Cloud-Audit-Logs erfassen
Unterstützt in:
Google SecOps
SIEM
In diesem Dokument wird beschrieben, wie Sie Cloud-Audit-Logs exportieren, indem Sie die Google CloudAufnahme von Telemetriedaten in Google Security Operations aktivieren. Außerdem wird erläutert, wie die Felder von Cloud-Audit-Logs den Feldern des Unified Data Model (UDM) von Google Security Operations zugeordnet werden.
Weitere Informationen finden Sie unter Datenaufnahme in Google Security Operations.
Eine typische Bereitstellung besteht aus Cloud-Audit-Logs, die für die Aufnahme in Google Security Operations aktiviert sind. Jede Kundenimplementierung kann von dieser Darstellung abweichen und komplexer sein.
Die Bereitstellung umfasst die folgenden Komponenten:
Google Cloud: Die Google Cloud Dienste und Produkte, von denen Sie Protokolle erfassen
Cloud-Audit-Logs: Cloud-Audit-Logs, die für die Aufnahme in Google Security Operations aktiviert sind
Google Workspace-Audit-Logs: Die Google Workspace-Audit-Logs, die für die Aufnahme in Google Security Operations aktiviert sind
Google Security Operations: Cloud-Audit-Logs und Google Workspace-Audit-Logs werden aufbewahrt und analysiert.
Mit einem Datenaufnahmelabel wird der Parser identifiziert, der Roh-Logdaten in das strukturierte UDM-Format normalisiert. Die Informationen in diesem Dokument gelten für den Parser mit dem Datenaufnahmelabel GCP_CLOUDAUDIT.
Hinweise
- Sie müssen eine Google Cloud eingerichtet haben.
Sie müssen die Zugriffssteuerung für Ihre Organisation und Ihre Ressourcen mithilfe der Identitäts- und Zugriffsverwaltung (Identity and Access Management, IAM) eingerichtet haben. Weitere Informationen zur Zugriffssteuerung finden Sie unter Zugriffssteuerung für Organisationen mit IAM.
Konfigurieren Sie Audit-Logs zum Datenzugriff für Ihre Google Cloud Ressourcen und Dienste.
Alle Systeme in der Bereitstellungsarchitektur müssen in der Zeitzone UTC konfiguriert sein.
Prüfen Sie, welche Protokolltypen vom Parser für Cloud-Audit-Logs unterstützt werden. In der folgenden Tabelle sind die Logquellen und ‑typen aufgeführt, die vom Cloud Audit Logs-Parser unterstützt werden:
| Logquellen | Logquelle |
|---|---|
| Cloud DNS | – |
| syslog | – |
| Audit-Logs für Google Workspace | Prüfen von Anmeldeaktivitäten |
| Audit-Logs für Google Workspace | Admin Audit |
| Cloud-Audit-Logs | Administratoraktivität |
| Cloud-Audit-Logs | Prüfung von VPC Service Controls |
| Cloud-Audit-Logs | Google Kubernetes Engine-Datenzugriff |
| Cloud-Audit-Logs | Resource Manager-Datenzugriff |
| Cloud-Audit-Logs | Zugriff auf BigQuery-Audit-Metadaten |
| Cloud-Audit-Logs | MySQL-Datenzugriff, Administratoraktivitäten |
| Cloud-Audit-Logs | PostgreSQL-Datenzugriff, Administratoraktivitäten |
| Cloud-Audit-Logs | SQL Server-Datenzugriff, Administratoraktivitäten |
| Cloud Load Balancing | Cloud-HTTP-Load-Balancer |
| Cloud DNS | Administratoraktivität |
| Virtual Private Cloud-Zugriff | Virtual Private Cloud-Zugriff |
| Firewallregeln | Firewallregeln |
| Cloud NAT | Cloud NAT |
Aufnahme von Cloud-Audit-Logs konfigurieren
Wenn Sie Cloud-Audit-Logs in Google Security Operations aufnehmen möchten, folgen Sie der Anleitung auf der Seite Logs in Google Security Operations aufnehmen Google Cloud .
Wenn beim Aufnehmen von Cloud-Audit-Logs Probleme auftreten, wenden Sie sich an den Support von Google Security Operations.
Referenz für die Feldzuordnung
In diesem Abschnitt wird erläutert, wie der Google Security Operations-Parser Cloud-Audit-Log-Felder den Feldern des Unified Data Model (UDM) von Google Security Operations zuordnet.
GCP_CLOUDAUDIT-Logtypen in UDM-Ereignistyp
In der folgenden Tabelle sind die Ereignis-IDs von GCP_CLOUDAUDIT und die zugehörigen Ereignistypen aufgeführt.| Event identifier | Event type |
|---|---|
dns.managedZones.get |
USER_RESOURCE_ACCESS |
dns.managedZones.list |
USER_RESOURCE_ACCESS |
dns.changes.get |
USER_RESOURCE_ACCESS |
dns.changes.list |
USER_RESOURCE_ACCESS |
dns.activePeeringZones.list |
USER_RESOURCE_ACCESS |
dns.activePeeringZones.getpeeringzoneinfo |
USER_RESOURCE_ACCESS |
dns.resourceRecordSets.get |
USER_RESOURCE_ACCESS |
dns.resourceRecordSets.list |
USER_RESOURCE_ACCESS |
dns.responsePolicies.get |
USER_RESOURCE_ACCESS |
dns.responsePolicies.list |
USER_RESOURCE_ACCESS |
dns.responsePolicyRules.get |
USER_RESOURCE_ACCESS |
dns.responsePolicyRules.list |
USER_RESOURCE_ACCESS |
dns.policies.get |
USER_RESOURCE_ACCESS |
dns.policies.list |
USER_RESOURCE_ACCESS |
dns.projects.get |
USER_RESOURCE_ACCESS |
dns.managedZones.create |
USER_RESOURCE_CREATION |
dns.managedZones.delete |
RESOURCE_DELETION |
dns.managedZones.update |
RESOURCE_WRITTEN |
dns.managedZones.patch |
USER_RESOURCE_UPDATE_CONTENT |
dns.changes.create |
USER_RESOURCE_CREATION |
dns.changes.delete |
RESOURCE_DELETION |
dns.activePeeringZones.deactivate |
USER_RESOURCE_UPDATE_CONTENT |
dns.resourceRecordSets.create |
USER_RESOURCE_CREATION |
dns.resourceRecordSets.delete |
RESOURCE_DELETION |
dns.resourceRecordSets.update |
RESOURCE_WRITTEN |
dns.resourceRecordSets.patch |
USER_RESOURCE_UPDATE_CONTENT |
dns.responsePolicies.create |
USER_RESOURCE_CREATION |
dns.responsePolicies.delete |
RESOURCE_DELETION |
dns.responsePolicies.update |
RESOURCE_WRITTEN |
dns.responsePolicies.patch |
USER_RESOURCE_UPDATE_CONTENT |
dns.responsePolicyRules.create |
USER_RESOURCE_CREATION |
dns.responsePolicyRules.delete |
RESOURCE_DELETION |
dns.responsePolicyRules.update |
RESOURCE_WRITTEN |
dns.responsePolicyRules.patch |
USER_RESOURCE_UPDATE_CONTENT |
dns.policies.create |
USER_RESOURCE_CREATION |
dns.policies.delete |
RESOURCE_DELETION |
dns.policies.update |
RESOURCE_WRITTEN |
dns.policies.patch |
USER_RESOURCE_UPDATE_CONTENT |
CreateRole |
USER_RESOURCE_CREATION |
DeleteRole |
RESOURCE_DELETION |
UndeleteRole |
RESOURCE_CREATION |
UpdateRole |
RESOURCE_WRITTEN |
google.iam.v2beta.Policies.CreatePolicy |
USER_RESOURCE_CREATION |
google.iam.v2beta.Policies.DeletePolicy |
RESOURCE_DELETION |
google.iam.v2beta.Policies.UpdatePolicy |
RESOURCE_WRITTEN |
CreateServiceAccount |
USER_CREATION |
DeleteServiceAccount |
RESOURCE_DELETION |
DisableServiceAccount |
USER_CHANGE_PERMISSIONS |
EnableServiceAccount |
USER_CHANGE_PERMISSIONS |
GetServiceAccount |
USER_RESOURCE_ACCESS |
PatchServiceAccount |
USER_RESOURCE_UPDATE_CONTENT |
SetIAMPolicy |
USER_RESOURCE_UPDATE_PERMISSIONS |
UndeleteServiceAccount |
USER_CREATION |
UpdateServiceAccount |
RESOURCE_WRITTEN |
CreateServiceAccountKey |
USER_CHANGE_PASSWORD |
DeleteServiceAccountKey |
USER_DELETION |
UploadServiceAccountKey |
USER_CHANGE_PASSWORD |
CreateWorkloadIdentityPool |
USER_RESOURCE_CREATION |
DeleteWorkloadIdentityPool |
RESOURCE_DELETION |
UndeleteWorkloadIdentityPool |
RESOURCE_CREATION |
UpdateWorkloadIdentityPool |
RESOURCE_WRITTEN |
CreateWorkloadIdentityPoolProvider |
USER_RESOURCE_CREATION |
DeleteWorkloadIdentityPoolProvider |
RESOURCE_DELETION |
UndeleteWorkloadIdentityPoolProvider |
RESOURCE_DELETION |
UpdateWorkloadIdentityPoolProvider |
RESOURCE_WRITTEN |
CreateWorkforcePool |
USER_RESOURCE_CREATION |
DeleteWorkforcePool |
RESOURCE_DELETION |
UndeleteWorkforcePool |
RESOURCE_DELETION |
UpdateWorkforcePool |
RESOURCE_WRITTEN |
CreateWorkforcePoolProvider |
USER_RESOURCE_CREATION |
DeleteWorkforcePoolProvider |
RESOURCE_DELETION |
UndeleteWorkforcePoolProvider |
RESOURCE_DELETION |
UpdateWorkforcePoolProvider |
RESOURCE_WRITTEN |
GetEffectivePolicy1 |
USER_RESOURCE_ACCESS |
google.iam.admin.v1.GetPolicyDetails2 |
USER_RESOURCE_ACCESS |
ExchangeToken |
USER_RESOURCE_ACCESS |
Google Cloud console (federated) sign in |
USER_RESOURCE_UPDATE_PERMISSIONS |
GetRole |
USER_RESOURCE_ACCESS |
ListRoles |
USER_RESOURCE_ACCESS |
google.iam.v2beta.Policies.GetPolicy |
USER_RESOURCE_ACCESS |
google.iam.v2beta.Policies.ListPolicies |
USER_RESOURCE_ACCESS |
QueryGrantableRoles |
USER_RESOURCE_ACCESS |
GenerateAccessToken |
USER_RESOURCE_UPDATE_CONTENT |
GenerateIdToken |
USER_RESOURCE_UPDATE_CONTENT |
ListServiceAccounts |
USER_RESOURCE_ACCESS |
SignBlob |
USER_RESOURCE_UPDATE_CONTENT |
SignJwt |
USER_RESOURCE_UPDATE_CONTENT |
GetServiceAccountKey |
USER_RESOURCE_ACCESS |
ListServiceAccountKeys |
USER_RESOURCE_ACCESS |
GetWorkloadIdentityPool |
USER_RESOURCE_ACCESS |
ListWorkloadIdentityPools |
USER_RESOURCE_ACCESS |
GetWorkloadIdentityPoolProvider |
USER_RESOURCE_ACCESS |
ListWorkloadIdentityPoolProviders |
USER_RESOURCE_ACCESS |
GetWorkforcePool |
USER_RESOURCE_ACCESS |
ListWorkforcePools |
USER_RESOURCE_ACCESS |
GetWorkforcePoolProvider |
USER_RESOURCE_ACCESS |
ListWorkforcePoolProviders |
USER_RESOURCE_ACCESS |
io.k8s.authorization.rbac.v1 |
STATUS_UPDATE |
io.k8s.authorization.rbac.v1.roles |
STATUS_UPDATE |
io.k8s.batch.v1.jobs.create |
RESOURCE_CREATION |
io.k8s.authorization.rbac.v1.clusterroles.create |
RESOURCE_CREATION |
io.k8s.apps.v1.daemonsets.create |
RESOURCE_CREATION |
io.k8s.authorization.v1.selfsubjectaccessreviews.create |
RESOURCE_CREATION |
google.container.v1.ClusterManager.CreateCluster |
USER_RESOURCE_CREATION |
google.cloud.bigquery.v2.TableService.InsertTable |
USER_RESOURCE_CREATION |
google.cloud.bigquery.v2.TableService.UpdateTable |
RESOURCE_WRITTEN |
google.cloud.bigquery.v2.TableService.PatchTable |
USER_RESOURCE_UPDATE_CONTENT |
google.cloud.bigquery.v2.TableService.DeleteTable |
RESOURCE_DELETION |
google.cloud.bigquery.v2.DatasetService.InsertDataset |
USER_RESOURCE_CREATION |
google.cloud.bigquery.v2.DatasetService.UpdateDataset |
RESOURCE_WRITTEN |
google.cloud.bigquery.v2.DatasetService.PatchDataset |
USER_RESOURCE_UPDATE_CONTENT |
google.cloud.bigquery.v2.DatasetService.DeleteDataset |
USER_RESOURCE_DELETION |
google.cloud.bigquery.v2.TableDataService.List |
USER_RESOURCE_ACCESS |
google.cloud.bigquery.v2.JobService.InsertJob |
USER_RESOURCE_CREATION |
google.cloud.bigquery.v2.JobService.Query |
USER_RESOURCE_ACCESS |
google.cloud.bigquery.v2.JobService.GetQueryResults |
USER_RESOURCE_ACCESS |
InternalTableExpired |
USER_RESOURCE_DELETION |
google.cloud.bigquery.connection.v1.ConnectionService.CreateConnection |
USER_RESOURCE_CREATION |
google.cloud.bigquery.connection.v1.ConnectionService.DeleteConnection |
RESOURCE_DELETION |
google.cloud.bigquery.connection.v1.ConnectionService.UpdateConnection |
RESOURCE_WRITTEN |
google.cloud.bigquery.connection.v1.ConnectionService.SetIamPolicy |
RESOURCE_PERMISSIONS_CHANGE |
google.cloud.bigquery.reservation.v1.ReservationService.CreateReservation |
USER_RESOURCE_CREATION |
google.cloud.bigquery.reservation.v1.ReservationService.DeleteReservation |
RESOURCE_DELETION |
google.cloud.bigquery.reservation.v1.ReservationService.UpdateReservation |
RESOURCE_WRITTEN |
google.cloud.bigquery.reservation.v1.ReservationService.CreateCapacityCommitment |
USER_RESOURCE_CREATION |
google.cloud.bigquery.reservation.v1.ReservationService.DeleteCapacityCommitment |
RESOURCE_DELETION |
google.cloud.bigquery.reservation.v1.ReservationService.CreateAssignment |
USER_RESOURCE_CREATION |
google.cloud.bigquery.reservation.v1.ReservationService.DeleteAssignment |
RESOURCE_DELETION |
google.cloud.bigquery.reservation.v1.ReservationService.MoveAssignment |
STATUS_UPDATE |
cloudsql.backupRuns.get |
USER_RESOURCE_ACCESS |
cloudsql.backupRuns.list |
USER_RESOURCE_ACCESS |
cloudsql.databases.create |
USER_RESOURCE_CREATION |
cloudsql.databases.delete |
RESOURCE_DELETION |
cloudsql.databases.get |
USER_RESOURCE_ACCESS |
cloudsql.databases.list |
USER_RESOURCE_ACCESS |
cloudsql.databases.update |
RESOURCE_WRITTEN |
cloudsql.instances.export |
USER_RESOURCE_ACCESS |
cloudsql.instances.get |
USER_RESOURCE_ACCESS |
cloudsql.instances.import |
STATUS_UNCATEGORIZED |
cloudsql.instances.list |
USER_RESOURCE_ACCESS |
cloudsql.instances.listEffectiveTags |
USER_RESOURCE_ACCESS |
cloudsql.instances.listServerCas |
USER_RESOURCE_ACCESS |
cloudsql.instances.listTagBindings |
USER_RESOURCE_ACCESS |
cloudsql.instances.login |
USER_LOGIN |
cloudsql.sslCerts.get |
USER_RESOURCE_ACCESS |
cloudsql.sslCerts.list |
USER_RESOURCE_ACCESS |
cloudsql.users.create |
USER_RESOURCE_CREATION |
cloudsql.users.delete |
RESOURCE_DELETION |
cloudsql.users.get |
USER_RESOURCE_ACCESS |
cloudsql.users.list |
USER_RESOURCE_ACCESS |
cloudsql.users.update |
RESOURCE_WRITTEN |
cloudsql.backupRuns.create |
USER_RESOURCE_CREATION |
cloudsql.backupRuns.delete |
RESOURCE_DELETION |
cloudsql.instances.addServerCa |
USER_RESOURCE_CREATION |
cloudsql.instances.clone |
USER_RESOURCE_CREATION |
cloudsql.instances.connect |
USER_LOGIN |
cloudsql.instances.create |
USER_RESOURCE_CREATION |
cloudsql.instances.createTagBinding |
USER_RESOURCE_CREATION |
cloudsql.instances.delete |
RESOURCE_DELETION |
cloudsql.instances.deleteTagBinding |
RESOURCE_DELETION |
cloudsql.instances.demoteMaster |
STATUS_UPDATE |
cloudsql.instances.failover |
STATUS_UPDATE |
cloudsql.instances.promoteReplica |
STATUS_UPDATE |
cloudsql.instances.resetSslConfig |
USER_RESOURCE_UPDATE_CONTENT |
cloudsql.instances.restart |
STATUS_STARTUP |
cloudsql.instances.restoreBackup |
STATUS_UPDATE |
cloudsql.instances.rotateServerCa |
STATUS_UPDATE |
cloudsql.instances.startReplica |
STATUS_STARTUP |
cloudsql.instances.stopReplica |
STATUS_UPDATE |
cloudsql.instances.truncateLog |
STATUS_UPDATE |
cloudsql.instances.update |
RESOURCE_WRITTEN |
cloudsql.sslCerts.create |
USER_RESOURCE_CREATION |
cloudsql.sslCerts.createEphemeral |
USER_RESOURCE_CREATION |
cloudsql.sslCerts.delete |
RESOURCE_DELETION |
compute.instances.insert |
RESOURCE_CREATION |
compute.instanceGroups.removeInstances |
RESOURCE_DELETION |
compute.instances.setMetadata |
USER_RESOURCE_UPDATE_CONTENT |
compute.instances.setLabels |
USER_RESOURCE_CREATION |
compute.instances.setTags |
USER_RESOURCE_CREATION |
compute.instances.setIamPolicy |
USER_RESOURCE_UPDATE_PERMISSIONS |
compute.instances.list |
USER_RESOURCE_ACCESS |
compute.images.get |
USER_RESOURCE_ACCESS |
compute.interconnectAttachments.aggregatedList |
USER_RESOURCE_ACCESS |
compute.instance.getSerialPortOutput |
USER_RESOURCE_ACCESS |
compute.instances.migrateOnHostMaintenance |
RESOURCE_CREATION |
compute.instances.automaticRestart |
USER_RESOURCE_UPDATE_CONTENT |
compute.instanceGroupManagers.resizeAdvanced |
USER_RESOURCE_UPDATE_CONTENT |
google.ssh-serialport.v1.connect |
NETWORK_CONNECTION |
firewalls.delete |
RESOURCE_DELETION |
firewalls.insert |
RESOURCE_CREATION |
firewalls.patch |
USER_RESOURCE_UPDATE_CONTENT |
firewalls.update |
RESOURCE_WRITTEN |
forwardingRules.delete |
RESOURCE_DELETION |
forwardingRules.insert |
RESOURCE_CREATION |
forwardingRules.patch |
USER_RESOURCE_UPDATE_CONTENT |
forwardingRules.setTarget |
STATUS_UPDATE |
networks.addPeering |
STATUS_UPDATE |
networks.delete |
RESOURCE_DELETION |
networks.insert |
RESOURCE_CREATION |
networks.patch |
USER_RESOURCE_UPDATE_CONTENT |
networks.removePeering |
RESOURCE_DELETION |
networks.switchToCustomMode |
STATUS_UPDATE |
networks.updatePeering |
RESOURCE_WRITTEN |
routes.delete |
RESOURCE_DELETION |
routes.insert |
USER_RESOURCE_CREATION |
subnetworks.delete |
RESOURCE_DELETION |
subnetworks.expandIpCidrRange |
STATUS_UPDATE |
subnetworks.insert |
RESOURCE_CREATION |
subnetworks.patch |
USER_RESOURCE_UPDATE_CONTENT |
subnetworks.setIamPolicy |
USER_RESOURCE_UPDATE_PERMISSIONS |
subnetworks.setPrivateIpGoogleAccess |
STATUS_UPDATE |
subnetworks.testIamPermissions |
USER_RESOURCE_ACCESS |
firewalls.get |
USER_RESOURCE_ACCESS |
firewalls.list |
USER_RESOURCE_ACCESS |
forwardingRules.aggregatedList |
USER_RESOURCE_ACCESS |
forwardingRules.get |
USER_RESOURCE_ACCESS |
forwardingRules.list |
USER_RESOURCE_ACCESS |
networks.get |
USER_RESOURCE_ACCESS |
networks.list |
USER_RESOURCE_ACCESS |
networks.listPeeringRoutes |
USER_RESOURCE_ACCESS |
routes.get |
USER_RESOURCE_ACCESS |
routes.list |
USER_RESOURCE_ACCESS |
subnetworks.aggregatedList |
USER_RESOURCE_ACCESS |
subnetworks.get |
USER_RESOURCE_ACCESS |
subnetworks.getIamPolicy |
USER_RESOURCE_ACCESS |
subnetworks.list |
USER_RESOURCE_ACCESS |
subnetworks.listUsable |
USER_RESOURCE_ACCESS |
google.admin.AdminService.alertCenterBatchDeleteAlerts |
RESOURCE_DELETION |
google.admin.AdminService.alertCenterBatchUndeleteAlerts |
RESOURCE_DELETION |
google.admin.AdminService.alertCenterCreateAlert |
USER_RESOURCE_CREATION |
google.admin.AdminService.alertCenterCreateFeedback |
USER_RESOURCE_CREATION |
google.admin.AdminService.alertCenterDeleteAlert |
RESOURCE_DELETION |
google.admin.AdminService.alertCenterGetAlertMetadata |
USER_RESOURCE_ACCESS |
google.admin.AdminService.alertCenterGetCustomerSettings |
USER_RESOURCE_ACCESS |
google.admin.AdminService.alertCenterGetSitLink |
USER_RESOURCE_ACCESS |
google.admin.AdminService.alertCenterListChange |
USER_RESOURCE_ACCESS |
google.admin.AdminService.alertCenterListFeedback |
USER_RESOURCE_ACCESS |
google.admin.AdminService.alertCenterListRelatedAlerts |
USER_RESOURCE_ACCESS |
google.admin.AdminService.alertCenterUndeleteAlert |
RESOURCE_DELETION |
google.admin.AdminService.alertCenterUpdateAlert |
RESOURCE_WRITTEN |
google.admin.AdminService.alertCenterUpdateAlertMetadata |
RESOURCE_WRITTEN |
google.admin.AdminService.alertCenterUpdateCustomerSettings |
RESOURCE_WRITTEN |
google.admin.AdminService.alertCenterView |
USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.changeApplicationSetting |
USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.createApplicationSetting |
USER_RESOURCE_CREATION |
google.admin.AdminService.deleteApplicationSetting |
RESOURCE_DELETION |
google.admin.AdminService.reorderGroupBasedPoliciesEvent |
USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.gplusPremiumFeatures |
USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.createManagedConfiguration |
USER_RESOURCE_CREATION |
google.admin.AdminService.deleteManagedConfiguration |
RESOURCE_DELETION |
google.admin.AdminService.updateManagedConfiguration |
RESOURCE_WRITTEN |
google.admin.AdminService.flashlightEduNonFeaturedServicesSelected |
USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.createBuilding |
USER_RESOURCE_CREATION |
google.admin.AdminService.deleteBuilding |
RESOURCE_DELETION |
google.admin.AdminService.updateBuilding |
RESOURCE_WRITTEN |
google.admin.AdminService.createCalendarResource |
USER_RESOURCE_CREATION |
google.admin.AdminService.deleteCalendarResource |
RESOURCE_DELETION |
google.admin.AdminService.createCalendarResourceFeature |
USER_RESOURCE_CREATION |
google.admin.AdminService.deleteCalendarResourceFeature |
RESOURCE_DELETION |
google.admin.AdminService.updateCalendarResourceFeature |
RESOURCE_WRITTEN |
google.admin.AdminService.renameCalendarResource |
USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.updateCalendarResource |
RESOURCE_WRITTEN |
google.admin.AdminService.changeCalendarSetting |
USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.cancelCalendarEvents |
USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.releaseCalendarResources |
USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.meetInteropCreateGateway |
USER_RESOURCE_CREATION |
google.admin.AdminService.meetInteropDeleteGateway |
RESOURCE_DELETION |
google.admin.AdminService.meetInteropModifyGateway |
USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.changeChatSetting |
USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.changeChromeOsAndroidApplicationSetting |
USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.changeChromeOsApplicationSetting |
USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.sendChromeOsDeviceCommand |
USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.changeChromeOsDeviceAnnotation |
USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.changeChromeOsDeviceSetting |
USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.changeChromeOsDeviceState |
USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.changeChromeOsPublicSessionSetting |
USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.insertChromeOsPrinter |
USER_RESOURCE_CREATION |
google.admin.AdminService.deleteChromeOsPrinter |
RESOURCE_DELETION |
google.admin.AdminService.updateChromeOsPrinter |
RESOURCE_WRITTEN |
google.admin.AdminService.changeChromeOsSetting |
USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.changeChromeOsUserSetting |
USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.removeChromeOsApplicationSettings |
RESOURCE_DELETION |
google.admin.AdminService.changeContactsSetting |
USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.assignRole |
USER_RESOURCE_UPDATE_PERMISSIONS |
google.admin.AdminService.createRole |
USER_RESOURCE_CREATION |
google.admin.AdminService.deleteRole |
RESOURCE_DELETION |
google.admin.AdminService.addPrivilege |
USER_RESOURCE_CREATION |
google.admin.AdminService.removePrivilege |
RESOURCE_DELETION |
google.admin.AdminService.renameRole |
USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.updateRole |
RESOURCE_WRITTEN |
google.admin.AdminService.unassignRole |
USER_RESOURCE_UPDATE_PERMISSIONS |
google.admin.AdminService.deleteDevice |
RESOURCE_DELETION |
google.admin.AdminService.moveDeviceToOrgUnit |
USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.transferDocumentOwnership |
USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.driveDataRestore |
USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.changeDocsSetting |
USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.changeAccountAutoRenewal |
USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.addApplication |
USER_RESOURCE_CREATION |
google.admin.AdminService.addApplicationToWhitelist |
USER_RESOURCE_CREATION |
google.admin.AdminService.changeAdvertisementOption |
USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.createAlert |
USER_RESOURCE_CREATION |
google.admin.AdminService.changeAlertCriteria |
USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.deleteAlert |
RESOURCE_DELETION |
google.admin.AdminService.alertReceiversChanged |
USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.renameAlert |
USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.alertStatusChanged |
USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.addDomainAlias |
USER_RESOURCE_CREATION |
google.admin.AdminService.removeDomainAlias |
RESOURCE_DELETION |
google.admin.AdminService.skipDomainAliasMx |
USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.verifyDomainAliasMx |
USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.verifyDomainAlias |
USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.toggleOauthAccessToAllApis |
USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.toggleAllowAdminPasswordReset |
USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.enableApiAccess |
USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.authorizeApiClientAccess |
USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.removeApiClientAccess |
RESOURCE_DELETION |
google.admin.AdminService.chromeLicensesRedeemed |
USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.toggleAutoAddNewService |
USER_RESOURCE_CREATION |
google.admin.AdminService.changePrimaryDomain |
USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.changeWhitelistSetting |
USER_RESOURCE_ACCESS |
google.admin.AdminService.communicationPreferencesSettingChange |
USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.changeConflictAccountAction |
USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.enableFeedbackSolicitation |
USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.toggleContactSharing |
USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.createPlayForWorkToken |
USER_RESOURCE_CREATION |
google.admin.AdminService.toggleUseCustomLogo |
USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.changeCustomLogo |
USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.changeDataLocalizationForRussia |
USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.changeDataLocalizationSetting |
USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.changeDataProtectionOfficerContactInfo |
USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.deletePlayForWorkToken |
RESOURCE_DELETION |
google.admin.AdminService.viewDnsLoginDetails |
USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.changeDomainDefaultLocale |
USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.changeDomainDefaultTimezone |
USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.changeDomainName |
USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.toggleEnablePreReleaseFeatures |
USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.changeDomainSupportMessage |
USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.addTrustedDomains |
USER_RESOURCE_CREATION |
google.admin.AdminService.removeTrustedDomains |
RESOURCE_DELETION |
google.admin.AdminService.changeEduType |
USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.toggleEnableOauthConsumerKey |
USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.toggleSsoEnabled |
USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.toggleSsl |
USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.changeEuRepresentativeContactInfo |
USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.generateTransferToken |
USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.changeLoginBackgroundColor |
USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.changeLoginBorderColor |
USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.changeLoginActivityTrace |
USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.playForWorkEnroll |
USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.playForWorkUnenroll |
USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.mxRecordVerificationClaim |
USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.toggleNewAppFeatures |
USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.toggleUseNextGenControlPanel |
USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.uploadOauthCertificate |
USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.regenerateOauthConsumerSecret |
USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.toggleOpenIdEnabled |
USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.changeOrganizationName |
USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.toggleOutboundRelay |
USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.changePasswordMaxLength |
USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.changePasswordMinLength |
USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.updateDomainPrimaryAdminEmail |
RESOURCE_WRITTEN |
google.admin.AdminService.enableServiceOrFeatureNotifications |
USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.removeApplication |
RESOURCE_DELETION |
google.admin.AdminService.removeApplicationFromWhitelist |
RESOURCE_DELETION |
google.admin.AdminService.changeRenewDomainRegistration |
USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.changeResellerAccess |
USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.ruleActionsChanged |
USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.createRule |
USER_RESOURCE_CREATION |
google.admin.AdminService.changeRuleCriteria |
USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.deleteRule |
RESOURCE_DELETION |
google.admin.AdminService.renameRule |
USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.ruleStatusChanged |
USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.addSecondaryDomain |
USER_RESOURCE_CREATION |
google.admin.AdminService.removeSecondaryDomain |
RESOURCE_DELETION |
google.admin.AdminService.skipSecondaryDomainMx |
USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.verifySecondaryDomainMx |
USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.verifySecondaryDomain |
USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.updateDomainSecondaryEmail |
RESOURCE_WRITTEN |
google.admin.AdminService.changeSsoSettings |
USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.generatePin |
USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.updateRule |
RESOURCE_WRITTEN |
google.admin.AdminService.dropFromQuarantine |
USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.emailLogSearch |
USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.emailUndelete |
RESOURCE_DELETION |
google.admin.AdminService.changeEmailSetting |
USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.changeGmailSetting |
USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.createGmailSetting |
USER_RESOURCE_CREATION |
google.admin.AdminService.deleteGmailSetting |
RESOURCE_DELETION |
google.admin.AdminService.rejectFromQuarantine |
USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.releaseFromQuarantine |
USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.createGroup |
USER_RESOURCE_CREATION |
google.admin.AdminService.deleteGroup |
RESOURCE_DELETION |
google.admin.AdminService.changeGroupDescription |
USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.groupListDownload |
USER_RESOURCE_ACCESS |
google.admin.AdminService.addGroupMember |
GROUP_MODIFICATION |
google.admin.AdminService.removeGroupMember |
RESOURCE_DELETION |
google.admin.AdminService.updateGroupMember |
RESOURCE_WRITTEN |
google.admin.AdminService.updateGroupMemberDeliverySettings |
RESOURCE_WRITTEN |
google.admin.AdminService.updateGroupMemberDeliverySettingsCanEmailOverride |
RESOURCE_WRITTEN |
google.admin.AdminService.groupMemberBulkUpload |
USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.groupMembersDownload |
USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.changeGroupName |
USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.changeGroupSetting |
USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.whitelistedGroupsUpdated |
RESOURCE_WRITTEN |
google.admin.AdminService.securityInvestigationAction |
USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.securityInvestigationActionCancellation |
USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.securityInvestigationActionCompletion |
USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.securityInvestigationActionRetry |
USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.securityInvestigationActionVerificationConfirmation |
USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.securityInvestigationActionVerificationRequest |
USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.securityInvestigationActionVerificationRequestExpiration |
USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.securityInvestigationChartCreate |
USER_RESOURCE_CREATION |
google.admin.AdminService.securityInvestigationContentAccess |
USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.securityInvestigationDownloadAttachment |
USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.securityInvestigationExportActionResults |
USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.securityInvestigationExportQuery |
USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.securityInvestigationObjectCreateDraftInvestigation |
USER_RESOURCE_CREATION |
google.admin.AdminService.securityInvestigationObjectDeleteInvestigation |
RESOURCE_DELETION |
google.admin.AdminService.securityInvestigationObjectDuplicateInvestigation |
USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.securityInvestigationObjectOwnershipTransfer |
USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.securityInvestigationObjectSaveInvestigation |
USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.securityInvestigationObjectUpdateDirectSharing |
RESOURCE_WRITTEN |
google.admin.AdminService.securityInvestigationObjectUpdateLinkSharing |
RESOURCE_WRITTEN |
google.admin.AdminService.securityInvestigationQuery |
USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.securityInvestigationSettingUpdate |
RESOURCE_WRITTEN |
google.admin.AdminService.addToTrustedOauth2Apps |
USER_RESOURCE_CREATION |
google.admin.AdminService.allowAspWithout2Sv |
USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.allowServiceForOauth2Access |
USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.allowStrongAuthentication |
USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.blockOnDeviceAccess |
USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.changeAllowedTwoStepVerificationMethods |
USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.changeAppAccessSettingsCollectionId |
USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.changeCaaAppAssignments |
USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.changeCaaDefaultAssignments |
USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.changeCaaErrorMessage |
USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.changeSessionLength |
USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.changeTwoStepVerificationEnrollmentPeriodDuration |
USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.changeTwoStepVerificationFrequency |
USER_RESOURCE_UPDATE_PERMISSIONS |
google.admin.AdminService.changeTwoStepVerificationGracePeriodDuration |
USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.changeTwoStepVerificationStartDate |
USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.disallowServiceForOauth2Access |
USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.enableNonAdminUserPasswordRecovery |
USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.enforceStrongAuthentication |
USER_RESOURCE_UPDATE_PERMISSIONS |
google.admin.AdminService.removeFromTrustedOauth2Apps |
RESOURCE_DELETION |
google.admin.AdminService.sessionControlSettingsChange |
USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.toggleCaaEnablement |
USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.trustDomainOwnedOauth2Apps |
USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.unblockOnDeviceAccess |
USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.untrustDomainOwnedOauth2Apps |
USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.updateErrorMsgForRestrictedOauth2Apps |
RESOURCE_WRITTEN |
google.admin.AdminService.weakProgrammaticLoginSettingsChanged |
USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.delete2SvScratchCodes |
RESOURCE_DELETION |
google.admin.AdminService.generate2SvScratchCodes |
USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.revoke3LoDeviceTokens |
USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.revoke3LoToken |
USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.addRecoveryEmail |
USER_RESOURCE_CREATION |
google.admin.AdminService.addRecoveryPhone |
USER_RESOURCE_CREATION |
google.admin.AdminService.grantAdminPrivilege |
USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.revokeAdminPrivilege |
USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.revokeAsp |
USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.toggleAutomaticContactSharing |
USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.bulkUpload |
USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.bulkUploadNotificationSent |
USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.cancelUserInvite |
USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.changeUserCustomField |
USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.changeUserExternalId |
USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.changeUserGender |
USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.changeUserIm |
USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.enableUserIpWhitelist |
USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.changeUserKeyword |
USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.changeUserLanguage |
USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.changeUserLocation |
USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.changeUserOrganization |
USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.changeUserPhoneNumber |
USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.changeRecoveryEmail |
USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.changeRecoveryPhone |
USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.changeUserRelation |
USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.changeUserAddress |
USER_RESOURCE_CREATION |
google.admin.AdminService.createEmailMonitor |
USER_RESOURCE_CREATION |
google.admin.AdminService.createDataTransferRequest |
USER_RESOURCE_CREATION |
google.admin.AdminService.grantDelegatedAdminPrivileges |
USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.deleteAccountInfoDump |
RESOURCE_DELETION |
google.admin.AdminService.deleteEmailMonitor |
RESOURCE_DELETION |
google.admin.AdminService.deleteMailboxDump |
RESOURCE_DELETION |
google.admin.AdminService.changeFirstName |
USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.gmailResetUser |
USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.changeLastName |
USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.mailRoutingDestinationAdded |
USER_RESOURCE_CREATION |
google.admin.AdminService.mailRoutingDestinationRemoved |
RESOURCE_DELETION |
google.admin.AdminService.addNickname |
USER_RESOURCE_CREATION |
google.admin.AdminService.removeNickname |
RESOURCE_DELETION |
google.admin.AdminService.changePassword |
USER_CHANGE_PASSWORD |
google.admin.AdminService.changePasswordOnNextLogin |
USER_CHANGE_PASSWORD |
google.admin.AdminService.downloadPendingInvitesList |
USER_RESOURCE_ACCESS |
google.admin.AdminService.removeRecoveryEmail |
RESOURCE_DELETION |
google.admin.AdminService.removeRecoveryPhone |
RESOURCE_DELETION |
google.admin.AdminService.requestAccountInfo |
USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.requestMailboxDump |
USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.resendUserInvite |
USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.resetSigninCookies |
USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.securityKeyRegisteredForUser |
USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.revokeSecurityKey |
USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.userInvite |
USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.viewTempPassword |
USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.turnOff2StepVerification |
USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.unblockUserSession |
USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.unenrollUserFromTitanium |
USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.archiveUser |
USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.updateBirthdate |
RESOURCE_WRITTEN |
google.admin.AdminService.createUser |
USER_CREATION |
google.admin.AdminService.deleteUser |
RESOURCE_DELETION |
google.admin.AdminService.downgradeUserFromGplus |
USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.userEnrolledInTwoStepVerification |
USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.downloadUserlistCsv |
USER_RESOURCE_ACCESS |
google.admin.AdminService.moveUserToOrgUnit |
USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.userPutInTwoStepVerificationGracePeriod |
USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.renameUser |
USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.unenrollUserFromStrongAuth |
USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.suspendUser |
USER_CHANGE_PERMISSIONS |
google.admin.AdminService.unarchiveUser |
USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.undeleteUser |
RESOURCE_DELETION |
google.admin.AdminService.upgradeUserToGplus |
USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.usersBulkUpload |
USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.usersBulkUploadNotificationSent |
USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.createAccessLevelV2 |
USER_RESOURCE_CREATION |
google.admin.AdminService.systemDefinedRuleUpdated |
USER_RESOURCE_UPDATE_PERMISSIONS |
google.admin.AdminService.createDeviceEnrollmentToken |
USER_RESOURCE_CREATION |
google.login.LoginService.2svDisable |
STATUS_UPDATE |
google.login.LoginService.2svEnroll |
STATUS_UPDATE |
google.login.LoginService.accountDisabledPasswordLeak |
STATUS_UPDATE |
google.login.LoginService.accountDisabledGeneric |
USER_LOGIN |
google.login.LoginService.accountDisabledSpammingThroughRelay |
USER_LOGIN
Security category: |
google.login.LoginService.accountDisabledSpamming |
USER_LOGIN
Security category: |
google.login.LoginService.accountDisabledHijacked |
USER_LOGIN
Security category: |
google.login.LoginService.emailForwardingOutOfDomain |
EMAIL_TRANSACTION |
google.login.LoginService.govAttackWarning |
USER_LOGIN
Security category: |
google.login.LoginService.loginChallenge |
USER_LOGIN |
google.login.LoginService.loginFailure |
USER_LOGIN
Security category: |
google.login.LoginService.loginVerification |
USER_LOGIN |
google.login.LoginService.logout |
USER_LOGOUT |
google.login.LoginService.loginSuccess |
USER_LOGIN |
google.login.LoginService.passwordEdit |
USER_CHANGE_PASSWORD |
google.login.LoginService.recoveryEmailEdit |
USER_RESOURCE_UPDATE_CONTENT |
google.login.LoginService.recoveryPhoneEdit |
USER_RESOURCE_UPDATE_CONTENT |
google.login.LoginService.recoverySecretQaEdit |
USER_RESOURCE_UPDATE_CONTENT |
google.login.LoginService.suspiciousLogin |
USER_LOGIN
Security category: |
google.login.LoginService.suspiciousLoginLessSecureApp |
USER_LOGIN
Security category: |
google.login.LoginService.suspiciousProgrammaticLogin |
USER_LOGIN
Security category: |
google.login.LoginService.titaniumEnroll |
USER_RESOURCE_UPDATE_CONTENT |
google.login.LoginService.titaniumUnenroll |
USER_RESOURCE_CREATION |
google.identity.accesscontextmanager.v1.AccessContextManager.CreateAccessLevel |
USER_RESOURCE_CREATION |
google.apps.cloudidentity.groups.v1.MembershipsService.UpdateMembership |
USER_RESOURCE_UPDATE_CONTENT |
io.k8s.core.v1.pods.create |
RESOURCE_CREATION |
io.k8s.authorization.rbac.v1.clusterrolebindings.create |
RESOURCE_CREATION |
beta.compute.instanceTemplates.insert |
RESOURCE_CREATION |
SetOrgPolicy |
USER_RESOURCE_UPDATE_PERMISSIONS |
beta.compute.instanceGroupManagers.patch |
RESOURCE_WRITTEN |
beta.compute.autoscalers.update |
RESOURCE_WRITTEN |
compute.v1.InstancesService.Get |
USER_RESOURCE_ACCESS |
google.storage.objects.list |
USER_RESOURCE_ACCESS |
google.cloudresourcemanager.v1.Projects.SetIamPolicy |
USER_RESOURCE_UPDATE_PERMISSIONS |
cloudsql.instances.query |
USER_RESOURCE_ACCESS |
cloudtrace.googleapis.com/ListInsights |
RESOURCE_READ |
google.cloud.functions.v1.CloudFunctionsService.CreateFunction |
RESOURCE_CREATION |
google.api.servicemanagement.v1.ServiceManager.ActivateServices |
USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.changePassword |
USER_CHANGE_PASSWORD |
google.api.serviceusage.v1.ServiceUsage.DisableService |
USER_RESOURCE_UPDATE_CONTENT |
AuthorizeUser |
USER_LOGIN |
google.cloud.oslogin.v1.OsLoginService.CheckPolicy |
USER_LOGIN |
google.admin.AdminService.unsuspendUser |
USER_CHANGE_PERMISSIONS |
jobservice.jobcompleted |
RESOURCE_WRITTEN |
compute.v1.ProjectsService.Get |
USER_RESOURCE_ACCESS |
v1.compute.projects.setCommonInstanceMetadata |
USER_RESOURCE_UPDATE_CONTENT |
CreateCryptoKey |
RESOURCE_CREATION |
storage.buckets.get |
RESOURCE_READ |
google.longrunning.Operations.GetOperation |
RESOURCE_READ |
io.k8s.core.v1.pods.delete |
RESOURCE_DELETION |
v1.compute.disks.delete |
RESOURCE_DELETION |
v1.compute.disks.insert |
RESOURCE_CREATION |
ScheduledSnapshots |
RESOURCE_WRITTEN |
v1.compute.disks.setLabels |
RESOURCE_WRITTEN |
google.cloud.healthcare.v1alpha2.dataset.DatasetService.AccessEhrSearch |
STATUS_UPDATE |
io.k8s.apiextensions.v1.customresourcedefinitions.patch |
RESOURCE_WRITTEN |
io.k8s.post |
USER_UNCATEGORIZED |
v1.compute.instances.delete |
RESOURCE_DELETION |
storage.buckets.list |
RESOURCE_READ |
storage.objects.create |
RESOURCE_CREATION |
google.pubsub.v1.Publisher.CreateTopic |
RESOURCE_CREATION |
google.devtools.cloudbuild.v1.CloudBuild.ListBuilds |
USER_RESOURCE_ACCESS |
google.cloud.asset.v1.AssetService.UpdateFeed |
USER_RESOURCE_UPDATE_PERMISSIONS |
storage.objects.update |
RESOURCE_WRITTEN |
datasetservice.insert |
USER_RESOURCE_CREATION |
storage.setIamPermissions |
USER_RESOURCE_UPDATE_PERMISSIONS |
io.k8s.coordination.v1.leases.update |
RESOURCE_WRITTEN |
datasetservice.delete |
USER_RESOURCE_DELETION |
compute.instances.repair.recreateInstance |
RESOURCE_CREATION |
tableservice.delete |
USER_RESOURCE_DELETION |
io.k8s.core.v1.configmaps.update |
RESOURCE_WRITTEN |
io.k8s.core.v1.nodes.proxy.get |
RESOURCE_READ |
compute.instances.repair.deleteInstance |
RESOURCE_DELETION |
google.cloud.dataproc.v1.JobController.SubmitJob |
RESOURCE_WRITTEN |
google.cloud.dataproc.v1beta2.ClusterController.UpdateCluster |
RESOURCE_WRITTEN |
io.k8s.app.v1beta1.applications.update |
RESOURCE_WRITTEN |
io.gke.networking.v1beta1.managedcertificates.update |
RESOURCE_WRITTEN |
io.k8s.extensions.v1beta1.deployments.patch |
RESOURCE_WRITTEN |
compute.instanceGroupManagers.deleteInstances |
RESOURCE_DELETION |
io.k8s.authorization.rbac.v1.rolebindings.patch |
RESOURCE_WRITTEN |
google.admin.AdminService.toggleServiceEnabled |
USER_UNCATEGORIZED |
io.k8s.core.v1.services.proxy.get |
RESOURCE_READ |
google.datastore.v1.Datastore.RunQuery |
STATUS_UPDATE |
google.appengine.Datastore.Put |
STATUS_UPDATE |
google.cloud.securitycenter.settings.v1beta2.Settings.UpdateSecurityHealthAnalyticsSettings |
RESOURCE_WRITTEN |
v1.compute.securityPolicies.patchRule |
RESOURCE_WRITTEN |
beta.compute.images.setIamPolicy |
USER_RESOURCE_UPDATE_PERMISSIONS |
google.iam.v1.IAMPolicy.SetIamPolicy |
USER_RESOURCE_UPDATE_PERMISSIONS |
io.k8s.certificates.v1.certificatesigningrequests.create |
RESOURCE_CREATION |
io.k8s.core.v0.id.create |
RESOURCE_CREATION |
google.cloud.orgpolicy.v2.OrgPolicy.DeletePolicy |
RESOURCE_WRITTEN |
google.cloud.securitycenter.settings.v1beta2.Settings.UpdateEventThreatDetectionSettings |
RESOURCE_DELETION |
UpdateCryptoKeyVersion |
RESOURCE_WRITTEN |
google.apps.cloudidentity.groups.v1.GroupsService.UpdateGroup |
RESOURCE_WRITTEN |
v1 |
STATUS_UPDATE |
google.cloud.run.v1.Services.ReplaceService |
SERVICE_UNCATEGORIZED |
updatePolicy |
RESOURCE_WRITTEN |
updateBackup |
RESOURCE_WRITTEN |
Referenz für die Feldzuordnung: GCP_CLOUDAUDIT
In der folgenden Tabelle sind die Protokollfelder des Protokolltyps „GCP_CLOUDAUDIT“ und die zugehörigen UDM-Felder aufgeführt.| Logfeld | UDM-Zuordnung | Logik |
|---|---|---|
jsonPayload.accesses[].resourceName |
about.resource.name |
|
protoPayload.response.selfLink |
about.url |
|
protoPayload.metadata.event.eventName.parameter.name[login_challenge_method] |
extensions.auth.auth_details |
Wenn der Wert des protoPayload.metadata.event.eventName-Logfelds login_failure, login_verification, login_challenge oder login_success ist und der Wert des protoPayload.metadata.event.eventName.parameter.name-Logfelds login_challenge_method ist, wird das protoPayload.metadata.event.eventName.parameter.value-Logfeld dem extensions.auth.auth_details-UDM-Feld zugeordnet. |
extensions.auth.auth_mechanism |
Wenn protoPayload.metadata.event.eventName mit login_failure, login_verification, login_challenge oder logic_success übereinstimmt, hat das UDM-Feld extensions.auth.auth_mechanism folgende Werte:
|
|
extensions.auth.type |
Wenn der Wert des protoPayload.metadata.event.eventName-Logfelds login_failure, login_verification, login_challenge oder login_success ist und der Wert des protoPayload.metadata.event.eventName.parameter.name-Logfelds login_challenge_method ist, wird das extensions.auth.type-UDM-Feld auf MACHINE gesetzt. |
|
protoPayload.response.vulnerability.shortDescription |
extensions.vulns.vulnerabilities.cve_id |
|
protoPayload.response.vulnerability.effectiveSeverity |
extensions.vulns.vulnerabilities.severity |
Wenn der Wert des protoPayload.response.vulnerability.effectiveSeverity-Logfelds einen der folgenden Werte enthält, wird das protoPayload.response.vulnerability.effectiveSeverity-Logfeld dem extensions.vulns.vulnerabilities.severity-UDM-Feld zugeordnet.
|
protoPayload.request.occurrence.vulnerability.shortDescription |
extensions.vulns.vulnerabilities.cve_id |
|
protoPayload.request.occurrence.vulnerability.effectiveSeverity |
extensions.vulns.vulnerabilities.severity |
Wenn der Wert des protoPayload.request.occurrence.vulnerability.effectiveSeverity-Logfelds einen der folgenden Werte enthält, wird das protoPayload.request.occurrence.vulnerability.effectiveSeverity-Logfeld dem extensions.vulns.vulnerabilities.severity-UDM-Feld zugeordnet.
|
protoPayload.request.occurrence.resourceUri |
additional.fields[request_resourceuri] |
|
protoPayload.request.spec.type |
target.resource.attribute.labels[request_spec_type] |
|
protoPayload.response.spec.type |
target.resource.attribute.labels[response_spec_type] |
|
protoPayload.request.spec.template.spec.shareProcessNamespace |
target.resource.attribute.labels[req_spec_template_spec_share_process_namespace] |
|
protoPayload.response.spec.template.spec.shareProcessNamespace |
target.resource.attribute.labels[resp_spec_template_spec_share_process_namespace] |
|
protoPayload.request.spec.jobTemplate.spec.template.spec.shareProcessNamespace |
target.resource.attribute.labels[req_spec_jobtemplate_spec_template_spec_share_process_namespace] |
|
protoPayload.request.spec.jobTemplate.spec.template.spec.restartPolicy |
target.resource.attribute.labels[req_spec_jobtemplate_spec_template_spec_restart_policy] |
|
protoPayload.request.spec.jobTemplate.spec.template.spec.containers.args |
target.resource_ancestors.attribute.labels[req_spec_jobtemplate_spec_template_spec_container_arg_{index}] |
|
protoPayload.request.spec.jobTemplate.spec.template.spec.containers.command |
target.resource_ancestors.attribute.labels[req_spec_jobtemplate_spec_template_spec_container_command_{index}] |
|
protoPayload.request.spec.jobTemplate.spec.template.spec.containers.image |
target.resource_ancestors.attribute.labels[req_spec_jobtemplate_spec_template_spec_container_image] |
|
protoPayload.request.spec.jobTemplate.spec.template.spec.containers.imagePullPolicy |
target.resource_ancestors.attribute.labels[req_spec_jobtemplate_spec_template_spec_container_image_pull_policy] |
|
protoPayload.request.spec.jobTemplate.spec.template.spec.containers.name |
target.resource_ancestors.name |
|
protoPayload.request.spec.jobTemplate.spec.template.spec.containers.resources.limits.cpu |
target.resource_ancestors.attribute.labels[req_spec_jobtemplate_spec_template_spec_container_resource_limits_cpu] |
|
protoPayload.request.spec.jobTemplate.spec.template.spec.containers.resources.limits.memory |
target.resource_ancestors.attribute.labels[req_spec_jobtemplate_spec_template_spec_container_resource_limits_memory] |
|
protoPayload.request.spec.jobTemplate.spec.template.spec.containers.resources.requests.cpu |
target.resource_ancestors.attribute.labels[req_spec_jobtemplate_spec_template_spec_container_resource_request_cpu] |
|
protoPayload.request.spec.jobTemplate.spec.template.spec.containers.resources.requests.memory |
target.resource_ancestors.attribute.labels[req_spec_jobtemplate_spec_template_spec_container_resource_request_memory] |
|
protoPayload.request.spec.jobTemplate.spec.template.spec.containers.securityContext.allowPrivilegeEscalation |
target.resource_ancestors.attribute.labels[req_spec_jobtemplate_spec_template_spec_container_security_context_allow_privilege_escalation] |
|
protoPayload.request.spec.jobTemplate.spec.template.spec.containers.securityContext.capabilities.drop |
target.resource_ancestors.attribute.labels[req_spec_jobtemplate_spec_template_spec_container_security_context_capabilities_drop_{index}] |
|
protoPayload.request.spec.jobTemplate.spec.template.spec.containers.securityContext.privileged |
target.resource_ancestors.attribute.labels[req_spec_jobtemplate_spec_template_spec_container_security_context_privileged] |
|
protoPayload.request.spec.jobTemplate.spec.template.spec.containers.securityContext.readOnlyRootFilesystem |
target.resource_ancestors.attribute.labels[req_spec_jobtemplate_spec_template_spec_container_security_context_read_only_root_filesystem] |
|
protoPayload.request.spec.jobTemplate.spec.template.spec.containers.terminationMessagePath |
target.resource_ancestors.attribute.labels[req_spec_jobtemplate_spec_template_spec_container_termination_message_path] |
|
protoPayload.request.spec.jobTemplate.spec.template.spec.containers.terminationMessagePolicy |
target.resource_ancestors.attribute.labels[req_spec_jobtemplate_spec_template_spec_container_termination_message_policy] |
|
protoPayload.request.spec.jobTemplate.spec.template.spec.containers.volumeMounts.mountPath |
target.resource_ancestors.attribute.labels[req_spec_jobtemplate_spec_template_spec_container_volume_mounts_mount_path_{index}] |
|
protoPayload.request.spec.jobTemplate.spec.template.spec.containers.volumeMounts.name |
target.resource_ancestors.attribute.labels[req_spec_jobtemplate_spec_template_spec_container_volume_mounts_name_{index}] |
|
protoPayload.request.spec.jobTemplate.spec.template.spec.containers.volumeMounts.readOnly |
target.resource_ancestors.attribute.labels[req_spec_jobtemplate_spec_template_spec_container_volume_mounts_readonly_{index}] |
|
protoPayload.metadata.event.eventName.parameter.name[GATEWAY_NAME] |
intermediary.resource.name |
|
receiveTimestamp |
metadata.collected_timestamp |
|
protoPayload.response.operationType |
metadata.description |
Wenn der Wert des protoPayload.methodName-Logfelds cloudsql.instances.create entspricht, wird das protoPayload.response.operationType - protoPayload.response.kind-Logfeld dem metadata.description-UDM-Feld zugeordnet. |
protoPayload.response.kind |
target.resource.attribute.labels[response_kind] |
|
protoPayload.status.message |
metadata.description |
|
protoPayload.metadata.event.eventName.parameter.name[SETTING_DESCRIPTION] |
metadata.description |
|
timestamp |
metadata.event_timestamp |
|
protoPayload.methodName |
metadata.product_event_type |
|
resource.labels.method |
metadata.product_event_type |
|
jsonPayload.event_subtype |
metadata.product_event_type |
|
insertId |
metadata.product_log_id |
|
protoPayload.metadata.event.eventName.parameter.name[PRODUCT_NAME] |
metadata.product_name |
Wenn der Wert des protoPayload.serviceName-Log-Felds mit dem regulären Ausdruck (compute.googleapis.com) übereinstimmt, wird das metadata.product_name-UDM-Feld auf Google Compute Engine festgelegt.Wenn der Wert des protoPayload.serviceName-Log-Felds mit dem regulären Ausdruck (bigquery.googleapis.com) übereinstimmt, wird das metadata.product_name-UDM-Feld auf BigQuery festgelegt.Wenn der Wert des protoPayload.serviceName-Log-Felds mit dem regulären Ausdruck (admin.googleapis.com or login.googleapis.com or cloudidentity.googleapis.com) übereinstimmt, wird das metadata.product_name-UDM-Feld auf G Suite festgelegt.Wenn der Wert des protoPayload.serviceName-Log-Felds mit dem regulären Ausdruck (k8s.io) übereinstimmt, wird das metadata.product_name-UDM-Feld auf Google Kubernetes Engine festgelegt.Wenn der Wert des protoPayload.serviceName-Log-Felds mit dem regulären Ausdruck (servicemanagement.googleapis.com) übereinstimmt, wird das metadata.product_name-UDM-Feld auf Google Service Management festgelegt.Wenn der Wert des protoPayload.serviceName-Log-Felds mit dem regulären Ausdruck (storage.googleapis.com) übereinstimmt, wird das metadata.product_name-UDM-Feld auf Google Cloud Storage festgelegt.Wenn der Wert des protoPayload.serviceName-Log-Felds mit dem regulären Ausdruck (cloudsql.googleapis.com) übereinstimmt, wird das metadata.product_name-UDM-Feld auf Google Cloud SQL festgelegt.Wenn der Wert des protoPayload.serviceName-Log-Felds mit dem regulären Ausdruck (dataproc.googleapis.com) übereinstimmt, wird das metadata.product_name-UDM-Feld auf Google Dataproc festgelegt.Wenn der Wert des protoPayload.serviceName-Log-Felds mit dem regulären Ausdruck (iam.googleapis.com) übereinstimmt, wird das metadata.product_name-UDM-Feld auf Google Cloud IAM festgelegt.Wenn der Wert des protoPayload.serviceName-Log-Felds mit dem regulären Ausdruck (accesscontextmanager.googleapis.com) übereinstimmt, wird das metadata.product_name-UDM-Feld auf Context Manager API festgelegt. |
logName |
metadata.url_back_to_product |
|
protoPayload.response.selfLinkWithId |
metadata.url_back_to_product |
|
metadata.vendor_name |
Das UDM-Feld metadata.vendor_name ist auf Google Cloud Platform gesetzt. |
|
httpRequest.protocol |
network.application_protocol |
|
protoPayload.metadata.request_id |
network.community_id |
|
protoPayload.resourceOriginalState.direction |
network.direction |
|
protoPayload.request.direction |
network.direction |
|
protoPayload.response.duration |
network.session_duration |
|
protoPayload.request.serialConsoleOptions |
principal.port |
Durch das Log-Feld protoPayload.request.serialConsoleOptions iterierenWenn der Wert protoPayload.request.serialConsoleOptions.name gleich port ist, wird das Log-Feld protoPayload.request.serialConsoleOptions.value dem UDM-Feld principal.port zugeordnet. Andernfalls wird das protoPayload.request.serialConsoleOptions.name-Logfeld dem principal.resource.attribute.labels.key-UDM-Feld und das protoPayload.request.serialConsoleOptions.value-Logfeld dem principal.resource.attribute.labels.value-UDM-Feld zugeordnet. |
protoPayload.metadata.event.eventName.parameter.name[EMAIL_LOG_SEARCH_SENDER] |
network.email.from |
|
protoPayload.metadata.event.eventName.parameter.name[EMAIL_LOG_SEARCH_MSG_ID] |
network.email.mail_id |
|
protoPayload.metadata.event.eventName.parameter.name[EMAIL_LOG_SEARCH_RECIPIENT] |
network.email.to |
|
httpRequest.requestMethod |
network.http.method |
|
protoPayload.requestMetadata.requestAttributes.method |
network.http.method |
|
httpRequest.referer |
network.http.referral_url |
|
protoPayload.requestMetadata.requestAttributes.path |
network.http.referral_url |
|
httpRequest.requestUrl |
network.http.referral_url |
|
protoPayload.resourceOriginalState.network |
network.http.referral_url |
|
httpRequest.status |
network.http.response_code |
|
protoPayload.response.error.code |
network.http.response_code |
|
protoPayload.status.code |
security_result.detection_fields [status_code] |
|
protoPayload.requestMetadata.callerSuppliedUserAgent |
network.http.user_agent |
Wenn der Wert des protoPayload.requestMetadata.callerSuppliedUserAgent-Logfelds mit dem regulären Ausdruck Group übereinstimmt, wird das protoPayload.requestMetadata.callerSuppliedUserAgent-Logfeld dem UDM-Feld principal.group.group_display_name zugeordnet. |
httpRequest.userAgent |
network.http.user_agent |
|
protoPayload.resourceOriginalState.alloweds.IPProtocol |
network.ip_protocol |
|
protoPayload.requestMetadata.requestAttributes.protocol |
network.ip_protocol |
|
protoPayload.request.IPProtocol |
network.ip_protocol |
|
protoPayload.request.alloweds.IPProtocol |
network.ip_protocol |
|
jsonPayload.connection.protocol |
network.ip_protocol |
|
protoPayload.metadata.event.eventName.parameter.name[ORG_UNIT_NAME] |
network.organization_name |
|
httpRequest.responseSize |
network.received_bytes |
|
httpRequest.requestSize |
network.sent_bytes |
|
jsonPayload.bytes_sent |
network.sent_bytes |
|
protoPayload.requestMetadata.requestAttributes.id |
network.session_id |
|
ProtoPayload.authenticationInfo.serviceAccountDelegationInfo.firstPartyPrincipal.principalEmail |
principal.email |
|
jsonPayload.src_instance.vm_name |
principal.hostname |
|
protoPayload.requestMetadata.callerIp |
principal.ip |
|
protoPayload.metadata.event.eventName.parameter.name[EMAIL_LOG_SEARCH_SMTP_SENDER_IP] |
principal.ip |
|
jsonPayload.connection.src_ip |
principal.ip |
|
httpRequest.serverIp |
principal.ip |
|
resourceLocation.originalLocations |
principal.location.name |
|
jsonPayload.connection.nat_ip |
principal.nat_ip |
|
jsonPayload.connection.nat_port |
principal.nat_port |
|
jsonPayload.connection.src_port |
principal.port |
|
protoPayload.authorizationInfo.resource |
principal.resource.name |
Wenn der Wert des protoPayload.authorizationInfo.resource-Logfelds nicht leer ist, wird das protoPayload.authorizationInfo.resource-Logfeld dem principal.resource.name-UDM-Feld zugeordnet. |
protoPayload.authorizationInfo.resourceAttributes.name |
principal.resource.name |
Wenn der Wert des protoPayload.authorizationInfo.resourceAttributes.name-Logfelds nicht leer ist, wird das protoPayload.authorizationInfo.resourceAttributes.name-Logfeld dem principal.resource.name-UDM-Feld zugeordnet. |
protoPayload.authorizationInfo.permission |
target.resource_ancestors.attribute.permissions.name |
|
protoPayload.authorizationInfo.permissionType |
target.resource_ancestors.attribute.permissions.type |
|
protoPayload.authorizationInfo.resourceAttributes.service |
target.resource_ancestors.attribute.labels[resource_attribute_service] |
|
protoPayload.authorizationInfo.granted |
target.resource_ancestors.attribute.labels[authorization_granted] |
|
protoPayload.resourceOriginalState.name |
principal.resource.name |
|
protoPayload.authorizationInfo.resourceAttributes.type |
principal.resource.resource_subtype |
|
principal.user.account_type |
Wenn der Wert des access.principalSubject-Logfelds mit dem regulären Ausdruck serviceAccount übereinstimmt, wird das principal.user.account_type-UDM-Feld auf SERVICE_ACCOUNT_TYPE festgelegt.Wenn der Wert des access.principalSubject-Logfelds mit dem regulären Ausdruck user übereinstimmt, wird das principal.user.account_type-UDM-Feld auf CLOUD_ACCOUNT_TYPE festgelegt. |
|
protoPayload.authorizationInfo.authorizationLoggingOptions.permissionType |
principal.user.attribute.permissions.description |
|
protoPayload.request.serviceAccounts[].scopes |
principal.user.attribute.permissions.name |
|
protoPayload.authorizationInfo.permission |
principal.user.attribute.permissions.name |
|
protoPayload.authorizationInfo.authorizationLoggingOptions.permissionType |
principal.user.attribute.permissions.type |
|
protoPayload.serviceData.policyDelta.bindingDeltas[].action |
principal.user.attribute.roles.description |
|
protoPayload.request.bindings.role |
principal.user.attribute.roles.name |
|
protoPayload.serviceData.policyDelta.bindingDeltas[].role |
principal.user.attribute.roles.name |
|
jsonPayload.location.principalEmployingEntity |
principal.user.company_name |
|
jsonPayload.location.principalOfficeCountry |
principal.user.office_address.country_or_region |
|
protoPayload.authenticationInfo.principalEmail |
principal.user.userid |
Wenn der Wert des protoPayload.authenticationInfo.principalEmail-Logfelds nicht leer ist, wird userid_auth mithilfe eines Grok-Musters aus dem protoPayload.authenticationInfo.principalEmail-Logfeld extrahiert und dem UDM-Feld principal.user.userid zugeordnet. |
protoPayload.metadata.jobInsertion.job.jobConfig.queryConfig.query |
additional.fields[job_insertion_query_org_id_{index}] |
Wenn der Wert des protoPayload.metadata.jobInsertion.job.jobConfig.queryConfig.query-Logfelds nicht leer ist, werden org_ids mithilfe eines Grok-Musters aus dem protoPayload.metadata.jobInsertion.job.jobConfig.queryConfig.query-Logfeld extrahiert und dem UDM-Feld additional.fields.job_insertion_query_org_id_{index} zugeordnet. |
protoPayload.serviceData.jobInsertRequest.resource.jobConfiguration.query.query |
additional.fields[job_insert_request_query_org_id_{index}] |
Wenn der Wert des protoPayload.serviceData.jobInsertRequest.resource.jobConfiguration.query.query-Logfelds nicht leer ist, werden org_ids mithilfe eines Grok-Musters aus dem protoPayload.serviceData.jobInsertRequest.resource.jobConfiguration.query.query-Logfeld extrahiert und dem UDM-Feld additional.fields.job_insert_request_query_org_id_{index} zugeordnet. |
protoPayload.request.permissions |
target.resource.attribute.labels.permission |
|
protoPayload.request.username |
principal.user.userid |
|
protoPayload.metadata.event.eventName.parameter.value |
principal.user.userid |
Wenn der Wert des protoPayload.metadata.event.eventName-Logfelds CREATE_EMAIL_MONITOR oder CREATE_DATA_TRANSFER_REQUEST entspricht:
protoPayload.metadata.event.eventName.parameter.name-Logfelds mit USER_EMAIL übereinstimmt, wird userid mithilfe eines Grok-Musters aus dem protoPayload.metadata.event.eventName.parameter.value-Logfeld extrahiert und dem UDM-Feld principal.user.userid zugeordnet. |
protoPayload.authenticationInfo.authoritySelector |
principal.user.userid |
Wenn der Wert des protoPayload.authenticationInfo.authoritySelector-Logfelds nicht leer ist, wird userid_selector mithilfe eines Grok-Musters aus dem protoPayload.authenticationInfo.authoritySelector-Logfeld extrahiert und dem UDM-Feld principal.user.userid zugeordnet. |
jsonPayload.actor.user |
principal.user.userid |
Wenn der Wert des jsonPayload.actor.user-Logfelds nicht leer ist, wird userid_actor mithilfe eines Grok-Musters aus dem jsonPayload.actor.user-Logfeld extrahiert und dem UDM-Feld principal.user.userid zugeordnet. |
protoPayload.authenticationInfo.principalEmail |
principal.user.email_addresses |
Wenn der Wert des protoPayload.authenticationInfo.principalEmail-Logfelds nicht leer ist und mit dem regulären Ausdruck .@. übereinstimmt, wird das protoPayload.authenticationInfo.principalEmail-Logfeld dem principal.user.email_addresses-UDM-Feld zugeordnet.protoPayload.authenticationInfo.principalEmail |
protoPayload.metadata.event.eventName.parameter.value |
principal.user.email_addresses |
protoPayload.metadata.event.eventName.parameter.value wird principal.user.email_addresses zugeordnet, wenn die folgenden Bedingungen erfüllt sind:
|
protoPayload.authenticationInfo.authoritySelector |
principal.user.email_addresses |
Wenn der Wert des protoPayload.authenticationInfo.authoritySelector-Logfelds nicht leer ist und mit dem regulären Ausdruck .@. übereinstimmt, wird das protoPayload.authenticationInfo.authoritySelector-Logfeld dem principal.user.email_addresses-UDM-Feld zugeordnet.protoPayload.authenticationInfo.authoritySelector |
jsonPayload.actor.user |
principal.user.email_addresses |
Wenn der Wert des jsonPayload.actor.user-Logfelds nicht leer ist und mit dem regulären Ausdruck .@. übereinstimmt, wird das jsonPayload.actor.user-Logfeld dem principal.user.email_addresses-UDM-Feld zugeordnet.jsonPayload.actor.user |
protoPayload.metadata.event.eventName.parameter.name[login_challenge_status] |
security_result.action |
security_result.action wird auf ALLOW gesetzt, wenn die folgenden Bedingungen erfüllt sind:
security_result.action wird auf FAIL gesetzt, wenn die folgenden Bedingungen erfüllt sind:
|
protoPayload.metadata.event.eventName.parameter.name[ACTION_TYPE] |
security_result.action |
security_result.action wird auf ALLOW gesetzt, wenn die folgenden Bedingungen erfüllt sind:
security_result.action wird auf BLOCK gesetzt, wenn die folgenden Bedingungen erfüllt sind:
security_result.action wird auf ALLOW_WITH_MODIFICATION gesetzt, wenn die folgenden Bedingungen erfüllt sind:
security_result.action wird auf QUARANTINE gesetzt, wenn die folgenden Bedingungen erfüllt sind:
security_result.action wird auf QUARANTINE gesetzt, wenn die folgenden Bedingungen erfüllt sind:
|
security_result.action_details |
Wenn der Wert des protoPayload.metadata.event.eventName-Logfelds login_challenge oder login_verification ist und der Wert des protoPayload.metadata.event.eventName.parameter.name-Logfelds login_challenge_status, wird das protoPayload.metadata.event.eventName.parameter.value-Logfeld dem security_result.action_details-UDM-Feld zugeordnet.Wenn der Wert des protoPayload.metadata.event.eventName-Logfelds ACTION_CANCELLED oder ACTION_REQUESTED ist und der Wert des protoPayload.metadata.event.eventName.parameter.name-Logfelds ACTION_TYPE, wird das protoPayload.metadata.event.eventName.parameter.value-Logfeld dem security_result.action_details-UDM-Feld zugeordnet. |
|
protoPayload.metadata.event.eventName.parameter.name[is_suspicious] |
security_result.category |
Wenn der Wert des protoPayload.metadata.event.eventName-Logfelds login_success ist, der Wert des protoPayload.metadata.event.eventName.parameter.name-Logfelds is_suspicious und der Wert des protoPayload.metadata.event.eventName.parameter.value-Logfelds True ist, wird das UDM-Feld security_result.category auf NETWORK_SUSPICIOUS gesetzt. |
logName |
security_result.category_details |
|
protoPayload.response.status |
security_result.description |
|
protoPayload.response.error.errors[].reason |
security_result.description |
|
protoPayload.metadata.tableCreation.reason |
security_result.description |
|
protoPayload.metadata.tableChange.reason |
security_result.description |
|
protoPayload.metadata.tableDeletion.reason |
security_result.description |
|
protoPayload.metadata.datasetCreation.reason |
security_result.description |
|
protoPayload.metadata.datasetDeletion.reason |
security_result.description |
|
protoPayload.policyViolationInfo.orgPolicyViolationInfo.violationInfo.errorMessage |
security_result.description |
|
protoPayload.status.message |
security_result.description |
|
protoPayload.request.status |
security_result.description |
|
jsonPayload.reason[].detail |
security_result.description |
|
protoPayload.response.status.state |
security_result.description |
|
protoPayload.response.status.conditions[].message |
security_result.description |
Wenn der Wert des message-Logfelds mit dem regulären Ausdruck response.*status.*conditions.*message übereinstimmt, wird das protoPayload.response.status.conditions.0.message-Logfeld dem UDM-Feld security_result.description zugeordnet. |
protoPayload.resourceOriginalState.priority |
security_result.priority_details |
|
protoPayload.request.priority |
security_result.priority_details |
|
protoPayload.serviceData.jobGetQueryResultsResponse.job.jobConfiguration.query.queryPriority |
security_result.priority_details |
|
protoPayload.metadata.vpcServiceControlsUniqueId |
security_result.rule_id |
|
protoPayload.request.body.settings.activationPolicy |
security_result.rule_name |
|
protoPayload.request.policy |
security_result.rule_name |
|
protoPayload.metadata.violationReason |
security_result.rule_name |
|
protoPayload.policyViolationInfo.orgPolicyViolationInfo.violationInfo.policyType |
security_result.rule_type |
|
protoPayload.metadata.dryRun |
security_result.rule_type |
|
severity |
security_result.severity |
|
security_result.severity_details |
Wenn der Wert des severity-Logfelds CRITICAL ist, wird das security_result.severity-UDM-Feld auf CRITICAL gesetzt.Wenn der Wert des severity-Logfelds ERROR ist, wird das security_result.severity-UDM-Feld auf ERROR gesetzt.Wenn der Wert des severity-Logfelds ALERT oder EMERGENCY ist, wird das security_result.severity-UDM-Feld auf HIGH gesetzt.Wenn der Wert des severity-Logfelds INFO oder NOTICE ist, wird das security_result.severity-UDM-Feld auf INFORMATIONAL gesetzt.Wenn der Wert des severity-Logfelds DEBUG ist, wird das security_result.severity-UDM-Feld auf LOW gesetzt.Wenn der Wert des severity-Logfelds WARNING ist, wird das security_result.severity-UDM-Feld auf MEDIUM gesetzt.Andernfalls wird das security_result.severity-UDM-Feld auf UNKNOWN_SEVERITY gesetzt. |
|
protoPayload.response.error.message |
security_result.summary |
|
protoPayload.response.error.errors[].message |
security_result.summary |
|
protoPayload.status.details.violations.description |
security_result.summary |
|
protoPayload.response.message |
security_result.summary |
|
protoPayload.request.description |
security_result.summary |
|
jsonPayload.reason[].type |
security_result.summary |
|
sourceLocation.file |
src.file.full_path |
|
protoPayload.serviceName |
target.application |
|
resource.labels.service |
target.application |
|
protoPayload.metadata.event.eventName.parameter.name[APPLICATION_NAME] |
target.application |
|
protoPayload.metadata.event.eventName.parameter.name[APP_NAME] |
target.application |
Wenn der Wert des protoPayload.metadata.event.eventName.parameter.name1-Logfelds APP_NAME und der Wert des protoPayload.metadata.event.eventName.parameter.name2-Logfelds APP_ID ist, wird das protoPayload.metadata.event.eventName.parameter.name2 - protoPayload.metadata.event.eventName.parameter.name1-Logfeld dem target.application-UDM-Feld zugeordnet. |
protoPayload.metadata.event.eventName.parameter.name[APP_ID] |
target.application |
Wenn der Wert des protoPayload.metadata.event.eventName.parameter.name1-Logfelds APP_NAME und der Wert des protoPayload.metadata.event.eventName.parameter.name2-Logfelds APP_ID ist, wird das protoPayload.metadata.event.eventName.parameter.name2 - protoPayload.metadata.event.eventName.parameter.name1-Logfeld dem target.application-UDM-Feld zugeordnet. |
protoPayload.metadata.event.eventName.parameter.name[SERVICE_NAME] |
target.application |
|
protoPayload.metadata.event.eventName.parameter.name[OAUTH2_SERVICE_NAME] |
target.application |
|
protoPayload.metadata.event.eventName.parameter.name[OAUTH2_APP_NAME] |
target.application |
Wenn der Wert des protoPayload.metadata.event.eventName.parameter.name1-Logfelds OAUTH2_APP_NAME und der Wert des protoPayload.metadata.event.eventName.parameter.name2-Logfelds OAUTH2_APP_ID ist, wird das protoPayload.metadata.event.eventName.parameter.name2 - protoPayload.metadata.event.eventName.parameter.name1-Logfeld dem target.application-UDM-Feld zugeordnet. |
protoPayload.metadata.event.eventName.parameter.name[OAUTH2_APP_ID] |
target.application |
Wenn der Wert des protoPayload.metadata.event.eventName.parameter.name1-Logfelds OAUTH2_APP_NAME und der Wert des protoPayload.metadata.event.eventName.parameter.name2-Logfelds OAUTH2_APP_ID ist, wird das protoPayload.metadata.event.eventName.parameter.name2 - protoPayload.metadata.event.eventName.parameter.name1-Logfeld dem target.application-UDM-Feld zugeordnet. |
protoPayload.metadata.event.eventName.parameter.name[REAUTH_APPLICATION, SITE_NAME] |
target.application |
|
jsonPayload.product |
target.application |
|
protoPayload.metadata.device_id |
target.asset.asset_id |
|
protoPayload.metadata.event.eventName.parameter.name[DEVICE_SERIAL_NUMBER] |
target.asset.hardware.serial_number |
|
protoPayload.metadata.event.eventName.parameter.name[PRINT_SERVER_NAME] |
target.asset.hostname |
|
protoPayload.metadata.event.eventName.parameter.name[PRINTER_NAME] |
target.asset.hostname |
|
protoPayload.request.instances.instance |
target.asset.product_object_id |
Das protoPayload.request.instances.instance-Logfeld wird dem target.asset.product_object_id-UDM-Feld zugeordnet, wenn der Indexwert in protoPayload.request.instances.instance 0 entspricht.Bei allen anderen Indexwerten wird das target.asset.labels.key-UDM-Feld auf request_instance festgelegt und das protoPayload.request.instances.instance-Logfeld wird dem target.asset.labels.value-UDM-Feld zugeordnet. |
protoPayload.request.instance |
target.asset.product_object_id |
|
protoPayload.metadata.event.eventName.parameter.name[DEVICE_ID] |
target.asset.product_object_id |
|
protoPayload.metadata.event.eventName.parameter.name[COMPANY_DEVICE_ID] |
target.asset.product_object_id |
|
target.asset.type |
Wenn der Wert des protoPayload.metadata.event.eventName.parameter.name-Logfelds PRINTER_SERVER_NAME entspricht, wird das target.asset.type-UDM-Feld auf SERVER gesetzt.Wenn der Wert des protoPayload.metadata.event.eventName.parameter.name-Logfelds PRINTER_NAME entspricht, wird das target.asset.type-UDM-Feld auf PRINTER gesetzt.Wenn der Wert des protoPayload.metadata.event.eventName.parameter.name-Logfelds DEVICE_TYPE entspricht, wird das target.asset.type-UDM-Feld auf ROLE_UNSPECIFIED gesetzt. |
|
protoPayload.metadata.event.eventName.parameter.name[SITE_LOCATION] |
target.file.full_path |
|
protoPayload.metadata.event.eventName.parameter.name[PERMISSION_GROUP_NAME] |
target.group.attribute.permissions.name |
|
protoPayload.metadata.event.eventName.parameter.name[GROUP_EMAIL] |
target.group.email_addresses |
|
protoPayload.metadata.event.eventName.parameter.name[DOMAIN_NAME] |
target.hostname |
|
jsonPayload.dest_instance.vm_name |
target.hostname |
|
protoPayload.requestMetadata.requestAttributes.host |
target.hostname |
|
httpRequest.remoteIp |
target.ip |
|
protoPayload.requestMetadata.destinationAttributes.ip |
target.ip |
|
protoPayload.metadata.event.eventName.parameter.name[EMAIL_LOG_SEARCH_SMTP_RECIPIENT_IP] |
target.ip |
|
protoPayload.request.ip |
target.ip |
|
jsonPayload.connection.dest_ip |
target.ip |
|
resource.labels.region |
target.location.country_or_region |
|
protoPayload.response.region |
target.location.country_or_region |
|
protoPayload.request.body.region |
target.location.country_or_region |
|
protoPayload.request.region |
target.location.country_or_region |
|
resource.labels.region |
target.location.country_or_region |
|
jsonPayload.dest_location.country |
target.location.country_or_region |
|
jsonPayload.dest_location.continent |
target.location.country_or_region |
|
protoPayload.request.override.overrideValue |
target.resource.attribute.labels[request_override_value] |
|
protoPayload.response.overrideValue |
target.resource.attribute.labels[response_override_value] |
|
resource.labels.location |
target.location.name |
|
protoPayload.resourceOriginalState.alloweds.ports |
target.port |
|
protoPayload.requestMetadata.destinationAttributes.port |
target.port |
|
jsonPayload.connection.dest_port |
target.port |
|
protoPayload.metadata.tableCreation.table.view.query |
target.process.command_line |
|
protoPayload.metadata.jobInsertion.job.jobConfig.queryConfig.query |
target.process.command_line |
|
protoPayload.serviceData.jobQueryRequest.query |
target.process.command_line |
|
protoPayload.serviceData.tableInsertResponse.resource.view.query |
target.process.command_line |
|
protoPayload.metadata.jobChange.job.jobConfig.queryConfig.query |
target.process.command_line |
|
protoPayload.metadata.tableChange.jobName |
target.process.pid |
|
protoPayload.metadata.tableCreation.jobName |
target.process.pid |
|
protoPayload.request.networkInterfaces[].subnetwork |
target.resource_ancestors.name |
|
protoPayload.request.body.instanceUid |
target.resource_ancestors.product_object_id |
|
protoPayload.response.instanceUid |
target.resource_ancestors.product_object_id |
|
protoPayload.request.disk[].mode |
target.resource_ancestors.attributes.permission.name |
|
protoPayload.request.disk[].autoDelete |
target.resource_ancestors.attributes.permission.name |
|
protoPayload.response.project_id |
target.resource_ancestors.id |
|
protoPayload.response.targetProject |
target.resource_ancestors.name |
|
protoPayload.request.target |
target.resource_ancestors.name |
|
protoPayload.resourceName |
target.resource_ancestors.name |
Wenn der Wert des protoPayload.methodName-Logfelds mit dem regulären Ausdruck (CreateServiceAccount, CreateWorkloadIdentityPool, CreateWorkloadIdentityPoolProvider, managedZones.create, changes.create, resourceRecordSets.create, responsePolicies.create, responsePolicyRules.create, policies.create, CreateRole, CreatePolicy, CreateServiceAccountKey, CreateWorkforcePool, CreateWorkforcePoolProvider) übereinstimmt, wird das protoPayload.resourceName-Logfeld dem UDM-Feld target.resource_ancestors.name zugeordnet. |
protoPayload.resource.role_name |
target.resource_ancestors.name |
|
protoPayload.request.parent |
target.resource_ancestors.name |
|
protoPayload.request.disks[].deviceName |
target.resource_ancestors.name |
|
protoPayload.request.network |
target.resource_ancestors.name |
|
resource.labels.project_id |
target.cloud.project.name |
|
resource.labels.project_id |
target.resource_ancestors.name |
|
protoPayload.request.disk[].type |
target.resource_ancestors.resource_subtype |
Wenn der Wert des protoPayload.request.cluster.subnetwork-Logfelds nicht leer ist, wird das target.resource_ancestors.resource_subtype-UDM-Feld auf subnetwork gesetzt.Wenn der Wert des protoPayload.request.cluster.network-Logfelds nicht leer ist, wird das target.resource_ancestors.resource_subtype-UDM-Feld auf network gesetzt.Wenn der Wert des protoPayload.request.cluster.nodePools.name-Logfelds nicht leer ist, wird das target.resource_ancestors.resource_subtype-UDM-Feld auf nodepool gesetzt. |
resource.location |
target.resource.attribute.cloud.availability_zone |
|
resourceLocation.currentLocations |
target.resource.attribute.cloud.availability_zone |
|
resource.labels.zone |
target.resource.attribute.cloud.availability_zone |
|
protoPayload.request.body.settings.locationPreference.zone |
target.resource.attribute.cloud.availability_zone |
|
protoPayload.metadata.tableChange.table.createTime |
target.resource.attribute.creation_time |
|
protoPayload.metadata.tableCreation.table.createTime |
target.resource.attribute.creation_time |
|
protoPayload.resourceOriginalState.creationTimestamp |
target.resource.attribute.creation_time |
|
protoPayload.response.insertTime |
target.resource.attribute.creation_time |
|
protoPayload.metadata.tableChange.table.updateTime |
target.resource.attribute.last_update_time |
|
protoPayload.metadata.tableCreation.table.updateTime |
target.resource.attribute.last_update_time |
|
protoPayload.serviceData.policyDelta.auditConfigDeltas[].logType |
target.resource.attribute.permissions.type |
|
request.role.title |
target.resource.attribute.roles.name |
|
protoPayload.request.role.included_permissions[] |
target.resource.attributes.permission.name |
|
protoPayload.request.role.description |
target.resource.attributes.roles.description |
|
protoPayload.resource.labels.firewall_rule_id |
target.resource.id |
|
protoPayload.resourceName |
target.resource.name |
Wenn der Wert des protoPayload.resourceName-Logfelds nicht leer ist, wird das protoPayload.resourceName-Logfeld dem target.resource.name-UDM-Feld zugeordnet. |
protoPayload.resource.labels.role_name |
target.resource.name |
Wenn der Wert des protoPayload.methodName-Logfelds google.iam.admin.v1.CreateRole entspricht, wird das protoPayload.resource.labels.role_name-Logfeld dem target.resource.name-UDM-Feld zugeordnet. |
protoPayload.resource.role_name |
target.resource.name |
|
protoPayload.request.service_account.display_name |
target.resource.name |
|
protoPayload.request.workloadIdentityPool.displayName |
target.resource.name |
|
protoPayload.request.name |
target.resource.name |
Wenn der Wert des protoPayload.methodName-Logfelds beta.compute.instances.insert entspricht, wird das protoPayload.request.name-Logfeld dem target.resource.name-UDM-Feld zugeordnet. |
protoPayload.request.cluster.name |
target.resource.name |
|
protoPayload.metadata.tableCreation.table.tableName |
target.resource.name |
|
protoPayload.metadata.datasetCreation.dataset.datasetName |
target.resource.name |
|
jsonPayload.accessApprovals[] |
target.resource.name |
|
jsonPayload.resource.name |
target.resource.name |
|
resource.labels.email_id |
target.resource.name |
Wenn der Wert des resource.labels.email_id-Logfelds nicht leer ist, wird das resource.labels.email_id-Logfeld dem target.resource.name-UDM-Feld zugeordnet. |
protoPayload.request.accessLevel.title |
target.resource.name |
|
resource.discoveryName |
target.resource.name |
|
protoPayload.response.name |
target.resource.name |
|
protoPayload.request.name |
target.resource.name |
|
resource.labels.network_id |
target.resource.name |
|
request.cluster.name |
target.resource.name |
|
resource.labels.cluster_name |
target.resource.name |
|
protoPayload.metadata.tableChange.table.tableName |
target.resource.name |
|
resource.labels.function_name |
target.resource.name |
Wenn der Wert des resource.type-Logfelds mit dem regulären Ausdruck cloud_function übereinstimmt, wird das resource.labels.function_name-Logfeld dem UDM-Feld target.resource.name zugeordnet. |
resource.parent |
target.resource.parent |
|
resource.labels.bucket_name |
target.resource.parent |
Wenn der Wert des resource.type-Logfelds gcs_bucket entspricht, wird das resource.labels.bucket_name-Logfeld dem target.resource.parent-UDM-Feld zugeordnet. |
resource.labels.dataset_id |
target.resource.product_object_id |
|
resource.labels.instance_group_id |
target.resource.product_object_id |
|
resource.labels.subnetwork_id |
target.resource.product_object_id |
|
resource.labels.firewall_rule_id |
target.resource.product_object_id |
|
resource.labels.forwarding_rule_id |
target.resource.product_object_id |
|
resource.labels.network_id |
target.resource.product_object_id |
|
resource.labels.unique_id |
target.resource.product_object_id |
|
protoPayload.metadata.event.eventName.parameter.name[RESOURCE_IDENTIFIER] |
target.resource.product_object_id |
|
protoPayload.metadata.event.eventName.parameter.name[SHARED_DRIVE_ID] |
target.resource.product_object_id |
|
protoPayload.response.unique_id |
target.resource.product_object_id |
Wenn der Wert des protoPayload.methodName-Logfelds mit dem regulären Ausdruck (CreateServiceAccount, CreateWorkloadIdentityPool, CreateWorkloadIdentityPoolProvider, managedZones.create, changes.create, resourceRecordSets.create, responsePolicies.create, responsePolicyRules.create, policies.create, CreateRole, CreatePolicy, CreateServiceAccountKey, CreateWorkforcePool, CreateWorkforcePoolProvider) übereinstimmt, wird das protoPayload.response.unique_id-Logfeld dem UDM-Feld target.resource.product_object_Id zugeordnet. |
protoPayload.request.account_id |
target.resource.product_object_id |
|
protoPayload.request.role_id |
target.resource.product_object_id |
Wenn der Wert des protoPayload.methodName-Logfelds google.iam.admin.v1.CreateRole entspricht, wird das protoPayload.request.role_id-Logfeld dem target.resource.product_object_id-UDM-Feld zugeordnet. |
protoPayload.request.workloadIdentityPoolId |
target.resource.product_object_id |
|
jsonPayload.resource.id |
target.resource.product_object_id |
|
resource.labels.instance_id |
target.resource.product_object_id |
|
resource.data.uniqueId |
target.resource.product_object_id |
|
protoPayload.request.workloadIdentityPoolProviderId |
target.resource.product_object_id |
|
protoPayload.request.machineType |
target.resource.resource_subtype |
Wenn der Wert des resource.type-Logfelds mit dem regulären Ausdruck gce_(autoscaler or instance_group) or gae_app" übereinstimmt, wird das resource.type-Log-Eingabefeld dem target.resource.resource_subtype-UDM-Feld zugeordnet. |
target.resource.resource_type |
Wenn der Wert des resource.type-Logfelds mit dem regulären Ausdruck gce_(firewall or forwarding_rule) or network_security_policy übereinstimmt, wird das target.resource.resource_type-UDM-Feld auf FIREWALL_RULE festgelegt und das resource.type-Log-Eingabefeld wird dem target.resource.resource_subtype-UDM-Feld zugeordnet.Andernfalls, wenn der Wert des resource.type-Logfelds mit dem regulären Ausdruck gce_(subnetwork or network) übereinstimmt, wird das target.resource.resource_type-UDM-Feld auf VPC_NETWORK festgelegt.Andernfalls, wenn der Wert des resource.type-Logfelds mit dem regulären Ausdruck cloud_dataproc_(batch or session) übereinstimmt, wird das target.resource.resource_type-UDM-Feld auf TASK festgelegt.Andernfalls, wenn der Wert des resource.type-Logfelds mit dem regulären Ausdruck gce_backend_service übereinstimmt, wird das target.resource.resource_type-UDM-Feld auf BACKEND_SERVICE festgelegt.Andernfalls, wenn der Wert des resource.type-Logfelds mit dem regulären Ausdruck build übereinstimmt, wird das target.resource.resource_type-UDM-Feld auf TASK festgelegt und das resource.type-Log-Eingabefeld wird dem target.resource.resource_subtype-UDM-Feld zugeordnet.Andernfalls, wenn der Wert des resource.type-Logfelds mit dem regulären Ausdruck pubsub_topic übereinstimmt, wird das target.resource.resource_type-UDM-Feld auf PIPE festgelegt und das resource.type-Log-Eingabefeld wird dem target.resource.resource_subtype-UDM-Feld zugeordnet.Andernfalls, wenn der Wert des resource.type-Logfelds mit dem regulären Ausdruck cloudkms_cryptokey übereinstimmt, wird das target.resource.resource_type-UDM-Feld auf CREDENTIAL festgelegt und das resource.type-Log-Eingabefeld wird dem target.resource.resource_subtype-UDM-Feld zugeordnet.Andernfalls, wenn der Wert des resource.type-Logfelds mit dem regulären Ausdruck iam_role übereinstimmt, wird das target.resource.resource_type-UDM-Feld auf ACCESS_POLICY festgelegt und das resource.type-Log-Eingabefeld wird dem target.resource.resource_subtype-UDM-Feld zugeordnet.Andernfalls, wenn der Wert des resource.type-Logfelds mit dem regulären Ausdruck cloud_run_job übereinstimmt, wird das target.resource.resource_type-UDM-Feld auf TASK festgelegt und das resource.type-Log-Eingabefeld wird dem target.resource.resource_subtype-UDM-Feld zugeordnet.Andernfalls, wenn der Wert des resource.type-Logfelds mit dem regulären Ausdruck cloud_run_revision übereinstimmt, wird das target.resource.resource_type-UDM-Feld auf BACKEND_SERVICE festgelegt und das resource.type-Log-Eingabefeld wird dem target.resource.resource_subtype-UDM-Feld zugeordnet.Andernfalls, wenn der Wert des resource.type-Logfelds mit dem regulären Ausdruck gcs_bucket übereinstimmt, wird das target.resource.resource_type-UDM-Feld auf STORAGE_BUCKET festgelegt.Andernfalls, wenn der Wert des resource.type-Logfelds mit dem regulären Ausdruck bigquery\.googleapis\.com/SparkJob übereinstimmt, wird das target.resource.resource_type-UDM-Feld auf TASK festgelegt.Andernfalls, wenn der Wert des resource.type-Logfelds mit dem regulären Ausdruck bigquery_(biengine_model or dataset) übereinstimmt, wird das target.resource.resource_type-UDM-Feld auf DATASET festgelegt.Andernfalls, wenn der Wert des resource.type-Logfelds mit dem regulären Ausdruck bigquery_dts_config übereinstimmt, wird das target.resource.resource_type-UDM-Feld auf SETTING festgelegt.Andernfalls, wenn der Wert des resource.type-Logfelds mit dem regulären Ausdruck cloudsql or bigquery_project or bigquery_resource übereinstimmt, wird das target.resource.resource_type-UDM-Feld auf DATABASE festgelegt.Andernfalls, wenn der Wert des resource.type-Logfelds mit dem regulärenresource.typeresource.typeresource.typeresource.typeresource.typeresource.typeresource.typeresource.typeresource.typeresource.typeresource.typeresource.typeresource.typeresource.typeresource.typeresource.typeresource.typeresource.typetarget.resource.resource_typetarget.resource.resource_typetarget.resource.resource_typetarget.resource.resource_typetarget.resource.resource_typetarget.resource.resource_typetarget.resource.resource_typetarget.resource.resource_typetarget.resource.resource_typetarget.resource.resource_typetarget.resource.resource_typetarget.resource.resource_typetarget.resource.resource_typetarget.resource.resource_typetarget.resource.resource_typetarget.resource.resource_typetarget.resource.resource_subtypeBACKEND_SERVICEBACKEND_SERVICEBACKEND_SERVICESETTINGSETTINGservice_accountSERVICE_ACCOUNTorganizationCLOUD_ORGANIZATIONaudited_resource or gae_appcloud_functionFUNCTIONgce_(network_endpoint_group or node_group)gce_(node_template or resource_policy)gce_diskDISKk8s_(scale or service)k8s_(control_plane_component or container)CONTAINERCONTAINERk8s_nodeVIRTUAL_MACHINEVIRTUAL_MACHINEk8s_podPODk8s_cluster or cloud_dataproc_cluster or gke_cluster or gke_nodepoolCLUSTERgke_containergkebackup\.googleapis\.com/(BackupPlan or RestorePlan)gce_(instance or snapshot)gce_imageIMAGEUNSPECIFIED
Andernfalls, wenn der Wert des resource.type-Logfelds mit dem regulären Ausdruck project übereinstimmt, wird das target.resource.resource_type-UDM-Feld auf CLOUD_PROJECT festgelegt.Andernfalls, wenn der Wert des resource.type-Logfelds mit dem regulären Ausdruck gke_ übereinstimmt, wird das target.resource.resource_type-UDM-Feld auf CLUSTER festgelegt.Andernfalls wird das target.resource.resource_type-UDM-Feld auf UNSPECIFIED festgelegt und das resource.type-Logfeld wird dem target.resource.resource_subtype-UDM-Feld zugeordnet. |
|
protoPayload.response.targetLink |
target.url |
|
protoPayload.metadata.event.eventName.parameter.name[WEB_ADDRESS] |
target.url |
|
protoPayload.request.httpRequest.url |
target.url |
|
resource.discoveryDocumentUri |
target.url |
|
httpRequest.requestUrl |
target.url |
|
protoPayload.request.role.included_permissions[] |
target.user.attribute.permissions.name |
|
protoPayload.metadata.event.eventName.parameter.name[ROLE_ID] |
target.user.attribute.roles.description |
Wenn der Wert des protoPayload.metadata.event.eventName.parameter.name-Logfelds ROLE_ID entspricht, wird das Role_ID - protoPayload.metadata.event.eventName.parameter.value-Logfeld dem target.user.attribute.roles.description-UDM-Feld zugeordnet. |
protoPayload.response.bindings[].role |
target.user.attribute.roles.name |
|
protoPayload.metadata.event.eventName.parameter.name[ROLE_NAME] |
target.user.attribute.roles.name |
|
protoPayload.request.serviceAccounts[].email |
target.user.email_addresses |
|
protoPayload.metadata.event.eventName.parameter.value |
target.user.email_addresses |
Wenn der Wert des protoPayload.metadata.event.eventName.parameter.value-Log-Felds nicht leer ist und der Wert des protoPayload.metadata.event.eventName-Log-Felds USER_EMAIL, EMAIL_MONITOR_DEST_EMAIL oder DESTINATION_USER_EMAIL entspricht, wird das protoPayload.metadata.event.eventName.parameter.value-Log-Feld dem target.user.email_addresses-UDM-Feld zugeordnet. |
protoPayload.metadata.event.eventName.parameter.name[NEW_VALUE] |
target.user.first_name |
Wenn der Wert des protoPayload.metadata.event.eventName-Logfelds mit „VORNAME“ übereinstimmt und der Wert des protoPayload.metadata.event.eventName.parameter.name-Logfelds mit NEW_VALUE übereinstimmt, wird das protoPayload.metadata.event.eventName.parameter.value-Logfeld dem target.user.first_name-UDM-Feld zugeordnet. |
protoPayload.request.personIdentifier.canonicalPersonId |
target.user.group_identifiers |
|
protoPayload.metadata.event.eventName.parameter.name[NEW_VALUE] |
target.user.last_name |
Wenn der Wert des protoPayload.metadata.event.eventName-Logfelds mit „LAST_NAME“ übereinstimmt und der Wert des protoPayload.metadata.event.eventName.parameter.name-Logfelds mit NEW_VALUE übereinstimmt, wird das protoPayload.metadata.event.eventName.parameter.value-Logfeld dem target.user.last_name-UDM-Feld zugeordnet. |
protoPayload.metadata.event.eventName.parameter.name[NEW_VALUE] |
target.user.user_display_name |
Wenn der Wert des protoPayload.metadata.event.eventName-Logfelds RENAME_USER und der Wert des protoPayload.metadata.event.eventName.parameter.name-Logfelds NEW_VALUE ist, wird das protoPayload.metadata.event.eventName.parameter.value-Logfeld dem target.user.user_display_name-UDM-Feld zugeordnet. |
protoPayload.response.user |
target.user.userid |
|
protoPayload.metadata.event.eventName.parameter.name[USER_EMAIL] |
target.user.userid |
Wenn der Wert des protoPayload.metadata.event.eventName-Logfelds CREATE_EMAIL_MONITOR oder CREATE_DATA_TRANSFER_REQUEST ist und der Wert des protoPayload.metadata.event.eventName.parameter.name-Logfelds USER_EMAIL ist, wird das protoPayload.metadata.event.eventName.parameter.value-Logfeld dem principal.user.userid-UDM-Feld zugeordnet.Andernfalls, wenn der Wert des protoPayload.metadata.event.eventName.parameter.name-Logfelds USER_EMAIL ist, wird das protoPayload.metadata.event.eventName.parameter.value-Logfeld dem target.user.userid-UDM-Feld zugeordnet. |
protoPayload.metadata.event.eventName.parameter.name[EMAIL_MONITOR_DEST_EMAIL] |
target.user.userid |
|
protoPayload.metadata.event.eventName.parameter.name[DESTINATION_USER_EMAIL] |
target.user.userid |
|
protoPayload.request.user |
target.user.userid |
|
protoPayload.serviceData.policyDelta.bindingDeltas[].member |
target.user.userid |
|
protoPayload.request.objects.db |
about.labels [database_name] (verworfen) |
|
jsonPayload.accesses[].methodName |
about.labels [methodName] (verworfen) |
|
protoPayload.request.objects.name |
about.labels [objects_name] (verworfen) |
|
protoPayload.metadata.event.eventName.parameter.name[API_CLIENT_NAME] |
about.labels[api_client_name] (verworfen) |
|
protoPayload.metadata.event.eventName.parameter.name[API_SCOPES] |
about.labels[api_scopes] (verworfen) |
|
protoPayload.metadata.event.eventName.parameter.name[BEGIN_DATE_TIME] |
about.labels[begin_date_time] (verworfen) |
|
protoPayload.metadata.event.eventName.parameter.name[BULK_UPLOAD_FAIL_USERS_NUMBER] |
about.labels[bulk_upload_fail_users_number] (verworfen) |
|
protoPayload.metadata.event.eventName.parameter.name[BULK_UPLOAD_TOTAL_USERS_NUMBER] |
about.labels[bulk_upload_total_users_number] (verworfen) |
|
protoPayload.metadata.event.eventName.parameter.name[CAA_ASSIGNMENTS_NEW] |
about.labels[caa_assignments_new] (verworfen) |
|
protoPayload.metadata.event.eventName.parameter.name[CAA_ASSIGNMENTS_OLD] |
about.labels[caa_assignments_old] (verworfen) |
|
protoPayload.metadata.event.eventName.parameter.name[CAA_ENFORCEMENT_ENDPOINTS_NEW] |
about.labels[caa_enforcement_endpoints_new] (verworfen) |
|
protoPayload.metadata.event.eventName.parameter.name[CAA_ENFORCEMENT_ENDPOINTS_OLD] |
about.labels[caa_enforcement_endpoints_old] (verworfen) |
|
protoPayload.requestMetadata.requestAttributes.size |
about.labels[caller_network_request_size] (verworfen) |
|
protoPayload.requestMetadata.requestAttributes.time |
about.labels[caller_network_request_time] (verworfen) |
|
protoPayload.requestMetadata.callerNetwork |
about.labels[caller_network] (verworfen) |
|
protoPayload.requestMetadata.requestAttributes.size |
principal.labels[caller_network_request_size] (verworfen) |
|
protoPayload.requestMetadata.requestAttributes.time |
principal.labels[request_attributes_time] (verworfen) |
|
protoPayload.requestMetadata.callerNetwork |
principal.labels[caller_network] (verworfen) |
|
protoPayload.metadata.event.eventName.parameter.name[CHROME_LICENSES_ENABLED] |
about.labels[chrome_licenses_enabled] (verworfen) |
|
protoPayload.metadata.event.eventName.parameter.name[END_DATE_TIME] |
about.labels[end_date_time] (verworfen) |
|
protoPayload.metadata.event.eventName.parameter.name[END_DATE] |
about.labels[end_date] (verworfen) |
|
protoType.metadata.event[].eventName |
about.labels[event_name] (verworfen) |
|
protoPayload.metadata.event.parameter[].label |
about.labels[event_param_label] (verworfen) |
|
protoPayload.metadata.event.parameter[].type |
about.labels[event_param_type] (verworfen) |
|
protoType.metadata.event[].eventType |
about.labels[event_type] (verworfen) |
|
protoPayload.metadata.event.eventName.parameter.name[FIELD_NAME] |
about.labels[field_name] (verworfen) |
|
protoPayload.metadata.event.eventName.parameter.name[FULL_ORG_UNIT_PATH] |
about.labels[full_org_unit_path] (verworfen) |
|
protoPayload.metadata.event.eventName.parameter.name[GROUP_MEMBER_BULK_UPLOAD_FAILED_NUMBER] |
about.labels[grp_member_bulk_upload_failed] (verworfen) |
|
protoPayload.metadata.event.eventName.parameter.name[GROUP_MEMBER_BULK_UPLOAD_TOTAL_NUMBER] |
about.labels[grp_member_bulk_upload_total] (verworfen) |
|
httpRequest.cacheFillBytes |
about.labels[httpreq_cache_fill_bytes] (verworfen) |
|
httpRequest.cacheHit |
about.labels[httpreq_cache_hit] (verworfen) |
|
httpRequest.cacheLookup |
about.labels[httpreq_cache_lookup] (verworfen) |
|
httpRequest.cacheValidatedWithOriginServer |
about.labels[httpreq_cache_validated_with_origin_server] (verworfen) |
|
httpRequest.latency |
about.labels[httprequest_latency] (verworfen) |
|
protoPayload.metadata.event.eventName.parameter.name[INFO_TYPE] |
about.labels[info_type] (verworfen) |
|
protoPayload.metadata.activityId.timeUsec |
about.labels[metadata_activityId_time_usec] (verworfen) |
|
protoPayload.metadata.activityId.uniqQualifier |
about.labels[metadata_activityId_uniq_qualifier] (verworfen) |
|
protoPayload.metadata.@type |
about.labels[metadata_type] (verworfen) |
|
protoPayload.metadata.event.eventName.parameter.name[NEW_PERMISSION_GRANT_STATE] |
about.labels[new_permission_grant_state] (verworfen) |
|
protoPayload.metadata.event.eventName.parameter.name[NUMBER_OF_COMPANY_OWNED_DEVICES] |
about.labels[num_of_company_owned_device] (verworfen) |
|
protoPayload.numResponseItems |
about.labels[num_response_items] (verworfen) |
|
protoPayload.metadata.event.eventName.parameter.name[OLD_PERMISSION_GRANT_STATE] |
about.labels[old_permission_grant_state] (verworfen) |
|
operation.first |
about.labels[operation_first] (verworfen) |
|
operation.id |
about.labels[operation_id] (verworfen) |
|
operation.last |
about.labels[operation_last] (verworfen) |
|
operation.producer |
about.labels[operation_producer] (verworfen) |
|
protoPayload.resourceOriginalState.selfLinkWithId |
about.labels[rc_old_selflinkWithId] (verworfen) |
|
protoPayload.metadata.event.eventName.parameter.name[REAUTH_SETTING_NEW] |
about.labels[reauth_setting_new] (verworfen) |
|
protoPayload.metadata.event.eventName.parameter.name[REAUTH_SETTING_OLD] |
about.labels[reauth_setting_old] (verworfen) |
|
protoPayload.request.alloweds[].ports |
about.labels[req_alloweds_ports] (verworfen) |
|
protoPayload.request.body.name |
about.labels[req_body_name] (verworfen) |
|
protoPayload.request.body.settings.activityPolicy |
about.labels[req_body_settings_activity_policy] (verworfen) |
|
protoPayload.request.deletionProtection |
about.labels[req_deletion_protection] (verworfen) |
|
protoPayload.request.disabled |
about.labels[req_disabled] (verworfen) |
|
protoPayload.request.displayDevice.enableDisplay |
about.labels[req_display_device_enable_display] (verworfen) |
|
protoPayload.request.enableFlowLogs |
about.labels[req_enable_flow_logs] (verworfen) |
|
protoPayload.request.fingerprint |
about.labels[req_fingerprint] (verworfen) |
|
protoPayload.request.shieldedInstanceConfig.enableSecureBoot |
about.labels[req_instance_config_enable_secure_boot] (verworfen) |
|
protoPayload.request.shieldedInstanceConfig.enableVtpm |
about.labels[req_instance_config_enable_vtpm] (verworfen) |
|
protoPayload.request.shieldedInstanceConfig.enableIntegrityMonitoring |
about.labels[req_instance_enable_integrity_monitoring] (verworfen) |
|
protoPayload.request.key_types[] |
about.labels[req_key_types] (verworfen) |
|
protoPayload.request.logconfig.enable |
about.labels[req_logconfig_enable] (verworfen) |
|
protoPayload.request.networkTier |
about.labels[req_network_tier] (verworfen) |
|
protoPayload.request.network |
about.labels[req_network] (verworfen) |
|
protoPayload.request.page_size |
about.labels[req_page_size] (verworfen) |
|
request.pagesize |
about.labels[req_page_size] (verworfen) |
|
protoPayload.request.policy.etag |
about.labels[req_policy_etag] (verworfen) |
|
protoPayload.request.portRange |
about.labels[req_port_range] (verworfen) |
|
protoPayload.request.privateIpGoogleAccess |
about.labels[req_private_ip_google_access] (verworfen) |
|
protoPayload.request.private_key_type |
about.labels[req_private_key_type] (verworfen) |
|
protoPayload.request.remove_deleted_service_accounts |
about.labels[req_remove_deleted_serviceAcc] (verworfen) |
|
protoPayload.request.showDeleted |
about.labels[req_show_deleted] (verworfen) |
|
protoPayload.request.skip_visibility_check |
about.labels[req_skip_visibility_check] (verworfen) |
|
protoPayload.request.stackType |
about.labels[req_stack_type] (verworfen) |
|
protoPayload.request.type |
about.labels[req_type] (verworfen) |
|
protoPayload.request.updateMask |
about.labels[req_update_mask] (verworfen) |
|
protoPayload.request.version |
about.labels[req_version] (verworfen) |
|
protoPayload.response.clientOperationId |
about.labels[res_client_operation_id] (verworfen) |
|
protoPayload.response.endTime |
about.labels[res_end_time] (verworfen) |
|
protoPayload.response.id |
about.labels[res_id] (verworfen) |
|
protoPayload.response.key_algorithm |
about.labels[res_key_algorithm] (verworfen) |
|
protoPayload.response.key_origin |
about.labels[res_key_origin] (verworfen) |
|
protoPayload.response.key_type |
about.labels[res_key_type] (verworfen) |
|
protoPayload.response.kind |
about.labels[res_kind] (verworfen) |
|
protoPayload.response.private_key_type |
about.labels[res_private_key_type] (verworfen) |
|
protoPayload.response.progress |
about.labels[res_progress] (verworfen) |
|
protoPayload.response.startTime |
about.labels[res_start_time] (verworfen) |
|
protoPayload.response.status |
about.labels[res_status] (verworfen) |
Wenn der Wert des protoPayload.methodName-Logfelds cloudsql.instances.create entspricht, wird das protoPayload.response.status-Logfeld dem security_result.description-UDM-Feld zugeordnet. |
protoPayload.response.type |
about.labels[res_type] (verworfen) |
|
protoPayload.response.unique_id |
about.labels[res_unique_id] (verworfen) |
Wenn der Wert des protoPayload.methodName-Logfelds mit dem regulären Ausdruck (CreateServiceAccount, CreateWorkloadIdentityPool, CreateWorkloadIdentityPoolProvider, managedZones.create, changes.create, resourceRecordSets.create, responsePolicies.create, responsePolicyRules.create, policies.create, CreateRole, CreatePolicy, CreateServiceAccountKey, CreateWorkforcePool, CreateWorkforcePoolProvider) übereinstimmt, wird das protoPayload.response.unique_id-Logfeld dem UDM-Feld target.resource.product_object_id zugeordnet. |
protoPayload.response.valid_after_time.seconds |
about.labels[res_valid_after_time] (verworfen) |
|
protoPayload.response.valid_before_time.seconds |
about.labels[res_valid_before_time] (verworfen) |
|
protoPayload.response.version |
about.labels[res_version] (verworfen) |
|
protoPayload.response.zone |
about.labels[res_zone] (verworfen) |
|
protoPayload.metadata.event.eventName.parameter.name[SEARCH_QUERY_FOR_DUMP] |
about.labels[search_query_for_dump] (verworfen) |
|
spanId |
about.labels[span_id] (verworfen) |
|
protoPayload.metadata.event.eventName.parameter.name[START_DATE] |
about.labels[start_date] (verworfen) |
|
traceSampled |
about.labels[trace_sampled] (verworfen) |
|
Trace |
about.labels[trace] (verworfen) |
|
protoPayload.@type |
about.labels[type] (verworfen) |
|
protoPayload.metadata.instanceMetadataDelta.addedMetadataKeys |
metadata.ingestion_labels [instance_metadata_key_added] |
|
protoPayload.metadata.instanceMetadataDelta.deletedMetadataKeys |
metadata.ingestion_labels [instance_metadata_key_deletion] |
|
protoPayload.metadata.instanceMetadataDelta.modifiedMetadataKeys |
metadata.ingestion_labels [instance_metadata_key_modification] |
|
protoPayload.metadata.projectMetadataDelta.addedMetadataKeys |
metadata.ingestion_labels [AddedMetadataKeys] |
|
protoPayload.metadata.projectMetadataDelta.deletedMetadataKeys |
metadata.ingestion_labels [DeletedMetadataKeys] |
|
protoPayload.metadata.projectMetadataDelta.modifiedMetadataKeys |
metadata.ingestion_labels [ModifiedMetadataKeys] |
|
protoPayload.redactions.reason |
principal.labels [protoPayload.redactions.field] (verworfen) |
|
protoPayload.redactions.type |
principal.labels [protoPayload.redactions.field] (verworfen) |
|
authenticationInfo.serviceAccountDelegationInfo.firstPartyPrincipal.serviceMetadata |
principal.labels [service_metadata] (verworfen) |
|
jsonPayload.sourceNetwork |
principal.labels [source_network] (verworfen) |
|
authenticationInfo.serviceAccountDelegationInfo.thirdPartyPrincipal.thirdPartyClaims |
principal.labels [third_party_claims] (verworfen) |
|
protoPayload.requestMetadata.requestAttributes.time |
principal.labels[caller_network_request_time] (verworfen) |
|
protoPayload.request.description |
principal.labels[req_description] (verworfen) |
|
protoPayload.request.ipCidrRange |
principal.labels[req_ip_cidr_range] (verworfen) |
|
protoPayload.request.sourceRanges[] |
principal.labels[req_source_ranges] (verworfen) |
|
protoPayload.requestMetadata.requestAttributes.reason |
principal.labels[request_attributes_reason] (verworfen) |
|
protoPayload.authenticationInfo.thirdPartyPrincipal |
principal.labels[third_party_principal] (verworfen) |
|
protoPayload.metadata.jobChange.after |
target.resource_ancestors.attribute.labels[jobchange_after] |
|
protoPayload.metadata.jobChange.before |
target.resource_ancestors.attribute.labels[jobchange_before] |
|
protoPayload.metadata.jobChange.job.jobConfig.queryConfig.query |
target.resource_ancestors.attribute.labels[jobchange_jobconfig_queryconfig_query] |
|
protoPayload.metadata.jobChange.job.jobConfig.queryConfig.createDisposition |
target.resource_ancestors.attribute.labels[jobchange_jobconfig_queryconfig_createdisposition] |
|
protoPayload.metadata.jobChange.job.jobConfig.queryConfig.destinationTable |
target.resource_ancestors.attribute.labels[jobchange_jobconfig_queryconfig_destinationtable] |
|
protoPayload.metadata.jobChange.job.jobConfig.queryConfig.priority |
target.resource_ancestors.attribute.labels[jobchange_jobconfig_queryconfig_priority] |
|
protoPayload.metadata.jobChange.job.jobConfig.queryConfig.writeDisposition |
target.resource_ancestors.attribute.labels[jobchange_jobconfig_queryconfig_writedisposition] |
|
protoPayload.metadata.jobChange.job.jobConfig.tableCopyConfig.createDisposition |
target.resource_ancestors.attribute.labels[jobchange_jobconfig_tablecopyconfig_createdisposition] |
|
protoPayload.metadata.jobChange.job.jobConfig.tableCopyConfig.destinationTable |
target.resource_ancestors.attribute.labels[jobchange_jobconfig_tablecopyconfig_destinationtable] |
|
protoPayload.metadata.jobChange.job.jobConfig.tableCopyConfig.operationType |
target.resource_ancestors.attribute.labels[jobchange_jobconfig_tablecopyconfig_operationtype] |
|
protoPayload.metadata.jobChange.job.jobConfig.tableCopyConfig.writeDisposition |
target.resource_ancestors.attribute.labels[jobchange_jobconfig_tablecopyconfig_writedisposition] |
|
protoPayload.metadata.jobChange.job.jobConfig.type |
target.resource_ancestors.attribute.labels[jobchange_jobconfig_type] |
|
protoPayload.metadata.jobChange.job.jobName |
target.resource_ancestors.name |
|
protoPayload.metadata.jobChange.job.jobStats.createTime |
target.resource_ancestors.attribute.creation_time |
|
protoPayload.metadata.jobChange.job.jobStats.endTime |
target.resource_ancestors.attribute.labels[jobchange_jobstats_endtime] |
|
protoPayload.metadata.jobChange.job.jobStats.queryStats |
target.resource_ancestors.attribute.labels[jobchange_jobstats_querystats] |
|
protoPayload.metadata.jobChange.job.jobStats.reservation |
target.resource_ancestors.attribute.labels[jobchange_jobstats_reservation] |
|
protoPayload.metadata.jobChange.job.jobStats.startTime |
target.resource_ancestors.attribute.labels[jobchange_jobstats_starttime] |
|
protoPayload.metadata.jobChange.job.jobStatus.errorResult.code |
security_result.detection_fields[jobchange_jobstatus_errorresult_code] |
|
protoPayload.metadata.jobChange.job.jobStatus.errorResult.message |
security_result.detection_fields[jobchange_jobstatus_errorresult_message] |
|
protoPayload.metadata.jobChange.job.jobStatus.jobState |
target.resource_ancestors.attribute.labels[jobstatus_jobstate] |
|
protoPayload.metadata.jobChange.job.jobConfig.tableCopyConfig.sourceTables |
target.resource_ancestors.attribute.labels[jobchange_jobconfig_tablecopyconfig_sourcetables] |
|
protoPayload.metadata.jobChange.job.jobStatus.errors.code |
security_result.detection_fields[jobchange_jobstatus_errors_code] |
|
protoPayload.metadata.jobChange.job.jobStatus.errors.message |
security_result.detection_fields[jobchange_jobstatus_errors_message] |
|
protoPayload.metadata.jobChange.job.jobConfig.extractConfig.sourceTable |
target.resource_ancestors.attribute.labels[jobchange_jobconfig_extractconfig_sourcetable] |
|
protoPayload.metadata.jobChange.job.jobConfig.extractConfig.destinationUris |
target.resource_ancestors.attribute.labels[jobchange_jobconfig_extractconfig_destinationuris] |
|
protoPayload.metadata.jobInsertion.job.jobConfig.queryConfig.query |
target.resource_ancestors.attribute.labels[jobinsertion_jobconfig_queryconfig_query] |
|
protoPayload.metadata.jobInsertion.job.jobConfig.queryConfig.createDisposition |
target.resource_ancestors.attribute.labels[jobinsertion_jobconfig_queryconfig_createdisposition] |
|
protoPayload.metadata.jobInsertion.job.jobConfig.queryConfig.destinationTable |
target.resource_ancestors.attribute.labels[jobinsertion_jobconfig_queryconfig_destinationtable] |
|
protoPayload.metadata.jobInsertion.job.jobConfig.queryConfig.priority |
target.resource_ancestors.attribute.labels[jobinsertion_jobconfig_queryconfig_priority] |
|
protoPayload.metadata.jobInsertion.job.jobConfig.queryConfig.writeDisposition |
target.resource_ancestors.attribute.labels[jobinsertion_jobconfig_queryconfig_writedisposition] |
|
protoPayload.metadata.jobInsertion.job.jobConfig.tableCopyConfig.createDisposition |
target.resource_ancestors.attribute.labels[jobinsertion_jobconfig_tablecopyconfig_createdisposition] |
|
protoPayload.metadata.jobInsertion.job.jobConfig.tableCopyConfig.destinationTable |
target.resource_ancestors.attribute.labels[jobinsertion_jobconfig_tablecopyconfig_destinationtable] |
|
protoPayload.metadata.jobInsertion.job.jobConfig.tableCopyConfig.operationType |
target.resource_ancestors.attribute.labels[jobinsertion_jobconfig_tablecopyconfig_operationtype] |
|
protoPayload.metadata.jobInsertion.job.jobConfig.tableCopyConfig.writeDisposition |
target.resource_ancestors.attribute.labels[jobinsertion_jobconfig_tablecopyconfig_writedisposition] |
|
protoPayload.metadata.jobInsertion.job.jobConfig.type |
target.resource_ancestors.attribute.labels[jobinsertion_jobconfig_type] |
|
protoPayload.metadata.jobInsertion.job.jobName |
target.resource_ancestors.name |
|
protoPayload.metadata.jobInsertion.job.jobStats.createTime |
target.resource_ancestors.attribute.creation_time |
|
protoPayload.metadata.jobInsertion.job.jobStats.reservation |
target.resource_ancestors.attribute.labels[jobinsertion_jobstats_reservation] |
|
protoPayload.metadata.jobInsertion.job.jobStats.queryStats |
target.resource_ancestors.attribute.labels[jobinsertion_jobstats_querystats] |
|
protoPayload.metadata.jobInsertion.job.jobStats.startTime |
target.resource_ancestors.attribute.labels[jobinsertion_jobstats_starttime] |
|
protoPayload.metadata.jobInsertion.job.jobStats.endTime |
target.resource_ancestors.attribute.labels[jobinsertion_jobstats_endtime] |
|
protoPayload.metadata.jobInsertion.job.jobStatus.errorResult.code |
security_result.detection_fields[jobinsertion_jobstatus_errorresult_code] |
|
protoPayload.metadata.jobInsertion.job.jobStatus.errorResult.message |
security_result.detection_fields[jobinsertion_jobstatus_errorresult_message] |
|
protoPayload.metadata.jobInsertion.job.jobStatus.jobState |
target.resource_ancestors.attribute.labels[jobinsertion_jobstatus_jobstate] |
|
protoPayload.metadata.jobInsertion.reason |
target.resource_ancestors.attribute.labels[jobinsertion_reason] |
|
protoPayload.metadata.jobInsertion.job.jobConfig.tableCopyConfig.sourceTables |
target.resource_ancestors.attribute.labels[jobinsertion_jobconfig_tablecopyconfig_sourcetables] |
|
protoPayload.metadata.jobInsertion.job.jobStatus.errors.code |
security_result.detection_fields[jobinsertion_jobstatus_errors_code] |
|
protoPayload.metadata.jobInsertion.job.jobStatus.errors.message |
security_result.detection_fields[jobinsertion_jobstatus_errors_message] |
|
protoPayload.metadata.jobInsertion.job.jobConfig.extractConfig.sourceTable |
target.resource_ancestors.attribute.labels[jobinsertion_jobconfig_extractconfig_sourcetable] |
|
protoPayload.metadata.jobInsertion.job.jobConfig.extractConfig.destinationUris |
target.resource_ancestors.attribute.labels[jobinsertion_jobconfig_extractconfig_destinationuris] |
|
protoPayload.response.buildConfig.entryPoint |
target.resource.attribute.labels[buildconfig_entrypoint] |
|
protoPayload.request.member |
target.user.email_addresses |
|
protoPayload.request.email |
target.user.email_addresses |
|
protoPayload.metadata.jobInsertion.reason |
target.resource.attribute.labels[job_insertion_reason] |
|
protoPayload.metadata.jobInsertion.job.jobConfig.queryConfig.statementType |
target.resource.attribute.labels[job_insertion_job_job_config_query_config_statement_type] |
|
protoPayload.metadata.jobInsertion.job.jobStatus.jobState |
target.resource.attribute.labels[job_insertion_job_job_status_job_state] |
|
protoPayload.response.state |
target.resource.attribute.labels[response_state] |
|
protoPayload.request.metadata.state |
target.resource.attribute.labels[request_state] |
|
protoPayload.authenticationInfo.principalSubject |
principal.user.userid |
Wenn der Wert des protoPayload.authenticationInfo.principalSubject-Logfelds nicht leer ist, wird new_user_id mithilfe eines Grok-Musters aus dem protoPayload.authenticationInfo.principalSubject-Logfeld extrahiert und dem UDM-Feld principal.user.userid zugeordnet. |
protoPayload.authenticationInfo.principalSubject |
principal.user.email_addresses |
Wenn der Wert des protoPayload.authenticationInfo.principalSubject-Logfelds nicht leer ist, wird new_email_id mithilfe eines Grok-Musters aus dem protoPayload.authenticationInfo.principalSubject-Logfeld extrahiert und dem UDM-Feld principal.user.email_addresses zugeordnet. |
protoPayload.authenticationInfo.serviceAccountDelegationInfo.principalSubject |
principal.user.attribute.labels[access_serviceAcc_principalSubject] |
|
protoPayload.response.oauth2_client_id |
principal.user.attribute.labels[response_oauth2_client_id] |
|
protoPayload.authorizationInfo.resourceAttributes.service |
principal.resource.attribute.labels[authorization_info_rcService] |
|
protoPayload.authorizationInfo.granted |
principal.user.attributes.labels[authorization_granted] |
|
protoPayload.request.cryptoKey.versionTemplate.algorithm |
security_result.detection_fields [algorithm] |
|
protoPayload.response.details[].@type |
security_result.detection_fields [details_type] |
|
protoPayload.request.cryptoKey.nextRotationTime |
security_result.detection_fields [next_rotation_time] |
|
protoPayload.request.cryptoKey.versionTemplate.protectionLevel |
security_result.detection_fields [protection_level] |
|
protoPayload.request.body.settings.ipConfiguration.authorizedNetworks.value |
security_result.detection_fields [protoPayload.request.body.settings.ipConfiguration.authorizedNetworks.kind] |
|
protoPayload.request.cryptoKey.purpose |
security_result.detection_fields [purpose] |
|
protoPayload.resourceName |
security_result.detection_fields [resource_name] |
|
protoPayload.authorizationInfo.resource |
security_result.detection_fields [resource] |
|
protoPayload.response.code |
security_result.detection_fields [response_code] |
|
protoPayload.request.cryptoKey.rotationPeriod |
security_result.detection_fields [rotation_period] |
|
protoPayload.metadata.securityPolicyInfo.organizationId |
security_result.detection_fields [securityPolicyInfo.organizationId] |
|
protoPayload.request.serviceAccounts[].scopes |
security_result.detection_fields [service_account_scope] |
|
protoPayload.response.details[].violations[].subject |
security_result.detection_fields [violation_subject] |
|
protoPayload.response.details[].violations[].type |
security_result.detection_fields [violation_type] |
|
protoPayload.metadata.event.eventName.parameter.name[ACTION_ID] |
security_result.detection_fields[action_id] |
|
protoPayload.serviceData.policyDelta.auditConfigDeltas[].action |
security_result.detection_fields[action] |
|
protoPayload.metadata.event.eventName.parameter.name[ALERT_NAME] |
security_result.detection_fields[alert_name] |
|
protoPayload.metadata.event.eventName.parameter.name[ALLOWED_TWO_STEP_VERIFICATION_METHOD] |
security_result.detection_fields[allowed_two_step_verification_method] |
|
protoPayload.requestMetadata.callerNetwork.requestAttributes.reason |
security_result.detection_fields[caller_network_request_reason] |
|
protoPayload.metadata.event.eventName.parameter.name[is_second_factor] |
security_result.detection_fields[is_second_factor] |
Wenn der Wert des protoPayload.metadata.event.eventName-Logfelds login_verification und der Wert des protoPayload.metadata.event.eventName.parameter.name-Logfelds is_second_factor ist, wird das protoPayload.metadata.event.eventName.parameter.value-Logfeld dem security_result.detection_fields.value-UDM-Feld zugeordnet. |
protoPayload.metadata.event.eventName.parameter.name[is_suspicious] |
security_result.detection_fields[is_suspicious] |
Wenn der Wert des protoPayload.metadata.event.eventName-Logfelds login_success und der Wert des protoPayload.metadata.event.eventName.parameter.name-Logfelds is_suspicious ist, wird das protoPayload.metadata.event.eventName.parameter.boolValue-Logfeld dem security_result.detection_fields.value-UDM-Feld zugeordnet. |
protoPayload.metadata.event.eventName.parameter.name[login_failure_type] |
security_result.detection_fields[login_failure_type] |
Wenn der Wert des protoPayload.metadata.event.eventName-Logfelds login_failure und der Wert des protoPayload.metadata.event.eventName.parameter.name-Logfelds login_failure_type ist, wird das protoPayload.metadata.event.eventName.parameter.value-Logfeld dem security_result.detection_fields.value-UDM-Feld zugeordnet. |
protoPayload.metadata.event.eventName.parameter.name[login_type] |
security_result.detection_fields[login_type] |
Wenn der Wert des protoPayload.metadata.event.eventName-Logfelds login_failure, login_challenge, login_verification, login_success oder logout ist und der Wert des protoPayload.metadata.event.eventName.parameter.name-Logfelds login_type ist, wird das protoPayload.metadata.event.eventName.parameter.value-Logfeld dem about.labels.value-UDM-Feld zugeordnet. |
protoPayload.request.bindings.members[] |
security_result.detection_fields[members] |
|
protoPayload.policyViolationInfo.orgPolicyViolationInfo.violationInfo.checkedValue |
security_result.detection_fields[policy_violation_checked_value] |
|
protoPayload.policyViolationInfo.orgPolicyViolationInfo.violationInfo.constraint |
security_result.detection_fields[policy_violation_constraint] |
|
protoPayload.policyViolationInfo.orgPolicyViolationInfo.resourceTags |
security_result.detection_fields[policy_violation_resource_tags] |
|
protoPayload.policyViolationInfo.orgPolicyViolationInfo.resourceType |
security_result.detection_fields[policy_violation_resource_type] |
|
protoPayload.metadata.event.eventName.parameter.name[QUARANTINE_NAME] |
security_result.detection_fields[quarantine_name] |
|
protoPayload.resourceOriginalState.logconfig.enable |
security_result.detection_fields[rc_orgState_logconfig_enable] |
|
protoPayload.request.alloweds[].ports |
security_result.detection_fields[req_alloweds_ports] |
|
protoPayload.response.error.errors[].domain |
security_result.detection_fields[res_error_domain] |
|
protoPayload.resourceOriginalState.direction |
security_result.detection_fields[resource_original_state_direction] |
|
protoPayload.authenticationInfo.serviceAccountKeyName |
security_result.detection_fields[service_account_key_name] |
|
Referred this from Default parser. |
security_result.detection_fields[SERVICE] |
|
protoPayload.status.details.type |
security_result.detection_fields[status_details_type] |
|
protoPayload.status.details.violations.subject |
security_result.detection_fields[status_details_violation_subject] |
|
protoPayload.status.details.violations.type |
security_result.detection_fields[status_details_violation_type] |
|
sourceLocation.function |
src.labels[src_location_function] |
|
sourceLocation.line |
src.labels[src_location_line] |
|
protoPayload.metadata.event.eventName.parameter.name[DEVICE_NEW_STATE] |
target.asset.attribute.labels[dvc_new_state] |
|
protoPayload.metadata.event.eventName.parameter.name[DEVICE_PREVIOUS_STATE] |
target.asset.attribute.labels[dvc_previous_state] |
|
protoPayload.metadata.event.eventName.parameter.name[DEVICE_TYPE] |
target.asset.attribute.labels[dvc_type] |
|
protoPayload.metadata.event.eventName.parameter.name[MANAGED_CONFIGURATION_NAME] |
target.asset.attribute.labels[managed_config_name] |
|
protoPayload.metadata.event.eventName.parameter.name[MOBILE_APP_PACKAGE_ID] |
target.asset.attribute.labels[mobile_app_package_id] |
|
protoPayload.metadata.event.eventName.parameter.name[MOBILE_CERTIFICATE_COMMON_NAME] |
target.asset.attribute.labels[mobile_certificate_common_name] |
|
protoPayload.metadata.event.eventName.parameter.name[MOBILE_WIRELESS_NETWORK_NAME] |
target.asset.attribute.labels[mobile_wireless_network_name] |
|
protoPayload.metadata.event.eventName.parameter.name[PLAY_FOR_WORK_MDM_VENDOR_NAME] |
target.asset.attribute.labels[play_for_work_mdm_vendor_name] |
|
protoPayload.metadata.event.eventName.parameter.name[PLAY_FOR_WORK_TOKEN_ID] |
target.asset.attribute.labels[play_for_work_token_id] |
|
resource.labels.instance_id |
target.asset.attribute.labels[rc_instance_id] |
|
protoPayload.metadata.event.eventName.parameter.name[SKU_NAME] |
target.asset.attribute.labels[sku_name] |
|
protoPayload.response.targetId |
target.asset.attribute.labels[target_id] |
Wenn der Wert des protoPayload.methodName-Logfelds nicht mit cloudsql.instances.create übereinstimmt, wird das protoPayload.response.targetId-Logfeld dem target.asset.attribute.labels.value-UDM-Feld zugeordnet. |
resource.labels.backend_service_name |
target.labels [backend_service_name] (verworfen) |
|
protoPayload.requestMetadata.requestAttributes.auth.claims |
target.labels [request_auth_claims] (verworfen) |
|
protoPayload.metadata.event.eventName.parameter.name[APPLICATION_EDITION] |
target.labels[application_edition] (verworfen) |
|
protoPayload.metadata.event.eventName.parameter.name[ASP_ID] |
target.labels[asp_id] (verworfen) |
|
protoPayload.metadata.event.eventName.parameter.name[CHROME_OS_SESSION_TYPE] |
target.labels[chrome_os_session_type] (verworfen) |
|
protoPayload.metadata.event.eventName.parameter.name[DEVICE_NEW_ORG_UNIT] |
target.labels[device_new_org_unit] (verworfen) |
|
protoPayload.metadata.event.eventName.parameter.name[DEVICE_PREVIOUS_ORG_UNIT] |
target.labels[device_previous_org_unit] (verworfen) |
|
protoPayload.metadata.event.eventName.parameter.name[DOMAIN_ALIAS] |
target.labels[domain_alias] (verworfen) |
|
protoPayload.metadata.event.eventName.parameter.name[EMAIL_EXPORT_INCLUDE_DELETED] |
target.labels[email_export_include_deleted] (verworfen) |
|
protoPayload.metadata.event.eventName.parameter.name[EMAIL_EXPORT_PACKAGE_CONTENT] |
target.labels[email_export_package_content] (verworfen) |
|
protoPayload.metadata.event.eventName.parameter.name[EMAIL_LOG_SEARCH_END_DATE] |
target.labels[email_log_search_end_date] (verworfen) |
|
protoPayload.metadata.event.eventName.parameter.name[EMAIL_LOG_SEARCH_START_DATE] |
target.labels[email_log_search_start_date] (verworfen) |
|
protoPayload.metadata.event.eventName.parameter.name[EMAIL_MONITOR_LEVEL_CHAT] |
target.labels[email_monitor_level_chat] (verworfen) |
|
protoPayload.metadata.event.eventName.parameter.name[EMAIL_MONITOR_LEVEL_DRAFT_EMAIL] |
target.labels[email_monitor_level_draft_email] (verworfen) |
|
protoPayload.metadata.event.eventName.parameter.name[EMAIL_MONITOR_LEVEL_INCOMING_EMAIL] |
target.labels[email_monitor_level_in_email] (verworfen) |
|
protoPayload.metadata.event.eventName.parameter.name[EMAIL_MONITOR_LEVEL_OUTGOING_EMAIL] |
target.labels[email_monitor_level_out_email] (verworfen) |
|
protoPayload.metadata.event.eventName.parameter.name[GMAIL_RESET_REASON] |
target.labels[email_reset_reason] (verworfen) |
|
protoPayload.metadata.event.eventName.parameter.name[NEW_VALUE] |
target.labels[new_value] (verworfen) |
|
protoPayload.metadata.event.eventName.parameter.name[OAUTH2_APP_TYPE] |
target.labels[oauth2_app_type] (verworfen) |
|
protoPayload.metadata.event.eventName.parameter.name[OLD_VALUE] |
target.labels[old_value] (verworfen) |
|
protoPayload.requestMetadata.destinationAttributes.principal |
target.labels[peer_principal] (verworfen) |
|
protoPayload.requestMetadata.destinationAttributes.regionCode |
target.labels[peer_region_code] (verworfen) |
|
protoPayload.request.loadBalancingScheme |
target.labels[req_load_balancing_scheme] (verworfen) |
|
protoPayload.request.requestId |
target.labels[request_id] (verworfen) |
|
protoPayload.metadata.event.eventName.parameter.name[REQUEST_ID] |
target.labels[request_id] (verworfen) |
|
protoPayload.resourceOriginalState.description |
target.labels[res_originalState_description] (verworfen) |
|
protoPayload.response.bindings[].members[] |
target.labels[response_bindings_members] (verworfen) |
|
protoPayload.response.description |
target.labels[response_description] (verworfen) |
|
protoPayload.response.display_name |
target.labels[response_display_name] (verworfen) |
|
protoPayload.metadata.event.eventName.parameter.name[SECONDARY_DOMAIN_NAME] |
target.labels[secondary_domain_name] (verworfen) |
|
protoPayload.metadata.event.eventName.parameter.name[SETTING_NAME] |
target.labels[setting_name] (verworfen) |
|
protoPayload.metadata.event.eventName.parameter.name[USER_CUSTOM_FIELD] |
target.labels[user_custom_field] (verworfen) |
|
protoPayload.metadata.event.eventName.parameter.name[USER_DEFINED_SETTING_NAME] |
target.labels[user_defined_setting_name] (verworfen) |
|
protoPayload.metadata.event.eventName.parameter.name[WEB_ORIGIN] |
target.labels[web_origin] (verworfen) |
|
protoPayload.metadata.event.eventName.parameter.name[WHITELISTED_GROUPS] |
target.labels[whitelisted_groups] (verworfen) |
|
protoPayload.metadata.event.eventName.parameter.name[APP_LICENSES_ORDER_NUMBER] |
target.asset.labels[app_licenses_order_number] |
|
protoPayload.metadata.event.eventName.parameter.name[CHROME_NUM_LICENSES_PURCHASED] |
target.asset.labels[chrome_num_licenses_purchased] |
|
protoPayload.metadata.event.eventName.parameter.name[DEVICE_COMMAND_DETAILS] |
target.asset.labels[device_command_details] |
|
protoPayload.metadata.event.eventName.parameter.name[DIRECTORY_API_ID] |
target.asset.labels[directory_api_id] |
|
protoPayload.metadata.event.eventName.parameter.name[GROUP_PRIORITIES] |
target.group.attribute.labels[group_priorities] |
|
protoPayload.request.cluster.subnetwork |
target.resource_ancestor.attribute.labels[req_cls_subnetwork] |
|
protoPayload.request.cluster.nodePools[].autoscaling.enabled |
target.resource_ancestor.attribute.labels[req_clsNodePools_autoscaling_enabled] |
|
protoPayload.request.cluster.nodePools[].autoscaling.maxNodeCount |
target.resource_ancestor.attribute.labels[req_clsNodePools_autoscaling_max_node_cnt] |
|
protoPayload.request.cluster.nodePools[].autoscaling.minNodeCount |
target.resource_ancestor.attribute.labels[req_clsNodePools_autoscaling_min_node_cnt] |
|
protoPayload.request.cluster.nodePools[].management.autoupgrade |
target.resource_ancestor.attribute.labels[req_clsNodePools_autoupgrade] |
|
protoPayload.request.cluster.nodePools[].config.diskSizeGb |
target.resource_ancestor.attribute.labels[req_clsNodePools_config_disksize] |
|
protoPayload.request.cluster.nodePools[].config.imageType |
target.resource_ancestor.attribute.labels[req_clsNodePools_config_imagetype] |
|
protoPayload.request.cluster.nodePools[].config.machineType |
target.resource_ancestor.attribute.labels[req_clsNodePools_config_machinetype] |
|
protoPayload.request.cluster.nodePools[].config.oauthScopes[] |
target.resource_ancestor.attribute.labels[req_clsNodePools_config_oauth_scopes] |
|
protoPayload.request.cluster.nodePools[].name |
target.resource_ancestor.attribute.labels[req_clsNodePools_name] |
|
protoPayload.request.cluster.nodePools[].initialNodeCount |
target.resource_ancestor.attribute.labels[req_clsterNodePools_autoscaling_initial_node_cnt] |
|
resource.data.oauth2ClientId |
target.resource.attribute.labels [oauth_client_id] |
|
protoPayload.request.properties.confidentialInstanceConfig.enableConfidentialCompute |
target.resource.attribute.labels [ enable_confidential_compute] |
|
protoPayload.request.function.timeout |
target.resource.attribute.labels [ function_time_out] |
|
protoPayload.requestMetadata.requestAttributes.auth.accessLevels |
target.resource.attribute.labels [accessLevel] |
|
protoPayload.request.date |
target.resource.attribute.labels [audit_event_occurred] |
|
protoPayload.request.auditId |
target.resource.attribute.labels [audit_id] |
|
protoPayload.request.autoscalingPolicy.mode |
target.resource.attribute.labels [autoscaling_policy_mode] |
|
protoPayload.request.autoscalingPolicy.coolDownPeriodSec |
target.resource.attribute.labels [cool_down_period] |
|
protoPayload.request.denieds.0.IPProtocol |
target.resource.attribute.labels [Denied Protocol] |
|
protoPayload.request.destinationRanges |
target.resource.attribute.labels [destination_ranges] |
|
protoPayload.request.function.entryPoint |
target.resource.attribute.labels [function_entry_point] |
|
protoPayload.request.function.httpsTrigger.securityLevel |
target.resource.attribute.labels [function_httptrigger_security_level] |
|
protoPayload.request.function.runtime |
target.resource.attribute.labels [function_runtime] |
|
protoPayload.request.function.serviceAccountEmail |
target.resource.attribute.labels [function_service_account_email] |
|
protoPayload.request.function.sourceUploadUrl |
target.resource.attribute.labels [function_source_upload_url] |
|
protoPayload.metadata.iapEnabled |
target.resource.attribute.labels [iapEnabled] |
|
protoPayload.request.listManagedInstancesResults |
target.resource.attribute.labels [managed_instances_result] |
|
protoPayload.request.autoscalingPolicy.maxNumReplicas |
target.resource.attribute.labels [max_replicas] |
|
protoPayload.request.autoscalingPolicy.minNumReplicas |
target.resource.attribute.labels [min_replicas] |
|
protoPayload.request.msgType |
target.resource.attribute.labels [msg_type] |
|
protoPayload.metadata.oauth_client_id |
target.resource.attribute.labels [oauth_client_id] |
|
protoPayload.request.autoscalingPolicy.cpuUtilization.predictiveMethod |
target.resource.attribute.labels [predictive_method] |
|
protoPayload.request.labels.0.value |
target.resource.attribute.labels [protoPayload.request.labels.0.key] |
|
protoPayload.request.queryId |
target.resource.attribute.labels [query_id] |
|
protoPayload.request.constraint |
target.resource.attribute.labels [request_constraint] |
|
protoPayload.request.dataAccessed |
target.resource.attribute.labels [request_data_accessed] |
|
protoPayload.request.function.labels.deployment-tool |
target.resource.attribute.labels [request_deployment_tool] |
|
protoPayload.request.properties.description |
target.resource.attribute.labels [request_description] |
|
protoPayload.request.function.name |
target.resource.attribute.labels [request_function_name] |
|
protoPayload.request.location |
target.resource.attribute.labels [request_location] |
|
protoPayload.request.policy.constraint |
target.resource.attribute.labels [request_policy_constraint] |
|
protoPayload.request.@type |
target.resource.attribute.labels [request_type] |
|
protoPayload.request.cmd |
target.resource.attribute.labels [sql_operation_type ] |
|
protoPayload.request.threadId |
target.resource.attribute.labels [thread_id] |
|
protoPayload.metadata.unsatisfied_access_levels |
target.resource.attribute.labels [unsatisfied_access_levels] |
|
protoPayload.request.autoscalingPolicy.cpuUtilization.utilizationTarget |
target.resource.attribute.labels [utilization_target] |
|
protoPayload.request.body.settings.backupConfiguration.binaryLogEnabled |
target.resource.attribute.labels[backup_config_binarylog_enabled] |
|
protoPayload.request.body.settings.backupConfiguration.enabled |
target.resource.attribute.labels[backup_config_enabled] |
|
protoPayload.request.body.settings.backupConfiguration.transactionLogRetentionDays |
target.resource.attribute.labels[backup_config_logRetention_days] |
|
protoPayload.request.body.settings.backupConfiguration.pointInTimeRecoveryEnabled |
target.resource.attribute.labels[backup_config_point_in_time_recovery_enabled] |
|
protoPayload.request.body.settings.backupConfiguration.backupRetentionSettings.retainedBackups |
target.resource.attribute.labels[backup_config_retention_settings_retained_backups] |
|
protoPayload.request.body.settings.backupConfiguration.backupRetentionSettings.retentionUnit |
target.resource.attribute.labels[backup_config_retention_settings_unit] |
|
protoPayload.request.body.settings.backupConfiguration.startTime |
target.resource.attribute.labels[backup_config_start_time] |
|
protoPayload.request.canIpForward |
target.resource.attribute.labels[can_ip_forward] |
|
resource.labels.cluster_name |
target.resource.attribute.labels[cls_name] |
|
request.cluster.name |
target.resource.attribute.labels[cls_name] |
|
protoPayload.request.body.settings.dataDiskSizeGb |
target.resource.attribute.labels[data_disk_size_gb] |
|
protoPayload.request.body.settings.dataDiskType |
target.resource.attribute.labels[data_disk_type] |
|
protoPayload.metadata.tableDataRead.fields |
target.resource.attribute.labels[data_read_fields] |
|
protoPayload.metadata.jobInsertion.job.jobConfig.extractConfig.destinationUris[] |
target.resource.attribute.labels[destination_uris] |
|
protoPayload.request.direction |
target.resource.attribute.labels[direction] |
|
resource.labels.email_id |
target.resource.attribute.labels[email_id] |
|
resource.email_id |
target.resource.attribute.labels[email_id] |
|
resource.labels.forwarding_rule_name |
target.resource.attribute.labels[forwarding_rule_name] |
|
protoPayload.request.body.settings.ipConfiguration.ipv4Enabled |
target.resource.attribute.labels[ip_config_ipv4_enabled] |
|
protoPayload.request.body.settings.ipconfiguration.privatNetwork |
target.resource.attribute.labels[ip_config_private_network] |
|
protoPayload.request.body.settings.ipconfiguration.requireSsl |
target.resource.attribute.labels[ip_config_require_ssl] |
|
protoPayload.metadata.jobChange.job.jobConfig.type |
target.resource.attribute.labels[job_type] |
|
protoPayload.metadata.jobChange.job.jobConfig.labels.looker_studio_report_id |
target.resource.attribute.labels[job_change_looker_studio_report_id] |
|
protoPayload.metadata.jobChange.job.jobConfig.labels.requestor |
target.resource.attribute.labels[job_change_requestor] |
|
protoPayload.metadata.jobChange.job.jobConfig.labels.looker_studio_datasource_id |
target.resource.attribute.labels[job_change_looker_studio_datasource_id] |
|
protoPayload.metadata.tableChange.table.tableName |
target.resource.attribute.labels[metadata_changedTable_name] |
|
protoPayload.metadata.tableCreation.table.expireTime |
target.resource.attribute.labels[metadata_creationTable_expire_time] |
|
protoPayload.request.body.settings.pricingPlan |
target.resource.attribute.labels[pricing_plan] |
|
resource.data.projectId |
target.resource.attribute.labels[projectId] |
|
resource.labels.instance_group_name |
target.resource.attribute.labels[rc_instance_groupName] |
|
resource.labels.method |
target.resource.attribute.labels[rc_method] |
|
protoPayload.resourceOriginalState.disabled |
target.resource.attribute.labels[rc_orgState_disabled] |
|
protoPayload.resourceOriginalState.enableLogging |
target.resource.attribute.labels[rc_orgState_enable_logging] |
|
protoPayload.resourceOriginalState.logconfig.enable |
target.resource.attribute.labels[rc_orgState_logconfig_enable] |
|
protoPayload.resourceOriginalState.selfLink |
target.resource.attribute.labels[rc_orgState_selflink] |
|
protoPayload.resourceOriginalState.sourceRanges |
target.resource.attribute.labels[rc_orgState_srcranges] |
|
protoPayload.resourceOriginalState.targetTags |
target.resource.attribute.labels[rc_orgState_target_tags] |
|
protoPayload.resourceOriginalState.@type |
target.resource.attribute.labels[rc_orgState_type] |
|
resource.labels.service |
target.resource.attribute.labels[rc_service] |
|
resource.labels.subnetwork_name |
target.resource.attribute.labels[rc_subnetwork_name] |
|
resource.labels.version |
target.resource.attribute.labels[rc_version] |
|
protoPayload.request.body.databaseVersion |
target.resource.attribute.labels[req_body_dbVersion] |
|
protoPayload.request.cluster.releaseChannel.channel |
target.resource.attribute.labels[req_cls_channel] |
|
protoPayload.request.cluster.addonsConfig.networkPolicyConfig.disabled |
target.resource.attribute.labels[req_cls_policy_config_disabled] |
|
protoPayload.request.reservationAffinity.consumeReservationType |
target.resource.attribute.labels[req_consumeReservation_type] |
|
protoPayload.request.disabled |
target.resource.attribute.labels[req_disabled] |
|
protoPayload.request.disks[].boot |
target.resource.attribute.labels[req_disk_boot] |
|
protoPayload.request.disks[].initializeParams.diskSizeGb |
target.resource.attribute.labels[req_disk_initialize_disk_size] |
|
protoPayload.request.disks[].initializeParams.diskType |
target.resource.attribute.labels[req_disk_initialize_disk_type] |
|
protoPayload.request.disks[].initializeParams.sourceImage |
target.resource.attribute.labels[req_disk_initialize_source_image] |
|
protoPayload.request.workloadIdentityPoolProvider.attributeCondition |
target.resource.attribute.labels[req_identityPool_attribute_condition] |
|
protoPayload.request.workloadIdentityPoolProvider.aws.accountId |
target.resource.attribute.labels[req_identityPool_aws_accountId] |
|
protoPayload.request.workloadIdentityPoolProvider.attributeMapping.attribute.aws_role |
target.resource.attribute.labels[req_identityPool_aws_role] |
|
protoPayload.request.workloadIdentityPool.description |
target.resource.attribute.labels[req_identityPool_description] |
|
protoPayload.request.workloadIdentityPool.disabled |
target.resource.attribute.labels[req_identityPool_disabled] |
|
protoPayload.request.workloadIdentityPoolProvider.displayName |
target.resource.attribute.labels[req_identityPool_displayName] |
|
protoPayload.request.workloadIdentityPoolProvider.attributeMapping.google.subject |
target.resource.attribute.labels[req_identityPool_googleSubject] |
|
protoPayload.request.workloadIdentityPoolProvider.disabled |
target.resource.attribute.labels[req_identityPool_provider_disabled] |
|
protoPayload.request.workloadIdentityPoolProviderId |
target.resource.attribute.labels[req_identityPool_providerId] |
|
protoPayload.request.instances[].instance |
target.resource.attribute.labels[req_instance] |
|
protoPayload.request.logconfig.enable |
target.resource.attribute.labels[req_logconfig_enable] |
|
protoPayload.serviceData.tabelDataListRequest.maxResults |
target.resource.attribute.labels[req_max_results] |
|
protoPayload.serviceData.jobGetQueryResultsRequest.maxResults |
target.resource.attribute.labels[req_max_results] |
|
protoPayload.request.maxResults |
target.resource.attribute.labels[req_max_results] |
|
protoPayload.request.name |
target.resource.attribute.labels[req_name] |
|
protoPayload.request.networkInterfaces[].accessConfig.name |
target.resource.attribute.labels[req_network_access_config_name] |
|
protoPayload.request.networkInterfaces[].accessConfig.networkTier |
target.resource.attribute.labels[req_network_access_config_network_tier] |
|
protoPayload.request.networkInterfaces[].accessConfig.type |
target.resource.attribute.labels[req_network_access_config_type] |
|
protoPayload.request.network |
target.resource.attribute.labels[req_network] |
|
protoPayload.request.network |
target.resource.attribute.labels[req_network] |
|
protoPayload.request.priority |
target.resource.attribute.labels[Request Priority] |
|
protoPayload.request.project |
target.resource.attribute.labels[req_project] |
|
protoPayload.request.role.stage |
target.resource.attribute.labels[req_role_stage] |
|
protoPayload.request.scheduling.automaticRestart |
target.resource.attribute.labels[req_scheduling_automatic_restart] |
|
protoPayload.request.scheduling.onHostMaintenance |
target.resource.attribute.labels[req_scheduling_on_host_mainten] |
|
protoPayload.request.scheduling.preemptible |
target.resource.attribute.labels[req_scheduling_preemptible] |
|
protoPayload.request.service_account.description |
target.resource.attribute.labels[req_serviceAcc_description] |
|
protoPayload.request.serviceAccounts[].email |
target.resource.attribute.labels[req_serviceAcc_email] |
|
protoPayload.request.policy.booleanPolicy.enforced |
target.resource.attribute.labels[request_constraint] |
|
protoPayload.response.email |
target.resource.attribute.labels[res_email] |
|
protoPayload.response.etag |
target.resource.attribute.labels[res_etag] |
|
protoPayload.response.name |
target.resource.attribute.labels[res_name] |
|
protoPayload.response.operationType |
target.resource.attribute.labels[response_operation_type] |
|
protoPayload.response.zone |
target.resource.attribute.labels[res_zone] |
|
resource.data.name |
target.resource.attribute.labels[resource_data_name] |
|
protoPayload.response.booleanPolicy.enforced |
target.resource.attribute.labels[response_enforce_policy] |
|
protoPayload.response.status |
target.resource.attribute.labels[response_status] |
|
protoPayload.response.status.conditions.message |
target.resource.attribute.labels[response_status] |
|
protoPayload.serviceData.permissionDelta.addedPermissions[] |
target.resource.attribute.labels[ser_added_perm] |
|
protoPayload.serviceData.policyDelta.bindingDeltas[].action |
target.resource.attribute.labels[ser_binding_deltas_action] |
|
protoPayload.serviceData.policyDelta.bindingDeltas[].member |
target.resource.attribute.labels[ser_binding_deltas_member] |
|
Referred this from default parser. |
target.resource.attribute.labels[ser_binding_deltas_member] |
|
protoPayload.serviceData.jobGetQueryResultsResponse.job.jobConfiguration.query.destinationTable.datasetId |
target.resource.attribute.labels[ser_destTable_datasetId] |
|
protoPayload.serviceData.jobGetQueryResultsResponse.job.jobConfiguration.query.destinationTable.projectId |
target.resource.attribute.labels[ser_destTable_projectId] |
|
protoPayload.serviceData.jobGetQueryResultsResponse.job.jobConfiguration.query.destinationTable.tableId |
target.resource.attribute.labels[ser_destTable_tableId] |
|
protoPayload.serviceData.jobGetQueryResultsResponse.job.jobStatistics.createTime |
target.resource.attribute.labels[ser_jobCreate_time] |
|
protoPayload.serviceData.jobGetQueryResultsResponse.job.jobName.jobId |
target.resource.attribute.labels[ser_req_jobId] |
|
protoPayload.serviceData.jobGetQueryResultsResponse.job.jobConfiguration.query.query |
target.resource.attribute.labels[ser_req_query] |
|
protoPayload.serviceData.jobGetQueryResultsResponse.job.jobConfiguration.query.createDisposotion |
target.resource.attribute.labels[ser_reqCreate_disposotion] |
|
protoPayload.serviceData.jobGetQueryResultsResponse.job.jobName.location |
target.resource.attribute.labels[ser_reqJob_location] |
|
protoPayload.serviceData.jobGetQueryResultsResponse.job.jobName.projectId |
target.resource.attribute.labels[ser_reqJob_projectid] |
|
protoPayload.serviceData.jobGetQueryResultsResponse.job.jobStatistics.startTime |
target.resource.attribute.labels[ser_reqJob_start_time] |
|
protoPayload.serviceData.jobGetQueryResultsResponse.job.jobStatus.state |
target.resource.attribute.labels[ser_reqJob_state] |
|
protoPayload.serviceData.jobGetQueryResultsResponse.job.jobStatistics.totalSlotMs |
target.resource.attribute.labels[ser_reqJob_total_slot_ms] |
|
protoPayload.serviceData.jobGetQueryResultsResponse.job.jobConfiguration.query.statementType |
target.resource.attribute.labels[ser_reqStatement_type] |
|
protoPayload.serviceData.jobGetQueryResultsResponse.job.jobConfiguration.query.writeDisposition |
target.resource.attribute.labels[ser_reqWrite_disposition] |
|
protoPayload.serviceData.tableInsertRequest.resource.view.query |
target.resource.attribute.labels[ser_tableInsert_query] |
|
protoPayload.serviceData.@type |
target.resource.attribute.labels[ser_type] |
|
protoPayload.request.sourceRanges[] |
target.resource.attribute.labels[source_ranges] |
|
protoPayload.request.body.settings.storageAutoResize |
target.resource.attribute.labels[storage_auto_resize] |
|
resource.labels.target_proxy_name |
target.resource.attribute.labels[target_proxy_name] |
|
protoPayload.request.body.settings.tier |
target.resource.attribute.labels[tier] |
|
resource.labels.url_map_name |
target.resource.attribute.labels[url_map_name] |
|
protoPayload.request.cluster.network |
target.resource_ancestors.attribute.labels[req_cls_network] |
|
protoPayload.request.cluster.nodePools[].management.autoRepair |
target.resource_ancestors.attribute.labels[req_clsNodePools_autorepair] |
|
protoPayload.request.body.settings.availabilityType |
target.resource.attributes.labels[resource_avaibilitytype] |
|
protoPayload.metadata.tableCreation.table.schemaJSON |
target.resource.attributes.labels[table_schemaJson] |
|
protoPayload.metadata.event.eventName.parameter.name[BIRTHDATE] |
target.user.attribute.labels[birthdate] |
|
protoPayload.metadata.event.eventName.parameter.name[PRIVILEGE_NAME] |
target.user.attribute.labels[privilege_name] |
|
protoPayload.metadata.event.eventName.parameter.name[USER_NICKNAME] |
target.user.attribute.labels[user_nickname] |
|
resource.type |
target.resource_ancestors.resource_type |
Wenn der Wert des resource.type-Logfelds mit dem regulären Ausdruck gce_(firewall or forwarding_rule) übereinstimmt, wird das target.resource_ancestors.resource_type-UDM-Feld auf FIREWALL_RULE festgelegt.Wenn der Wert des resource.type-Logfelds mit dem regulären Ausdruck gce_(subnetwork or network) übereinstimmt, wird das target.resource_ancestors.resource_type-UDM-Feld auf VPC_NETWORK festgelegt.Wenn der Wert des resource.type-Logfelds mit dem regulären Ausdruck dataproc übereinstimmt, wird das target.resource_ancestors.resource_type-UDM-Feld auf CLUSTER festgelegt.Wenn der Wert des resource.type-Logfelds mit dem regulären Ausdruck k8s or gke_ übereinstimmt, wird das target.resource_ancestors.resource_type-UDM-Feld auf CLUSTER festgelegt.Wenn der Wert des resource.type-Logfelds mit gce_backend_service übereinstimmt, wird das target.resource_ancestors.resource_type-UDM-Feld auf BACKEND_SERVICE festgelegt.Wenn der Wert des resource.type-Logfelds mit dem regulären Ausdruck (gce_ or dns_query) übereinstimmt, wird das target.resource.resource_type-UDM-Feld auf VIRTUAL_MACHINE festgelegt.Wenn der Wert des resource.type-Logfelds mit dem regulären Ausdruck gcs_bucket übereinstimmt, wird das target.resource_ancestors.resource_type-UDM-Feld auf STORAGE_BUCKET festgelegt.Wenn der Wert des resource.type-Logfelds mit dem regulären Ausdruck bigquery übereinstimmt, wird das target.resource_ancestors.resource_type-UDM-Feld auf DATABASE festgelegt.Wenn der Wert des resource.type-Logfelds mit dem regulären Ausdruck cloudsql übereinstimmt, wird das target.resource_ancestors.resource_type-UDM-Feld auf DATABASE festgelegt.Wenn der Wert des resource.type-Logfelds mit dem regulären Ausdruck service_account übereinstimmt, wird das target.resource_ancestors.resource_type-UDM-Feld auf SERVICE_ACCOUNT festgelegt.Wenn der Wert des resource.type-Logfelds mit dem regulären Ausdruck project übereinstimmt, wird das target.resource_ancestors.resource_type-UDM-Feld auf CLOUD_PROJECT festgelegt.Wenn der Wert des resource.type-Logfelds mit dem regulären Ausdruck organization übereinstimmt, wird das target.resource_ancestors.resource_type-UDM-Feld auf CLOUD_ORGANIZATION festgelegt.Andernfalls wird das target.resource_ancestors.resource_type-UDM-Feld auf UNSPECIFIED festgelegt.Wenn der Wert des resource.labels.project_id-Logfelds nicht leer ist, wird das target.resource_ancestors.resource_type-UDM-Feld auf CLOUD_PROJECT festgelegt. |
jsonPayload.end_time |
about.labels[jsonPayload_end_time] (verworfen) |
|
jsonPayload.packets_sent |
network.sent_packets |
|
jsonPayload.reporter |
about.labels[jsonPayload_reporter] (verworfen) |
|
jsonPayload.src_vpc.vpc_name |
principal.resource.name |
|
jsonPayload.src_vpc.project_id |
principal.resource.product_object_id |
|
jsonPayload.src_vpc.subnetwork_name |
principal.resource.attribute.labels[jsonPayload_src_vpc_subnetwork_name] |
|
jsonPayload.start_time |
about.labels[jsonPayload_start_time] (verworfen) |
|
jsonPayload.src_instance.region |
principal.location.name |
|
jsonPayload.src_instance.project_id |
principal.labels[jsonPayload_src_instance_project_id] (verworfen) |
|
jsonPayload.src_instance.zone |
principal.cloud.availability_zone |
|
resource.labels.subnetwork_id |
target.resource.attribute.labels[resource_labels_subnetwork_id] |
|
jsonPayload.dest_vpc.project_id |
target.resource.product_object_id |
|
jsonPayload.dest_vpc.subnetwork_name |
target.resource.attribute.labels[jsonPayload_src_vpc_subnetwork_name] |
|
jsonPayload.dest_vpc.vpc_name |
target.resource.name |
|
jsonPayload.dest_instance.region |
target.location.name |
|
jsonPayload.dest_instance.project_id |
target.labels[jsonPayload_dest_instance_project_id] (verworfen) |
|
jsonPayload.dest_instance.zone |
target.cloud.availability_zone |
|
jsonPayload.src_location.asn |
principal.labels[jsonPayload_src_location_asn] (verworfen) |
|
jsonPayload.src_location.city |
principal.location.city |
|
jsonPayload.src_location.continent |
principal.labels[jsonPayload_src_location_continent] (verworfen) |
|
jsonPayload.src_location.country |
principal.location.country_or_region |
|
jsonPayload.src_location.region |
principal.labesl[jsonPayload_src_location_region] |
|
jsonPayload.dest_location.asn |
target.labels[jsonPayload_dest_location_asn] (verworfen) |
|
jsonPayload.dest_location.city |
target.location.city |
|
jsonPayload.dest_location.continent |
target.labels[jsonPayload_dest_location_continent] (verworfen) |
|
jsonPayload.dest_location.region |
target.labesl[jsonPayload_dest_location_region] |
|
protoPayload.metadata.ingressViolations.servicePerimeter |
security_result.detection_fields[protoPayload_metadata_ingressViolations_serviceParameter] |
|
protoPayload.metadata.ingressViolations.source |
security_result.detection_fields[protoPayload_metadata_ingressViolations_source] |
|
protoPayload.metadata.ingressViolations.sourceType |
security_result.detection_fields[protoPayload_metadata_ingressViolations_sourceType] |
|
protoPayload.metadata.ingressViolations.targetResource |
security_result.detection_fields[protoPayload_metadata_ingressViolations_targetResource] |
|
protoPayload.request.subjects.name |
target.user.attribute.labels[subject_name] |
|
protoPayload.request.spec.containers.0.image |
target.process.command_line |
|
protoPayload.request.spec.containers.0.name |
target.resource.attribute.labels[name] |
|
protoPayload.request.spec.containers.0.terminationMessagePolicy |
traget.resource.attribute.labels[terminationMessagePolicy] |
|
protoPayload.request.spec.containers.0.terminationMessagePath |
traget.resource.attribute.labels[terminationMessagePath] |
|
protoPayload.request.spec.containers.0.imagePullPolicy |
traget.resource.attribute.labels[imagePullPolicy] |
|
protoPayload.request.spec.dnsPolicy |
target.resource.attribute.labels[imagePullPolicy] |
|
protoPayload.request.spec.enableServiceLinks |
traget.resource.attribute.labels[enableServiceLinks] |
|
protoPayload.request.spec.restartPolicy |
target.resource.attribute.labels[restartPolicy] |
|
protoPayload.request.spec.schedulerName |
target.resource.attribute.labels[schedulerName] |
|
protoPayload.request.spec.terminationGracePeriodSeconds |
traget.resource.attribute.labels[protoPayload_request_spec_terminationGracePeriodSeconds] |
|
protoPayload.request.metadata.namespace |
principal.namespace |
|
protoPayload.request.apiVersion |
target.resource.attribute.labels [request apiVersion] |
|
protoPayload.request.kind |
target.resource.attribute.labels[request.kind] |
|
protoPayload.request.metadata.name |
target.resource.attribute.labels[request.metadata.name] |
|
labels.mutation.webhook.admission.k8s.io/round_0_index_0 |
security_result.about.resource.attribute.labels[labels_round_0_index_0] |
|
protoPayload.request.spec.containers.0.args |
about.file.capabilities_tags |
|
protoPayload.request.properties.disks.0.initializeParams.diskSizeGb |
principal.resource.attribute.labels[diskSizeGb] |
|
protoPayload.request.properties.disks.0.initializeParams.diskType |
principal.resource.attribute.labels[diskType] |
|
protoPayload.request.properties.disks.0.initializeParams.guestOsFeatures.0.type |
principal.resource.attribute.labels[guestOsFeatures type] |
|
protoPayload.request.properties.disks.0.initializeParams.labels.0.key |
principal.resource.attribute.labels[protoPayload.request.properties.disks.0.initializeParams.labels.0.key] |
|
protoPayload.request.properties.disks.0.initializeParams.sourceImage |
principal.resource.attribute.labels[sourceImage] |
|
protoPayload.request.properties.disks.0.type |
principal.resource.attribute.labels[disks Type] |
|
key_id |
security_result.detection_field[key_id] |
Der Wert des Felds key_id wird mithilfe eines Grok-Musters aus dem message-Logfeld extrahiert. |
protoPayload.request.securityHealthAnalyticsSettings.modules.PUBLIC_BUCKET_ACL.moduleEnablementState |
target.resource.attribute.labels[PUBLIC_BUCKET_ACL_module_enablement_state] |
|
protoPayload.response.serviceEnablementState |
target.resource.attribute.labels[service_enablement_state] |
|
protoPayload.request.metadata.creationTimestamp |
target.resource.attribute.creation_time |
|
protoPayload.request.metadata.labels.trivy.automatic.created |
target.resource.attribute.labels[req_metadata_trivy_automatic_created] |
|
protoPayload.request.metadata.labels.trivy.collector.name |
target.resource.attribute.labels[req_metadata_trivy_collector_name] |
|
protoPayload.request.metadata.labels.trivy.resource.kind |
target.resource.attribute.labels[req_metadata_trivy_resource_kind] |
|
protoPayload.request.metadata.labels.trivy.resource.name |
target.resource.attribute.labels[req_metadata_trivy_resource_name] |
|
protoPayload.request.spec.backoffLimit |
target.resource.attribute.labels[req_spec_backoff_limit] |
|
protoPayload.request.spec.completionMode |
target.resource.attribute.labels[req_spec_completion_mode] |
|
protoPayload.request.spec.completions |
target.resource.attribute.labels[req_spec_completions] |
|
protoPayload.request.spec.parallelism |
target.resource.attribute.labels[req_spec_parallelism] |
|
protoPayload.request.spec.suspend |
target.resource.attribute.labels[req_spec_suspend] |
|
protoPayload.request.spec.template.metadata.creationTimestamp |
target.resource.attribute.labels[req_spec_template_metadata_creation_time] |
|
protoPayload.request.spec.template.metadata.labels.app |
target.resource.attribute.labels[req_spec_template_metadata_app] |
|
protoPayload.request.spec.template.spec.automountServiceAccountToken |
target.resource.attribute.labels[req_spec_template_spec_automount_service_account_token] |
|
protoPayload.request.spec.template.spec.containers.command |
target.resource_ancestors.attribute.labels[req_spec_template_spec_container_command] |
|
protoPayload.request.spec.template.spec.containers.image |
target.resource_ancestors.attribute.labels[req_spec_template_spec_container_image] |
|
protoPayload.request.spec.template.spec.containers.imagePullPolicy |
target.resource_ancestors.attribute.labels[req_spec_template_spec_container_image_pull_policy] |
|
protoPayload.request.spec.template.spec.containers.name |
target.resource_ancestors.name |
|
protoPayload.request.spec.template.spec.containers.resources.limits.cpu |
target.resource_ancestors.attribute.labels[req_spec_template_spec_container_resource_limits_cpu] |
|
protoPayload.request.spec.template.spec.containers.resources.limits.memory |
target.resource_ancestors.attribute.labels[req_spec_template_spec_container_resource_limits_memory] |
|
protoPayload.request.spec.template.spec.containers.resources.requests.cpu |
target.resource_ancestors.attribute.labels[req_spec_template_spec_container_resource_request_cpu] |
|
protoPayload.request.spec.template.spec.containers.resources.requests.memory |
target.resource_ancestors.attribute.labels[req_spec_template_spec_container_resource_request_memory] |
|
protoPayload.request.spec.template.spec.containers.securityContext.allowPrivilegeEscalation |
target.resource_ancestors.attribute.labels[req_spec_template_spec_container_security_context_allow_privilege_escalation] |
|
protoPayload.request.spec.template.spec.containers.securityContext.capabilities.drop |
target.resource_ancestors.attribute.labels[req_spec_template_spec_container_security_context_capabilities_drop] |
|
protoPayload.request.spec.template.spec.containers.securityContext.privileged |
target.resource_ancestors.attribute.labels[req_spec_template_spec_container_security_context_privileged] |
|
protoPayload.request.spec.template.spec.containers.securityContext.readOnlyRootFilesystem |
target.resource_ancestors.attribute.labels[req_spec_template_spec_container_security_context_read_only_root_filesystem] |
|
protoPayload.request.spec.template.spec.containers.terminationMessagePath |
target.resource_ancestors.attribute.labels[req_spec_template_spec_container_termination_message_path] |
|
protoPayload.request.spec.template.spec.containers.terminationMessagePolicy |
target.resource_ancestors.attribute.labels[req_spec_template_spec_container_termination_message_policy] |
|
protoPayload.request.spec.template.spec.containers.volumeMounts.mountPath |
target.resource_ancestors.attribute.labels[req_spec_template_spec_container_volume_mounts_mount_path] |
|
protoPayload.request.spec.template.spec.containers.volumeMounts.name |
target.resource_ancestors.attribute.labels[req_spec_template_spec_container_volume_mounts_name] |
|
protoPayload.request.spec.template.spec.containers.volumeMounts.readOnly |
target.resource_ancestors.attribute.labels[req_spec_template_spec_container_volume_mounts_readonly] |
|
protoPayload.request.spec.template.spec.dnsPolicy |
target.resource.attribute.labels[req_spec_template_spec_dns_policy] |
|
protoPayload.request.spec.template.spec.hostPID |
target.resource.attribute.labels[req_spec_template_spec_host_pid] |
|
protoPayload.request.spec.template.spec.restartPolicy |
target.resource.attribute.labels[req_spec_template_spec_restart_policy] |
|
protoPayload.request.spec.template.spec.schedulerName |
target.resource.attribute.labels[req_spec_template_spec_scheduler_name] |
|
protoPayload.request.spec.template.spec.securityContext.runAsGroup |
target.resource.attribute.labels[req_spec_template_spec_security_context_run_as_group] |
|
protoPayload.request.spec.template.spec.securityContext.runAsUser |
target.resource.attribute.labels[req_spec_template_spec_security_context_run_as_user] |
|
protoPayload.request.spec.template.spec.securityContext.seccompProfile.type |
target.resource.attribute.labels[req_spec_template_spec_security_context_seccomp_profile_type] |
|
protoPayload.request.spec.template.spec.terminationGracePeriodSeconds |
target.resource.attribute.labels[req_spec_template_spec_termination_grace_period_seconds] |
|
protoPayload.request.spec.template.spec.volumes.hostPath.path |
target.resource.attribute.labels[req_spec_template_spec_volumes_host_path] |
|
protoPayload.request.spec.template.spec.volumes.hostPath.type |
target.resource.attribute.labels[req_spec_template_spec_volumes_host_path_type] |
|
protoPayload.request.spec.template.spec.volumes.name |
target.resource.attribute.labels[req_spec_template_spec_volumes_name] |
|
protoPayload.request.spec.automountServiceAccountToken |
target.resource.attribute.labels[req_spec_automount_service_account_token] |
|
protoPayload.request.spec.containers.command |
target.resource.attribute.labels[req_spec_container_command] |
|
protoPayload.request.spec.containers.securityContext.privileged |
target.resource.attribute.labels[req_spec_container_security_context_privileged] |
|
protoPayload.request.spec.containers.securityContext.allowPrivilegeEscalation |
target.resource.attribute.labels[req_spec_container_security_context_allow_privilege_escalation] |
|
protoPayload.request.spec.containers.securityContext.readOnlyRootFilesystem |
target.resource.attribute.labels[req_spec_container_security_context_read_only_root_filesystem] |
|
protoPayload.request.spec.containers.securityContext.capabilities.drop |
target.resource.attribute.labels[req_spec_container_security_context_capabilities_drop] |
|
protoPayload.request.spec.containers.volumeMounts.mountPath |
target.resource.attribute.labels[req_spec_container_volume_mount_path] |
|
protoPayload.request.spec.containers.volumeMounts.name |
target.resource.attribute.labels[req_spec_container_volume_mount_name] |
|
protoPayload.request.spec.containers.volumeMounts.readOnly |
target.resource.attribute.labels[req_spec_container_volume_mount_read_only] |
|
protoPayload.request.metadata.annotations.deprecated.daemonset.template.generation |
target.resource.attribute.labels[req_metadata_annotations_deprecated_daemonset_template_generation] |
|
protoPayload.request.metadata.labels.app |
target.resource.attribute.labels[req_metadata_app] |
|
protoPayload.request.metadata.labels.type |
target.resource.attribute.labels[req_metadata_labels_type] |
|
protoPayload.request.spec.serviceAccount |
target.resource.attribute.labels[req_spec_service_account] |
|
protoPayload.request.spec.serviceAccountName |
target.resource.attribute.labels[req_spec_serivce_account_name] |
|
protoPayload.request.spec.hostIPC |
target.resource.attribute.labels[req_spec_host_ipc] |
|
protoPayload.request.spec.hostNetwork |
target.resource.attribute.labels[req_spec_host_network] |
|
protoPayload.request.spec.hostPID |
target.resource.attribute.labels[req_spec_host_pid] |
|
protoPayload.request.spec.nodeName |
target.resource.attribute.labels[req_spec_node_name] |
|
protoPayload.request.spec.securityContext.privileged |
target.resource.attribute.labels[req_spec_security_context_privileged] |
|
protoPayload.request.spec.securityContext.allowPrivilegeEscalation |
target.resource.attribute.labels[req_spec_security_context_allow_privilege_escalation] |
|
protoPayload.request.spec.securityContext.readOnlyRootFilesystem |
target.resource.attribute.labels[req_spec_security_context_read_only_root_filesystem] |
|
protoPayload.request.spec.securityContext.capabilities.drop |
target.resource.attribute.labels[req_spec_security_context_capabilities_drop] |
|
protoPayload.request.spec.volumes.hostPath.path |
target.resource.attribute.labels[req_spec_volume_host_path] |
|
protoPayload.request.spec.volumes.hostPath.type |
target.resource.attribute.labels[req_spec_volume_host_path_type] |
|
protoPayload.request.spec.volumes.name |
target.resource.attribute.labels[req_spec_volume_name] |
|
protoPayload.request.spec.revisionHistoryLimit |
target.resource.attribute.labels[req_spec_revision_history_limit] |
|
protoPayload.request.spec.selector.matchLabels.app |
target.resource.attribute.labels[req_spec_selector_match_label_app] |
|
protoPayload.request.spec.selector.matchLabels.type |
target.resource.attribute.labels[req_spec_selector_match_label_type] |
|
protoPayload.request.spec.template.metadata.labels.type |
target.resource.attribute.labels[req_spec_template_metadata_labels_type] |
|
protoPayload.request.spec.template.spec.containers.args |
target.resource.attribute.labels[req_spec_template_spec_container_arg] |
|
protoPayload.request.spec.template.spec.hostIPC |
target.resource.attribute.labels[req_spec_template_spec_host_ipc] |
|
protoPayload.request.spec.template.spec.hostNetwork |
target.resource.attribute.labels[req_spec_template_spec_host_network] |
|
protoPayload.request.spec.updateStrategy.rollingUpdate.maxSurge |
target.resource.attribute.labels[req_spec_update_strategy_rolling_update_max_surge] |
|
protoPayload.request.spec.updateStrategy.rollingUpdate.maxUnavailable |
target.resource.attribute.labels[req_spec_update_strategy_rolling_update_max_unavailable] |
|
protoPayload.request.spec.updateStrategy.type |
target.resource.attribute.labels[req_spec_update_strategy_type] |
|
protoPayload.request.status.currentNumberScheduled |
target.resource.attribute.labels[req_status_current_number_scheduled] |
|
protoPayload.request.status.desiredNumberScheduled |
target.resource.attribute.labels[req_status_desired_number_scheduled] |
|
protoPayload.request.status.numberMisscheduled |
target.resource.attribute.labels[req_status_number_miss_scheduled] |
|
protoPayload.request.status.numberReady |
target.resource.attribute.labels[req_status_number_ready] |
|
protoPayload.response.@type |
target.resource.attribute.labels[res_type] |
|
protoPayload.response.apiVersion |
target.resource.attribute.labels[res_api_version] |
|
protoPayload.response.metadata.annotations.deprecated.daemonset.template.generation |
target.resource.attribute.labels[res_metadata_annotations_deprecated_daemonset_template_generation] |
|
protoPayload.response.metadata.generation |
target.resource.attribute.labels[res_metadata_generation] |
|
protoPayload.response.metadata.labels.type |
target.resource.attribute.labels[res_metadata_labels_type] |
|
protoPayload.response.metadata.labels.app |
target.resource.attribute.labels[res_metadata_label_app] |
|
protoPayload.response.metadata.creationTimestamp |
target.resource.attribute.labels[res_metadata_creation_time] |
|
protoPayload.response.metadata.name |
target.resource.attribute.labels[res_metadata_name] |
|
protoPayload.response.metadata.namespace |
target.resource.attribute.labels[res_metadata_namespace] |
|
protoPayload.response.metadata.resourceVersion |
target.resource.attribute.labels[res_metadata_resource_version] |
|
protoPayload.response.metadata.uid |
target.resource.attribute.labels[res_metadata_uid] |
|
protoPayload.response.spec.revisionHistoryLimit |
target.resource.attribute.labels[res_spec_revision_history_limit] |
|
protoPayload.response.spec.selector.matchLabels.app |
target.resource.attribute.labels[res_spec_selector_match_label_app] |
|
protoPayload.response.spec.selector.matchLabels.type |
target.resource.attribute.labels[res_spec_selector_match_label_type] |
|
protoPayload.response.spec.template.metadata.creationTimestamp |
target.resource.attribute.labels[res_spec_template_metadata_creation_time] |
|
protoPayload.response.spec.template.metadata.labels.app |
target.resource.attribute.labels[res_spec_template_metadata_app] |
|
protoPayload.response.spec.template.metadata.labels.type |
target.resource.attribute.labels[res_spec_template_metadata_type] |
|
protoPayload.response.spec.template.spec.containers.args |
target.resource_ancestors.attribute.labels[res_spec_template_spec_container_arg] |
|
protoPayload.response.spec.template.spec.containers.command |
target.resource_ancestors.attribute.labels[res_spec_template_spec_container_command] |
|
protoPayload.response.spec.template.spec.containers.image |
target.resource_ancestors.attribute.labels[res_spec_template_spec_container_image] |
|
protoPayload.response.spec.template.spec.containers.imagePullPolicy |
target.resource_ancestors.attribute.labels[res_spec_template_spec_container_image_pull_policy] |
|
protoPayload.response.spec.template.spec.containers.name |
target.resource_ancestors.name |
|
protoPayload.response.spec.template.spec.containers.resources.limits.cpu |
target.resource_ancestors.attribute.labels[res_spec_template_spec_container_resource_limits_cpu] |
|
protoPayload.response.spec.template.spec.containers.resources.limits.memory |
target.resource_ancestors.attribute.labels[res_spec_template_spec_container_resource_limits_memory] |
|
protoPayload.response.spec.template.spec.containers.resources.requests.cpu |
target.resource_ancestors.attribute.labels[res_spec_template_spec_container_resource_request_cpu] |
|
protoPayload.response.spec.template.spec.containers.resources.requests.memory |
target.resource_ancestors.attribute.labels[res_spec_template_spec_container_resource_request_memory] |
|
protoPayload.response.spec.template.spec.containers.securityContext.privileged |
target.resource_ancestors.attribute.labels[res_spec_template_spec_container_security_context_privileged] |
|
protoPayload.response.spec.template.spec.containers.securityContext.allowPrivilegeEscalation |
target.resource_ancestors.attribute.labels[res_spec_template_spec_container_security_context_allow_privilege_escalation] |
|
protoPayload.response.spec.template.spec.containers.securityContext.readOnlyRootFilesystem |
target.resource_ancestors.attribute.labels[res_spec_template_spec_container_security_context_read_only_root_filesystem] |
|
protoPayload.response.spec.template.spec.containers.securityContext.capabilities.drop |
target.resource_ancestors.attribute.labels[res_spec_template_spec_container_security_context_capabilities_drop] |
|
protoPayload.response.spec.template.spec.containers.terminationMessagePath |
target.resource_ancestors.attribute.labels[res_spec_template_spec_container_termination_message_path] |
|
protoPayload.response.spec.template.spec.containers.terminationMessagePolicy |
target.resource_ancestors.attribute.labels[res_spec_template_spec_container_termination_message_policy] |
|
protoPayload.response.spec.template.spec.containers.volumeMounts.mountPath |
target.resource_ancestors.attribute.labels[res_spec_template_spec_container_volume_mounts_mount_path] |
|
protoPayload.response.spec.template.spec.containers.volumeMounts.name |
target.resource_ancestors.attribute.labels[res_spec_template_spec_container_volume_mounts_name] |
|
protoPayload.response.spec.template.spec.containers.volumeMounts.readOnly |
target.resource_ancestors.attribute.labels[res_spec_template_spec_container_volume_mounts_read_only] |
|
protoPayload.response.spec.template.spec.dnsPolicy |
target.resource.attribute.labels[res_spec_template_spec_dns_policy] |
|
protoPayload.response.spec.template.spec.hostIPC |
target.resource.attribute.labels[res_spec_template_spec_host_pid] |
|
protoPayload.response.spec.template.spec.hostNetwork |
target.resource.attribute.labels[res_spec_template_spec_host_network] |
|
protoPayload.response.spec.template.spec.hostPID |
target.resource.attribute.labels[res_spec_template_spec_host_ipc] |
|
protoPayload.response.spec.template.spec.nodeName |
target.resource.attribute.labels[res_spec_template_spec_node_name] |
|
protoPayload.response.spec.template.spec.restartPolicy |
target.resource.attribute.labels[res_spec_template_spec_restart_policy] |
|
protoPayload.response.spec.template.spec.schedulerName |
target.resource.attribute.labels[res_spec_template_spec_scheduler_name] |
|
protoPayload.response.spec.template.spec.securityContext.runAsGroup |
target.resource.attribute.labels[res_spec_template_spec_security_context_run_as_group] |
|
protoPayload.response.spec.template.spec.securityContext.runAsUser |
target.resource.attribute.labels[res_spec_template_spec_security_context_run_as_user] |
|
protoPayload.response.spec.template.spec.securityContext.seccompProfile.type |
target.resource.attribute.labels[res_spec_template_spec_security_context_seccomp_profile_type] |
|
protoPayload.response.spec.template.spec.terminationGracePeriodSeconds |
target.resource.attribute.labels[res_spec_template_spec_termination_grace_period_seconds] |
|
protoPayload.response.spec.template.spec.volumes.hostPath.path |
target.resource.attribute.labels[res_spec_template_spec_volumes_host_path] |
|
protoPayload.response.spec.template.spec.volumes.hostPath.type |
target.resource.attribute.labels[res_spec_template_spec_volumes_host_path_type] |
|
protoPayload.response.spec.template.spec.volumes.name |
target.resource.attribute.labels[res_spec_template_spec_volumes_name] |
|
protoPayload.response.spec.updateStrategy.rollingUpdate.maxSurge |
target.resource.attribute.labels[res_spec_update_strategy_rolling_update_max_surge] |
|
protoPayload.response.spec.updateStrategy.rollingUpdate.maxUnavailable |
target.resource.attribute.labels[res_spec_update_strategy_rolling_update_max_unavailable] |
|
protoPayload.response.spec.updateStrategy.type |
target.resource.attribute.labels[res_spec_update_strategy_type] |
|
protoPayload.response.spec.containers.args |
target.resource_ancestors.attribute.labels[res_spec_container_arg] |
|
protoPayload.response.spec.containers.command |
target.resource_ancestors.attribute.labels[res_spec_container_command] |
|
protoPayload.response.spec.containers.image |
target.resource_ancestors.attribute.labels[res_spec_container_image] |
|
protoPayload.response.spec.containers.imagePullPolicy |
target.resource_ancestors.attribute.labels[res_spec_container_image_pull_policy] |
|
protoPayload.response.spec.containers.name |
target.resource_ancestors.name |
|
protoPayload.response.spec.containers.securityContext.privileged |
target.resource_ancestors.attribute.labels[res_spec_container_security_context_privileged] |
|
protoPayload.response.spec.containers.securityContext.allowPrivilegeEscalation |
target.resource_ancestors.attribute.labels[res_spec_container_security_context_allow_privilege_escalation] |
|
protoPayload.response.spec.containers.securityContext.readOnlyRootFilesystem |
target.resource_ancestors.attribute.labels[res_spec_container_security_context_read_only_root_filesystem] |
|
protoPayload.response.spec.containers.securityContext.capabilities.drop |
target.resource_ancestors.attribute.labels[res_spec_container_security_context_capabilities_drop] |
|
protoPayload.response.spec.containers.terminationMessagePath |
target.resource_ancestors.attribute.labels[res_spec_container_termination_message_path] |
|
protoPayload.response.spec.containers.terminationMessagePolicy |
target.resource_ancestors.attribute.labels[res_spec_container_termination_message_policy] |
|
protoPayload.response.spec.containers.volumeMounts.mountPath |
target.resource_ancestors.attribute.labels[res_spec_container_volume_mount_path] |
|
protoPayload.response.spec.containers.volumeMounts.name |
target.resource_ancestors.attribute.labels[res_spec_container_volume_mount_name] |
|
protoPayload.response.spec.containers.volumeMounts.readOnly |
target.resource_ancestors.attribute.labels[res_spec_container_volume_mount_read_only] |
|
protoPayload.response.spec.dnsPolicy |
target.resource.attribute.labels[res_spec_dns_policy] |
|
protoPayload.response.spec.enableServiceLinks |
target.resource.attribute.labels[res_spec_enable_service_links] |
|
protoPayload.response.spec.hostIPC |
target.resource.attribute.labels[res_spec_host_ipc] |
|
protoPayload.response.spec.hostNetwork |
target.resource.attribute.labels[res_spec_host_network] |
|
protoPayload.response.spec.hostPID |
target.resource.attribute.labels[res_spec_host_pid] |
|
protoPayload.response.spec.nodeName |
target.resource.attribute.labels[res_spec_node_name] |
|
protoPayload.response.spec.preemptionPolicy |
target.resource.attribute.labels[res_spec_preemption_policy] |
|
protoPayload.response.spec.priority |
target.resource.attribute.labels[res_spec_priority] |
|
protoPayload.response.spec.restartPolicy |
target.resource.attribute.labels[res_spec_restart_policy] |
|
protoPayload.response.spec.schedulerName |
target.resource.attribute.labels[res_spec_scheduler_name] |
|
protoPayload.response.spec.serviceAccount |
target.resource.attribute.labels[res_spec_service_account] |
|
protoPayload.response.spec.serviceAccountName |
target.resource.attribute.labels[res_spec_serivce_account_name] |
|
protoPayload.response.spec.terminationGracePeriodSeconds |
target.resource.attribute.labels[res_spec_termination_grace_period_seconds] |
|
protoPayload.response.spec.tolerations.effect |
target.resource.attribute.labels[res_spec_toleration_effect] |
|
protoPayload.response.spec.tolerations.key |
target.resource.attribute.labels[res_spec_toleration_key] |
|
protoPayload.response.spec.tolerations.operator |
target.resource.attribute.labels[res_spec_toleration_operator] |
|
protoPayload.response.spec.tolerations.tolerationSeconds |
target.resource.attribute.labels[res_spec_toleration_second] |
|
protoPayload.response.spec.volumes.hostPath.path |
target.resource.attribute.labels[res_spec_volume_host_path] |
|
protoPayload.response.spec.volumes.hostPath.type |
target.resource.attribute.labels[res_spec_volume_host_path_type] |
|
protoPayload.response.spec.volumes.name |
target.resource.attribute.labels[res_spec_volume_name] |
|
protoPayload.response.spec.volumes.projected.defaultMode |
target.resource.attribute.labels[res_spec_volume_projected_default_mode] |
|
protoPayload.response.spec.volumes.projected.sources.serviceAccountToken.expirationSeconds |
target.resource.attribute.labels[res_spec_volume_projected_src_service_acc_token_ecpiration_sec] |
|
protoPayload.response.spec.volumes.projected.sources.serviceAccountToken.path |
target.resource.attribute.labels[res_spec_volume_projected_src_service_acc_token_path] |
|
protoPayload.response.spec.volumes.projected.sources.configMap.items.key |
target.resource.attribute.labels[res_spec_volume_projected_src_config_map_item_key] |
|
protoPayload.response.spec.volumes.projected.sources.configMap.items.path |
target.resource.attribute.labels[res_spec_volume_projected_src_config_map_item_path] |
|
protoPayload.response.spec.volumes.projected.sources.configMap.name |
target.resource.attribute.labels[res_spec_volume_projected_src_config_map_name] |
|
protoPayload.response.spec.volumes.projected.sources.downwardAPI.items.fieldRef.apiVersion |
target.resource.attribute.labels[res_spec_volume_projected_src_downward_api_item_field_ref_api_version] |
|
protoPayload.response.spec.volumes.projected.sources.downwardAPI.items.fieldRef.fieldPath |
target.resource.attribute.labels[res_spec_volume_projected_src_downward_api_item_field_ref_field_path] |
|
protoPayload.response.spec.volumes.projected.sources.downwardAPI.items.path |
target.resource.attribute.labels[res_spec_volume_projected_src_downward_api_item_path] |
|
protoPayload.response.status.phase |
target.resource.attribute.labels[res_status_phase] |
|
protoPayload.response.status.qosClass |
target.resource.attribute.labels[res_status_qos_class] |
|
protoPayload.response.status.currentNumberScheduled |
target.resource.attribute.labels[res_status_current_number_scheduled] |
|
protoPayload.response.status.desiredNumberScheduled |
target.resource.attribute.labels[res_status_desired_number_scheduled] |
|
protoPayload.response.status.numberMisscheduled |
target.resource.attribute.labels[res_status_number_miss_scheduled] |
|
protoPayload.response.status.numberReady |
target.resource.attribute.labels[res_status_number_ready] |
|
protoPayload.serviceData.jobCompletedEvent.job.jobConfiguration.labels.requestor |
target.resource.attribute.labels[ser_jobconf_requestor] |
|
protoPayload.serviceData.jobCompletedEvent.job.jobConfiguration.labels.looker_studio_datasource_id |
target.resource.attribute.labels[ser_jobconf_looker_studio_datasource_id] |
|
protoPayload.serviceData.jobCompletedEvent.job.jobConfiguration.labels.looker_studio_report_id |
target.resource.attribute.labels[ser_jobconf_looker_studio_report_id] |
|
labels.authorization.k8s.io/decision |
security_result.action |
Wenn der Wert des labels.authorization.k8s.io/decision-Logfelds allow entspricht, wird das security_result.action-UDM-Feld auf ALLOW gesetzt.Andernfalls, wenn der Wert des labels.authorization.k8s.io/decision-Logfelds block entspricht, wird das security_result.action-UDM-Feld auf BLOCK gesetzt. |
labels.pod-security.kubernetes.io/enforce-policy |
security_result.detection_fields[pod_security_kubernetes_io_enforce_policy] |
|
labels.authorization.k8s.io/reason |
security_result.action_details |
|
protoPayload.request.roleRef.apiGroup |
target.user.attribute.labels[req_role_ref_api_group] |
|
protoPayload.request.roleRef.kind |
target.user.attribute.labels[req_role_ref_kind] |
|
protoPayload.request.roleRef.name |
target.user.attribute.roles.name |
|
protoPayload.request.subjects.apiGroup |
target.user.attribute.labels[req_subject_api_group] |
|
protoPayload.request.subjects.kind |
target.user.attribute.labels[req_subject_kind] |
|
protoPayload.request.rules.apiGroups |
security_result.rule_labels[req_rule_api_group] |
|
protoPayload.request.rules.resources |
security_result.rule_labels[req_rule_resource] |
|
protoPayload.request.rules.verbs |
security_result.rule_labels[req_rule_verb] |
|
protoPayload.request.rules.resourceNames |
security_result.rule_labels[req_rule_resource_name] |
|
protoPayload.response.metadata.managedFields.apiVersion |
target.resource.attribute.labels[res_managed_field_api_version] |
|
protoPayload.response.metadata.managedFields.fieldsType |
target.resource.attribute.labels[res_managed_field_type] |
|
protoPayload.response.metadata.managedFields.manager |
target.resource.attribute.labels[res_managed_field_manager] |
|
protoPayload.response.metadata.managedFields.operation |
target.resource.attribute.labels[res_managed_field_operation] |
|
protoPayload.response.metadata.managedFields.time |
target.resource.attribute.labels[res_managed_field_time] |
|
protoPayload.request.spec.containers.securityContext.capabilities.add |
target.resource_ancestors.attribute.labels[req_spec_container_security_context_capabilities_add] |
|
protoPayload.request.spec.containers.securityContext.seccompProfile.type |
target.resource_ancestors.attribute.labels[req_spec_container_security_context_seccomp_profile_type] |
|
protoPayload.request.spec.shareProcessNamespace |
target.resource.attribute.labels[req_spec_share_process_namespace] |
|
protoPayload.response.spec.containers.securityContext.capabilities.add |
target.resource_ancestors.attribute.labels[res_spec_container_security_context_capabilities_add] |
|
protoPayload.response.spec.containers.securityContext.seccompProfile.type |
target.resource_ancestors.attribute.labels[res_spec_container_security_context_seccomp_profile_type] |
|
protoPayload.response.spec.shareProcessNamespace |
target.resource.attribute.labels[res_spec_share_process_namespace] |
|
protoPayload.metadata.membershipDelta.member |
target.resource.attribute.labels[membership_delta_member] |
|
protoPayload.metadata.membershipDelta.roleDeltas.action |
target.resource.attribute.labels[membership_role_deltas_action] |
|
protoPayload.metadata.membershipDelta.roleDeltas.role |
target.resource.attribute.labels[membership_role_deltas_role] |
|
protoPayload.request.spec.resourceAttributes.namespace |
target.resource.attribute.labels[req_spec_resource_attribute_namespace] |
|
protoPayload.request.spec.resourceAttributes.resource |
target.resource.attribute.labels[req_spec_resource_attribute_resource] |
|
protoPayload.request.spec.resourceAttributes.verb |
target.resource.attribute.labels[req_spec_resource_attribute_verb] |
|
protoPayload.request.status.allowed |
target.resource.attribute.labels[req_status_allowed] |
|
protoPayload.response.spec.resourceAttributes.namespace |
target.resource.attribute.labels[res_spec_resource_attribute_namespace] |
|
protoPayload.response.spec.resourceAttributes.resource |
target.resource.attribute.labels[res_spec_resource_attribute_resource] |
|
protoPayload.response.spec.resourceAttributes.verb |
target.resource.attribute.labels[res_spec_resource_attribute_verb] |
|
protoPayload.response.status.allowed |
target.resource.attribute.labels[res_status_allowed] |
|
protoPayload.request.objects.db |
additional.fields[database_name] |
|
jsonPayload.accesses.methodName |
additional.fields[methodName] |
|
protoPayload.request.objects.name |
additional.fields[objects_name] |
|
protoPayload.metadata.event.eventName.parameter.name[API_CLIENT_NAME] |
additional.fields[api_client_name] |
|
protoPayload.metadata.event.eventName.parameter.name[API_SCOPES] |
additional.fields[api_scopes] |
|
protoPayload.metadata.event.eventName.parameter.name[BEGIN_DATE_TIME] |
additional.fields[begin_date_time] |
|
protoPayload.metadata.event.eventName.parameter.name[BULK_UPLOAD_FAIL_USERS_NUMBER] |
additional.fields[bulk_upload_fail_users_number] |
|
protoPayload.metadata.event.eventName.parameter.name[BULK_UPLOAD_TOTAL_USERS_NUMBER] |
additional.fields[bulk_upload_total_users_number] |
|
protoPayload.metadata.event.eventName.parameter.name[CAA_ASSIGNMENTS_NEW] |
additional.fields[caa_assignments_new] |
|
protoPayload.metadata.event.eventName.parameter.name[CAA_ASSIGNMENTS_OLD] |
additional.fields[caa_assignments_old] |
|
protoPayload.metadata.event.eventName.parameter.name[CAA_ENFORCEMENT_ENDPOINTS_NEW] |
additional.fields[caa_enforcement_endpoints_new] |
|
protoPayload.metadata.event.eventName.parameter.name[CAA_ENFORCEMENT_ENDPOINTS_OLD] |
additional.fields[caa_enforcement_endpoints_old] |
|
protoPayload.requestMetadata.requestAttributes.size |
additional.fields[caller_network_request_size] |
|
protoPayload.requestMetadata.requestAttributes.time |
additional.fields[caller_network_request_time] |
|
protoPayload.requestMetadata.callerNetwork |
additional.fields[caller_network] |
|
protoPayload.requestMetadata.requestAttributes.size |
additional.fields[caller_network_request_size] |
|
protoPayload.requestMetadata.requestAttributes.time |
additional.fields[request_attributes_time] |
|
protoPayload.requestMetadata.callerNetwork |
additional.fields[caller_network] |
|
protoPayload.metadata.event.eventName.parameter.name[CHROME_LICENSES_ENABLED] |
additional.fields[chrome_licenses_enabled] |
|
protoPayload.metadata.event.eventName.parameter.name[END_DATE_TIME] |
additional.fields[end_date_time] |
|
protoPayload.metadata.event.eventName.parameter.name[END_DATE] |
additional.fields[end_date] |
|
protoType.metadata.event.eventName |
additional.fields[event_name] |
|
protoPayload.metadata.event.parameter.label |
additional.fields[event_param_label] |
|
protoPayload.metadata.event.parameter.type |
additional.fields[event_param_type] |
|
protoType.metadata.event.eventType |
additional.fields[event_type] |
|
protoPayload.metadata.event.eventName.parameter.name[FIELD_NAME] |
additional.fields[field_name] |
|
protoPayload.metadata.event.eventName.parameter.name[FULL_ORG_UNIT_PATH] |
additional.fields[full_org_unit_path] |
|
protoPayload.metadata.event.eventName.parameter.name[GROUP_MEMBER_BULK_UPLOAD_FAILED_NUMBER] |
additional.fields[grp_member_bulk_upload_failed] |
|
protoPayload.metadata.event.eventName.parameter.name[GROUP_MEMBER_BULK_UPLOAD_TOTAL_NUMBER] |
additional.fields[grp_member_bulk_upload_total] |
|
httpRequest.cacheFillBytes |
additional.fields[httpreq_cache_fill_bytes] |
|
httpRequest.cacheHit |
additional.fields[httpreq_cache_hit] |
|
httpRequest.cacheLookup |
additional.fields[httpreq_cache_lookup] |
|
httpRequest.cacheValidatedWithOriginServer |
additional.fields[httpreq_cache_validated_with_origin_server] |
|
httpRequest.latency |
additional.fields[httprequest_latency] |
|
protoPayload.metadata.event.eventName.parameter.name[INFO_TYPE] |
additional.fields[info_type] |
|
protoPayload.metadata.activityId.timeUsec |
additional.fields[metadata_activityId_time_usec] |
|
protoPayload.metadata.activityId.uniqQualifier |
additional.fields[metadata_activityId_uniq_qualifier] |
|
protoPayload.metadata.@type |
additional.fields[metadata_type] |
|
protoPayload.metadata.event.eventName.parameter.name[NEW_PERMISSION_GRANT_STATE] |
additional.fields[new_permission_grant_state] |
|
protoPayload.metadata.event.eventName.parameter.name[NUMBER_OF_COMPANY_OWNED_DEVICES] |
additional.fields[num_of_company_owned_device] |
|
protoPayload.numResponseItems |
additional.fields[num_response_items] |
|
protoPayload.metadata.event.eventName.parameter.name[OLD_PERMISSION_GRANT_STATE] |
additional.fields[old_permission_grant_state] |
|
operation.first |
additional.fields[operation_first] |
|
operation.id |
additional.fields[operation_id] |
|
operation.last |
additional.fields[operation_last] |
|
operation.producer |
additional.fields[operation_producer] |
|
protoPayload.resourceOriginalState.selfLinkWithId |
additional.fields[rc_old_selflinkWithId] |
|
protoPayload.metadata.event.eventName.parameter.name[REAUTH_SETTING_NEW] |
additional.fields[reauth_setting_new] |
|
protoPayload.metadata.event.eventName.parameter.name[REAUTH_SETTING_OLD] |
additional.fields[reauth_setting_old] |
|
protoPayload.request.alloweds.ports |
additional.fields[req_alloweds_ports] |
|
protoPayload.request.body.name |
additional.fields[req_body_name] |
|
protoPayload.request.body.settings.activityPolicy |
additional.fields[req_body_settings_activity_policy] |
|
protoPayload.request.deletionProtection |
additional.fields[req_deletion_protection] |
|
protoPayload.request.disabled |
additional.fields[req_disabled] |
|
protoPayload.request.displayDevice.enableDisplay |
additional.fields[req_display_device_enable_display] |
|
protoPayload.request.enableFlowLogs |
additional.fields[req_enable_flow_logs] |
|
protoPayload.request.fingerprint |
additional.fields[req_fingerprint] |
|
protoPayload.request.shieldedInstanceConfig.enableSecureBoot |
additional.fields[req_instance_config_enable_secure_boot] |
|
protoPayload.request.shieldedInstanceConfig.enableVtpm |
additional.fields[req_instance_config_enable_vtpm] |
|
protoPayload.request.shieldedInstanceConfig.enableIntegrityMonitoring |
additional.fields[req_instance_enable_integrity_monitoring] |
|
protoPayload.request.key_types |
additional.fields[req_key_types] |
|
protoPayload.request.logconfig.enable |
additional.fields[req_logconfig_enable] |
|
protoPayload.request.networkTier |
additional.fields[req_network_tier] |
|
protoPayload.request.network |
additional.fields[req_network] |
|
protoPayload.request.page_size |
additional.fields[req_page_size] |
|
request.pagesize |
additional.fields[req_page_size] |
|
protoPayload.request.policy.etag |
additional.fields[req_policy_etag] |
|
protoPayload.request.portRange |
additional.fields[req_port_range] |
|
protoPayload.request.privateIpGoogleAccess |
additional.fields[req_private_ip_google_access] |
|
protoPayload.request.private_key_type |
additional.fields[req_private_key_type] |
|
protoPayload.request.remove_deleted_service_accounts |
additional.fields[req_remove_deleted_serviceAcc] |
|
protoPayload.request.showDeleted |
additional.fields[req_show_deleted] |
|
protoPayload.request.skip_visibility_check |
additional.fields[req_skip_visibility_check] |
|
protoPayload.request.stackType |
additional.fields[req_stack_type] |
|
protoPayload.request.type |
additional.fields[req_type] |
|
protoPayload.request.updateMask |
additional.fields[req_update_mask] |
|
protoPayload.request.version |
additional.fields[req_version] |
|
protoPayload.response.clientOperationId |
additional.fields[res_client_operation_id] |
|
protoPayload.response.endTime |
additional.fields[res_end_time] |
|
protoPayload.response.id |
additional.fields[res_id] |
|
protoPayload.response.key_algorithm |
additional.fields[res_key_algorithm] |
|
protoPayload.response.key_origin |
additional.fields[res_key_origin] |
|
protoPayload.response.key_type |
additional.fields[res_key_type] |
|
protoPayload.response.kind |
additional.fields[res_kind] |
|
protoPayload.response.private_key_type |
additional.fields[res_private_key_type] |
|
protoPayload.response.progress |
additional.fields[res_progress] |
|
protoPayload.response.startTime |
additional.fields[res_start_time] |
|
protoPayload.response.status |
security_result.action |
security_result.action wird auf FAIL gesetzt, wenn die folgenden Bedingungen erfüllt sind:
|
protoPayload.response.status |
additional.fields[res_status] |
|
protoPayload.response.type |
additional.fields[res_type] |
|
protoPayload.response.unique_id |
additional.fields[res_unique_id] |
|
protoPayload.response.valid_after_time.seconds |
additional.fields[res_valid_after_time] |
|
protoPayload.response.valid_before_time.seconds |
additional.fields[res_valid_before_time] |
|
protoPayload.response.version |
additional.fields[res_version] |
|
protoPayload.response.zone |
additional.fields[res_zone] |
|
protoPayload.metadata.event.eventName.parameter.name[SEARCH_QUERY_FOR_DUMP] |
additional.fields[search_query_for_dump] |
|
spanId |
additional.fields[span_id] |
|
protoPayload.metadata.event.eventName.parameter.name[START_DATE] |
additional.fields[start_date] |
|
traceSampled |
additional.fields[trace_sampled] |
|
Trace |
additional.fields[trace] |
|
protoPayload.@type |
additional.fields[type] |
|
protoPayload.redactions.reason |
additional.fields[protoPayload.redactions.field] |
|
protoPayload.redactions.type |
additional.fields[protoPayload.redactions.field] |
|
authenticationInfo.serviceAccountDelegationInfo.firstPartyPrincipal.serviceMetadata |
additional.fields[service_metadata] |
|
jsonPayload.sourceNetwork |
additional.fields[source_network] |
|
authenticationInfo.serviceAccountDelegationInfo.thirdPartyPrincipal.thirdPartyClaims |
additional.fields[third_party_claims] |
|
protoPayload.requestMetadata.requestAttributes.time |
additional.fields[caller_network_request_time] |
|
protoPayload.request.ipCidrRange |
additional.fields[req_ip_cidr_range] |
|
protoPayload.request.description |
additional.labels[req_description] |
|
protoPayload.request.sourceRanges |
additional.fields[req_source_ranges] |
|
protoPayload.requestMetadata.requestAttributes.reason |
additional.fields[request_attributes_reason] |
|
protoPayload.authenticationInfo.thirdPartyPrincipal |
additional.fields[third_party_principal] |
|
sourceLocation.function |
additional.fields[src_location_function] |
|
sourceLocation.line |
additional.fields[src_location_line] |
|
resource.labels.backend_service_name |
additional.fields[backend_service_name] |
|
protoPayload.requestMetadata.requestAttributes.auth.claims |
additional.fields[request_auth_claims] |
|
protoPayload.metadata.event.eventName.parameter.name[APPLICATION_EDITION] |
additional.fields[application_edition] |
|
protoPayload.metadata.event.eventName.parameter.name[ASP_ID] |
additional.fields[asp_id] |
|
protoPayload.metadata.event.eventName.parameter.name[CHROME_OS_SESSION_TYPE] |
additional.fields[chrome_os_session_type] |
|
protoPayload.metadata.event.eventName.parameter.name[DEVICE_NEW_ORG_UNIT] |
additional.fields[device_new_org_unit] |
|
protoPayload.metadata.event.eventName.parameter.name[DEVICE_PREVIOUS_ORG_UNIT] |
additional.fields[device_previous_org_unit] |
|
protoPayload.metadata.event.eventName.parameter.name[DOMAIN_ALIAS] |
additional.fields[domain_alias] |
|
protoPayload.metadata.event.eventName.parameter.name[EMAIL_EXPORT_INCLUDE_DELETED] |
additional.fields[email_export_include_deleted] |
|
protoPayload.metadata.event.eventName.parameter.name[EMAIL_EXPORT_PACKAGE_CONTENT] |
additional.fields[email_export_package_content] |
|
protoPayload.metadata.event.eventName.parameter.name[EMAIL_LOG_SEARCH_END_DATE] |
additional.fields[email_log_search_end_date] |
|
protoPayload.metadata.event.eventName.parameter.name[EMAIL_LOG_SEARCH_START_DATE] |
additional.fields[email_log_search_start_date] |
|
protoPayload.metadata.event.eventName.parameter.name[EMAIL_MONITOR_LEVEL_CHAT] |
additional.fields[email_monitor_level_chat] |
|
protoPayload.metadata.event.eventName.parameter.name[EMAIL_MONITOR_LEVEL_DRAFT_EMAIL] |
additional.fields[email_monitor_level_draft_email] |
|
protoPayload.metadata.event.eventName.parameter.name[EMAIL_MONITOR_LEVEL_INCOMING_EMAIL] |
additional.fields[email_monitor_level_in_email] |
|
protoPayload.metadata.event.eventName.parameter.name[EMAIL_MONITOR_LEVEL_OUTGOING_EMAIL] |
additional.fields[email_monitor_level_out_email] |
|
protoPayload.metadata.event.eventName.parameter.name[GMAIL_RESET_REASON] |
additional.fields[email_reset_reason] |
|
protoPayload.metadata.event.eventName.parameter.name[NEW_VALUE] |
additional.fields[new_value] |
|
protoPayload.metadata.event.eventName.parameter.name[OAUTH2_APP_TYPE] |
additional.fields[oauth2_app_type] |
|
protoPayload.metadata.event.eventName.parameter.name[OLD_VALUE] |
additional.fields[old_value] |
|
protoPayload.requestMetadata.destinationAttributes.principal |
additional.fields[peer_principal] |
|
protoPayload.requestMetadata.destinationAttributes.regionCode |
additional.fields[peer_region_code] |
|
protoPayload.request.loadBalancingScheme |
additional.fields[req_load_balancing_scheme] |
|
protoPayload.request.requestId |
additional.fields[request_id] |
|
protoPayload.metadata.event.eventName.parameter.name[REQUEST_ID] |
additional.fields[request_id] |
|
protoPayload.resourceOriginalState.description |
additional.fields[res_originalState_description] |
|
protoPayload.response.bindings.members |
additional.fields[response_bindings_members] |
|
protoPayload.response.description |
additional.fields[response_description] |
|
protoPayload.response.display_name |
additional.fields[response_display_name] |
|
protoPayload.metadata.event.eventName.parameter.name[SECONDARY_DOMAIN_NAME] |
additional.fields[secondary_domain_name] |
|
protoPayload.metadata.event.eventName.parameter.name[SETTING_NAME] |
additional.fields[setting_name] |
|
protoPayload.metadata.event.eventName.parameter.name[USER_CUSTOM_FIELD] |
additional.fields[user_custom_field] |
|
protoPayload.metadata.event.eventName.parameter.name[USER_DEFINED_SETTING_NAME] |
additional.fields[user_defined_setting_name] |
|
protoPayload.metadata.event.eventName.parameter.name[WEB_ORIGIN] |
additional.fields[web_origin] |
|
protoPayload.metadata.event.eventName.parameter.name[WHITELISTED_GROUPS] |
additional.fields[whitelisted_groups] |
|
jsonPayload.end_time |
additional.fields[jsonPayload_end_time] |
|
jsonPayload.reporter |
additional.fields[jsonPayload_reporter] |
|
jsonPayload.start_time |
additional.fields[jsonPayload_start_time] |
|
jsonPayload.src_instance.project_id |
additional.fields[jsonPayload_src_instance_project_id] |
|
jsonPayload.dest_instance.project_id |
additional.fields[jsonPayload_dest_instance_project_id] |
|
jsonPayload.src_location.asn |
additional.fields[jsonPayload_src_location_asn] |
|
jsonPayload.src_location.continent |
additional.fields[jsonPayload_src_location_continent] |
|
jsonPayload.dest_location.asn |
additional.fields[jsonPayload_dest_location_asn] |
|
jsonPayload.dest_location.continent |
additional.fields[jsonPayload_dest_location_continent] |
|
protoPayload.request.spec.expirationSeconds |
target.resource.attribute.labels[req_spec_expiration_seconds] |
|
protoPayload.request.spec.request |
target.resource.attribute.labels[req_spec_request] |
|
protoPayload.request.spec.signerName |
target.resource.attribute.labels[req_spec_signer_name] |
|
protoPayload.request.spec.usages |
target.resource.attribute.labels[req_spec_usage] |
|
protoPayload.response.spec.expirationSeconds |
target.resource.attribute.labels[res_spec_expiration_seconds] |
|
protoPayload.response.spec.extra.iam.gke.io/user-assertion |
target.resource.attribute.labels[res_spec_extra_iam_gke_io/user_assertion] |
|
protoPayload.response.spec.extra.user-assertion.cloud.google.com |
target.resource.attribute.labels[res_spec_extra_user_assertion_cloud_google_com] |
|
protoPayload.response.spec.groups |
target.resource.attribute.labels[res_spec_group] |
|
protoPayload.response.spec.request |
target.resource.attribute.labels[res_spec_request] |
|
protoPayload.response.spec.signerName |
target.resource.attribute.labels[res_spec_signer_name] |
|
protoPayload.response.spec.usages |
target.resource.attribute.labels[res_spec_usage] |
|
protoPayload.response.spec.username |
target.resource.attribute.labels[res_spec_username] |
|
protoPayload.request.cryptoKeyVersion.state |
target.resource.attribute.labels[req_cryptokey_version_state] |
|
protoPayload.serviceData.policyDelta.auditConfigDeltas.action |
target.resource.attribute.labels[service_data_policy_delta_audit_config_delta_action] |
|
protoPayload.serviceData.policyDelta.auditConfigDeltas.service |
target.resource.attribute.labels[service_data_policy_delta_audit_config_delta_service] |
|
protoPayload.serviceData.policyDelta.auditConfigDeltas.exemptedMember |
target.resource.attribute.labels[service_data_policy_delta_audit_config_delta_exempted_member] |
|
protoPayload.serviceData.policyDelta.auditConfigDeltas.logType |
target.resource.attribute.labels[service_data_policy_delta_audit_config_delta_log_type] |
|
protoPayload.request.policy.bindings.role |
target.resource.attribute.labels[req_policy_bindings_role] |
|
protoPayload.request.policy.bindings.members |
target.resource.attribute.labels[req_bindings_members] |
|
protoPayload.metadata.tableChange.bindingDeltas.action |
target.resource.attribute.labels[table_change_binding_deltas_action] |
|
protoPayload.metadata.tableChange.bindingDeltas.member |
target.resource.attribute.labels[table_change_binding_deltas_member] |
|
protoPayload.metadata.tableChange.bindingDeltas.role |
target.resource.attribute.labels[table_change_binding_deltas_role] |
|
protoPayload.metadata.datasetChange.bindingDeltas.action |
target.resource.attribute.labels[dataset_change_binding_deltas_action] |
|
protoPayload.metadata.datasetChange.bindingDeltas.member |
target.resource.attribute.labels[dataset_change_binding_deltas_member] |
|
protoPayload.metadata.datasetChange.bindingDeltas.role |
target.resource.attribute.labels[dataset_change_binding_deltas_role] |
|
protoPayload.metadata.tableChange.table.policy.etag |
target.resource.attribute.labels[table_change_table_policy_etag] |
|
protoPayload.metadata.tableChange.table.policy.bindings.role |
target.resource.attribute.labels[table_change_table_policy_bindings_{index}_role] |
|
protoPayload.metadata.tableChange.table.policy.bindings.members |
target.resource.attribute.labels[table_change_table_policy_bindings_{index}_members_{index1}] |
|
protoPayload.metadata.datasetChange.dataset.acl.policy.bindings.role |
target.resource.attribute.labels[dataset_change_dataset_acl_policy_bindings_{index}_role] |
|
protoPayload.metadata.datasetChange.dataset.acl.policy.bindings.members |
target.resource.attribute.labels[dataset_change_dataset_acl_policy_bindings_{index}_members_{index1}] |
|
protoPayload.request.bindings.role |
target.resource.attribute.labels[request_bindings_{index}_role] |
|
protoPayload.request.bindings.members |
target.resource.attribute.labels[request_bindings_{index}_members_{index1}] |
|
protoPayload.metadata.groupDelta.newGroup.description |
target.group.attribute.labels[metadata_group_delta_new_group_description] |
|
protoPayload.metadata.groupDelta.newGroup.email |
target.group.email_addresses |
|
protoPayload.metadata.groupDelta.newGroup.name |
target.group.group_display_name |
|
protoPayload.metadata.groupDelta.action |
target.group.attribute.labels[metadata_group_delta_action] |
|
protoPayload.response.spec.template.metadata.labels.client.knative.dev/nonce |
target.resource.attribute.labels[res_spec_template_metadata_nonce] |
|
protoPayload.response.spec.template.metadata.annotations.run.googleapis.com/client-name |
target.resource.attribute.labels[res_spec_template_metadata_client_name] |
|
protoPayload.response.spec.template.metadata.annotations.run.googleapis.com/client-version |
target.resource.attribute.labels[res_spec_template_metadata_client_version] |
|
protoPayload.response.spec.template.metadata.annotations.run.googleapis.com/execution-environment |
target.resource.attribute.labels[res_spec_template_metadata_exection_environment] |
|
protoPayload.response.spec.template.spec.taskCount |
target.resource.attribute.labels[res_spec_template_spec_taskcount] |
|
protoPayload.response.spec.template.spec.template.spec.containers.image |
target.resource_ancestors.attribute.labels[res_spec_template_spec_template_spec_container_image] |
|
protoPayload.response.spec.template.spec.template.spec.containers.resources.limits.memory |
target.resource_ancestors.attribute.labels[res_spec_template_spec_template_spec_container_resource_limits_memory] |
|
protoPayload.response.spec.template.spec.template.spec.containers.resources.limits.cpu |
target.resource_ancestors.attribute.labels[res_spec_template_spec_template_spec_container_resource_limits_cpu] |
|
protoPayload.response.spec.template.spec.template.spec.maxRetries |
target.resource.attribute.labels[res_spec_template_spec_template_spec_max_retries] |
|
protoPayload.response.spec.template.spec.template.spec.timeoutSeconds |
target.resource.attribute.labels[res_spec_template_spec_template_spec_timeout_seconds] |
|
protoPayload.response.spec.template.spec.template.spec.serviceAccountName |
principal.user.email_addresses |
|
protoPayload.request.service.metadata.annotations.run.googleapis.com/client-name |
target.resource_ancestors.attribute.labels[req_service_metadata_client_name] |
|
protoPayload.request.service.metadata.annotations.serving.knative.dev/creator |
target.resource_ancestors.attribute.labels[req_service_metadata_creator] |
|
protoPayload.request.service.metadata.annotations.run.googleapis.com/client-version |
target.resource_ancestors.attribute.labels[req_service_metadata_client_version] |
|
protoPayload.request.service.metadata.annotations.run.googleapis.com/operation-id |
target.resource_ancestors.attribute.labels[req_service_metadata_client_operation_id] |
|
protoPayload.request.service.metadata.annotations.run.googleapis.com/binary-authorization |
target.resource_ancestors.attribute.labels[req_service_metadata_binary_authorization] |
|
protoPayload.request.service.metadata.annotations.run.googleapis.com/ingress-status |
target.resource_ancestors.attribute.labels[req_service_metadata_client_ingress_status] |
|
protoPayload.request.service.metadata.annotations.serving.knative.dev/lastModifier |
target.resource_ancestors.attribute.labels[req_service_metadata_last_modifier] |
|
protoPayload.request.service.metadata.annotations.run.googleapis.com/ingress |
target.resource_ancestors.attribute.labels[req_service_metadata_ingress] |
|
protoPayload.request.service.spec.template.metadata.annotations.run.googleapis.com/client-name |
target.resource_ancestors.attribute.labels[req_service_spec_template_metadata_client_name] |
|
protoPayload.request.service.spec.template.metadata.annotations.run.googleapis.com/client-version |
target.resource_ancestors.attribute.labels[req_service_spec_template_metadata_client_version] |
|
protoPayload.request.service.spec.template.metadata.annotations.autoscaling.knative.dev/maxScale |
target.resource_ancestors.attribute.labels[req_service_spec_template_metadata_max_scale] |
|
protoPayload.request.New Data |
target.resource_ancestors.attribute.labels[req_new_data] |
|
protoPayload.response.Original Data |
target.resource_ancestors.attribute.labels[req_original_data] |
|
protoPayload.request.timestampRange.startTime |
target.resource.attribute.labels[timestamp_range_start_time] |
|
protoPayload.request.timestampRange.endTime |
target.resource.attribute.labels[timestamp_range_end_time] |
|
protoPayload.request.regexSearch |
target.resource.attribute.labels[request_regex_search] |
|
protoPayload.request.productSources |
target.resource.attribute.labels[request_product_sources] |
|
protoPayload.request.query |
target.resource.attribute.labels[request_query] |
|
protoPayload.request.caseSensitive |
target.resource.attribute.labels[request_case_sensitive] |
|
protoPayload.request.baselineQuery |
target.resource.attribute.labels[baseline_query] |
|
protoPayload.request.baselineTimeRange.startTime |
target.resource.attribute.labels[baseline_time_range_start_time] |
|
protoPayload.request.baselineTimeRange.endTime |
target.resource.attribute.labels[baseline_time_range_end_time] |
|
protoPayload.response.serviceConfig.timeoutSeconds |
target.resource.attribute.labels[response_service_config_timeout_seconds] |
|
labels.execution_id |
additional.fields[execution_id] |
|
labels.instance_id |
additional.fields[instance_id] |
|
labels.runtime_version |
additional.fields[runtime_version] |
|
protoPayload.metadata.updatedGrant.requester |
principal.user.userid |
Wenn der Wert des protoPayload.serviceName-Logfelds privilegedaccessmanager.googleapis.com entspricht, wird das protoPayload.metadata.updatedGrant.requester-Logfeld dem principal.user.userid-UDM-Feld zugeordnet. |
protoPayload.metadata.updatedGrant.requestedDuration |
target.resource.attribute.labels[requestedDuration] |
Wenn der Wert des protoPayload.serviceName-Logfelds privilegedaccessmanager.googleapis.com entspricht, wird das protoPayload.metadata.updatedGrant.requestedDuration-Logfeld dem target.resource.attribute.labels-UDM-Feld zugeordnet. |
protoPayload.metadata.updatedGrant.justification.unstructuredJustification |
target.resource.attribute.labels[justification] |
Wenn der Wert des protoPayload.serviceName-Logfelds privilegedaccessmanager.googleapis.com entspricht, wird das protoPayload.metadata.updatedGrant.justification.unstructuredJustification-Logfeld dem target.resource.attribute.labels-UDM-Feld zugeordnet. |
protoPayload.metadata.updatedGrant.privilegedAccess.gcpIamAccess.roleBindings.role |
target.resource.attribute.roles.name |
Wenn der Wert des protoPayload.serviceName-Logfelds privilegedaccessmanager.googleapis.com entspricht, wird das protoPayload.metadata.updatedGrant.privilegedAccess.gcpIamAccess.roleBindings.role-Logfeld dem target.resource.attribute.roles.name-UDM-Feld zugeordnet. |
protoPayload.metadata.updatedGrant.privilegedAccess.gcpIamAccess.resourceType |
target.resource.attribute.labels[resourceType] |
Wenn der Wert des protoPayload.serviceName-Logfelds privilegedaccessmanager.googleapis.com entspricht, wird das protoPayload.metadata.updatedGrant.privilegedAccess.gcpIamAccess.resourceType-Logfeld dem target.resource.attribute.labels-UDM-Feld zugeordnet. |
protoPayload.metadata.updatedGrant.privilegedAccess.gcpIamAccess.resource |
target.resource.attribute.labels[resource] |
Wenn der Wert des protoPayload.serviceName-Logfelds privilegedaccessmanager.googleapis.com entspricht, wird das protoPayload.metadata.updatedGrant.privilegedAccess.gcpIamAccess.resource-Logfeld dem target.resource.attribute.labels-UDM-Feld zugeordnet. |
protoPayload.metadata.updatedGrant.state |
target.resource.attribute.labels[state] |
Wenn der Wert des protoPayload.serviceName-Logfelds privilegedaccessmanager.googleapis.com entspricht, wird das protoPayload.metadata.updatedGrant.state-Logfeld dem target.resource.attribute.labels-UDM-Feld zugeordnet. |
protoPayload.metadata.jobInsertion.job.jobConfig.labels.looker_studio_report_id |
target.resource.attribute.labels[job_insertion_looker_studio_report_id] |
Wenn der Wert des protoPayload.serviceName-Logfelds privilegedaccessmanager.googleapis.com entspricht, wird das protoPayload.metadata.jobInsertion.job.jobConfig.labels.looker_studio_report_id-Logfeld dem target.resource.attribute.labels-UDM-Feld zugeordnet. |
protoPayload.metadata.jobInsertion.job.jobConfig.labels.requestor |
target.resource.attribute.labels[job_insertion_requestor] |
Wenn der Wert des protoPayload.serviceName-Logfelds privilegedaccessmanager.googleapis.com entspricht, wird das protoPayload.metadata.jobInsertion.job.jobConfig.labels.requestor-Logfeld dem target.resource.attribute.labels-UDM-Feld zugeordnet. |
protoPayload.metadata.jobInsertion.job.jobConfig.labels.looker_studio_datasource_id |
target.resource.attribute.labels[job_insertion_looker_studio_datasource_id] |
Wenn der Wert des protoPayload.serviceName-Logfelds privilegedaccessmanager.googleapis.com entspricht, wird das protoPayload.metadata.jobInsertion.job.jobConfig.labels.looker_studio_datasource_id-Logfeld dem target.resource.attribute.labels-UDM-Feld zugeordnet. |
protoPayload.response.displayName |
security_result.associations.name |
Wenn der Wert des protoPayload.response.displayName-Logfelds nicht leer ist, wird das protoPayload.response.displayName-Logfeld dem security_result.associations.name-UDM-Feld zugeordnet. |
protoPayload.request.referenceList.displayName |
security_result.associations.name |
Wenn der Wert des protoPayload.response.displayName-Logfelds leer ist, wird das protoPayload.request.referenceList.displayName-Logfeld dem security_result.associations.name-UDM-Feld zugeordnet. |
protoPayload.resourceName |
security_result.detection_fields[rule_id] |
Wenn der Wert des protoPayload.resourceName-Logfelds nicht leer ist und der Wert des protoPayload.response.@type-Logfelds type.googleapis.com/google.cloud.chronicle.v1alpha.Rule ist, wird new_rule_id mithilfe eines Grok-Musters aus dem protoPayload.resourceName-Logfeld extrahiert und dem UDM-Feld security_result.detection_fields[rule_id] zugeordnet. |
protoPayload.request.projection |
target.resource.attribute.labels[req_projection] |
|
protoPayload.response.items.metageneration |
target.resource.attribute.labels[res_items_metageneration] |
|
protoPayload.response.items.labels.created_date |
target.resource.attribute.labels[res_items_labels_created_date] |
|
protoPayload.response.items.labels.team_email |
target.resource.attribute.labels[res_items_labels_team_email] |
|
protoPayload.response.items.labels.team_name |
target.resource.attribute.labels[res_items_labels_team_name] |
|
protoPayload.response.items.labels.office_number |
target.resource.attribute.labels[res_items_labels_official_number] |
|
protoPayload.response.items.labels.department |
target.resource.attribute.labels[res_items_labels_department] |
|
protoPayload.response.items.labels.business_project_number |
target.resource.attribute.labels[res_items_labels_business_project_number] |
|
protoPayload.response.items.labels.owner_email |
target.resource.attribute.labels[res_items_labels_owner_email] |
|
protoPayload.response.items.labels.purchase_order_number |
target.resource.attribute.labels[res_items_labels_purchase_order_number] |
|
protoPayload.response.items.labels.office_name |
target.resource.attribute.labels[res_items_labels_office_name] |
|
protoPayload.response.items.labels.environment |
target.resource.attribute.labels[res_items_labels_environment] |
|
protoPayload.response.items.labels.created_by |
target.resource.attribute.labels[res_items_labels_created_by] |
|
protoPayload.response.items.labels.project_name |
target.resource.attribute.labels[res_items_labels_project_name] |
|
protoPayload.response.items.labels.finops_tag |
target.resource.attribute.labels[res_items_labels_finops_tag] |
|
protoPayload.response.items.labels.owner_role |
target.resource.attribute.labels[res_items_labels_owner_role] |
|
protoPayload.response.items.versioning.enabled |
target.resource.attribute.labels[res_items_versioning_enabled] |
|
protoPayload.response.items.iamConfiguration.publicAccessPrevention |
target.resource.attribute.labels[res_items_iam_conf_public_access_prevention] |
|
protoPayload.response.items.iamConfiguration.uniformBucketLevelAccess.lockedTime |
target.resource.attribute.labels[res_items_iam_conf_uniform_bucket_level_access_locked_time] |
|
protoPayload.response.items.iamConfiguration.uniformBucketLevelAccess.enabled |
target.resource.attribute.labels[res_items_iam_conf_uniform_bucket_level_access_enabled] |
|
protoPayload.response.items.id |
target.resource.attribute.labels[res_items_id] |
|
protoPayload.response.items.updated |
target.resource.attribute.labels[res_items_updated] |
|
protoPayload.response.items.storageClass |
target.resource.attribute.labels[res_items_storage_class] |
|
protoPayload.response.items.timeCreated |
target.resource.attribute.labels[res_items_time_created] |
|
protoPayload.response.items.location |
target.resource.attribute.labels[res_items_location] |
|
protoPayload.response.items.locationType |
target.resource.attribute.labels[res_items_location_type] |
|
protoPayload.response.items.projectNumber |
target.resource.attribute.labels[res_items_project_number] |
|
protoPayload.response.items.name |
target.resource.attribute.labels[res_items_name] |
|
protoPayload.response.items.softDeletePolicy.effectiveTime |
target.resource.attribute.labels[res_items_soft_delete_policy_effective_time] |
|
protoPayload.response.items.softDeletePolicy.retentionDurationSeconds |
target.resource.attribute.labels[res_items_soft_delete_policy_retention_duration_seconds] |
|
protoPayload.response.items.etag |
target.resource.attribute.labels[res_items_etag] |
|
protoPayload.response.code |
network.http.response_code |
|
protoPayload.response.reason |
additional.fields[res_reason] |
|
protoPayload.request.spec.template.spec.containers.securityContext.runAsUser |
target.resource.attribute.labels[req_spec_template_spec_containers_securitycontext_run_as_user] |
Nächste Schritte
Benötigen Sie weitere Hilfe? Antworten von Community-Mitgliedern und Google SecOps-Experten erhalten