM_OTHER` gesetzt, wenn folgende Bedingungen erfüllt sind: Der Wert im `protoPayload.metadata.event.eventName.parameter.name` ist gleich `login_challenge_method` oder `login_type`. Der Wert `protoPayload.metadata.event.eventName.parameter.value` ist gleich `google_prompt` oder `knowledge_employee_id` oder `knowledge_preregistered_email` oder `knowledge_preregistered_phone or other`. Wird auf `HARDWARE_KEY` gesetzt, wenn folgende Bedingungen erfüllt sind: Der Wert im `protoPayload.metadata.event.eventName.parameter.name` ist gleich `login_challenge_method` oder `login_type`. Der Wert `protoPayload.metadata.event.eventName.parameter.value` ist gleich `security_key`. Wird auf `MECHANISM_UNSPECIFIED` gesetzt, wenn folgende Bedingungen erfüllt sind: Der Wert in `protoPayload.metadata.event.eventName.parameter.name` entspricht `login_challenge_method` oder `login_type`. Der Wert `protoPayload.metadata.event.eventName.parameter.value` ist gleich `reauth` oder `unknown`.
	`extensions.auth.type`	Wenn der Wert des `protoPayload.metadata.event.eventName`-Logfelds `login_failure`, `login_verification`, `login_challenge` oder `login_success` ist und der Wert des `protoPayload.metadata.event.eventName.parameter.name`-Logfelds `login_challenge_method` ist, wird das `extensions.auth.type`-UDM-Feld auf `MACHINE` gesetzt.
`protoPayload.response.vulnerability.shortDescription`	`extensions.vulns.vulnerabilities.cve_id`
`protoPayload.response.vulnerability.effectiveSeverity`	`extensions.vulns.vulnerabilities.severity`	Wenn der Wert des `protoPayload.response.vulnerability.effectiveSeverity`-Logfelds einen der folgenden Werte enthält, wird das `protoPayload.response.vulnerability.effectiveSeverity`-Logfeld dem UDM-Feld `extensions.vulns.vulnerabilities.severity` zugeordnet. `CRITICAL` `HIGH` `MEDIUM` `LOW`
`protoPayload.request.occurrence.vulnerability.shortDescription`	`extensions.vulns.vulnerabilities.cve_id`
`protoPayload.request.occurrence.vulnerability.effectiveSeverity`	`extensions.vulns.vulnerabilities.severity`	Wenn der Wert des Logfelds `protoPayload.request.occurrence.vulnerability.effectiveSeverity` einen der folgenden Werte enthält, wird das Logfeld `protoPayload.request.occurrence.vulnerability.effectiveSeverity` dem UDM-Feld `extensions.vulns.vulnerabilities.severity` zugeordnet. `CRITICAL` `HIGH` `MEDIUM` `LOW`
`protoPayload.request.occurrence.resourceUri`	`additional.fields[request_resourceuri]`
`protoPayload.request.spec.type`	`target.resource.attribute.labels[request_spec_type]`
`protoPayload.response.spec.type`	`target.resource.attribute.labels[response_spec_type]`
`protoPayload.request.spec.template.spec.shareProcessNamespace`	`target.resource.attribute.labels[req_spec_template_spec_share_process_namespace]`
`protoPayload.response.spec.template.spec.shareProcessNamespace`	`target.resource.attribute.labels[resp_spec_template_spec_share_process_namespace]`
`protoPayload.request.spec.jobTemplate.spec.template.spec.shareProcessNamespace`	`target.resource.attribute.labels[req_spec_jobtemplate_spec_template_spec_share_process_namespace]`
`protoPayload.request.spec.jobTemplate.spec.template.spec.restartPolicy`	`target.resource.attribute.labels[req_spec_jobtemplate_spec_template_spec_restart_policy]`
`protoPayload.request.spec.jobTemplate.spec.template.spec.containers.args`	`target.resource_ancestors.attribute.labels[req_spec_jobtemplate_spec_template_spec_container_arg_{index}]`
`protoPayload.request.spec.jobTemplate.spec.template.spec.containers.command`	`target.resource_ancestors.attribute.labels[req_spec_jobtemplate_spec_template_spec_container_command_{index}]`
`protoPayload.request.spec.jobTemplate.spec.template.spec.containers.image`	`target.resource_ancestors.attribute.labels[req_spec_jobtemplate_spec_template_spec_container_image]`
`protoPayload.request.spec.jobTemplate.spec.template.spec.containers.imagePullPolicy`	`target.resource_ancestors.attribute.labels[req_spec_jobtemplate_spec_template_spec_container_image_pull_policy]`
`protoPayload.request.spec.jobTemplate.spec.template.spec.containers.name`	`target.resource_ancestors.name`
`protoPayload.request.spec.jobTemplate.spec.template.spec.containers.resources.limits.cpu`	`target.resource_ancestors.attribute.labels[req_spec_jobtemplate_spec_template_spec_container_resource_limits_cpu]`
`protoPayload.request.spec.jobTemplate.spec.template.spec.containers.resources.limits.memory`	`target.resource_ancestors.attribute.labels[req_spec_jobtemplate_spec_template_spec_container_resource_limits_memory]`
`protoPayload.request.spec.jobTemplate.spec.template.spec.containers.resources.requests.cpu`	`target.resource_ancestors.attribute.labels[req_spec_jobtemplate_spec_template_spec_container_resource_request_cpu]`
`protoPayload.request.spec.jobTemplate.spec.template.spec.containers.resources.requests.memory`	`target.resource_ancestors.attribute.labels[req_spec_jobtemplate_spec_template_spec_container_resource_request_memory]`
`protoPayload.request.spec.jobTemplate.spec.template.spec.containers.securityContext.allowPrivilegeEscalation`	`target.resource_ancestors.attribute.labels[req_spec_jobtemplate_spec_template_spec_container_security_context_allow_privilege_escalation]`
`protoPayload.request.spec.jobTemplate.spec.template.spec.containers.securityContext.capabilities.drop`	`target.resource_ancestors.attribute.labels[req_spec_jobtemplate_spec_template_spec_container_security_context_capabilities_drop_{index}]`
`protoPayload.request.spec.jobTemplate.spec.template.spec.containers.securityContext.privileged`	`target.resource_ancestors.attribute.labels[req_spec_jobtemplate_spec_template_spec_container_security_context_privileged]`
`protoPayload.request.spec.jobTemplate.spec.template.spec.containers.securityContext.readOnlyRootFilesystem`	`target.resource_ancestors.attribute.labels[req_spec_jobtemplate_spec_template_spec_container_security_context_read_only_root_filesystem]`
`protoPayload.request.spec.jobTemplate.spec.template.spec.containers.terminationMessagePath`	`target.resource_ancestors.attribute.labels[req_spec_jobtemplate_spec_template_spec_container_termination_message_path]`
`protoPayload.request.spec.jobTemplate.spec.template.spec.containers.terminationMessagePolicy`	`target.resource_ancestors.attribute.labels[req_spec_jobtemplate_spec_template_spec_container_termination_message_policy]`
`protoPayload.request.spec.jobTemplate.spec.template.spec.containers.volumeMounts.mountPath`	`target.resource_ancestors.attribute.labels[req_spec_jobtemplate_spec_template_spec_container_volume_mounts_mount_path_{index}]`
`protoPayload.request.spec.jobTemplate.spec.template.spec.containers.volumeMounts.name`	`target.resource_ancestors.attribute.labels[req_spec_jobtemplate_spec_template_spec_container_volume_mounts_name_{index}]`
`protoPayload.request.spec.jobTemplate.spec.template.spec.containers.volumeMounts.readOnly`	`target.resource_ancestors.attribute.labels[req_spec_jobtemplate_spec_template_spec_container_volume_mounts_readonly_{index}]`
`protoPayload.metadata.event.eventName.parameter.name[GATEWAY_NAME]`	`intermediary.resource.name`
`receiveTimestamp`	`metadata.collected_timestamp`
`protoPayload.response.operationType`	`metadata.description`	Wenn der Wert des Logfelds `protoPayload.methodName` gleich `cloudsql.instances.create` ist, wird das Logfeld `protoPayload.response.operationType - protoPayload.response.kind` dem UDM-Feld `metadata.description` zugeordnet.
`protoPayload.response.kind`	`target.resource.attribute.labels[response_kind]`
`protoPayload.status.message`	`metadata.description`
`protoPayload.metadata.event.eventName.parameter.name[SETTING_DESCRIPTION]`	`metadata.description`
`timestamp`	`metadata.event_timestamp`
`protoPayload.methodName`	`metadata.product_event_type`
`resource.labels.method`	`metadata.product_event_type`
`jsonPayload.event_subtype`	`metadata.product_event_type`
`insertId`	`metadata.product_log_id`
`protoPayload.metadata.event.eventName.parameter.name[PRODUCT_NAME]`	`metadata.product_name`	Wenn der Wert des `protoPayload.serviceName`-Log-Felds mit dem regulären Ausdruck `(compute.googleapis.com)` übereinstimmt, wird das `metadata.product_name`-UDM-Feld auf `Google Compute Engine` festgelegt. Wenn der Wert des `protoPayload.serviceName`-Log-Felds mit dem regulären Ausdruck `(bigquery.googleapis.com)` übereinstimmt, wird das `metadata.product_name`-UDM-Feld auf `BigQuery` festgelegt. Wenn der Wert des `protoPayload.serviceName`-Log-Felds mit dem regulären Ausdruck `(admin.googleapis.com or login.googleapis.com or cloudidentity.googleapis.com)` übereinstimmt, wird das `metadata.product_name`-UDM-Feld auf `G Suite` festgelegt. Wenn der Wert des `protoPayload.serviceName`-Log-Felds mit dem regulären Ausdruck `(k8s.io)` übereinstimmt, wird das `metadata.product_name`-UDM-Feld auf `Google Kubernetes Engine` festgelegt. Wenn der Wert des `protoPayload.serviceName`-Log-Felds mit dem regulären Ausdruck `(servicemanagement.googleapis.com)` übereinstimmt, wird das `metadata.product_name`-UDM-Feld auf `Google Service Management` festgelegt. Wenn der Wert des `protoPayload.serviceName`-Log-Felds mit dem regulären Ausdruck `(storage.googleapis.com)` übereinstimmt, wird das `metadata.product_name`-UDM-Feld auf `Google Cloud Storage` festgelegt. Wenn der Wert des `protoPayload.serviceName`-Log-Felds mit dem regulären Ausdruck `(cloudsql.googleapis.com)` übereinstimmt, wird das `metadata.product_name`-UDM-Feld auf `Google Cloud SQL` festgelegt. Wenn der Wert des `protoPayload.serviceName`-Log-Felds mit dem regulären Ausdruck `(dataproc.googleapis.com)` übereinstimmt, wird das `metadata.product_name`-UDM-Feld auf `Google Dataproc` festgelegt. Wenn der Wert des `protoPayload.serviceName`-Log-Felds mit dem regulären Ausdruck `(iam.googleapis.com)` übereinstimmt, wird das `metadata.product_name`-UDM-Feld auf `Google Cloud IAM` festgelegt. Wenn der Wert des `protoPayload.serviceName`-Log-Felds mit dem regulären Ausdruck `(accesscontextmanager.googleapis.com)` übereinstimmt, wird das `metadata.product_name`-UDM-Feld auf `Context Manager API` festgelegt.
`logName`	`metadata.url_back_to_product`
`protoPayload.response.selfLinkWithId`	`metadata.url_back_to_product`
	`metadata.vendor_name`	Das UDM-Feld `metadata.vendor_name` ist auf `Google Cloud Platform` gesetzt.
`httpRequest.protocol`	`network.application_protocol`
`protoPayload.metadata.request_id`	`network.community_id`
`protoPayload.resourceOriginalState.direction`	`network.direction`
`protoPayload.request.direction`	`network.direction`
`protoPayload.metadata.event.eventName.parameter.name[EMAIL_LOG_SEARCH_SENDER]`	`network.email.from`
`protoPayload.metadata.event.eventName.parameter.name[EMAIL_LOG_SEARCH_MSG_ID]`	`network.email.mail_id`
`protoPayload.metadata.event.eventName.parameter.name[EMAIL_LOG_SEARCH_RECIPIENT]`	`network.email.to`
`httpRequest.requestMethod`	`network.http.method`
`protoPayload.requestMetadata.requestAttributes.method`	`network.http.method`
`httpRequest.referer`	`network.http.referral_url`
`protoPayload.requestMetadata.requestAttributes.path`	`network.http.referral_url`
`httpRequest.requestUrl`	`network.http.referral_url`
`protoPayload.resourceOriginalState.network`	`network.http.referral_url`
`httpRequest.status`	`network.http.response_code`
`protoPayload.response.error.code`	`network.http.response_code`
`protoPayload.status.code`	`security_result.detection_fields [status_code]`
`protoPayload.requestMetadata.callerSuppliedUserAgent`	`network.http.user_agent`	Wenn der Wert des `protoPayload.requestMetadata.callerSuppliedUserAgent`-Logfelds mit dem regulären Ausdruck `Group` übereinstimmt, wird das `protoPayload.requestMetadata.callerSuppliedUserAgent`-Logfeld dem UDM-Feld `principal.group.group_display_name` zugeordnet.
`httpRequest.userAgent`	`network.http.user_agent`
`protoPayload.resourceOriginalState.alloweds.IPProtocol`	`network.ip_protocol`
`protoPayload.requestMetadata.requestAttributes.protocol`	`network.ip_protocol`
`protoPayload.request.IPProtocol`	`network.ip_protocol`
`protoPayload.request.alloweds.IPProtocol`	`network.ip_protocol`
`jsonPayload.connection.protocol`	`network.ip_protocol`
`protoPayload.metadata.event.eventName.parameter.name[ORG_UNIT_NAME]`	`network.organization_name`
`httpRequest.responseSize`	`network.received_bytes`
`httpRequest.requestSize`	`network.sent_bytes`
`jsonPayload.bytes_sent`	`network.sent_bytes`
`protoPayload.requestMetadata.requestAttributes.id`	`network.session_id`
`ProtoPayload.authenticationInfo.serviceAccountDelegationInfo.firstPartyPrincipal.principalEmail`	`principal.email`
`jsonPayload.src_instance.vm_name`	`principal.hostname`
`protoPayload.requestMetadata.callerIp`	`principal.ip`
`protoPayload.metadata.event.eventName.parameter.name[EMAIL_LOG_SEARCH_SMTP_SENDER_IP]`	`principal.ip`
`jsonPayload.connection.src_ip`	`principal.ip`
`httpRequest.serverIp`	`principal.ip`
`resourceLocation.originalLocations`	`principal.location.name`
`jsonPayload.connection.nat_ip`	`principal.nat_ip`
`jsonPayload.connection.nat_port`	`principal.nat_port`
`jsonPayload.connection.src_port`	`principal.port`
`protoPayload.authorizationInfo.resource`	`principal.resource.name`	Wenn der Wert des Logfelds `protoPayload.authorizationInfo.resource` nicht leer ist, wird das Logfeld `protoPayload.authorizationInfo.resource` dem UDM-Feld `principal.resource.name` zugeordnet.
`protoPayload.authorizationInfo.resourceAttributes.name`	`principal.resource.name`	Wenn der Wert des Logfelds `protoPayload.authorizationInfo.resourceAttributes.name` nicht leer ist, wird das Logfeld `protoPayload.authorizationInfo.resourceAttributes.name` dem UDM-Feld `principal.resource.name` zugeordnet.
`protoPayload.authorizationInfo.permission`	`target.resource_ancestors.attribute.permissions.name`
`protoPayload.authorizationInfo.permissionType`	`target.resource_ancestors.attribute.permissions.type`
`protoPayload.authorizationInfo.resourceAttributes.service`	`target.resource_ancestors.attribute.labels[resource_attribute_service]`
`protoPayload.authorizationInfo.granted`	`target.resource_ancestors.attribute.labels[authorization_granted]`
`protoPayload.resourceOriginalState.name`	`principal.resource.name`
`protoPayload.authorizationInfo.resourceAttributes.type`	`principal.resource.resource_subtype`
	`principal.user.account_type`	Wenn der Wert des Logfelds `access.principalSubject` mit dem regulären Ausdruck `serviceAccount` übereinstimmt, wird das UDM-Feld `principal.user.account_type` auf `SERVICE_ACCOUNT_TYPE` gesetzt. Wenn der Wert des Logfelds `access.principalSubject` mit dem regulären Ausdruck `user` übereinstimmt, wird das UDM-Feld `principal.user.account_type` auf `CLOUD_ACCOUNT_TYPE` festgelegt.
`protoPayload.authorizationInfo.authorizationLoggingOptions.permissionType`	`principal.user.attribute.permissions.description`
`protoPayload.request.serviceAccounts[].scopes`	`principal.user.attribute.permissions.name`
`protoPayload.authorizationInfo.permission`	`principal.user.attribute.permissions.name`
`protoPayload.authorizationInfo.authorizationLoggingOptions.permissionType`	`principal.user.attribute.permissions.type`
`protoPayload.serviceData.policyDelta.bindingDeltas[].action`	`principal.user.attribute.roles.description`
`protoPayload.request.bindings.role`	`principal.user.attribute.roles.name`
`protoPayload.serviceData.policyDelta.bindingDeltas[].role`	`principal.user.attribute.roles.name`
`jsonPayload.location.principalEmployingEntity`	`principal.user.company_name`
`jsonPayload.location.principalOfficeCountry`	`principal.user.office_address.country_or_region`
`protoPayload.authenticationInfo.principalEmail`	`principal.user.userid`	Wenn der Wert des `protoPayload.authenticationInfo.principalEmail`-Logfelds nicht leer ist, wird `userid_auth` mithilfe eines Grok-Musters aus dem `protoPayload.authenticationInfo.principalEmail`-Logfeld extrahiert und dem UDM-Feld `principal.user.userid` zugeordnet.
`protoPayload.metadata.jobInsertion.job.jobConfig.queryConfig.query`	`additional.fields[job_insertion_query_org_id_{index}]`	Wenn der Wert des Logfelds `protoPayload.metadata.jobInsertion.job.jobConfig.queryConfig.query` nicht leer ist, wird `org_ids` mithilfe eines Grok-Musters aus dem `protoPayload.metadata.jobInsertion.job.jobConfig.queryConfig.query`-Logfeld extrahiert und dem UDM-Feld `additional.fields.job_insertion_query_org_id_{index}` zugeordnet.
`protoPayload.serviceData.jobInsertRequest.resource.jobConfiguration.query.query`	`additional.fields[job_insert_request_query_org_id_{index}]`	Wenn der Wert des Logfelds `protoPayload.serviceData.jobInsertRequest.resource.jobConfiguration.query.query` nicht leer ist, wird `org_ids` mithilfe eines Grok-Musters aus dem `protoPayload.serviceData.jobInsertRequest.resource.jobConfiguration.query.query`-Logfeld extrahiert und dem UDM-Feld `additional.fields.job_insert_request_query_org_id_{index}` zugeordnet.
`protoPayload.request.permissions`	`target.resource.attribute.labels.permission`
`protoPayload.metadata.event.eventName.parameter.value`	`principal.user.userid`	Wenn der Wert des Logfelds `protoPayload.metadata.event.eventName` gleich `CREATE_EMAIL_MONITOR` oder `CREATE_DATA_TRANSFER_REQUEST` ist: Wenn der Wert des `protoPayload.metadata.event.eventName.parameter.name`-Logfelds `USER_EMAIL` entspricht, wird `userid` mithilfe eines Grok-Musters aus dem `protoPayload.metadata.event.eventName.parameter.value`-Logfeld extrahiert und dem UDM-Feld `principal.user.userid` zugeordnet.
`protoPayload.authenticationInfo.authoritySelector`	`principal.user.userid`	Wenn der Wert des Logfelds `protoPayload.authenticationInfo.authoritySelector` nicht leer ist, wird `userid_selector` mithilfe eines Grok-Musters aus dem `protoPayload.authenticationInfo.authoritySelector`-Logfeld extrahiert und dem UDM-Feld `principal.user.userid` zugeordnet.
`jsonPayload.actor.user`	`principal.user.userid`	Wenn der Wert des Logfelds `jsonPayload.actor.user` nicht leer ist, wird `userid_actor` mithilfe eines Grok-Musters aus dem `jsonPayload.actor.user`-Logfeld extrahiert und dem UDM-Feld `principal.user.userid` zugeordnet.
`protoPayload.authenticationInfo.principalEmail`	`principal.user.email_addresses`	Wenn der Wert des Logfelds `protoPayload.authenticationInfo.principalEmail` nicht leer ist und der Wert des Logfelds `protoPayload.authenticationInfo.principalEmail` mit dem regulären Ausdruck `.@.` übereinstimmt, wird das Logfeld `protoPayload.authenticationInfo.principalEmail` dem UDM-Feld `principal.user.email_addresses` zugeordnet.
`protoPayload.metadata.event.eventName.parameter.value`	`principal.user.email_addresses`	`protoPayload.metadata.event.eventName.parameter.value` wird `principal.user.email_addresses` zugeordnet, wenn die folgenden Bedingungen erfüllt sind: Der Wert im Logfeld `protoPayload.metadata.event.eventName` ist gleich `CREATE_EMAIL_MONITOR` oder `CREATE_DATA_TRANSFER_REQUEST`. Der Wert im Logfeld `protoPayload.metadata.event.eventName.parameter.name` ist gleich `USER_EMAIL`. Der Wert im Logfeldwert `protoPayload.metadata.event.eventName.parameter.name` stimmt mit dem regulären Ausdruck `.@.` überein
`protoPayload.authenticationInfo.authoritySelector`	`principal.user.email_addresses`	Wenn der Wert des `protoPayload.authenticationInfo.authoritySelector`-Logfelds nicht leer ist und mit dem regulären Ausdruck `.@.` übereinstimmt, wird das `protoPayload.authenticationInfo.authoritySelector`-Logfeld dem `principal.user.email_addresses`-UDM-Feld zugeordnet.
`jsonPayload.actor.user`	`principal.user.email_addresses`	Wenn der Wert des Logfelds `jsonPayload.actor.user` nicht leer ist und der Wert des Logfelds `jsonPayload.actor.user` mit dem regulären Ausdruck `.@.` übereinstimmt, wird das Logfeld `jsonPayload.actor.user` dem UDM-Feld `principal.user.email_addresses` zugeordnet.
`protoPayload.metadata.event.eventName.parameter.name[login_challenge_status]`	`security_result.action`	`security_result.action` wird auf `ALLOW` gesetzt, wenn die folgenden Bedingungen erfüllt sind: Der Wert im `protoPayload.metadata.event.eventName`-Logfeld ist `login_challenge` oder `login_verification`. Der Wert im Logfeld `protoPayload.metadata.event.eventName.parameter.name` ist gleich `login_challenge_status`. Der Wert im Logfeld `protoPayload.metadata.event.parameter.value` ist gleich `Challenge Passed`. `security_result.action` wird auf `FAIL` gesetzt, wenn die folgenden Bedingungen erfüllt sind: Der Wert im Logfeld `protoPayload.metadata.event.eventName` ist gleich `login_challenge` oder `login_verification`. Der Wert im Logfeld `protoPayload.metadata.event.eventName.parameter.name` ist gleich `login_challenge_status`. Der Wert im `protoPayload.metadata.event.parameter.value`-Logfeld ist `Challenge Failed`.
`protoPayload.metadata.event.eventName.parameter.name[ACTION_TYPE]`	`security_result.action`	`security_result.action` wird auf `ALLOW` gesetzt, wenn die folgenden Bedingungen erfüllt sind: Der Wert im `protoPayload.metadata.event.eventName`-Logfeld ist `ACTION_CANCELLED` oder `ACTION_REQUESTED`. Der Wert im Logfeld `protoPayload.metadata.event.eventName.parameter.name` ist gleich `ACTION_TYPE`. Der Wert im `protoPayload.metadata.event.parameter.value`-Logfeld ist `ALLOW_ACCESS` oder `APPROVE`. `security_result.action` wird auf `BLOCK` gesetzt, wenn die folgenden Bedingungen erfüllt sind: Der Wert im Logfeld `protoPayload.metadata.event.eventName` ist gleich `ACTION_CANCELLED` oder `ACTION_REQUESTED`. Der Wert im Logfeld `protoPayload.metadata.event.eventName.parameter.name` ist gleich `ACTION_TYPE`. Der Wert im `protoPayload.metadata.event.parameter.value`-Logfeld ist `DISALLOW_ACCESS` oder `BLOCK`. Wenn der Wert des Logfelds `protoPayload.response.error.errors` nicht leer ist. `security_result.action` wird auf `ALLOW_WITH_MODIFICATION` gesetzt, wenn die folgenden Bedingungen erfüllt sind: Der Wert im Logfeld `protoPayload.metadata.event.eventName` ist gleich `ACTION_CANCELLED` oder `ACTION_REQUESTED`. Der Wert im Logfeld `protoPayload.metadata.event.eventName.parameter.name` ist gleich `ACTION_TYPE`. Der Wert im Logfeld `protoPayload.metadata.event.parameter.value` ist gleich `RESET_PIN` oder `REVOKE_TOKEN`. `security_result.action` wird auf `QUARANTINE` gesetzt, wenn die folgenden Bedingungen erfüllt sind: Der Wert im Logfeld `protoPayload.metadata.event.eventName` ist gleich `ACTION_CANCELLED` oder `ACTION_REQUESTED`. Der Wert im `protoPayload.metadata.event.eventName.parameter.name`-Logfeld ist `ACTION_TYPE`. Der Wert im `protoPayload.metadata.event.parameter.value`-Logfeld ist `LOCK_DEVICE`. `security_result.action` wird auf `QUARANTINE` gesetzt, wenn die folgenden Bedingungen erfüllt sind: Der Wert im Logfeld `protoPayload.metadata.event.eventName` ist gleich `ACTION_CANCELLED` oder `ACTION_REQUESTED`. Der Wert im `protoPayload.metadata.event.eventName.parameter.name`-Logfeld ist `ACTION_TYPE`. Der Wert im Logfeldwert `protoPayload.metadata.event.parameter.value` ist gleich `ACCOUNT_WIPE` oder `COLLECT_BUGREPORT` oder `DEVICE_WIPE` oder `LOCATE_DEVICE` oder `REMOVE_APP_FROM_DEVICE` oder `REMOVE_IOS_PROFILE` oder `RING_DEVICE` oder `SYNC_DEVICE` oder `UNKNOWN`.
	`security_result.action_details`	Wenn der Wert des `protoPayload.metadata.event.eventName`-Logfelds `login_challenge` oder `login_verification` ist und der Wert des `protoPayload.metadata.event.eventName.parameter.name`-Logfelds `login_challenge_status`, wird das `protoPayload.metadata.event.eventName.parameter.value`-Logfeld dem `security_result.action_details`-UDM-Feld zugeordnet. Wenn der Wert des `protoPayload.metadata.event.eventName`-Logfelds `ACTION_CANCELLED` oder `ACTION_REQUESTED` ist und der Wert des `protoPayload.metadata.event.eventName.parameter.name`-Logfelds `ACTION_TYPE`, wird das `protoPayload.metadata.event.eventName.parameter.value`-Logfeld dem `security_result.action_details`-UDM-Feld zugeordnet.
`protoPayload.metadata.event.eventName.parameter.name[is_suspicious]`	`security_result.category`	Wenn der Wert des Logfelds `protoPayload.metadata.event.eventName` gleich `login_success` ist und der Wert des Logfelds `protoPayload.metadata.event.eventName.parameter.name` gleich `is_suspicious` ist und der Wert des Logfelds `protoPayload.metadata.event.eventName.parameter.value` gleich `True` ist, wird das UDM-Feld `security_result.category` auf `NETWORK_SUSPICIOUS` festgelegt.
`logName`	`security_result.category_details`
`protoPayload.response.status`	`security_result.description`
`protoPayload.response.error.errors[].reason`	`security_result.description`
`protoPayload.metadata.tableCreation.reason`	`security_result.description`
`protoPayload.metadata.tableChange.reason`	`security_result.description`
`protoPayload.metadata.tableDeletion.reason`	`security_result.description`
`protoPayload.metadata.datasetCreation.reason`	`security_result.description`
`protoPayload.metadata.datasetDeletion.reason`	`security_result.description`
`protoPayload.policyViolationInfo.orgPolicyViolationInfo.violationInfo.errorMessage`	`security_result.description`
`protoPayload.status.message`	`security_result.description`
`protoPayload.request.status`	`security_result.description`
`jsonPayload.reason[].detail`	`security_result.description`
`protoPayload.response.status.state`	`security_result.description`
`protoPayload.response.status.conditions[].message`	`security_result.description`	Wenn der Wert des `message`-Logfelds mit dem regulären Ausdruck `response.status.conditions.*message` übereinstimmt, wird das `protoPayload.response.status.conditions.0.message`-Logfeld dem UDM-Feld `security_result.description` zugeordnet.
`protoPayload.resourceOriginalState.priority`	`security_result.priority_details`
`protoPayload.request.priority`	`security_result.priority_details`
`protoPayload.serviceData.jobGetQueryResultsResponse.job.jobConfiguration.query.queryPriority`	`security_result.priority_details`
`protoPayload.metadata.vpcServiceControlsUniqueId`	`security_result.rule_id`
`protoPayload.request.body.settings.activationPolicy`	`security_result.rule_name`
`protoPayload.request.policy`	`security_result.rule_name`
`protoPayload.metadata.violationReason`	`security_result.rule_name`
`protoPayload.policyViolationInfo.orgPolicyViolationInfo.violationInfo.policyType`	`security_result.rule_type`
`protoPayload.metadata.dryRun`	`security_result.rule_type`
`severity`	`security_result.severity`
	`security_result.severity_details`	`severityseverityseverityseverityseverityseverityCRITICALCRITICALsecurity_result.severitysecurity_result.severitysecurity_result.severitysecurity_result.severitysecurity_result.severitysecurity_result.severitysecurity_result.severity` `ERRORERRORALERTEMERGENCYHIGHINFONOTICEINFORMATIONALDEBUGLOWWARNINGMEDIUMUNKNOWN_SEVERITY`
`protoPayload.response.error.message`	`security_result.summary`
`protoPayload.response.error.errors[].message`	`security_result.summary`
`protoPayload.status.details.violations.description`	`security_result.summary`
`protoPayload.response.message`	`security_result.summary`
`protoPayload.request.description`	`security_result.summary`
`jsonPayload.reason[].type`	`security_result.summary`
`sourceLocation.file`	`src.file.full_path`
`protoPayload.serviceName`	`target.application`
`resource.labels.service`	`target.application`
`protoPayload.metadata.event.eventName.parameter.name[APPLICATION_NAME]`	`target.application`
`protoPayload.metadata.event.eventName.parameter.name[APP_NAME]`	`target.application`	Wenn der Wert des `protoPayload.metadata.event.eventName.parameter.name1`-Logfelds `APP_NAME` und der Wert des `protoPayload.metadata.event.eventName.parameter.name2`-Logfelds `APP_ID` ist, wird das `protoPayload.metadata.event.eventName.parameter.name2 - protoPayload.metadata.event.eventName.parameter.name1`-Logfeld dem `target.application`-UDM-Feld zugeordnet.
`protoPayload.metadata.event.eventName.parameter.name[APP_ID]`	`target.application`	Wenn der Wert des Logfelds `protoPayload.metadata.event.eventName.parameter.name1` gleich `APP_NAME` und der Wert des Logfelds `protoPayload.metadata.event.eventName.parameter.name2` gleich `APP_ID` ist, wird das Logfeld `protoPayload.metadata.event.eventName.parameter.name2 - protoPayload.metadata.event.eventName.parameter.name1` dem UDM-Feld `target.application` zugeordnet.
`protoPayload.metadata.event.eventName.parameter.name[SERVICE_NAME]`	`target.application`
`protoPayload.metadata.event.eventName.parameter.name[OAUTH2_SERVICE_NAME]`	`target.application`
`protoPayload.metadata.event.eventName.parameter.name[OAUTH2_APP_NAME]`	`target.application`	Wenn der Wert des `protoPayload.metadata.event.eventName.parameter.name1`-Logfelds `OAUTH2_APP_NAME` und der Wert des `protoPayload.metadata.event.eventName.parameter.name2`-Logfelds `OAUTH2_APP_ID` ist, wird das `protoPayload.metadata.event.eventName.parameter.name2 - protoPayload.metadata.event.eventName.parameter.name1`-Logfeld dem `target.application`-UDM-Feld zugeordnet.
`protoPayload.metadata.event.eventName.parameter.name[OAUTH2_APP_ID]`	`target.application`	Wenn der Wert des Logfelds `protoPayload.metadata.event.eventName.parameter.name1` gleich `OAUTH2_APP_NAME` und der Wert des Logfelds `protoPayload.metadata.event.eventName.parameter.name2` gleich `OAUTH2_APP_ID` ist, wird das Logfeld `protoPayload.metadata.event.eventName.parameter.name2 - protoPayload.metadata.event.eventName.parameter.name1` dem UDM-Feld `target.application` zugeordnet.
`protoPayload.metadata.event.eventName.parameter.name[REAUTH_APPLICATION, SITE_NAME]`	`target.application`
`jsonPayload.product`	`target.application`
`protoPayload.metadata.device_id`	`target.asset.asset_id`
`protoPayload.metadata.event.eventName.parameter.name[DEVICE_SERIAL_NUMBER]`	`target.asset.hardware.serial_number`
`protoPayload.metadata.event.eventName.parameter.name[PRINT_SERVER_NAME]`	`target.asset.hostname`
`protoPayload.metadata.event.eventName.parameter.name[PRINTER_NAME]`	`target.asset.hostname`
`protoPayload.request.instances.instance`	`target.asset.product_object_id`	Das `protoPayload.request.instances.instance`-Logfeld wird dem `target.asset.product_object_id`-UDM-Feld zugeordnet, wenn der Indexwert in `protoPayload.request.instances.instance` `0` entspricht. Bei jedem anderen Indexwert wird das `target.asset.labels.key`-UDM-Feld auf `request_instance` festgelegt und das `protoPayload.request.instances.instance`-Logfeld wird dem `target.asset.labels.value`-UDM-Feld zugeordnet.
`protoPayload.request.instance`	`target.asset.product_object_id`
`protoPayload.metadata.event.eventName.parameter.name[DEVICE_ID]`	`target.asset.product_object_id`
`protoPayload.metadata.event.eventName.parameter.name[COMPANY_DEVICE_ID]`	`target.asset.product_object_id`
	`target.asset.type`	Wenn der Wert des Logfelds `protoPayload.metadata.event.eventName.parameter.name` gleich `PRINTER_SERVER_NAME` ist, wird das UDM-Feld `target.asset.type` auf `SERVER` gesetzt. Wenn der Wert des Logfelds `protoPayload.metadata.event.eventName.parameter.name` gleich `PRINTER_NAME` ist, wird das UDM-Feld `target.asset.type` auf `PRINTER` festgelegt. Wenn der Wert des Logfelds `protoPayload.metadata.event.eventName.parameter.name` gleich `DEVICE_TYPE` ist, wird das UDM-Feld `target.asset.type` auf `ROLE_UNSPECIFIED` festgelegt.
`protoPayload.metadata.event.eventName.parameter.name[SITE_LOCATION]`	`target.file.full_path`
`protoPayload.metadata.event.eventName.parameter.name[PERMISSION_GROUP_NAME]`	`target.group.attribute.permissions.name`
`protoPayload.metadata.event.eventName.parameter.name[GROUP_EMAIL]`	`target.group.email_addresses`
`protoPayload.metadata.event.eventName.parameter.name[DOMAIN_NAME]`	`target.hostname`
`jsonPayload.dest_instance.vm_name`	`target.hostname`
`protoPayload.requestMetadata.requestAttributes.host`	`target.hostname`
`httpRequest.remoteIp`	`target.ip`
`protoPayload.requestMetadata.destinationAttributes.ip`	`target.ip`
`protoPayload.metadata.event.eventName.parameter.name[EMAIL_LOG_SEARCH_SMTP_RECIPIENT_IP]`	`target.ip`
`protoPayload.request.ip`	`target.ip`
`jsonPayload.connection.dest_ip`	`target.ip`
`resource.labels.region`	`target.location.country_or_region`
`protoPayload.response.region`	`target.location.country_or_region`
`protoPayload.request.body.region`	`target.location.country_or_region`
`protoPayload.request.region`	`target.location.country_or_region`
`resource.labels.region`	`target.location.country_or_region`
`jsonPayload.dest_location.country`	`target.location.country_or_region`
`jsonPayload.dest_location.continent`	`target.location.country_or_region`
`protoPayload.request.override.overrideValue`	`target.resource.attribute.labels[request_override_value]`
`protoPayload.response.overrideValue`	`target.resource.attribute.labels[response_override_value]`
`resource.labels.location`	`target.location.name`
`protoPayload.resourceOriginalState.alloweds.ports`	`target.port`
`protoPayload.requestMetadata.destinationAttributes.port`	`target.port`
`jsonPayload.connection.dest_port`	`target.port`
`protoPayload.metadata.tableCreation.table.view.query`	`target.process.command_line`
`protoPayload.metadata.jobInsertion.job.jobConfig.queryConfig.query`	`target.process.command_line`
`protoPayload.serviceData.jobQueryRequest.query`	`target.process.command_line`
`protoPayload.serviceData.tableInsertResponse.resource.view.query`	`target.process.command_line`
`protoPayload.metadata.jobChange.job.jobConfig.queryConfig.query`	`target.process.command_line`
`protoPayload.metadata.tableChange.jobName`	`target.process.pid`
`protoPayload.metadata.tableCreation.jobName`	`target.process.pid`
`protoPayload.request.networkInterfaces[].subnetwork`	`target.resource_ancestors.name`
`protoPayload.request.body.instanceUid`	`target.resource_ancestors.product_object_id`
`protoPayload.response.instanceUid`	`target.resource_ancestors.product_object_id`
`protoPayload.request.disk[].mode`	`target.resource_ancestors.attributes.permission.name`
`protoPayload.request.disk[].autoDelete`	`target.resource_ancestors.attributes.permission.name`
`protoPayload.response.project_id`	`target.resource_ancestors.id`
`protoPayload.response.targetProject`	`target.resource_ancestors.name`
`protoPayload.request.target`	`target.resource_ancestors.name`
`protoPayload.resourceName`	`target.resource_ancestors.name`	Wenn der Wert des Logfelds `protoPayload.methodName` mit dem regulären Ausdruck `(CreateServiceAccount, CreateWorkloadIdentityPool, CreateWorkloadIdentityPoolProvider, managedZones.create, changes.create, resourceRecordSets.create, responsePolicies.create, responsePolicyRules.create, policies.create, CreateRole, CreatePolicy, CreateServiceAccountKey, CreateWorkforcePool, CreateWorkforcePoolProvider)` übereinstimmt, wird das Logfeld `protoPayload.resourceName` dem UDM-Feld `target.resource_ancestors.name` zugeordnet.
`protoPayload.resource.role_name`	`target.resource_ancestors.name`
`protoPayload.request.parent`	`target.resource_ancestors.name`
`protoPayload.request.disks[].deviceName`	`target.resource_ancestors.name`
`protoPayload.request.network`	`target.resource_ancestors.name`
`resource.labels.project_id`	`target.cloud.project.name`
`resource.labels.project_id`	`target.resource_ancestors.name`
`protoPayload.request.disk[].type`	`target.resource_ancestors.resource_subtype`	Wenn der Wert des Logfelds `protoPayload.request.cluster.subnetwork` nicht leer ist, wird das UDM-Feld `target.resource_ancestors.resource_subtype` auf `subnetwork` festgelegt. Wenn der Wert des Logfelds `protoPayload.request.cluster.network` nicht leer ist, wird das UDM-Feld `target.resource_ancestors.resource_subtype` auf `network` festgelegt. Wenn der Wert des Logfelds `protoPayload.request.cluster.nodePools.name` nicht leer ist, wird das UDM-Feld `target.resource_ancestors.resource_subtype` auf `nodepool` gesetzt.
`resource.location`	`target.resource.attribute.cloud.availability_zone`
`resourceLocation.currentLocations`	`target.resource.attribute.cloud.availability_zone`
`resource.labels.zone`	`target.resource.attribute.cloud.availability_zone`
`protoPayload.request.body.settings.locationPreference.zone`	`target.resource.attribute.cloud.availability_zone`
`protoPayload.metadata.tableChange.table.createTime`	`target.resource.attribute.creation_time`
`protoPayload.metadata.tableCreation.table.createTime`	`target.resource.attribute.creation_time`
`protoPayload.resourceOriginalState.creationTimestamp`	`target.resource.attribute.creation_time`
`protoPayload.response.insertTime`	`target.resource.attribute.creation_time`
`protoPayload.metadata.tableChange.table.updateTime`	`target.resource.attribute.last_update_time`
`protoPayload.metadata.tableCreation.table.updateTime`	`target.resource.attribute.last_update_time`
`protoPayload.serviceData.policyDelta.auditConfigDeltas[].logType`	`target.resource.attribute.permissions.type`
`request.role.title`	`target.resource.attribute.roles.name`
`protoPayload.request.role.included_permissions[]`	`target.resource.attributes.permission.name`
`protoPayload.request.role.description`	`target.resource.attributes.roles.description`
`protoPayload.resource.labels.firewall_rule_id`	`target.resource.id`
`protoPayload.resourceName`	`target.resource.name`	Wenn der Wert des `protoPayload.resourceName`-Logfelds nicht leer ist, wird das `protoPayload.resourceName`-Logfeld dem `target.resource.name`-UDM-Feld zugeordnet.
`protoPayload.resource.labels.role_name`	`target.resource.name`	Wenn der Wert des `protoPayload.methodName`-Logfelds `google.iam.admin.v1.CreateRole` entspricht, wird das `protoPayload.resource.labels.role_name`-Logfeld dem `target.resource.name`-UDM-Feld zugeordnet.
`protoPayload.resource.role_name`	`target.resource.name`
`protoPayload.request.service_account.display_name`	`target.resource.name`
`protoPayload.request.workloadIdentityPool.displayName`	`target.resource.name`
`protoPayload.request.name`	`target.resource.name`	Wenn der Wert des `protoPayload.methodName`-Logfelds `beta.compute.instances.insert` entspricht, wird das `protoPayload.request.name`-Logfeld dem `target.resource.name`-UDM-Feld zugeordnet.
`protoPayload.request.cluster.name`	`target.resource.name`
`protoPayload.metadata.tableCreation.table.tableName`	`target.resource.name`
`protoPayload.metadata.datasetCreation.dataset.datasetName`	`target.resource.name`
`jsonPayload.accessApprovals[]`	`target.resource.name`
`jsonPayload.resource.name`	`target.resource.name`
`resource.labels.email_id`	`target.resource.name`	Wenn der Wert des `resource.labels.email_id`-Logfelds nicht leer ist, wird das `resource.labels.email_id`-Logfeld dem `target.resource.name`-UDM-Feld zugeordnet.
`protoPayload.request.accessLevel.title`	`target.resource.name`
`resource.discoveryName`	`target.resource.name`
`protoPayload.response.name`	`target.resource.name`
`protoPayload.request.name`	`target.resource.name`
`resource.labels.network_id`	`target.resource.name`
`request.cluster.name`	`target.resource.name`
`resource.labels.cluster_name`	`target.resource.name`
`protoPayload.metadata.tableChange.table.tableName`	`target.resource.name`
`resource.labels.function_name`	`target.resource.name`	Wenn der Wert des `resource.type`-Logfelds mit dem regulären Ausdruck `cloud_function` übereinstimmt, wird das `resource.labels.function_name`-Logfeld dem UDM-Feld `target.resource.name` zugeordnet.
`resource.parent`	`target.resource.parent`
`resource.labels.bucket_name`	`target.resource.parent`	Wenn der Wert des Logfelds `resource.type` gleich `gcs_bucket` ist, wird das Logfeld `resource.labels.bucket_name` dem UDM-Feld `target.resource.parent` zugeordnet.
`resource.labels.dataset_id`	`target.resource.product_object_id`
`resource.labels.instance_group_id`	`target.resource.product_object_id`
`resource.labels.subnetwork_id`	`target.resource.product_object_id`
`resource.labels.firewall_rule_id`	`target.resource.product_object_id`
`resource.labels.forwarding_rule_id`	`target.resource.product_object_id`
`resource.labels.network_id`	`target.resource.product_object_id`
`resource.labels.unique_id`	`target.resource.product_object_id`
`protoPayload.metadata.event.eventName.parameter.name[RESOURCE_IDENTIFIER]`	`target.resource.product_object_id`
`protoPayload.metadata.event.eventName.parameter.name[SHARED_DRIVE_ID]`	`target.resource.product_object_id`
`protoPayload.response.unique_id`	`target.resource.product_object_id`	Wenn der Wert des Logfelds `protoPayload.methodName` mit dem regulären Ausdruck `(CreateServiceAccount, CreateWorkloadIdentityPool, CreateWorkloadIdentityPoolProvider, managedZones.create, changes.create, resourceRecordSets.create, responsePolicies.create, responsePolicyRules.create, policies.create, CreateRole, CreatePolicy, CreateServiceAccountKey, CreateWorkforcePool, CreateWorkforcePoolProvider)` übereinstimmt, wird das Logfeld `protoPayload.response.unique_id` dem UDM-Feld `target.resource.product_object_Id` zugeordnet.
`protoPayload.request.account_id`	`target.resource.product_object_id`
`protoPayload.request.role_id`	`target.resource.product_object_id`	Wenn der Wert des `protoPayload.methodName`-Logfelds `google.iam.admin.v1.CreateRole` entspricht, wird das `protoPayload.request.role_id`-Logfeld dem `target.resource.product_object_id`-UDM-Feld zugeordnet.
`protoPayload.request.workloadIdentityPoolId`	`target.resource.product_object_id`
`jsonPayload.resource.id`	`target.resource.product_object_id`
`resource.labels.instance_id`	`target.resource.product_object_id`
`resource.data.uniqueId`	`target.resource.product_object_id`
`protoPayload.request.workloadIdentityPoolProviderId`	`target.resource.product_object_id`
`protoPayload.request.machineType`	`target.resource.resource_subtype`	Wenn der Wert des Logfelds `resource.type` mit dem regulären Ausdruck `gce_(autoscaler or instance_group) or gae_app"` übereinstimmt, wird das Rohlogfeld `resource.type` dem UDM-Feld `target.resource.resource_subtype` zugeordnet.
	`target.resource.resource_type`	Wenn der Wert des `resource.type`-Logfelds mit dem regulären Ausdruck `gce_(firewall or forwarding_rule) or network_security_policy` übereinstimmt, wird das `target.resource.resource_type`-UDM-Feld auf `FIREWALL_RULE` festgelegt und das `resource.type`-Log-Eingabefeld wird dem `target.resource.resource_subtype`-UDM-Feld zugeordnet. Andernfalls, wenn der Wert des `resource.type`-Logfelds mit dem regulären Ausdruck `gce_(subnetwork or network)` übereinstimmt, wird das `target.resource.resource_type`-UDM-Feld auf `VPC_NETWORK` festgelegt. Andernfalls, wenn der Wert des `resource.type`-Logfelds mit dem regulären Ausdruck `cloud_dataproc_(batch or session)` übereinstimmt, wird das `target.resource.resource_type`-UDM-Feld auf `TASK` festgelegt. Andernfalls, wenn der Wert des `resource.type`-Logfelds mit dem regulären Ausdruck `gce_backend_service` übereinstimmt, wird das `target.resource.resource_type`-UDM-Feld auf `BACKEND_SERVICE` festgelegt. Andernfalls, wenn der Wert des `resource.type`-Logfelds mit dem regulären Ausdruck `build` übereinstimmt, wird das `target.resource.resource_type`-UDM-Feld auf `TASK` festgelegt und das `resource.type`-Log-Eingabefeld wird dem `target.resource.resource_subtype`-UDM-Feld zugeordnet. Andernfalls, wenn der Wert des `resource.type`-Logfelds mit dem regulären Ausdruck `pubsub_topic` übereinstimmt, wird das `target.resource.resource_type`-UDM-Feld auf `PIPE` festgelegt und das `resource.type`-Log-Eingabefeld wird dem `target.resource.resource_subtype`-UDM-Feld zugeordnet. Andernfalls, wenn der Wert des `resource.type`-Logfelds mit dem regulären Ausdruck `cloudkms_cryptokey` übereinstimmt, wird das `target.resource.resource_type`-UDM-Feld auf `CREDENTIAL` festgelegt und das `resource.type`-Log-Eingabefeld wird dem `target.resource.resource_subtype`-UDM-Feld zugeordnet. Andernfalls, wenn der Wert des `resource.type`-Logfelds mit dem regulären Ausdruck `iam_role` übereinstimmt, wird das `target.resource.resource_type`-UDM-Feld auf `ACCESS_POLICY` festgelegt und das `resource.type`-Log-Eingabefeld wird dem `target.resource.resource_subtype`-UDM-Feld zugeordnet. Andernfalls, wenn der Wert des `resource.type`-Logfelds mit dem regulären Ausdruck `cloud_run_job` übereinstimmt, wird das `target.resource.resource_type`-UDM-Feld auf `TASK` festgelegt und das `resource.type`-Log-Eingabefeld wird dem `target.resource.resource_subtype`-UDM-Feld zugeordnet. Andernfalls, wenn der Wert des `resource.type`-Logfelds mit dem regulären Ausdruck `cloud_run_revision` übereinstimmt, wird das `target.resource.resource_type`-UDM-Feld auf `BACKEND_SERVICE` festgelegt und das `resource.type`-Log-Eingabefeld wird dem `target.resource.resource_subtype`-UDM-Feld zugeordnet. Andernfalls, wenn der Wert des `resource.type`-Logfelds mit dem regulären Ausdruck `gcs_bucket` übereinstimmt, wird das `target.resource.resource_type`-UDM-Feld auf `STORAGE_BUCKET` festgelegt. Andernfalls, wenn der Wert des `resource.type`-Logfelds mit dem regulären Ausdruck `bigquery\.googleapis\.com/SparkJob` übereinstimmt, wird das `target.resource.resource_type`-UDM-Feld auf `TASK` festgelegt. Andernfalls, wenn der Wert des `resource.type`-Logfelds mit dem regulären Ausdruck `bigquery_(biengine_model or dataset)` übereinstimmt, wird das `target.resource.resource_type`-UDM-Feld auf `DATASET` festgelegt. Andernfalls, wenn der Wert des `resource.type`-Logfelds mit dem regulären Ausdruck `bigquery_dts_config` übereinstimmt, wird das `target.resource.resource_type`-UDM-Feld auf `SETTING` festgelegt. Andernfalls, wenn der Wert des `resource.type`-Logfelds mit dem regulären Ausdruck `cloudsql or bigquery_project or bigquery_resource` übereinstimmt, wird das `target.resource.resource_type`-UDM-Feld auf `DATABASE` festgelegt. Andernfalls, wenn der Wert des `resource.type`-Logfelds mit dem regulären `identitytoolkit_project` `storage.googleapis.com/Project` `videostitcher.googleapis.com/Project` . Andernfalls, wenn der Wert des `resource.type`-Protokollfelds mit dem regulären Ausdruck `project` übereinstimmt, wird das `target.resource.resource_type`-UDM-Feld auf `CLOUD_PROJECT` festgelegt. Andernfalls, wenn der Wert des `resource.type`-Protokollfelds mit dem regulären Ausdruck `gke_` übereinstimmt, wird das `target.resource.resource_type`-UDM-Feld auf `CLUSTER` festgelegt. Andernfalls wird das `target.resource.resource_type`-UDM-Feld auf `UNSPECIFIED` festgelegt und das `resource.type`-Log-Feld wird dem `target.resource.resource_subtype`-UDM-Feld zugeordnet.
`protoPayload.response.targetLink`	`target.url`
`protoPayload.metadata.event.eventName.parameter.name[WEB_ADDRESS]`	`target.url`
`protoPayload.request.httpRequest.url`	`target.url`
`resource.discoveryDocumentUri`	`target.url`
`httpRequest.requestUrl`	`target.url`
`protoPayload.request.role.included_permissions[]`	`target.user.attribute.permissions.name`
`protoPayload.metadata.event.eventName.parameter.name[ROLE_ID]`	`target.user.attribute.roles.description`	Wenn der Wert des Logfelds `protoPayload.metadata.event.eventName.parameter.name` gleich `ROLE_ID` ist, wird das Logfeld `Role_ID - protoPayload.metadata.event.eventName.parameter.value` dem UDM-Feld `target.user.attribute.roles.description` zugeordnet.
`protoPayload.response.bindings[].role`	`target.user.attribute.roles.name`
`protoPayload.metadata.event.eventName.parameter.name[ROLE_NAME]`	`target.user.attribute.roles.name`
`protoPayload.request.serviceAccounts[].email`	`target.user.email_addresses`
`protoPayload.metadata.event.eventName.parameter.value`	`target.user.email_addresses`	Wenn das `protoPayload.metadata.event.eventName.parameter.value`-Log Feldwert ist nicht leer und `protoPayload.metadata.event.eventName` Logfeldwert ist gleich `USER_EMAIL` oder `EMAIL_MONITOR_DEST_EMAIL` oder `DESTINATION_USER_EMAIL`, dann `protoPayload.metadata.event.eventName.parameter.value` Logfeld dem UDM-Feld `target.user.email_addresses` zugeordnet ist.
`protoPayload.metadata.event.eventName.parameter.name[NEW_VALUE]`	`target.user.first_name`	Wenn der Wert des Logfelds `protoPayload.metadata.event.eventName` gleich FIRST_NAME ist und der Wert des Logfelds `protoPayload.metadata.event.eventName.parameter.name` gleich `NEW_VALUE` ist, wird das Logfeld `protoPayload.metadata.event.eventName.parameter.value` dem UDM-Feld `target.user.first_name` zugeordnet.
`protoPayload.request.personIdentifier.canonicalPersonId`	`target.user.group_identifiers`
`protoPayload.metadata.event.eventName.parameter.name[NEW_VALUE]`	`target.user.last_name`	Wenn der Wert des Logfelds `protoPayload.metadata.event.eventName` gleich LAST_NAME ist und der Wert des Logfelds `protoPayload.metadata.event.eventName.parameter.name` gleich `NEW_VALUE` ist, wird das Logfeld `protoPayload.metadata.event.eventName.parameter.value` dem UDM-Feld `target.user.last_name` zugeordnet.
`protoPayload.metadata.event.eventName.parameter.name[NEW_VALUE]`	`target.user.user_display_name`	Wenn der Wert des Logfelds `protoPayload.metadata.event.eventName` gleich RENAME_USER ist und der Wert des Logfelds `protoPayload.metadata.event.eventName.parameter.name` gleich `NEW_VALUE` ist, wird das Logfeld `protoPayload.metadata.event.eventName.parameter.value` dem UDM-Feld `target.user.user_display_name` zugeordnet.
`protoPayload.response.user`	`target.user.userid`
`protoPayload.metadata.event.eventName.parameter.name[USER_EMAIL]`	`target.user.userid`	Wenn der Wert des `protoPayload.metadata.event.eventName`-Logfelds `CREATE_EMAIL_MONITOR` oder `CREATE_DATA_TRANSFER_REQUEST` ist und der Wert des `protoPayload.metadata.event.eventName.parameter.name`-Logfelds `USER_EMAIL` ist, wird das `protoPayload.metadata.event.eventName.parameter.value`-Logfeld dem `principal.user.userid`-UDM-Feld zugeordnet. Andernfalls, wenn der Wert des `protoPayload.metadata.event.eventName.parameter.name`-Logfelds `USER_EMAIL` ist, wird das `protoPayload.metadata.event.eventName.parameter.value`-Logfeld dem `target.user.userid`-UDM-Feld zugeordnet.
`protoPayload.metadata.event.eventName.parameter.name[EMAIL_MONITOR_DEST_EMAIL]`	`target.user.userid`
`protoPayload.metadata.event.eventName.parameter.name[DESTINATION_USER_EMAIL]`	`target.user.userid`
`protoPayload.request.user`	`target.user.userid`
`protoPayload.serviceData.policyDelta.bindingDeltas[].member`	`target.user.userid`
`protoPayload.request.objects.db`	`about.labels [database_name]` (verworfen)
`jsonPayload.accesses[].methodName`	`about.labels [methodName]` (verworfen)
`protoPayload.request.objects.name`	`about.labels [objects_name]` (verworfen)
`protoPayload.metadata.event.eventName.parameter.name[API_CLIENT_NAME]`	`about.labels[api_client_name]` (verworfen)
`protoPayload.metadata.event.eventName.parameter.name[API_SCOPES]`	`about.labels[api_scopes]` (verworfen)
`protoPayload.metadata.event.eventName.parameter.name[BEGIN_DATE_TIME]`	`about.labels[begin_date_time]` (verworfen)
`protoPayload.metadata.event.eventName.parameter.name[BULK_UPLOAD_FAIL_USERS_NUMBER]`	`about.labels[bulk_upload_fail_users_number]` (verworfen)
`protoPayload.metadata.event.eventName.parameter.name[BULK_UPLOAD_TOTAL_USERS_NUMBER]`	`about.labels[bulk_upload_total_users_number]` (verworfen)
`protoPayload.metadata.event.eventName.parameter.name[CAA_ASSIGNMENTS_NEW]`	`about.labels[caa_assignments_new]` (verworfen)
`protoPayload.metadata.event.eventName.parameter.name[CAA_ASSIGNMENTS_OLD]`	`about.labels[caa_assignments_old]` (verworfen)
`protoPayload.metadata.event.eventName.parameter.name[CAA_ENFORCEMENT_ENDPOINTS_NEW]`	`about.labels[caa_enforcement_endpoints_new]` (verworfen)
`protoPayload.metadata.event.eventName.parameter.name[CAA_ENFORCEMENT_ENDPOINTS_OLD]`	`about.labels[caa_enforcement_endpoints_old]` (verworfen)
`protoPayload.requestMetadata.requestAttributes.size`	`about.labels[caller_network_request_size]` (verworfen)
`protoPayload.requestMetadata.requestAttributes.time`	`about.labels[caller_network_request_time]` (verworfen)
`protoPayload.requestMetadata.callerNetwork`	`about.labels[caller_network]` (verworfen)
`protoPayload.requestMetadata.requestAttributes.size`	`principal.labels[caller_network_request_size]` (verworfen)
`protoPayload.requestMetadata.requestAttributes.time`	`principal.labels[request_attributes_time]` (verworfen)
`protoPayload.requestMetadata.callerNetwork`	`principal.labels[caller_network]` (verworfen)
`protoPayload.metadata.event.eventName.parameter.name[CHROME_LICENSES_ENABLED]`	`about.labels[chrome_licenses_enabled]` (verworfen)
`protoPayload.metadata.event.eventName.parameter.name[END_DATE_TIME]`	`about.labels[end_date_time]` (verworfen)
`protoPayload.metadata.event.eventName.parameter.name[END_DATE]`	`about.labels[end_date]` (verworfen)
`protoType.metadata.event[].eventName`	`about.labels[event_name]` (verworfen)
`protoPayload.metadata.event.parameter[].label`	`about.labels[event_param_label]` (verworfen)
`protoPayload.metadata.event.parameter[].type`	`about.labels[event_param_type]` (verworfen)
`protoType.metadata.event[].eventType`	`about.labels[event_type]` (verworfen)
`protoPayload.metadata.event.eventName.parameter.name[FIELD_NAME]`	`about.labels[field_name]` (verworfen)
`protoPayload.metadata.event.eventName.parameter.name[FULL_ORG_UNIT_PATH]`	`about.labels[full_org_unit_path]` (verworfen)
`protoPayload.metadata.event.eventName.parameter.name[GROUP_MEMBER_BULK_UPLOAD_FAILED_NUMBER]`	`about.labels[grp_member_bulk_upload_failed]` (verworfen)
`protoPayload.metadata.event.eventName.parameter.name[GROUP_MEMBER_BULK_UPLOAD_TOTAL_NUMBER]`	`about.labels[grp_member_bulk_upload_total]` (verworfen)
`httpRequest.cacheFillBytes`	`about.labels[httpreq_cache_fill_bytes]` (verworfen)
`httpRequest.cacheHit`	`about.labels[httpreq_cache_hit]` (verworfen)
`httpRequest.cacheLookup`	`about.labels[httpreq_cache_lookup]` (verworfen)
`httpRequest.cacheValidatedWithOriginServer`	`about.labels[httpreq_cache_validated_with_origin_server]` (verworfen)
`httpRequest.latency`	`about.labels[httprequest_latency]` (verworfen)
`protoPayload.metadata.event.eventName.parameter.name[INFO_TYPE]`	`about.labels[info_type]` (verworfen)
`protoPayload.metadata.activityId.timeUsec`	`about.labels[metadata_activityId_time_usec]` (verworfen)
`protoPayload.metadata.activityId.uniqQualifier`	`about.labels[metadata_activityId_uniq_qualifier]` (verworfen)
`protoPayload.metadata.@type`	`about.labels[metadata_type]` (verworfen)
`protoPayload.metadata.event.eventName.parameter.name[NEW_PERMISSION_GRANT_STATE]`	`about.labels[new_permission_grant_state]` (verworfen)
`protoPayload.metadata.event.eventName.parameter.name[NUMBER_OF_COMPANY_OWNED_DEVICES]`	`about.labels[num_of_company_owned_device]` (verworfen)
`protoPayload.numResponseItems`	`about.labels[num_response_items]` (verworfen)
`protoPayload.metadata.event.eventName.parameter.name[OLD_PERMISSION_GRANT_STATE]`	`about.labels[old_permission_grant_state]` (verworfen)
`operation.first`	`about.labels[operation_first]` (verworfen)
`operation.id`	`about.labels[operation_id]` (verworfen)
`operation.last`	`about.labels[operation_last]` (verworfen)
`operation.producer`	`about.labels[operation_producer]` (verworfen)
`protoPayload.resourceOriginalState.selfLinkWithId`	`about.labels[rc_old_selflinkWithId]` (verworfen)
`protoPayload.metadata.event.eventName.parameter.name[REAUTH_SETTING_NEW]`	`about.labels[reauth_setting_new]` (verworfen)
`protoPayload.metadata.event.eventName.parameter.name[REAUTH_SETTING_OLD]`	`about.labels[reauth_setting_old]` (verworfen)
`protoPayload.request.alloweds[].ports`	`about.labels[req_alloweds_ports]` (verworfen)
`protoPayload.request.body.name`	`about.labels[req_body_name]` (verworfen)
`protoPayload.request.body.settings.activityPolicy`	`about.labels[req_body_settings_activity_policy]` (verworfen)
`protoPayload.request.deletionProtection`	`about.labels[req_deletion_protection]` (verworfen)
`protoPayload.request.disabled`	`about.labels[req_disabled]` (verworfen)
`protoPayload.request.displayDevice.enableDisplay`	`about.labels[req_display_device_enable_display]` (verworfen)
`protoPayload.request.enableFlowLogs`	`about.labels[req_enable_flow_logs]` (verworfen)
`protoPayload.request.fingerprint`	`about.labels[req_fingerprint]` (verworfen)
`protoPayload.request.shieldedInstanceConfig.enableSecureBoot`	`about.labels[req_instance_config_enable_secure_boot]` (verworfen)
`protoPayload.request.shieldedInstanceConfig.enableVtpm`	`about.labels[req_instance_config_enable_vtpm]` (verworfen)
`protoPayload.request.shieldedInstanceConfig.enableIntegrityMonitoring`	`about.labels[req_instance_enable_integrity_monitoring]` (verworfen)
`protoPayload.request.key_types[]`	`about.labels[req_key_types]` (verworfen)
`protoPayload.request.logconfig.enable`	`about.labels[req_logconfig_enable]` (verworfen)
`protoPayload.request.networkTier`	`about.labels[req_network_tier]` (verworfen)
`protoPayload.request.network`	`about.labels[req_network]` (verworfen)
`protoPayload.request.page_size`	`about.labels[req_page_size]` (verworfen)
`request.pagesize`	`about.labels[req_page_size]` (verworfen)
`protoPayload.request.policy.etag`	`about.labels[req_policy_etag]` (verworfen)
`protoPayload.request.portRange`	`about.labels[req_port_range]` (verworfen)
`protoPayload.request.privateIpGoogleAccess`	`about.labels[req_private_ip_google_access]` (verworfen)
`protoPayload.request.private_key_type`	`about.labels[req_private_key_type]` (verworfen)
`protoPayload.request.remove_deleted_service_accounts`	`about.labels[req_remove_deleted_serviceAcc]` (verworfen)
`protoPayload.request.showDeleted`	`about.labels[req_show_deleted]` (verworfen)
`protoPayload.request.skip_visibility_check`	`about.labels[req_skip_visibility_check]` (verworfen)
`protoPayload.request.stackType`	`about.labels[req_stack_type]` (verworfen)
`protoPayload.request.type`	`about.labels[req_type]` (verworfen)
`protoPayload.request.updateMask`	`about.labels[req_update_mask]` (verworfen)
`protoPayload.request.version`	`about.labels[req_version]` (verworfen)
`protoPayload.response.clientOperationId`	`about.labels[res_client_operation_id]` (verworfen)
`protoPayload.response.endTime`	`about.labels[res_end_time]` (verworfen)
`protoPayload.response.id`	`about.labels[res_id]` (verworfen)
`protoPayload.response.key_algorithm`	`about.labels[res_key_algorithm]` (verworfen)
`protoPayload.response.key_origin`	`about.labels[res_key_origin]` (verworfen)
`protoPayload.response.key_type`	`about.labels[res_key_type]` (verworfen)
`protoPayload.response.kind`	`about.labels[res_kind]` (verworfen)
`protoPayload.response.private_key_type`	`about.labels[res_private_key_type]` (verworfen)
`protoPayload.response.progress`	`about.labels[res_progress]` (verworfen)
`protoPayload.response.startTime`	`about.labels[res_start_time]` (verworfen)
`protoPayload.response.status`	`about.labels[res_status]` (verworfen)	Wenn der Wert des `protoPayload.methodName`-Logfelds `cloudsql.instances.create` entspricht, wird das `protoPayload.response.status`-Logfeld dem `security_result.description`-UDM-Feld zugeordnet.
`protoPayload.response.type`	`about.labels[res_type]` (verworfen)
`protoPayload.response.unique_id`	`about.labels[res_unique_id]` (verworfen)	Wenn der Wert des Logfelds `protoPayload.methodName` mit dem regulären Ausdruck `(CreateServiceAccount, CreateWorkloadIdentityPool, CreateWorkloadIdentityPoolProvider, managedZones.create, changes.create, resourceRecordSets.create, responsePolicies.create, responsePolicyRules.create, policies.create, CreateRole, CreatePolicy, CreateServiceAccountKey, CreateWorkforcePool, CreateWorkforcePoolProvider)` übereinstimmt, wird das Logfeld `protoPayload.response.unique_id` dem UDM-Feld `target.resource.product_object_id` zugeordnet.
`protoPayload.response.valid_after_time.seconds`	`about.labels[res_valid_after_time]` (verworfen)
`protoPayload.response.valid_before_time.seconds`	`about.labels[res_valid_before_time]` (verworfen)
`protoPayload.response.version`	`about.labels[res_version]` (verworfen)
`protoPayload.response.zone`	`about.labels[res_zone]` (verworfen)
`protoPayload.metadata.event.eventName.parameter.name[SEARCH_QUERY_FOR_DUMP]`	`about.labels[search_query_for_dump]` (verworfen)
`spanId`	`about.labels[span_id]` (verworfen)
`protoPayload.metadata.event.eventName.parameter.name[START_DATE]`	`about.labels[start_date]` (verworfen)
`traceSampled`	`about.labels[trace_sampled]` (verworfen)
`Trace`	`about.labels[trace]` (verworfen)
`protoPayload.@type`	`about.labels[type]` (verworfen)
`protoPayload.metadata.instanceMetadataDelta.addedMetadataKeys`	`metadata.ingestion_labels [instance_metadata_key_added]`
`protoPayload.metadata.instanceMetadataDelta.deletedMetadataKeys`	`metadata.ingestion_labels [instance_metadata_key_deletion]`
`protoPayload.metadata.instanceMetadataDelta.modifiedMetadataKeys`	`metadata.ingestion_labels [instance_metadata_key_modification]`
`protoPayload.metadata.projectMetadataDelta.addedMetadataKeys`	`metadata.ingestion_labels [AddedMetadataKeys]`
`protoPayload.metadata.projectMetadataDelta.deletedMetadataKeys`	`metadata.ingestion_labels [DeletedMetadataKeys]`
`protoPayload.metadata.projectMetadataDelta.modifiedMetadataKeys`	`metadata.ingestion_labels [ModifiedMetadataKeys]`
`protoPayload.redactions.reason`	`principal.labels [protoPayload.redactions.field]` (verworfen)
`protoPayload.redactions.type`	`principal.labels [protoPayload.redactions.field]` (verworfen)
`authenticationInfo.serviceAccountDelegationInfo.firstPartyPrincipal.serviceMetadata`	`principal.labels [service_metadata]` (verworfen)
`jsonPayload.sourceNetwork`	`principal.labels [source_network]` (verworfen)
`authenticationInfo.serviceAccountDelegationInfo.thirdPartyPrincipal.thirdPartyClaims`	`principal.labels [third_party_claims]` (verworfen)
`protoPayload.requestMetadata.requestAttributes.time`	`principal.labels[caller_network_request_time]` (verworfen)
`protoPayload.request.description`	`principal.labels[req_description]` (verworfen)
`protoPayload.request.ipCidrRange`	`principal.labels[req_ip_cidr_range]` (verworfen)
`protoPayload.request.sourceRanges[]`	`principal.labels[req_source_ranges]` (verworfen)
`protoPayload.requestMetadata.requestAttributes.reason`	`principal.labels[request_attributes_reason]` (verworfen)
`protoPayload.authenticationInfo.thirdPartyPrincipal`	`principal.labels[third_party_principal]` (verworfen)
`protoPayload.metadata.jobChange.after`	`target.resource_ancestors.attribute.labels[jobchange_after]`
`protoPayload.metadata.jobChange.before`	`target.resource_ancestors.attribute.labels[jobchange_before]`
`protoPayload.metadata.jobChange.job.jobConfig.queryConfig.query`	`target.resource_ancestors.attribute.labels[jobchange_jobconfig_queryconfig_query]`
`protoPayload.metadata.jobChange.job.jobConfig.queryConfig.createDisposition`	`target.resource_ancestors.attribute.labels[jobchange_jobconfig_queryconfig_createdisposition]`
`protoPayload.metadata.jobChange.job.jobConfig.queryConfig.destinationTable`	`target.resource_ancestors.attribute.labels[jobchange_jobconfig_queryconfig_destinationtable]`
`protoPayload.metadata.jobChange.job.jobConfig.queryConfig.priority`	`target.resource_ancestors.attribute.labels[jobchange_jobconfig_queryconfig_priority]`
`protoPayload.metadata.jobChange.job.jobConfig.queryConfig.writeDisposition`	`target.resource_ancestors.attribute.labels[jobchange_jobconfig_queryconfig_writedisposition]`
`protoPayload.metadata.jobChange.job.jobConfig.tableCopyConfig.createDisposition`	`target.resource_ancestors.attribute.labels[jobchange_jobconfig_tablecopyconfig_createdisposition]`
`protoPayload.metadata.jobChange.job.jobConfig.tableCopyConfig.destinationTable`	`target.resource_ancestors.attribute.labels[jobchange_jobconfig_tablecopyconfig_destinationtable]`
`protoPayload.metadata.jobChange.job.jobConfig.tableCopyConfig.operationType`	`target.resource_ancestors.attribute.labels[jobchange_jobconfig_tablecopyconfig_operationtype]`
`protoPayload.metadata.jobChange.job.jobConfig.tableCopyConfig.writeDisposition`	`target.resource_ancestors.attribute.labels[jobchange_jobconfig_tablecopyconfig_writedisposition]`
`protoPayload.metadata.jobChange.job.jobConfig.type`	`target.resource_ancestors.attribute.labels[jobchange_jobconfig_type]`
`protoPayload.metadata.jobChange.job.jobName`	`target.resource_ancestors.name`
`protoPayload.metadata.jobChange.job.jobStats.createTime`	`target.resource_ancestors.attribute.creation_time`
`protoPayload.metadata.jobChange.job.jobStats.endTime`	`target.resource_ancestors.attribute.labels[jobchange_jobstats_endtime]`
`protoPayload.metadata.jobChange.job.jobStats.queryStats`	`target.resource_ancestors.attribute.labels[jobchange_jobstats_querystats]`
`protoPayload.metadata.jobChange.job.jobStats.reservation`	`target.resource_ancestors.attribute.labels[jobchange_jobstats_reservation]`
`protoPayload.metadata.jobChange.job.jobStats.startTime`	`target.resource_ancestors.attribute.labels[jobchange_jobstats_starttime]`
`protoPayload.metadata.jobChange.job.jobStatus.errorResult.code`	`security_result.detection_fields[jobchange_jobstatus_errorresult_code]`
`protoPayload.metadata.jobChange.job.jobStatus.errorResult.message`	`security_result.detection_fields[jobchange_jobstatus_errorresult_message]`
`protoPayload.metadata.jobChange.job.jobStatus.jobState`	`target.resource_ancestors.attribute.labels[jobstatus_jobstate]`
`protoPayload.metadata.jobChange.job.jobConfig.tableCopyConfig.sourceTables`	`target.resource_ancestors.attribute.labels[jobchange_jobconfig_tablecopyconfig_sourcetables]`
`protoPayload.metadata.jobChange.job.jobStatus.errors.code`	`security_result.detection_fields[jobchange_jobstatus_errors_code]`
`protoPayload.metadata.jobChange.job.jobStatus.errors.message`	`security_result.detection_fields[jobchange_jobstatus_errors_message]`
`protoPayload.metadata.jobChange.job.jobConfig.extractConfig.sourceTable`	`target.resource_ancestors.attribute.labels[jobchange_jobconfig_extractconfig_sourcetable]`
`protoPayload.metadata.jobChange.job.jobConfig.extractConfig.destinationUris`	`target.resource_ancestors.attribute.labels[jobchange_jobconfig_extractconfig_destinationuris]`
`protoPayload.metadata.jobInsertion.job.jobConfig.queryConfig.query`	`target.resource_ancestors.attribute.labels[jobinsertion_jobconfig_queryconfig_query]`
`protoPayload.metadata.jobInsertion.job.jobConfig.queryConfig.createDisposition`	`target.resource_ancestors.attribute.labels[jobinsertion_jobconfig_queryconfig_createdisposition]`
`protoPayload.metadata.jobInsertion.job.jobConfig.queryConfig.destinationTable`	`target.resource_ancestors.attribute.labels[jobinsertion_jobconfig_queryconfig_destinationtable]`
`protoPayload.metadata.jobInsertion.job.jobConfig.queryConfig.priority`	`target.resource_ancestors.attribute.labels[jobinsertion_jobconfig_queryconfig_priority]`
`protoPayload.metadata.jobInsertion.job.jobConfig.queryConfig.writeDisposition`	`target.resource_ancestors.attribute.labels[jobinsertion_jobconfig_queryconfig_writedisposition]`
`protoPayload.metadata.jobInsertion.job.jobConfig.tableCopyConfig.createDisposition`	`target.resource_ancestors.attribute.labels[jobinsertion_jobconfig_tablecopyconfig_createdisposition]`
`protoPayload.metadata.jobInsertion.job.jobConfig.tableCopyConfig.destinationTable`	`target.resource_ancestors.attribute.labels[jobinsertion_jobconfig_tablecopyconfig_destinationtable]`
`protoPayload.metadata.jobInsertion.job.jobConfig.tableCopyConfig.operationType`	`target.resource_ancestors.attribute.labels[jobinsertion_jobconfig_tablecopyconfig_operationtype]`
`protoPayload.metadata.jobInsertion.job.jobConfig.tableCopyConfig.writeDisposition`	`target.resource_ancestors.attribute.labels[jobinsertion_jobconfig_tablecopyconfig_writedisposition]`
`protoPayload.metadata.jobInsertion.job.jobConfig.type`	`target.resource_ancestors.attribute.labels[jobinsertion_jobconfig_type]`
`protoPayload.metadata.jobInsertion.job.jobName`	`target.resource_ancestors.name`
`protoPayload.metadata.jobInsertion.job.jobStats.createTime`	`target.resource_ancestors.attribute.creation_time`
`protoPayload.metadata.jobInsertion.job.jobStats.reservation`	`target.resource_ancestors.attribute.labels[jobinsertion_jobstats_reservation]`
`protoPayload.metadata.jobInsertion.job.jobStats.queryStats`	`target.resource_ancestors.attribute.labels[jobinsertion_jobstats_querystats]`
`protoPayload.metadata.jobInsertion.job.jobStats.startTime`	`target.resource_ancestors.attribute.labels[jobinsertion_jobstats_starttime]`
`protoPayload.metadata.jobInsertion.job.jobStats.endTime`	`target.resource_ancestors.attribute.labels[jobinsertion_jobstats_endtime]`
`protoPayload.metadata.jobInsertion.job.jobStatus.errorResult.code`	`security_result.detection_fields[jobinsertion_jobstatus_errorresult_code]`
`protoPayload.metadata.jobInsertion.job.jobStatus.errorResult.message`	`security_result.detection_fields[jobinsertion_jobstatus_errorresult_message]`
`protoPayload.metadata.jobInsertion.job.jobStatus.jobState`	`target.resource_ancestors.attribute.labels[jobinsertion_jobstatus_jobstate]`
`protoPayload.metadata.jobInsertion.reason`	`target.resource_ancestors.attribute.labels[jobinsertion_reason]`
`protoPayload.metadata.jobInsertion.job.jobConfig.tableCopyConfig.sourceTables`	`target.resource_ancestors.attribute.labels[jobinsertion_jobconfig_tablecopyconfig_sourcetables]`
`protoPayload.metadata.jobInsertion.job.jobStatus.errors.code`	`security_result.detection_fields[jobinsertion_jobstatus_errors_code]`
`protoPayload.metadata.jobInsertion.job.jobStatus.errors.message`	`security_result.detection_fields[jobinsertion_jobstatus_errors_message]`
`protoPayload.metadata.jobInsertion.job.jobConfig.extractConfig.sourceTable`	`target.resource_ancestors.attribute.labels[jobinsertion_jobconfig_extractconfig_sourcetable]`
`protoPayload.metadata.jobInsertion.job.jobConfig.extractConfig.destinationUris`	`target.resource_ancestors.attribute.labels[jobinsertion_jobconfig_extractconfig_destinationuris]`
`protoPayload.response.buildConfig.entryPoint`	`target.resource.attribute.labels[buildconfig_entrypoint]`
`protoPayload.request.member`	`target.user.email_addresses`
`protoPayload.request.email`	`target.user.email_addresses`
`protoPayload.metadata.jobInsertion.reason`	`target.resource.attribute.labels[job_insertion_reason]`
`protoPayload.metadata.jobInsertion.job.jobConfig.queryConfig.statementType`	`target.resource.attribute.labels[job_insertion_job_job_config_query_config_statement_type]`
`protoPayload.metadata.jobInsertion.job.jobStatus.jobState`	`target.resource.attribute.labels[job_insertion_job_job_status_job_state]`
`protoPayload.response.state`	`target.resource.attribute.labels[response_state]`
`protoPayload.request.metadata.state`	`target.resource.attribute.labels[request_state]`
`protoPayload.authenticationInfo.principalSubject`	`principal.user.userid`	Wenn der Wert des Logfelds `protoPayload.authenticationInfo.principalSubject` nicht leer ist, wird `new_user_id` mithilfe eines Grok-Musters aus dem `protoPayload.authenticationInfo.principalSubject`-Logfeld extrahiert und dem UDM-Feld `principal.user.userid` zugeordnet.
`protoPayload.authenticationInfo.principalSubject`	`principal.user.email_addresses`	Wenn der Wert des Logfelds `protoPayload.authenticationInfo.principalSubject` nicht leer ist, wird `new_email_id` mithilfe eines Grok-Musters aus dem `protoPayload.authenticationInfo.principalSubject`-Logfeld extrahiert und dem UDM-Feld `principal.user.email_addresses` zugeordnet.
`protoPayload.authenticationInfo.serviceAccountDelegationInfo.principalSubject`	`principal.user.attribute.labels[access_serviceAcc_principalSubject]`
`protoPayload.response.oauth2_client_id`	`principal.user.attribute.labels[response_oauth2_client_id]`
`protoPayload.authorizationInfo.resourceAttributes.service`	`principal.resource.attribute.labels[authorization_info_rcService]`
`protoPayload.authorizationInfo.granted`	`principal.user.attributes.labels[authorization_granted]`
`protoPayload.request.cryptoKey.versionTemplate.algorithm`	`security_result.detection_fields [algorithm]`
`protoPayload.response.details[].@type`	`security_result.detection_fields [details_type]`
`protoPayload.request.cryptoKey.nextRotationTime`	`security_result.detection_fields [next_rotation_time]`
`protoPayload.request.cryptoKey.versionTemplate.protectionLevel`	`security_result.detection_fields [protection_level]`
`protoPayload.request.body.settings.ipConfiguration.authorizedNetworks.value`	`security_result.detection_fields [protoPayload.request.body.settings.ipConfiguration.authorizedNetworks.kind]`
`protoPayload.request.cryptoKey.purpose`	`security_result.detection_fields [purpose]`
`protoPayload.resourceName`	`security_result.detection_fields [resource_name]`
`protoPayload.authorizationInfo.resource`	`security_result.detection_fields [resource]`
`protoPayload.response.code`	`security_result.detection_fields [response_code]`
`protoPayload.request.cryptoKey.rotationPeriod`	`security_result.detection_fields [rotation_period]`
`protoPayload.metadata.securityPolicyInfo.organizationId`	`security_result.detection_fields [securityPolicyInfo.organizationId]`
`protoPayload.request.serviceAccounts[].scopes`	`security_result.detection_fields [service_account_scope]`
`protoPayload.response.details[].violations[].subject`	`security_result.detection_fields [violation_subject]`
`protoPayload.response.details[].violations[].type`	`security_result.detection_fields [violation_type]`
`protoPayload.metadata.event.eventName.parameter.name[ACTION_ID]`	`security_result.detection_fields[action_id]`
`protoPayload.serviceData.policyDelta.auditConfigDeltas[].action`	`security_result.detection_fields[action]`
`protoPayload.metadata.event.eventName.parameter.name[ALERT_NAME]`	`security_result.detection_fields[alert_name]`
`protoPayload.metadata.event.eventName.parameter.name[ALLOWED_TWO_STEP_VERIFICATION_METHOD]`	`security_result.detection_fields[allowed_two_step_verification_method]`
`protoPayload.requestMetadata.callerNetwork.requestAttributes.reason`	`security_result.detection_fields[caller_network_request_reason]`
`protoPayload.metadata.event.eventName.parameter.name[is_second_factor]`	`security_result.detection_fields[is_second_factor]`	Wenn der Wert des `protoPayload.metadata.event.eventName`-Logfelds `login_verification` und der Wert des `protoPayload.metadata.event.eventName.parameter.name`-Logfelds `is_second_factor` ist, wird das `protoPayload.metadata.event.eventName.parameter.value`-Logfeld dem `security_result.detection_fields.value`-UDM-Feld zugeordnet.
`protoPayload.metadata.event.eventName.parameter.name[is_suspicious]`	`security_result.detection_fields[is_suspicious]`	Wenn der Wert des Logfelds `protoPayload.metadata.event.eventName` gleich `login_success` ist und der Wert des Logfelds `protoPayload.metadata.event.eventName.parameter.name` gleich `is_suspicious` ist, wird das Logfeld `protoPayload.metadata.event.eventName.parameter.boolValue` dem UDM-Feld `security_result.detection_fields.value` zugeordnet.
`protoPayload.metadata.event.eventName.parameter.name[login_failure_type]`	`security_result.detection_fields[login_failure_type]`	Wenn der Wert des Logfelds `protoPayload.metadata.event.eventName` gleich `login_failure` ist und der Wert des Logfelds `protoPayload.metadata.event.eventName.parameter.name` gleich `login_failure_type` ist, wird das Logfeld `protoPayload.metadata.event.eventName.parameter.value` dem UDM-Feld `security_result.detection_fields.value` zugeordnet.
`protoPayload.metadata.event.eventName.parameter.name[login_type]`	`security_result.detection_fields[login_type]`	Wenn der Wert des `protoPayload.metadata.event.eventName`-Logfelds `login_failure`, `login_challenge`, `login_verification`, `login_success` oder `logout` ist und der Wert des `protoPayload.metadata.event.eventName.parameter.name`-Logfelds `login_type` ist, wird das `protoPayload.metadata.event.eventName.parameter.value`-Logfeld dem `about.labels.value`-UDM-Feld zugeordnet.
`protoPayload.request.bindings.members[]`	`security_result.detection_fields[members]`
`protoPayload.policyViolationInfo.orgPolicyViolationInfo.violationInfo.checkedValue`	`security_result.detection_fields[policy_violation_checked_value]`
`protoPayload.policyViolationInfo.orgPolicyViolationInfo.violationInfo.constraint`	`security_result.detection_fields[policy_violation_constraint]`
`protoPayload.policyViolationInfo.orgPolicyViolationInfo.resourceTags`	`security_result.detection_fields[policy_violation_resource_tags]`
`protoPayload.policyViolationInfo.orgPolicyViolationInfo.resourceType`	`security_result.detection_fields[policy_violation_resource_type]`
`protoPayload.metadata.event.eventName.parameter.name[QUARANTINE_NAME]`	`security_result.detection_fields[quarantine_name]`
`protoPayload.resourceOriginalState.logconfig.enable`	`security_result.detection_fields[rc_orgState_logconfig_enable]`
`protoPayload.request.alloweds[].ports`	`security_result.detection_fields[req_alloweds_ports]`
`protoPayload.response.error.errors[].domain`	`security_result.detection_fields[res_error_domain]`
`protoPayload.resourceOriginalState.direction`	`security_result.detection_fields[resource_original_state_direction]`
`protoPayload.authenticationInfo.serviceAccountKeyName`	`security_result.detection_fields[service_account_key_name]`
`Referred this from Default parser.`	`security_result.detection_fields[SERVICE]`
`protoPayload.status.details.type`	`security_result.detection_fields[status_details_type]`
`protoPayload.status.details.violations.subject`	`security_result.detection_fields[status_details_violation_subject]`
`protoPayload.status.details.violations.type`	`security_result.detection_fields[status_details_violation_type]`
`sourceLocation.function`	`src.labels[src_location_function]`
`sourceLocation.line`	`src.labels[src_location_line]`
`protoPayload.metadata.event.eventName.parameter.name[DEVICE_NEW_STATE]`	`target.asset.attribute.labels[dvc_new_state]`
`protoPayload.metadata.event.eventName.parameter.name[DEVICE_PREVIOUS_STATE]`	`target.asset.attribute.labels[dvc_previous_state]`
`protoPayload.metadata.event.eventName.parameter.name[DEVICE_TYPE]`	`target.asset.attribute.labels[dvc_type]`
`protoPayload.metadata.event.eventName.parameter.name[MANAGED_CONFIGURATION_NAME]`	`target.asset.attribute.labels[managed_config_name]`
`protoPayload.metadata.event.eventName.parameter.name[MOBILE_APP_PACKAGE_ID]`	`target.asset.attribute.labels[mobile_app_package_id]`
`protoPayload.metadata.event.eventName.parameter.name[MOBILE_CERTIFICATE_COMMON_NAME]`	`target.asset.attribute.labels[mobile_certificate_common_name]`
`protoPayload.metadata.event.eventName.parameter.name[MOBILE_WIRELESS_NETWORK_NAME]`	`target.asset.attribute.labels[mobile_wireless_network_name]`
`protoPayload.metadata.event.eventName.parameter.name[PLAY_FOR_WORK_MDM_VENDOR_NAME]`	`target.asset.attribute.labels[play_for_work_mdm_vendor_name]`
`protoPayload.metadata.event.eventName.parameter.name[PLAY_FOR_WORK_TOKEN_ID]`	`target.asset.attribute.labels[play_for_work_token_id]`
`resource.labels.instance_id`	`target.asset.attribute.labels[rc_instance_id]`
`protoPayload.metadata.event.eventName.parameter.name[SKU_NAME]`	`target.asset.attribute.labels[sku_name]`
`protoPayload.response.targetId`	`target.asset.attribute.labels[target_id]`	Wenn der Wert des Logfelds `protoPayload.methodName` nicht gleich `cloudsql.instances.create` ist, wird das Logfeld `protoPayload.response.targetId` dem UDM-Feld `target.asset.attribute.labels.value` zugeordnet.
`resource.labels.backend_service_name`	`target.labels [backend_service_name]` (verworfen)
`protoPayload.requestMetadata.requestAttributes.auth.claims`	`target.labels [request_auth_claims]` (verworfen)
`protoPayload.metadata.event.eventName.parameter.name[APPLICATION_EDITION]`	`target.labels[application_edition]` (verworfen)
`protoPayload.metadata.event.eventName.parameter.name[ASP_ID]`	`target.labels[asp_id]` (verworfen)
`protoPayload.metadata.event.eventName.parameter.name[CHROME_OS_SESSION_TYPE]`	`target.labels[chrome_os_session_type]` (verworfen)
`protoPayload.metadata.event.eventName.parameter.name[DEVICE_NEW_ORG_UNIT]`	`target.labels[device_new_org_unit]` (verworfen)
`protoPayload.metadata.event.eventName.parameter.name[DEVICE_PREVIOUS_ORG_UNIT]`	`target.labels[device_previous_org_unit]` (verworfen)
`protoPayload.metadata.event.eventName.parameter.name[DOMAIN_ALIAS]`	`target.labels[domain_alias]` (verworfen)
`protoPayload.metadata.event.eventName.parameter.name[EMAIL_EXPORT_INCLUDE_DELETED]`	`target.labels[email_export_include_deleted]` (verworfen)
`protoPayload.metadata.event.eventName.parameter.name[EMAIL_EXPORT_PACKAGE_CONTENT]`	`target.labels[email_export_package_content]` (verworfen)
`protoPayload.metadata.event.eventName.parameter.name[EMAIL_LOG_SEARCH_END_DATE]`	`target.labels[email_log_search_end_date]` (verworfen)
`protoPayload.metadata.event.eventName.parameter.name[EMAIL_LOG_SEARCH_START_DATE]`	`target.labels[email_log_search_start_date]` (verworfen)
`protoPayload.metadata.event.eventName.parameter.name[EMAIL_MONITOR_LEVEL_CHAT]`	`target.labels[email_monitor_level_chat]` (verworfen)
`protoPayload.metadata.event.eventName.parameter.name[EMAIL_MONITOR_LEVEL_DRAFT_EMAIL]`	`target.labels[email_monitor_level_draft_email]` (verworfen)
`protoPayload.metadata.event.eventName.parameter.name[EMAIL_MONITOR_LEVEL_INCOMING_EMAIL]`	`target.labels[email_monitor_level_in_email]` (verworfen)
`protoPayload.metadata.event.eventName.parameter.name[EMAIL_MONITOR_LEVEL_OUTGOING_EMAIL]`	`target.labels[email_monitor_level_out_email]` (verworfen)
`protoPayload.metadata.event.eventName.parameter.name[GMAIL_RESET_REASON]`	`target.labels[email_reset_reason]` (verworfen)
`protoPayload.metadata.event.eventName.parameter.name[NEW_VALUE]`	`target.labels[new_value]` (verworfen)
`protoPayload.metadata.event.eventName.parameter.name[OAUTH2_APP_TYPE]`	`target.labels[oauth2_app_type]` (verworfen)
`protoPayload.metadata.event.eventName.parameter.name[OLD_VALUE]`	`target.labels[old_value]` (verworfen)
`protoPayload.requestMetadata.destinationAttributes.principal`	`target.labels[peer_principal]` (verworfen)
`protoPayload.requestMetadata.destinationAttributes.regionCode`	`target.labels[peer_region_code]` (verworfen)
`protoPayload.request.loadBalancingScheme`	`target.labels[req_load_balancing_scheme]` (verworfen)
`protoPayload.request.requestId`	`target.labels[request_id]` (verworfen)
`protoPayload.metadata.event.eventName.parameter.name[REQUEST_ID]`	`target.labels[request_id]` (verworfen)
`protoPayload.resourceOriginalState.description`	`target.labels[res_originalState_description]` (verworfen)
`protoPayload.response.bindings[].members[]`	`target.labels[response_bindings_members]` (verworfen)
`protoPayload.response.description`	`target.labels[response_description]` (verworfen)
`protoPayload.response.display_name`	`target.labels[response_display_name]` (verworfen)
`protoPayload.metadata.event.eventName.parameter.name[SECONDARY_DOMAIN_NAME]`	`target.labels[secondary_domain_name]` (verworfen)
`protoPayload.metadata.event.eventName.parameter.name[SETTING_NAME]`	`target.labels[setting_name]` (verworfen)
`protoPayload.metadata.event.eventName.parameter.name[USER_CUSTOM_FIELD]`	`target.labels[user_custom_field]` (verworfen)
`protoPayload.metadata.event.eventName.parameter.name[USER_DEFINED_SETTING_NAME]`	`target.labels[user_defined_setting_name]` (verworfen)
`protoPayload.metadata.event.eventName.parameter.name[WEB_ORIGIN]`	`target.labels[web_origin]` (verworfen)
`protoPayload.metadata.event.eventName.parameter.name[WHITELISTED_GROUPS]`	`target.labels[whitelisted_groups]` (verworfen)
`protoPayload.metadata.event.eventName.parameter.name[APP_LICENSES_ORDER_NUMBER]`	`target.asset.labels[app_licenses_order_number]`
`protoPayload.metadata.event.eventName.parameter.name[CHROME_NUM_LICENSES_PURCHASED]`	`target.asset.labels[chrome_num_licenses_purchased]`
`protoPayload.metadata.event.eventName.parameter.name[DEVICE_COMMAND_DETAILS]`	`target.asset.labels[device_command_details]`
`protoPayload.metadata.event.eventName.parameter.name[DIRECTORY_API_ID]`	`target.asset.labels[directory_api_id]`
`protoPayload.metadata.event.eventName.parameter.name[GROUP_PRIORITIES]`	`target.group.attribute.labels[group_priorities]`
`protoPayload.request.cluster.subnetwork`	`target.resource_ancestor.attribute.labels[req_cls_subnetwork]`
`protoPayload.request.cluster.nodePools[].autoscaling.enabled`	`target.resource_ancestor.attribute.labels[req_clsNodePools_autoscaling_enabled]`
`protoPayload.request.cluster.nodePools[].autoscaling.maxNodeCount`	`target.resource_ancestor.attribute.labels[req_clsNodePools_autoscaling_max_node_cnt]`
`protoPayload.request.cluster.nodePools[].autoscaling.minNodeCount`	`target.resource_ancestor.attribute.labels[req_clsNodePools_autoscaling_min_node_cnt]`
`protoPayload.request.cluster.nodePools[].management.autoupgrade`	`target.resource_ancestor.attribute.labels[req_clsNodePools_autoupgrade]`
`protoPayload.request.cluster.nodePools[].config.diskSizeGb`	`target.resource_ancestor.attribute.labels[req_clsNodePools_config_disksize]`
`protoPayload.request.cluster.nodePools[].config.imageType`	`target.resource_ancestor.attribute.labels[req_clsNodePools_config_imagetype]`
`protoPayload.request.cluster.nodePools[].config.machineType`	`target.resource_ancestor.attribute.labels[req_clsNodePools_config_machinetype]`
`protoPayload.request.cluster.nodePools[].config.oauthScopes[]`	`target.resource_ancestor.attribute.labels[req_clsNodePools_config_oauth_scopes]`
`protoPayload.request.cluster.nodePools[].name`	`target.resource_ancestor.attribute.labels[req_clsNodePools_name]`
`protoPayload.request.cluster.nodePools[].initialNodeCount`	`target.resource_ancestor.attribute.labels[req_clsterNodePools_autoscaling_initial_node_cnt]`
`resource.data.oauth2ClientId`	`target.resource.attribute.labels [oauth_client_id]`
`protoPayload.request.properties.confidentialInstanceConfig.enableConfidentialCompute`	`target.resource.attribute.labels [ enable_confidential_compute]`
`protoPayload.request.function.timeout`	`target.resource.attribute.labels [ function_time_out]`
`protoPayload.requestMetadata.requestAttributes.auth.accessLevels`	`target.resource.attribute.labels [accessLevel]`
`protoPayload.request.date`	`target.resource.attribute.labels [audit_event_occurred]`
`protoPayload.request.auditId`	`target.resource.attribute.labels [audit_id]`
`protoPayload.request.autoscalingPolicy.mode`	`target.resource.attribute.labels [autoscaling_policy_mode]`
`protoPayload.request.autoscalingPolicy.coolDownPeriodSec`	`target.resource.attribute.labels [cool_down_period]`
`protoPayload.request.denieds.0.IPProtocol`	`target.resource.attribute.labels [Denied Protocol]`
`protoPayload.request.destinationRanges`	`target.resource.attribute.labels [destination_ranges]`
`protoPayload.request.function.entryPoint`	`target.resource.attribute.labels [function_entry_point]`
`protoPayload.request.function.httpsTrigger.securityLevel`	`target.resource.attribute.labels [function_httptrigger_security_level]`
`protoPayload.request.function.runtime`	`target.resource.attribute.labels [function_runtime]`
`protoPayload.request.function.serviceAccountEmail`	`target.resource.attribute.labels [function_service_account_email]`
`protoPayload.request.function.sourceUploadUrl`	`target.resource.attribute.labels [function_source_upload_url]`
`protoPayload.metadata.iapEnabled`	`target.resource.attribute.labels [iapEnabled]`
`protoPayload.request.listManagedInstancesResults`	`target.resource.attribute.labels [managed_instances_result]`
`protoPayload.request.autoscalingPolicy.maxNumReplicas`	`target.resource.attribute.labels [max_replicas]`
`protoPayload.request.autoscalingPolicy.minNumReplicas`	`target.resource.attribute.labels [min_replicas]`
`protoPayload.request.msgType`	`target.resource.attribute.labels [msg_type]`
`protoPayload.metadata.oauth_client_id`	`target.resource.attribute.labels [oauth_client_id]`
`protoPayload.request.autoscalingPolicy.cpuUtilization.predictiveMethod`	`target.resource.attribute.labels [predictive_method]`
`protoPayload.request.labels.0.value`	`target.resource.attribute.labels [protoPayload.request.labels.0.key]`
`protoPayload.request.queryId`	`target.resource.attribute.labels [query_id]`
`protoPayload.request.constraint`	`target.resource.attribute.labels [request_constraint]`
`protoPayload.request.dataAccessed`	`target.resource.attribute.labels [request_data_accessed]`
`protoPayload.request.function.labels.deployment-tool`	`target.resource.attribute.labels [request_deployment_tool]`
`protoPayload.request.properties.description`	`target.resource.attribute.labels [request_description]`
`protoPayload.request.function.name`	`target.resource.attribute.labels [request_function_name]`
`protoPayload.request.location`	`target.resource.attribute.labels [request_location]`
`protoPayload.request.policy.constraint`	`target.resource.attribute.labels [request_policy_constraint]`
`protoPayload.request.@type`	`target.resource.attribute.labels [request_type]`
`protoPayload.request.cmd`	`target.resource.attribute.labels [sql_operation_type ]`
`protoPayload.request.threadId`	`target.resource.attribute.labels [thread_id]`
`protoPayload.metadata.unsatisfied_access_levels`	`target.resource.attribute.labels [unsatisfied_access_levels]`
`protoPayload.request.autoscalingPolicy.cpuUtilization.utilizationTarget`	`target.resource.attribute.labels [utilization_target]`
`protoPayload.request.body.settings.backupConfiguration.binaryLogEnabled`	`target.resource.attribute.labels[backup_config_binarylog_enabled]`
`protoPayload.request.body.settings.backupConfiguration.enabled`	`target.resource.attribute.labels[backup_config_enabled]`
`protoPayload.request.body.settings.backupConfiguration.transactionLogRetentionDays`	`target.resource.attribute.labels[backup_config_logRetention_days]`
`protoPayload.request.body.settings.backupConfiguration.pointInTimeRecoveryEnabled`	`target.resource.attribute.labels[backup_config_point_in_time_recovery_enabled]`
`protoPayload.request.body.settings.backupConfiguration.backupRetentionSettings.retainedBackups`	`target.resource.attribute.labels[backup_config_retention_settings_retained_backups]`
`protoPayload.request.body.settings.backupConfiguration.backupRetentionSettings.retentionUnit`	`target.resource.attribute.labels[backup_config_retention_settings_unit]`
`protoPayload.request.body.settings.backupConfiguration.startTime`	`target.resource.attribute.labels[backup_config_start_time]`
`protoPayload.request.canIpForward`	`target.resource.attribute.labels[can_ip_forward]`
`resource.labels.cluster_name`	`target.resource.attribute.labels[cls_name]`
`request.cluster.name`	`target.resource.attribute.labels[cls_name]`
`protoPayload.request.body.settings.dataDiskSizeGb`	`target.resource.attribute.labels[data_disk_size_gb]`
`protoPayload.request.body.settings.dataDiskType`	`target.resource.attribute.labels[data_disk_type]`
`protoPayload.metadata.tableDataRead.fields`	`target.resource.attribute.labels[data_read_fields]`
`protoPayload.metadata.jobInsertion.job.jobConfig.extractConfig.destinationUris[]`	`target.resource.attribute.labels[destination_uris]`
`protoPayload.request.direction`	`target.resource.attribute.labels[direction]`
`resource.labels.email_id`	`target.resource.attribute.labels[email_id]`
`resource.email_id`	`target.resource.attribute.labels[email_id]`
`resource.labels.forwarding_rule_name`	`target.resource.attribute.labels[forwarding_rule_name]`
`protoPayload.request.body.settings.ipConfiguration.ipv4Enabled`	`target.resource.attribute.labels[ip_config_ipv4_enabled]`
`protoPayload.request.body.settings.ipconfiguration.privatNetwork`	`target.resource.attribute.labels[ip_config_private_network]`
`protoPayload.request.body.settings.ipconfiguration.requireSsl`	`target.resource.attribute.labels[ip_config_require_ssl]`
`protoPayload.metadata.jobChange.job.jobConfig.type`	`target.resource.attribute.labels[job_type]`
`protoPayload.metadata.jobChange.job.jobConfig.labels.looker_studio_report_id`	`target.resource.attribute.labels[job_change_looker_studio_report_id]`
`protoPayload.metadata.jobChange.job.jobConfig.labels.requestor`	`target.resource.attribute.labels[job_change_requestor]`
`protoPayload.metadata.jobChange.job.jobConfig.labels.looker_studio_datasource_id`	`target.resource.attribute.labels[job_change_looker_studio_datasource_id]`
`protoPayload.metadata.tableChange.table.tableName`	`target.resource.attribute.labels[metadata_changedTable_name]`
`protoPayload.metadata.tableCreation.table.expireTime`	`target.resource.attribute.labels[metadata_creationTable_expire_time]`
`protoPayload.request.body.settings.pricingPlan`	`target.resource.attribute.labels[pricing_plan]`
`resource.data.projectId`	`target.resource.attribute.labels[projectId]`
`resource.labels.instance_group_name`	`target.resource.attribute.labels[rc_instance_groupName]`
`resource.labels.method`	`target.resource.attribute.labels[rc_method]`
`protoPayload.resourceOriginalState.disabled`	`target.resource.attribute.labels[rc_orgState_disabled]`
`protoPayload.resourceOriginalState.enableLogging`	`target.resource.attribute.labels[rc_orgState_enable_logging]`
`protoPayload.resourceOriginalState.logconfig.enable`	`target.resource.attribute.labels[rc_orgState_logconfig_enable]`
`protoPayload.resourceOriginalState.selfLink`	`target.resource.attribute.labels[rc_orgState_selflink]`
`protoPayload.resourceOriginalState.sourceRanges`	`target.resource.attribute.labels[rc_orgState_srcranges]`
`protoPayload.resourceOriginalState.targetTags`	`target.resource.attribute.labels[rc_orgState_target_tags]`
`protoPayload.resourceOriginalState.@type`	`target.resource.attribute.labels[rc_orgState_type]`
`resource.labels.service`	`target.resource.attribute.labels[rc_service]`
`resource.labels.subnetwork_name`	`target.resource.attribute.labels[rc_subnetwork_name]`
`resource.labels.version`	`target.resource.attribute.labels[rc_version]`
`protoPayload.request.body.databaseVersion`	`target.resource.attribute.labels[req_body_dbVersion]`
`protoPayload.request.cluster.releaseChannel.channel`	`target.resource.attribute.labels[req_cls_channel]`
`protoPayload.request.cluster.addonsConfig.networkPolicyConfig.disabled`	`target.resource.attribute.labels[req_cls_policy_config_disabled]`
`protoPayload.request.reservationAffinity.consumeReservationType`	`target.resource.attribute.labels[req_consumeReservation_type]`
`protoPayload.request.disabled`	`target.resource.attribute.labels[req_disabled]`
`protoPayload.request.disks[].boot`	`target.resource.attribute.labels[req_disk_boot]`
`protoPayload.request.disks[].initializeParams.diskSizeGb`	`target.resource.attribute.labels[req_disk_initialize_disk_size]`
`protoPayload.request.disks[].initializeParams.diskType`	`target.resource.attribute.labels[req_disk_initialize_disk_type]`
`protoPayload.request.disks[].initializeParams.sourceImage`	`target.resource.attribute.labels[req_disk_initialize_source_image]`
`protoPayload.request.workloadIdentityPoolProvider.attributeCondition`	`target.resource.attribute.labels[req_identityPool_attribute_condition]`
`protoPayload.request.workloadIdentityPoolProvider.aws.accountId`	`target.resource.attribute.labels[req_identityPool_aws_accountId]`
`protoPayload.request.workloadIdentityPoolProvider.attributeMapping.attribute.aws_role`	`target.resource.attribute.labels[req_identityPool_aws_role]`
`protoPayload.request.workloadIdentityPool.description`	`target.resource.attribute.labels[req_identityPool_description]`
`protoPayload.request.workloadIdentityPool.disabled`	`target.resource.attribute.labels[req_identityPool_disabled]`
`protoPayload.request.workloadIdentityPoolProvider.displayName`	`target.resource.attribute.labels[req_identityPool_displayName]`
`protoPayload.request.workloadIdentityPoolProvider.attributeMapping.google.subject`	`target.resource.attribute.labels[req_identityPool_googleSubject]`
`protoPayload.request.workloadIdentityPoolProvider.disabled`	`target.resource.attribute.labels[req_identityPool_provider_disabled]`
`protoPayload.request.workloadIdentityPoolProviderId`	`target.resource.attribute.labels[req_identityPool_providerId]`
`protoPayload.request.instances[].instance`	`target.resource.attribute.labels[req_instance]`
`protoPayload.request.logconfig.enable`	`target.resource.attribute.labels[req_logconfig_enable]`
`protoPayload.serviceData.tabelDataListRequest.maxResults`	`target.resource.attribute.labels[req_max_results]`
`protoPayload.serviceData.jobGetQueryResultsRequest.maxResults`	`target.resource.attribute.labels[req_max_results]`
`protoPayload.request.maxResults`	`target.resource.attribute.labels[req_max_results]`
`protoPayload.request.name`	`target.resource.attribute.labels[req_name]`
`protoPayload.request.networkInterfaces[].accessConfig.name`	`target.resource.attribute.labels[req_network_access_config_name]`
`protoPayload.request.networkInterfaces[].accessConfig.networkTier`	`target.resource.attribute.labels[req_network_access_config_network_tier]`
`protoPayload.request.networkInterfaces[].accessConfig.type`	`target.resource.attribute.labels[req_network_access_config_type]`
`protoPayload.request.network`	`target.resource.attribute.labels[req_network]`
`protoPayload.request.network`	`target.resource.attribute.labels[req_network]`
`protoPayload.request.priority`	`target.resource.attribute.labels[Request Priority]`
`protoPayload.request.project`	`target.resource.attribute.labels[req_project]`
`protoPayload.request.role.stage`	`target.resource.attribute.labels[req_role_stage]`
`protoPayload.request.scheduling.automaticRestart`	`target.resource.attribute.labels[req_scheduling_automatic_restart]`
`protoPayload.request.scheduling.onHostMaintenance`	`target.resource.attribute.labels[req_scheduling_on_host_mainten]`
`protoPayload.request.scheduling.preemptible`	`target.resource.attribute.labels[req_scheduling_preemptible]`
`protoPayload.request.service_account.description`	`target.resource.attribute.labels[req_serviceAcc_description]`
`protoPayload.request.serviceAccounts[].email`	`target.resource.attribute.labels[req_serviceAcc_email]`
`protoPayload.request.policy.booleanPolicy.enforced`	`target.resource.attribute.labels[request_constraint]`
`protoPayload.response.email`	`target.resource.attribute.labels[res_email]`
`protoPayload.response.etag`	`target.resource.attribute.labels[res_etag]`
`protoPayload.response.name`	`target.resource.attribute.labels[res_name]`
`protoPayload.response.operationType`	`target.resource.attribute.labels[response_operation_type]`
`protoPayload.response.zone`	`target.resource.attribute.labels[res_zone]`
`resource.data.name`	`target.resource.attribute.labels[resource_data_name]`
`protoPayload.response.booleanPolicy.enforced`	`target.resource.attribute.labels[response_enforce_policy]`
`protoPayload.response.status`	`target.resource.attribute.labels[response_status]`
`protoPayload.response.status.conditions.message`	`target.resource.attribute.labels[response_status]`
`protoPayload.serviceData.permissionDelta.addedPermissions[]`	`target.resource.attribute.labels[ser_added_perm]`
`protoPayload.serviceData.policyDelta.bindingDeltas[].action`	`target.resource.attribute.labels[ser_binding_deltas_action]`
`protoPayload.serviceData.policyDelta.bindingDeltas[].member`	`target.resource.attribute.labels[ser_binding_deltas_member]`
`Referred this from default parser.`	`target.resource.attribute.labels[ser_binding_deltas_member]`
`protoPayload.serviceData.jobGetQueryResultsResponse.job.jobConfiguration.query.destinationTable.datasetId`	`target.resource.attribute.labels[ser_destTable_datasetId]`
`protoPayload.serviceData.jobGetQueryResultsResponse.job.jobConfiguration.query.destinationTable.projectId`	`target.resource.attribute.labels[ser_destTable_projectId]`
`protoPayload.serviceData.jobGetQueryResultsResponse.job.jobConfiguration.query.destinationTable.tableId`	`target.resource.attribute.labels[ser_destTable_tableId]`
`protoPayload.serviceData.jobGetQueryResultsResponse.job.jobStatistics.createTime`	`target.resource.attribute.labels[ser_jobCreate_time]`
`protoPayload.serviceData.jobGetQueryResultsResponse.job.jobName.jobId`	`target.resource.attribute.labels[ser_req_jobId]`
`protoPayload.serviceData.jobGetQueryResultsResponse.job.jobConfiguration.query.query`	`target.resource.attribute.labels[ser_req_query]`
`protoPayload.serviceData.jobGetQueryResultsResponse.job.jobConfiguration.query.createDisposotion`	`target.resource.attribute.labels[ser_reqCreate_disposotion]`
`protoPayload.serviceData.jobGetQueryResultsResponse.job.jobName.location`	`target.resource.attribute.labels[ser_reqJob_location]`
`protoPayload.serviceData.jobGetQueryResultsResponse.job.jobName.projectId`	`target.resource.attribute.labels[ser_reqJob_projectid]`
`protoPayload.serviceData.jobGetQueryResultsResponse.job.jobStatistics.startTime`	`target.resource.attribute.labels[ser_reqJob_start_time]`
`protoPayload.serviceData.jobGetQueryResultsResponse.job.jobStatus.state`	`target.resource.attribute.labels[ser_reqJob_state]`
`protoPayload.serviceData.jobGetQueryResultsResponse.job.jobStatistics.totalSlotMs`	`target.resource.attribute.labels[ser_reqJob_total_slot_ms]`
`protoPayload.serviceData.jobGetQueryResultsResponse.job.jobConfiguration.query.statementType`	`target.resource.attribute.labels[ser_reqStatement_type]`
`protoPayload.serviceData.jobGetQueryResultsResponse.job.jobConfiguration.query.writeDisposition`	`target.resource.attribute.labels[ser_reqWrite_disposition]`
`protoPayload.serviceData.tableInsertRequest.resource.view.query`	`target.resource.attribute.labels[ser_tableInsert_query]`
`protoPayload.serviceData.@type`	`target.resource.attribute.labels[ser_type]`
`protoPayload.request.sourceRanges[]`	`target.resource.attribute.labels[source_ranges]`
`protoPayload.request.body.settings.storageAutoResize`	`target.resource.attribute.labels[storage_auto_resize]`
`resource.labels.target_proxy_name`	`target.resource.attribute.labels[target_proxy_name]`
`protoPayload.request.body.settings.tier`	`target.resource.attribute.labels[tier]`
`resource.labels.url_map_name`	`target.resource.attribute.labels[url_map_name]`
`protoPayload.request.cluster.network`	`target.resource_ancestors.attribute.labels[req_cls_network]`
`protoPayload.request.cluster.nodePools[].management.autoRepair`	`target.resource_ancestors.attribute.labels[req_clsNodePools_autorepair]`
`protoPayload.request.body.settings.availabilityType`	`target.resource.attributes.labels[resource_avaibilitytype]`
`protoPayload.metadata.tableCreation.table.schemaJSON`	`target.resource.attributes.labels[table_schemaJson]`
`protoPayload.metadata.event.eventName.parameter.name[BIRTHDATE]`	`target.user.attribute.labels[birthdate]`
`protoPayload.metadata.event.eventName.parameter.name[PRIVILEGE_NAME]`	`target.user.attribute.labels[privilege_name]`
`protoPayload.metadata.event.eventName.parameter.name[USER_NICKNAME]`	`target.user.attribute.labels[user_nickname]`
`resource.type`	`target.resource_ancestors.resource_type`	Wenn der Wert des `resource.type`-Logfelds mit dem regulären Ausdruck `gce_(firewall or forwarding_rule)` übereinstimmt, wird das `target.resource_ancestors.resource_type`-UDM-Feld auf `FIREWALL_RULE` festgelegt. Wenn der Wert des `resource.type`-Logfelds mit dem regulären Ausdruck `gce_(subnetwork or network)` übereinstimmt, wird das `target.resource_ancestors.resource_type`-UDM-Feld auf `VPC_NETWORK` festgelegt. Wenn der Wert des `resource.type`-Logfelds mit dem regulären Ausdruck `dataproc` übereinstimmt, wird das `target.resource_ancestors.resource_type`-UDM-Feld auf `CLUSTER` festgelegt. Wenn der Wert des `resource.type`-Logfelds mit dem regulären Ausdruck `k8s or gke_` übereinstimmt, wird das `target.resource_ancestors.resource_type`-UDM-Feld auf `CLUSTER` festgelegt. Wenn der Wert des `resource.type`-Logfelds mit `gce_backend_service` übereinstimmt, wird das `target.resource_ancestors.resource_type`-UDM-Feld auf `BACKEND_SERVICE` festgelegt. Wenn der Wert des `resource.type`-Logfelds mit dem regulären Ausdruck `(gce_ or dns_query)` übereinstimmt, wird das `target.resource.resource_type`-UDM-Feld auf `VIRTUAL_MACHINE` festgelegt. Wenn der Wert des `resource.type`-Logfelds mit dem regulären Ausdruck `gcs_bucket` übereinstimmt, wird das `target.resource_ancestors.resource_type`-UDM-Feld auf `STORAGE_BUCKET` festgelegt. Wenn der Wert des `resource.type`-Logfelds mit dem regulären Ausdruck `bigquery` übereinstimmt, wird das `target.resource_ancestors.resource_type`-UDM-Feld auf `DATABASE` festgelegt. Wenn der Wert des `resource.type`-Logfelds mit dem regulären Ausdruck `cloudsql` übereinstimmt, wird das `target.resource_ancestors.resource_type`-UDM-Feld auf `DATABASE` festgelegt. Wenn der Wert des `resource.type`-Logfelds mit dem regulären Ausdruck `service_account` übereinstimmt, wird das `target.resource_ancestors.resource_type`-UDM-Feld auf `SERVICE_ACCOUNT` festgelegt. Wenn der Wert des `resource.type`-Logfelds mit dem regulären Ausdruck `project` übereinstimmt, wird das `target.resource_ancestors.resource_type`-UDM-Feld auf `CLOUD_PROJECT` festgelegt. Wenn der Wert des `resource.type`-Logfelds mit dem regulären Ausdruck `organization` übereinstimmt, wird das `target.resource_ancestors.resource_type`-UDM-Feld auf `CLOUD_ORGANIZATION` festgelegt. Andernfalls wird das `target.resource_ancestors.resource_type`-UDM-Feld auf `UNSPECIFIED` festgelegt. Wenn der Wert des `resource.labels.project_id`-Logfelds nicht leer ist, wird das `target.resource_ancestors.resource_type`-UDM-Feld auf `CLOUD_PROJECT` festgelegt.
`jsonPayload.end_time`	`about.labels[jsonPayload_end_time]` (verworfen)
`jsonPayload.packets_sent`	`network.sent_packets`
`jsonPayload.reporter`	`about.labels[jsonPayload_reporter]` (verworfen)
`jsonPayload.src_vpc.vpc_name`	`principal.resource.name`
`jsonPayload.src_vpc.project_id`	`principal.resource.product_object_id`
`jsonPayload.src_vpc.subnetwork_name`	`principal.resource.attribute.labels[jsonPayload_src_vpc_subnetwork_name]`
`jsonPayload.start_time`	`about.labels[jsonPayload_start_time]` (verworfen)
`jsonPayload.src_instance.region`	`principal.location.name`
`jsonPayload.src_instance.project_id`	`principal.labels[jsonPayload_src_instance_project_id]` (verworfen)
`jsonPayload.src_instance.zone`	`principal.cloud.availability_zone`
`resource.labels.subnetwork_id`	`target.resource.attribute.labels[resource_labels_subnetwork_id]`
`jsonPayload.dest_vpc.project_id`	`target.resource.product_object_id`
`jsonPayload.dest_vpc.subnetwork_name`	`target.resource.attribute.labels[jsonPayload_src_vpc_subnetwork_name]`
`jsonPayload.dest_vpc.vpc_name`	`target.resource.name`
`jsonPayload.dest_instance.region`	`target.location.name`
`jsonPayload.dest_instance.project_id`	`target.labels[jsonPayload_dest_instance_project_id]` (verworfen)
`jsonPayload.dest_instance.zone`	`target.cloud.availability_zone`
`jsonPayload.src_location.asn`	`principal.labels[jsonPayload_src_location_asn]` (verworfen)
`jsonPayload.src_location.city`	`principal.location.city`
`jsonPayload.src_location.continent`	`principal.labels[jsonPayload_src_location_continent]` (verworfen)
`jsonPayload.src_location.country`	`principal.location.country_or_region`
`jsonPayload.src_location.region`	`principal.labesl[jsonPayload_src_location_region]`
`jsonPayload.dest_location.asn`	`target.labels[jsonPayload_dest_location_asn]` (verworfen)
`jsonPayload.dest_location.city`	`target.location.city`
`jsonPayload.dest_location.continent`	`target.labels[jsonPayload_dest_location_continent]` (verworfen)
`jsonPayload.dest_location.region`	`target.labesl[jsonPayload_dest_location_region]`
`protoPayload.metadata.ingressViolations.servicePerimeter`	`security_result.detection_fields[protoPayload_metadata_ingressViolations_serviceParameter]`
`protoPayload.metadata.ingressViolations.source`	`security_result.detection_fields[protoPayload_metadata_ingressViolations_source]`
`protoPayload.metadata.ingressViolations.sourceType`	`security_result.detection_fields[protoPayload_metadata_ingressViolations_sourceType]`
`protoPayload.metadata.ingressViolations.targetResource`	`security_result.detection_fields[protoPayload_metadata_ingressViolations_targetResource]`
`protoPayload.request.subjects.name`	`target.user.attribute.labels[subject_name]`
`protoPayload.request.spec.containers.0.image`	`target.process.command_line`
`protoPayload.request.spec.containers.0.name`	`target.resource.attribute.labels[name]`
`protoPayload.request.spec.containers.0.terminationMessagePolicy`	`traget.resource.attribute.labels[terminationMessagePolicy]`
`protoPayload.request.spec.containers.0.terminationMessagePath`	`traget.resource.attribute.labels[terminationMessagePath]`
`protoPayload.request.spec.containers.0.imagePullPolicy`	`traget.resource.attribute.labels[imagePullPolicy]`
`protoPayload.request.spec.dnsPolicy`	`target.resource.attribute.labels[imagePullPolicy]`
`protoPayload.request.spec.enableServiceLinks`	`traget.resource.attribute.labels[enableServiceLinks]`
`protoPayload.request.spec.restartPolicy`	`target.resource.attribute.labels[restartPolicy]`
`protoPayload.request.spec.schedulerName`	`target.resource.attribute.labels[schedulerName]`
`protoPayload.request.spec.terminationGracePeriodSeconds`	`traget.resource.attribute.labels[protoPayload_request_spec_terminationGracePeriodSeconds]`
`protoPayload.request.metadata.namespace`	`principal.namespace`
`protoPayload.request.apiVersion`	`target.resource.attribute.labels [request apiVersion]`
`protoPayload.request.kind`	`target.resource.attribute.labels[request.kind]`
`protoPayload.request.metadata.name`	`target.resource.attribute.labels[request.metadata.name]`
`labels.mutation.webhook.admission.k8s.io/round_0_index_0`	`security_result.about.resource.attribute.labels[labels_round_0_index_0]`
`protoPayload.request.spec.containers.0.args`	`about.file.capabilities_tags`
`protoPayload.request.properties.disks.0.initializeParams.diskSizeGb`	`principal.resource.attribute.labels[diskSizeGb]`
`protoPayload.request.properties.disks.0.initializeParams.diskType`	`principal.resource.attribute.labels[diskType]`
`protoPayload.request.properties.disks.0.initializeParams.guestOsFeatures.0.type`	`principal.resource.attribute.labels[guestOsFeatures type]`
`protoPayload.request.properties.disks.0.initializeParams.labels.0.key`	`principal.resource.attribute.labels[protoPayload.request.properties.disks.0.initializeParams.labels.0.key]`
`protoPayload.request.properties.disks.0.initializeParams.sourceImage`	`principal.resource.attribute.labels[sourceImage]`
`protoPayload.request.properties.disks.0.type`	`principal.resource.attribute.labels[disks Type]`
`key_id`	`security_result.detection_field[key_id]`	Der Feldwert „`key_id`“ wird aus dem `message`-Log extrahiert mithilfe eines Grok-Musters.
`protoPayload.request.securityHealthAnalyticsSettings.modules.PUBLIC_BUCKET_ACL.moduleEnablementState`	`target.resource.attribute.labels[PUBLIC_BUCKET_ACL_module_enablement_state]`
`protoPayload.response.serviceEnablementState`	`target.resource.attribute.labels[service_enablement_state]`
`protoPayload.request.metadata.creationTimestamp`	`target.resource.attribute.creation_time`
`protoPayload.request.metadata.labels.trivy.automatic.created`	`target.resource.attribute.labels[req_metadata_trivy_automatic_created]`
`protoPayload.request.metadata.labels.trivy.collector.name`	`target.resource.attribute.labels[req_metadata_trivy_collector_name]`
`protoPayload.request.metadata.labels.trivy.resource.kind`	`target.resource.attribute.labels[req_metadata_trivy_resource_kind]`
`protoPayload.request.metadata.labels.trivy.resource.name`	`target.resource.attribute.labels[req_metadata_trivy_resource_name]`
`protoPayload.request.spec.backoffLimit`	`target.resource.attribute.labels[req_spec_backoff_limit]`
`protoPayload.request.spec.completionMode`	`target.resource.attribute.labels[req_spec_completion_mode]`
`protoPayload.request.spec.completions`	`target.resource.attribute.labels[req_spec_completions]`
`protoPayload.request.spec.parallelism`	`target.resource.attribute.labels[req_spec_parallelism]`
`protoPayload.request.spec.suspend`	`target.resource.attribute.labels[req_spec_suspend]`
`protoPayload.request.spec.template.metadata.creationTimestamp`	`target.resource.attribute.labels[req_spec_template_metadata_creation_time]`
`protoPayload.request.spec.template.metadata.labels.app`	`target.resource.attribute.labels[req_spec_template_metadata_app]`
`protoPayload.request.spec.template.spec.automountServiceAccountToken`	`target.resource.attribute.labels[req_spec_template_spec_automount_service_account_token]`
`protoPayload.request.spec.template.spec.containers.command`	`target.resource_ancestors.attribute.labels[req_spec_template_spec_container_command]`
`protoPayload.request.spec.template.spec.containers.image`	`target.resource_ancestors.attribute.labels[req_spec_template_spec_container_image]`
`protoPayload.request.spec.template.spec.containers.imagePullPolicy`	`target.resource_ancestors.attribute.labels[req_spec_template_spec_container_image_pull_policy]`
`protoPayload.request.spec.template.spec.containers.name`	`target.resource_ancestors.name`
`protoPayload.request.spec.template.spec.containers.resources.limits.cpu`	`target.resource_ancestors.attribute.labels[req_spec_template_spec_container_resource_limits_cpu]`
`protoPayload.request.spec.template.spec.containers.resources.limits.memory`	`target.resource_ancestors.attribute.labels[req_spec_template_spec_container_resource_limits_memory]`
`protoPayload.request.spec.template.spec.containers.resources.requests.cpu`	`target.resource_ancestors.attribute.labels[req_spec_template_spec_container_resource_request_cpu]`
`protoPayload.request.spec.template.spec.containers.resources.requests.memory`	`target.resource_ancestors.attribute.labels[req_spec_template_spec_container_resource_request_memory]`
`protoPayload.request.spec.template.spec.containers.securityContext.allowPrivilegeEscalation`	`target.resource_ancestors.attribute.labels[req_spec_template_spec_container_security_context_allow_privilege_escalation]`
`protoPayload.request.spec.template.spec.containers.securityContext.capabilities.drop`	`target.resource_ancestors.attribute.labels[req_spec_template_spec_container_security_context_capabilities_drop]`
`protoPayload.request.spec.template.spec.containers.securityContext.privileged`	`target.resource_ancestors.attribute.labels[req_spec_template_spec_container_security_context_privileged]`
`protoPayload.request.spec.template.spec.containers.securityContext.readOnlyRootFilesystem`	`target.resource_ancestors.attribute.labels[req_spec_template_spec_container_security_context_read_only_root_filesystem]`
`protoPayload.request.spec.template.spec.containers.terminationMessagePath`	`target.resource_ancestors.attribute.labels[req_spec_template_spec_container_termination_message_path]`
`protoPayload.request.spec.template.spec.containers.terminationMessagePolicy`	`target.resource_ancestors.attribute.labels[req_spec_template_spec_container_termination_message_policy]`
`protoPayload.request.spec.template.spec.containers.volumeMounts.mountPath`	`target.resource_ancestors.attribute.labels[req_spec_template_spec_container_volume_mounts_mount_path]`
`protoPayload.request.spec.template.spec.containers.volumeMounts.name`	`target.resource_ancestors.attribute.labels[req_spec_template_spec_container_volume_mounts_name]`
`protoPayload.request.spec.template.spec.containers.volumeMounts.readOnly`	`target.resource_ancestors.attribute.labels[req_spec_template_spec_container_volume_mounts_readonly]`
`protoPayload.request.spec.template.spec.dnsPolicy`	`target.resource.attribute.labels[req_spec_template_spec_dns_policy]`
`protoPayload.request.spec.template.spec.hostPID`	`target.resource.attribute.labels[req_spec_template_spec_host_pid]`
`protoPayload.request.spec.template.spec.restartPolicy`	`target.resource.attribute.labels[req_spec_template_spec_restart_policy]`
`protoPayload.request.spec.template.spec.schedulerName`	`target.resource.attribute.labels[req_spec_template_spec_scheduler_name]`
`protoPayload.request.spec.template.spec.securityContext.runAsGroup`	`target.resource.attribute.labels[req_spec_template_spec_security_context_run_as_group]`
`protoPayload.request.spec.template.spec.securityContext.runAsUser`	`target.resource.attribute.labels[req_spec_template_spec_security_context_run_as_user]`
`protoPayload.request.spec.template.spec.securityContext.seccompProfile.type`	`target.resource.attribute.labels[req_spec_template_spec_security_context_seccomp_profile_type]`
`protoPayload.request.spec.template.spec.terminationGracePeriodSeconds`	`target.resource.attribute.labels[req_spec_template_spec_termination_grace_period_seconds]`
`protoPayload.request.spec.template.spec.volumes.hostPath.path`	`target.resource.attribute.labels[req_spec_template_spec_volumes_host_path]`
`protoPayload.request.spec.template.spec.volumes.hostPath.type`	`target.resource.attribute.labels[req_spec_template_spec_volumes_host_path_type]`
`protoPayload.request.spec.template.spec.volumes.name`	`target.resource.attribute.labels[req_spec_template_spec_volumes_name]`
`protoPayload.request.spec.automountServiceAccountToken`	`target.resource.attribute.labels[req_spec_automount_service_account_token]`
`protoPayload.request.spec.containers.command`	`target.resource.attribute.labels[req_spec_container_command]`
`protoPayload.request.spec.containers.securityContext.privileged`	`target.resource.attribute.labels[req_spec_container_security_context_privileged]`
`protoPayload.request.spec.containers.securityContext.allowPrivilegeEscalation`	`target.resource.attribute.labels[req_spec_container_security_context_allow_privilege_escalation]`
`protoPayload.request.spec.containers.securityContext.readOnlyRootFilesystem`	`target.resource.attribute.labels[req_spec_container_security_context_read_only_root_filesystem]`
`protoPayload.request.spec.containers.securityContext.capabilities.drop`	`target.resource.attribute.labels[req_spec_container_security_context_capabilities_drop]`
`protoPayload.request.spec.containers.volumeMounts.mountPath`	`target.resource.attribute.labels[req_spec_container_volume_mount_path]`
`protoPayload.request.spec.containers.volumeMounts.name`	`target.resource.attribute.labels[req_spec_container_volume_mount_name]`
`protoPayload.request.spec.containers.volumeMounts.readOnly`	`target.resource.attribute.labels[req_spec_container_volume_mount_read_only]`
`protoPayload.request.metadata.annotations.deprecated.daemonset.template.generation`	`target.resource.attribute.labels[req_metadata_annotations_deprecated_daemonset_template_generation]`
`protoPayload.request.metadata.labels.app`	`target.resource.attribute.labels[req_metadata_app]`
`protoPayload.request.metadata.labels.type`	`target.resource.attribute.labels[req_metadata_labels_type]`
`protoPayload.request.spec.serviceAccount`	`target.resource.attribute.labels[req_spec_service_account]`
`protoPayload.request.spec.serviceAccountName`	`target.resource.attribute.labels[req_spec_serivce_account_name]`
`protoPayload.request.spec.hostIPC`	`target.resource.attribute.labels[req_spec_host_ipc]`
`protoPayload.request.spec.hostNetwork`	`target.resource.attribute.labels[req_spec_host_network]`
`protoPayload.request.spec.hostPID`	`target.resource.attribute.labels[req_spec_host_pid]`
`protoPayload.request.spec.nodeName`	`target.resource.attribute.labels[req_spec_node_name]`
`protoPayload.request.spec.securityContext.privileged`	`target.resource.attribute.labels[req_spec_security_context_privileged]`
`protoPayload.request.spec.securityContext.allowPrivilegeEscalation`	`target.resource.attribute.labels[req_spec_security_context_allow_privilege_escalation]`
`protoPayload.request.spec.securityContext.readOnlyRootFilesystem`	`target.resource.attribute.labels[req_spec_security_context_read_only_root_filesystem]`
`protoPayload.request.spec.securityContext.capabilities.drop`	`target.resource.attribute.labels[req_spec_security_context_capabilities_drop]`
`protoPayload.request.spec.volumes.hostPath.path`	`target.resource.attribute.labels[req_spec_volume_host_path]`
`protoPayload.request.spec.volumes.hostPath.type`	`target.resource.attribute.labels[req_spec_volume_host_path_type]`
`protoPayload.request.spec.volumes.name`	`target.resource.attribute.labels[req_spec_volume_name]`
`protoPayload.request.spec.revisionHistoryLimit`	`target.resource.attribute.labels[req_spec_revision_history_limit]`
`protoPayload.request.spec.selector.matchLabels.app`	`target.resource.attribute.labels[req_spec_selector_match_label_app]`
`protoPayload.request.spec.selector.matchLabels.type`	`target.resource.attribute.labels[req_spec_selector_match_label_type]`
`protoPayload.request.spec.template.metadata.labels.type`	`target.resource.attribute.labels[req_spec_template_metadata_labels_type]`
`protoPayload.request.spec.template.spec.containers.args`	`target.resource.attribute.labels[req_spec_template_spec_container_arg]`
`protoPayload.request.spec.template.spec.hostIPC`	`target.resource.attribute.labels[req_spec_template_spec_host_ipc]`
`protoPayload.request.spec.template.spec.hostNetwork`	`target.resource.attribute.labels[req_spec_template_spec_host_network]`
`protoPayload.request.spec.updateStrategy.rollingUpdate.maxSurge`	`target.resource.attribute.labels[req_spec_update_strategy_rolling_update_max_surge]`
`protoPayload.request.spec.updateStrategy.rollingUpdate.maxUnavailable`	`target.resource.attribute.labels[req_spec_update_strategy_rolling_update_max_unavailable]`
`protoPayload.request.spec.updateStrategy.type`	`target.resource.attribute.labels[req_spec_update_strategy_type]`
`protoPayload.request.status.currentNumberScheduled`	`target.resource.attribute.labels[req_status_current_number_scheduled]`
`protoPayload.request.status.desiredNumberScheduled`	`target.resource.attribute.labels[req_status_desired_number_scheduled]`
`protoPayload.request.status.numberMisscheduled`	`target.resource.attribute.labels[req_status_number_miss_scheduled]`
`protoPayload.request.status.numberReady`	`target.resource.attribute.labels[req_status_number_ready]`
`protoPayload.response.@type`	`target.resource.attribute.labels[res_type]`
`protoPayload.response.apiVersion`	`target.resource.attribute.labels[res_api_version]`
`protoPayload.response.metadata.annotations.deprecated.daemonset.template.generation`	`target.resource.attribute.labels[res_metadata_annotations_deprecated_daemonset_template_generation]`
`protoPayload.response.metadata.generation`	`target.resource.attribute.labels[res_metadata_generation]`
`protoPayload.response.metadata.labels.type`	`target.resource.attribute.labels[res_metadata_labels_type]`
`protoPayload.response.metadata.labels.app`	`target.resource.attribute.labels[res_metadata_label_app]`
`protoPayload.response.metadata.creationTimestamp`	`target.resource.attribute.labels[res_metadata_creation_time]`
`protoPayload.response.metadata.name`	`target.resource.attribute.labels[res_metadata_name]`
`protoPayload.response.metadata.namespace`	`target.resource.attribute.labels[res_metadata_namespace]`
`protoPayload.response.metadata.resourceVersion`	`target.resource.attribute.labels[res_metadata_resource_version]`
`protoPayload.response.metadata.uid`	`target.resource.attribute.labels[res_metadata_uid]`
`protoPayload.response.spec.revisionHistoryLimit`	`target.resource.attribute.labels[res_spec_revision_history_limit]`
`protoPayload.response.spec.selector.matchLabels.app`	`target.resource.attribute.labels[res_spec_selector_match_label_app]`
`protoPayload.response.spec.selector.matchLabels.type`	`target.resource.attribute.labels[res_spec_selector_match_label_type]`
`protoPayload.response.spec.template.metadata.creationTimestamp`	`target.resource.attribute.labels[res_spec_template_metadata_creation_time]`
`protoPayload.response.spec.template.metadata.labels.app`	`target.resource.attribute.labels[res_spec_template_metadata_app]`
`protoPayload.response.spec.template.metadata.labels.type`	`target.resource.attribute.labels[res_spec_template_metadata_type]`
`protoPayload.response.spec.template.spec.containers.args`	`target.resource_ancestors.attribute.labels[res_spec_template_spec_container_arg]`
`protoPayload.response.spec.template.spec.containers.command`	`target.resource_ancestors.attribute.labels[res_spec_template_spec_container_command]`
`protoPayload.response.spec.template.spec.containers.image`	`target.resource_ancestors.attribute.labels[res_spec_template_spec_container_image]`
`protoPayload.response.spec.template.spec.containers.imagePullPolicy`	`target.resource_ancestors.attribute.labels[res_spec_template_spec_container_image_pull_policy]`
`protoPayload.response.spec.template.spec.containers.name`	`target.resource_ancestors.name`
`protoPayload.response.spec.template.spec.containers.resources.limits.cpu`	`target.resource_ancestors.attribute.labels[res_spec_template_spec_container_resource_limits_cpu]`
`protoPayload.response.spec.template.spec.containers.resources.limits.memory`	`target.resource_ancestors.attribute.labels[res_spec_template_spec_container_resource_limits_memory]`
`protoPayload.response.spec.template.spec.containers.resources.requests.cpu`	`target.resource_ancestors.attribute.labels[res_spec_template_spec_container_resource_request_cpu]`
`protoPayload.response.spec.template.spec.containers.resources.requests.memory`	`target.resource_ancestors.attribute.labels[res_spec_template_spec_container_resource_request_memory]`
`protoPayload.response.spec.template.spec.containers.securityContext.privileged`	`target.resource_ancestors.attribute.labels[res_spec_template_spec_container_security_context_privileged]`
`protoPayload.response.spec.template.spec.containers.securityContext.allowPrivilegeEscalation`	`target.resource_ancestors.attribute.labels[res_spec_template_spec_container_security_context_allow_privilege_escalation]`
`protoPayload.response.spec.template.spec.containers.securityContext.readOnlyRootFilesystem`	`target.resource_ancestors.attribute.labels[res_spec_template_spec_container_security_context_read_only_root_filesystem]`
`protoPayload.response.spec.template.spec.containers.securityContext.capabilities.drop`	`target.resource_ancestors.attribute.labels[res_spec_template_spec_container_security_context_capabilities_drop]`
`protoPayload.response.spec.template.spec.containers.terminationMessagePath`	`target.resource_ancestors.attribute.labels[res_spec_template_spec_container_termination_message_path]`
`protoPayload.response.spec.template.spec.containers.terminationMessagePolicy`	`target.resource_ancestors.attribute.labels[res_spec_template_spec_container_termination_message_policy]`
`protoPayload.response.spec.template.spec.containers.volumeMounts.mountPath`	`target.resource_ancestors.attribute.labels[res_spec_template_spec_container_volume_mounts_mount_path]`
`protoPayload.response.spec.template.spec.containers.volumeMounts.name`	`target.resource_ancestors.attribute.labels[res_spec_template_spec_container_volume_mounts_name]`
`protoPayload.response.spec.template.spec.containers.volumeMounts.readOnly`	`target.resource_ancestors.attribute.labels[res_spec_template_spec_container_volume_mounts_read_only]`
`protoPayload.response.spec.template.spec.dnsPolicy`	`target.resource.attribute.labels[res_spec_template_spec_dns_policy]`
`protoPayload.response.spec.template.spec.hostIPC`	`target.resource.attribute.labels[res_spec_template_spec_host_pid]`
`protoPayload.response.spec.template.spec.hostNetwork`	`target.resource.attribute.labels[res_spec_template_spec_host_network]`
`protoPayload.response.spec.template.spec.hostPID`	`target.resource.attribute.labels[res_spec_template_spec_host_ipc]`
`protoPayload.response.spec.template.spec.nodeName`	`target.resource.attribute.labels[res_spec_template_spec_node_name]`
`protoPayload.response.spec.template.spec.restartPolicy`	`target.resource.attribute.labels[res_spec_template_spec_restart_policy]`
`protoPayload.response.spec.template.spec.schedulerName`	`target.resource.attribute.labels[res_spec_template_spec_scheduler_name]`
`protoPayload.response.spec.template.spec.securityContext.runAsGroup`	`target.resource.attribute.labels[res_spec_template_spec_security_context_run_as_group]`
`protoPayload.response.spec.template.spec.securityContext.runAsUser`	`target.resource.attribute.labels[res_spec_template_spec_security_context_run_as_user]`
`protoPayload.response.spec.template.spec.securityContext.seccompProfile.type`	`target.resource.attribute.labels[res_spec_template_spec_security_context_seccomp_profile_type]`
`protoPayload.response.spec.template.spec.terminationGracePeriodSeconds`	`target.resource.attribute.labels[res_spec_template_spec_termination_grace_period_seconds]`
`protoPayload.response.spec.template.spec.volumes.hostPath.path`	`target.resource.attribute.labels[res_spec_template_spec_volumes_host_path]`
`protoPayload.response.spec.template.spec.volumes.hostPath.type`	`target.resource.attribute.labels[res_spec_template_spec_volumes_host_path_type]`
`protoPayload.response.spec.template.spec.volumes.name`	`target.resource.attribute.labels[res_spec_template_spec_volumes_name]`
`protoPayload.response.spec.updateStrategy.rollingUpdate.maxSurge`	`target.resource.attribute.labels[res_spec_update_strategy_rolling_update_max_surge]`
`protoPayload.response.spec.updateStrategy.rollingUpdate.maxUnavailable`	`target.resource.attribute.labels[res_spec_update_strategy_rolling_update_max_unavailable]`
`protoPayload.response.spec.updateStrategy.type`	`target.resource.attribute.labels[res_spec_update_strategy_type]`
`protoPayload.response.spec.containers.args`	`target.resource_ancestors.attribute.labels[res_spec_container_arg]`
`protoPayload.response.spec.containers.command`	`target.resource_ancestors.attribute.labels[res_spec_container_command]`
`protoPayload.response.spec.containers.image`	`target.resource_ancestors.attribute.labels[res_spec_container_image]`
`protoPayload.response.spec.containers.imagePullPolicy`	`target.resource_ancestors.attribute.labels[res_spec_container_image_pull_policy]`
`protoPayload.response.spec.containers.name`	`target.resource_ancestors.name`
`protoPayload.response.spec.containers.securityContext.privileged`	`target.resource_ancestors.attribute.labels[res_spec_container_security_context_privileged]`
`protoPayload.response.spec.containers.securityContext.allowPrivilegeEscalation`	`target.resource_ancestors.attribute.labels[res_spec_container_security_context_allow_privilege_escalation]`
`protoPayload.response.spec.containers.securityContext.readOnlyRootFilesystem`	`target.resource_ancestors.attribute.labels[res_spec_container_security_context_read_only_root_filesystem]`
`protoPayload.response.spec.containers.securityContext.capabilities.drop`	`target.resource_ancestors.attribute.labels[res_spec_container_security_context_capabilities_drop]`
`protoPayload.response.spec.containers.terminationMessagePath`	`target.resource_ancestors.attribute.labels[res_spec_container_termination_message_path]`
`protoPayload.response.spec.containers.terminationMessagePolicy`	`target.resource_ancestors.attribute.labels[res_spec_container_termination_message_policy]`
`protoPayload.response.spec.containers.volumeMounts.mountPath`	`target.resource_ancestors.attribute.labels[res_spec_container_volume_mount_path]`
`protoPayload.response.spec.containers.volumeMounts.name`	`target.resource_ancestors.attribute.labels[res_spec_container_volume_mount_name]`
`protoPayload.response.spec.containers.volumeMounts.readOnly`	`target.resource_ancestors.attribute.labels[res_spec_container_volume_mount_read_only]`
`protoPayload.response.spec.dnsPolicy`	`target.resource.attribute.labels[res_spec_dns_policy]`
`protoPayload.response.spec.enableServiceLinks`	`target.resource.attribute.labels[res_spec_enable_service_links]`
`protoPayload.response.spec.hostIPC`	`target.resource.attribute.labels[res_spec_host_ipc]`
`protoPayload.response.spec.hostNetwork`	`target.resource.attribute.labels[res_spec_host_network]`
`protoPayload.response.spec.hostPID`	`target.resource.attribute.labels[res_spec_host_pid]`
`protoPayload.response.spec.nodeName`	`target.resource.attribute.labels[res_spec_node_name]`
`protoPayload.response.spec.preemptionPolicy`	`target.resource.attribute.labels[res_spec_preemption_policy]`
`protoPayload.response.spec.priority`	`target.resource.attribute.labels[res_spec_priority]`
`protoPayload.response.spec.restartPolicy`	`target.resource.attribute.labels[res_spec_restart_policy]`
`protoPayload.response.spec.schedulerName`	`target.resource.attribute.labels[res_spec_scheduler_name]`
`protoPayload.response.spec.serviceAccount`	`target.resource.attribute.labels[res_spec_service_account]`
`protoPayload.response.spec.serviceAccountName`	`target.resource.attribute.labels[res_spec_serivce_account_name]`
`protoPayload.response.spec.terminationGracePeriodSeconds`	`target.resource.attribute.labels[res_spec_termination_grace_period_seconds]`
`protoPayload.response.spec.tolerations.effect`	`target.resource.attribute.labels[res_spec_toleration_effect]`
`protoPayload.response.spec.tolerations.key`	`target.resource.attribute.labels[res_spec_toleration_key]`
`protoPayload.response.spec.tolerations.operator`	`target.resource.attribute.labels[res_spec_toleration_operator]`
`protoPayload.response.spec.tolerations.tolerationSeconds`	`target.resource.attribute.labels[res_spec_toleration_second]`
`protoPayload.response.spec.volumes.hostPath.path`	`target.resource.attribute.labels[res_spec_volume_host_path]`
`protoPayload.response.spec.volumes.hostPath.type`	`target.resource.attribute.labels[res_spec_volume_host_path_type]`
`protoPayload.response.spec.volumes.name`	`target.resource.attribute.labels[res_spec_volume_name]`
`protoPayload.response.spec.volumes.projected.defaultMode`	`target.resource.attribute.labels[res_spec_volume_projected_default_mode]`
`protoPayload.response.spec.volumes.projected.sources.serviceAccountToken.expirationSeconds`	`target.resource.attribute.labels[res_spec_volume_projected_src_service_acc_token_ecpiration_sec]`
`protoPayload.response.spec.volumes.projected.sources.serviceAccountToken.path`	`target.resource.attribute.labels[res_spec_volume_projected_src_service_acc_token_path]`
`protoPayload.response.spec.volumes.projected.sources.configMap.items.key`	`target.resource.attribute.labels[res_spec_volume_projected_src_config_map_item_key]`
`protoPayload.response.spec.volumes.projected.sources.configMap.items.path`	`target.resource.attribute.labels[res_spec_volume_projected_src_config_map_item_path]`
`protoPayload.response.spec.volumes.projected.sources.configMap.name`	`target.resource.attribute.labels[res_spec_volume_projected_src_config_map_name]`
`protoPayload.response.spec.volumes.projected.sources.downwardAPI.items.fieldRef.apiVersion`	`target.resource.attribute.labels[res_spec_volume_projected_src_downward_api_item_field_ref_api_version]`
`protoPayload.response.spec.volumes.projected.sources.downwardAPI.items.fieldRef.fieldPath`	`target.resource.attribute.labels[res_spec_volume_projected_src_downward_api_item_field_ref_field_path]`
`protoPayload.response.spec.volumes.projected.sources.downwardAPI.items.path`	`target.resource.attribute.labels[res_spec_volume_projected_src_downward_api_item_path]`
`protoPayload.response.status.phase`	`target.resource.attribute.labels[res_status_phase]`
`protoPayload.response.status.qosClass`	`target.resource.attribute.labels[res_status_qos_class]`
`protoPayload.response.status.currentNumberScheduled`	`target.resource.attribute.labels[res_status_current_number_scheduled]`
`protoPayload.response.status.desiredNumberScheduled`	`target.resource.attribute.labels[res_status_desired_number_scheduled]`
`protoPayload.response.status.numberMisscheduled`	`target.resource.attribute.labels[res_status_number_miss_scheduled]`
`protoPayload.response.status.numberReady`	`target.resource.attribute.labels[res_status_number_ready]`
`protoPayload.serviceData.jobCompletedEvent.job.jobConfiguration.labels.requestor`	`target.resource.attribute.labels[ser_jobconf_requestor]`
`protoPayload.serviceData.jobCompletedEvent.job.jobConfiguration.labels.looker_studio_datasource_id`	`target.resource.attribute.labels[ser_jobconf_looker_studio_datasource_id]`
`protoPayload.serviceData.jobCompletedEvent.job.jobConfiguration.labels.looker_studio_report_id`	`target.resource.attribute.labels[ser_jobconf_looker_studio_report_id]`
`labels.authorization.k8s.io/decision`	`security_result.action`	Wenn der Wert des `labels.authorization.k8s.io/decision`-Logfelds `allow` entspricht, wird das UDM-Feld `security_result.action` auf `ALLOW` gesetzt. Andernfalls, wenn der Wert des `labels.authorization.k8s.io/decision`-Logfelds `block` entspricht, wird das UDM-Feld `security_result.action` auf `BLOCK` gesetzt.
`labels.pod-security.kubernetes.io/enforce-policy`	`security_result.detection_fields[pod_security_kubernetes_io_enforce_policy]`
`labels.authorization.k8s.io/reason`	`security_result.action_details`
`protoPayload.request.roleRef.apiGroup`	`target.user.attribute.labels[req_role_ref_api_group]`
`protoPayload.request.roleRef.kind`	`target.user.attribute.labels[req_role_ref_kind]`
`protoPayload.request.roleRef.name`	`target.user.attribute.roles.name`
`protoPayload.request.subjects.apiGroup`	`target.user.attribute.labels[req_subject_api_group]`
`protoPayload.request.subjects.kind`	`target.user.attribute.labels[req_subject_kind]`
`protoPayload.request.rules.apiGroups`	`security_result.rule_labels[req_rule_api_group]`
`protoPayload.request.rules.resources`	`security_result.rule_labels[req_rule_resource]`
`protoPayload.request.rules.verbs`	`security_result.rule_labels[req_rule_verb]`
`protoPayload.request.rules.resourceNames`	`security_result.rule_labels[req_rule_resource_name]`
`protoPayload.response.metadata.managedFields.apiVersion`	`target.resource.attribute.labels[res_managed_field_api_version]`
`protoPayload.response.metadata.managedFields.fieldsType`	`target.resource.attribute.labels[res_managed_field_type]`
`protoPayload.response.metadata.managedFields.manager`	`target.resource.attribute.labels[res_managed_field_manager]`
`protoPayload.response.metadata.managedFields.operation`	`target.resource.attribute.labels[res_managed_field_operation]`
`protoPayload.response.metadata.managedFields.time`	`target.resource.attribute.labels[res_managed_field_time]`
`protoPayload.request.spec.containers.securityContext.capabilities.add`	`target.resource_ancestors.attribute.labels[req_spec_container_security_context_capabilities_add]`
`protoPayload.request.spec.containers.securityContext.seccompProfile.type`	`target.resource_ancestors.attribute.labels[req_spec_container_security_context_seccomp_profile_type]`
`protoPayload.request.spec.shareProcessNamespace`	`target.resource.attribute.labels[req_spec_share_process_namespace]`
`protoPayload.response.spec.containers.securityContext.capabilities.add`	`target.resource_ancestors.attribute.labels[res_spec_container_security_context_capabilities_add]`
`protoPayload.response.spec.containers.securityContext.seccompProfile.type`	`target.resource_ancestors.attribute.labels[res_spec_container_security_context_seccomp_profile_type]`
`protoPayload.response.spec.shareProcessNamespace`	`target.resource.attribute.labels[res_spec_share_process_namespace]`
`protoPayload.metadata.membershipDelta.member`	`target.resource.attribute.labels[membership_delta_member]`
`protoPayload.metadata.membershipDelta.roleDeltas.action`	`target.resource.attribute.labels[membership_role_deltas_action]`
`protoPayload.metadata.membershipDelta.roleDeltas.role`	`target.resource.attribute.labels[membership_role_deltas_role]`
`protoPayload.request.spec.resourceAttributes.namespace`	`target.resource.attribute.labels[req_spec_resource_attribute_namespace]`
`protoPayload.request.spec.resourceAttributes.resource`	`target.resource.attribute.labels[req_spec_resource_attribute_resource]`
`protoPayload.request.spec.resourceAttributes.verb`	`target.resource.attribute.labels[req_spec_resource_attribute_verb]`
`protoPayload.request.status.allowed`	`target.resource.attribute.labels[req_status_allowed]`
`protoPayload.response.spec.resourceAttributes.namespace`	`target.resource.attribute.labels[res_spec_resource_attribute_namespace]`
`protoPayload.response.spec.resourceAttributes.resource`	`target.resource.attribute.labels[res_spec_resource_attribute_resource]`
`protoPayload.response.spec.resourceAttributes.verb`	`target.resource.attribute.labels[res_spec_resource_attribute_verb]`
`protoPayload.response.status.allowed`	`target.resource.attribute.labels[res_status_allowed]`
`protoPayload.request.objects.db`	`additional.fields[database_name]`
`jsonPayload.accesses.methodName`	`additional.fields[methodName]`
`protoPayload.request.objects.name`	`additional.fields[objects_name]`
`protoPayload.metadata.event.eventName.parameter.name[API_CLIENT_NAME]`	`additional.fields[api_client_name]`
`protoPayload.metadata.event.eventName.parameter.name[API_SCOPES]`	`additional.fields[api_scopes]`
`protoPayload.metadata.event.eventName.parameter.name[BEGIN_DATE_TIME]`	`additional.fields[begin_date_time]`
`protoPayload.metadata.event.eventName.parameter.name[BULK_UPLOAD_FAIL_USERS_NUMBER]`	`additional.fields[bulk_upload_fail_users_number]`
`protoPayload.metadata.event.eventName.parameter.name[BULK_UPLOAD_TOTAL_USERS_NUMBER]`	`additional.fields[bulk_upload_total_users_number]`
`protoPayload.metadata.event.eventName.parameter.name[CAA_ASSIGNMENTS_NEW]`	`additional.fields[caa_assignments_new]`
`protoPayload.metadata.event.eventName.parameter.name[CAA_ASSIGNMENTS_OLD]`	`additional.fields[caa_assignments_old]`
`protoPayload.metadata.event.eventName.parameter.name[CAA_ENFORCEMENT_ENDPOINTS_NEW]`	`additional.fields[caa_enforcement_endpoints_new]`
`protoPayload.metadata.event.eventName.parameter.name[CAA_ENFORCEMENT_ENDPOINTS_OLD]`	`additional.fields[caa_enforcement_endpoints_old]`
`protoPayload.requestMetadata.requestAttributes.size`	`additional.fields[caller_network_request_size]`
`protoPayload.requestMetadata.requestAttributes.time`	`additional.fields[caller_network_request_time]`
`protoPayload.requestMetadata.callerNetwork`	`additional.fields[caller_network]`
`protoPayload.requestMetadata.requestAttributes.size`	`additional.fields[caller_network_request_size]`
`protoPayload.requestMetadata.requestAttributes.time`	`additional.fields[request_attributes_time]`
`protoPayload.requestMetadata.callerNetwork`	`additional.fields[caller_network]`
`protoPayload.metadata.event.eventName.parameter.name[CHROME_LICENSES_ENABLED]`	`additional.fields[chrome_licenses_enabled]`
`protoPayload.metadata.event.eventName.parameter.name[END_DATE_TIME]`	`additional.fields[end_date_time]`
`protoPayload.metadata.event.eventName.parameter.name[END_DATE]`	`additional.fields[end_date]`
`protoType.metadata.event.eventName`	`additional.fields[event_name]`
`protoPayload.metadata.event.parameter.label`	`additional.fields[event_param_label]`
`protoPayload.metadata.event.parameter.type`	`additional.fields[event_param_type]`
`protoType.metadata.event.eventType`	`additional.fields[event_type]`
`protoPayload.metadata.event.eventName.parameter.name[FIELD_NAME]`	`additional.fields[field_name]`
`protoPayload.metadata.event.eventName.parameter.name[FULL_ORG_UNIT_PATH]`	`additional.fields[full_org_unit_path]`
`protoPayload.metadata.event.eventName.parameter.name[GROUP_MEMBER_BULK_UPLOAD_FAILED_NUMBER]`	`additional.fields[grp_member_bulk_upload_failed]`
`protoPayload.metadata.event.eventName.parameter.name[GROUP_MEMBER_BULK_UPLOAD_TOTAL_NUMBER]`	`additional.fields[grp_member_bulk_upload_total]`
`httpRequest.cacheFillBytes`	`additional.fields[httpreq_cache_fill_bytes]`
`httpRequest.cacheHit`	`additional.fields[httpreq_cache_hit]`
`httpRequest.cacheLookup`	`additional.fields[httpreq_cache_lookup]`
`httpRequest.cacheValidatedWithOriginServer`	`additional.fields[httpreq_cache_validated_with_origin_server]`
`httpRequest.latency`	`additional.fields[httprequest_latency]`
`protoPayload.metadata.event.eventName.parameter.name[INFO_TYPE]`	`additional.fields[info_type]`
`protoPayload.metadata.activityId.timeUsec`	`additional.fields[metadata_activityId_time_usec]`
`protoPayload.metadata.activityId.uniqQualifier`	`additional.fields[metadata_activityId_uniq_qualifier]`
`protoPayload.metadata.@type`	`additional.fields[metadata_type]`
`protoPayload.metadata.event.eventName.parameter.name[NEW_PERMISSION_GRANT_STATE]`	`additional.fields[new_permission_grant_state]`
`protoPayload.metadata.event.eventName.parameter.name[NUMBER_OF_COMPANY_OWNED_DEVICES]`	`additional.fields[num_of_company_owned_device]`
`protoPayload.numResponseItems`	`additional.fields[num_response_items]`
`protoPayload.metadata.event.eventName.parameter.name[OLD_PERMISSION_GRANT_STATE]`	`additional.fields[old_permission_grant_state]`
`operation.first`	`additional.fields[operation_first]`
`operation.id`	`additional.fields[operation_id]`
`operation.last`	`additional.fields[operation_last]`
`operation.producer`	`additional.fields[operation_producer]`
`protoPayload.resourceOriginalState.selfLinkWithId`	`additional.fields[rc_old_selflinkWithId]`
`protoPayload.metadata.event.eventName.parameter.name[REAUTH_SETTING_NEW]`	`additional.fields[reauth_setting_new]`
`protoPayload.metadata.event.eventName.parameter.name[REAUTH_SETTING_OLD]`	`additional.fields[reauth_setting_old]`
`protoPayload.request.alloweds.ports`	`additional.fields[req_alloweds_ports]`
`protoPayload.request.body.name`	`additional.fields[req_body_name]`
`protoPayload.request.body.settings.activityPolicy`	`additional.fields[req_body_settings_activity_policy]`
`protoPayload.request.deletionProtection`	`additional.fields[req_deletion_protection]`
`protoPayload.request.disabled`	`additional.fields[req_disabled]`
`protoPayload.request.displayDevice.enableDisplay`	`additional.fields[req_display_device_enable_display]`
`protoPayload.request.enableFlowLogs`	`additional.fields[req_enable_flow_logs]`
`protoPayload.request.fingerprint`	`additional.fields[req_fingerprint]`
`protoPayload.request.shieldedInstanceConfig.enableSecureBoot`	`additional.fields[req_instance_config_enable_secure_boot]`
`protoPayload.request.shieldedInstanceConfig.enableVtpm`	`additional.fields[req_instance_config_enable_vtpm]`
`protoPayload.request.shieldedInstanceConfig.enableIntegrityMonitoring`	`additional.fields[req_instance_enable_integrity_monitoring]`
`protoPayload.request.key_types`	`additional.fields[req_key_types]`
`protoPayload.request.logconfig.enable`	`additional.fields[req_logconfig_enable]`
`protoPayload.request.networkTier`	`additional.fields[req_network_tier]`
`protoPayload.request.network`	`additional.fields[req_network]`
`protoPayload.request.page_size`	`additional.fields[req_page_size]`
`request.pagesize`	`additional.fields[req_page_size]`
`protoPayload.request.policy.etag`	`additional.fields[req_policy_etag]`
`protoPayload.request.portRange`	`additional.fields[req_port_range]`
`protoPayload.request.privateIpGoogleAccess`	`additional.fields[req_private_ip_google_access]`
`protoPayload.request.private_key_type`	`additional.fields[req_private_key_type]`
`protoPayload.request.remove_deleted_service_accounts`	`additional.fields[req_remove_deleted_serviceAcc]`
`protoPayload.request.showDeleted`	`additional.fields[req_show_deleted]`
`protoPayload.request.skip_visibility_check`	`additional.fields[req_skip_visibility_check]`
`protoPayload.request.stackType`	`additional.fields[req_stack_type]`
`protoPayload.request.type`	`additional.fields[req_type]`
`protoPayload.request.updateMask`	`additional.fields[req_update_mask]`
`protoPayload.request.version`	`additional.fields[req_version]`
`protoPayload.response.clientOperationId`	`additional.fields[res_client_operation_id]`
`protoPayload.response.endTime`	`additional.fields[res_end_time]`
`protoPayload.response.id`	`additional.fields[res_id]`
`protoPayload.response.key_algorithm`	`additional.fields[res_key_algorithm]`
`protoPayload.response.key_origin`	`additional.fields[res_key_origin]`
`protoPayload.response.key_type`	`additional.fields[res_key_type]`
`protoPayload.response.kind`	`additional.fields[res_kind]`
`protoPayload.response.private_key_type`	`additional.fields[res_private_key_type]`
`protoPayload.response.progress`	`additional.fields[res_progress]`
`protoPayload.response.startTime`	`additional.fields[res_start_time]`
`protoPayload.response.status`	`security_result.action`	`security_result.action` wird auf `FAIL` gesetzt, wenn die folgenden Bedingungen erfüllt sind: Der Wert im `protoPayload.response.status`-Logfeld ist `Failure`. Der Wert im UDM-Feld `security_result.action` ist gleich `ALLOW`.
`protoPayload.response.status`	`additional.fields[res_status]`
`protoPayload.response.type`	`additional.fields[res_type]`
`protoPayload.response.unique_id`	`additional.fields[res_unique_id]`
`protoPayload.response.valid_after_time.seconds`	`additional.fields[res_valid_after_time]`
`protoPayload.response.valid_before_time.seconds`	`additional.fields[res_valid_before_time]`
`protoPayload.response.version`	`additional.fields[res_version]`
`protoPayload.response.zone`	`additional.fields[res_zone]`
`protoPayload.metadata.event.eventName.parameter.name[SEARCH_QUERY_FOR_DUMP]`	`additional.fields[search_query_for_dump]`
`spanId`	`additional.fields[span_id]`
`protoPayload.metadata.event.eventName.parameter.name[START_DATE]`	`additional.fields[start_date]`
`traceSampled`	`additional.fields[trace_sampled]`
`Trace`	`additional.fields[trace]`
`protoPayload.@type`	`additional.fields[type]`
`protoPayload.redactions.reason`	`additional.fields[protoPayload.redactions.field]`
`protoPayload.redactions.type`	`additional.fields[protoPayload.redactions.field]`
`authenticationInfo.serviceAccountDelegationInfo.firstPartyPrincipal.serviceMetadata`	`additional.fields[service_metadata]`
`jsonPayload.sourceNetwork`	`additional.fields[source_network]`
`authenticationInfo.serviceAccountDelegationInfo.thirdPartyPrincipal.thirdPartyClaims`	`additional.fields[third_party_claims]`
`protoPayload.requestMetadata.requestAttributes.time`	`additional.fields[caller_network_request_time]`
`protoPayload.request.ipCidrRange`	`additional.fields[req_ip_cidr_range]`
`protoPayload.request.description`	`additional.labels[req_description]`
`protoPayload.request.sourceRanges`	`additional.fields[req_source_ranges]`
`protoPayload.requestMetadata.requestAttributes.reason`	`additional.fields[request_attributes_reason]`
`protoPayload.authenticationInfo.thirdPartyPrincipal`	`additional.fields[third_party_principal]`
`sourceLocation.function`	`additional.fields[src_location_function]`
`sourceLocation.line`	`additional.fields[src_location_line]`
`resource.labels.backend_service_name`	`additional.fields[backend_service_name]`
`protoPayload.requestMetadata.requestAttributes.auth.claims`	`additional.fields[request_auth_claims]`
`protoPayload.metadata.event.eventName.parameter.name[APPLICATION_EDITION]`	`additional.fields[application_edition]`
`protoPayload.metadata.event.eventName.parameter.name[ASP_ID]`	`additional.fields[asp_id]`
`protoPayload.metadata.event.eventName.parameter.name[CHROME_OS_SESSION_TYPE]`	`additional.fields[chrome_os_session_type]`
`protoPayload.metadata.event.eventName.parameter.name[DEVICE_NEW_ORG_UNIT]`	`additional.fields[device_new_org_unit]`
`protoPayload.metadata.event.eventName.parameter.name[DEVICE_PREVIOUS_ORG_UNIT]`	`additional.fields[device_previous_org_unit]`
`protoPayload.metadata.event.eventName.parameter.name[DOMAIN_ALIAS]`	`additional.fields[domain_alias]`
`protoPayload.metadata.event.eventName.parameter.name[EMAIL_EXPORT_INCLUDE_DELETED]`	`additional.fields[email_export_include_deleted]`
`protoPayload.metadata.event.eventName.parameter.name[EMAIL_EXPORT_PACKAGE_CONTENT]`	`additional.fields[email_export_package_content]`
`protoPayload.metadata.event.eventName.parameter.name[EMAIL_LOG_SEARCH_END_DATE]`	`additional.fields[email_log_search_end_date]`
`protoPayload.metadata.event.eventName.parameter.name[EMAIL_LOG_SEARCH_START_DATE]`	`additional.fields[email_log_search_start_date]`
`protoPayload.metadata.event.eventName.parameter.name[EMAIL_MONITOR_LEVEL_CHAT]`	`additional.fields[email_monitor_level_chat]`
`protoPayload.metadata.event.eventName.parameter.name[EMAIL_MONITOR_LEVEL_DRAFT_EMAIL]`	`additional.fields[email_monitor_level_draft_email]`
`protoPayload.metadata.event.eventName.parameter.name[EMAIL_MONITOR_LEVEL_INCOMING_EMAIL]`	`additional.fields[email_monitor_level_in_email]`
`protoPayload.metadata.event.eventName.parameter.name[EMAIL_MONITOR_LEVEL_OUTGOING_EMAIL]`	`additional.fields[email_monitor_level_out_email]`
`protoPayload.metadata.event.eventName.parameter.name[GMAIL_RESET_REASON]`	`additional.fields[email_reset_reason]`
`protoPayload.metadata.event.eventName.parameter.name[NEW_VALUE]`	`additional.fields[new_value]`
`protoPayload.metadata.event.eventName.parameter.name[OAUTH2_APP_TYPE]`	`additional.fields[oauth2_app_type]`
`protoPayload.metadata.event.eventName.parameter.name[OLD_VALUE]`	`additional.fields[old_value]`
`protoPayload.requestMetadata.destinationAttributes.principal`	`additional.fields[peer_principal]`
`protoPayload.requestMetadata.destinationAttributes.regionCode`	`additional.fields[peer_region_code]`
`protoPayload.request.loadBalancingScheme`	`additional.fields[req_load_balancing_scheme]`
`protoPayload.request.requestId`	`additional.fields[request_id]`
`protoPayload.metadata.event.eventName.parameter.name[REQUEST_ID]`	`additional.fields[request_id]`
`protoPayload.resourceOriginalState.description`	`additional.fields[res_originalState_description]`
`protoPayload.response.bindings.members`	`additional.fields[response_bindings_members]`
`protoPayload.response.description`	`additional.fields[response_description]`
`protoPayload.response.display_name`	`additional.fields[response_display_name]`
`protoPayload.metadata.event.eventName.parameter.name[SECONDARY_DOMAIN_NAME]`	`additional.fields[secondary_domain_name]`
`protoPayload.metadata.event.eventName.parameter.name[SETTING_NAME]`	`additional.fields[setting_name]`
`protoPayload.metadata.event.eventName.parameter.name[USER_CUSTOM_FIELD]`	`additional.fields[user_custom_field]`
`protoPayload.metadata.event.eventName.parameter.name[USER_DEFINED_SETTING_NAME]`	`additional.fields[user_defined_setting_name]`
`protoPayload.metadata.event.eventName.parameter.name[WEB_ORIGIN]`	`additional.fields[web_origin]`
`protoPayload.metadata.event.eventName.parameter.name[WHITELISTED_GROUPS]`	`additional.fields[whitelisted_groups]`
`jsonPayload.end_time`	`additional.fields[jsonPayload_end_time]`
`jsonPayload.reporter`	`additional.fields[jsonPayload_reporter]`
`jsonPayload.start_time`	`additional.fields[jsonPayload_start_time]`
`jsonPayload.src_instance.project_id`	`additional.fields[jsonPayload_src_instance_project_id]`
`jsonPayload.dest_instance.project_id`	`additional.fields[jsonPayload_dest_instance_project_id]`
`jsonPayload.src_location.asn`	`additional.fields[jsonPayload_src_location_asn]`
`jsonPayload.src_location.continent`	`additional.fields[jsonPayload_src_location_continent]`
`jsonPayload.dest_location.asn`	`additional.fields[jsonPayload_dest_location_asn]`
`jsonPayload.dest_location.continent`	`additional.fields[jsonPayload_dest_location_continent]`
`protoPayload.request.spec.expirationSeconds`	`target.resource.attribute.labels[req_spec_expiration_seconds]`
`protoPayload.request.spec.request`	`target.resource.attribute.labels[req_spec_request]`
`protoPayload.request.spec.signerName`	`target.resource.attribute.labels[req_spec_signer_name]`
`protoPayload.request.spec.usages`	`target.resource.attribute.labels[req_spec_usage]`
`protoPayload.response.spec.expirationSeconds`	`target.resource.attribute.labels[res_spec_expiration_seconds]`
`protoPayload.response.spec.extra.iam.gke.io/user-assertion`	`target.resource.attribute.labels[res_spec_extra_iam_gke_io/user_assertion]`
`protoPayload.response.spec.extra.user-assertion.cloud.google.com`	`target.resource.attribute.labels[res_spec_extra_user_assertion_cloud_google_com]`
`protoPayload.response.spec.groups`	`target.resource.attribute.labels[res_spec_group]`
`protoPayload.response.spec.request`	`target.resource.attribute.labels[res_spec_request]`
`protoPayload.response.spec.signerName`	`target.resource.attribute.labels[res_spec_signer_name]`
`protoPayload.response.spec.usages`	`target.resource.attribute.labels[res_spec_usage]`
`protoPayload.response.spec.username`	`target.resource.attribute.labels[res_spec_username]`
`protoPayload.request.cryptoKeyVersion.state`	`target.resource.attribute.labels[req_cryptokey_version_state]`
`protoPayload.serviceData.policyDelta.auditConfigDeltas.action`	`target.resource.attribute.labels[service_data_policy_delta_audit_config_delta_action]`
`protoPayload.serviceData.policyDelta.auditConfigDeltas.service`	`target.resource.attribute.labels[service_data_policy_delta_audit_config_delta_service]`
`protoPayload.serviceData.policyDelta.auditConfigDeltas.exemptedMember`	`target.resource.attribute.labels[service_data_policy_delta_audit_config_delta_exempted_member]`
`protoPayload.serviceData.policyDelta.auditConfigDeltas.logType`	`target.resource.attribute.labels[service_data_policy_delta_audit_config_delta_log_type]`
`protoPayload.request.policy.bindings.role`	`target.resource.attribute.labels[req_policy_bindings_role]`
`protoPayload.request.policy.bindings.members`	`target.resource.attribute.labels[req_bindings_members]`
`protoPayload.metadata.tableChange.bindingDeltas.action`	`target.resource.attribute.labels[table_change_binding_deltas_action]`
`protoPayload.metadata.tableChange.bindingDeltas.member`	`target.resource.attribute.labels[table_change_binding_deltas_member]`
`protoPayload.metadata.tableChange.bindingDeltas.role`	`target.resource.attribute.labels[table_change_binding_deltas_role]`
`protoPayload.metadata.datasetChange.bindingDeltas.action`	`target.resource.attribute.labels[dataset_change_binding_deltas_action]`
`protoPayload.metadata.datasetChange.bindingDeltas.member`	`target.resource.attribute.labels[dataset_change_binding_deltas_member]`
`protoPayload.metadata.datasetChange.bindingDeltas.role`	`target.resource.attribute.labels[dataset_change_binding_deltas_role]`
`protoPayload.metadata.tableChange.table.policy.etag`	`target.resource.attribute.labels[table_change_table_policy_etag]`
`protoPayload.metadata.tableChange.table.policy.bindings.role`	`target.resource.attribute.labels[table_change_table_policy_bindings_{index}_role]`
`protoPayload.metadata.tableChange.table.policy.bindings.members`	`target.resource.attribute.labels[table_change_table_policy_bindings_{index}_members_{index1}]`
`protoPayload.metadata.datasetChange.dataset.acl.policy.bindings.role`	`target.resource.attribute.labels[dataset_change_dataset_acl_policy_bindings_{index}_role]`
`protoPayload.metadata.datasetChange.dataset.acl.policy.bindings.members`	`target.resource.attribute.labels[dataset_change_dataset_acl_policy_bindings_{index}_members_{index1}]`
`protoPayload.request.bindings.role`	`target.resource.attribute.labels[request_bindings_{index}_role]`
`protoPayload.request.bindings.members`	`target.resource.attribute.labels[request_bindings_{index}_members_{index1}]`
`protoPayload.metadata.groupDelta.newGroup.description`	`target.group.attribute.labels[metadata_group_delta_new_group_description]`
`protoPayload.metadata.groupDelta.newGroup.email`	`target.group.email_addresses`
`protoPayload.metadata.groupDelta.newGroup.name`	`target.group.group_display_name`
`protoPayload.metadata.groupDelta.action`	`target.group.attribute.labels[metadata_group_delta_action]`
`protoPayload.response.spec.template.metadata.labels.client.knative.dev/nonce`	`target.resource.attribute.labels[res_spec_template_metadata_nonce]`
`protoPayload.response.spec.template.metadata.annotations.run.googleapis.com/client-name`	`target.resource.attribute.labels[res_spec_template_metadata_client_name]`
`protoPayload.response.spec.template.metadata.annotations.run.googleapis.com/client-version`	`target.resource.attribute.labels[res_spec_template_metadata_client_version]`
`protoPayload.response.spec.template.metadata.annotations.run.googleapis.com/execution-environment`	`target.resource.attribute.labels[res_spec_template_metadata_exection_environment]`
`protoPayload.response.spec.template.spec.taskCount`	`target.resource.attribute.labels[res_spec_template_spec_taskcount]`
`protoPayload.response.spec.template.spec.template.spec.containers.image`	`target.resource_ancestors.attribute.labels[res_spec_template_spec_template_spec_container_image]`
`protoPayload.response.spec.template.spec.template.spec.containers.resources.limits.memory`	`target.resource_ancestors.attribute.labels[res_spec_template_spec_template_spec_container_resource_limits_memory]`
`protoPayload.response.spec.template.spec.template.spec.containers.resources.limits.cpu`	`target.resource_ancestors.attribute.labels[res_spec_template_spec_template_spec_container_resource_limits_cpu]`
`protoPayload.response.spec.template.spec.template.spec.maxRetries`	`target.resource.attribute.labels[res_spec_template_spec_template_spec_max_retries]`
`protoPayload.response.spec.template.spec.template.spec.timeoutSeconds`	`target.resource.attribute.labels[res_spec_template_spec_template_spec_timeout_seconds]`
`protoPayload.response.spec.template.spec.template.spec.serviceAccountName`	`principal.user.email_addresses`
`protoPayload.request.service.metadata.annotations.run.googleapis.com/client-name`	`target.resource_ancestors.attribute.labels[req_service_metadata_client_name]`
`protoPayload.request.service.metadata.annotations.serving.knative.dev/creator`	`target.resource_ancestors.attribute.labels[req_service_metadata_creator]`
`protoPayload.request.service.metadata.annotations.run.googleapis.com/client-version`	`target.resource_ancestors.attribute.labels[req_service_metadata_client_version]`
`protoPayload.request.service.metadata.annotations.run.googleapis.com/operation-id`	`target.resource_ancestors.attribute.labels[req_service_metadata_client_operation_id]`
`protoPayload.request.service.metadata.annotations.run.googleapis.com/binary-authorization`	`target.resource_ancestors.attribute.labels[req_service_metadata_binary_authorization]`
`protoPayload.request.service.metadata.annotations.run.googleapis.com/ingress-status`	`target.resource_ancestors.attribute.labels[req_service_metadata_client_ingress_status]`
`protoPayload.request.service.metadata.annotations.serving.knative.dev/lastModifier`	`target.resource_ancestors.attribute.labels[req_service_metadata_last_modifier]`
`protoPayload.request.service.metadata.annotations.run.googleapis.com/ingress`	`target.resource_ancestors.attribute.labels[req_service_metadata_ingress]`
`protoPayload.request.service.spec.template.metadata.annotations.run.googleapis.com/client-name`	`target.resource_ancestors.attribute.labels[req_service_spec_template_metadata_client_name]`
`protoPayload.request.service.spec.template.metadata.annotations.run.googleapis.com/client-version`	`target.resource_ancestors.attribute.labels[req_service_spec_template_metadata_client_version]`
`protoPayload.request.service.spec.template.metadata.annotations.autoscaling.knative.dev/maxScale`	`target.resource_ancestors.attribute.labels[req_service_spec_template_metadata_max_scale]`
`protoPayload.request.New Data`	`target.resource_ancestors.attribute.labels[req_new_data]`
`protoPayload.response.Original Data`	`target.resource_ancestors.attribute.labels[req_original_data]`
`protoPayload.request.timestampRange.startTime`	`target.resource.attribute.labels[timestamp_range_start_time]`
`protoPayload.request.timestampRange.endTime`	`target.resource.attribute.labels[timestamp_range_end_time]`
`protoPayload.request.regexSearch`	`target.resource.attribute.labels[request_regex_search]`
`protoPayload.request.productSources`	`target.resource.attribute.labels[request_product_sources]`
`protoPayload.request.query`	`target.resource.attribute.labels[request_query]`
`protoPayload.request.caseSensitive`	`target.resource.attribute.labels[request_case_sensitive]`
`protoPayload.request.baselineQuery`	`target.resource.attribute.labels[baseline_query]`
`protoPayload.request.baselineTimeRange.startTime`	`target.resource.attribute.labels[baseline_time_range_start_time]`
`protoPayload.request.baselineTimeRange.endTime`	`target.resource.attribute.labels[baseline_time_range_end_time]`
`protoPayload.response.serviceConfig.timeoutSeconds`	`target.resource.attribute.labels[response_service_config_timeout_seconds]`
`labels.execution_id`	`additional.fields[execution_id]`
`labels.instance_id`	`additional.fields[instance_id]`
`labels.runtime_version`	`additional.fields[runtime_version]`
`protoPayload.metadata.updatedGrant.requester`	`principal.user.userid`	Wenn der Wert des `protoPayload.serviceName`-Logfelds `privilegedaccessmanager.googleapis.com` entspricht, wird das `protoPayload.metadata.updatedGrant.requester`-Logfeld dem `principal.user.userid`-UDM-Feld zugeordnet.
`protoPayload.metadata.updatedGrant.requestedDuration`	`target.resource.attribute.labels[requestedDuration]`	Wenn der Wert des `protoPayload.serviceName`-Logfelds `privilegedaccessmanager.googleapis.com` entspricht, wird das `protoPayload.metadata.updatedGrant.requestedDuration`-Logfeld dem `target.resource.attribute.labels`-UDM-Feld zugeordnet.
`protoPayload.metadata.updatedGrant.justification.unstructuredJustification`	`target.resource.attribute.labels[justification]`	Wenn der Wert des Logfelds `protoPayload.serviceName` gleich `privilegedaccessmanager.googleapis.com` ist, wird das Logfeld `protoPayload.metadata.updatedGrant.justification.unstructuredJustification` dem UDM-Feld `target.resource.attribute.labels` zugeordnet.
`protoPayload.metadata.updatedGrant.privilegedAccess.gcpIamAccess.roleBindings.role`	`target.resource.attribute.roles.name`	Wenn der Wert des `protoPayload.serviceName`-Logfelds `privilegedaccessmanager.googleapis.com` entspricht, wird das `protoPayload.metadata.updatedGrant.privilegedAccess.gcpIamAccess.roleBindings.role`-Logfeld dem `target.resource.attribute.roles.name`-UDM-Feld zugeordnet.
`protoPayload.metadata.updatedGrant.privilegedAccess.gcpIamAccess.resourceType`	`target.resource.attribute.labels[resourceType]`	Wenn der Wert des Logfelds `protoPayload.serviceName` gleich `privilegedaccessmanager.googleapis.com` ist, wird das Logfeld `protoPayload.metadata.updatedGrant.privilegedAccess.gcpIamAccess.resourceType` dem UDM-Feld `target.resource.attribute.labels` zugeordnet.
`protoPayload.metadata.updatedGrant.privilegedAccess.gcpIamAccess.resource`	`target.resource.attribute.labels[resource]`	Wenn der Wert des Logfelds `protoPayload.serviceName` gleich `privilegedaccessmanager.googleapis.com` ist, wird das Logfeld `protoPayload.metadata.updatedGrant.privilegedAccess.gcpIamAccess.resource` dem UDM-Feld `target.resource.attribute.labels` zugeordnet.
`protoPayload.metadata.updatedGrant.state`	`target.resource.attribute.labels[state]`	Wenn der Wert des `protoPayload.serviceName`-Logfelds `privilegedaccessmanager.googleapis.com` entspricht, wird das `protoPayload.metadata.updatedGrant.state`-Logfeld dem `target.resource.attribute.labels`-UDM-Feld zugeordnet.
`protoPayload.metadata.jobInsertion.job.jobConfig.labels.looker_studio_report_id`	`target.resource.attribute.labels[job_insertion_looker_studio_report_id]`	Wenn der Wert des `protoPayload.serviceName`-Logfelds `privilegedaccessmanager.googleapis.com` entspricht, wird das `protoPayload.metadata.jobInsertion.job.jobConfig.labels.looker_studio_report_id`-Logfeld dem `target.resource.attribute.labels`-UDM-Feld zugeordnet.
`protoPayload.metadata.jobInsertion.job.jobConfig.labels.requestor`	`target.resource.attribute.labels[job_insertion_requestor]`	Wenn der Wert des `protoPayload.serviceName`-Logfelds `privilegedaccessmanager.googleapis.com` entspricht, wird das `protoPayload.metadata.jobInsertion.job.jobConfig.labels.requestor`-Logfeld dem `target.resource.attribute.labels`-UDM-Feld zugeordnet.
`protoPayload.metadata.jobInsertion.job.jobConfig.labels.looker_studio_datasource_id`	`target.resource.attribute.labels[job_insertion_looker_studio_datasource_id]`	Wenn der Wert des `protoPayload.serviceName`-Logfelds `privilegedaccessmanager.googleapis.com` entspricht, wird das `protoPayload.metadata.jobInsertion.job.jobConfig.labels.looker_studio_datasource_id`-Logfeld dem `target.resource.attribute.labels`-UDM-Feld zugeordnet.
`protoPayload.response.displayName`	`security_result.associations.name`	Wenn der Wert des Logfelds `protoPayload.response.displayName` nicht leer ist, wird das Logfeld `protoPayload.response.displayName` dem UDM-Feld `security_result.associations.name` zugeordnet.
`protoPayload.request.referenceList.displayName`	`security_result.associations.name`	Wenn das Log-Feld `protoPayload.response.displayName` leer ist, wird das Log-Feld `protoPayload.request.referenceList.displayName` dem UDM-Feld `security_result.associations.name` zugeordnet.
`protoPayload.resourceName`	`security_result.detection_fields[rule_id]`	Wenn der Wert des Logfelds `protoPayload.resourceName` nicht leer und der Wert des Logfelds `protoPayload.response.@type` `type.googleapis.com/google.cloud.chronicle.v1alpha.Rule` ist, wird `new_rule_id` mithilfe eines Grok-Musters aus dem Logfeld `protoPayload.resourceName` extrahiert und dem UDM-Feld `security_result.detection_fields[rule_id]` zugeordnet.
`protoPayload.request.projection`	`target.resource.attribute.labels[req_projection]`
`protoPayload.response.items.metageneration`	`target.resource.attribute.labels[res_items_metageneration]`
`protoPayload.response.items.labels.created_date`	`target.resource.attribute.labels[res_items_labels_created_date]`
`protoPayload.response.items.labels.team_email`	`target.resource.attribute.labels[res_items_labels_team_email]`
`protoPayload.response.items.labels.team_name`	`target.resource.attribute.labels[res_items_labels_team_name]`
`protoPayload.response.items.labels.office_number`	`target.resource.attribute.labels[res_items_labels_official_number]`
`protoPayload.response.items.labels.department`	`target.resource.attribute.labels[res_items_labels_department]`
`protoPayload.response.items.labels.business_project_number`	`target.resource.attribute.labels[res_items_labels_business_project_number]`
`protoPayload.response.items.labels.owner_email`	`target.resource.attribute.labels[res_items_labels_owner_email]`
`protoPayload.response.items.labels.purchase_order_number`	`target.resource.attribute.labels[res_items_labels_purchase_order_number]`
`protoPayload.response.items.labels.office_name`	`target.resource.attribute.labels[res_items_labels_office_name]`
`protoPayload.response.items.labels.environment`	`target.resource.attribute.labels[res_items_labels_environment]`
`protoPayload.response.items.labels.created_by`	`target.resource.attribute.labels[res_items_labels_created_by]`
`protoPayload.response.items.labels.project_name`	`target.resource.attribute.labels[res_items_labels_project_name]`
`protoPayload.response.items.labels.finops_tag`	`target.resource.attribute.labels[res_items_labels_finops_tag]`
`protoPayload.response.items.labels.owner_role`	`target.resource.attribute.labels[res_items_labels_owner_role]`
`protoPayload.response.items.versioning.enabled`	`target.resource.attribute.labels[res_items_versioning_enabled]`
`protoPayload.response.items.iamConfiguration.publicAccessPrevention`	`target.resource.attribute.labels[res_items_iam_conf_public_access_prevention]`
`protoPayload.response.items.iamConfiguration.uniformBucketLevelAccess.lockedTime`	`target.resource.attribute.labels[res_items_iam_conf_uniform_bucket_level_access_locked_time]`
`protoPayload.response.items.iamConfiguration.uniformBucketLevelAccess.enabled`	`target.resource.attribute.labels[res_items_iam_conf_uniform_bucket_level_access_enabled]`
`protoPayload.response.items.id`	`target.resource.attribute.labels[res_items_id]`
`protoPayload.response.items.updated`	`target.resource.attribute.labels[res_items_updated]`
`protoPayload.response.items.storageClass`	`target.resource.attribute.labels[res_items_storage_class]`
`protoPayload.response.items.timeCreated`	`target.resource.attribute.labels[res_items_time_created]`
`protoPayload.response.items.location`	`target.resource.attribute.labels[res_items_location]`
`protoPayload.response.items.locationType`	`target.resource.attribute.labels[res_items_location_type]`
`protoPayload.response.items.projectNumber`	`target.resource.attribute.labels[res_items_project_number]`
`protoPayload.response.items.name`	`target.resource.attribute.labels[res_items_name]`
`protoPayload.response.items.softDeletePolicy.effectiveTime`	`target.resource.attribute.labels[res_items_soft_delete_policy_effective_time]`
`protoPayload.response.items.softDeletePolicy.retentionDurationSeconds`	`target.resource.attribute.labels[res_items_soft_delete_policy_retention_duration_seconds]`
`protoPayload.response.items.etag`	`target.resource.attribute.labels[res_items_etag]`
`protoPayload.response.code`	`network.http.response_code`
`protoPayload.response.reason`	`additional.fields[res_reason]`

Nächste Schritte

Datenaufnahme in Google Security Operations