Collect Google Chrome logs

Supported in:

This document describes how you can collect Chrome logs by setting up a Google Security Operations feed and how log fields map to Chrome Unified Data Model (UDM) fields.

For more information, see Data ingestion to Google SecOps.

Overview

A typical deployment consists of ChromeOS and Chrome browser configured to send logs to Google SecOps. Each customer deployment might differ and might be more complex. The deployment consists of the following components:

  • Chrome: The ChromeOS device log that you want to collect.

  • Google Workspace: The Google Workspace platform from which you collect logs.

  • Google SecOps feed: The Google SecOps feed that fetches logs from Google Workspace and writes logs to Google SecOps.

  • Google SecOps: Retains and analyzes Chrome logs.

An ingestion label identifies the parser which normalizes raw log data to structured UDM format. The information in this document applies to the parser with the CHROME_MANAGEMENT ingestion label.

Before you begin

  • Ensure that you use Google Workspace Business Standard edition.

  • Ensure that you have a Google Workspace Administrator account.

  • Ensure that all systems in the deployment architecture are configured in the UTC time zone.

  • If you create users that impersonate the service account, grant the following privileges to the users by using the Admin console:

    • Privileges > Reports
    • Privileges > Services > Alert Center > Full Access > View access
    • Privileges > Services > Mobile Device Management > Manage Devices and Settings
    • Privileges > Services > Chrome Management > Settings
    • Admin API > Privileges > Users > Read
    • Admin API > Privileges > Groups > Read

Set up Chrome Browser Cloud Management

The following are the high-level steps to setup Chrome browser Cloud Management:

Perform the following steps to setup Chrome browser Cloud Management.

  1. In the Admin console, Click Menu > Devices > Chrome > Managed browsers.

  2. Optional: Select the top-level organization or select the organizational unit where you want to generate a token that enrolls browsers directly to that specific organizational unit. For more information, see Add an organization unit.

  3. Click Enroll. If this is your first browser enrollment, you are prompted to accept the Chrome Browser Cloud Management (CBCM) Terms of Service.

  4. Click Copy enrollment token to clipboard.

  5. To enroll cloud-managed Chrome browsers, click Done.

  6. In the Admin console, go to Menu > Devices > Chrome > Settings > Users & browsers. Select your top-level organizational unit, so that all child organizations inherit the policy. Scroll down to Browser reporting.

  7. Set Managed browser reporting to Enable managed browser cloud reporting.

  8. To turn on Chrome browser reporting, click Save.

  9. In the Admin console, go to Menu > Devices > Chrome > Connectors.

  10. Optional: If you are configuring Chrome Enterprise connectors settings for the first time, follow the prompts to turn on Chrome Enterprise Connectors.

  11. At the top, click + New provider configuration.

  12. In the panel that appears on the right, find the Google SecOps setup and click Set up.

  13. Enter Configuration ID and API key.

    • Configuration ID: The ID that is shown on the User & browsers settings page and the Connectors page.

    • API key: The API key to specify when calling the Google SecOps injection API to identify the customer.

  14. To add new provider configuration, click Add configuration.

Supported log types and data models

The following are the supported log types and events for Chrome Management. All the supported log types and events are in JSON format.

Log type Event type
Malicious Activity

badNavigationEvent

dangerousDownloadEvent

Malware transfer

Extension install

Password changed

Password reuse

Unsafe site visit

Login events

Password breach

urlFilteringInterstitialEvent

browserCrashEvent

Audit Activity

CHROME_OS_ADD_USER

CHROME_OS_REMOVE_USER

DEVICE_BOOT_STATE_CHANGE

CHROME_OS_LOGIN_FAILURE_EVENT

CHROME_OS_LOGIN_LOGOUT_EVENT

CHROME_OS_LOGIN_EVENT

CHROME_OS_LOGOUT_EVENT

CHROME_OS_REPORTING_DATA_LOST

PASSWORD_CHANGED

PASSWORD_REUSE

DLP_EVENT

CONTENT_TRANSFER

CONTENT_UNSCANNED

EXTENSION_REQUEST

LOGIN_EVENT

MALWARE_TRANSFER

PASSWORD_BREACH

SENSITIVE_DATA_TRANSFER

UNSAFE_SITE_VISIT

extensionTelemetryEvent

Data Protection

Content transfer

Content unscanned

Sensitive data transfer

Chrome OS

ChromeOS login failure

ChromeOS login success

ChromeOS logout

ChromeOS user added

ChromeOS user removed

ChromeOS lock success

ChromeOS unlock success

ChromeOS unlock failure

ChromeOS device boot state change

ChromeOS USB device added

ChromeOS USB device removed

ChromeOS USB status change

ChromeOS CRD host started

ChromeOS CRD client connected

ChromeOS CRD client disconnected

ChromeOS CRD host stopped

Field mapping reference

This section explains how the Google SecOps parser maps Chrome log fields to Google SecOps Unified Data Model (UDM) fields for the data sets.

Field mapping reference: Event Identifier to Event Type

The following table lists the CHROME_MANAGEMENT log types and their corresponding UDM event types.

Event Identifier Event Type Security Category
badNavigationEvent - SOCIAL_ENGINEERING USER_RESOURCE_ACCESS SOCIAL_ENGINEERING
badNavigationEvent - SSL_ERROR USER_RESOURCE_ACCESS NETWORK_SUSPICIOUS
badNavigationEvent - MALWARE USER_RESOURCE_ACCESS SOFTWARE_MALICIOUS
badNavigationEvent - UNWANTED_SOFTWARE USER_RESOURCE_ACCESS SOFTWARE_PUA
badNavigationEvent - THREAT_TYPE_UNSPECIFIED USER_RESOURCE_ACCESS SOFTWARE_MALICIOUS
browserCrashEvent STATUS_UPDATE
browserExtensionInstallEvent USER_RESOURCE_UPDATE_CONTENT
Extension install - BROWSER_EXTENSION_INSTALL USER_RESOURCE_UPDATE_CONTENT
EXTENSION_REQUEST USER_UNCATEGORIZED
CHROME_OS_ADD_USER - CHROMEOS_AFFILIATED_USER_ADDED USER_CREATION
CHROME_OS_ADD_USER - CHROMEOS_UNAFFILIATED_USER_ADDED USER_CREATION
ChromeOS user added - CHROMEOS_UNAFFILIATED_USER_ADDED USER_CREATION
ChromeOS user removed - CHROMEOS_UNAFFILIATED_USER_REMOVED USER_DELETION
CHROME_OS_REMOVE_USER - CHROMEOS_AFFILIATED_USER_REMOVED USER_DELETION
CHROME_OS_REMOVE_USER - CHROMEOS_UNAFFILIATED_USER_REMOVED USER_DELETION
Login events USER_LOGIN
LOGIN_EVENT - CHROMEOS_UNAFFILIATED_LOGIN USER_LOGIN
loginEvent USER_LOGIN
ChromeOS login success USER_LOGIN
CHROME_OS_LOGIN_EVENT - CHROMEOS_AFFILIATED_LOGIN USER_LOGIN
CHROME_OS_LOGIN_EVENT - CHROMEOS_UNAFFILIATED_LOGIN USER_LOGIN
CHROME_OS_LOGIN_EVENT - CHROMEOS_GUEST_LOGIN USER_LOGIN
CHROME_OS_LOGIN_EVENT - CHROMEOS_KIOSK_SESSION_LOGIN USER_LOGIN
CHROME_OS_LOGIN_EVENT - CHROMEOS_GUEST_SESSION_LOGIN USER_LOGIN
CHROME_OS_LOGIN_EVENT - CHROMEOS_MANAGED_GUEST_SESSION_LOGIN USER_LOGIN
ChromeOS login failure - CHROMEOS_AFFILIATED_LOGIN USER_LOGIN
CHROME_OS_LOGIN_FAILURE_EVENT - CHROMEOS_AFFILIATED_LOGIN USER_LOGIN
CHROME_OS_LOGIN_FAILURE_EVENT - CHROMEOS_UNAFFILIATED_LOGIN USER_LOGIN
CHROME_OS_LOGIN_LOGOUT_EVENT - CHROMEOS_AFFILIATED_LOGIN USER_LOGIN
CHROME_OS_LOGOUT_EVENT - CHROMEOS_AFFILIATED_LOGOUT USER_LOGOUT
CHROME_OS_LOGOUT_EVENT - CHROMEOS_GUEST_LOGOUT USER_LOGOUT
CHROME_OS_LOGOUT_EVENT - CHROMEOS_MANAGED_GUEST_SESSION_LOGOUT USER_LOGOUT
CHROME_OS_LOGOUT_EVENT - CHROMEOS_UNAFFILIATED_LOGOUT USER_LOGOUT
CHROME_OS_LOGOUT_EVENT - CHROMEOS_KIOSK_SESSION_LOGOUT USER_LOGOUT
CHROME_OS_LOGOUT_EVENT - CHROMEOS_GUEST_SESSION_LOGOUT USER_LOGOUT
ChromeOS logout - CHROMEOS_AFFILIATED_LOGOUT USER_LOGOUT
CHROME_OS_REPORTING_DATA_LOST STATUS_UPDATE
ChromeOS CRD client connected - CHROMEOS_CRD_CLIENT_CONNECTED USER_LOGIN
ChromeOS CRD client disconnected USER_LOGOUT
CHROME_OS_CRD_HOST_STARTED - CHROMEOS_CRD_HOST_STARTED STATUS_STARTUP
ChromeOS CRD host started - CHROMEOS_CRD_HOST_STARTED STATUS_STARTUP
ChromeOS CRD host stopped - CHROMEOS_CRD_HOST_ENDED STATUS_STARTUP
ChromeOS device boot state change - CHROME_OS_VERIFIED_MODE SETTING_MODIFICATION
ChromeOS device boot state change - CHROME_OS_DEV_MODE SETTING_MODIFICATION
DEVICE_BOOT_STATE_CHANGE - CHROME_OS_VERIFIED_MODE SETTING_MODIFICATION
ChromeOS lock success - CHROMEOS_AFFILIATED_LOCK_SUCCESS USER_LOGOUT
ChromeOS unlock success - CHROMEOS_AFFILIATED_UNLOCK_SUCCESS USER_LOGIN
ChromeOS unlock failure - CHROMEOS_AFFILIATED_LOGIN USER_LOGIN
ChromeOS USB device added - CHROMEOS_PERIPHERAL_ADDED USER_RESOURCE_ACCESS
ChromeOS USB device removed - CHROMEOS_PERIPHERAL_REMOVED USER_RESOURCE_DELETION
ChromeOS USB status change - CHROMEOS_PERIPHERAL_STATUS_UPDATED USER_RESOURCE_UPDATE_CONTENT
CHROMEOS_PERIPHERAL_STATUS_UPDATED - CHROMEOS_PERIPHERAL_STATUS_UPDATED USER_RESOURCE_UPDATE_CONTENT
Client Side Detection USER_UNCATEGORIZED
Content transfer SCAN_FILE
CONTENT_TRANSFER SCAN_FILE
contentTransferEvent SCAN_FILE
Content unscanned SCAN_UNCATEGORIZED
CONTENT_UNSCANNED SCAN_UNCATEGORIZED
dataAccessControlEvent USER_RESOURCE_ACCESS
dangerousDownloadEvent - Dangerous SCAN_FILE SOFTWARE_PUA
dangerousDownloadEvent - DANGEROUS_HOST SCAN_HOST
dangerousDownloadEvent - UNCOMMON SCAN_UNCATEGORIZED
dangerousDownloadEvent - POTENTIALLY_UNWANTED SCAN_UNCATEGORIZED SOFTWARE_PUA
dangerousDownloadEvent - UNKNOWN SCAN_UNCATEGORIZED
dangerousDownloadEvent - DANGEROUS_URL SCAN_UNCATEGORIZED
dangerousDownloadEvent - UNWANTED_SOFTWARE SCAN_FILE SOFTWARE_PUA
dangerousDownloadEvent - DANGEROUS_FILE_TYPE SCAN_FILE SOFTWARE_MALICIOUS
Desktop DLP Warnings USER_UNCATEGORIZED
DLP_EVENT USER_UNCATEGORIZED
interstitialEvent - Malware NETWORK_HTTP NETWORK_SUSPICIOUS
IOS/OSX Warnings SCAN_UNCATEGORIZED
Malware transfer - MALWARE_TRANSFER_DANGEROUS SCAN_FILE SOFTWARE_MALICIOUS
MALWARE_TRANSFER - MALWARE_TRANSFER_UNCOMMON SCAN_FILE SOFTWARE_MALICIOUS
MALWARE_TRANSFER - MALWARE_TRANSFER_DANGEROUS SCAN_FILE SOFTWARE_MALICIOUS
MALWARE_TRANSFER - MALWARE_TRANSFER_UNWANTED_SOFTWARE SCAN_FILE SOFTWARE_MALICIOUS
MALWARE_TRANSFER - MALWARE_TRANSFER_UNKNOWN SCAN_FILE SOFTWARE_MALICIOUS
MALWARE_TRANSFER - MALWARE_TRANSFER_DANGEROUS_HOST SCAN_FILE SOFTWARE_MALICIOUS
malwareTransferEvent - DANGEROUS SCAN_FILE SOFTWARE_MALICIOUS
malwareTransferEvent - UNSPECIFIED SCAN_FILE SOFTWARE_MALICIOUS
Password breach USER_RESOURCE_ACCESS
PASSWORD_BREACH USER_RESOURCE_ACCESS
passwordBreachEvent - PASSWORD_ENTRY USER_RESOURCE_ACCESS
Password changed USER_CHANGE_PASSWORD
PASSWORD_CHANGED USER_CHANGE_PASSWORD
passwordChangedEvent USER_CHANGE_PASSWORD
Password reuse - PASSWORD_REUSED_UNAUTHORIZED_SITE USER_RESOURCE_ACCESS POLICY_VIOLATION, AUTH_VIOLATION
Password reuse - PASSWORD_REUSED_PHISHING_URL USER_UNCATEGORIZED PHISHING
PASSWORD_REUSE - PASSWORD_REUSED_UNAUTHORIZED_SITE USER_RESOURCE_ACCESS POLICY_VIOLATION, AUTH_VIOLATION
passwordReuseEvent - Unauthorized site USER_RESOURCE_ACCESS POLICY_VIOLATION, AUTH_VIOLATION
passwordReuseEvent - PASSWORD_REUSED_PHISHING_URL USER_UNCATEGORIZED PHISHING
passwordReuseEvent - PASSWORD_REUSED_UNAUTHORIZED_SITE USER_RESOURCE_ACCESS POLICY_VIOLATION, AUTH_VIOLATION
Permissions Blacklisting RESOURCE_PERMISSIONS_CHANGE
Sensitive data transfer SCAN_FILE DATA_EXFILTRATION
SENSITIVE_DATA_TRANSFER SCAN_FILE DATA_EXFILTRATION
sensitiveDataEvent - [test_user_5] warn SCAN_FILE DATA_EXFILTRATION
sensitiveDataTransferEvent SCAN_FILE DATA_EXFILTRATION
Unsafe site visit - UNSAFE_SITE_VISIT_SSL_ERROR USER_RESOURCE_ACCESS NETWORK_SUSPICIOUS
UNSAFE_SITE_VISIT - UNSAFE_SITE_VISIT_MALWARE USER_RESOURCE_ACCESS SOFTWARE_MALICIOUS
UNSAFE_SITE_VISIT - UNSAFE_SITE_VISIT_UNWANTED_SOFTWARE USER_RESOURCE_ACCESS SOFTWARE_SUSPICIOUS
UNSAFE_SITE_VISIT - EVENT_REASON_UNSPECIFIED USER_RESOURCE_ACCESS
UNSAFE_SITE_VISIT - UNSAFE_SITE_VISIT_SOCIAL_ENGINEERING USER_RESOURCE_ACCESS SOCIAL_ENGINEERING
UNSAFE_SITE_VISIT - UNSAFE_SITE_VISIT_SSL_ERROR USER_RESOURCE_ACCESS NETWORK_SUSPICIOUS
unscannedFileEvent - FILE_PASSWORD_PROTECTED SCAN_FILE
unscannedFileEvent - FILE_TOO_LARGE SCAN_FILE
urlFilteringInterstitialEvent USER_RESOURCE_ACCESS POLICY_VIOLATION
extensionTelemetryEvent If the telemetry_event_signals.signal_name log field value is equal to the COOKIES_GET_ALL_INFO, COOKIES_GET_INFO, TABS_API_INFO, then the event_type set to USER_RESOURCE_ACCESS.

Else, if the telemetry_event_signals.signal_name log field value is equal to REMOTE_HOST_CONTACTED_INFO, then if the telemetry_event_signals.connection_protocol log field value is equal to HTTP_HTTPS, then the event_type is set to NETWORK_HTTP.

Else, the event_type UDM field is set to NETWORK_UNCATEGORIZED.
If the telemetry_event_signals.signal_name log field value is equal to REMOTE_HOST_CONTACTED_INFO, then the security category is set to NETWORK_SUSPICIOUS.

Else, if the telemetry_event_signals.signal_name log field value contain one of the following values, then the security category UDM field is set to SOFTWARE_SUSPICIOUS.
  • COOKIES_GET_INFO
  • COOKIES_GET_ALL_INFO

Field mapping reference: CHROME_MANAGEMENT

The following table lists the log fields of the CHROME_MANAGEMENT log type and their corresponding UDM fields.

Log field UDM mapping Logic
id.customerId about.resource.product_object_id
event_detail metadata.description
time metadata.event_timestamp
events.parameters.name [TIMESTAMP] metadata.event_timestamp
event metadata.product_event_type
events.name metadata.product_event_type
id.uniqueQualifier metadata.product_log_id
metadata.product_name The metadata.product_name UDM field is set to Chrome Management.
id.applicationName
metadata.vendor_name The metadata.vendor_name UDM field is set to GOOGLE.
user_agent network.http.user_agent
userAgent network.http.user_agent
events.parameters.name [USER_AGENT] network.http.user_agent
events.parameters.name [SESSION_ID] network.session_id
client_type principal.application
clientType principal.application
events.parameters.name [CLIENT_TYPE] principal.application
device_id principal.asset.product_object_id
deviceId principal.asset.product_object_id
events.parameters.name [DEVICE_ID] principal.asset.product_object_id
device_name principal.hostname
deviceName principal.hostname
events.parameters.name [DEVICE_NAME] principal.hostname
os_plarform principal.platform The principal.platform UDM field is set to one of the following values:
  • LINUX if the os_plarform log field value is matched with regular expression pattern linux.
  • MAC if the os_plarform log field value is matched with regular expression pattern mac.
  • WINDOWS if the os_plarform log field value is matched with regular expression pattern windows.
  • CHROME_OS if the os_plarform log field value is matched with regular expression pattern chromeos.

Else, if the os_plarform log field value is not empty and osVersion log field value is not empty, then the os_plarform osVersion log field is mapped to the principal.platform_version UDM field.
os_plarform principal.asset.platform_software.platform The principal.asset.platform_software.platform UDM field is set to one of the following values:
  • LINUX if the os_plarform log field value is matched with regular expression pattern linux.
  • MAC if the os_plarform log field value is matched with regular expression pattern mac.
  • WINDOWS if the os_plarform log field value is matched with regular expression pattern windows.
  • CHROME_OS if the os_plarform log field value is matched with regular expression pattern chromeos.
os_platform principal.platform The principal.platform UDM field is set to one of the following values:
  • LINUX if the os_platform log field value is matched with regular expression pattern linux.
  • MAC if the os_platform log field value is matched with regular expression pattern mac.
  • WINDOWS if the os_platform log field value is matched with regular expression pattern windows.
  • CHROME_OS if the os_platform log field value is matched with regular expression pattern chromeos.

Else, if the os_platform log field value is not empty and osVersion log field value is not empty, then the os_platform osVersion log field is mapped to the principal.platform_version UDM field.
os_platform principal.asset.platform_software.platform The principal.asset.platform_software.platform UDM field is set to one of the following values:
  • LINUX if the os_platform log field value is matched with regular expression pattern linux.
  • MAC if the os_platform log field value is matched with regular expression pattern mac.
  • WINDOWS if the os_platform log field value is matched with regular expression pattern windows.
  • CHROME_OS if the os_platform log field value is matched with regular expression pattern chromeos.
osPlatform principal.platform The principal.platform UDM field is set to one of the following values:
  • LINUX if the osPlatform log field value is matched with regular expression pattern linux.
  • MAC if the osPlatform log field value is matched with regular expression pattern mac.
  • WINDOWS if the osPlatform log field value is matched with regular expression pattern windows.
  • CHROME_OS if the osPlatform log field value is matched with regular expression pattern chromeos.

Else, if the osPlatform log field value is not empty and osVersion log field value is not empty, then the osPlatform osVersion log field is mapped to the principal.platform_version UDM field.
osPlatform principal.asset.platform_software.platform The principal.asset.platform_software.platform UDM field is set to one of the following values:
  • LINUX if the osPlatform log field value is matched with regular expression pattern linux.
  • MAC if the osPlatform log field value is matched with regular expression pattern mac.
  • WINDOWS if the osPlatform log field value is matched with regular expression pattern windows.
  • CHROME_OS if the osPlatform log field value is matched with regular expression pattern chromeos.
events.parameters.name [DEVICE_PLATFORM] principal.platform The os_platform and os_version is extracted from the events.parameters.name [DEVICE_PLATFORM] log field using Grok pattern.
The principal.platform UDM field is set to one of the following values:
  • LINUX if the os_platform log field value is matched with regular expression pattern linux.
  • MAC if the os_platform log field value is matched with regular expression pattern mac.
  • WINDOWS if the os_platform log field value is matched with regular expression pattern windows.
  • CHROME_OS if the os_platform log field value is matched with regular expression pattern chromeos.

Else, if the os_platform log field value is not empty and osVersion log field value is not empty, then the os_platform osVersion log field is mapped to the principal.platform_version UDM field.
events.parameters.name [DEVICE_PLATFORM] principal.asset.platform_software.platform The os_platform is extracted from the events.parameters.name [DEVICE_PLATFORM] log field using Grok pattern.
The principal.asset.platform_software.platform UDM field is set to one of the following values:
  • LINUX if the os_platform log field value is matched with regular expression pattern linux.
  • MAC if the os_platform log field value is matched with regular expression pattern mac.
  • WINDOWS if the os_platform log field value is matched with regular expression pattern windows.
  • CHROME_OS if the os_platform log field value is matched with regular expression pattern chromeos.
os_version principal.platform_version
osVersion principal.platform_version
events.parameters.name [DEVICE_PLATFORM] principal.platform_version The Version is extracted from the events.parameters.name [DEVICE_PLATFORM] log field using Grok pattern.
device_id principal.resource.id
deviceId principal.resource.id
events.parameters.name [DEVICE_ID] principal.resource.id
directory_device_id principal.resource.product_object_id
events.parameters.name [DIRECTORY_DEVICE_ID] principal.resource.product_object_id
principal.resource.resource_subtype If the event log field value is equal to CHROMEOS_PERIPHERAL_STATUS_UPDATED, then the principal.resource.resource_subtype UDM field is set to USB.

Else, if the events.name log field value is equal to CHROMEOS_PERIPHERAL_STATUS_UPDATED, then the principal.resource.resource_subtype UDM field is set to USB.
principal.resource.resource_type If the device_id log field value is not empty, then the principal.resource.resource_type UDM field is set to DEVICE.
actor.email principal.user.email_addresses
actor.profileId principal.user.userid
result security_result.action_details
events.parameters.name [EVENT_RESULT] security_result.action_details
event_result security_result.action_details
security_result.action The security_result.action UDM field is set to one of the following values:
  • ALLOW if the result or events.parameters.name [EVENT_RESULT] log field value is matched with regular expression pattern ALLOWED.
  • BLOCK if the result or events.parameters.name [EVENT_RESULT] log field value is matched with regular expression pattern BLOCKED.
reason security_result.category_details
events.parameters.name [EVENT_REASON] security_result.category_details
events.parameters.name [EVENT_REASON] security_result.summary
events.parameters.name [LOGIN_FAILURE_REASON] security_result.description
events.parameters.name [REMOVE_USER_REASON] security_result.description If the events.name log field value is equal to CHROME_OS_REMOVE_USER, then the events.parameters.namethe REMOVE_USER_REASON log field value log field is mapped to the security_result.description UDM field.
triggered_rules security_result.rule_name
events.type security_result.category_details
events.parameters.name [PRODUCT_NAME] target.application If the events.name log field value contains one of the following values, then the events.parameters.name [PRODUCT_NAME] log field is mapped to the target.resource.name UDM field:
  • ChromeOS USB device added
  • ChromeOS USB device removed
  • ChromeOS USB status change
  • CHROMEOS_PERIPHERAL_STATUS_UPDATED
content_name target.file.full_path
contentName target.file.full_path
events.parameters.name [CONTENT_NAME] target.file.full_path
content_type target.file.mime_type
contentType target.file.mime_type
events.parameters.name [CONTENT_TYPE] target.file.mime_type
content_hash target.file.sha256
events.parameters.name [CONTENT_HASH] target.file.sha256
content_size target.file.size
contentSize target.file.size
events.parameters.name [CONTENT_SIZE] target.file.size
target.file.file_type The fileType is extracted from the content_name log field usign Grok pattern, Then target.file.file_type UDM field is set to one of the following values:
  • FILE_TYPE_ZIP if the fileType value is equal to zip.
  • FILE_TYPE_DOS_EXE if the fileType value is equal to exe.
  • FILE_TYPE_PDF if the fileType value is equal to pdf.
  • FILE_TYPE_XLSX if the fileType value is equal to xlsx.
extension_id target.resource.product_object_id
events.parameters.name [APP_ID] target.resource.product_object_id
extension_name target.resource.name If the event log field value is equal to badNavigationEvent or the events.name log field value is equal to badNavigationEvent, then the extension_name log field is mapped to the target.resource.name UDM field.
telemetry_event_signals.signal_name target.resource.name If the event log field value is equal to extensionTelemetryEvent, then the telemetry_event_signals.signal_name log field is mapped to the target.resource.name UDM field.
events.parameters.name [APP_NAME] target.resource.name
url target.url
events.parameters.name [URL] target.url
telemetry_event_signals.url target.url If the telemetry_event_signals.url log field value matches the regular expression pattern the [http:\/\/ or https:\/\/].*, then the telemetry_event_signals.url log field is mapped to the target.url UDM field.
device_user target.user.userid
deviceUser principal.user.userid If the event log field value is equal to passwordChangedEvent, then the deviceUser log field is mapped to the principal.user.userid UDM field.

Else, the deviceUser log field is mapped to the principal.user.user_display_name UDM field.
events.parameters.name [DEVICE_USER] If the event log field value is equal to passwordChangedEvent, then the events.parameters.name [DEVICE_USER] log field is mapped to the principal.user.userid UDM field.

Else, the events.parameters.name [DEVICE_USER] log field is mapped to the principal.user.user_display_name UDM field.
scan_id about.labels [scan_id]
events.parameters.name [CONNECTION_TYPE] about.labels [connection_type]
etag about.labels [etag]
kind about.labels [kind]
actor.key principal.user.attribute.labels [actor_key]
actor.callerType principal.user.attribute.labels [actor_callerType]
events.parameters.name [EVIDENCE_LOCKER_FILEPATH] security_result.about.labels [evidence_locker_filepath]
federated_origin security_result.about.labels [federated_origin]
is_federated security_result.about.labels [is_federated]
destination security_result.about.labels [trigger_destination]
events.parameters.name [TRIGGER_DESTINATION] security_result.about.labels [trigger_destination]
source security_result.about.labels [trigger_source]
events.parameters.name [TRIGGER_SOURCE] security_result.about.labels [trigger_source]
trigger_type security_result.about.labels [trigger_type]
trigger_type additional.fields [trigger_type]
triggerType security_result.about.labels [trigger_type]
triggerType additional.fields [trigger_type]
events.parameters.name [TRIGGER_TYPE] security_result.about.labels [trigger_type]
trigger_user security_result.about.labels [trigger_user]
events.parameters.name [TRIGGER_USER] security_result.about.labels [trigger_user]
events.parameters.name [MALWARE_CATEGORY] security_result.threat_name
events.parameters.name [MALWARE_FAMILY] security_result.detection_fields [malware_family]
events.parameters.name [VENDOR_ID] src.labels [vendor_id]
events.parameters.name [VENDOR_NAME] src.labels [vendor_name]
events.parameters.name [VIRTUAL_DEVICE_ID] src.labels [virtual_device_id]
events.parameters.name [VIRTUAL_DEVICE_ID] additional.fields [virtual_device_id]
events.parameters.name [NEW_BOOT_MODE] target.asset.attribute.labels [new_boot_mode]
events.parameters.name [PREVIOUS_BOOT_MODE] target.asset.attribute.labels [previous_boot_mode]
id.time target.asset.attribute.labels [timestamp]
events.parameters.name [PRODUCT_ID] target.labels [product_id] If the events.name log field value contains one of the following values, then the events.parameters.name [PRODUCT_ID] log field is mapped to the target.resource.product_object_id UDM field:
  • CHROMEOS_PERIPHERAL_ADDED
  • CHROMEOS_PERIPHERAL_REMOVED
  • CHROMEOS_PERIPHERAL_STATUS_UPDATED


Else, the events.parameters.name [PRODUCT_ID] log field is mapped to the target.labels UDM field.
extensions.auth.mechanism If the events.name log field value contains one of the following values, then the extensions.auth.mechanism UDM field is set to USERNAME_PASSWORD:
  • CHROME_OS_LOGIN_EVENT
  • loginEvent
  • CHROME_OS_LOGIN_FAILURE_EVENT
  • CHROMEOS_AFFILIATED_UNLOCK_SUCCESS
  • CHROME_OS_CRD_CLIENT_CONNECTED
  • CHROME_OS_LOGOUT_EVENT
  • CHROMEOS_AFFILIATED_LOCK_SUCCESS
events.parameters.name [UNLOCK_TYPE] target.labels [unlock_type]
extension_description target.resource.attribute.labels [extension_description]
extension_action target.resource.attribute.labels [extension_action]
extension_version target.resource.attribute.labels [extension_version] If the event log field value is not equal to extensionTelemetryEvent, then the extension_version log field is mapped to the target.resource.attribute.labels[extension_version] UDM field.
extension_source target.resource.attribute.labels[extension_source] If the event log field value is not equal to extensionTelemetryEvent, then the extension_source log field is mapped to the target.resource.attribute.labels[extension_source] UDM field.
browser_version target.resource.attributes.labels [browser_version]
browserVersion target.resource.attributes.labels [browser_version]
events.parameters.name [BROWSER_VERSION] target.resource.attributes.labels [browser_version]
profile_user target.user.email_addresses If the event log field value contain one of the following values and the profile_user log field value matches the regular expression pattern ^.+@.+$, then the profile_user log field is mapped to the target.user.email_addresses UDM field.
  • CHROME_OS_LOGIN_EVENT
  • loginEvent
  • CHROME_OS_LOGIN_FAILURE_EVENT
  • CHROMEOS_AFFILIATED_UNLOCK_SUCCESS
  • CHROME_OS_CRD_CLIENT_CONNECTED
  • CHROME_OS_LOGOUT_EVENT
  • CHROMEOS_AFFILIATED_LOCK_SUCCESS
.
profile_user principal.user.email_addresses If the event log field value does not contain one of the following values and the profile_user log field value matches the regular expression pattern ^.+@.+$ and the actor.email log field value is not equal to the profile_user, then the profile_user log field is mapped to the principal.user.email_addresses UDM field.
  • CHROME_OS_LOGIN_EVENT
  • loginEvent
  • CHROME_OS_LOGIN_FAILURE_EVENT
  • CHROMEOS_AFFILIATED_UNLOCK_SUCCESS
  • CHROME_OS_CRD_CLIENT_CONNECTED
  • CHROME_OS_LOGOUT_EVENT
  • CHROMEOS_AFFILIATED_LOCK_SUCCESS
.
profile_user target.user.attribute.labels[profile_user_name] If the event log field value contain one of the following values and the profile_user log field value does not match the regular expression pattern ^.+@.+$, then the profile_user log field is mapped to the target.user.attribute.labels.profile_user_name UDM field.
  • CHROME_OS_LOGIN_EVENT
  • loginEvent
  • CHROME_OS_LOGIN_FAILURE_EVENT
  • CHROMEOS_AFFILIATED_UNLOCK_SUCCESS
  • CHROME_OS_CRD_CLIENT_CONNECTED
  • CHROME_OS_LOGOUT_EVENT
  • CHROMEOS_AFFILIATED_LOCK_SUCCESS
.
profile_user principal.user.attribute.labels[profile_user_name] If the event log field value does not contain one of the following values and the profile_user log field value does not match the regular expression pattern ^.+@.+$ or the actor.email log field value is equal to the profile_user, then the profile_user log field is mapped to the principal.user.attribute.labels.profile_user_name UDM field.
  • CHROME_OS_LOGIN_EVENT
  • loginEvent
  • CHROME_OS_LOGIN_FAILURE_EVENT
  • CHROMEOS_AFFILIATED_UNLOCK_SUCCESS
  • CHROME_OS_CRD_CLIENT_CONNECTED
  • CHROME_OS_LOGOUT_EVENT
  • CHROMEOS_AFFILIATED_LOCK_SUCCESS
.
events.parameters.name [PROFILE_USER_NAME] target.user.email_addresses If the event log field value contain one of the following values and the events.parameters.name [PROFILE_USER_NAME] log field value matches the regular expression pattern ^.+@.+$, then the events.parameters.name [PROFILE_USER_NAME] log field is mapped to the target.user.email_addresses UDM field.
  • CHROME_OS_LOGIN_EVENT
  • loginEvent
  • CHROME_OS_LOGIN_FAILURE_EVENT
  • CHROMEOS_AFFILIATED_UNLOCK_SUCCESS
  • CHROME_OS_CRD_CLIENT_CONNECTED
  • CHROME_OS_LOGOUT_EVENT
  • CHROMEOS_AFFILIATED_LOCK_SUCCESS
.
events.parameters.name [PROFILE_USER_NAME] principal.user.email_addresses If the event log field value does not contain one of the following values and the events.parameters.name [PROFILE_USER_NAME] log field value matches the regular expression pattern ^.+@.+$ and the actor.email log field value is not equal to the events.parameters.name [PROFILE_USER_NAME], then the events.parameters.name [PROFILE_USER_NAME] log field is mapped to the principal.user.email_addresses UDM field.
  • CHROME_OS_LOGIN_EVENT
  • loginEvent
  • CHROME_OS_LOGIN_FAILURE_EVENT
  • CHROMEOS_AFFILIATED_UNLOCK_SUCCESS
  • CHROME_OS_CRD_CLIENT_CONNECTED
  • CHROME_OS_LOGOUT_EVENT
  • CHROMEOS_AFFILIATED_LOCK_SUCCESS
.
events.parameters.name [PROFILE_USER_NAME] target.user.attribute.labels[profile_user_name] If the event log field value contain one of the following values and the events.parameters.name [PROFILE_USER_NAME] log field value does not match the regular expression pattern ^.+@.+$, then the events.parameters.name [PROFILE_USER_NAME] log field is mapped to the target.user.attribute.labels.profile_user_name UDM field.
  • CHROME_OS_LOGIN_EVENT
  • loginEvent
  • CHROME_OS_LOGIN_FAILURE_EVENT
  • CHROMEOS_AFFILIATED_UNLOCK_SUCCESS
  • CHROME_OS_CRD_CLIENT_CONNECTED
  • CHROME_OS_LOGOUT_EVENT
  • CHROMEOS_AFFILIATED_LOCK_SUCCESS
.
events.parameters.name [PROFILE_USER_NAME] principal.user.attribute.labels[profile_user_name] If the event log field value does not contain one of the following values and the events.parameters.name [PROFILE_USER_NAME] log field value does not match the regular expression pattern ^.+@.+$ or the actor.email log field value is equal to the events.parameters.name [PROFILE_USER_NAME], then the events.parameters.name [PROFILE_USER_NAME] log field is mapped to the principal.user.attribute.labels.profile_user_name UDM field.
  • CHROME_OS_LOGIN_EVENT
  • loginEvent
  • CHROME_OS_LOGIN_FAILURE_EVENT
  • CHROMEOS_AFFILIATED_UNLOCK_SUCCESS
  • CHROME_OS_CRD_CLIENT_CONNECTED
  • CHROME_OS_LOGOUT_EVENT
  • CHROMEOS_AFFILIATED_LOCK_SUCCESS
.
target.resource.resource_type If the events.name log field value is equal to DEVICE_BOOT_STATE_CHANGE, then the target.resource.resource_type UDM field is set to SETTING.
url_category target.labels [url_category]
browser_channel target.resource.attribute.labels [browser_channel]
report_id target.labels [report_id]
clickedThrough target.labels [clickedThrough]
threat_type security_result.detection_fields [threatType]
triggered_rule_info.action security_result.action If the triggered_rule_info.action log field value contains one of the following values, then the triggered_rule_info.action log field is mapped to the security_result.action UDM field:
  • ALLOW
  • ALLOW_WITH_MODIFICATION
  • BLOCK
  • CHALLENGE
  • FAIL
  • QUARANTINE
  • UNKNOWN_ACTION

Else, the triggered_rule_info.action log field is mapped to the security_result.rule_labels [triggeredRuleInfo_action] UDM field.
triggered_rule_info.rule_id security_result.rule_id
triggered_rule_info.rule_name security_result.rule_name
triggered_rule_info.url_category security_result.category_details
transfer_method additional.fields [transfer_method]
extension_name target.resource_ancestors.name If the event log field value is equal to extensionTelemetryEvent, then the extension_name log field is mapped to the target.resource_ancestors.name UDM field.
extension_id target.resource_ancestors.product_object_id If the event log field value is equal to extensionTelemetryEvent, then the extension_id log field is mapped to the target.resource_ancestors.product_object_id UDM field.
extension_version target.resource_ancestors.attribute.labels[extension_version] If the event log field value is equal to extensionTelemetryEvent, then the extension_version log field is mapped to the target.resource_ancestors.attribute.labels[extension_version] UDM field.
extension_source target.resource_ancestors.attribute.labels[extension_source] If the event log field value is equal to extensionTelemetryEvent, then the extension_source log field is mapped to the target.resource_ancestors.attribute.labels[extension_source] UDM field.
profile_identifier additional.fields[profile_identifier]
extension_files_info.file_name target.resource_ancestors.file.names
extension_files_info.file_hash.hash target.resource_ancestors.attribute.labels[file_hash]
telemetry_event_signals.count target.resource.attribute.labels[count]
telemetry_event_signals.tabs_api_method target.resource.attribute.labels[tabs_api_method]
target.hostname If the telemetry_event_signals.url log field value does not match the regular expression pattern the [http:\/\/ or https:\/\/].*, then the telemetry_event_signals.url log field is mapped to the target.hostname UDM field.
telemetry_event_signals.destination target.resource.attribute.labels[destination]
telemetry_event_signals.source target.resource.attribute.labels[source]
telemetry_event_signals.domain target.domain.name
telemetry_event_signals.cookie_name target.resource.attribute.labels[cookie_name]
telemetry_event_signals.cookie_path target.resource.attribute.labels[cookie_path]
telemetry_event_signals.cookie_is_secure target.resource.attribute.labels[cookie_is_secure]
telemetry_event_signals.cookie_store_id target.resource.attribute.labels[cookie_store_id]
telemetry_event_signals.cookie_is_session target.resource.attribute.labels[cookie_is_session]
telemetry_event_signals.connection_protocol network.application_protocol If the telemetry_event_signals.connection_protocol log field value is equal to HTTP_HTTPS, then the network.application_protocol UDM field is set to HTTP

Else, If the telemetry_event_signals.connection_protocol log field value is equal to UNSPECIFIED, then the network.application_protocol UDM field is set to UNKNOWN_APPLICATION_PROTOCOL

Else, the telemetry_event_signals.connection_protocol log field is mapped to the target.resource.attribute.labels UDM field.
telemetry_event_signals.contacted_by target.resource.attribute.labels[contacted_by]

What's next

For Community blogs on Chrome logs, see: