Collect Apigee logs

This document describes how you can collect Apigee logs by enabling Google Cloud telemetry ingestion to Google Security Operations and how log fields of Apigee logs map to Google Security Operations Unified Data Model (UDM) fields.

For more information, see Data ingestion to Google Security Operations.

A typical deployment consists of Apigee logs enabled for ingestion to Google Security Operations. Each customer deployment might differ from this representation and might be more complex.

The deployment contains the following components:

  • Google Cloud: The Google Cloud services and products from which you collect logs.

  • Apigee logs: The Apigee logs that are enabled for ingestion to Google Security Operations.

  • Google Security Operations: Google Security Operations retains and analyzes the logs from Apigee.

An ingestion label identifies the parser which normalizes raw log data to structured UDM format. The information in this document applies to the parser with the GCP_APIGEE_X ingestion label.

Before you begin

  • Ensure that all systems in the deployment architecture are configured in the UTC time zone.

  • Ensure that the Old Cloud Logging policy or New Cloud Logging policy is used. For more information, see Old Cloud Logging policy.

Configure Google Cloud to ingest Apigee logs

To ingest Apigee logs to Google Security Operations, follow the steps on the Ingest Google Cloud logs to Google Security Operations page.

If you encounter issues when you ingest Apigee logs, contact Google Security Operations support.

Field mapping reference

Field mapping reference: GCP_APIGEE_X Old Cloud Logging policy logs

The following table lists the log fields of the GCP_APIGEE_X Old Cloud Logging policy log type and their corresponding UDM fields.

Log field UDM mapping Logic
intermediary.resource.resource_type If the jsonPayload.apiproxy log field value is not empty or the jsonPayload.apiProxy log field value is not empty, then the intermediary.resource.resource_type UDM field is set to BACKEND_SERVICE.
intermediary.resource.attribute.cloud.environment If the jsonPayload.apiproxy log field value is not empty or the jsonPayload.apiProxy log field value is not empty, then the intermediary.resource.attribute.cloud.environment UDM field is set to GOOGLE_CLOUD_PLATFORM.
metadata.event_type The metadata.event_type UDM field is set to USER_RESOURCE_ACCESS.
metadata.product_name The metadata.product_name UDM field is set to GCP APIGEE X.
metadata.vendor_name The metadata.vendor_name UDM field is set to Google Cloud Platform.
principal.resource.resource_type If the resource.type log field value is equal to gce_instance, then the principal.resource.resource_type UDM field is set to VIRTUAL_MACHINE.
principal.resource_ancestors.resource_type If the resource.labels.project_id log field value is not empty, then the principal.resource_ancestors.resource_type UDM field is set to CLOUD_PROJECT.
principal.resource_ancestors.resource_type If the jsonPayload.organization log field value is not empty, then the principal.resource_ancestors.resource_type UDM field is set to CLOUD_ORGANIZATION.
target.resource.resource_type If the jsonPayload.requestUri log field value is not empty, then the target.resource.resource_type UDM field is set to BACKEND_SERVICE.
insertId metadata.product_log_id
jsonPayload.apiProduct intermediary.resource.attribute.labels[json_payload_api_product]
jsonPayload.apiProxy intermediary.resource.name
jsonPayload.apiproxy intermediary.resource.name
jsonPayload.apiProxyRevision intermediary.resource.attribute.labels[json_payload_api_proxy_revision]
jsonPayload.ax_resolved_client_ip principal.ip
jsonPayload.bot_reason additional.fields[json_payload_bot_reason]
jsonPayload.clientId principal.user.userid
jsonPayload.clientReceived principal.resource.attribute.labels[json_payload_client_received]
jsonPayload.clientSent principal.resource.attribute.labels[json_payload_client_sent]
jsonPayload.correlationId metadata.product_event_type
jsonPayload.count_distinct_bot additional.fields[json_payload_count_distinct_bot]
jsonPayload.developerApp additional.fields[json_payload_developer_app]
jsonPayload.developerId additional.fields[json_payload_developer_id]
jsonPayload.environment additional.fields[json_payload_environment]
jsonPayload.faultName security_result.description
jsonPayload.minute additional.fields[json_payload_minute]
jsonPayload.organization principal.resource_ancestors.name
jsonPayload.proxyRequestReceived intermediary.resource.attribute.labels[json_payload_proxy_request_received]
jsonPayload.proxyResponseCode intermediary.network.http.response_code
jsonPayload.proxyResponseSent intermediary.resource.attribute.labels[json_payload_proxy_response_sent]
jsonPayload.requestUri target.resource.name
jsonPayload.requestUrl target.url
jsonPayload.sum_bot_traffic additional.fields[json_payload_sum_bot_traffic]
jsonPayload.targetRequestSent target.resource.attribute.labels[json_payload_target_request_sent]
jsonPayload.targetResponseCode target.network.http.response_code
jsonPayload.targetResponseReceived target.resource.attribute.labels[json_payload_target_request_received]
jsonPayload.verb network.http.method
labels.application principal.application
logName principal.resource.attribute.labels[Log Name]
logName security_result.category_details
partialSuccess additional.fields[partial_success]
receiveTimestamp metadata.collected_timestamp
resource.labels.instance_id principal.resource.product_object_id
resource.labels.project_id principal.resource_ancestors.product_object_id
resource.labels.project_id principal.resource.attribute.labels[Project Id]
resource.labels.zone principal.resource.attribute.cloud.availability_zone
resource.type principal.resource.resource_subtype
severity security_result.severity If the severity log field value is equal to ERROR, then the severity log field is mapped to the security_result.severity UDM field. Else, if the severity log field value is equal to INFO or NOTICE, then the security_result.severity UDM field is set to INFORMATIONAL. Else, if the severity log field value is equal to WARNING or NOTICE, then the security_result.severity UDM field is set to MEDIUM.
severity security_result.severity_details
timestamp metadata.event_timestamp
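
The conditional rows of the table above, sketched as an added Python example (not Google's parser and not code from the original page). It covers a subset of rows, represents UDM as a flat dict keyed by field path (an assumption), and runs on a constructed log entry; because the severity logic is an else-if chain, NOTICE resolves to INFORMATIONAL and never reaches the MEDIUM branch.

```python
"""Sketch of the GCP_APIGEE_X Old Cloud Logging policy mapping (added example)."""

# Direct log-field -> UDM-field rows copied from the table (a subset).
DIRECT_ROWS = [
    ("insertId", "metadata.product_log_id"),
    ("jsonPayload.ax_resolved_client_ip", "principal.ip"),
    ("jsonPayload.clientId", "principal.user.userid"),
    ("jsonPayload.correlationId", "metadata.product_event_type"),
    ("jsonPayload.faultName", "security_result.description"),
    ("jsonPayload.proxyResponseCode", "intermediary.network.http.response_code"),
    ("jsonPayload.requestUri", "target.resource.name"),
    ("jsonPayload.requestUrl", "target.url"),
    ("jsonPayload.targetResponseCode", "target.network.http.response_code"),
    ("jsonPayload.verb", "network.http.method"),
    ("labels.application", "principal.application"),
    ("resource.type", "principal.resource.resource_subtype"),
    ("severity", "security_result.severity_details"),
    ("timestamp", "metadata.event_timestamp"),
]

# Constructed sample entry (not a real log); all values are placeholders.
SAMPLE_ENTRY = {
    "insertId": "constructed-insert-id-1",
    "severity": "NOTICE",
    "timestamp": "2024-01-01T00:00:00Z",
    "resource": {"type": "gce_instance",
                 "labels": {"project_id": "example-project"}},
    "jsonPayload": {
        "apiProxy": "example-proxy",
        "organization": "example-org",
        "ax_resolved_client_ip": "203.0.113.10",
        "clientId": "constructed-client-id",
        "verb": "GET",
        "requestUri": "/orders/42",
        "proxyResponseCode": 401,
        "faultName": "ExampleFault",
    },
}


def lookup(entry, dotted):
    """Return the value at a dotted path, or None if missing or empty."""
    node = entry
    for key in dotted.split("."):
        if not isinstance(node, dict) or key not in node:
            return None
        node = node[key]
    return None if node in ("", None) else node


def map_severity(severity):
    """Severity logic in the order the table states it (first match wins)."""
    if severity == "ERROR":
        return "ERROR"
    if severity in ("INFO", "NOTICE"):
        return "INFORMATIONAL"
    if severity in ("WARNING", "NOTICE"):  # NOTICE is already handled above
        return "MEDIUM"
    return None  # the table defines no mapping for other values


def normalize(entry):
    """Apply the constant, direct and conditional rows to one log entry."""
    udm = {
        "metadata.event_type": "USER_RESOURCE_ACCESS",
        "metadata.product_name": "GCP APIGEE X",
        "metadata.vendor_name": "Google Cloud Platform",
    }
    for log_field, udm_field in DIRECT_ROWS:
        value = lookup(entry, log_field)
        if value is not None:
            udm[udm_field] = value

    # Either spelling of the proxy field populates the intermediary resource.
    proxy = lookup(entry, "jsonPayload.apiproxy") or lookup(entry, "jsonPayload.apiProxy")
    if proxy:
        udm["intermediary.resource.name"] = proxy
        udm["intermediary.resource.resource_type"] = "BACKEND_SERVICE"
        udm["intermediary.resource.attribute.cloud.environment"] = "GOOGLE_CLOUD_PLATFORM"
    if lookup(entry, "resource.type") == "gce_instance":
        udm["principal.resource.resource_type"] = "VIRTUAL_MACHINE"
    if "target.resource.name" in udm:  # jsonPayload.requestUri was not empty
        udm["target.resource.resource_type"] = "BACKEND_SERVICE"

    # resource_ancestors is repeated: one entry per project / organization.
    ancestors = []
    project = lookup(entry, "resource.labels.project_id")
    if project:
        ancestors.append({"product_object_id": project, "resource_type": "CLOUD_PROJECT"})
    org = lookup(entry, "jsonPayload.organization")
    if org:
        ancestors.append({"name": org, "resource_type": "CLOUD_ORGANIZATION"})
    if ancestors:
        udm["principal.resource_ancestors"] = ancestors

    severity = map_severity(lookup(entry, "severity"))
    if severity:
        udm["security_result.severity"] = severity
    return udm


if __name__ == "__main__":
    for field, value in sorted(normalize(SAMPLE_ENTRY).items()):
        print(f"{field} = {value!r}")
```

When writing detections, filter on security_result.severity_details if you need the raw Cloud Logging severity, since several raw values collapse into one normalized value.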

Field mapping reference: GCP_APIGEE_X New Cloud Logging policy logs

The following table lists the log fields of the GCP_APIGEE_X New Cloud Logging policy log type and their corresponding UDM fields.

Log field UDM mapping Logic
target.resource.resource_type If the jsonPayload.request.uri log field value is not empty, then the target.resource.resource_type UDM field is set to BACKEND_SERVICE.
target.resource_ancestors.resource_type If the jsonPayload.target.organization log field value is not empty or the jsonPayload.log.organization log field value is not empty, then the target.resource_ancestors.resource_type UDM field is set to CLOUD_ORGANIZATION.
principal.resource.resource_type If the resource.type log field value is equal to gce_instance, then the principal.resource.resource_type UDM field is set to VIRTUAL_MACHINE.
principal.resource_ancestors.resource_type If the resource.labels.project_id log field value is not empty, then the principal.resource_ancestors.resource_type UDM field is set to CLOUD_PROJECT.
principal.resource_ancestors.resource_type If the jsonPayload.client.organization log field value is not empty, then the principal.resource_ancestors.resource_type UDM field is set to CLOUD_ORGANIZATION.
principal.resource_ancestors.resource_type If the jsonPayload.organization.name log field value is not empty, then the principal.resource_ancestors.resource_type UDM field is set to CLOUD_ORGANIZATION.
intermediary.resource_ancestors.resource_type If the jsonPayload.system.pod.name log field value is not empty, then the intermediary.resource_ancestors.resource_type UDM field is set to POD.
insertId metadata.product_log_id
jsonPayload.apigee.metrics.policy..timeTaken security_result.rule_labels[apigee_metrics_policy_time_taken]
jsonPayload.apigee.metrics.policy.policy_name.timeTaken security_result.rule_labels[apigee_metrics_policy_policy_name_timeTaken]
jsonPayload.apiproduct.name intermediary.resource.attribute.labels[jsonPayload_api_product_name]
jsonPayload.apiproduct.operation intermediary.resource.attribute.labels[api_product_operation]
jsonPayload.apiproduct.operation.attributes.key_name intermediary.resource.attribute.labels[api_product_operation_attributes_key_name]
jsonPayload.apiproduct.operation.methods intermediary.resource.attribute.labels[api_product_operation_methods]
jsonPayload.apiproduct.operation.resource intermediary.resource.attribute.labels[api_product_operation_resource]
jsonPayload.apiproxy.basepath intermediary.resource.attribute.labels[json_payload_api_proxy_basepath]
jsonPayload.app.name target.application
jsonPayload.cachehit additional.fields[jsonPayload_cachehit]
jsonPayload.client.cn principal.resource.attribute.labels[json_payload_client_cn]
jsonPayload.client.country principal.location.country_or_region
jsonPayload.client.email.address principal.email
jsonPayload.client.host principal.ip
jsonPayload.client.ip principal.ip
jsonPayload.client.locality principal.location.city
jsonPayload.client.organization principal.resource_ancestors.name
jsonPayload.client.organization.unit principal.resource_ancestors.attribute.labels[client_organization_unit]
jsonPayload.client.port principal.port
jsonPayload.client.received.end.time principal.resource.attribute.labels[client_received_end_time]
jsonPayload.client.received.end.timestamp principal.resource.attribute.labels[client end timestamp]
jsonPayload.client.received.start.time principal.resource.attribute.labels[client_received_start_time]
jsonPayload.client.received.start.timestamp principal.resource.attribute.labels[client_received_start_timestamp]
jsonPayload.client.scheme principal.network.application_protocol
jsonPayload.client.sent.end.time principal.resource.attribute.labels[client_sent_end_time]
jsonPayload.client.sent.end.timestamp principal.resource.attribute.labels[client sent end timestamp]
jsonPayload.client.sent.start.time principal.resource.attribute.labels[client_sent_start_time]
jsonPayload.client.sent.start.timestamp principal.resource.attribute.labels[json_payload_client_sent_start_timestamp]
jsonPayload.client.ssl.enabled principal.resource.attribute.labels[client_ssl_enabled]
jsonPayload.client.state principal.resource.attribute.labels[client_state]
jsonPayload.current.flow.description additional.fields[current_flow_description]
jsonPayload.current.flow.name additional.fields[current_flow_name]
jsonPayload.developer.app.name target.application
jsonPayload.developer.email target.user.email_addresses
jsonPayload.environment.name additional.fields[environment_name]
jsonPayload.error security_result.about.resource.attribute.labels[jsonPayload_error]
jsonPayload.error.content security_result.about.resource.attribute.labels[error_content]
jsonPayload.error.header.header_name security_result.about.resource.attribute.labels[error_header_name]
jsonPayload.error.message security_result.about.resource.attribute.labels[message]
jsonPayload.error.reason.phrase security_result.about.resource.attribute.labels[jsonPayload_error_reason_phrase]
jsonPayload.error.state security_result.about.resource.attribute.labels[state]
jsonPayload.error.status.code security_result.about.resource.attribute.labels[jsonPayload_error_status_code]
jsonPayload.error.transport.message security_result.about.resource.attribute.labels[jsonPayload_error_transport_message]
jsonPayload.fault.category security_result.category_details
jsonPayload.fault.name security_result.about.resource.attribute.labels[fault_name]
jsonPayload.fault.reason security_result.about.resource.attribute.labels[fault_reason] If the jsonPayload.error.faultReason log field value is empty, then the jsonPayload.fault.reason log field is mapped to the security_result.description UDM field. Else, the jsonPayload.fault.reason log field is mapped to the security_result.about.resource.attribute.labels.fault_reason UDM field.
jsonPayload.fault.subcategory security_result.category_details
jsonPayload.graphql additional.fields[graphql]
jsonPayload.graphql.fragment additional.fields[graphql_fragment]
jsonPayload.graphql.fragment.count additional.fields[graphql_fragment_count]
jsonPayload.graphql.fragment.INDEX.selectionSet.count additional.fields[graphql_fragment_INDEX_selectionSet_count]
jsonPayload.graphql.fragment.INDEX.selectionSet.INDEX additional.fields[graphql_fragment_INDEX_selectionSet_INDEX]
jsonPayload.graphql.fragment.INDEX.selectionSet.INDEX.name additional.fields[graphql_fragment_INDEX_selectionSet_INDEX_name]
jsonPayload.graphql.fragment.INDEX.selectionSet.name additional.fields[graphql_fragment_INDEX_selectionSet_name]
jsonPayload.graphql.operation additional.fields[graphql_operation]
jsonPayload.graphql.operation.name additional.fields[graphql_operation_name]
jsonPayload.graphql.operation.operationType additional.fields[graphql_operation_operationType]
jsonPayload.graphql.operation.selectionSet additional.fields[graphql_operation_selectionSet]
jsonPayload.graphql.operation.selectionSet.count additional.fields[graphql_operation_selectionSet_count]
jsonPayload.graphql.operation.selectionSet.INDEX additional.fields[graphql_operation_selectionSet_INDEX]
jsonPayload.graphql.operation.selectionSet.INDEX.[selectionSet] additional.fields[graphql_operation_selectionSet_INDEX_selectionSet]
jsonPayload.graphql.operation.selectionSet.INDEX.directive additional.fields[graphql_operation_selectionSet_INDEX_directive]
jsonPayload.graphql.operation.selectionSet.INDEX.directive.count additional.fields[graphql_operation_selectionSet_INDEX_directive_count]
jsonPayload.graphql.operation.selectionSet.INDEX.directive.INDEX additional.fields[graphql_operation_selectionSet_INDEX_directive_INDEX]
jsonPayload.graphql.operation.selectionSet.INDEX.directive.INDEX.argument.INDEX additional.fields[graphql_operation_selectionSet_INDEX_directive_INDEX_argument_INDEX]
jsonPayload.graphql.operation.selectionSet.INDEX.directive.INDEX.argument.INDEX.name additional.fields[graphql_operation_selectionSet_INDEX_directive_INDEX_argument_INDEX_name]
jsonPayload.graphql.operation.selectionSet.INDEX.directive.INDEX.argument.INDEX.value additional.fields[graphql_operation_selectionSet_INDEX_directive_INDEX_argument_INDEX_value]
jsonPayload.graphql.operation.selectionSet.INDEX.directive.name additional.fields[graphql_operation_selectionSet_INDEX_directive_name]
jsonPayload.graphql.operation.selectionSet.INDEX.name additional.fields[graphql_operation_selectionSet_INDEX_name]
jsonPayload.graphql.operation.selectionSet.name additional.fields[graphql_operation_selectionSet_name]
jsonPayload.graphql.operation.variableDefinitions additional.fields[graphql_operation_variableDefinitions]
jsonPayload.graphql.operation.variableDefinitions.count additional.fields[graphql_operation_variableDefinitions_count]
jsonPayload.graphql.operation.variableDefinitions.INDEX additional.fields[graphql_operation_variableDefinitions_INDEX]
jsonPayload.graphql.operation.variableDefinitions.INDEX.name additional.fields[graphql_operation_variableDefinitions_INDEX_name]
jsonPayload.graphql.operation.variableDefinitions.INDEX.type additional.fields[graphql_operation_variableDefinitions_INDEX_type]
jsonPayload.is.error security_result.about.resource.attribute.labels[is_error]
jsonPayload.literal_value additional.fields[jsonPayload_literal_value]
jsonPayload.loadbalancing.failedservers intermediary.resource.attribute.labels[loadbalancing_failed_servers]
jsonPayload.loadbalancing.isfallback intermediary.resource.attribute.labels[loadbalancing_is_fallback]
jsonPayload.loadbalancing.targetserver intermediary.resource.attribute.labels[loadbalancing_target_server]
jsonPayload.log.organization target.resource_ancestors.name
jsonPayload.log.origin_address principal.ip
jsonPayload.log.proxy_basepath intermediary.resource.attribute.labels[pathsuffix]
jsonPayload.log.sni_host target.hostname
jsonPayload.log.sni_host target.asset.hostname
jsonPayload.log.status network.http.response_code
jsonPayload.message additional.fields[jsonPayload_message]
jsonPayload.message.content additional.fields[message_content]
jsonPayload.message.formparam.param_name additional.fields[message_formparam_param_name]
jsonPayload.message.formparam.param_name.values additional.fields[message_formparam_param_name_values]
jsonPayload.message.formparam.param_name.values.count additional.fields[message_formparam_param_name_values_count]
jsonPayload.message.formparams.count additional.fields[message_formparams_count]
jsonPayload.message.formparams.names additional.fields[message_formparams_names]
jsonPayload.message.formstring additional.fields[message_formstring]
jsonPayload.message.header.header_name additional.fields[message_header_header_name]
jsonPayload.message.header.header_name.N additional.fields[message_header_header_name_N]
jsonPayload.message.header.header_name.values additional.fields[message_header_header_name_values]
jsonPayload.message.header.header_name.values.count additional.fields[message_header_header_name_values_count]
jsonPayload.message.header.header_name.values.string additional.fields[message_header_header_name_values_string]
jsonPayload.message.headers.count additional.fields[message_headers_count]
jsonPayload.message.headers.names additional.fields[message_headers_names]
jsonPayload.message.path additional.fields[message_path]
jsonPayload.message.queryparam.param_name additional.fields[message_queryparam_param_name]
jsonPayload.message.queryparam.param_name.N additional.fields[message_queryparam_param_name_N]
jsonPayload.message.queryparam.param_name.values additional.fields[message_queryparam_param_name_values]
jsonPayload.message.queryparam.param_name.values.count additional.fields[message_queryparam_param_name_values_count]
jsonPayload.message.queryparams.count additional.fields[message_queryparams_count]
jsonPayload.message.queryparams.names additional.fields[message_queryparams_names]
jsonPayload.message.querystring additional.fields[message_querystring]
jsonPayload.message.status.code additional.fields[message_status_code]
jsonPayload.message.transport.message additional.fields[message_transport_message]
jsonPayload.message.uri additional.fields[message_uri]
jsonPayload.message.verb additional.fields[message_verb]
jsonPayload.message.version additional.fields[message_version]
jsonPayload.messageid metadata.product_event_type
jsonPayload.mint.limitscheck.is_request_blocked additional.fields[mint_limitscheck_is_request_blocked]
jsonPayload.mint.limitscheck.is_subscription_found additional.fields[mint_limitscheck_is_subscription_found]
jsonPayload.mint.limitscheck.prepaid_developer_balance additional.fields[mint_limitscheck_prepaid_developer_balance]
jsonPayload.mint.limitscheck.prepaid_developer_currency additional.fields[mint_limitscheck_prepaid_developer_currency]
jsonPayload.mint.limitscheck.purchased_product_name additional.fields[mint_limitscheck_purchased_product_name]
jsonPayload.mint.limitscheck.status_message additional.fields[mint_limitscheck_status_message]
jsonPayload.mint.mintng_consumption_pricing_rates additional.fields[mint_mintng_consumption_pricing_rates]
jsonPayload.mint.mintng_consumption_pricing_type additional.fields[mint_mintng_consumption_pricing_type]
jsonPayload.mint.mintng_currency additional.fields[mint_mintng_currency]
jsonPayload.mint.mintng_dev_share additional.fields[mint_mintng_dev_share]
jsonPayload.mint.mintng_is_apiproduct_monetized additional.fields[mint_mintng_is_apiproduct_monetized]
jsonPayload.mint.mintng_price additional.fields[mint_mintng_price]
jsonPayload.mint.mintng_price_multiplier additional.fields[mint_mintng_price_multiplier]
jsonPayload.mint.mintng_rate additional.fields[mint_mintng_rate]
jsonPayload.mint.mintng_rate_before_multipliers additional.fields[mint_mintng_rate_before_multipliers]
jsonPayload.mint.mintng_rate_plan_id additional.fields[mint_mintng_rate_plan_id]
jsonPayload.mint.mintng_revenue_share_rates additional.fields[mint_mintng_revenue_share_rates]
jsonPayload.mint.mintng_revenue_share_type additional.fields[mint_mintng_revenue_share_type]
jsonPayload.mint.mintng_tx_success additional.fields[mint_mintng_tx_success]
jsonPayload.mint.prepaid_updated_developer_usage additional.fields[mint_prepaid_updated_developer_usage]
jsonPayload.mint.rateplan_end_time_ms additional.fields[mint_rateplan_end_time_ms]
jsonPayload.mint.rateplan_start_time_ms additional.fields[mint_rateplan_start_time_ms]
jsonPayload.mint.status additional.fields[mint_status]
jsonPayload.mint.status_code additional.fields[mint_status_code]
jsonPayload.mint.subscription_end_time_ms additional.fields[mint_subscription_end_time_ms]
jsonPayload.mint.subscription_start_time_ms additional.fields[mint_subscription_start_time_ms]
jsonPayload.mint.tx_success_result additional.fields[mint_tx_success_result]
jsonPayload.organization.name principal.resource_ancestors.name
jsonPayload.proxy intermediary.resource.attribute.labels[proxy]
jsonPayload.proxy.basepath intermediary.resource.attribute.labels[proxy_basepath]
jsonPayload.proxy.client.ip src.ip
jsonPayload.proxy.name intermediary.resource.name
jsonPayload.proxy.pathsuffix intermediary.resource.attribute.labels[pathsuffix]
jsonPayload.proxy.proxyendpoint.name intermediary.resource.attribute.labels[proxy_endpoint_name]
jsonPayload.proxy.revision intermediary.resource.attribute.labels[json_payload_proxy_revision]
jsonPayload.proxy.url intermediary.url
jsonPayload.publishmessage.message.id additional.fields[publishmessage_message_id]
jsonPayload.ratelimit.policy_name.allowed.count security_result.rule_labels[ratelimit_policy_name_allowed_count]
jsonPayload.ratelimit.policy_name.available.count security_result.rule_labels[ratelimit_policy_name_available_count]
jsonPayload.ratelimit.policy_name.class security_result.rule_labels[ratelimit_policy_name_class]
jsonPayload.ratelimit.policy_name.class.allowed.count security_result.rule_labels[ratelimit_policy_name_class_allowed_count]
jsonPayload.ratelimit.policy_name.class.available.count security_result.rule_labels[ratelimit_policy_name_class_available_count]
jsonPayload.ratelimit.policy_name.class.exceed.count security_result.rule_labels[ratelimit_policy_name_class_exceed_count]
jsonPayload.ratelimit.policy_name.class.total.exceed.count security_result.rule_labels[ratelimit_policy_name_class_total_exceed_count]
jsonPayload.ratelimit.policy_name.class.used.count security_result.rule_labels[ratelimit_policy_name_class_used_count]
jsonPayload.ratelimit.policy_name.exceed.count security_result.rule_labels[ratelimit_policy_name_exceed_count]
jsonPayload.ratelimit.policy_name.expiry.time security_result.rule_labels[ratelimit_policy_name_expiry_time]
jsonPayload.ratelimit.policy_name.failed security_result.rule_labels[ratelimit_policy_name_failed]
jsonPayload.ratelimit.policy_name.identifier security_result.rule_id
jsonPayload.ratelimit.policy_name.total.exceed.count security_result.rule_labels[ratelimit_policy_name_total_exceed_count]
jsonPayload.ratelimit.policy_name.used.count security_result.rule_labels[ratelimit_policy_name_used_count]
jsonPayload.request target.resource.attribute.labels[request]
jsonPayload.request_msg.header.host target.resource.attribute.labels[json_payload_request_host]
jsonPayload.request.content target.resource.attribute.labels[json_payload_request_content]
jsonPayload.request.formparam.param_name target.resource.attribute.labels[json_payload_request_form_param_name]
jsonPayload.request.formparam.param_name.N target.resource.attribute.labels[request_formparam_name_N]
jsonPayload.request.formparam.param_name.values target.resource.attribute.labels[json_payload_request_form_param_name_values]
jsonPayload.request.formparam.param_name.values.count target.resource.attribute.labels[request_formparam_name_values_count]
jsonPayload.request.formparams.count target.resource.attribute.labels[json_payload_request_form_params_count]
jsonPayload.request.formparams.names target.resource.attribute.labels[json_payload_request_form_params_names]
jsonPayload.request.formstring target.resource.attribute.labels[json_payload_request_form_string]
jsonPayload.request.grpc.rpc.name target.resource.attribute.labels[request_grpc_rpc_name]
jsonPayload.request.grpc.service.name target.resource.attribute.labels[request_grpc_service_name]
jsonPayload.request.header.header_name target.resource.attribute.labels[json_payload_request_header_name]
jsonPayload.request.header.header_name.N target.resource.attribute.labels[request_header_name_N]
jsonPayload.request.header.header_name.values target.resource.attribute.labels[request_header_name_values]
jsonPayload.request.header.header_name.values.count target.resource.attribute.labels[request_header_name_values_count]
jsonPayload.request.header.header_name.values.string target.resource.attribute.labels[request_header_name_values_string]
jsonPayload.request.header.user-agent network.http.user_agent
jsonPayload.request.header.x-b3-traceid target.resource.attribute.labels[json_payload_request_x_b3_traceid]
jsonPayload.request.header.x-cloud-trace-context target.resource.attribute.labels[json_payload_request_x_cloud_trace_context]
jsonPayload.request.headers.count target.resource.attribute.labels[request_headers_count]
jsonPayload.request.headers.names target.resource.attribute.labels[request_headers_names]
jsonPayload.request.host target.resource.attribute.labels[json_payload_request_host]
jsonPayload.request.httpversion target.resource.attribute.labels[json_payload_request_version]
jsonPayload.request.path target.resource.attribute.labels[json_payload_request_path]
jsonPayload.request.queryparam.param_name target.resource.attribute.labels[json_payload_request_queryparams_param_name]
jsonPayload.request.queryparam.param_name.N target.resource.attribute.labels[request_queryparam_name_N]
jsonPayload.request.queryparam.param_name.values target.resource.attribute.labels[json_payload_request_queryparams_param_values]
jsonPayload.request.queryparam.param_name.values.count target.resource.attribute.labels[request_queryparam_name_values_count]
jsonPayload.request.queryparams.count target.resource.attribute.labels[json_payload_request_queryparams_count]
jsonPayload.request.queryparams.names target.resource.attribute.labels[json_payload_request_queryparams_names]
jsonPayload.request.querystring target.resource.attribute.labels[json_payload_request_querystring]
jsonPayload.request.transport.message target.resource.attribute.labels[request_transport_message]
jsonPayload.request.transportid target.resource.attribute.labels[json_payload_request_transport_id]
jsonPayload.request.uri target.resource.name
jsonPayload.request.url target.resource.attribute.labels[json_payload_request_url]
jsonPayload.request.user-agent network.http.user_agent
jsonPayload.request.verb network.http.method
jsonPayload.request.version target.resource.attribute.labels[json_payload_request_version]
jsonPayload.request.x-b3-traceid target.resource.attribute.labels[json_payload_request_x_b3_traceid]
jsonPayload.request.x-cloud-trace-context target.resource.attribute.labels[json_payload_request_x_cloud_trace_context]
jsonPayload.response target.resource.attribute.labels[response]
jsonPayload.response.code network.http.response_code
jsonPayload.response.content security_result.description
jsonPayload.response.header.header_name target.resource.attribute.labels[response_header_name]
jsonPayload.response.header.header_name.N target.resource.attribute.labels[response_header_name_N]
jsonPayload.response.header.header_name.values target.resource.attribute.labels[response_header_name_values]
jsonPayload.response.header.header_name.values.count target.resource.attribute.labels[response_header_name_values_count]
jsonPayload.response.header.header_name.values.string target.resource.attribute.labels[response_header_name_values_string]
jsonPayload.response.headers.count target.resource.attribute.labels[response_headers_count]
jsonPayload.response.headers.names target.resource.attribute.labels[response_headers_names]
jsonPayload.response.reason security_result.summary
jsonPayload.response.reason.phrase security_result.summary
jsonPayload.response.status.code network.http.response_code
jsonPayload.response.transport.message target.resource.attribute.labels[response_transport_message]
jsonPayload.system.interface.interface_name intermediary.ip
jsonPayload.system.pod.name intermediary.resource_ancestors.name
jsonPayload.system.region.name intermediary.location.country_or_region
jsonPayload.system.time intermediary.resource.attribute.labels[system_time]
jsonPayload.system.time.day intermediary.resource.attribute.labels[system_time_day]
jsonPayload.system.time.dayofweek intermediary.resource.attribute.labels[system_time_dayofweek]
jsonPayload.system.time.hour intermediary.resource.attribute.labels[system_time_hour]
jsonPayload.system.time.millisecond intermediary.resource.attribute.labels[system_time_millisecond]
jsonPayload.system.time.minute intermediary.resource.attribute.labels[system_time_minute]
jsonPayload.system.time.month intermediary.resource.attribute.labels[system_time_month]
jsonPayload.system.time.second intermediary.resource.attribute.labels[system_time_second]
jsonPayload.system.time.year intermediary.resource.attribute.labels[system_time_year]
jsonPayload.system.time.zone intermediary.resource.attribute.labels[system_time_zone]
jsonPayload.system.timestamp additional.fields[jsonPayload_system_timestamp]
jsonPayload.system.uuid intermediary.resource.attribute.labels[system_uuid]
jsonPayload.target.basepath target.resource.attribute.labels[basepath]
jsonPayload.target.cn target.resource.attribute.labels[json_payload_target_cn]
jsonPayload.target.copy.pathsuffix target.resource.attribute.labels[target_copy_pathsuffix]
jsonPayload.target.copy.queryparams target.resource.attribute.labels[target_copy_queryparams]
jsonPayload.target.country target.location.country_or_region
jsonPayload.target.email.address target.user.email_addresses
jsonPayload.target.expectedcn target.resource.attribute.labels[target_expectedcn]
jsonPayload.target.host target.hostname
jsonPayload.target.host target.asset.hostname
jsonPayload.target.ip target.ip
jsonPayload.target.locality target.location.city
jsonPayload.target.name target.resource.attribute.labels[target_name]
jsonPayload.target.organization target.resource_ancestors.name
jsonPayload.target.organization.unit target.resource_ancestors.attribute.labels[json_payload_target_organization_unit]
jsonPayload.target.port target.port
jsonPayload.target.received.end.time target.resource.attribute.labels[target_received_end_time]
jsonPayload.target.received.start.time target.resource.attribute.labels[target_received_start_time]
jsonPayload.target.received.start.timestamp target.resource.attribute.labels[target_received_start_timestamp]
jsonPayload.target.scheme target.network.application_protocol
jsonPayload.target.sent.end.time target.resource.attribute.labels[target_sent_end_time]
jsonPayload.target.sent.end.timestamp target.resource.attribute.labels[json_payload_target_sent_end_timestamp]
jsonPayload.target.sent.start.time target.resource.attribute.labels[target_sent_start_time]
jsonPayload.target.sent.start.timestamp target.resource.attribute.labels[json_payload_target_sent_start_timestamp]
jsonPayload.target.ssl.enabled target.resource.attribute.labels[target_ssl_enabled]
jsonPayload.target.state target.resource.attribute.labels[target_state]
jsonPayload.target.url target.url
jsonPayload.url target.url
jsonPayload.variable.expectedcn additional.fields[variable_expectedcn]
logName security_result.category_details
logName principal.resource.attribute.labels[Log Name]
receiveTimestamp metadata.collected_timestamp
resource.labels.instance_id principal.resource.product_object_id
resource.labels.project_id principal.resource_ancestors.product_object_id
resource.labels.zone principal.resource.attribute.cloud.availability_zone
resource.type principal.resource.resource_subtype
severity security_result.severity If the severity log field value is equal to ERROR, then the severity log field is mapped to the security_result.severity UDM field.
severity security_result.severity_details
timestamp metadata.event_timestamp
