Google Cloud Load Balancing 로그 수집
이 문서에서는 Google Security Operations에 대해 Google Cloud 원격 분석 수집을 사용 설정하여 Google Cloud Load Balancing 로그를 수집하는 방법과 로그 필드가 Google Security Operations 통합 데이터 모델(UDM) 필드에 매핑되는 방식을 설명합니다. 이 문서에서는 지원되는 Google Cloud Load Balancing 버전도 보여줍니다.
자세한 내용은 Google Security Operations에 데이터 수집을 참조하세요.
일반적인 배포는 Google Security Operations에 대한 수집을 위해 사용 설정된 Google Cloud Load Balancing 로그로 구성됩니다. 각 고객 배포는 이 표현과 다를 수 있고 더 복잡할 수 있습니다.
배포에는 다음 구성요소가 포함됩니다.
Google Cloud: 로그를 수집하는 Google Cloud 서비스 및 제품입니다.
Google Cloud Load Balancing 로그: Google Security Operations에 수집을 위해 사용 설정된 Google Cloud Load Balancing 로그입니다.
Google Security Operations: Google Security Operations에서는 Google Cloud Load Balancing의 로그를 보관하고 분석합니다.
수집 라벨은 원시 로그 데이터를 구조화된 UDM 형식으로 정규화하는 파서를 식별합니다. 이 문서의 정보는 GCP_LOADBALANCING 수집 라벨이 있는 파서에 적용됩니다.
시작하기 전에
Google Cloud Load Balancing 버전 1을 사용 중이어야 합니다.
배포 아키텍처의 모든 시스템이 UTC 시간대로 구성되었는지 확인합니다.
Google Cloud Load Balancing 로그를 수집하도록 Google Cloud 구성
Google Cloud Load Balancing 로그를 Google Security Operations에 수집하려면 Google Security Operations에 Google Cloud 로그 수집 페이지의 단계를 따르세요.
Google Cloud Load Balancing 로그를 수집할 때 문제가 발생하면 Google Security Operations 지원팀에 문의하세요.
필드 매핑 참조
이 섹션에서는 Google Security Operations 파서가 Cloud Load Balancing 필드를 Google Security Operations 통합 데이터 모델(UDM) 필드에 매핑하는 방법을 설명합니다.
필드 매핑 참조: GCP_LOADBALANCING 로그 필드에서 UDM 필드로
다음 표에는 GCP_LOADBALANCING 로그 유형의 로그 필드와 해당 UDM 필드가 나와 있습니다.
| Log field | UDM mapping | Logic |
|---|---|---|
receiveTimestamp |
metadata.collected_timestamp |
|
timestamp |
metadata.event_timestamp |
|
|
metadata.event_type |
If the following values are not empty, then the metadata.event_type UDM field is set to NETWORK_CONNECTION.
Else, if the following values are not empty, then the metadata.event_type UDM field is set to STATUS_UNCATEGORIZED.
Else, the metadata.event_type UDM field is set to GENERIC_EVENT. |
logName |
metadata.product_event_type |
|
insertId |
metadata.product_log_id |
|
|
metadata.vendor_name |
The metadata.vendor_name UDM field is set to Google Cloud Platform. |
httpRequest.protocol |
network.application_protocol |
If the httpRequest.requestUrl log field value matches the regular expression https or the httpRequest.protocol log field value matches the regular expression HTTPS, then the network.application_protocol UDM field is set to HTTPS.Else, if the httpRequest.requestUrl log field value matches the regular expression http or the httpRequest.protocol log field value matches the regular expression HTTP, then the network.application_protocol UDM field is set to HTTP. |
jsonPayload.clientLocation.asn |
network.asn |
|
httpRequest.requestMethod |
network.http.method |
|
httpRequest.referer |
network.http.referral_url |
|
httpRequest.status |
network.http.response_code |
|
httpRequest.userAgent |
network.http.user_agent |
|
jsonPayload.connection.protocol |
network.ip_protocol |
If the jsonPayload.connection.protocol log field value is equal to 0, then the network.ip_protocol UDM field is set to UNKNOWN_IP_PROTOCOL.Else, if the jsonPayload.connection.protocol log field value is equal to 1, then the network.ip_protocol UDM field is set to ICMP.Else, if the jsonPayload.connection.protocol log field value is equal to 2, then the network.ip_protocol UDM field is set to IGMP.Else, if the jsonPayload.connection.protocol log field value is equal to 6, then the network.ip_protocol UDM field is set to TCP.Else, if the jsonPayload.connection.protocol log field value is equal to 17, then the network.ip_protocol UDM field is set to UDP.Else, if the jsonPayload.connection.protocol log field value is equal to 41, then the network.ip_protocol UDM field is set to IP6IN4.Else, if the jsonPayload.connection.protocol log field value is equal to 47, then the network.ip_protocol UDM field is set to GRE.Else, if the jsonPayload.connection.protocol log field value is equal to 50, then the network.ip_protocol UDM field is set to ESP.Else, if the jsonPayload.connection.protocol log field value is equal to 58, then the network.ip_protocol UDM field is set to ICMP6.Else, if the jsonPayload.connection.protocol log field value is equal to 88, then the network.ip_protocol UDM field is set to EIGRP.Else, if the jsonPayload.connection.protocol log field value is equal to 97, then the network.ip_protocol UDM field is set to ETHERIP.Else, if the jsonPayload.connection.protocol log field value is equal to 103, then the network.ip_protocol UDM field is set to PIM.Else, if the jsonPayload.connection.protocol log field value is equal to 112, then the network.ip_protocol UDM field is set to VRRP.Else, if the jsonPayload.connection.protocol log field value is equal to 132, then the network.ip_protocol UDM field is set to SCTP. |
httpRequest.responseSize |
network.received_bytes |
|
jsonPayload.bytesReceived |
network.received_bytes |
|
jsonPayload.packetsReceived |
network.received_packets |
|
httpRequest.requestSize |
network.sent_bytes |
|
jsonPayload.packetsSent |
network.sent_packets |
|
jsonPayload.bytesSent |
network.sent_packets |
|
jsonPayload.rtt |
network.session_duration.seconds |
Grok: Extracted sec from the log field jsonPayload.rtt and mapped it to the network.session_duration.seconds UDM field. |
jsonPayload.rtt |
network.session_duration.nanos |
Grok: Extracted nano from the log field jsonPayload.rtt and mapped it to the network.session_duration.nanos UDM field. |
jsonPayload.tls.cipher |
network.tls.cipher |
|
jsonPayload.securityPolicyRequestData.tlsJa3Fingerprint |
network.tls.client.ja3 |
|
jsonPayload.tls.protocol |
network.tls.next_protocol |
|
httpRequest.remoteIp |
principal.ip |
If the httpRequest.remoteIp log field value is not empty, then Grok: Extracted ip and port from the log field httpRequest.remoteIp and mapped it to the principal.ip and principal.port UDM field respectively.
|
jsonPayload.remoteIp |
principal.ip |
If the jsonPayload.remoteIp log field value is not empty, then Grok: Extracted ip and port from the log field jsonPayload.remoteIp and mapped it to the principal.ip and principal.port UDM field respectively.
|
jsonPayload.connection.clientIp |
principal.ip |
|
clientInstance.vmIp |
principal.ip |
|
jsonPayload.clientLocation.city |
principal.location.city |
|
jsonPayload.clientLocation.regionCode |
principal.location.country_or_region |
|
jsonPayload.securityPolicyRequestData.remoteIpInfo.regionCode |
principal.location.name |
|
jsonPayload.clientLocation.subRegion |
principal.location.state |
|
jsonPayload.connection.clientPort |
principal.port |
|
jsonPayload.clientGkeDetails.cluster.clusterLocation |
principal.resource_ancestors.attribute.cloud.availability_zone |
|
jsonPayload.clientVpc.projectId |
principal.resource_ancestors.name |
|
jsonPayload.clientVpc.vpc |
principal.resource_ancestors.name |
|
jsonPayload.clientVpc.subnetwork |
principal.resource_ancestors.name |
|
jsonPayload.clientGkeDetails.cluster.cluster |
principal.resource_ancestors.name |
|
jsonPayload.clientGkeDetails.pod.pod |
principal.resource_ancestors.name |
|
jsonPayload.clientGkeDetails.service.service |
principal.resource_ancestors.name |
|
jsonPayload.clientInstance.projectId |
principal.resource_ancestors.product_object_id |
|
|
principal.resource_ancestors.resource_subtype |
If the jsonPayload.clientVpc.projectId log field value is not empty, then the principal.resource_ancestors.resource_subtype UDM field is set to clientVpc_projectId.If the jsonPayload.clientVpc.vpc log field value is not empty, then the principal.resource_ancestors.resource_subtype UDM field is set to clientVpc_vpc.If the jsonPayload.clientVpc.subnetwork log field value is not empty, then the principal.resource_ancestors.resource_subtype UDM field is set to clientVpc_subnetwork.If the jsonPayload.clientGkeDetails.cluster.cluster log field value is not empty, then the principal.resource_ancestors.resource_subtype UDM field is set to clientGkeDetails_cluster.If the jsonPayload.clientGkeDetails.pod.pod log field value is not empty, then the principal.resource_ancestors.resource_subtype UDM field is set to clientGkeDetails_pod.If the jsonPayload.clientGkeDetails.service.service log field value is not empty, then the principal.resource_ancestors.resource_subtype UDM field is set to clientGkeDetails_service. |
|
principal.resource_ancestors.resource_type |
If the jsonPayload.clientVpc.projectId log field value is not empty, then the principal.resource_ancestors.resource_type UDM field is set to VPC_NETWORK.If the jsonPayload.clientVpc.vpc log field value is not empty, then the principal.resource_ancestors.resource_type UDM field is set to VIRTUAL_MACHINE.If the jsonPayload.clientVpc.subnetwork log field value is not empty, then the principal.resource_ancestors.resource_type UDM field is set to VIRTUAL_MACHINE.If the jsonPayload.clientGkeDetails.cluster.cluster log field value is not empty, then the principal.resource_ancestors.resource_type UDM field is set to CLUSTER.If the jsonPayload.clientGkeDetails.pod.pod log field value is not empty, then the principal.resource_ancestors.resource_type UDM field is set to VIRTUAL_MACHINE.If the jsonPayload.clientGkeDetails.service.service log field value is not empty, then the principal.resource_ancestors.resource_type UDM field is set to BACKEND_SERVICE. |
jsonPayload.clientInstance.zone |
principal.resource.attribute.cloud.availability_zone |
|
jsonPayload.clientInstance.vm |
principal.resource.name |
|
|
principal.resource.resource_subtype |
If the jsonPayload.clientInstance.vm log field value is not empty, then the principal.resource.resource_subtype UDM field is set to client_instance_vm. |
|
principal.resource.resource_type |
If the jsonPayload.clientInstance.vm log field value is not empty, then the principal.resource.resource_type UDM field is set to VIRTUAL_MACHINE. |
|
security_result.action |
If the jsonPayload.enforcedSecurityPolicy.configuredAction log field value is equal to DENY, then the security_result.action UDM field is set to BLOCK.Else, if the jsonPayload.enforcedSecurityPolicy.configuredAction log field value is equal to ALLOW, then the security_result.action UDM field is set to ALLOW.If the jsonPayload.previewSecurityPolicy.configuredAction log field value is equal to DENY, then the security_result.action UDM field is set to BLOCK.Else, if the jsonPayload.previewSecurityPolicy.configuredAction log field value is equal to ALLOW, then the security_result.action UDM field is set to ALLOW.If the jsonPayload.enforcedEdgeSecurityPolicy.configuredAction log field value is equal to DENY, then the security_result.action UDM field is set to BLOCK.Else, if the jsonPayload.enforcedEdgeSecurityPolicy.configuredAction log field value is equal to ALLOW, then the security_result.action UDM field is set to ALLOW.If the jsonPayload.previewEdgeSecurityPolicy.configuredAction log field value is equal to DENY, then the security_result.action UDM field is set to BLOCK.Else, if the jsonPayload.previewEdgeSecurityPolicy.configuredAction log field value is equal to ALLOW, then the security_result.action UDM field is set to ALLOW. |
jsonPayload.enforcedSecurityPolicy.configuredAction |
security_result.action_details |
|
jsonPayload.previewSecurityPolicy.configuredAction |
security_result.action_details |
|
jsonPayload.enforcedEdgeSecurityPolicy.configuredAction |
security_result.action_details |
|
jsonPayload.previewEdgeSecurityPolicy.configuredAction |
security_result.action_details |
|
jsonPayload.enforcedSecurityPolicy.outcome |
security_result.outcomes[jsonpayload_enforcedsecuritypolicy_outcome] |
|
jsonPayload.enforcedSecurityPolicy.priority |
security_result.priority_details |
|
jsonPayload.previewSecurityPolicy.priority |
security_result.priority_details |
|
jsonPayload.enforcedEdgeSecurityPolicy.priority |
security_result.priority_details |
|
jsonPayload.previewEdgeSecurityPolicy.priority |
security_result.priority_details |
|
jsonPayload.enforcedSecurityPolicy.name |
security_result.rule_name |
|
jsonPayload.securityPolicyRequestData.recaptchaActionToken.score |
security_result.risk_score |
If the jsonPayload.securityPolicyRequestData.recaptchaActionToken.score log field value is not empty, then the jsonPayload.securityPolicyRequestData.recaptchaActionToken.score log field is mapped to the security_result.risk_score UDM field. |
jsonPayload.securityPolicyRequestData.recaptchaSessionToken.score |
security_result.risk_score |
If the jsonPayload.securityPolicyRequestData.recaptchaSessionToken.score log field value is not empty, then the jsonPayload.securityPolicyRequestData.recaptchaSessionToken.score log field is mapped to the security_result.risk_score UDM field. |
jsonPayload.previewSecurityPolicy.name |
security_result.rule_name |
|
jsonPayload.enforcedEdgeSecurityPolicy.name |
security_result.rule_name |
|
jsonPayload.previewEdgeSecurityPolicy.name |
security_result.rule_name |
|
|
security_result.severity |
If the severity log field value matches the regular expression DEFAULT or DEBUG or INFO or NOTICE, then the security_result.severity UDM field is set to LOW.Else, if the severity log field value matches the regular expression WARNING or ERROR, then the security_result.severity UDM field is set to MEDIUM.Else, if the severity log field value matches the regular expression CRITICAL or ALERT or EMERGENCY, then the security_result.severity UDM field is set to HIGH. |
severity |
security_result.severity_details |
|
jsonPayload.statusDetails |
security_result.summary |
|
jsonPayload.proxyStatus |
security_result.summary |
|
resource.labels.backend_service_name |
target.application |
|
resource.labels.backend_name |
target.group.group_display_name |
|
resource.labels.backend_group_name |
target.group.group_display_name |
|
httpRequest.serverIp |
target.ip |
|
jsonPayload.connection.serverIp |
target.ip |
|
serverInstance.vmIp |
target.ip |
|
jsonPayload.connection.serverPort |
target.port |
|
resource.labels.backend_scope |
target.resource_ancestors.attribute.cloud.availability_zone |
If the resource.labels.backend_target_name log field value is not empty, then the resource.labels.backend_scope log field is mapped to the target.resource_ancestors.attribute.cloud.availability_zone UDM field. |
jsonPayload.serverInstance.zone |
target.resource_ancestors.attribute.cloud.availability_zone |
If the jsonPayload.serverInstance.vm log field value is not empty, then the jsonPayload.serverInstance.zone log field is mapped to the target.resource_ancestors.attribute.cloud.availability_zone UDM field. |
jsonPayload.serverGkeDetails.cluster.clusterLocation |
target.resource_ancestors.attribute.cloud.availability_zone |
If the jsonPayload.serverGkeDetails.cluster.cluster log field value is not empty, then the jsonPayload.serverGkeDetails.cluster.clusterLocation log field is mapped to the target.resource_ancestors.attribute.cloud.availability_zone UDM field. |
resource.labels.backend_zone |
target.resource_ancestors.attribute.cloud.availability_zone |
If the resource.labels.backend_zone log field value is not empty, then the resource.labels.backend_zone log field is mapped to the target.resource_ancestors.attribute.cloud.availability_zone UDM field. |
resource.labels.backend_target_name |
target.resource_ancestors.name |
|
jsonPayload.serverInstance.vm |
target.resource_ancestors.name |
|
jsonPayload.serverGkeDetails.cluster.cluster |
target.resource_ancestors.name |
|
jsonPayload.serverGkeDetails.pod.pod |
target.resource_ancestors.name |
|
jsonPayload.serverGkeDetails.service.service |
target.resource_ancestors.name |
|
resource.labels.network_name |
target.resource_ancestors.name |
|
resource.labels.project_id |
target.resource_ancestors.product_object_id |
|
jsonPayload.serverInstance.projectId |
target.resource_ancestors.product_object_id |
If the jsonPayload.serverInstance.vm log field value is not empty, then the jsonPayload.serverInstance.projectId log field is mapped to the target.resource_ancestors.product_object_id UDM field. |
resource.labels.project |
target.resource_ancestors.product_object_id |
|
resource.labels.backend_target_type |
target.resource_ancestors.resource_subtype |
If the resource.labels.backend_target_name log field value is not empty, then the resource.labels.backend_target_type log field is mapped to the target.resource_ancestors.resource_subtype UDM field.If the jsonPayload.serverInstance.vm log field value is not empty, then the target.resource_ancestors.resource_subtype UDM field is set to serverInstance_vm.If the jsonPayload.serverGkeDetails.cluster.cluster log field value is not empty, then the target.resource_ancestors.resource_subtype UDM field is set to serverGkeDetails_cluster.If the jsonPayload.serverGkeDetails.pod.pod log field value is not empty, then the target.resource_ancestors.resource_subtype UDM field is set to serverGkeDetails_pod.If the jsonPayload.serverGkeDetails.service.service log field value is not empty, then the target.resource_ancestors.resource_subtype UDM field is set to serverGkeDetails_service.If the resource.labels.network_name log field value is not empty, then the target.resource_ancestors.resource_subtype UDM field is set to network_name. |
|
target.resource_ancestors.resource_type |
If the resource.labels.backend_target_name log field value is not empty, then the target.resource_ancestors.resource_type UDM field is set to BACKEND_SERVICE.If the jsonPayload.serverInstance.vm log field value is not empty, then the target.resource_ancestors.resource_type UDM field is set to VIRTUAL_MACHINE.If the jsonPayload.serverGkeDetails.cluster.cluster log field value is not empty, then the target.resource_ancestors.resource_type UDM field is set to CLUSTER.If the jsonPayload.serverGkeDetails.pod.pod log field value is not empty, then the target.resource_ancestors.resource_type UDM field is set to VIRTUAL_MACHINE.If the jsonPayload.serverGkeDetails.service.service log field value is not empty, then the target.resource_ancestors.resource_type UDM field is set to BACKEND_SERVICE.If the resource.labels.network_name log field value is not empty, then the target.resource_ancestors.resource_type UDM field is set to VPC_NETWORK. |
resource.labels.region |
target.resource.attribute.cloud.availability_zone |
|
resource.labels.endpoint_zone |
target.resource.attribute.cloud.availability_zone |
|
resource.labels.zone |
target.resource.attribute.cloud.availability_zone |
|
|
target.resource.attribute.cloud.environment |
The target.resource.attribute.cloud.environment UDM field is set to GOOGLE_CLOUD_PLATFORM. |
resource.labels.load_balancer_name |
target.resource.name |
|
resource.type |
target.resource.resource_subtype |
|
|
target.resource.resource_type |
The target.resource.resource_type UDM field is set to DEVICE. |
httpRequest.requestUrl |
target.url |
|
jsonPayload.backendTargetProjectNumber |
about.labels[backend_target_project_number] |
|
jsonPayload.cacheDecision |
about.labels[cache_decision] |
|
jsonPayload.cacheId |
about.labels[cache_id] |
|
jsonPayload.endTime |
about.labels[end_time] |
|
jsonPayload.@type |
about.labels[metadata_type] |
|
spanId |
about.labels[span_id] |
|
jsonPayload.startTime |
about.labels[start_time] |
|
traceSampled |
about.labels[trace_sampled] |
|
trace |
about.labels[trace] |
|
jsonPayload.clientLocation.continent |
principal.labels[client_loacation_continent] |
|
jsonPayload.networkTier.networkTier |
principal.labels[network_tier] |
|
jsonPayload.clientGkeDetails.pod.podNamespace |
principal.resource_ancestors.attribute.labels[pod_namespace] |
|
jsonPayload.clientGkeDetails.service.serviceNamespace |
principal.resource_ancestors.attribute.labels[service_namespace] |
|
jsonPayload.clientInstance.region |
principal.resource.attribute.labels[client_instance_region] |
|
resource.labels.forwarding_rule_name |
security_result.rule_labels[forwarding_rule_name] |
|
jsonPayload.enforcedSecurityPolicy.matchedFieldName |
security_result.rule_labels[matched_field_name] |
|
jsonPayload.enforcedSecurityPolicy.matchedFieldType |
security_result.rule_labels[matched_field_type] |
|
jsonPayload.enforcedSecurityPolicy.matchedFieldValue |
security_result.rule_labels[matched_field_value] |
|
jsonPayload.enforcedSecurityPolicy.matchedLength |
security_result.rule_labels[matched_length] |
|
jsonPayload.enforcedSecurityPolicy.preconfiguredExprIds |
security_result.rule_labels[preconfigured_expr_ids] |
|
jsonPayload.enforcedSecurityPolicy.threatIntelligence.categories |
security_result.rule_labels[threat_intelligence_category] |
|
resource.labels.backend_group_scope |
target.group.attribute.labels[backend_group_scope] |
|
resource.labels.backend_group_type |
target.group.attribute.labels[backend_group_type] |
|
resource.labels.backend_type |
target.group.attribute.labels[backend_type] |
|
resource.labels.forwarding_rule_network_tier |
target.labels[forwarding_rule_network_tier] |
|
httpRequest.cacheFillBytes |
target.labels[http_request_cache_fill_bytes] |
|
httpRequest.cacheHit |
target.labels[http_request_cache_hit] |
|
httpRequest.cacheLookup |
target.labels[http_request_cache_lookup] |
|
httpRequest.cacheValidatedWithOriginServer |
target.labels[http_request_cache_validated_with_origin_server] |
|
httpRequest.latency |
target.labels[http_request_latency] |
|
resource.labels.primary_target_pool |
target.labels[primary_target_pool] |
|
resource.labels.target_pool |
target.labels[target_pool] |
|
resource.labels.target_proxy_name |
target.labels[target_proxy_name] |
|
resource.labels.url_map_name |
target.labels[url_map_name] |
|
resource.labels.backend_failover_configuration |
target.resource_ancestors.attribute.labels[backend_failover_configuration] |
|
resource.labels.backend_network_name |
target.resource_ancestors.attribute.labels[backend_network_name] |
|
resource.labels.backend_scope_type |
target.resource_ancestors.attribute.labels[backend_scope_type] |
|
resource.labels.backend_subnetwork_name |
target.resource_ancestors.attribute.labels[backend_subnetwork_name] |
|
jsonPayload.serverInstance.region |
target.resource_ancestors.attribute.labels[client_instance_region] |
|
jsonPayload.serverGkeDetails.pod.podNamespace |
target.resource_ancestors.attribute.labels[pod_namespace] |
|
jsonPayload.serverGkeDetails.service.serviceNamespace |
target.resource_ancestors.attribute.labels[service_namespace] |
|
resource.labels.matched_url_path_rule |
target.resource.attribute.labels[matched_url_path_rule] |
|
resource.labels.loadbalancing_scheme_name |
target.resource.attribute.labels[loadbalancing_scheme_name] |
|
jsonPayload.enforcedSecurityPolicy.rateLimitAction.key |
security_result.rule_labels[enforcedsecuritypolicy_ratelimitaction_key] |
|
jsonPayload.enforcedSecurityPolicy.rateLimitAction.outcome |
security_result.rule_labels[enforcedsecuritypolicy_ratelimitaction_outcome] |
|
jsonPayload.enforcedSecurityPolicy.adaptiveProtection.autoDeployAlertId |
security_result.rule_labels[adaptiveprotection_autodeployalertid] |
|
jsonPayload.previewSecurityPolicy.rateLimitAction.key |
security_result.rule_labels[previewsecuritypolicy_ratelimitaction_key] |
|
jsonPayload.previewSecurityPolicy.rateLimitAction.outcome |
security_result.rule_labels[previewsecuritypolicy_ratelimitaction_outcome] |
|
jsonPayload.previewSecurityPolicy.outcome |
security_result.outcomes[previewsecuritypolicy_outcome] |
|
jsonPayload.previewSecurityPolicy.preconfiguredExprIds |
security_result.rule_labels[previewsecuritypolicy_preconfigured_expr_ids] |
|
jsonPayload.enforcedEdgeSecurityPolicy.outcome |
security_result.outcomes[enforcededgesecuritypolicy_outcome] |
|
jsonPayload.previewEdgeSecurityPolicy.outcome |
security_result.outcomes[previewedgesecuritypolicy_outcome] |