Google Chrome-Protokolle erfassen
Unterstützt in:
Google SecOps
SIEM
In diesem Dokument wird beschrieben, wie Sie Chrome-Protokolle erfassen, indem Sie einen Google Security Operations-Feed einrichten. Außerdem erfahren Sie, wie Protokollfelder den Feldern des Chrome Unified Data Model (UDM) zugeordnet werden.
Weitere Informationen finden Sie unter Datenaufnahme in Google SecOps.
Übersicht
Eine typische Bereitstellung besteht aus ChromeOS und dem Chrome-Browser, die so konfiguriert sind, dass Protokolle an Google SecOps gesendet werden. Jede Kundenimplementierung kann sich unterscheiden und komplexer sein. Die Bereitstellung besteht aus den folgenden Komponenten:
Chrome: Das ChromeOS-Geräteprotokoll, das Sie erfassen möchten.
Google Workspace: Die Google Workspace-Plattform, von der Sie Protokolle erfassen.
Google SecOps-Feed: Der Google SecOps-Feed, über den Protokolle aus Google Workspace abgerufen und in Google SecOps geschrieben werden.
Google SecOps: Hier werden Chrome-Protokolle aufbewahrt und analysiert.
Ein Datenaufnahmelabel identifiziert den Parser, der Roh-Logdaten in das strukturierte UDM-Format normalisiert.
Die Informationen in diesem Dokument beziehen sich auf den Parser mit dem Datenaufnahmelabel CHROME_MANAGEMENT.
Hinweise
Sie müssen die Google Workspace Business Standard-Version verwenden.
Sie benötigen ein Google Workspace-Administratorkonto.
Alle Systeme in der Bereitstellungsarchitektur müssen in der Zeitzone UTC konfiguriert sein.
Sie benötigen einen API-Schlüssel. Wenn Sie keinen haben, wenden Sie sich an den Google SecOps-Support oder Ihren Google SecOps-Kundenbetreuer, um einen Google Security Operations API-Schlüssel anzufordern.
Wenn Sie Nutzer erstellen, die die Identität des Dienstkontos übernehmen, gewähren Sie ihnen über die Admin-Konsole die folgenden Berechtigungen:
- Berechtigungen > Berichte
- Berechtigungen > Dienste > Benachrichtigungszentrale > Vollzugriff > Lesezugriff
- Berechtigungen > Dienste > Mobilgeräteverwaltung > Geräte und Einstellungen verwalten
- „Berechtigungen“ > „Dienste“ > „Chrome Management“ > „Einstellungen“
- Admin API > Berechtigungen > Nutzer > Lesezugriff
- Admin API > Berechtigungen > Gruppen > Lesezugriff
Chrome-Verwaltung über die Cloud einrichten
Im Folgenden finden Sie eine allgemeine Anleitung zum Einrichten der Chrome-Verwaltung über die Cloud:
Führen Sie die folgenden Schritte aus, um die Chrome-Verwaltung über die Cloud einzurichten.
Klicken Sie in der Admin-Konsole auf das Dreistrich-Menü > Geräte > Chrome > Verwaltete Browser.
Optional: Wählen Sie die oberste Organisationseinheit oder die Organisationseinheit aus, für die Sie ein Token generieren möchten, mit dem Browser direkt für diese bestimmte Organisationseinheit registriert werden. Weitere Informationen finden Sie im Hilfeartikel Eine Organisationseinheit hinzufügen.
Klicken Sie auf Registrieren. Wenn das Ihre erste Browserregistrierung ist, werden Sie aufgefordert, die Nutzungsbedingungen der Chrome-Verwaltung über die Cloud (Chrome Browser Cloud Management, CBCM) zu akzeptieren.
Klicken Sie auf Registrierungstoken in Zwischenablage kopieren.
Klicken Sie auf Fertig, um cloud-verwaltete Chrome-Browser zu registrieren.
Klicken Sie in der Admin-Konsole auf das Dreistrich-Menü > Geräte > Chrome > Einstellungen > Nutzer und Browser. Wählen Sie die oberste Organisationseinheit aus, damit alle untergeordneten Organisationen die Richtlinie übernehmen. Scrollen Sie nach unten zu Browserberichte.
Setzen Sie Berichte zu verwalteten Browsern auf Cloud-Berichterstellung für verwaltete Browser aktivieren.
Klicken Sie auf Speichern, um die Berichterstellung für Chrome-Browser zu aktivieren.
Klicken Sie in der Admin-Konsole auf das Dreistrich-Menü > Geräte > Chrome > Anschlüsse.
Optional: Wenn Sie die Einstellungen für Chrome Enterprise Connectors zum ersten Mal konfigurieren, folgen Sie der Anleitung zum Aktivieren von Chrome Enterprise Connectors.
Klicken Sie oben auf Neue Anbieterkonfiguration.
Suchen Sie im Bereich rechts nach der Google SecOps-Einrichtung und klicken Sie auf Einrichten.
Geben Sie die Konfigurations-ID und den API-Schlüssel ein.
Konfigurations-ID: Die ID, die auf der Seite Nutzer- und Browsereinstellungen und auf der Seite Connectors angezeigt wird.
API-Schlüssel: Der API-Schlüssel, der beim Aufrufen der Google SecOps Injection API zum Identifizieren des Kunden angegeben werden soll.
Klicken Sie auf Konfiguration hinzufügen, um eine neue Anbieterkonfiguration hinzuzufügen.
Unterstützte Protokolltypen und Datenmodelle
Im Folgenden finden Sie die unterstützten Protokolltypen und ‑ereignisse für Chrome Enterprise. Alle unterstützten Protokolltypen und ‑ereignisse sind im JSON-Format.
| Logtyp | Ereignistyp |
|---|---|
| Böswillige Aktivitäten |
|
| Aktivität prüfen |
|
| Datenschutz |
|
| Chrome OS |
|
Referenz für die Feldzuordnung
In diesem Abschnitt wird beschrieben, wie der Google SecOps-Parser Chrome-Protokollfelder den Feldern des einheitlichen Datenmodells (Unified Data Model, UDM) von Google SecOps für die Datensätze zuordnet.
Feldzuordnung: Ereignis-ID zu Ereignistyp
In der folgenden Tabelle sind die CHROME_MANAGEMENT-Protokolltypen und die zugehörigen UDM-Ereignistypen aufgeführt.
| Event Identifier | Event Type | Security Category |
|---|---|---|
badNavigationEvent - SOCIAL_ENGINEERING |
USER_RESOURCE_ACCESS |
SOCIAL_ENGINEERING |
badNavigationEvent - SSL_ERROR |
USER_RESOURCE_ACCESS |
NETWORK_SUSPICIOUS |
badNavigationEvent - MALWARE |
USER_RESOURCE_ACCESS |
SOFTWARE_MALICIOUS |
badNavigationEvent - UNWANTED_SOFTWARE |
USER_RESOURCE_ACCESS |
SOFTWARE_PUA |
badNavigationEvent - THREAT_TYPE_UNSPECIFIED |
USER_RESOURCE_ACCESS |
SOFTWARE_MALICIOUS |
browserCrashEvent |
STATUS_UPDATE |
|
browserExtensionInstallEvent |
USER_RESOURCE_UPDATE_CONTENT |
|
Extension install - BROWSER_EXTENSION_INSTALL |
USER_RESOURCE_UPDATE_CONTENT |
|
EXTENSION_REQUEST |
USER_UNCATEGORIZED |
|
CHROME_OS_ADD_USER - CHROMEOS_AFFILIATED_USER_ADDED |
USER_CREATION |
|
CHROME_OS_ADD_USER - CHROMEOS_UNAFFILIATED_USER_ADDED |
USER_CREATION |
|
ChromeOS user added - CHROMEOS_UNAFFILIATED_USER_ADDED |
USER_CREATION |
|
ChromeOS user removed - CHROMEOS_UNAFFILIATED_USER_REMOVED |
USER_DELETION |
|
CHROME_OS_REMOVE_USER - CHROMEOS_AFFILIATED_USER_REMOVED |
USER_DELETION |
|
CHROME_OS_REMOVE_USER - CHROMEOS_UNAFFILIATED_USER_REMOVED |
USER_DELETION |
|
Login events |
USER_LOGIN |
|
LOGIN_EVENT - CHROMEOS_UNAFFILIATED_LOGIN |
USER_LOGIN |
|
loginEvent |
USER_LOGIN |
|
ChromeOS login success |
USER_LOGIN |
|
CHROME_OS_LOGIN_EVENT - CHROMEOS_AFFILIATED_LOGIN |
USER_LOGIN |
|
CHROME_OS_LOGIN_EVENT - CHROMEOS_UNAFFILIATED_LOGIN |
USER_LOGIN |
|
CHROME_OS_LOGIN_EVENT - CHROMEOS_GUEST_LOGIN |
USER_LOGIN |
|
CHROME_OS_LOGIN_EVENT - CHROMEOS_KIOSK_SESSION_LOGIN |
USER_LOGIN |
|
CHROME_OS_LOGIN_EVENT - CHROMEOS_GUEST_SESSION_LOGIN |
USER_LOGIN |
|
CHROME_OS_LOGIN_EVENT - CHROMEOS_MANAGED_GUEST_SESSION_LOGIN |
USER_LOGIN |
|
ChromeOS login failure - CHROMEOS_AFFILIATED_LOGIN |
USER_LOGIN |
|
CHROME_OS_LOGIN_FAILURE_EVENT - CHROMEOS_AFFILIATED_LOGIN |
USER_LOGIN |
|
CHROME_OS_LOGIN_FAILURE_EVENT - CHROMEOS_UNAFFILIATED_LOGIN |
USER_LOGIN |
|
CHROME_OS_LOGIN_LOGOUT_EVENT - CHROMEOS_AFFILIATED_LOGIN |
USER_LOGIN |
|
CHROME_OS_LOGOUT_EVENT - CHROMEOS_AFFILIATED_LOGOUT |
USER_LOGOUT |
|
CHROME_OS_LOGOUT_EVENT - CHROMEOS_GUEST_LOGOUT |
USER_LOGOUT |
|
CHROME_OS_LOGOUT_EVENT - CHROMEOS_MANAGED_GUEST_SESSION_LOGOUT |
USER_LOGOUT |
|
CHROME_OS_LOGOUT_EVENT - CHROMEOS_UNAFFILIATED_LOGOUT |
USER_LOGOUT |
|
CHROME_OS_LOGOUT_EVENT - CHROMEOS_KIOSK_SESSION_LOGOUT |
USER_LOGOUT |
|
CHROME_OS_LOGOUT_EVENT - CHROMEOS_GUEST_SESSION_LOGOUT |
USER_LOGOUT |
|
ChromeOS logout - CHROMEOS_AFFILIATED_LOGOUT |
USER_LOGOUT |
|
CHROME_OS_REPORTING_DATA_LOST |
STATUS_UPDATE |
|
ChromeOS CRD client connected - CHROMEOS_CRD_CLIENT_CONNECTED |
USER_LOGIN |
|
ChromeOS CRD client disconnected |
USER_LOGOUT |
|
CHROME_OS_CRD_HOST_STARTED - CHROMEOS_CRD_HOST_STARTED |
STATUS_STARTUP |
|
ChromeOS CRD host started - CHROMEOS_CRD_HOST_STARTED |
STATUS_STARTUP |
|
ChromeOS CRD host stopped - CHROMEOS_CRD_HOST_ENDED |
STATUS_STARTUP |
|
ChromeOS device boot state change - CHROME_OS_VERIFIED_MODE |
SETTING_MODIFICATION |
|
ChromeOS device boot state change - CHROME_OS_DEV_MODE |
SETTING_MODIFICATION |
|
DEVICE_BOOT_STATE_CHANGE - CHROME_OS_VERIFIED_MODE |
SETTING_MODIFICATION |
|
ChromeOS lock success - CHROMEOS_AFFILIATED_LOCK_SUCCESS |
USER_LOGOUT |
|
ChromeOS unlock success - CHROMEOS_AFFILIATED_UNLOCK_SUCCESS |
USER_LOGIN |
|
ChromeOS unlock failure - CHROMEOS_AFFILIATED_LOGIN |
USER_LOGIN |
|
ChromeOS USB device added - CHROMEOS_PERIPHERAL_ADDED |
USER_RESOURCE_ACCESS |
|
ChromeOS USB device removed - CHROMEOS_PERIPHERAL_REMOVED |
USER_RESOURCE_DELETION |
|
ChromeOS USB status change - CHROMEOS_PERIPHERAL_STATUS_UPDATED |
USER_RESOURCE_UPDATE_CONTENT |
|
CHROMEOS_PERIPHERAL_STATUS_UPDATED - CHROMEOS_PERIPHERAL_STATUS_UPDATED |
USER_RESOURCE_UPDATE_CONTENT |
|
Client Side Detection |
USER_UNCATEGORIZED |
|
Content transfer |
SCAN_FILE |
|
CONTENT_TRANSFER |
SCAN_FILE |
|
contentTransferEvent |
SCAN_FILE |
|
Content unscanned |
SCAN_UNCATEGORIZED |
|
CONTENT_UNSCANNED |
SCAN_UNCATEGORIZED |
|
dataAccessControlEvent |
USER_RESOURCE_ACCESS |
|
dangerousDownloadEvent - Dangerous |
SCAN_FILE |
SOFTWARE_PUA |
dangerousDownloadEvent - DANGEROUS_HOST |
SCAN_HOST |
|
dangerousDownloadEvent - UNCOMMON |
SCAN_UNCATEGORIZED |
|
dangerousDownloadEvent - POTENTIALLY_UNWANTED |
SCAN_UNCATEGORIZED |
SOFTWARE_PUA |
dangerousDownloadEvent - UNKNOWN |
SCAN_UNCATEGORIZED |
|
dangerousDownloadEvent - DANGEROUS_URL |
SCAN_UNCATEGORIZED |
|
dangerousDownloadEvent - UNWANTED_SOFTWARE |
SCAN_FILE |
SOFTWARE_PUA |
dangerousDownloadEvent - DANGEROUS_FILE_TYPE |
SCAN_FILE |
SOFTWARE_MALICIOUS |
Desktop DLP Warnings |
USER_UNCATEGORIZED |
|
DLP_EVENT |
USER_UNCATEGORIZED |
|
interstitialEvent - Malware |
NETWORK_HTTP |
NETWORK_SUSPICIOUS |
IOS/OSX Warnings |
SCAN_UNCATEGORIZED |
|
Malware transfer - MALWARE_TRANSFER_DANGEROUS |
SCAN_FILE |
SOFTWARE_MALICIOUS |
MALWARE_TRANSFER - MALWARE_TRANSFER_UNCOMMON |
SCAN_FILE |
SOFTWARE_MALICIOUS |
MALWARE_TRANSFER - MALWARE_TRANSFER_DANGEROUS |
SCAN_FILE |
SOFTWARE_MALICIOUS |
MALWARE_TRANSFER - MALWARE_TRANSFER_UNWANTED_SOFTWARE |
SCAN_FILE |
SOFTWARE_MALICIOUS |
MALWARE_TRANSFER - MALWARE_TRANSFER_UNKNOWN |
SCAN_FILE |
SOFTWARE_MALICIOUS |
MALWARE_TRANSFER - MALWARE_TRANSFER_DANGEROUS_HOST |
SCAN_FILE |
SOFTWARE_MALICIOUS |
malwareTransferEvent - DANGEROUS |
SCAN_FILE |
SOFTWARE_MALICIOUS |
malwareTransferEvent - UNSPECIFIED |
SCAN_FILE |
SOFTWARE_MALICIOUS |
Password breach |
USER_RESOURCE_ACCESS |
|
PASSWORD_BREACH |
USER_RESOURCE_ACCESS |
|
passwordBreachEvent - PASSWORD_ENTRY |
USER_RESOURCE_ACCESS |
|
Password changed |
USER_CHANGE_PASSWORD |
|
PASSWORD_CHANGED |
USER_CHANGE_PASSWORD |
|
passwordChangedEvent |
USER_CHANGE_PASSWORD |
|
Password reuse - PASSWORD_REUSED_UNAUTHORIZED_SITE |
USER_RESOURCE_ACCESS |
POLICY_VIOLATION, AUTH_VIOLATION |
Password reuse - PASSWORD_REUSED_PHISHING_URL |
USER_UNCATEGORIZED |
PHISHING |
PASSWORD_REUSE - PASSWORD_REUSED_UNAUTHORIZED_SITE |
USER_RESOURCE_ACCESS |
POLICY_VIOLATION, AUTH_VIOLATION |
passwordReuseEvent - Unauthorized site |
USER_RESOURCE_ACCESS |
POLICY_VIOLATION, AUTH_VIOLATION |
passwordReuseEvent - PASSWORD_REUSED_PHISHING_URL |
USER_UNCATEGORIZED |
PHISHING |
passwordReuseEvent - PASSWORD_REUSED_UNAUTHORIZED_SITE |
USER_RESOURCE_ACCESS |
POLICY_VIOLATION, AUTH_VIOLATION |
Permissions Blacklisting |
RESOURCE_PERMISSIONS_CHANGE |
|
Sensitive data transfer |
SCAN_FILE |
DATA_EXFILTRATION |
SENSITIVE_DATA_TRANSFER |
SCAN_FILE |
DATA_EXFILTRATION |
sensitiveDataEvent - [test_user_5] warn |
SCAN_FILE |
DATA_EXFILTRATION |
sensitiveDataTransferEvent |
SCAN_FILE |
DATA_EXFILTRATION |
Unsafe site visit - UNSAFE_SITE_VISIT_SSL_ERROR |
USER_RESOURCE_ACCESS |
NETWORK_SUSPICIOUS |
UNSAFE_SITE_VISIT - UNSAFE_SITE_VISIT_MALWARE |
USER_RESOURCE_ACCESS |
SOFTWARE_MALICIOUS |
UNSAFE_SITE_VISIT - UNSAFE_SITE_VISIT_UNWANTED_SOFTWARE |
USER_RESOURCE_ACCESS |
SOFTWARE_SUSPICIOUS |
UNSAFE_SITE_VISIT - EVENT_REASON_UNSPECIFIED |
USER_RESOURCE_ACCESS |
|
UNSAFE_SITE_VISIT - UNSAFE_SITE_VISIT_SOCIAL_ENGINEERING |
USER_RESOURCE_ACCESS |
SOCIAL_ENGINEERING |
UNSAFE_SITE_VISIT - UNSAFE_SITE_VISIT_SSL_ERROR |
USER_RESOURCE_ACCESS |
NETWORK_SUSPICIOUS |
unscannedFileEvent - FILE_PASSWORD_PROTECTED |
SCAN_FILE |
|
unscannedFileEvent - FILE_TOO_LARGE |
SCAN_FILE |
|
urlFilteringInterstitialEvent |
USER_RESOURCE_ACCESS |
POLICY_VIOLATION |
extensionTelemetryEvent |
If the telemetry_event_signals.signal_name log field value is equal to the COOKIES_GET_ALL_INFO, COOKIES_GET_INFO, TABS_API_INFO, then the event_type set to USER_RESOURCE_ACCESS.Else, if the telemetry_event_signals.signal_name log field value is equal to REMOTE_HOST_CONTACTED_INFO, then if the telemetry_event_signals.connection_protocol log field value is equal to HTTP_HTTPS, then the event_type is set to NETWORK_HTTP.Else, the event_type UDM field is set to NETWORK_UNCATEGORIZED. |
If the telemetry_event_signals.signal_name log field value is equal to REMOTE_HOST_CONTACTED_INFO, then the security category is set to NETWORK_SUSPICIOUS.Else, if the telemetry_event_signals.signal_name log field value contain one of the following values, then the security category UDM field is set to SOFTWARE_SUSPICIOUS.
|
Referenz für die Feldzuordnung: CHROME_MANAGEMENT
In der folgenden Tabelle sind die Protokollfelder des CHROME_MANAGEMENT-Protokolltyps und die zugehörigen UDM-Felder aufgeführt.
| Log field | UDM mapping | Logic |
|---|---|---|
id.customerId |
about.resource.product_object_id |
|
event_detail |
metadata.description |
|
time |
metadata.event_timestamp |
|
events.parameters.name [TIMESTAMP] |
metadata.event_timestamp |
|
event |
metadata.product_event_type |
|
events.name |
metadata.product_event_type |
|
id.uniqueQualifier |
metadata.product_log_id |
|
|
metadata.product_name |
The metadata.product_name UDM field is set to Chrome Management. |
id.applicationName |
|
|
|
metadata.vendor_name |
The metadata.vendor_name UDM field is set to GOOGLE. |
user_agent |
network.http.user_agent |
|
userAgent |
network.http.user_agent |
|
events.parameters.name [USER_AGENT] |
network.http.user_agent |
|
events.parameters.name [SESSION_ID] |
network.session_id |
|
client_type |
principal.application |
|
clientType |
principal.application |
|
events.parameters.name [CLIENT_TYPE] |
principal.application |
|
device_id |
principal.asset.product_object_id |
|
deviceId |
principal.asset.product_object_id |
|
events.parameters.name [DEVICE_ID] |
principal.asset.product_object_id |
|
device_name |
principal.hostname |
|
deviceName |
principal.hostname |
|
events.parameters.name [DEVICE_NAME] |
principal.hostname |
|
os_plarform |
principal.platform |
The principal.platform UDM field is set to one of the following values:
Else, if the os_plarform log field value is not empty and osVersion log field value is not empty, then the os_plarform osVersion log field is mapped to the principal.platform_version UDM field. |
os_plarform |
principal.asset.platform_software.platform |
The principal.asset.platform_software.platform UDM field is set to one of the following values:
|
os_platform |
principal.platform |
The principal.platform UDM field is set to one of the following values:
Else, if the os_platform log field value is not empty and osVersion log field value is not empty, then the os_platform osVersion log field is mapped to the principal.platform_version UDM field. |
os_platform |
principal.asset.platform_software.platform |
The principal.asset.platform_software.platform UDM field is set to one of the following values:
|
osPlatform |
principal.platform |
The principal.platform UDM field is set to one of the following values:
Else, if the osPlatform log field value is not empty and osVersion log field value is not empty, then the osPlatform osVersion log field is mapped to the principal.platform_version UDM field. |
osPlatform |
principal.asset.platform_software.platform |
The principal.asset.platform_software.platform UDM field is set to one of the following values:
|
events.parameters.name [DEVICE_PLATFORM] |
principal.platform |
The os_platform and os_version is extracted from the events.parameters.name [DEVICE_PLATFORM] log field using Grok pattern.The principal.platform UDM field is set to one of the following values:
Else, if the os_platform log field value is not empty and osVersion log field value is not empty, then the os_platform osVersion log field is mapped to the principal.platform_version UDM field. |
events.parameters.name [DEVICE_PLATFORM] |
principal.asset.platform_software.platform |
The os_platform is extracted from the events.parameters.name [DEVICE_PLATFORM] log field using Grok pattern.The principal.asset.platform_software.platform UDM field is set to one of the following values:
|
os_version |
principal.platform_version |
|
osVersion |
principal.platform_version |
|
events.parameters.name [DEVICE_PLATFORM] |
principal.platform_version |
The Version is extracted from the events.parameters.name [DEVICE_PLATFORM] log field using Grok pattern. |
device_id |
principal.resource.id |
|
deviceId |
principal.resource.id |
|
events.parameters.name [DEVICE_ID] |
principal.resource.id |
|
directory_device_id |
principal.resource.product_object_id |
|
events.parameters.name [DIRECTORY_DEVICE_ID] |
principal.resource.product_object_id |
|
|
principal.resource.resource_subtype |
If the event log field value is equal to CHROMEOS_PERIPHERAL_STATUS_UPDATED, then the principal.resource.resource_subtype UDM field is set to USB.Else, if the events.name log field value is equal to CHROMEOS_PERIPHERAL_STATUS_UPDATED, then the principal.resource.resource_subtype UDM field is set to USB. |
|
principal.resource.resource_type |
If the device_id log field value is not empty, then the principal.resource.resource_type UDM field is set to DEVICE. |
actor.email |
principal.user.email_addresses |
|
actor.profileId |
principal.user.userid |
|
result |
security_result.action_details |
|
events.parameters.name [EVENT_RESULT] |
security_result.action_details |
|
event_result |
security_result.action_details |
|
|
security_result.action |
The security_result.action UDM field is set to one of the following values:
|
reason |
security_result.category_details |
|
events.parameters.name [EVENT_REASON] |
security_result.category_details |
|
events.parameters.name [EVENT_REASON] |
security_result.summary |
|
events.parameters.name [LOGIN_FAILURE_REASON] |
security_result.description |
|
events.parameters.name [REMOVE_USER_REASON] |
security_result.description |
If the events.name log field value is equal to CHROME_OS_REMOVE_USER, then the events.parameters.namethe log field is mapped to the security_result.description UDM field. |
triggered_rules |
security_result.rule_name |
|
events.type |
security_result.category_details |
|
events.parameters.name [PRODUCT_NAME] |
target.application |
If the events.name log field value contains one of the following values, then the events.parameters.name [PRODUCT_NAME] log field is mapped to the target.resource.name UDM field:
|
content_name |
target.file.full_path |
|
contentName |
target.file.full_path |
|
events.parameters.name [CONTENT_NAME] |
target.file.full_path |
|
content_type |
target.file.mime_type |
|
contentType |
target.file.mime_type |
|
events.parameters.name [CONTENT_TYPE] |
target.file.mime_type |
|
content_hash |
target.file.sha256 |
|
events.parameters.name [CONTENT_HASH] |
target.file.sha256 |
|
content_size |
target.file.size |
|
contentSize |
target.file.size |
|
events.parameters.name [CONTENT_SIZE] |
target.file.size |
|
|
target.file.file_type |
The fileType is extracted from the content_name log field usign Grok pattern, Then target.file.file_type UDM field is set to one of the following values:
|
extension_id |
target.resource.product_object_id |
|
events.parameters.name [APP_ID] |
target.resource.product_object_id |
|
extension_name |
target.resource.name |
If the event log field value is equal to badNavigationEvent or the events.name log field value is equal to badNavigationEvent, then the extension_name log field is mapped to the target.resource.name UDM field. |
telemetry_event_signals.signal_name |
target.resource.name |
If the event log field value is equal to extensionTelemetryEvent, then the telemetry_event_signals.signal_name log field is mapped to the target.resource.name UDM field. |
events.parameters.name [APP_NAME] |
target.resource.name |
|
url |
target.url |
|
events.parameters.name [URL] |
target.url |
|
telemetry_event_signals.url |
target.url |
If the telemetry_event_signals.url log field value matches the regular expression pattern the [http:\/\/ or https:\/\/].*, then the telemetry_event_signals.url log field is mapped to the target.url UDM field. |
device_user |
target.user.userid |
|
deviceUser |
principal.user.userid |
If the event log field value is equal to passwordChangedEvent, then the deviceUser log field is mapped to the principal.user.userid UDM field.Else, the deviceUser log field is mapped to the principal.user.user_display_name UDM field. |
events.parameters.name [DEVICE_USER] |
If the event log field value is equal to passwordChangedEvent, then the events.parameters.name [DEVICE_USER] log field is mapped to the principal.user.userid UDM field.Else, the events.parameters.name [DEVICE_USER] log field is mapped to the principal.user.user_display_name UDM field. |
|
scan_id |
about.labels [scan_id] |
|
events.parameters.name [CONNECTION_TYPE] |
about.labels [connection_type] |
|
etag |
about.labels [etag] |
|
kind |
about.labels [kind] |
|
actor.key |
principal.user.attribute.labels [actor_key] |
|
actor.callerType |
principal.user.attribute.labels [actor_callerType] |
|
events.parameters.name [EVIDENCE_LOCKER_FILEPATH] |
security_result.about.labels [evidence_locker_filepath] |
|
federated_origin |
security_result.about.labels [federated_origin] |
|
is_federated |
security_result.about.labels [is_federated] |
|
destination |
security_result.about.labels [trigger_destination] |
|
events.parameters.name [TRIGGER_DESTINATION] |
security_result.about.labels [trigger_destination] |
|
source |
security_result.about.labels [trigger_source] |
|
events.parameters.name [TRIGGER_SOURCE] |
security_result.about.labels [trigger_source] |
|
trigger_type |
security_result.about.labels [trigger_type] |
|
trigger_type |
additional.fields [trigger_type] |
|
triggerType |
security_result.about.labels [trigger_type] |
|
triggerType |
additional.fields [trigger_type] |
|
events.parameters.name [TRIGGER_TYPE] |
security_result.about.labels [trigger_type] |
|
trigger_user |
security_result.about.labels [trigger_user] |
|
events.parameters.name [TRIGGER_USER] |
security_result.about.labels [trigger_user] |
|
events.parameters.name [MALWARE_CATEGORY] |
security_result.threat_name |
|
events.parameters.name [MALWARE_FAMILY] |
security_result.detection_fields [malware_family] |
|
events.parameters.name [VENDOR_ID] |
src.labels [vendor_id] |
|
events.parameters.name [VENDOR_NAME] |
src.labels [vendor_name] |
|
events.parameters.name [VIRTUAL_DEVICE_ID] |
src.labels [virtual_device_id] |
|
events.parameters.name [VIRTUAL_DEVICE_ID] |
additional.fields [virtual_device_id] |
|
events.parameters.name [NEW_BOOT_MODE] |
target.asset.attribute.labels [new_boot_mode] |
|
events.parameters.name [PREVIOUS_BOOT_MODE] |
target.asset.attribute.labels [previous_boot_mode] |
|
id.time |
target.asset.attribute.labels [timestamp] |
|
events.parameters.name [PRODUCT_ID] |
target.labels [product_id] |
If the events.name log field value contains one of the following values, then the events.parameters.name [PRODUCT_ID] log field is mapped to the target.resource.product_object_id UDM field:
Else, the events.parameters.name [PRODUCT_ID] log field is mapped to the target.labels UDM field. |
|
extensions.auth.mechanism |
If the events.name log field value contains one of the following values, then the extensions.auth.mechanism UDM field is set to USERNAME_PASSWORD:
|
events.parameters.name [UNLOCK_TYPE] |
target.labels [unlock_type] |
|
extension_description |
target.resource.attribute.labels [extension_description] |
|
extension_action |
target.resource.attribute.labels [extension_action] |
|
extension_version |
target.resource.attribute.labels [extension_version] |
If the event log field value is not equal to extensionTelemetryEvent, then the extension_version log field is mapped to the target.resource.attribute.labels[extension_version] UDM field. |
extension_source |
target.resource.attribute.labels[extension_source] |
If the event log field value is not equal to extensionTelemetryEvent, then the extension_source log field is mapped to the target.resource.attribute.labels[extension_source] UDM field. |
browser_version |
target.resource.attributes.labels [browser_version] |
|
browserVersion |
target.resource.attributes.labels [browser_version] |
|
events.parameters.name [BROWSER_VERSION] |
target.resource.attributes.labels [browser_version] |
|
profile_user |
target.user.email_addresses |
If the event log field value contain one of the following values and the profile_user log field value matches the regular expression pattern ^.+@.+$, then the profile_user log field is mapped to the target.user.email_addresses UDM field.
|
profile_user |
principal.user.email_addresses |
If the event log field value does not contain one of the following values and the profile_user log field value matches the regular expression pattern ^.+@.+$ and the actor.email log field value is not equal to the profile_user, then the profile_user log field is mapped to the principal.user.email_addresses UDM field.
|
profile_user |
target.user.attribute.labels[profile_user_name] |
If the event log field value contain one of the following values and the profile_user log field value does not match the regular expression pattern ^.+@.+$, then the profile_user log field is mapped to the target.user.attribute.labels.profile_user_name UDM field.
|
profile_user |
principal.user.attribute.labels[profile_user_name] |
If the event log field value does not contain one of the following values and the profile_user log field value does not match the regular expression pattern ^.+@.+$ or the actor.email log field value is equal to the profile_user, then the profile_user log field is mapped to the principal.user.attribute.labels.profile_user_name UDM field.
|
events.parameters.name [PROFILE_USER_NAME] |
target.user.email_addresses |
If the event log field value contain one of the following values and the events.parameters.name [PROFILE_USER_NAME] log field value matches the regular expression pattern ^.+@.+$, then the events.parameters.name [PROFILE_USER_NAME] log field is mapped to the target.user.email_addresses UDM field.
|
events.parameters.name [PROFILE_USER_NAME] |
principal.user.email_addresses |
If the event log field value does not contain one of the following values and the events.parameters.name [PROFILE_USER_NAME] log field value matches the regular expression pattern ^.+@.+$ and the actor.email log field value is not equal to the events.parameters.name [PROFILE_USER_NAME], then the events.parameters.name [PROFILE_USER_NAME] log field is mapped to the principal.user.email_addresses UDM field.
|
events.parameters.name [PROFILE_USER_NAME] |
target.user.attribute.labels[profile_user_name] |
If the event log field value contain one of the following values and the events.parameters.name [PROFILE_USER_NAME] log field value does not match the regular expression pattern ^.+@.+$, then the events.parameters.name [PROFILE_USER_NAME] log field is mapped to the target.user.attribute.labels.profile_user_name UDM field.
|
events.parameters.name [PROFILE_USER_NAME] |
principal.user.attribute.labels[profile_user_name] |
If the event log field value does not contain one of the following values and the events.parameters.name [PROFILE_USER_NAME] log field value does not match the regular expression pattern ^.+@.+$ or the actor.email log field value is equal to the events.parameters.name [PROFILE_USER_NAME], then the events.parameters.name [PROFILE_USER_NAME] log field is mapped to the principal.user.attribute.labels.profile_user_name UDM field.
|
|
target.resource.resource_type |
If the events.name log field value is equal to DEVICE_BOOT_STATE_CHANGE, then the target.resource.resource_type UDM field is set to SETTING. |
url_category |
target.labels [url_category] |
|
browser_channel |
target.resource.attribute.labels [browser_channel] |
|
report_id |
target.labels [report_id] |
|
clickedThrough |
target.labels [clickedThrough] |
|
threat_type |
security_result.detection_fields [threatType] |
|
triggered_rule_info.action |
security_result.action |
If the triggered_rule_info.action log field value contains one of the following values, then the triggered_rule_info.action log field is mapped to the security_result.action UDM field:
Else, the triggered_rule_info.action log field is mapped to the security_result.rule_labels [triggeredRuleInfo_action] UDM field. |
triggered_rule_info.rule_id |
security_result.rule_id |
|
triggered_rule_info.rule_name |
security_result.rule_name |
|
triggered_rule_info.url_category |
security_result.category_details |
|
transfer_method |
additional.fields [transfer_method] |
|
extension_name |
target.resource_ancestors.name |
If the event log field value is equal to extensionTelemetryEvent, then the extension_name log field is mapped to the target.resource_ancestors.name UDM field. |
extension_id |
target.resource_ancestors.product_object_id |
If the event log field value is equal to extensionTelemetryEvent, then the extension_id log field is mapped to the target.resource_ancestors.product_object_id UDM field. |
extension_version |
target.resource_ancestors.attribute.labels[extension_version] |
If the event log field value is equal to extensionTelemetryEvent, then the extension_version log field is mapped to the target.resource_ancestors.attribute.labels[extension_version] UDM field. |
extension_source |
target.resource_ancestors.attribute.labels[extension_source] |
If the event log field value is equal to extensionTelemetryEvent, then the extension_source log field is mapped to the target.resource_ancestors.attribute.labels[extension_source] UDM field. |
profile_identifier |
additional.fields[profile_identifier] |
|
extension_files_info.file_name |
target.resource_ancestors.file.names |
|
extension_files_info.file_hash.hash |
target.resource_ancestors.attribute.labels[file_hash] |
|
telemetry_event_signals.count |
target.resource.attribute.labels[count] |
|
telemetry_event_signals.tabs_api_method |
target.resource.attribute.labels[tabs_api_method] |
|
|
target.hostname |
If the telemetry_event_signals.url log field value does not match the regular expression pattern the [http:\/\/ or https:\/\/].*, then the telemetry_event_signals.url log field is mapped to the target.hostname UDM field. |
telemetry_event_signals.destination |
target.resource.attribute.labels[destination] |
|
telemetry_event_signals.source |
target.resource.attribute.labels[source] |
|
telemetry_event_signals.domain |
target.domain.name |
|
telemetry_event_signals.cookie_name |
target.resource.attribute.labels[cookie_name] |
|
telemetry_event_signals.cookie_path |
target.resource.attribute.labels[cookie_path] |
|
telemetry_event_signals.cookie_is_secure |
target.resource.attribute.labels[cookie_is_secure] |
|
telemetry_event_signals.cookie_store_id |
target.resource.attribute.labels[cookie_store_id] |
|
telemetry_event_signals.cookie_is_session |
target.resource.attribute.labels[cookie_is_session] |
|
telemetry_event_signals.connection_protocol |
network.application_protocol |
If the telemetry_event_signals.connection_protocol log field value is equal to HTTP_HTTPS, then the network.application_protocol UDM field is set to HTTP Else, If the telemetry_event_signals.connection_protocol log field value is equal to UNSPECIFIED, then the network.application_protocol UDM field is set to UNKNOWN_APPLICATION_PROTOCOLElse, the telemetry_event_signals.connection_protocol log field is mapped to the target.resource.attribute.labels UDM field. |
telemetry_event_signals.contacted_by |
target.resource.attribute.labels[contacted_by] |
Nächste Schritte
Community-Blogs zu Chrome-Protokollen:
Benötigen Sie weitere Hilfe? Antworten von Community-Mitgliedern und Google SecOps-Experten erhalten