收集 Google Cloud Load Balancing 日志
支持的平台:
Google SecOps
SIEM
本文档介绍了如何通过启用将 Google Cloud 遥测数据提取到 Google 安全运营中心的功能来收集 Google Cloud 负载均衡日志,以及日志字段如何映射到 Google 安全运营中心 Unified Data Model (UDM) 字段。 本文档还列出了受支持的 Google Cloud Load Balancing 版本。
如需了解详情,请参阅将数据提取到 Google 安全运营中心。
典型的部署包括启用 Google Security Operations 的 Google Cloud Load Balancing 日志。每个客户部署可能与此表示形式不同,并且可能更复杂。
该部署包含以下组件:
Google Cloud:您从中收集日志的 Google Cloud 服务和产品。
Google Cloud Load Balancing 日志:已启用以注入到 Google Security Operations 的 Google Cloud Load Balancing 日志。
Google Security Operations:Google Security Operations 会保留和分析来自 Google Cloud Load Balancing 的日志。
注入标签标识将原始日志数据标准化为结构化 UDM 格式的解析器。本文档中的信息适用于具有 GCP_LOADBALANCING 注入标签的解析器。
准备工作
确保您使用的是 Google Cloud 负载均衡版本 1。
确保部署架构中的所有系统都采用世界协调时间 (UTC) 时区进行配置。
配置 Google Cloud 以提取 Google Cloud Load Balancing 日志
如需将 Google Cloud 负载均衡日志注入 Google Security Operations,请按照将 Google Cloud 日志注入 Google Security Operations 页面上的步骤操作。
如果您在注入 Google Cloud Load Balancing 日志时遇到问题,请与 Google Security Operations 支持团队联系。
字段映射参考文档
本部分介绍 Google Security Operations 解析器如何将 Google Cloud 负载均衡字段映射到 Google Security Operations 统一数据模型 (UDM) 字段。
字段映射参考信息:GCP_LOADBALANCING 日志字段到 UDM 字段
下表列出了 GCP_LOADBALANCING 日志类型的日志字段及其对应的 UDM 字段。
| Log field | UDM mapping | Logic |
|---|---|---|
receiveTimestamp |
metadata.collected_timestamp |
|
timestamp |
metadata.event_timestamp |
|
|
metadata.event_type |
If the following values are not empty, then the metadata.event_type UDM field is set to NETWORK_CONNECTION.
Else, if the following values are not empty, then the metadata.event_type UDM field is set to STATUS_UNCATEGORIZED.
Else, the metadata.event_type UDM field is set to GENERIC_EVENT. |
logName |
metadata.product_event_type |
|
insertId |
metadata.product_log_id |
|
|
metadata.vendor_name |
The metadata.vendor_name UDM field is set to Google Cloud Platform. |
httpRequest.protocol |
network.application_protocol |
If the httpRequest.requestUrl log field value matches the regular expression https or the httpRequest.protocol log field value matches the regular expression HTTPS, then the network.application_protocol UDM field is set to HTTPS.Else, if the httpRequest.requestUrl log field value matches the regular expression http or the httpRequest.protocol log field value matches the regular expression HTTP, then the network.application_protocol UDM field is set to HTTP. |
jsonPayload.clientLocation.asn |
network.asn |
|
httpRequest.requestMethod |
network.http.method |
|
httpRequest.referer |
network.http.referral_url |
|
httpRequest.status |
network.http.response_code |
|
httpRequest.userAgent |
network.http.user_agent |
|
jsonPayload.connection.protocol |
network.ip_protocol |
If the jsonPayload.connection.protocol log field value is equal to 0, then the network.ip_protocol UDM field is set to UNKNOWN_IP_PROTOCOL.Else, if the jsonPayload.connection.protocol log field value is equal to 1, then the network.ip_protocol UDM field is set to ICMP.Else, if the jsonPayload.connection.protocol log field value is equal to 2, then the network.ip_protocol UDM field is set to IGMP.Else, if the jsonPayload.connection.protocol log field value is equal to 6, then the network.ip_protocol UDM field is set to TCP.Else, if the jsonPayload.connection.protocol log field value is equal to 17, then the network.ip_protocol UDM field is set to UDP.Else, if the jsonPayload.connection.protocol log field value is equal to 41, then the network.ip_protocol UDM field is set to IP6IN4.Else, if the jsonPayload.connection.protocol log field value is equal to 47, then the network.ip_protocol UDM field is set to GRE.Else, if the jsonPayload.connection.protocol log field value is equal to 50, then the network.ip_protocol UDM field is set to ESP.Else, if the jsonPayload.connection.protocol log field value is equal to 58, then the network.ip_protocol UDM field is set to ICMP6.Else, if the jsonPayload.connection.protocol log field value is equal to 88, then the network.ip_protocol UDM field is set to EIGRP.Else, if the jsonPayload.connection.protocol log field value is equal to 97, then the network.ip_protocol UDM field is set to ETHERIP.Else, if the jsonPayload.connection.protocol log field value is equal to 103, then the network.ip_protocol UDM field is set to PIM.Else, if the jsonPayload.connection.protocol log field value is equal to 112, then the network.ip_protocol UDM field is set to VRRP.Else, if the jsonPayload.connection.protocol log field value is equal to 132, then the network.ip_protocol UDM field is set to SCTP. |
httpRequest.responseSize |
network.received_bytes |
|
jsonPayload.bytesReceived |
network.received_bytes |
|
jsonPayload.packetsReceived |
network.received_packets |
|
httpRequest.requestSize |
network.sent_bytes |
|
jsonPayload.packetsSent |
network.sent_packets |
|
jsonPayload.bytesSent |
network.sent_packets |
|
jsonPayload.rtt |
network.session_duration.seconds |
Grok: Extracted sec from the log field jsonPayload.rtt and mapped it to the network.session_duration.seconds UDM field. |
jsonPayload.rtt |
network.session_duration.nanos |
Grok: Extracted nano from the log field jsonPayload.rtt and mapped it to the network.session_duration.nanos UDM field. |
jsonPayload.tls.cipher |
network.tls.cipher |
|
jsonPayload.securityPolicyRequestData.tlsJa3Fingerprint |
network.tls.client.ja3 |
|
jsonPayload.tls.protocol |
network.tls.next_protocol |
|
httpRequest.remoteIp |
principal.ip |
If the httpRequest.remoteIp log field value is not empty, then Grok: Extracted ip and port from the log field httpRequest.remoteIp and mapped it to the principal.ip and principal.port UDM field respectively.
|
jsonPayload.remoteIp |
principal.ip |
If the jsonPayload.remoteIp log field value is not empty, then Grok: Extracted ip and port from the log field jsonPayload.remoteIp and mapped it to the principal.ip and principal.port UDM field respectively.
|
jsonPayload.connection.clientIp |
principal.ip |
|
clientInstance.vmIp |
principal.ip |
|
jsonPayload.clientLocation.city |
principal.location.city |
|
jsonPayload.clientLocation.regionCode |
principal.location.country_or_region |
|
jsonPayload.securityPolicyRequestData.remoteIpInfo.regionCode |
principal.location.name |
|
jsonPayload.clientLocation.subRegion |
principal.location.state |
|
jsonPayload.connection.clientPort |
principal.port |
|
jsonPayload.clientGkeDetails.cluster.clusterLocation |
principal.resource_ancestors.attribute.cloud.availability_zone |
|
jsonPayload.clientVpc.projectId |
principal.resource_ancestors.name |
|
jsonPayload.clientVpc.vpc |
principal.resource_ancestors.name |
|
jsonPayload.clientVpc.subnetwork |
principal.resource_ancestors.name |
|
jsonPayload.clientGkeDetails.cluster.cluster |
principal.resource_ancestors.name |
|
jsonPayload.clientGkeDetails.pod.pod |
principal.resource_ancestors.name |
|
jsonPayload.clientGkeDetails.service.service |
principal.resource_ancestors.name |
|
jsonPayload.clientInstance.projectId |
principal.resource_ancestors.product_object_id |
|
|
principal.resource_ancestors.resource_subtype |
If the jsonPayload.clientVpc.projectId log field value is not empty, then the principal.resource_ancestors.resource_subtype UDM field is set to clientVpc_projectId.If the jsonPayload.clientVpc.vpc log field value is not empty, then the principal.resource_ancestors.resource_subtype UDM field is set to clientVpc_vpc.If the jsonPayload.clientVpc.subnetwork log field value is not empty, then the principal.resource_ancestors.resource_subtype UDM field is set to clientVpc_subnetwork.If the jsonPayload.clientGkeDetails.cluster.cluster log field value is not empty, then the principal.resource_ancestors.resource_subtype UDM field is set to clientGkeDetails_cluster.If the jsonPayload.clientGkeDetails.pod.pod log field value is not empty, then the principal.resource_ancestors.resource_subtype UDM field is set to clientGkeDetails_pod.If the jsonPayload.clientGkeDetails.service.service log field value is not empty, then the principal.resource_ancestors.resource_subtype UDM field is set to clientGkeDetails_service. |
|
principal.resource_ancestors.resource_type |
If the jsonPayload.clientVpc.projectId log field value is not empty, then the principal.resource_ancestors.resource_type UDM field is set to VPC_NETWORK.If the jsonPayload.clientVpc.vpc log field value is not empty, then the principal.resource_ancestors.resource_type UDM field is set to VIRTUAL_MACHINE.If the jsonPayload.clientVpc.subnetwork log field value is not empty, then the principal.resource_ancestors.resource_type UDM field is set to VIRTUAL_MACHINE.If the jsonPayload.clientGkeDetails.cluster.cluster log field value is not empty, then the principal.resource_ancestors.resource_type UDM field is set to CLUSTER.If the jsonPayload.clientGkeDetails.pod.pod log field value is not empty, then the principal.resource_ancestors.resource_type UDM field is set to VIRTUAL_MACHINE.If the jsonPayload.clientGkeDetails.service.service log field value is not empty, then the principal.resource_ancestors.resource_type UDM field is set to BACKEND_SERVICE. |
jsonPayload.clientInstance.zone |
principal.resource.attribute.cloud.availability_zone |
|
jsonPayload.clientInstance.vm |
principal.resource.name |
|
|
principal.resource.resource_subtype |
If the jsonPayload.clientInstance.vm log field value is not empty, then the principal.resource.resource_subtype UDM field is set to client_instance_vm. |
|
principal.resource.resource_type |
If the jsonPayload.clientInstance.vm log field value is not empty, then the principal.resource.resource_type UDM field is set to VIRTUAL_MACHINE. |
|
security_result.action |
If the jsonPayload.enforcedSecurityPolicy.configuredAction log field value is equal to DENY, then the security_result.action UDM field is set to BLOCK.Else, if the jsonPayload.enforcedSecurityPolicy.configuredAction log field value is equal to ALLOW, then the security_result.action UDM field is set to ALLOW.If the jsonPayload.previewSecurityPolicy.configuredAction log field value is equal to DENY, then the security_result.action UDM field is set to BLOCK.Else, if the jsonPayload.previewSecurityPolicy.configuredAction log field value is equal to ALLOW, then the security_result.action UDM field is set to ALLOW.If the jsonPayload.enforcedEdgeSecurityPolicy.configuredAction log field value is equal to DENY, then the security_result.action UDM field is set to BLOCK.Else, if the jsonPayload.enforcedEdgeSecurityPolicy.configuredAction log field value is equal to ALLOW, then the security_result.action UDM field is set to ALLOW.If the jsonPayload.previewEdgeSecurityPolicy.configuredAction log field value is equal to DENY, then the security_result.action UDM field is set to BLOCK.Else, if the jsonPayload.previewEdgeSecurityPolicy.configuredAction log field value is equal to ALLOW, then the security_result.action UDM field is set to ALLOW. |
jsonPayload.enforcedSecurityPolicy.configuredAction |
security_result.action_details |
|
jsonPayload.previewSecurityPolicy.configuredAction |
security_result.action_details |
|
jsonPayload.enforcedEdgeSecurityPolicy.configuredAction |
security_result.action_details |
|
jsonPayload.previewEdgeSecurityPolicy.configuredAction |
security_result.action_details |
|
jsonPayload.enforcedSecurityPolicy.outcome |
security_result.outcomes[jsonpayload_enforcedsecuritypolicy_outcome] |
|
jsonPayload.enforcedSecurityPolicy.priority |
security_result.priority_details |
|
jsonPayload.previewSecurityPolicy.priority |
security_result.priority_details |
|
jsonPayload.enforcedEdgeSecurityPolicy.priority |
security_result.priority_details |
|
jsonPayload.previewEdgeSecurityPolicy.priority |
security_result.priority_details |
|
jsonPayload.enforcedSecurityPolicy.name |
security_result.rule_name |
|
jsonPayload.securityPolicyRequestData.recaptchaActionToken.score |
security_result.risk_score |
If the jsonPayload.securityPolicyRequestData.recaptchaActionToken.score log field value is not empty, then the jsonPayload.securityPolicyRequestData.recaptchaActionToken.score log field is mapped to the security_result.risk_score UDM field. |
jsonPayload.securityPolicyRequestData.recaptchaSessionToken.score |
security_result.risk_score |
If the jsonPayload.securityPolicyRequestData.recaptchaSessionToken.score log field value is not empty, then the jsonPayload.securityPolicyRequestData.recaptchaSessionToken.score log field is mapped to the security_result.risk_score UDM field. |
jsonPayload.previewSecurityPolicy.name |
security_result.rule_name |
|
jsonPayload.enforcedEdgeSecurityPolicy.name |
security_result.rule_name |
|
jsonPayload.previewEdgeSecurityPolicy.name |
security_result.rule_name |
|
|
security_result.severity |
If the severity log field value matches the regular expression DEFAULT or DEBUG or INFO or NOTICE, then the security_result.severity UDM field is set to LOW.Else, if the severity log field value matches the regular expression WARNING or ERROR, then the security_result.severity UDM field is set to MEDIUM.Else, if the severity log field value matches the regular expression CRITICAL or ALERT or EMERGENCY, then the security_result.severity UDM field is set to HIGH. |
severity |
security_result.severity_details |
|
jsonPayload.statusDetails |
security_result.summary |
|
jsonPayload.proxyStatus |
security_result.summary |
|
resource.labels.backend_service_name |
target.application |
|
resource.labels.backend_name |
target.group.group_display_name |
|
resource.labels.backend_group_name |
target.group.group_display_name |
|
httpRequest.serverIp |
target.ip |
|
jsonPayload.connection.serverIp |
target.ip |
|
serverInstance.vmIp |
target.ip |
|
jsonPayload.connection.serverPort |
target.port |
|
resource.labels.backend_scope |
target.resource_ancestors.attribute.cloud.availability_zone |
If the resource.labels.backend_target_name log field value is not empty, then the resource.labels.backend_scope log field is mapped to the target.resource_ancestors.attribute.cloud.availability_zone UDM field. |
jsonPayload.serverInstance.zone |
target.resource_ancestors.attribute.cloud.availability_zone |
If the jsonPayload.serverInstance.vm log field value is not empty, then the jsonPayload.serverInstance.zone log field is mapped to the target.resource_ancestors.attribute.cloud.availability_zone UDM field. |
jsonPayload.serverGkeDetails.cluster.clusterLocation |
target.resource_ancestors.attribute.cloud.availability_zone |
If the jsonPayload.serverGkeDetails.cluster.cluster log field value is not empty, then the jsonPayload.serverGkeDetails.cluster.clusterLocation log field is mapped to the target.resource_ancestors.attribute.cloud.availability_zone UDM field. |
resource.labels.backend_zone |
target.resource_ancestors.attribute.cloud.availability_zone |
If the resource.labels.backend_zone log field value is not empty, then the resource.labels.backend_zone log field is mapped to the target.resource_ancestors.attribute.cloud.availability_zone UDM field. |
resource.labels.backend_target_name |
target.resource_ancestors.name |
|
jsonPayload.serverInstance.vm |
target.resource_ancestors.name |
|
jsonPayload.serverGkeDetails.cluster.cluster |
target.resource_ancestors.name |
|
jsonPayload.serverGkeDetails.pod.pod |
target.resource_ancestors.name |
|
jsonPayload.serverGkeDetails.service.service |
target.resource_ancestors.name |
|
resource.labels.network_name |
target.resource_ancestors.name |
|
resource.labels.project_id |
target.resource_ancestors.product_object_id |
|
jsonPayload.serverInstance.projectId |
target.resource_ancestors.product_object_id |
If the jsonPayload.serverInstance.vm log field value is not empty, then the jsonPayload.serverInstance.projectId log field is mapped to the target.resource_ancestors.product_object_id UDM field. |
resource.labels.project |
target.resource_ancestors.product_object_id |
|
resource.labels.backend_target_type |
target.resource_ancestors.resource_subtype |
If the resource.labels.backend_target_name log field value is not empty, then the resource.labels.backend_target_type log field is mapped to the target.resource_ancestors.resource_subtype UDM field.If the jsonPayload.serverInstance.vm log field value is not empty, then the target.resource_ancestors.resource_subtype UDM field is set to serverInstance_vm.If the jsonPayload.serverGkeDetails.cluster.cluster log field value is not empty, then the target.resource_ancestors.resource_subtype UDM field is set to serverGkeDetails_cluster.If the jsonPayload.serverGkeDetails.pod.pod log field value is not empty, then the target.resource_ancestors.resource_subtype UDM field is set to serverGkeDetails_pod.If the jsonPayload.serverGkeDetails.service.service log field value is not empty, then the target.resource_ancestors.resource_subtype UDM field is set to serverGkeDetails_service.If the resource.labels.network_name log field value is not empty, then the target.resource_ancestors.resource_subtype UDM field is set to network_name. |
|
target.resource_ancestors.resource_type |
If the resource.labels.backend_target_name log field value is not empty, then the target.resource_ancestors.resource_type UDM field is set to BACKEND_SERVICE.If the jsonPayload.serverInstance.vm log field value is not empty, then the target.resource_ancestors.resource_type UDM field is set to VIRTUAL_MACHINE.If the jsonPayload.serverGkeDetails.cluster.cluster log field value is not empty, then the target.resource_ancestors.resource_type UDM field is set to CLUSTER.If the jsonPayload.serverGkeDetails.pod.pod log field value is not empty, then the target.resource_ancestors.resource_type UDM field is set to VIRTUAL_MACHINE.If the jsonPayload.serverGkeDetails.service.service log field value is not empty, then the target.resource_ancestors.resource_type UDM field is set to BACKEND_SERVICE.If the resource.labels.network_name log field value is not empty, then the target.resource_ancestors.resource_type UDM field is set to VPC_NETWORK. |
resource.labels.region |
target.resource.attribute.cloud.availability_zone |
|
resource.labels.endpoint_zone |
target.resource.attribute.cloud.availability_zone |
|
resource.labels.zone |
target.resource.attribute.cloud.availability_zone |
|
|
target.resource.attribute.cloud.environment |
The target.resource.attribute.cloud.environment UDM field is set to GOOGLE_CLOUD_PLATFORM. |
resource.labels.load_balancer_name |
target.resource.name |
|
resource.type |
target.resource.resource_subtype |
|
|
target.resource.resource_type |
The target.resource.resource_type UDM field is set to DEVICE. |
httpRequest.requestUrl |
target.url |
|
jsonPayload.backendTargetProjectNumber |
about.labels[backend_target_project_number] (deprecated) |
|
jsonPayload.backendTargetProjectNumber |
additional.fields[backend_target_project_number] |
|
jsonPayload.cacheDecision |
about.labels[cache_decision] |
|
jsonPayload.cacheId |
about.labels[cache_id] (deprecated) |
|
jsonPayload.cacheId |
additional.fields[cache_id] |
|
jsonPayload.endTime |
about.labels[end_time] (deprecated) |
|
jsonPayload.endTime |
additional.fields[end_time] |
|
jsonPayload.@type |
about.labels[metadata_type] (deprecated) |
|
jsonPayload.@type |
additional.fields[metadata_type] |
|
spanId |
about.labels[span_id] (deprecated) |
|
spanId |
additional.fields[span_id] |
|
jsonPayload.startTime |
about.labels[start_time] (deprecated) |
|
jsonPayload.startTime |
additional.fields[start_time] |
|
traceSampled |
about.labels[trace_sampled] (deprecated) |
|
traceSampled |
additional.fields[trace_sampled] |
|
trace |
about.labels[trace] (deprecated) |
|
trace |
additional.fields[trace] |
|
jsonPayload.clientLocation.continent |
principal.labels[client_loacation_continent] (deprecated) |
|
jsonPayload.clientLocation.continent |
additional.fields[client_loacation_continent] |
|
jsonPayload.networkTier.networkTier |
principal.labels[network_tier] (deprecated) |
|
jsonPayload.networkTier.networkTier |
additional.fields[network_tier] |
|
jsonPayload.clientGkeDetails.pod.podNamespace |
principal.resource_ancestors.attribute.labels[pod_namespace] |
|
jsonPayload.clientGkeDetails.service.serviceNamespace |
principal.resource_ancestors.attribute.labels[service_namespace] |
|
jsonPayload.clientInstance.region |
principal.resource.attribute.labels[client_instance_region] |
|
resource.labels.forwarding_rule_name |
security_result.rule_labels[forwarding_rule_name] |
|
jsonPayload.enforcedSecurityPolicy.matchedFieldName |
security_result.rule_labels[matched_field_name] |
|
jsonPayload.enforcedSecurityPolicy.matchedFieldType |
security_result.rule_labels[matched_field_type] |
|
jsonPayload.enforcedSecurityPolicy.matchedFieldValue |
security_result.rule_labels[matched_field_value] |
|
jsonPayload.enforcedSecurityPolicy.matchedLength |
security_result.rule_labels[matched_length] |
|
jsonPayload.enforcedSecurityPolicy.preconfiguredExprIds |
security_result.rule_labels[preconfigured_expr_ids] |
|
jsonPayload.enforcedSecurityPolicy.threatIntelligence.categories |
security_result.rule_labels[threat_intelligence_category] |
|
resource.labels.backend_group_scope |
target.group.attribute.labels[backend_group_scope] |
|
resource.labels.backend_group_type |
target.group.attribute.labels[backend_group_type] |
|
resource.labels.backend_type |
target.group.attribute.labels[backend_type] |
|
resource.labels.forwarding_rule_network_tier |
target.labels[forwarding_rule_network_tier] (deprecated)` |
|
resource.labels.forwarding_rule_network_tier |
additional.fields[forwarding_rule_network_tier] |
|
httpRequest.cacheFillBytes |
target.labels[http_request_cache_fill_bytes] (deprecated) |
|
httpRequest.cacheFillBytes |
additional.fields[http_request_cache_fill_bytes] |
|
httpRequest.cacheHit |
target.labels[http_request_cache_hit] (deprecated) |
|
httpRequest.cacheHit |
additional.fields[http_request_cache_hit] |
|
httpRequest.cacheLookup |
target.labels[http_request_cache_lookup] (deprecated) |
|
httpRequest.cacheLookup |
additional.fields[http_request_cache_lookup] |
|
httpRequest.cacheValidatedWithOriginServer |
target.labels[http_request_cache_validated_with_origin_server] (deprecated) |
|
httpRequest.cacheValidatedWithOriginServer |
additional.fields[http_request_cache_validated_with_origin_server] |
|
httpRequest.latency |
target.labels[http_request_latency] (deprecated) |
|
httpRequest.latency |
additional.fields[http_request_latency] |
|
resource.labels.primary_target_pool |
target.labels[primary_target_pool] (deprecated) |
|
resource.labels.primary_target_pool |
additional.fields[primary_target_pool] |
|
resource.labels.target_pool |
target.labels[target_pool] (deprecated) |
|
resource.labels.target_pool |
additional.fields[target_pool] |
|
resource.labels.target_proxy_name |
target.labels[target_proxy_name] (deprecated) |
|
resource.labels.target_proxy_name |
additional.fields[target_proxy_name] |
|
resource.labels.url_map_name |
target.labels[url_map_name] (deprecated) |
|
resource.labels.url_map_name |
additional.fields[url_map_name] |
|
resource.labels.backend_failover_configuration |
target.resource_ancestors.attribute.labels[backend_failover_configuration] |
|
resource.labels.backend_network_name |
target.resource_ancestors.attribute.labels[backend_network_name] |
|
resource.labels.backend_scope_type |
target.resource_ancestors.attribute.labels[backend_scope_type] |
|
resource.labels.backend_subnetwork_name |
target.resource_ancestors.attribute.labels[backend_subnetwork_name] |
|
jsonPayload.serverInstance.region |
target.resource_ancestors.attribute.labels[client_instance_region] |
|
jsonPayload.serverGkeDetails.pod.podNamespace |
target.resource_ancestors.attribute.labels[pod_namespace] |
|
jsonPayload.serverGkeDetails.service.serviceNamespace |
target.resource_ancestors.attribute.labels[service_namespace] |
|
resource.labels.matched_url_path_rule |
target.resource.attribute.labels[matched_url_path_rule] |
|
resource.labels.loadbalancing_scheme_name |
target.resource.attribute.labels[loadbalancing_scheme_name] |
|
jsonPayload.enforcedSecurityPolicy.rateLimitAction.key |
security_result.rule_labels[enforcedsecuritypolicy_ratelimitaction_key] |
|
jsonPayload.enforcedSecurityPolicy.rateLimitAction.outcome |
security_result.rule_labels[enforcedsecuritypolicy_ratelimitaction_outcome] |
|
jsonPayload.enforcedSecurityPolicy.adaptiveProtection.autoDeployAlertId |
security_result.rule_labels[adaptiveprotection_autodeployalertid] |
|
jsonPayload.previewSecurityPolicy.rateLimitAction.key |
security_result.rule_labels[previewsecuritypolicy_ratelimitaction_key] |
|
jsonPayload.previewSecurityPolicy.rateLimitAction.outcome |
security_result.rule_labels[previewsecuritypolicy_ratelimitaction_outcome] |
|
jsonPayload.previewSecurityPolicy.outcome |
security_result.outcomes[previewsecuritypolicy_outcome] |
|
jsonPayload.previewSecurityPolicy.preconfiguredExprIds |
security_result.rule_labels[previewsecuritypolicy_preconfigured_expr_ids] |
|
jsonPayload.enforcedEdgeSecurityPolicy.outcome |
security_result.outcomes[enforcededgesecuritypolicy_outcome] |
|
jsonPayload.previewEdgeSecurityPolicy.outcome |
security_result.outcomes[previewedgesecuritypolicy_outcome] |