收集 Google Chrome 日志
本文档介绍了如何通过设置 Google Security Operations Feed 来收集 Chrome 日志,以及日志字段如何映射到 Chrome 统一数据模型 (UDM) 字段。
如需了解详情,请参阅将数据注入到 Google SecOps。
概览
典型的部署包括配置为将日志发送到 Google SecOps 的 ChromeOS 和 Chrome 浏览器。每个客户部署可能有所不同,并且可能更复杂。 Deployment 包含以下组件:
Chrome:您要收集的 ChromeOS 设备日志。
Google Workspace:供您收集日志的 Google Workspace 平台。
Google SecOps Feed:从 Google Workspace 提取日志并将日志写入 Google SecOps 的 Google SecOps Feed。
Google SecOps:保留和分析 Chrome 日志。
提取标签用于标识将原始日志数据标准化为结构化 UDM 格式的解析器。
本文档中的信息适用于具有 CHROME_MANAGEMENT
提取标签的解析器。
准备工作
确保您使用的是 Google Workspace 商务标准版。
确保您拥有 Google Workspace 管理员账号。
确保已配置部署架构中的所有系统 (采用 UTC 时区)。
如果您创建了冒充服务账号的用户,请使用管理控制台向这些用户授予以下权限:
- 权限 >报告
- 权限 >服务 >提醒中心 >完整访问权限 >查看权限
- 权限 > 服务 > 移动设备管理 > 管理设备和设置
- 权限 >服务 >Chrome 管理 >设置
- Admin API >权限 >用户 >已读
- Admin API >权限 >群组 >已读
设置 Chrome 浏览器云管理
以下是设置 Chrome 浏览器云管理的概要步骤:
请按照以下步骤设置 Chrome 浏览器云管理。
在管理控制台中,点击菜单 >设备 >Chrome >受管理的浏览器。
可选:选择顶级组织或选择组织 您希望生成相应令牌,用于将浏览器直接注册到该单元, 特定组织部门如需更多信息 请参阅添加组织部门。
点击注册。如果这是您第一次注册浏览器,系统会提示您接受《Chrome 浏览器云管理 (CBCM) 服务条款》。
点击将注册令牌复制到剪贴板。
如需注册通过云管理的 Chrome 浏览器,请点击完成。
在管理控制台中,依次选择菜单 > 设备 > Chrome > 设置 > 用户和浏览器。 选择您的顶级组织部门,以便所有下级组织都继承该政策。向下滚动到浏览器报告。
将受管理的浏览器报告设置为启用受管理的浏览器云报告功能。
如需启用 Chrome 浏览器报告功能,请点击保存。
在管理控制台中,依次点击菜单 > 设备 > Chrome > 连接器。
可选:如果您要配置 Chrome 企业版接口设置 ,请按照提示开启 Chrome 企业版接口。
点击顶部的 + 添加新提供商的配置。
在右侧显示的面板中,找到 Google SecOps 设置,然后点击设置。
输入配置 ID 和 API 密钥。
配置 ID:用户和浏览器设置页面和连接器页面上显示的 ID。
API 密钥:在调用 Google SecOps Injection API 时用于指定客户的 API 密钥。
如需添加新的提供商配置,请点击添加配置。
支持的日志类型和数据模型
以下是 Chrome 管理支持的日志类型和事件。 所有受支持的日志类型和事件均采用 JSON 格式。
日志类型 | 事件类型 |
---|---|
恶意活动 |
|
审核活动 |
|
数据保护 |
|
Chrome 操作系统 |
|
字段映射参考文档
本部分介绍 Google SecOps 解析器如何将 Chrome 日志字段映射到数据集的 Google SecOps 统一数据模型 (UDM) 字段。
字段映射参考文档:事件标识符到事件类型
下表列出了 CHROME_MANAGEMENT
日志类型及其对应的 UDM 事件类型。
Event Identifier | Event Type | Security Category |
---|---|---|
badNavigationEvent - SOCIAL_ENGINEERING |
USER_RESOURCE_ACCESS |
SOCIAL_ENGINEERING |
badNavigationEvent - SSL_ERROR |
USER_RESOURCE_ACCESS |
NETWORK_SUSPICIOUS |
badNavigationEvent - MALWARE |
USER_RESOURCE_ACCESS |
SOFTWARE_MALICIOUS |
badNavigationEvent - UNWANTED_SOFTWARE |
USER_RESOURCE_ACCESS |
SOFTWARE_PUA |
badNavigationEvent - THREAT_TYPE_UNSPECIFIED |
USER_RESOURCE_ACCESS |
SOFTWARE_MALICIOUS |
browserCrashEvent |
STATUS_UPDATE |
|
browserExtensionInstallEvent |
USER_RESOURCE_UPDATE_CONTENT |
|
Extension install - BROWSER_EXTENSION_INSTALL |
USER_RESOURCE_UPDATE_CONTENT |
|
EXTENSION_REQUEST |
USER_UNCATEGORIZED |
|
CHROME_OS_ADD_USER - CHROMEOS_AFFILIATED_USER_ADDED |
USER_CREATION |
|
CHROME_OS_ADD_USER - CHROMEOS_UNAFFILIATED_USER_ADDED |
USER_CREATION |
|
ChromeOS user added - CHROMEOS_UNAFFILIATED_USER_ADDED |
USER_CREATION |
|
ChromeOS user removed - CHROMEOS_UNAFFILIATED_USER_REMOVED |
USER_DELETION |
|
CHROME_OS_REMOVE_USER - CHROMEOS_AFFILIATED_USER_REMOVED |
USER_DELETION |
|
CHROME_OS_REMOVE_USER - CHROMEOS_UNAFFILIATED_USER_REMOVED |
USER_DELETION |
|
Login events |
USER_LOGIN |
|
LOGIN_EVENT - CHROMEOS_UNAFFILIATED_LOGIN |
USER_LOGIN |
|
loginEvent |
USER_LOGIN |
|
ChromeOS login success |
USER_LOGIN |
|
CHROME_OS_LOGIN_EVENT - CHROMEOS_AFFILIATED_LOGIN |
USER_LOGIN |
|
CHROME_OS_LOGIN_EVENT - CHROMEOS_UNAFFILIATED_LOGIN |
USER_LOGIN |
|
CHROME_OS_LOGIN_EVENT - CHROMEOS_GUEST_LOGIN |
USER_LOGIN |
|
CHROME_OS_LOGIN_EVENT - CHROMEOS_KIOSK_SESSION_LOGIN |
USER_LOGIN |
|
CHROME_OS_LOGIN_EVENT - CHROMEOS_GUEST_SESSION_LOGIN |
USER_LOGIN |
|
CHROME_OS_LOGIN_EVENT - CHROMEOS_MANAGED_GUEST_SESSION_LOGIN |
USER_LOGIN |
|
ChromeOS login failure - CHROMEOS_AFFILIATED_LOGIN |
USER_LOGIN |
|
CHROME_OS_LOGIN_FAILURE_EVENT - CHROMEOS_AFFILIATED_LOGIN |
USER_LOGIN |
|
CHROME_OS_LOGIN_FAILURE_EVENT - CHROMEOS_UNAFFILIATED_LOGIN |
USER_LOGIN |
|
CHROME_OS_LOGIN_LOGOUT_EVENT - CHROMEOS_AFFILIATED_LOGIN |
USER_LOGIN |
|
CHROME_OS_LOGOUT_EVENT - CHROMEOS_AFFILIATED_LOGOUT |
USER_LOGOUT |
|
CHROME_OS_LOGOUT_EVENT - CHROMEOS_GUEST_LOGOUT |
USER_LOGOUT |
|
CHROME_OS_LOGOUT_EVENT - CHROMEOS_MANAGED_GUEST_SESSION_LOGOUT |
USER_LOGOUT |
|
CHROME_OS_LOGOUT_EVENT - CHROMEOS_UNAFFILIATED_LOGOUT |
USER_LOGOUT |
|
CHROME_OS_LOGOUT_EVENT - CHROMEOS_KIOSK_SESSION_LOGOUT |
USER_LOGOUT |
|
CHROME_OS_LOGOUT_EVENT - CHROMEOS_GUEST_SESSION_LOGOUT |
USER_LOGOUT |
|
ChromeOS logout - CHROMEOS_AFFILIATED_LOGOUT |
USER_LOGOUT |
|
CHROME_OS_REPORTING_DATA_LOST |
STATUS_UPDATE |
|
ChromeOS CRD client connected - CHROMEOS_CRD_CLIENT_CONNECTED |
USER_LOGIN |
|
ChromeOS CRD client disconnected |
USER_LOGOUT |
|
CHROME_OS_CRD_HOST_STARTED - CHROMEOS_CRD_HOST_STARTED |
STATUS_STARTUP |
|
ChromeOS CRD host started - CHROMEOS_CRD_HOST_STARTED |
STATUS_STARTUP |
|
ChromeOS CRD host stopped - CHROMEOS_CRD_HOST_ENDED |
STATUS_STARTUP |
|
ChromeOS device boot state change - CHROME_OS_VERIFIED_MODE |
SETTING_MODIFICATION |
|
ChromeOS device boot state change - CHROME_OS_DEV_MODE |
SETTING_MODIFICATION |
|
DEVICE_BOOT_STATE_CHANGE - CHROME_OS_VERIFIED_MODE |
SETTING_MODIFICATION |
|
ChromeOS lock success - CHROMEOS_AFFILIATED_LOCK_SUCCESS |
USER_LOGOUT |
|
ChromeOS unlock success - CHROMEOS_AFFILIATED_UNLOCK_SUCCESS |
USER_LOGIN |
|
ChromeOS unlock failure - CHROMEOS_AFFILIATED_LOGIN |
USER_LOGIN |
|
ChromeOS USB device added - CHROMEOS_PERIPHERAL_ADDED |
USER_RESOURCE_ACCESS |
|
ChromeOS USB device removed - CHROMEOS_PERIPHERAL_REMOVED |
USER_RESOURCE_DELETION |
|
ChromeOS USB status change - CHROMEOS_PERIPHERAL_STATUS_UPDATED |
USER_RESOURCE_UPDATE_CONTENT |
|
CHROMEOS_PERIPHERAL_STATUS_UPDATED - CHROMEOS_PERIPHERAL_STATUS_UPDATED |
USER_RESOURCE_UPDATE_CONTENT |
|
Client Side Detection |
USER_UNCATEGORIZED |
|
Content transfer |
SCAN_FILE |
|
CONTENT_TRANSFER |
SCAN_FILE |
|
contentTransferEvent |
SCAN_FILE |
|
Content unscanned |
SCAN_UNCATEGORIZED |
|
CONTENT_UNSCANNED |
SCAN_UNCATEGORIZED |
|
dataAccessControlEvent |
USER_RESOURCE_ACCESS |
|
dangerousDownloadEvent - Dangerous |
SCAN_FILE |
SOFTWARE_PUA |
dangerousDownloadEvent - DANGEROUS_HOST |
SCAN_HOST |
|
dangerousDownloadEvent - UNCOMMON |
SCAN_UNCATEGORIZED |
|
dangerousDownloadEvent - POTENTIALLY_UNWANTED |
SCAN_UNCATEGORIZED |
SOFTWARE_PUA |
dangerousDownloadEvent - UNKNOWN |
SCAN_UNCATEGORIZED |
|
dangerousDownloadEvent - DANGEROUS_URL |
SCAN_UNCATEGORIZED |
|
dangerousDownloadEvent - UNWANTED_SOFTWARE |
SCAN_FILE |
SOFTWARE_PUA |
dangerousDownloadEvent - DANGEROUS_FILE_TYPE |
SCAN_FILE |
SOFTWARE_MALICIOUS |
Desktop DLP Warnings |
USER_UNCATEGORIZED |
|
DLP_EVENT |
USER_UNCATEGORIZED |
|
interstitialEvent - Malware |
NETWORK_HTTP |
NETWORK_SUSPICIOUS |
IOS/OSX Warnings |
SCAN_UNCATEGORIZED |
|
Malware transfer - MALWARE_TRANSFER_DANGEROUS |
SCAN_FILE |
SOFTWARE_MALICIOUS |
MALWARE_TRANSFER - MALWARE_TRANSFER_UNCOMMON |
SCAN_FILE |
SOFTWARE_MALICIOUS |
MALWARE_TRANSFER - MALWARE_TRANSFER_DANGEROUS |
SCAN_FILE |
SOFTWARE_MALICIOUS |
MALWARE_TRANSFER - MALWARE_TRANSFER_UNWANTED_SOFTWARE |
SCAN_FILE |
SOFTWARE_MALICIOUS |
MALWARE_TRANSFER - MALWARE_TRANSFER_UNKNOWN |
SCAN_FILE |
SOFTWARE_MALICIOUS |
MALWARE_TRANSFER - MALWARE_TRANSFER_DANGEROUS_HOST |
SCAN_FILE |
SOFTWARE_MALICIOUS |
malwareTransferEvent - DANGEROUS |
SCAN_FILE |
SOFTWARE_MALICIOUS |
malwareTransferEvent - UNSPECIFIED |
SCAN_FILE |
SOFTWARE_MALICIOUS |
Password breach |
USER_RESOURCE_ACCESS |
|
PASSWORD_BREACH |
USER_RESOURCE_ACCESS |
|
passwordBreachEvent - PASSWORD_ENTRY |
USER_RESOURCE_ACCESS |
|
Password changed |
USER_CHANGE_PASSWORD |
|
PASSWORD_CHANGED |
USER_CHANGE_PASSWORD |
|
passwordChangedEvent |
USER_CHANGE_PASSWORD |
|
Password reuse - PASSWORD_REUSED_UNAUTHORIZED_SITE |
USER_RESOURCE_ACCESS |
POLICY_VIOLATION, AUTH_VIOLATION |
Password reuse - PASSWORD_REUSED_PHISHING_URL |
USER_UNCATEGORIZED |
PHISHING |
PASSWORD_REUSE - PASSWORD_REUSED_UNAUTHORIZED_SITE |
USER_RESOURCE_ACCESS |
POLICY_VIOLATION, AUTH_VIOLATION |
passwordReuseEvent - Unauthorized site |
USER_RESOURCE_ACCESS |
POLICY_VIOLATION, AUTH_VIOLATION |
passwordReuseEvent - PASSWORD_REUSED_PHISHING_URL |
USER_UNCATEGORIZED |
PHISHING |
passwordReuseEvent - PASSWORD_REUSED_UNAUTHORIZED_SITE |
USER_RESOURCE_ACCESS |
POLICY_VIOLATION, AUTH_VIOLATION |
Permissions Blacklisting |
RESOURCE_PERMISSIONS_CHANGE |
|
Sensitive data transfer |
SCAN_FILE |
DATA_EXFILTRATION |
SENSITIVE_DATA_TRANSFER |
SCAN_FILE |
DATA_EXFILTRATION |
sensitiveDataEvent - [test_user_5] warn |
SCAN_FILE |
DATA_EXFILTRATION |
sensitiveDataTransferEvent |
SCAN_FILE |
DATA_EXFILTRATION |
Unsafe site visit - UNSAFE_SITE_VISIT_SSL_ERROR |
USER_RESOURCE_ACCESS |
NETWORK_SUSPICIOUS |
UNSAFE_SITE_VISIT - UNSAFE_SITE_VISIT_MALWARE |
USER_RESOURCE_ACCESS |
SOFTWARE_MALICIOUS |
UNSAFE_SITE_VISIT - UNSAFE_SITE_VISIT_UNWANTED_SOFTWARE |
USER_RESOURCE_ACCESS |
SOFTWARE_SUSPICIOUS |
UNSAFE_SITE_VISIT - EVENT_REASON_UNSPECIFIED |
USER_RESOURCE_ACCESS |
|
UNSAFE_SITE_VISIT - UNSAFE_SITE_VISIT_SOCIAL_ENGINEERING |
USER_RESOURCE_ACCESS |
SOCIAL_ENGINEERING |
UNSAFE_SITE_VISIT - UNSAFE_SITE_VISIT_SSL_ERROR |
USER_RESOURCE_ACCESS |
NETWORK_SUSPICIOUS |
unscannedFileEvent - FILE_PASSWORD_PROTECTED |
SCAN_FILE |
|
unscannedFileEvent - FILE_TOO_LARGE |
SCAN_FILE |
|
urlFilteringInterstitialEvent |
USER_RESOURCE_ACCESS |
POLICY_VIOLATION |
字段映射参考文档:CHROME_MANAGEMENT
下表列出了 CHROME_MANAGEMENT
日志类型的日志字段及其对应的 UDM 字段。
Log field | UDM mapping | Logic |
---|---|---|
id.customerId |
about.resource.product_object_id |
|
event_detail |
metadata.description |
|
time |
metadata.event_timestamp |
|
events.parameters.name [TIMESTAMP] |
metadata.event_timestamp |
|
event |
metadata.product_event_type |
|
events.name |
metadata.product_event_type |
|
id.uniqueQualifier |
metadata.product_log_id |
|
|
metadata.product_name |
The metadata.product_name UDM field is set to Chrome Management . |
id.applicationName |
|
|
|
metadata.vendor_name |
The metadata.vendor_name UDM field is set to GOOGLE . |
user_agent |
network.http.user_agent |
|
userAgent |
network.http.user_agent |
|
events.parameters.name [USER_AGENT] |
network.http.user_agent |
|
events.parameters.name [SESSION_ID] |
network.session_id |
|
client_type |
principal.application |
|
clientType |
principal.application |
|
events.parameters.name [CLIENT_TYPE] |
principal.application |
|
device_id |
principal.asset.product_object_id |
|
deviceId |
principal.asset.product_object_id |
|
events.parameters.name [DEVICE_ID] |
principal.asset.product_object_id |
|
device_name |
principal.hostname |
|
deviceName |
principal.hostname |
|
events.parameters.name [DEVICE_NAME] |
principal.hostname |
|
os_plarform |
principal.platform |
The principal.platform UDM field is set to one of the following values:
Else, if the os_plarform log field value is not empty and osVersion log field value is not empty, then the os_plarform osVersion log field is mapped to the principal.platform_version UDM field. |
os_platform |
principal.platform |
The principal.platform UDM field is set to one of the following values:
Else, if the os_platform log field value is not empty and osVersion log field value is not empty, then the os_platform osVersion log field is mapped to the principal.platform_version UDM field. |
osPlatform |
principal.platform |
The principal.platform UDM field is set to one of the following values:
Else, if the osPlatform log field value is not empty and osVersion log field value is not empty, then the osPlatform osVersion log field is mapped to the principal.platform_version UDM field. |
events.parameters.name [DEVICE_PLATFORM] |
principal.platform |
The os_platform and os_version is extracted from the events.parameters.name [DEVICE_PLATFORM] log field using Grok pattern.The principal.platform UDM field is set to one of the following values:
Else, if the os_platform log field value is not empty and osVersion log field value is not empty, then the os_platform osVersion log field is mapped to the principal.platform_version UDM field. |
os_version |
principal.platform_version |
|
osVersion |
principal.platform_version |
|
events.parameters.name [DEVICE_PLATFORM] |
principal.platform_version |
The Version is extracted from the events.parameters.name [DEVICE_PLATFORM] log field using Grok pattern. |
device_id |
principal.resource.id |
|
deviceId |
principal.resource.id |
|
events.parameters.name [DEVICE_ID] |
principal.resource.id |
|
directory_device_id |
principal.resource.product_object_id |
|
events.parameters.name [DIRECTORY_DEVICE_ID] |
principal.resource.product_object_id |
|
|
principal.resource.resource_subtype |
If the event log field value is equal to CHROMEOS_PERIPHERAL_STATUS_UPDATED , then the principal.resource.resource_subtype UDM field is set to USB .Else, if the events.name log field value is equal to CHROMEOS_PERIPHERAL_STATUS_UPDATED , then the principal.resource.resource_subtype UDM field is set to USB . |
|
principal.resource.resource_type |
If the device_id log field value is not empty, then the principal.resource.resource_type UDM field is set to DEVICE . |
actor.email |
principal.user.email_addresses |
|
actor.profileId |
principal.user.userid |
|
result |
security_result.action_details |
|
events.parameters.name [EVENT_RESULT] |
security_result.action_details |
|
event_result |
security_result.action_details |
|
|
security_result.action |
The security_result.action UDM field is set to one of the following values:
|
reason |
security_result.category_details |
|
events.parameters.name [EVENT_REASON] |
security_result.category_details |
|
events.parameters.name [LOGIN_FAILURE_REASON] |
security_result.description |
|
events.parameters.name [REMOVE_USER_REASON] |
security_result.description |
If the events.name log field value is equal to CHROME_OS_REMOVE_USER , then the events.parameters.namethe log field is mapped to the security_result.description UDM field. |
triggered_rules |
security_result.rule_name |
|
events.type |
security_result.summary |
|
events.parameters.name [PRODUCT_NAME] |
target.application |
If the events.name log field value contains one of the following values, then the events.parameters.name [PRODUCT_NAME] log field is mapped to the target.resource.name UDM field:
|
content_name |
target.file.full_path |
|
contentName |
target.file.full_path |
|
events.parameters.name [CONTENT_NAME] |
target.file.full_path |
|
content_type |
target.file.mime_type |
|
contentType |
target.file.mime_type |
|
events.parameters.name [CONTENT_TYPE] |
target.file.mime_type |
|
content_hash |
target.file.sha256 |
|
events.parameters.name [CONTENT_HASH] |
target.file.sha256 |
|
content_size |
target.file.size |
|
contentSize |
target.file.size |
|
events.parameters.name [CONTENT_SIZE] |
target.file.size |
|
|
target.file.file_type |
The fileType is extracted from the content_name log field usign Grok pattern, Then target.file.file_type UDM field is set to one of the following values:
|
extension_id |
target.resource.product_object_id |
|
events.parameters.name [APP_ID] |
target.resource.product_object_id |
|
extension_name |
target.resource.name |
If the event log field value is equal to badNavigationEvent or the |
events.parameters.name [APP_NAME] |
target.resource.name |
|
url |
target.url |
|
events.parameters.name [URL] |
target.url |
|
device_user |
target.user.userid |
|
deviceUser |
target.user.userid |
|
events.parameters.name [DEVICE_USER] |
target.user.userid |
|
scan_id |
about.labels [scan_id] |
|
events.parameters.name [CONNECTION_TYPE] |
about.labels [connection_type] |
|
etag |
about.labels [etag] |
|
kind |
about.labels [kind] |
|
actor.key |
principal.user.attribute.labels [actor_key] |
|
actor.callerType |
principal.user.attribute.labels [actor_callerType] |
|
events.parameters.name [EVIDENCE_LOCKER_FILEPATH] |
security_result.about.labels [evidence_locker_filepath] |
|
federated_origin |
security_result.about.labels [federated_origin] |
|
is_federated |
security_result.about.labels [is_federated] |
|
destination |
security_result.about.labels [trigger_destination] |
|
events.parameters.name [TRIGGER_DESTINATION] |
security_result.about.labels [trigger_destination] |
|
source |
security_result.about.labels [trigger_source] |
|
events.parameters.name [TRIGGER_SOURCE] |
security_result.about.labels [trigger_source] |
|
trigger_type |
security_result.about.labels [trigger_type] |
|
triggerType |
security_result.about.labels [trigger_type] |
|
events.parameters.name [TRIGGER_TYPE] |
security_result.about.labels [trigger_type] |
|
trigger_user |
security_result.about.labels [trigger_user] |
|
events.parameters.name [TRIGGER_USER] |
security_result.about.labels [trigger_user] |
|
events.parameters.name [MALWARE_CATEGORY] |
security_result.threat_name |
|
events.parameters.name [MALWARE_FAMILY] |
security_result.detection_fields [malware_family] |
|
events.parameters.name [VENDOR_ID] |
src.labels [vendor_id] |
|
events.parameters.name [VENDOR_NAME] |
src.labels [vendor_name] |
|
events.parameters.name [VIRTUAL_DEVICE_ID] |
src.labels [virtual_device_id] |
|
events.parameters.name [NEW_BOOT_MODE] |
target.asset.attribute.labels [new_boot_mode] |
|
events.parameters.name [PREVIOUS_BOOT_MODE] |
target.asset.attribute.labels [previous_boot_mode] |
|
id.time |
target.asset.attribute.labels [timestamp] |
|
events.parameters.name [PRODUCT_ID] |
target.labels [product_id] |
If the events.name log field value contains one of the following values, then the events.parameters.name [PRODUCT_ID] log field is mapped to the target.resource.product_object_id UDM field:
Else, the events.parameters.name [PRODUCT_ID] log field is mapped to the target.labels UDM field. |
|
extensions.auth.mechanism |
If the events.name log field value contains one of the following values, then the extensions.auth.mechanism UDM field is set to USERNAME_PASSWORD :
|
events.parameters.name [UNLOCK_TYPE] |
target.labels [unlock_type] |
|
extension_description |
target.resource.attribute.labels [extension_description] |
|
extension_action |
target.resource.attribute.labels [extension_action] |
|
extension_version |
target.resource.attribute.labels [extension_version] |
|
extension_source |
target.resource.attribute.labels [extension_source] |
|
browser_version |
target.resource.attributes.labels [browser_version] |
|
browserVersion |
target.resource.attributes.labels [browser_version] |
|
events.parameters.name [BROWSER_VERSION] |
target.resource.attributes.labels [browser_version] |
|
profile_user |
principal.user.email_addresses |
If the profile_user log field value is matched with regular expression pattern ^.+@.+$ , then the profile_user log field is mapped to the principal.user.email_addresses UDM field.Else, the profile_user log field is mapped to the principal.user.user_display_name UDM field. |
events.parameters.name [PROFILE_USER_NAME] |
target.user.user_display_name |
|
|
target.resource.resource_type |
If the events.name log field value is equal to DEVICE_BOOT_STATE_CHANGE , then the target.resource.resource_type UDM field is set to SETTING . |
url_category |
target.labels [url_category] |
|
browser_channel |
target.resource.attribute.labels [browser_channel] |
|
report_id |
target.labels [report_id] |
|
clickedThrough |
target.labels [clickedThrough] |
|
threat_type |
security_result.detection_fields [threatType] |
|
triggered_rule_info.action |
security_result.action |
If the triggered_rule_info.action log field value contains one of the following values, then the triggered_rule_info.action log field is mapped to the security_result.action UDM field:
Else, the triggered_rule_info.action log field is mapped to the security_result.rule_labels [triggeredRuleInfo_action] UDM field. |
triggered_rule_info.rule_id |
security_result.rule_id |
|
triggered_rule_info.rule_name |
security_result.rule_name |
|
triggered_rule_info.url_category |
security_result.category_details |
|
transfer_method |
additional.fields [transfer_method] |