Collect Security Command Center findings

This document describes how to collect Security Command Center logs by configuring Security Command Center and ingesting its findings into Google Security Operations. It also lists the supported events.

For more information, see Data ingestion to Google Security Operations and Exporting Security Command Center findings to Google Security Operations. A typical deployment consists of Security Command Center and the Google Security Operations feed configured to send logs to Google Security Operations. Each customer deployment might differ and might be more complex.

The deployment contains the following components:

  • Google Cloud: The system to be monitored in which Security Command Center is installed.

  • Security Command Center Event Threat Detection Findings: Collects information from the data source and generates findings.

  • Google Security Operations: Retains and analyzes the logs from the Security Command Center.

An ingestion label identifies the parser that normalizes raw log data to the structured UDM format. The information in this document applies to the Security Command Center parser with the following ingestion labels:

  • GCP_SECURITYCENTER_ERROR

  • GCP_SECURITYCENTER_MISCONFIGURATION

  • GCP_SECURITYCENTER_OBSERVATION

  • GCP_SECURITYCENTER_THREAT

  • GCP_SECURITYCENTER_UNSPECIFIED

  • GCP_SECURITYCENTER_VULNERABILITY

  • GCP_SECURITYCENTER_POSTURE_VIOLATION

  • GCP_SECURITYCENTER_TOXIC_COMBINATION

Configure Security Command Center and Google Cloud to send findings to Google Security Operations

Supported Event Threat Detection findings

This section lists the supported Event Threat Detection findings. For information about the Security Command Center Event Threat Detection rules and findings, see Event Threat Detection rules.

Finding name
  Description
Active Scan: Log4j Vulnerable to RCE
  Detects active Log4j vulnerabilities by identifying DNS queries for unobfuscated domains that were initiated by supported Log4j vulnerability scanners.
Breakglass Account Used: break_glass_account
  Detects the usage of an emergency access (breakglass) account.
Brute Force: SSH
  Detection of successful brute force of SSH on a host.
Configurable Bad Domain: APT29_Domains
  Detects a connection to a specified domain name.
Configurable Bad IP
  Detects a connection to a specified IP address.
Credential Access: External Member Added To Privileged Group
  Detects when an external member is added to a privileged Google Group (a group granted sensitive roles or permissions). A finding is generated only if the group doesn't already contain other external members from the same organization as the newly added member. To learn more, see Unsafe Google Group changes.
Credential Access: Privileged Group Opened To Public
  Detects when a privileged Google Group (a group granted sensitive roles or permissions) is changed to be accessible to the general public. To learn more, see Unsafe Google Group changes.
Credential Access: Sensitive Role Granted To Hybrid Group
  Detects when sensitive roles are granted to a Google Group with external members. To learn more, see Unsafe Google Group changes.
Custom role with prohibited permission
  Detects when a custom role with any of the specified IAM permissions is granted to a principal.
Defense Evasion: Modify VPC Service Control
  Detects a change to an existing VPC Service Control perimeter that would lead to a reduction in the protection offered by that perimeter.
Discovery: Can get sensitive Kubernetes object check (Preview)
  A malicious actor attempted to determine what sensitive objects in Google Kubernetes Engine (GKE) they can query for, by using the kubectl auth can-i get command.
Discovery: Service Account Self-Investigation
  Detection of an Identity and Access Management (IAM) service account credential that is used to investigate the roles and permissions associated with that same service account.
Evasion: Access from Anonymizing Proxy
  Detection of Google Cloud service modifications that originated from anonymous proxy IP addresses, like Tor IP addresses.
Execution: Added Malicious Binary Executed
  The detector looks for a binary being executed that was not part of the original container image, and was identified as malicious based on threat intelligence.
Execution: Modified Malicious Binary Executed
  The detector looks for a binary being executed that was originally included in the container image but modified during run time, and was identified as malicious based on threat intelligence.
Exfiltration: BigQuery Data Exfiltration
  Detects the following scenarios:
    • Resources owned by the protected organization that are saved outside of the organization, including copy or transfer operations.
    • Attempts to access BigQuery resources that are protected by VPC Service Control.
Exfiltration: BigQuery Data Extraction
  Detects the following scenarios:
    • A BigQuery resource owned by the protected organization is saved, through extraction operations, to a Cloud Storage bucket outside the organization.
    • A BigQuery resource owned by the protected organization is saved, through extraction operations, to a publicly accessible Cloud Storage bucket owned by that organization.
Exfiltration: BigQuery Data to Google Drive
  Detects the following scenario:
    • A BigQuery resource owned by the protected organization is saved, through extraction operations, to a Google Drive folder.
Exfiltration: Cloud SQL Data Exfiltration
  Detects the following scenarios:
    • Live instance data exported to a Cloud Storage bucket outside of the organization.
    • Live instance data exported to a Cloud Storage bucket that is owned by the organization and is publicly accessible.
Exfiltration: Cloud SQL Restore Backup to External Organization
  Detects when a Cloud SQL instance's backup is restored to an instance outside of the organization.
Exfiltration: Cloud SQL Over-Privileged Grant
  Detects when a Cloud SQL Postgres user or role has been granted all privileges to a database or to all tables, procedures, or functions in a schema.
Impair Defenses: Strong Authentication Disabled
  2-step verification was disabled for the organization.
Impair Defenses: Two Step Verification Disabled
  A user disabled 2-step verification.
Initial Access: Account Disabled Hijacked
  A user's account was suspended due to suspicious activity.
Initial Access: Disabled Password Leak
  A user's account is disabled because a password leak was detected.
Initial Access: Dormant Service Account Key Created
  Detects events where a key is created for a dormant user-managed service account. In this context, a service account is considered dormant if it has been inactive for more than 180 days.
Initial Access: Government Based Attack
  Government-backed attackers might have tried to compromise a user account or computer.
Initial Access: Log4j Compromise Attempt
  Detects Java Naming and Directory Interface (JNDI) lookups within headers or URL parameters. These lookups may indicate attempts at Log4Shell exploitation. These findings have low severity, because they only indicate a detection or exploit attempt, not a vulnerability or a compromise.
Initial Access: Suspicious Login Blocked
  A suspicious login to a user's account was detected and blocked.
Log4j Malware: Bad Domain
  Detection of Log4j exploit traffic based on a connection to, or a lookup of, a known domain used in Log4j attacks.
Log4j Malware: Bad IP
  Detection of Log4j exploit traffic based on a connection to a known IP address used in Log4j attacks.
Malware: Bad Domain
  Detection of malware based on a connection to, or a lookup of, a known bad domain.
Malware: Bad IP
  Detection of malware based on a connection to a known bad IP address.
Malware: Cryptomining Bad Domain
  Detection of cryptomining based on a connection to, or a lookup of, a known cryptocurrency mining domain.
Malware: Cryptomining Bad IP
  Detection of cryptocurrency mining based on a connection to a known mining IP address.
Outgoing DoS
  Detection of outgoing denial of service traffic.
Persistence: Compute Engine Admin Added SSH Key
  Detection of a modification to the Compute Engine instance metadata SSH key value on an established instance (older than 1 week).
Persistence: Compute Engine Admin Added Startup Script
  Detection of a modification to the Compute Engine instance metadata startup script value on an established instance (older than 1 week).
Persistence: IAM Anomalous Grant
  Detection of privileges granted to IAM users and service accounts that are not members of the organization. This detector uses an organization's existing IAM policies as context. If a sensitive IAM grant to an external member occurs, and there are fewer than three existing IAM policies that are similar to it, this detector generates a finding.
Persistence: New API Method (Preview)
  Detection of anomalous usage of Google Cloud services by IAM service accounts.
Persistence: New Geography
  Detection of IAM user and service accounts accessing Google Cloud from anomalous locations, based on the geolocation of the requesting IP addresses.
Persistence: New User Agent
  Detection of IAM service accounts accessing Google Cloud from anomalous or suspicious user agents.
Persistence: SSO Enablement Toggle
  The Enable SSO (single sign-on) setting on the admin account was disabled.
Persistence: SSO Settings Changed
  The SSO settings for the admin account were changed.
Privilege Escalation: Anomalous Multistep Service Account Delegation for Admin Activity
  Detects when an anomalous multistep delegated request is found for an administrative activity.
Privilege Escalation: Changes to sensitive Kubernetes RBAC objects (Preview)
  To escalate privilege, a malicious actor attempted to modify cluster-admin ClusterRole and ClusterRoleBinding objects by using a PUT or PATCH request.
Privilege Escalation: Create Kubernetes CSR for master cert (Preview)
  A potentially malicious actor created a Kubernetes master certificate signing request (CSR), which gives them cluster-admin access.
Privilege Escalation: Creation of sensitive Kubernetes bindings (Preview)
  A malicious actor attempted to create new cluster-admin RoleBinding or ClusterRoleBinding objects to escalate their privilege.
Privilege Escalation: Get Kubernetes CSR with compromised bootstrap credentials (Preview)
  A malicious actor queried for a certificate signing request (CSR), with the kubectl command, using compromised bootstrap credentials.
Privilege Escalation: Launch of privileged Kubernetes container (Preview)
  A malicious actor created Pods containing privileged containers or containers with privilege escalation capabilities. A privileged container has the privileged field set to true. A container with privilege escalation capabilities has the allowPrivilegeEscalation field set to true.
Process Tree
  The detector checks the process tree of all running processes. If a process is a shell binary, the detector checks its parent process. If the parent process is a binary that should not spawn a shell process, the detector triggers a finding.
Unexpected Child Shell
  The detector checks the process tree of all running processes. If a process is a shell binary, the detector checks its parent process. If the parent process is a binary that should not spawn a shell process, the detector triggers a finding.
Unexpected Cloud API Call
  Detects when a specified principal calls a specified method against a specified resource. A finding is generated only if all regular expressions are matched in a single log entry.
Unexpected Compute Engine instance type
  Detects the creation of Compute Engine instances that do not match a specified instance type or configuration.
Unexpected Compute Engine region
  Detects the creation of a Compute Engine instance in a region that is not in a specified list.
Unexpected Compute Engine source image
  Detects the creation of a Compute Engine instance with an image or image family that does not match a specified list.
Unexpected Role Grant: Forbidden roles
  Detects when a specified role is granted to a user.
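The Unexpected Cloud API Call entry above describes a detector that fires only when the principal, method and resource regular expressions all match within one log entry. The following Python is an added illustration of that matching rule, written for this page; it is not Event Threat Detection's own code. The log entries, the service-account name, the project and the rule patterns are all constructed for the example, and the field names are flattened from the Cloud Audit Logs protoPayload layout (authenticationInfo.principalEmail, methodName, resourceName).

```python
import re
from typing import Dict, List

# Constructed sample Cloud Audit Log entries (illustrative, not real data).
# Only the three fields the detector inspects are kept.
SAMPLE_LOG_ENTRIES: List[Dict[str, str]] = [
    {   # all three fields match the sample rule
        "insertId": "entry-1",
        "principalEmail": "svc-deploy@example-project.iam.gserviceaccount.com",
        "methodName": "v1.compute.instances.setMetadata",
        "resourceName": "projects/example-project/zones/us-central1-a/instances/web-1",
    },
    {   # principal does not match: a human user, not the watched service account
        "insertId": "entry-2",
        "principalEmail": "alice@example.com",
        "methodName": "v1.compute.instances.setMetadata",
        "resourceName": "projects/example-project/zones/us-central1-a/instances/web-1",
    },
    {   # method does not match: a read-only call by the watched principal
        "insertId": "entry-3",
        "principalEmail": "svc-deploy@example-project.iam.gserviceaccount.com",
        "methodName": "v1.compute.instances.get",
        "resourceName": "projects/example-project/zones/us-central1-a/instances/web-1",
    },
    {   # resource does not match: same principal and method, different project
        "insertId": "entry-4",
        "principalEmail": "svc-deploy@example-project.iam.gserviceaccount.com",
        "methodName": "v1.compute.instances.setMetadata",
        "resourceName": "projects/other-project/zones/us-central1-a/instances/web-9",
    },
]


def compile_rule(principal: str, method: str, resource: str) -> Dict[str, re.Pattern]:
    """Compile the three operator-supplied regular expressions once."""
    return {
        "principalEmail": re.compile(principal),
        "methodName": re.compile(method),
        "resourceName": re.compile(resource),
    }


def entry_matches(rule: Dict[str, re.Pattern], entry: Dict[str, str]) -> bool:
    """True only if every pattern matches its field within this single entry.

    re.search is used, so the operator decides how tightly to anchor each
    pattern; the sample rule below anchors all three with ^ and $.
    """
    return all(
        pattern.search(entry.get(field, "")) is not None
        for field, pattern in rule.items()
    )


def evaluate(rule: Dict[str, re.Pattern], entries: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Return one finding per log entry that satisfies all three patterns.

    Entries are judged independently: a principal match in one entry and a
    method match in another never combine into a finding.
    """
    findings = []
    for entry in entries:
        if entry_matches(rule, entry):
            findings.append({
                "category": "Unexpected Cloud API Call",
                "insertId": entry["insertId"],
                "principalEmail": entry["principalEmail"],
                "methodName": entry["methodName"],
                "resourceName": entry["resourceName"],
            })
    return findings


# Hypothetical rule: alert when the deploy service account rewrites instance
# metadata (where SSH keys and startup scripts live) in the watched project.
SAMPLE_RULE = compile_rule(
    principal=r"^svc-deploy@example-project\.iam\.gserviceaccount\.com$",
    method=r"^v1\.compute\.instances\.setMetadata$",
    resource=r"^projects/example-project/",
)

if __name__ == "__main__":
    for finding in evaluate(SAMPLE_RULE, SAMPLE_LOG_ENTRIES):
        print(finding)
```

Running the block yields a single finding, for entry-1; entries 2 to 4 each fail exactly one of the three patterns, which is why the page stresses that every expression must match in the same log entry.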

Supported GCP_SECURITYCENTER_ERROR findings

You can find the UDM mapping in the Field mapping reference: ERROR table.

Finding name
  Description
API_DISABLED
  A required API is disabled for the project. The disabled service can't send findings to Security Command Center.
GKE_SERVICE_ACCOUNT_MISSING_PERMISSIONS
  Container Threat Detection can't generate findings for a Google Kubernetes Engine cluster, because the GKE default service account on the cluster is missing permissions. This prevents Container Threat Detection from being successfully enabled on the cluster.
KTD_BLOCKED_BY_ADMISSION_CONTROLLER
  Container Threat Detection can't be enabled on a Kubernetes cluster. A third-party admission controller is preventing the deployment of a Kubernetes DaemonSet object that Container Threat Detection requires. When viewed in the Google Cloud console, the finding details include the error message that was returned by Google Kubernetes Engine when Container Threat Detection attempted to deploy a Container Threat Detection DaemonSet object.
KTD_IMAGE_PULL_FAILURE
  Container Threat Detection can't be enabled on the cluster because a required container image can't be pulled (downloaded) from gcr.io, the Container Registry image host. The image is needed to deploy the Container Threat Detection DaemonSet that Container Threat Detection requires.
KTD_SERVICE_ACCOUNT_MISSING_PERMISSIONS
  A service account is missing permissions that Container Threat Detection requires. Container Threat Detection could stop functioning properly because the detection instrumentation cannot be enabled, upgraded, or disabled.
MISCONFIGURED_CLOUD_LOGGING_EXPORT
  The project configured for continuous export to Cloud Logging is unavailable. Security Command Center can't send findings to Logging.
SCC_SERVICE_ACCOUNT_MISSING_PERMISSIONS
  The Security Command Center service account is missing permissions required to function properly. No findings are produced.
VPC_SC_RESTRICTION
  Security Health Analytics can't produce certain findings for a project. The project is protected by a service perimeter, and the Security Command Center service account doesn't have access to the perimeter.

Supported GCP_SECURITYCENTER_OBSERVATION findings

You can find the UDM mapping in the Field mapping reference: OBSERVATION table.

Finding name
  Description
Persistence: Add Sensitive Role
  A sensitive or highly-privileged organization-level IAM role was granted in an organization that is more than 10 days old.
Persistence: Project SSH Key Added
  A project-level SSH key was created in a project that is more than 10 days old.

Supported GCP_SECURITYCENTER_UNSPECIFIED findings

You can find the UDM mapping in the Field mapping reference: UNSPECIFIED table.

Finding name
  Description
OPEN_FIREWALL
  A firewall is configured to be open to public access.

Supported GCP_SECURITYCENTER_VULNERABILITY findings

You can find the UDM mapping in the Field mapping reference: VULNERABILITY table.

Finding name Description
ACCESSIBLE_ENV_FILE An ENV file is exposed publicly. To resolve this finding, remove public unintentional access to the ENV file.
ACCESSIBLE_GIT_REPOSITORY A Git repository is exposed publicly. To resolve this finding, remove unintentional public access to the GIT repository.
ACCESSIBLE_SVN_REPOSITORY An SVN repository is exposed publicly. To resolve this finding, remove public unintentional access to the SVN repository.
ALPHA_CLUSTER_ENABLED Alpha cluster features are enabled for a GKE cluster.
APACHE_HTTPD_RCE A flaw was found in Apache HTTP Server 2.4.49 that allows an attacker to use a path traversal attack to map URLs to files outside the expected document root and see the source of interpreted files, like CGI scripts. This issue is known to be exploited in the wild. This issue affects Apache 2.4.49 and 2.4.50 but not earlier versions. For more information about this vulnerability, see:

CVE record CVE-2021-41773

Apache HTTP Server 2.4 vulnerabilities

APACHE_HTTPD_SSRF Attackers can craft a URI to the Apache web server that causes mod_proxy to forward the request to an origin server that is chosen by the attacker. This issue affects Apache HTTP server 2.4.48 and earlier. For more information about this vulnerability, see:

CVE record CVE-2021-40438

Apache HTTP Server 2.4 vulnerabilities

AUTO_REPAIR_DISABLED A GKE cluster's auto repair feature, which keeps nodes in a healthy, running state, is disabled.
AUTO_UPGRADE_DISABLED A GKE cluster's auto upgrade feature, which keeps clusters and node pools on the latest stable version of Kubernetes, is disabled.
BASIC_AUTHENTICATION_ENABLED IAM or client certificate authentication should be enabled on Kubernetes Clusters.
CACHEABLE_PASSWORD_INPUT Passwords entered on the web application can be cached in a regular browser cache instead of a secure password storage.
CLEAR_TEXT_PASSWORD Passwords are being transmitted in clear text and can be intercepted. To resolve this finding, encrypt the password transmitted over the network.
CLIENT_CERT_AUTHENTICATION_DISABLED Kubernetes Clusters should be created with Client Certificate enabled.
CLUSTER_SHIELDED_NODES_DISABLED Shielded GKE nodes are not enabled for a cluster
CONSUL_RCE Attackers can execute arbitrary code on a Consul server because the Consul instance is configured with -enable-script-checks set to true and the Consul HTTP API is unsecured and accessible over the network. In Consul 0.9.0 and earlier, script checks are on by default. For more information, see Protecting Consul from RCE Risk in Specific Configurations. To check for this vulnerability, Rapid Vulnerability Detection registers a service on the Consul instance by using the /v1/health/service REST endpoint, which then executes one of the following: * A curl command to a remote server outside of the network. An attacker can use the curl command to exfiltrate data from the server. * A printf command. Rapid Vulnerability Detection then verifies the output of the command by using the /v1/health/service REST endpoint. * After the check, Rapid Vulnerability Detection cleans up and deregisters the service by using the /v1/agent/service/deregister/ REST endpoint.
COS_NOT_USED Compute Engine VMs aren't using the Container-Optimized OS that is designed for running Docker containers on Google Cloud securely.
DATAPROC_IMAGE_OUTDATED A Dataproc cluster was created with a Dataproc image version that is impacted by security vulnerabilities in the Apache Log4j 2 utility (CVE-2021-44228 and CVE-2021-45046).
DISK_CSEK_DISABLED Disks on this VM are not encrypted with Customer Supplied Encryption Keys (CSEK). This detector requires additional configuration to enable. For instructions, see Special-case detector.
DNSSEC_DISABLED DNSSEC is disabled for Cloud DNS zones.
DRUID_RCE Apache Druid includes the ability to execute user-provided JavaScript code embedded in various types of requests. This functionality is intended for use in high-trust environments, and is disabled by default. However, in Druid 0.20.0 and earlier, it is possible for an authenticated user to send a specially-crafted request that forces Druid to run user-provided JavaScript code for that request, regardless of server configuration. This can be leveraged to execute code on the target machine with the privileges of the Druid server process. For more information, see CVE-2021-25646 Detail.
DRUPAL_RCE

Drupal versions before 7.58, 8.x before 8.3.9, 8.4.x before 8.4.6, and 8.5.x before 8.5.1 are vulnerable to remote code execution on Form API AJAX requests.

Drupal versions 8.5.x before 8.5.11 and 8.6.x before 8.6.10 are vulnerable to remote code execution when either the RESTful Web Service module or the JSON:API is enabled. This vulnerability can be exploited by an unauthenticated attacker using a custom POST request.

ELASTICSEARCH_API_EXPOSED The Elasticsearch API lets callers perform arbitrary queries, write and execute scripts, and add additional documents to the service.
EXPOSED_GRAFANA_ENDPOINT In Grafana 8.0.0 to 8.3.0, users can access without authentication an endpoint that has a directory traversal vulnerability that allows any user to read any file on the server without authentication. For more information, see CVE-2021-43798.
EXPOSED_METABASE Versions x.40.0 to x.40.4 of Metabase, an open source data analytics platform, contain a vulnerability in the custom GeoJSON map support and potential local file inclusion, including environment variables. URLs were not validated prior to being loaded. For more information, see CVE-2021-41277.
EXPOSED_SPRING_BOOT_ACTUATOR_ENDPOINT This detector checks whether sensitive Actuator endpoints of Spring Boot applications are exposed. Some of the default endpoints, like /heapdump, might expose sensitive information. Other endpoints, like /env, might lead to remote code execution. Currently, only /heapdump is checked.
FLINK_FILE_DISCLOSURE A vulnerability in Apache Flink versions 1.11.0, 1.11.1, and 1.11.2 lets attackers read any file on the local filesystem of the JobManager through the REST interface of the JobManager process. Access is restricted to files accessible by the JobManager process.
GITLAB_RCE In GitLab Community Edition (CE) and Enterprise Edition (EE) versions 11.9 and later, GitLab does not properly validate image files that are passed to a file parser. An attacker can exploit this vulnerability for remote command execution.
GKE_RUNTIME_OS_VULNERABILITY
GKE_SECURITY_BULLETIN
GoCD_RCE In GoCD 21.2.0 and earlier, there is an endpoint that can be accessed without authentication. This endpoint has a directory traversal vulnerability that allows a user to read any file on the server without authentication.
HADOOP_YARN_UNAUTHENTICATED_RESOURCE_MANAGER_API This detector checks whether the Hadoop Yarn ResourceManager API, which controls the computation and storage resources of a Hadoop cluster, is exposed and allows unauthenticated code execution.
INSECURE_ALLOW_ORIGIN_ENDS_WITH_VALIDATION A cross-site HTTP or HTTPS endpoint validates only a suffix of the Origin request header before reflecting it inside the Access-Control-Allow-Origin response header. To resolve this finding, validate that the expected root domain is part of the Origin header value before reflecting it in the Access-Control-Allow-Origin response header. For subdomain wildcards, prepend the dot to the root domain—for example, .endsWith("".google.com"").
INSECURE_ALLOW_ORIGIN_STARTS_WITH_VALIDATION A cross-site HTTP or HTTPS endpoint validates only a prefix of the Origin request header before reflecting it inside the Access-Control-Allow-Origin response header. To resolve this finding, validate that the expected domain fully matches the Origin header value before reflecting it in the Access-Control-Allow-Origin response header—for example, .equals("".google.com"").
INTEGRITY_MONITORING_DISABLED Integrity monitoring is disabled for a GKE cluster.
INVALID_CONTENT_TYPE A resource was loaded that doesn't match the response's Content-Type HTTP header. To resolve this finding, set X-Content-Type-Options HTTP header with the correct value.
INVALID_HEADER A security header has a syntax error and is ignored by browsers. To resolve this finding, set HTTP security headers correctly.
IP_ALIAS_DISABLED A GKE cluster was created with alias IP ranges disabled.
JAVA_JMX_RMI_EXPOSED The Java Management Extension (JMX) allows remote monitoring and diagnostics for Java applications. Running JMX with unprotected Remote Method Invocation endpoint allows any remote users to create a javax.management.loading.MLet MBean and use it to create new MBeans from arbitrary URLs.
JENKINS_RCE Jenkins versions 2.56 and earlier, and 2.46.1 LTS and earlier are vulnerable to remote code execution. This vulnerability can be triggered by an unauthenticated attacker using a malicious serialized Java object.
JOOMLA_RCE

Joomla versions 1.5.x, 2.x, and 3.x before 3.4.6 are vulnerable to remote code execution. This vulnerability can be triggered with a crafted header containing serialized PHP objects.

Joomla versions 3.0.0 through 3.4.6 are vulnerable to remote code execution. This vulnerability can be triggered by sending a POST request that contains a crafted serialized PHP object.

JUPYTER_NOTEBOOK_EXPOSED_UI This detector checks whether an unauthenticated Jupyter Notebook is exposed. Jupyter allows remote code execution by design on the host machine. An unauthenticated Jupyter Notebook puts the hosting VM at risk of remote code execution.
KMS_PUBLIC_KEY A Cloud KMS cryptographic key is publicly accessible.
KUBERNETES_API_EXPOSED The Kubernetes API is exposed, and can be accessed by unauthenticated callers. This allows arbitrary code execution on the Kubernetes cluster.
LABELS_NOT_USED Labels can be used to break down billing information.
LEGACY_METADATA_ENABLED Legacy metadata is enabled on GKE clusters.
LOG4J_RCE In Apache Log4j2 2.14.1 and earlier, JNDI features that are used in configurations, log messages, and parameters do not protect against attacker-controlled LDAP and other JNDI related endpoints. For more information, see CVE-2021-44228.
MANTISBT_PRIVILEGE_ESCALATION MantisBT through version 2.3.0 allows arbitrary password reset and unauthenticated admin access by supplying an empty confirm_hash value to verify.php.
MISMATCHING_SECURITY_HEADER_VALUES A security header has duplicated, mismatching values, which result in undefined behavior. To resolve this finding, set HTTP security headers correctly.
MISSPELLED_SECURITY_HEADER_NAME A security header is misspelled and is ignored. To resolve this finding, set HTTP security headers correctly.
MIXED_CONTENT Resources are being served over HTTP on an HTTPS page. To resolve this finding, make sure that all resources are served over HTTPS.
OGNL_RCE Confluence Server and Data Center instances contain an OGNL injection vulnerability that allows an unauthenticated attacker to execute arbitrary code. For more information, see CVE-2021-26084.
OPENAM_RCE OpenAM server 14.6.2 and earlier and ForgeRock AM server 6.5.3 and earlier have a Java deserialization vulnerability in the jato.pageSession parameter on multiple pages. The exploitation does not require authentication, and remote code execution can be triggered by sending a single crafted /ccversion/* request to the server. The vulnerability exists due to the usage of Sun ONE Application. For more information, see CVE-2021-35464.
ORACLE_WEBLOGIC_RCE Certain versions of the Oracle WebLogic Server product of Oracle Fusion Middleware (component: Console) contain a vulnerability, including versions 10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0 and 14.1.1.0.0. This easily exploitable vulnerability allows an unauthenticated attacker with network access via HTTP to compromise an Oracle WebLogic Server. Successful attacks of this vulnerability can result in a takeover of Oracle WebLogic Server. For more information, see CVE-2020-14882.
OS_VULNERABILITY VM Manager detected a vulnerability in the installed operating system (OS) package for a Compute Engine VM.
OUTDATED_LIBRARY A library was detected that has known vulnerabilities. To resolve this finding, upgrade libraries to a newer version.
PHP_CGI_RCE PHP versions before 5.3.12, and versions 5.4.x before 5.4.2, when configured as a CGI script, allow remote code execution. The vulnerable code does not properly handle query strings that lack an = (equals sign) character. This lets attackers add command line options that are executed on the server.
PHPUNIT_RCE PHPUnitversions prior to 5.6.3 allow remote code execution with a single unauthenticated POST request.
PORTAL_RCE Deserialization of untrusted data in Liferay Portal versions prior to 7.2.1 CE GA2 allows remote attackers to execute arbitrary code through JSON web services.
PUBLIC_DATASET A dataset is configured to be open to public access.
PUBLIC_LOG_BUCKET A storage bucket used as a log sink is publicly accessible.
PUBLIC_STORAGE_OBJECT Storage object ACL should not grant access to allUsers.
REDIS_RCE If a Redis instance does not require authentication to execute admin commands, attackers might be able to execute arbitrary code.
REDIS_ROLE_USED_ON_ORG A Redis IAM role is assigned at the organization or folder level.
RELEASE_CHANNEL_DISABLED A GKE cluster is not subscribed to a release channel.
RSASHA1_FOR_SIGNING RSASHA1 is used for key signing in Cloud DNS zones.
SERVER_SIDE_REQUEST_FORGERY A server-side request forgery (SSRF) vulnerability was detected. To resolve this finding, use an allowlist to limit the domains and IP addresses that the web application can make requests to.
SERVICE_AGENT_ROLE_REPLACED_WITH_BASIC_ROLE IAM recommender detected that the original default IAM role granted to a service agent was replaced with one of the basic IAM roles: Owner, Editor, or Viewer. Basic roles are excessively permissive legacy roles and should not be granted to service agents.
SESSION_ID_LEAK When making a cross-domain request, the web application includes the user's session identifier in its Referer request header. This vulnerability gives the receiving domain access to the session identifier, which can be used to impersonate or uniquely identify the user.
SOLR_FILE_EXPOSED Authentication is not enabled in Apache Solr, an open source search server. When Apache Solr does not require authentication, an attacker can directly craft a request to enable a specific configuration, and eventually implement a server-side request forgery (SSRF) or read arbitrary files.
SOLR_RCE Apache Solr versions 5.0.0 through Apache Solr 8.3.1 are vulnerable to remote code execution through the VelocityResponseWriter if params.resource.loader.enabled is set to true. This allows attackers to create a parameter that contains a malicious Velocity template.
SQL_BROAD_ROOT_LOGIN Root access to a SQL database should be limited to allowlisted trusted IPs.
SQL_CONTAINED_DATABASE_AUTHENTICATION The contained database authentication database flag for a Cloud SQL for SQL Server instance is not set to off.
SQL_CROSS_DB_OWNERSHIP_CHAINING The cross_db_ownership_chaining database flag for a Cloud SQL for SQL Server instance is not set to off.
SQL_EXTERNAL_SCRIPTS_ENABLED The external scripts enabled database flag for a Cloud SQL for SQL Server instance is not set to off.
SQL_INJECTION A potential SQL injection vulnerability was detected. To resolve this finding, use parameterized queries to prevent user inputs from influencing the structure of the SQL query.
SQL_LOCAL_INFILE The local_infile database flag for a Cloud SQL for MySQL instance is not set to off.
SQL_LOG_ERROR_VERBOSITY The log_error_verbosity database flag for a Cloud SQL for PostgreSQL instance is not set to default or stricter.
SQL_LOG_EXECUTOR_STATS_ENABLED The log_executor_status database flag for a Cloud SQL for PostgreSQL instance is not set to off.
SQL_LOG_HOSTNAME_ENABLED The log_hostname database flag for a Cloud SQL for PostgreSQL instance is not set to off.
SQL_LOG_MIN_DURATION_STATEMENT_ENABLED The log_min_duration_statement database flag for a Cloud SQL for PostgreSQL instance is not set to "-1".
SQL_LOG_MIN_ERROR_STATEMENT The log_min_error_statement database flag for a Cloud SQL for PostgreSQL instance is not set appropriately.
SQL_LOG_MIN_ERROR_STATEMENT_SEVERITY The log_min_error_statement database flag for a Cloud SQL for PostgreSQL instance does not have an appropriate severity level.
SQL_LOG_MIN_MESSAGES The log_min_messages database flag for a Cloud SQL for PostgreSQL instance is not set to warning.
SQL_LOG_PARSER_STATS_ENABLED The log_parser_stats database flag for a Cloud SQL for PostgreSQL instance is not set to off.
SQL_LOG_PLANNER_STATS_ENABLED The log_planner_stats database flag for a Cloud SQL for PostgreSQL instance is not set to off.
SQL_LOG_STATEMENT_STATS_ENABLED The log_statement_stats database flag for a Cloud SQL for PostgreSQL instance is not set to off.
SQL_LOG_TEMP_FILES The log_temp_files database flag for a Cloud SQL for PostgreSQL instance is not set to "0".
SQL_REMOTE_ACCESS_ENABLED The remote access database flag for a Cloud SQL for SQL Server instance is not set to off.
SQL_SKIP_SHOW_DATABASE_DISABLED The skip_show_database database flag for a Cloud SQL for MySQL instance is not set to on.
SQL_TRACE_FLAG_3625 The 3625 (trace flag) database flag for a Cloud SQL for SQL Server instance is not set to on.
SQL_USER_CONNECTIONS_CONFIGURED The user connections database flag for a Cloud SQL for SQL Server instance is configured.
SQL_USER_OPTIONS_CONFIGURED The user options database flag for a Cloud SQL for SQL Server instance is configured.
SQL_WEAK_ROOT_PASSWORD A Cloud SQL database has a weak password configured for the root account. This detector requires additional configuration to enable. For instructions, see Enable and disable detectors.
STRUTS_INSECURE_DESERIALIZATION The use of a vulnerable version of Apache Struts was detected. To resolve this finding, upgrade Apache Struts to the latest version.
STRUTS_RCE
  • Apache Struts versions before 2.3.32 and 2.5.x before 2.5.10.1 are vulnerable to remote code execution. The vulnerability can be triggered by an unauthenticated attacker providing a crafted Content-Type header.
  • The REST plugin in Apache Struts versions 2.1.1 through 2.3.x before 2.3.34 and 2.5.x before 2.5.13 are vulnerable to remote code execution when deserializing crafted XML payloads.
  • Apache Struts versions 2.3 to 2.3.34 and 2.5 to 2.5.16 are vulnerable to remote code execution when alwaysSelectFullNamespace is set to true and certain other action configurations exist.
TOMCAT_FILE_DISCLOSURE Apache Tomcat versions 9.x before 9.0.31, 8.x before 8.5.51, 7.x before 7.0.100, and all 6.x are vulnerable to source code and configuration disclosure through an exposed Apache JServ Protocol connector. In some cases, this is leveraged to perform remote code execution if file uploading is allowed.
UNAUTHENTICATED_JENKINS_NEW_ITEM_CONSOLE This detector checks for an unauthenticated Jenkins instance by sending a probe request to the /view/all/newJob endpoint as an anonymous visitor. An unauthenticated Jenkins instance shows the createItem form, which allows the creation of arbitrary jobs that could lead to remote code execution.
UNFINISHED_WORDPRESS_INSTALLATION This detector checks whether a WordPress installation is unfinished. An unfinished WordPress installation exposes the /wp-admin/install.php page, which allows an attacker to set the admin password and, possibly, compromise the system.
UNUSED_IAM_ROLE IAM recommender detected a user account that has an IAM role that has not been used in the last 90 days.
VBULLETIN_RCE vBulletin servers running versions 5.0.0 up to 5.5.4 are vulnerable to remote code execution. This vulnerability can be exploited by an unauthenticated attacker using a query parameter in a routestring request.
VCENTER_RCE VMware vCenter Server versions 7.x before 7.0 U1c, 6.7 before 6.7 U3l and 6.5 before 6.5 U3n are vulnerable to remote code execution. This vulnerability can be triggered by an attacker uploading a crafted Java Server Pages file to a web-accessible directory, then triggering execution of that file.
WEAK_CREDENTIALS This detector checks for weak credentials using ncrack brute force methods. Supported services: SSH, RDP, FTP, WordPress, TELNET, POP3, IMAP, VCS, SMB, SMB2, VNC, SIP, REDIS, PSQL, MYSQL, MSSQL, MQTT, MONGODB, WINRM, DICOM.
WEBLOGIC_RCE Certain versions of the Oracle WebLogic Server product of Oracle Fusion Middleware (component: Console) contain a remote code execution vulnerability, including versions 10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0, and 14.1.1.0.0. This vulnerability is related to CVE-2020-14750, CVE-2020-14882, CVE-2020-14883. For more information, see CVE-2020-14883.
XSS A field in this web application is vulnerable to a cross-site scripting (XSS) attack. To resolve this finding, validate and escape untrusted user-supplied data.
XSS_ANGULAR_CALLBACK A user-provided string isn't escaped and AngularJS can interpolate it. To resolve this finding, validate and escape untrusted user-supplied data handled by the AngularJS framework.
XSS_ERROR A field in this web application is vulnerable to a cross-site scripting attack. To resolve this finding, validate and escape untrusted user-supplied data.
XXE_REFLECTED_FILE_LEAKAGE An XML External Entity (XXE) vulnerability was detected. This vulnerability can cause the web application to leak a file on the host. To resolve this finding, configure your XML parsers to disallow external entities.

Supported GCP_SECURITYCENTER_MISCONFIGURATION findings

You can find the UDM mapping in the Field mapping reference: MISCONFIGURATION table.

Finding name Description
ADMIN_SERVICE_ACCOUNT A service account has Admin, Owner, or Editor privileges. These roles shouldn't be assigned to user-created service accounts.
API_KEY_APIS_UNRESTRICTED There are API keys being used too broadly. To resolve this, limit API key usage to allow only the APIs needed by the application.
API_KEY_APPS_UNRESTRICTED There are API keys being used in an unrestricted way, allowing use by any untrusted app.
API_KEY_EXISTS A project is using API keys instead of standard authentication.
API_KEY_NOT_ROTATED The API key hasn't been rotated for more than 90 days.
AUDIT_CONFIG_NOT_MONITORED Log metrics and alerts aren't configured to monitor Audit Configuration changes.
AUDIT_LOGGING_DISABLED Audit logging has been disabled for this resource.
AUTO_BACKUP_DISABLED A Cloud SQL database doesn't have automatic backups enabled.
AUTO_REPAIR_DISABLED A GKE cluster's auto repair feature, which keeps nodes in a healthy, running state, is disabled.
AUTO_UPGRADE_DISABLED A GKE cluster's auto upgrade feature, which keeps clusters and node pools on the latest stable version of Kubernetes, is disabled.
BIGQUERY_TABLE_CMEK_DISABLED A BigQuery table is not configured to use a customer-managed encryption key (CMEK). This detector requires additional configuration to enable.
BINARY_AUTHORIZATION_DISABLED Binary Authorization is disabled on a GKE cluster.
BUCKET_CMEK_DISABLED A bucket is not encrypted with customer-managed encryption keys (CMEK). This detector requires additional configuration to enable. For instructions, see Enable and disable detectors.
BUCKET_IAM_NOT_MONITORED Log metrics and alerts aren't configured to monitor Cloud Storage IAM permission changes.
BUCKET_LOGGING_DISABLED There is a storage bucket without logging enabled.
BUCKET_POLICY_ONLY_DISABLED Uniform bucket-level access, previously called Bucket Policy Only, isn't configured.
CLUSTER_LOGGING_DISABLED Logging isn't enabled for a GKE cluster.
CLUSTER_MONITORING_DISABLED Monitoring is disabled on GKE clusters.
CLUSTER_PRIVATE_GOOGLE_ACCESS_DISABLED Cluster hosts are not configured to use only private, internal IP addresses to access Google APIs.
CLUSTER_SECRETS_ENCRYPTION_DISABLED Application-layer secrets encryption is disabled on a GKE cluster.
CLUSTER_SHIELDED_NODES_DISABLED Shielded GKE nodes are not enabled for a cluster.
COMPUTE_PROJECT_WIDE_SSH_KEYS_ALLOWED Project-wide SSH keys are used, allowing login to all instances in the project.
COMPUTE_SECURE_BOOT_DISABLED This Shielded VM does not have Secure Boot enabled. Using Secure Boot helps protect virtual machine instances against advanced threats such as rootkits and bootkits.
COMPUTE_SERIAL_PORTS_ENABLED Serial ports are enabled for an instance, allowing connections to the instance's serial console.
CONFIDENTIAL_COMPUTING_DISABLED Confidential Computing is disabled on a Compute Engine instance.
CUSTOM_ROLE_NOT_MONITORED Log metrics and alerts aren't configured to monitor Custom Role changes.
DATASET_CMEK_DISABLED A BigQuery dataset is not configured to use a default CMEK. This detector requires additional configuration to enable.
DEFAULT_NETWORK The default network exists in a project.
DEFAULT_SERVICE_ACCOUNT_USED An instance is configured to use the default service account.
DISK_CMEK_DISABLED Disks on this VM are not encrypted with customer-managed encryption keys (CMEK). This detector requires additional configuration to enable. For instructions, see Enable and disable detectors.
DNS_LOGGING_DISABLED DNS logging on a VPC network is not enabled.
EGRESS_DENY_RULE_NOT_SET An egress deny rule is not set on a firewall. Egress deny rules should be set to block unwanted outbound traffic.
FIREWALL_NOT_MONITORED Log metrics and alerts aren't configured to monitor Virtual Private Cloud (VPC) Network Firewall rule changes.
FIREWALL_RULE_LOGGING_DISABLED Firewall rule logging is disabled. Firewall rule logging should be enabled so you can audit network access.
FLOW_LOGS_DISABLED There is a VPC subnetwork that has flow logs disabled.
FULL_API_ACCESS An instance is configured to use the default service account with full access to all Google Cloud APIs.
HTTP_LOAD_BALANCER An instance uses a load balancer that is configured to use a target HTTP proxy instead of a target HTTPS proxy.
INTRANODE_VISIBILITY_DISABLED Intranode visibility is disabled for a GKE cluster.
IP_FORWARDING_ENABLED IP forwarding is enabled on instances.
KMS_KEY_NOT_ROTATED Rotation isn't configured on a Cloud KMS encryption key. Keys should be rotated within a period of 90 days.
kms_key_region_europe Due to company policy, all encryption keys should remain stored in Europe.
kms_non_euro_region Due to company policy, all encryption keys should remain stored in Europe.
KMS_PROJECT_HAS_OWNER A user has Owner permissions on a project that has cryptographic keys.
KMS_ROLE_SEPARATION Separation of duties is not enforced, and a user exists who has any of the following Cloud Key Management Service (Cloud KMS) roles at the same time: CryptoKey Encrypter/Decrypter, Encrypter, or Decrypter.
LEGACY_AUTHORIZATION_ENABLED Legacy Authorization is enabled on GKE clusters.
LEGACY_NETWORK A legacy network exists in a project.
LOAD_BALANCER_LOGGING_DISABLED Logging is disabled for the load balancer.
LOCKED_RETENTION_POLICY_NOT_SET A locked retention policy is not set for logs.
LOG_NOT_EXPORTED There is a resource that doesn't have an appropriate log sink configured.
MASTER_AUTHORIZED_NETWORKS_DISABLED Control Plane Authorized Networks is not enabled on GKE clusters.
MFA_NOT_ENFORCED There are users who aren't using 2-step verification.
NETWORK_NOT_MONITORED Log metrics and alerts aren't configured to monitor VPC network changes.
NETWORK_POLICY_DISABLED Network policy is disabled on GKE clusters.
NODEPOOL_BOOT_CMEK_DISABLED Boot disks in this node pool are not encrypted with customer-managed encryption keys (CMEK). This detector requires additional configuration to enable. For instructions, see Enable and disable detectors.
NODEPOOL_SECURE_BOOT_DISABLED Secure Boot is disabled for a GKE cluster.
NON_ORG_IAM_MEMBER There is a user who isn't using organizational credentials. As per CIS Google Cloud Foundations 1.0, currently, only identities with @gmail.com email addresses trigger this detector.
OBJECT_VERSIONING_DISABLED Object versioning isn't enabled on a storage bucket where sinks are configured.
OPEN_CASSANDRA_PORT A firewall is configured to have an open Cassandra port that allows generic access.
OPEN_CISCOSECURE_WEBSM_PORT A firewall is configured to have an open CISCOSECURE_WEBSM port that allows generic access.
OPEN_DIRECTORY_SERVICES_PORT A firewall is configured to have an open DIRECTORY_SERVICES port that allows generic access.
OPEN_DNS_PORT A firewall is configured to have an open DNS port that allows generic access.
OPEN_ELASTICSEARCH_PORT A firewall is configured to have an open ELASTICSEARCH port that allows generic access.
OPEN_FIREWALL A firewall is configured to be open to public access.
OPEN_FTP_PORT A firewall is configured to have an open FTP port that allows generic access.
OPEN_GROUP_IAM_MEMBER A Google Groups account that can be joined without approval is used as an IAM allow policy principal.
OPEN_HTTP_PORT A firewall is configured to have an open HTTP port that allows generic access.
OPEN_LDAP_PORT A firewall is configured to have an open LDAP port that allows generic access.
OPEN_MEMCACHED_PORT A firewall is configured to have an open MEMCACHED port that allows generic access.
OPEN_MONGODB_PORT A firewall is configured to have an open MONGODB port that allows generic access.
OPEN_MYSQL_PORT A firewall is configured to have an open MYSQL port that allows generic access.
OPEN_NETBIOS_PORT A firewall is configured to have an open NETBIOS port that allows generic access.
OPEN_ORACLEDB_PORT A firewall is configured to have an open ORACLEDB port that allows generic access.
OPEN_POP3_PORT A firewall is configured to have an open POP3 port that allows generic access.
OPEN_POSTGRESQL_PORT A firewall is configured to have an open PostgreSQL port that allows generic access.
OPEN_RDP_PORT A firewall is configured to have an open RDP port that allows generic access.
OPEN_REDIS_PORT A firewall is configured to have an open REDIS port that allows generic access.
OPEN_SMTP_PORT A firewall is configured to have an open SMTP port that allows generic access.
OPEN_SSH_PORT A firewall is configured to have an open SSH port that allows generic access.
OPEN_TELNET_PORT A firewall is configured to have an open TELNET port that allows generic access.
OS_LOGIN_DISABLED OS Login is disabled on this instance.
OVER_PRIVILEGED_ACCOUNT A service account has overly broad project access in a cluster.
OVER_PRIVILEGED_SCOPES A node service account has broad access scopes.
OVER_PRIVILEGED_SERVICE_ACCOUNT_USER A user has the Service Account User or Service Account Token Creator role at the project level, instead of for a specific service account.
OWNER_NOT_MONITORED Log metrics and alerts aren't configured to monitor Project Ownership assignments or changes.
POD_SECURITY_POLICY_DISABLED PodSecurityPolicy is disabled on a GKE cluster.
PRIMITIVE_ROLES_USED A user has a basic role (Owner, Editor, or Viewer). These roles are too permissive and shouldn't be used.
PRIVATE_CLUSTER_DISABLED A GKE cluster is not configured as a private cluster.
PRIVATE_GOOGLE_ACCESS_DISABLED There are private subnetworks without access to Google public APIs.
PUBLIC_BUCKET_ACL A Cloud Storage bucket is publicly accessible.
PUBLIC_COMPUTE_IMAGE A Compute Engine image is publicly accessible.
PUBLIC_IP_ADDRESS An instance has a public IP address.
PUBLIC_SQL_INSTANCE A Cloud SQL database instance accepts connections from all IP addresses.
PUBSUB_CMEK_DISABLED A Pub/Sub topic is not encrypted with customer-managed encryption keys (CMEK). This detector requires additional configuration to enable. For instructions, see Enable and disable detectors.
RELEASE_CHANNEL_DISABLED A GKE cluster is not subscribed to a release channel.
ROUTE_NOT_MONITORED Log metrics and alerts aren't configured to monitor VPC network route changes.
SERVICE_ACCOUNT_KEY_NOT_ROTATED A service account key hasn't been rotated for more than 90 days.
SERVICE_ACCOUNT_ROLE_SEPARATION A user has been assigned the Service Account Admin and Service Account User roles. This violates the "Separation of Duties" principle.
SHIELDED_VM_DISABLED Shielded VM is disabled on this instance.
SQL_CMEK_DISABLED A SQL database instance is not encrypted with customer-managed encryption keys (CMEK). This detector requires additional configuration to enable. For instructions, see Enable and disable detectors.
SQL_CONTAINED_DATABASE_AUTHENTICATION The contained database authentication database flag for a Cloud SQL for SQL Server instance is not set to off.
SQL_CROSS_DB_OWNERSHIP_CHAINING The cross_db_ownership_chaining database flag for a Cloud SQL for SQL Server instance is not set to off.
SQL_INSTANCE_NOT_MONITORED Log metrics and alerts aren't configured to monitor Cloud SQL instance configuration changes.
SQL_LOCAL_INFILE The local_infile database flag for a Cloud SQL for MySQL instance is not set to off.
SQL_LOG_CHECKPOINTS_DISABLED The log_checkpoints database flag for a Cloud SQL for PostgreSQL instance is not set to on.
SQL_LOG_CONNECTIONS_DISABLED The log_connections database flag for a Cloud SQL for PostgreSQL instance is not set to on.
SQL_LOG_DISCONNECTIONS_DISABLED The log_disconnections database flag for a Cloud SQL for PostgreSQL instance is not set to on.
SQL_LOG_DURATION_DISABLED The log_duration database flag for a Cloud SQL for PostgreSQL instance is not set to on.
SQL_LOG_LOCK_WAITS_DISABLED The log_lock_waits database flag for a Cloud SQL for PostgreSQL instance is not set to on.
SQL_LOG_MIN_ERROR_STATEMENT The log_min_error_statement database flag for a Cloud SQL for PostgreSQL instance is not set appropriately.
SQL_LOG_MIN_ERROR_STATEMENT_SEVERITY The log_min_error_statement database flag for a Cloud SQL for PostgreSQL instance does not have an appropriate severity level.
SQL_LOG_STATEMENT The log_statement database flag for a Cloud SQL for PostgreSQL instance is not set to ddl (all data definition statements).
SQL_LOG_TEMP_FILES The log_temp_files database flag for a Cloud SQL for PostgreSQL instance is not set to "0".
SQL_NO_ROOT_PASSWORD A Cloud SQL database doesn't have a password configured for the root account. This detector requires additional configuration to enable. For instructions, see Enable and disable detectors.
SQL_PUBLIC_IP A Cloud SQL database has a public IP address.
SQL_REMOTE_ACCESS_ENABLED The remote access database flag for a Cloud SQL for SQL Server instance is not set to off.
SQL_SKIP_SHOW_DATABASE_DISABLED The skip_show_database database flag for a Cloud SQL for MySQL instance is not set to on.
SQL_TRACE_FLAG_3625 The 3625 (trace flag) database flag for a Cloud SQL for SQL Server instance is not set to on.
SQL_USER_CONNECTIONS_CONFIGURED The user connections database flag for a Cloud SQL for SQL Server instance is configured.
SQL_USER_OPTIONS_CONFIGURED The user options database flag for a Cloud SQL for SQL Server instance is configured.
SSL_NOT_ENFORCED A Cloud SQL database instance doesn't require all incoming connections to use SSL.
TOO_MANY_KMS_USERS There are more than three users of cryptographic keys.
USER_MANAGED_SERVICE_ACCOUNT_KEY A user manages a service account key.
WEAK_SSL_POLICY An instance has a weak SSL policy.
WEB_UI_ENABLED The GKE web UI (dashboard) is enabled.
WORKLOAD_IDENTITY_DISABLED Workload Identity is disabled on a GKE cluster.
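
The SQL_* flag rows in the vulnerability table above and in this misconfiguration table are the same kind of check in three shapes: a flag must equal one value, a flag must be one of several values, or a flag must not be set at all. The following Python is an added example, not Google's detector code. It evaluates a Cloud SQL instance document shaped like the sqladmin v1 Instance resource (databaseVersion plus settings.databaseFlags) against those rules and builds the gcloud sql instances patch call that clears them. The engine defaults assumed for flags that are not set (ENGINE_DEFAULTS) are an assumption taken from engine documentation, and the sample instances are constructed.

```python
"""Which Security Health Analytics SQL_* flag findings a Cloud SQL instance
would raise, and the gcloud call that clears them. Added example, not the
detector's code. ENGINE_DEFAULTS (the value assumed for an unset flag) is an
assumption taken from engine documentation; adjust it for your versions."""

# finding -> (databaseVersion prefix, flag, acceptable values, fix value)
# acceptable None: the finding fires whenever the flag is set at all.
RULES = {
    "SQL_LOG_CONNECTIONS_DISABLED": ("POSTGRES", "log_connections", {"on"}, "on"),
    "SQL_LOG_DISCONNECTIONS_DISABLED": ("POSTGRES", "log_disconnections", {"on"}, "on"),
    "SQL_LOG_LOCK_WAITS_DISABLED": ("POSTGRES", "log_lock_waits", {"on"}, "on"),
    "SQL_LOG_STATEMENT": ("POSTGRES", "log_statement", {"ddl"}, "ddl"),
    "SQL_LOG_TEMP_FILES": ("POSTGRES", "log_temp_files", {"0"}, "0"),
    "SQL_LOG_MIN_DURATION_STATEMENT_ENABLED": ("POSTGRES", "log_min_duration_statement", {"-1"}, "-1"),
    "SQL_LOG_ERROR_VERBOSITY": ("POSTGRES", "log_error_verbosity", {"default", "terse"}, "default"),
    "SQL_LOG_MIN_MESSAGES": ("POSTGRES", "log_min_messages", {"warning"}, "warning"),
    "SQL_LOG_EXECUTOR_STATS_ENABLED": ("POSTGRES", "log_executor_stats", {"off"}, "off"),
    "SQL_LOCAL_INFILE": ("MYSQL", "local_infile", {"off"}, "off"),
    "SQL_SKIP_SHOW_DATABASE_DISABLED": ("MYSQL", "skip_show_database", {"on"}, "on"),
    # Cloud SQL spells the SQL Server flags with spaces.
    "SQL_CONTAINED_DATABASE_AUTHENTICATION": ("SQLSERVER", "contained database authentication", {"off"}, "off"),
    "SQL_CROSS_DB_OWNERSHIP_CHAINING": ("SQLSERVER", "cross db ownership chaining", {"off"}, "off"),
    "SQL_EXTERNAL_SCRIPTS_ENABLED": ("SQLSERVER", "external scripts enabled", {"off"}, "off"),
    "SQL_REMOTE_ACCESS_ENABLED": ("SQLSERVER", "remote access", {"off"}, "off"),
    "SQL_TRACE_FLAG_3625": ("SQLSERVER", "3625", {"on"}, "on"),
    "SQL_USER_CONNECTIONS_CONFIGURED": ("SQLSERVER", "user connections", None, None),
    "SQL_USER_OPTIONS_CONFIGURED": ("SQLSERVER", "user options", None, None),
}
ENGINE_DEFAULTS = {  # assumed value of a flag that is not set (engine defaults)
    "log_connections": "off", "log_disconnections": "off", "log_lock_waits": "off",
    "log_statement": "none", "log_temp_files": "-1", "log_min_duration_statement": "-1",
    "log_error_verbosity": "default", "log_min_messages": "warning", "log_executor_stats": "off",
    "local_infile": "off", "skip_show_database": "off",
    "contained database authentication": "off", "cross db ownership chaining": "off",
    "external scripts enabled": "off", "remote access": "on", "3625": "off",
}


def configured_flags(instance):
    """Lower-cased {flag: value} from settings.databaseFlags."""
    return {f["name"].lower(): str(f["value"]).lower()
            for f in instance.get("settings", {}).get("databaseFlags", [])}


def evaluate_sql_flags(instance):
    """Sorted list of SQL_* findings this instance would raise."""
    engine = instance.get("databaseVersion", "").upper()
    flags = configured_flags(instance)
    raised = []
    for finding, (prefix, flag, acceptable, _fix) in RULES.items():
        if not engine.startswith(prefix):
            continue                      # rule belongs to another engine
        if acceptable is None:
            fires = flag in flags         # "configured" findings: any value fires
        else:
            fires = flags.get(flag, ENGINE_DEFAULTS.get(flag)) not in acceptable
        if fires:
            raised.append(finding)
    return sorted(raised)


def remediated_flags(instance):
    """Flag set that clears every finding: existing flags merged with the fixes.
    The merge matters because --database-flags replaces the whole flag list;
    passing only the corrections would silently drop every other flag."""
    flags = configured_flags(instance)
    for finding in evaluate_sql_flags(instance):
        _prefix, flag, _acceptable, fix = RULES[finding]
        if fix is None:
            flags.pop(flag, None)         # "configured" finding: unset the flag
        else:
            flags[flag] = fix
    return flags


def gcloud_patch_command(instance):
    """gcloud command applying the remediated flag set (some flags need a restart)."""
    joined = ",".join(f"{k}={v}" for k, v in sorted(remediated_flags(instance).items()))
    return f"gcloud sql instances patch {instance['name']} --database-flags='{joined}'"


# Constructed sample instances (not real resources).
PG_INSTANCE = {
    "name": "pg-prod", "databaseVersion": "POSTGRES_14",
    "settings": {"databaseFlags": [
        {"name": "log_connections", "value": "on"},
        {"name": "log_disconnections", "value": "on"},
        {"name": "log_lock_waits", "value": "on"},
        {"name": "log_statement", "value": "ddl"},
        {"name": "log_min_duration_statement", "value": "1000"},  # not -1
        {"name": "log_error_verbosity", "value": "verbose"},      # looser than default
    ]},  # log_temp_files unset -> assumed default -1, so SQL_LOG_TEMP_FILES fires
}
MSSQL_INSTANCE = {
    "name": "mssql-prod", "databaseVersion": "SQLSERVER_2019_STANDARD",
    "settings": {"databaseFlags": [
        {"name": "3625", "value": "on"},
        {"name": "user connections", "value": "500"},  # any value fires the finding
    ]},  # "remote access" unset -> assumed default on, so the finding fires
}

if __name__ == "__main__":
    for inst in (PG_INSTANCE, MSSQL_INSTANCE):
        print(inst["name"], evaluate_sql_flags(inst))
        print(gcloud_patch_command(inst))
```

Run it against `gcloud sql instances describe INSTANCE --format=json` output to see which rows of these tables an instance will trip before Security Health Analytics scans it. The remediation helper merges rather than overwrites because `gcloud sql instances patch --database-flags` sets the complete list; review the generated command before applying it, since some flags restart the instance.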

Supported GCP_SECURITYCENTER_POSTURE_VIOLATION findings

You can find the UDM mapping in the Field mapping reference: POSTURE VIOLATION table.

Finding name Description
SECURITY_POSTURE_DETECTOR_DELETE The security posture service detected that a Security Health Analytics custom module was deleted. This deletion occurred outside of a posture update.
SECURITY_POSTURE_DETECTOR_DRIFT The security posture service detected a change to a Security Health Analytics detector that occurred outside of a posture update.
SECURITY_POSTURE_DRIFT Drift from the defined policies within security posture. This is detected by the security posture service.
SECURITY_POSTURE_POLICY_DELETE The security posture service detected that an organization policy was deleted. This deletion occurred outside of a posture update.
SECURITY_POSTURE_POLICY_DRIFT The security posture service detected a change to an organization policy that occurred outside of a posture update.

Field mapping reference

This section explains how the Google Security Operations parser maps Security Command Center log fields to Google Security Operations Unified Data Model (UDM) fields for the data sets.

Field mapping reference: raw log fields to UDM fields

The following table lists the log fields and corresponding UDM mappings for the Security Command Center Event Threat Detection findings.
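
Several rules in the table that follows interact in ways that matter when you build detections on the normalized events: alert_state depends only on state, while is_alert additionally requires the mute field to be present and UNMUTED or UNDEFINED; the ids parsed from canonicalName land on src.resource for four exfiltration categories and on target.resource for everything else; and the principalSubject regexes are tested in order. The following Python is an added example of those rules, not the Google Security Operations parser. The pattern it uses for canonicalName is an assumption (the page only says a Grok pattern is used; SCC canonical names have the form .../sources/{source_id}/findings/{finding_id}), and the sample findings are constructed.

```python
"""Selected Security Command Center -> UDM mapping rules from this page,
re-implemented as an added example (not the Google SecOps parser)."""
import re

# Assumed shape of canonicalName: {organizations|folders|projects}/{id}/sources/{source_id}/findings/{finding_id}
CANONICAL_NAME = re.compile(r"sources/(?P<source_id>[^/]+)/findings/(?P<finding_id>[^/]+)$")

# Categories whose finding_id/source_id go to src.resource instead of target.resource.
EXFIL_SRC_CATEGORIES = {
    "Exfiltration: BigQuery Data Extraction",
    "Exfiltration: BigQuery Data to Google Drive",
    "Exfiltration: BigQuery Data Exfiltration",
    "Exfiltration: CloudSQL Restore Backup to External Organization",
}


def alert_fields(finding):
    """security_result.alert_state, is_alert and is_significant.
    A MUTED (or mute-less) ACTIVE finding is ALERTING but not an alert."""
    active = finding.get("state") == "ACTIVE"
    mute = finding.get("mute")                      # None when the field is absent
    is_alert = active and mute in ("UNMUTED", "UNDEFINED")
    return {
        "security_result.alert_state": "ALERTING" if active else "NOT_ALERTING",
        "is_alert": is_alert,
        "is_significant": is_alert,
    }


def account_type(principal_subject):
    """principal.user.account_type from access.principalSubject; the
    serviceAccount regex is tested before the user regex, as in the table."""
    if principal_subject is None:
        return None
    if re.search("serviceAccount", principal_subject):
        return "SERVICE_ACCOUNT_TYPE"
    if re.search("user", principal_subject):
        return "CLOUD_ACCOUNT_TYPE"
    return None


def canonical_name_fields(finding):
    """metadata.product_log_id plus source_id/finding_id on src or target."""
    out = {}
    m = CANONICAL_NAME.search(finding.get("canonicalName", ""))
    if not m:
        return out                                  # no ids to extract
    source_id, finding_id = m["source_id"], m["finding_id"]
    out["metadata.product_log_id"] = finding_id
    side = "src" if finding.get("category") in EXFIL_SRC_CATEGORIES else "target"
    out[f"{side}.resource.product_object_id"] = source_id
    out[f"{side}.resource.attribute.labels[source_id]"] = source_id
    out[f"{side}.resource.attribute.labels[finding_id]"] = finding_id
    return out


def map_finding(finding):
    """Apply the rules above to one raw finding; returns the UDM fields they set."""
    udm = {
        "metadata.product_name": "Security Command Center",
        "metadata.vendor_name": "Google",
        "metadata.product_event_type": finding.get("category"),
    }
    udm.update(alert_fields(finding))
    udm.update(canonical_name_fields(finding))
    kind = account_type(finding.get("access", {}).get("principalSubject"))
    if kind is not None:
        udm["principal.user.account_type"] = kind
    return udm


# Constructed sample findings (ids and identities are made up).
BRUTE_FORCE = {
    "category": "Brute Force: SSH", "state": "ACTIVE", "mute": "UNDEFINED",
    "canonicalName": "projects/123456789012/sources/5555/findings/abc123",
    "access": {"principalSubject": "user:alice@example.com"},
}
MUTED_EXFIL = {
    "category": "Exfiltration: BigQuery Data Extraction", "state": "ACTIVE", "mute": "MUTED",
    "canonicalName": "organizations/999/sources/7777/findings/def456",
    "access": {"principalSubject": "serviceAccount:etl@example-project.iam.gserviceaccount.com"},
}

if __name__ == "__main__":
    for f in (BRUTE_FORCE, MUTED_EXFIL):
        print(map_finding(f))
```

The practical consequence for rule authors: filter on is_alert, not on security_result.alert_state, if muted findings must not page anyone, and look for the exfiltration ids under src.resource rather than target.resource.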

RawLog field UDM mapping Logic
target.resource_ancestors.resource_type If the message log field value matches the regular expression pattern kubernetes, then the target.resource_ancestors.resource_type UDM field is set to CLUSTER.
Else, if the message log field value matches the regular expression kubernetes.*?pods, then the target.resource_ancestors.resource_type UDM field is set to POD.
about.resource.attribute.cloud.environment The about.resource.attribute.cloud.environment UDM field is set to GOOGLE_CLOUD_PLATFORM.
extensions.auth.type If the category log field value is equal to Initial Access: Account Disabled Hijacked or Initial Access: Disabled Password Leak or Initial Access: Government Based Attack or Initial Access: Suspicious Login Blocked or Impair Defenses: Two Step Verification Disabled or Persistence: SSO Enablement Toggle, then the extensions.auth.type UDM field is set to SSO.
extensions.auth.mechanism If the category log field value is equal to Brute Force: SSH, then the extensions.auth.mechanism UDM field is set to USERNAME_PASSWORD.
extensions.auth.type If the principal.user.user_authentication_status log field value is equal to ACTIVE, then the extensions.auth.type UDM field is set to SSO.
intermediary.resource.resource_type If the category log field value is equal to Initial Access: Log4j Compromise Attempt, then the intermediary.resource.resource_type UDM field is set to BACKEND_SERVICE.
metadata.product_name The metadata.product_name UDM field is set to Security Command Center.
metadata.vendor_name The metadata.vendor_name UDM field is set to Google.
network.application_protocol If the category log field value is equal to Malware: Bad Domain or Malware: Cryptomining Bad Domain, then the network.application_protocol UDM field is set to DNS.
principal.user.account_type If the access.principalSubject log field value matches the regular expression serviceAccount, then the principal.user.account_type UDM field is set to SERVICE_ACCOUNT_TYPE.

Else, if the access.principalSubject log field value matches the regular expression user, then the principal.user.account_type UDM field is set to CLOUD_ACCOUNT_TYPE.
security_result.about.user.attribute.roles.name If the message log field value matches the regular expression contacts.?security, then the security_result.about.user.attribute.roles.name UDM field is set to security.

If the message log field value matches the regular expression contacts.?technical, then the security_result.about.user.attribute.roles.name UDM field is set to Technical.
security_result.action If the category log field value is equal to Initial Access: Suspicious Login Blocked, then the security_result.action UDM field is set to BLOCK.

If the category log field value is equal to Brute Force: SSH, then if the sourceProperties.properties.attempts.authResult log field value is equal to SUCCESS, then the security_result.action UDM field is set to ALLOW.

Else, the security_result.action UDM field is set to BLOCK.
security_result.alert_state If the state log field value is equal to ACTIVE, then the security_result.alert_state UDM field is set to ALERTING.

Else, the security_result.alert_state UDM field is set to NOT_ALERTING.
target.resource.resource_type If the sourceProperties.properties.extractionAttempt.destinations.collectionType log field value matches the regular expression BUCKET, then the target.resource.resource_type UDM field is set to STORAGE_BUCKET.

Else, if the category log field value is equal to Brute Force: SSH, then the target.resource.resource_type UDM field is set to VIRTUAL_MACHINE.

Else, if the category log field value is equal to Malware: Bad Domain or Malware: Bad IP or Malware: Cryptomining Bad IP, then the target.resource.resource_type UDM field is set to VIRTUAL_MACHINE.

Else, if the category log field value is equal to Exfiltration: BigQuery Data Exfiltration, then the target.resource.resource_type UDM field is set to TABLE.
target.labels [Environment_Variables_val] (deprecated)
additional.fields [Environment_Variables_val]
target.resource_ancestors.resource_type
target.resource.resource_type If the category log field value is equal to Increasing Deny Ratio or Allowed Traffic Spike or Application DDoS Attack Attempt, then the target.resource.resource_type UDM field is set to BACKEND_SERVICE.

If the category log field value is equal to Configurable Bad Domain, then the target.resource.resource_type UDM field is set to VIRTUAL_MACHINE.
is_alert If the state log field value is equal to ACTIVE, then if the mute_is_not_present field value is not equal to true and (the mute log field value is equal to UNMUTED or the mute log field value is equal to UNDEFINED), then the is_alert UDM field is set to true else, the is_alert UDM field is set to false.
is_significant If the state log field value is equal to ACTIVE, then if the mute_is_not_present field value is not equal to true and (the mute log field value is equal to UNMUTED or the mute log field value is equal to UNDEFINED), then the is_significant UDM field is set to true else, the is_significant UDM field is set to false.
access.callerIp principal.ip If the category log field value is equal to Defense Evasion: Modify VPC Service Control or Exfiltration: BigQuery Data Extraction or Exfiltration: BigQuery Data to Google Drive or Exfiltration: CloudSQL Data Exfiltration or Exfiltration: CloudSQL Restore Backup to External Organization or Persistence: New Geography or Persistence: IAM Anomalous Grant, then the access.callerIp log field is mapped to the principal.ip UDM field.
access.callerIpGeo.regionCode principal.location.country_or_region
access.methodName target.labels [access_methodName] (deprecated)
access.methodName additional.fields [access_methodName]
access.principalEmail principal.user.email_addresses If the category log field value is equal to Defense Evasion: Modify VPC Service Control or Exfiltration: CloudSQL Data Exfiltration or Exfiltration: CloudSQL Restore Backup to External Organization or Persistence: New Geography, then the access.principalEmail log field is mapped to the principal.user.email_addresses UDM field.
access.principalSubject principal.user.attribute.labels.key/value [access_principalSubject]
access.serviceAccountDelegationInfo.principalEmail principal.user.email_addresses
access.serviceAccountDelegationInfo.principalSubject principal.user.attribute.labels.key/value [access_serviceAccountDelegationInfo_principalSubject]
access.serviceAccountKeyName principal.user.attribute.labels.key/value [access_serviceAccountKeyName]
access.serviceName target.application If the category log field value is equal to Defense Evasion: Modify VPC Service Control or Exfiltration: BigQuery Data Extraction or Exfiltration: BigQuery Data to Google Drive or Exfiltration: CloudSQL Data Exfiltration or Exfiltration: CloudSQL Restore Backup to External Organization or Exfiltration: CloudSQL Over-Privileged Grant or Persistence: New Geography or Persistence: IAM Anomalous Grant, then the access.serviceName log field is mapped to the target.application UDM field.
access.userAgentFamily network.http.user_agent
additional.fields[failedActions_attemptTimes] sourceProperties.properties.failedActions.attemptTimes If the category log field value is equal to Initial Access: Excessive Permission Denied Actions, then the sourceProperties.properties.failedActions.attemptTimes log field is mapped to the additional.fields UDM field.
additional.fields[failedActions_lastOccurredTime] sourceProperties.properties.failedActions.lastOccurredTime If the category log field value is equal to Initial Access: Excessive Permission Denied Actions, then the sourceProperties.properties.failedActions.lastOccurredTime log field is mapped to the additional.fields UDM field.
additional.fields[failedActions_methodName] sourceProperties.properties.failedActions.methodName If the category log field value is equal to Initial Access: Excessive Permission Denied Actions, then the sourceProperties.properties.failedActions.methodName log field is mapped to the additional.fields UDM field.
additional.fields[failedActions_serviceName] sourceProperties.properties.failedActions.serviceName If the category log field value is equal to Initial Access: Excessive Permission Denied Actions, then the sourceProperties.properties.failedActions.serviceName log field is mapped to the additional.fields UDM field.
assetDisplayName target.asset.attribute.labels[asset_display_name]
assetId target.asset.asset_id
canonicalName metadata.product_log_id The finding_id is extracted from the canonicalName log field using a Grok pattern.

If the finding_id log field value is not empty, then the finding_id log field is mapped to the metadata.product_log_id UDM field.
canonicalName src.resource.attribute.labels.key/value [finding_id] If the finding_id log field value is not empty, then the finding_id log field is mapped to the src.resource.attribute.labels.key/value [finding_id] UDM field.

If the category log field value is equal to one of the following values, then the finding_id is extracted from the canonicalName log field using a Grok pattern:
  • Exfiltration: BigQuery Data Extraction
  • Exfiltration: BigQuery Data to Google Drive
  • Exfiltration: BigQuery Data Exfiltration
  • Exfiltration: CloudSQL Restore Backup to External Organization
canonicalName src.resource.product_object_id If the source_id log field value is not empty, then the source_id log field is mapped to the src.resource.product_object_id UDM field.

If the category log field value is equal to one of the following values, then the source_id is extracted from the canonicalName log field using a Grok pattern:
  • Exfiltration: BigQuery Data Extraction
  • Exfiltration: BigQuery Data to Google Drive
  • Exfiltration: BigQuery Data Exfiltration
  • Exfiltration: CloudSQL Restore Backup to External Organization
canonicalName src.resource.attribute.labels.key/value [source_id] If the source_id log field value is not empty, then the source_id log field is mapped to the src.resource.attribute.labels.key/value [source_id] UDM field.

If the category log field value is equal to one of the following values, then the source_id is extracted from the canonicalName log field using a Grok pattern:
  • Exfiltration: BigQuery Data Extraction
  • Exfiltration: BigQuery Data to Google Drive
  • Exfiltration: BigQuery Data Exfiltration
  • Exfiltration: CloudSQL Restore Backup to External Organization
canonicalName target.resource.attribute.labels.key/value [finding_id] If the finding_id log field value is not empty, then the finding_id log field is mapped to the target.resource.attribute.labels.key/value [finding_id] UDM field.

If the category log field value is not equal to any of the following values, then the finding_id is extracted from the canonicalName log field using a Grok pattern:
  • Exfiltration: BigQuery Data Extraction
  • Exfiltration: BigQuery Data to Google Drive
  • Exfiltration: BigQuery Data Exfiltration
  • Exfiltration: CloudSQL Restore Backup to External Organization
canonicalName target.resource.product_object_id If the source_id log field value is not empty, then the source_id log field is mapped to the target.resource.product_object_id UDM field.

If the category log field value is not equal to any of the following values, then the source_id is extracted from the canonicalName log field using a Grok pattern:
  • Exfiltration: BigQuery Data Extraction
  • Exfiltration: BigQuery Data to Google Drive
  • Exfiltration: BigQuery Data Exfiltration
  • Exfiltration: CloudSQL Restore Backup to External Organization
canonicalName target.resource.attribute.labels.key/value [source_id] If the source_id log field value is not empty, then the source_id log field is mapped to the target.resource.attribute.labels.key/value [source_id] UDM field.

If the category log field value is not equal to any of the following values, then the source_id is extracted from the canonicalName log field using a Grok pattern:
  • Exfiltration: BigQuery Data Extraction
  • Exfiltration: BigQuery Data to Google Drive
  • Exfiltration: BigQuery Data Exfiltration
  • Exfiltration: CloudSQL Restore Backup to External Organization
category metadata.product_event_type
category security_result.category_details The findingClass - category log field value is mapped to the security_result.category_details UDM field.
compliances.ids about.labels [compliance_ids] (deprecated)
compliances.ids additional.fields [compliance_ids]
compliances.standard about.labels [compliances_standard] (deprecated)
compliances.standard additional.fields [compliances_standard]
compliances.version about.labels [compliance_version] (deprecated)
compliances.version additional.fields [compliance_version]
connections.destinationIp about.labels [connections_destination_ip] (deprecated) If the connections.destinationIp log field value is not equal to the sourceProperties.properties.ipConnection.destIp, then the connections.destinationIp log field is mapped to the about.labels.value UDM field.
connections.destinationIp additional.fields [connections_destination_ip] If the connections.destinationIp log field value is not equal to the sourceProperties.properties.ipConnection.destIp, then the connections.destinationIp log field is mapped to the additional.fields.value.string_value UDM field.
connections.destinationPort about.labels [connections_destination_port] (deprecated)
connections.destinationPort additional.fields [connections_destination_port]
connections.protocol about.labels [connections_protocol] (deprecated)
connections.protocol additional.fields [connections_protocol]
connections.sourceIp about.labels [connections_source_ip] (deprecated)
connections.sourceIp additional.fields [connections_source_ip]
connections.sourcePort about.labels [connections_source_port] (deprecated)
connections.sourcePort additional.fields [connections_source_port]
contacts.security.contacts.email security_result.about.user.email_addresses
contacts.technical.contacts.email security_result.about.user.email_addresses
containers.imageId target.resource_ancestors.product_object_id If the category log field value is equal to Persistence: GCE Admin Added Startup Script or Persistence: GCE Admin Added SSH Key, then the target.resource_ancestors.resource_type UDM field is set to VIRTUAL_MACHINE.
containers.labels.name/value target.resource_ancestors.attribute.labels.key/value [containers.labels.name/value] The containers.labels.name log field is mapped to the target.resource_ancestors.attribute.labels.key UDM field and the containers.labels.value log field is mapped to the target.resource_ancestors.attribute.labels.value UDM field.
containers.name target.resource_ancestors.name If the category log field value is equal to Malware: Cryptomining Bad IP or Malware: Bad IP or Malware: Cryptomining Bad Domain or Malware: Bad Domain or Configurable Bad Domain, then the sourceProperties.properties.destVpc.vpcName log field is mapped to the target.resource_ancestors.name UDM field and the sourceProperties.properties.vpc.vpcName log field is mapped to the target.resource_ancestors.name UDM field and the target.resource_ancestors.resource_type UDM field is set to VPC_NETWORK.

Else if the category log field value is equal to Active Scan: Log4j Vulnerable to RCE, then the sourceProperties.properties.vpcName log field is mapped to the target.resource_ancestors.name UDM field and the target.resource_ancestors.resource_type UDM field is set to VIRTUAL_MACHINE.

Else if the category log field value is equal to Malware: Bad Domain or Malware: Bad IP or Malware: Cryptomining Bad IP, then the resourceName log field is mapped to the target.resource_ancestors.name UDM field.

Else if the category log field value is equal to Brute Force: SSH, then the resourceName log field is mapped to the target.resource_ancestors.name UDM field.

Else if the category log field value is equal to Persistence: GCE Admin Added SSH Key or Persistence: GCE Admin Added Startup Script, then the sourceProperties.properties.projectId log field is mapped to the target.resource_ancestors.name UDM field.

Else if the category log field value is equal to Increasing Deny Ratio or Allowed Traffic Spike, then the resourceName log field is mapped to the target.resource_ancestors.name UDM field.
containers.uri target.resource_ancestors.attribute.labels.key/value [containers_uri]
createTime security_result.detection_fields.key/value[create_time]
database.displayName src.resource.attribute.labels.key/value [database_displayName] If the category log field value is equal to Exfiltration: CloudSQL Over-Privileged Grant, then the database.displayName log field is mapped to the src.resource.attribute.labels.value UDM field.
database.grantees src.resource.attribute.labels.key/value [database_grantees] If the category log field value is equal to Exfiltration: CloudSQL Over-Privileged Grant, then the src.resource.attribute.labels.key UDM field is set to grantees and the database.grantees log field is mapped to the src.resource.attribute.labels.value UDM field.
database.name src.resource.name
database.query src.process.command_line If the category log field value is equal to Exfiltration: CloudSQL Over-Privileged Grant, then the database.query log field is mapped to the src.process.command_line UDM field.
database.userName principal.user.userid If the category log field value is equal to Exfiltration: CloudSQL Over-Privileged Grant, then the database.userName log field is mapped to the principal.user.userid UDM field.
description security_result.description
eventTime metadata.event_timestamp
exfiltration.sources.components src.resource.attribute.labels.key/value[exfiltration_sources_components] If the category log field value is equal to Exfiltration: CloudSQL Data Exfiltration or Exfiltration: BigQuery Data Extraction, then the exfiltration.sources.components log field is mapped to the src.resource.attribute.labels.value UDM field.
exfiltration.sources.name src.resource.name If the category log field value is equal to Exfiltration: BigQuery Data Extraction or Exfiltration: BigQuery Data to Google Drive or Exfiltration: BigQuery Data Exfiltration, then the exfiltration.sources.name log field is mapped to the src.resource.name UDM field and the resourceName log field is mapped to the src.resource_ancestors.name UDM field.
exfiltration.targets.components target.resource.attribute.labels.key/value[exfiltration_targets_components] If the category log field value is equal to Exfiltration: CloudSQL Data Exfiltration or Exfiltration: BigQuery Data Extraction, then the exfiltration.targets.components log field is mapped to the target.resource.attribute.labels.key/value UDM field.
exfiltration.targets.name target.resource.name If the category log field value is equal to Defense Evasion: Modify VPC Service Control, then the sourceProperties.properties.name log field is mapped to the target.resource.name UDM field.

Else if the category log field value is equal to Exfiltration: CloudSQL Data Exfiltration, then the sourceProperties.properties.exportToGcs.bucketResource log field is mapped to the target.resource.name UDM field.

Else if the category log field value is equal to Exfiltration: CloudSQL Restore Backup to External Organization, then the sourceProperties.properties.restoreToExternalInstance.targetCloudsqlInstanceResource log field is mapped to the target.resource.name UDM field.

Else if the category log field value is equal to Brute Force: SSH, then the sourceProperties.properties.attempts.vmName log field is mapped to the target.resource.name UDM field and the resourceName log field is mapped to the target.resource_ancestors.name UDM field.

Else if the category log field value is equal to Malware: Bad Domain or Malware: Bad IP or Malware: Cryptomining Bad IP or Malware: Cryptomining Bad Domain or Configurable Bad Domain, then the sourceProperties.properties.instanceDetails log field is mapped to the target.resource.name UDM field and the resourceName log field is mapped to the target.resource_ancestors.name UDM field and the target.resource.resource_type UDM field is set to VIRTUAL_MACHINE.

Else if the category log field value is equal to Exfiltration: BigQuery Data Extraction or Exfiltration: BigQuery Data to Google Drive, then the sourceProperties.properties.extractionAttempt.destinations.collectionName log field is mapped to the target.resource.attribute.name UDM field and the exfiltration.targets.name log field is mapped to the target.resource.name UDM field.

Else if the category log field value is equal to Exfiltration: BigQuery Data Exfiltration, then the exfiltration.targets.name log field is mapped to the target.resource.name UDM field and the sourceProperties.properties.dataExfiltrationAttempt.destinationTables.tableId log field is mapped to the target.resource.attribute.labels UDM field and the target.resource.resource_type UDM field is set to TABLE.

Else, the resourceName log field is mapped to the target.resource.name UDM field.
externalSystems.assignees about.resource.attribute.labels.key/value [externalSystems_assignees]
externalSystems.externalSystemUpdateTime about.resource.attribute.last_update_time
externalSystems.externalUid about.resource.product_object_id
externalSystems.name about.resource.name
externalSystems.status about.resource.attribute.labels.key/value [externalSystems_status]
finding.access.userAgent network.http.user_agent
findingClass security_result.category_details The findingClass - category log field value is mapped to the security_result.category_details UDM field.
findingProviderId target.resource.attribute.labels[finding_provider_id]
indicator.signatures.memoryHashSignature.binaryFamily security_result.detection_fields.key/value [indicator_signatures_memoryHashSignature_binaryFamily]
indicator.signatures.memoryHashSignature.detections.binary security_result.detection_fields.key/value [indicator_signatures_memoryHashSignature_detections_binary]
indicator.signatures.memoryHashSignature.detections.percentPagesMatched security_result.detection_fields.key/value [indicator_signatures_memoryHashSignature_detections_percentPagesMatched]
indicator.signatures.yaraRuleSignature.yararule security_result.detection_fields.key/value [indicator_signatures_yaraRuleSignature_yararule]
indicator.uris about.url
kubernetes.accessReviews.group target.resource.attribute.labels.key/value [kubernetes_accessReviews_group]
kubernetes.accessReviews.name target.resource.attribute.labels.key/value [kubernetes_accessReviews_name]
kubernetes.accessReviews.ns target.resource.attribute.labels.key/value [kubernetes_accessReviews_ns]
kubernetes.accessReviews.resource target.resource.attribute.labels.key/value [kubernetes_accessReviews_resource]
kubernetes.accessReviews.subresource target.resource.attribute.labels.key/value [kubernetes_accessReviews_subresource]
kubernetes.accessReviews.verb target.resource.attribute.labels.key/value [kubernetes_accessReviews_verb]
kubernetes.accessReviews.version target.resource.attribute.labels.key/value [kubernetes_accessReviews_version]
kubernetes.bindings.name target.resource.attribute.labels.key/value [kubernetes_bindings_name]
kubernetes.bindings.ns target.resource.attribute.labels.key/value [kubernetes_bindings_ns]
kubernetes.bindings.role.kind target.resource.attribute.labels.key/value [kubernetes_bindings_role_kind]
kubernetes.bindings.role.name target.resource.attribute.roles.name
kubernetes.bindings.role.ns target.resource.attribute.labels.key/value [kubernetes_bindings_role_ns]
kubernetes.bindings.subjects.kind target.resource.attribute.labels.key/value [kubernetes_bindings_subjects_kind]
kubernetes.bindings.subjects.name target.resource.attribute.labels.key/value [kubernetes_bindings_subjects_name]
kubernetes.bindings.subjects.ns target.resource.attribute.labels.key/value [kubernetes_bindings_subjects_ns]
kubernetes.nodePools.name target.resource_ancestors.name
kubernetes.nodePools.nodes.name target.resource.attribute.labels.key/value [kubernetes_nodePools_nodes_name]
kubernetes.nodes.name target.resource_ancestors.name
kubernetes.pods.containers.createTime target.resource_ancestors.attribute.labels[kubernetes_pods_containers_createTime]
kubernetes.pods.containers.imageId target.resource_ancestors.attribute.labels[kubernetes_pods_containers_imageId]
kubernetes.pods.containers.labels.name/value target.resource.attribute.labels.key/value [kubernetes.pods.containers.labels.name/value]
kubernetes.pods.containers.name target.resource_ancestors.name If the category log field value is equal to Malware: Cryptomining Bad IP or Malware: Bad IP or Malware: Cryptomining Bad Domain or Malware: Bad Domain or Configurable Bad Domain, then the sourceProperties.properties.destVpc.vpcName log field is mapped to the target.resource_ancestors.name UDM field and the sourceProperties.properties.vpc.vpcName log field is mapped to the target.resource_ancestors.name UDM field and the target.resource_ancestors.resource_type UDM field is set to VPC_NETWORK.

Else if the category log field value is equal to Active Scan: Log4j Vulnerable to RCE, then the sourceProperties.properties.vpcName log field is mapped to the target.resource_ancestors.name UDM field and the target.resource_ancestors.resource_type UDM field is set to VIRTUAL_MACHINE.

Else if the category log field value is equal to Malware: Bad Domain or Malware: Bad IP or Malware: Cryptomining Bad IP, then the resourceName log field is mapped to the target.resource_ancestors.name UDM field.

Else if the category log field value is equal to Brute Force: SSH, then the resourceName log field is mapped to the target.resource_ancestors.name UDM field.

Else if the category log field value is equal to Persistence: GCE Admin Added SSH Key or Persistence: GCE Admin Added Startup Script, then the sourceProperties.properties.projectId log field is mapped to the target.resource_ancestors.name UDM field.

Else if the category log field value is equal to Increasing Deny Ratio or Allowed Traffic Spike, then the resourceName log field is mapped to the target.resource_ancestors.name UDM field.
kubernetes.pods.containers.uri target.resource_ancestors.attribute.labels.key/value [kubernetes_pods_containers_uri]
kubernetes.pods.labels.name/value target.resource.attribute.labels.key/value [kubernetes.pods.labels.name/value]
kubernetes.pods.name target.resource_ancestors.name
kubernetes.pods.ns target.resource_ancestors.attribute.labels.key/value [kubernetes_pods_ns]
kubernetes.roles.kind target.resource.attribute.labels.key/value [kubernetes_roles_kind]
kubernetes.roles.name target.resource.attribute.labels.key/value [kubernetes_roles_name]
kubernetes.roles.ns target.resource.attribute.labels.key/value [kubernetes_roles_ns]
mitreAttack.additionalTactics security_result.detection_fields.key/value [mitreAttack_additionalTactics]
mitreAttack.additionalTechniques security_result.detection_fields.key/value [mitreAttack_additionalTechniques]
mitreAttack.primaryTactic security_result.detection_fields.key/value [mitreAttack_primaryTactic]
mitreAttack.primaryTechniques.0 security_result.detection_fields.key/value [mitreAttack_primaryTechniques]
mitreAttack.version security_result.detection_fields.key/value [mitreAttack_version]
mute security_result.detection_fields.key/value [mute]
muteInitiator security_result.detection_fields.key/value [mute_initiator] If the mute log field value is equal to MUTED or UNMUTED, then the muteInitiator log field is mapped to the security_result.detection_fields.value UDM field.
muteUpdateTime security_result.detection_fields.key/value [mute_update_time] If the mute log field value is equal to MUTED or UNMUTED, then the muteUpdateTime log field is mapped to the security_result.detection_fields.value UDM field.
name security_result.url_back_to_product
nextSteps security_result.outcomes.key/value [next_steps]
parent src.resource_ancestors.name If the category log field value is equal to Exfiltration: BigQuery Data Extraction or Exfiltration: BigQuery Data to Google Drive or Exfiltration: BigQuery Data Exfiltration, then the parent log field is mapped to the src.resource_ancestors.name UDM field.
parent target.resource_ancestors.name If the category log field value is equal to Malware: Cryptomining Bad IP or Malware: Bad IP or Malware: Cryptomining Bad Domain or Malware: Bad Domain or Configurable Bad Domain, then the sourceProperties.properties.destVpc.vpcName log field is mapped to the target.resource_ancestors.name UDM field and the sourceProperties.properties.vpc.vpcName log field is mapped to the target.resource_ancestors.name UDM field and the target.resource_ancestors.resource_type UDM field is set to VPC_NETWORK.

Else if the category log field value is equal to Active Scan: Log4j Vulnerable to RCE, then the sourceProperties.properties.vpcName log field is mapped to the target.resource_ancestors.name UDM field and the target.resource_ancestors.resource_type UDM field is set to VIRTUAL_MACHINE.

Else if the category log field value is equal to Malware: Bad Domain or Malware: Bad IP or Malware: Cryptomining Bad IP, then the resourceName log field is mapped to the target.resource_ancestors.name UDM field.

Else if the category log field value is equal to Brute Force: SSH, then the resourceName log field is mapped to the target.resource_ancestors.name UDM field.

Else if the category log field value is equal to Persistence: GCE Admin Added SSH Key or Persistence: GCE Admin Added Startup Script, then the sourceProperties.properties.projectId log field is mapped to the target.resource_ancestors.name UDM field.

Else if the category log field value is equal to Increasing Deny Ratio or Allowed Traffic Spike, then the resourceName log field is mapped to the target.resource_ancestors.name UDM field.
parentDisplayName metadata.description
sourceProperties.properties.srcVpc.projectId principal.resource_ancestors.attribute.labels.key/value [sourceProperties_properties_srcVpc_projectId] If the category log field value is equal to Malware: Cryptomining Bad IP or Malware: Bad IP, then the sourceProperties.properties.srcVpc.projectId log field is mapped to the principal.resource_ancestors.attribute.labels.value UDM field.
processes.args target.process.command_line_history [processes.args]
processes.argumentsTruncated target.labels [processes_argumentsTruncated] (deprecated)
processes.argumentsTruncated additional.fields [processes_argumentsTruncated]
processes.binary.contents target.labels [processes_binary_contents] (deprecated)
processes.binary.contents additional.fields [processes_binary_contents]
processes.binary.hashedSize target.labels [processes_binary_hashedSize] (deprecated)
processes.binary.hashedSize additional.fields [processes_binary_hashedSize]
processes.binary.partiallyHashed target.labels [processes_binary_partiallyHashed] (deprecated)
processes.binary.partiallyHashed additional.fields [processes_binary_partiallyHashed]
processes.binary.path target.process.file.full_path
processes.binary.sha256 target.process.file.sha256
processes.binary.size target.process.file.size
processes.envVariables.name target.labels [processes_envVariables_name] (deprecated)
processes.envVariables.name additional.fields [processes_envVariables_name]
processes.envVariables.val target.labels [processes_envVariables_val] (deprecated)
processes.envVariables.val additional.fields [processes_envVariables_val]
processes.envVariablesTruncated target.labels [processes_envVariablesTruncated] (deprecated)
processes.envVariablesTruncated additional.fields [processes_envVariablesTruncated]
processes.libraries.contents target.labels [processes_libraries_contents] (deprecated)
processes.libraries.contents additional.fields [processes_libraries_contents]
processes.libraries.hashedSize target.labels [processes_libraries_hashedSize] (deprecated)
processes.libraries.hashedSize additional.fields [processes_libraries_hashedSize]
processes.libraries.partiallyHashed target.labels [processes_libraries_partiallyHashed] (deprecated)
processes.libraries.partiallyHashed additional.fields [processes_libraries_partiallyHashed]
processes.libraries.path target.process.file.full_path
processes.libraries.sha256 target.process.file.sha256
processes.libraries.size target.process.file.size
processes.name target.process.file.full_path
processes.name target.process.file.names
processes.parentPid target.parent_process.pid
processes.pid target.process.pid
processes.script.contents target.labels [processes_script_contents] (deprecated)
processes.script.contents additional.fields [processes_script_contents]
processes.script.hashedSize target.labels [processes_script_hashedSize] (deprecated)
processes.script.hashedSize additional.fields [processes_script_hashedSize]
processes.script.partiallyHashed target.labels [processes_script_partiallyHashed] (deprecated)
processes.script.partiallyHashed additional.fields [processes_script_partiallyHashed]
processes.script.path target.process.file.full_path
processes.script.sha256 target.process.file.sha256
processes.script.size target.process.file.size
resource.display_name src.resource.attribute.labels.key/value [resource_display_name] If the category log field value is equal to Exfiltration: BigQuery Data Exfiltration or Exfiltration: BigQuery Data to Google Drive, then the resource.display_name log field is mapped to the src.resource.attribute.labels.value UDM field.
resource.displayName src.resource.attribute.labels.key/value [resource_displayName] If the category log field value is equal to Exfiltration: BigQuery Data Exfiltration or Exfiltration: BigQuery Data to Google Drive, then the resource.displayName log field is mapped to the src.resource.attribute.labels.value UDM field.
resource.displayName principal.hostname If the resource.type log field value matches the regular expression pattern (?i)google.compute.Instance or google.container.Cluster, then the resource.displayName log field is mapped to the principal.hostname UDM field.
resource.folders.resourceFolder src.resource_ancestors.name If the category log field value is equal to Exfiltration: BigQuery Data to Google Drive, then the resource.folders.resourceFolder log field is mapped to the src.resource_ancestors.name UDM field.
resource.folders.resourceFolderDisplayName src.resource_ancestors.attribute.labels.key/value [resource_folders_resourceFolderDisplayName] If the category log field value is equal to Exfiltration: BigQuery Data to Google Drive, then the resource.folders.resourceFolderDisplayName log field is mapped to the src.resource_ancestors.attribute.labels.value UDM field.
resource.parent target.resource_ancestors.attribute.labels.key/value [resource_project]
resource.parentDisplayName src.resource_ancestors.attribute.labels.key/value [resource_parentDisplayName] If the category log field value is equal to Exfiltration: BigQuery Data to Google Drive, then the resource.parentDisplayName log field is mapped to the src.resource_ancestors.attribute.labels.value UDM field.
resource.parentName src.resource_ancestors.attribute.labels.key/value [resource_parentName] If the category log field value is equal to Exfiltration: BigQuery Data to Google Drive, then the resource.parentName log field is mapped to the src.resource_ancestors.attribute.labels.value UDM field.
resource.project target.resource_ancestors.attribute.labels.key/value [resource_parent]
resource.projectDisplayName src.resource_ancestors.attribute.labels.key/value [resource_projectDisplayName] If the category log field value is equal to Exfiltration: BigQuery Data to Google Drive, then the resource.projectDisplayName log field is mapped to the src.resource_ancestors.attribute.labels.value UDM field.
resource.projectName principal.resource.name
resource.resourcePathString src.resource.attribute.labels[resource_path_string] If the category log field value is one of the following values, then the resource.resourcePathString log field is mapped to the src.resource.attribute.labels[resource_path_string] UDM field:
  • Exfiltration: BigQuery Data Extraction
  • Exfiltration: BigQuery Data to Google Drive
  • Exfiltration: BigQuery Data Exfiltration
  • Exfiltration: CloudSQL Restore Backup to External Organization
Else, the resource.resourcePathString log field is mapped to the target.resource.attribute.labels[resource_path_string] UDM field.
resource.type src.resource_ancestors.resource_subtype If the category log field value is equal to Exfiltration: BigQuery Data to Google Drive, then the resource.type log field is mapped to the src.resource_ancestors.resource_subtype UDM field.
resourceName src.resource_ancestors.name If the category log field value is equal to Exfiltration: CloudSQL Restore Backup to External Organization, then the resourceName log field is mapped to the src.resource_ancestors.name UDM field.
resourceName src.resource.name If the category log field value is equal to Exfiltration: BigQuery Data Extraction or Exfiltration: BigQuery Data to Google Drive or Exfiltration: BigQuery Data Exfiltration, then the exfiltration.sources.name log field is mapped to the src.resource.name UDM field and the resourceName log field is mapped to the src.resource_ancestors.name UDM field.
resourceName target.resource_ancestors.name If the category log field value is equal to Malware: Cryptomining Bad IP or Malware: Bad IP or Malware: Cryptomining Bad Domain or Malware: Bad Domain or Configurable Bad Domain, then the sourceProperties.properties.destVpc.vpcName log field is mapped to the target.resource_ancestors.name UDM field and the sourceProperties.properties.vpc.vpcName log field is mapped to the target.resource_ancestors.name UDM field and the target.resource_ancestors.resource_type UDM field is set to VPC_NETWORK.

Else if the category log field value is equal to Active Scan: Log4j Vulnerable to RCE, then the sourceProperties.properties.vpcName log field is mapped to the target.resource_ancestors.name UDM field and the target.resource_ancestors.resource_type UDM field is set to VIRTUAL_MACHINE.

Else if the category log field value is equal to Malware: Bad Domain or Malware: Bad IP or Malware: Cryptomining Bad IP, then the resourceName log field is mapped to the target.resource_ancestors.name UDM field.

Else if the category log field value is equal to Brute Force: SSH, then the resourceName log field is mapped to the target.resource_ancestors.name UDM field.

Else if the category log field value is equal to Persistence: GCE Admin Added SSH Key or Persistence: GCE Admin Added Startup Script, then the sourceProperties.properties.projectId log field is mapped to the target.resource_ancestors.name UDM field.

Else if the category log field value is equal to Increasing Deny Ratio or Allowed Traffic Spike, then the resourceName log field is mapped to the target.resource_ancestors.name UDM field.
resourceName target.resource.name If the category log field value is equal to Defense Evasion: Modify VPC Service Control, then the sourceProperties.properties.name log field is mapped to the target.resource.name UDM field.

Else if the category log field value is equal to Exfiltration: CloudSQL Data Exfiltration, then the sourceProperties.properties.exportToGcs.bucketResource log field is mapped to the target.resource.name UDM field.

Else if the category log field value is equal to Exfiltration: CloudSQL Restore Backup to External Organization, then the sourceProperties.properties.restoreToExternalInstance.targetCloudsqlInstanceResource log field is mapped to the target.resource.name UDM field.

Else if the category log field value is equal to Brute Force: SSH, then the sourceProperties.properties.attempts.vmName log field is mapped to the target.resource.name UDM field and the resourceName log field is mapped to the target.resource_ancestors.name UDM field.

Else if the category log field value is equal to Malware: Bad Domain or Malware: Bad IP or Malware: Cryptomining Bad IP or Malware: Cryptomining Bad Domain or Configurable Bad Domain, then the sourceProperties.properties.instanceDetails log field is mapped to the target.resource.name UDM field and the resourceName log field is mapped to the target.resource_ancestors.name UDM field and the target.resource.resource_type UDM field is set to VIRTUAL_MACHINE.

Else if the category log field value is equal to Exfiltration: BigQuery Data Extraction or Exfiltration: BigQuery Data to Google Drive, then the sourceProperties.properties.extractionAttempt.destinations.collectionName log field is mapped to the target.resource.attribute.name UDM field and the exfiltration.targets.name log field is mapped to the target.resource.name UDM field.

Else if the category log field value is equal to Exfiltration: BigQuery Data Exfiltration, then the exfiltration.targets.name log field is mapped to the target.resource.name UDM field and the sourceProperties.properties.dataExfiltrationAttempt.destinationTables.tableId log field is mapped to the target.resource.attribute.labels UDM field and the target.resource.resource_type UDM field is set to TABLE.

Else, the resourceName log field is mapped to the target.resource.name UDM field.
resourceName principal.asset.location.name If the parentDisplayName log field value is equal to Virtual Machine Threat Detection, then project_name, region, zone_suffix, and asset_prod_obj_id are extracted from the resourceName log field using a Grok pattern, and the extracted region value is mapped to the principal.asset.location.name UDM field.
resourceName principal.asset.product_object_id If the parentDisplayName log field value is equal to Virtual Machine Threat Detection, then project_name, region, zone_suffix, and asset_prod_obj_id are extracted from the resourceName log field using a Grok pattern, and the extracted asset_prod_obj_id value is mapped to the principal.asset.product_object_id UDM field.
resourceName principal.asset.attribute.cloud.availability_zone If the parentDisplayName log field value is equal to Virtual Machine Threat Detection, then project_name, region, zone_suffix, and asset_prod_obj_id are extracted from the resourceName log field using a Grok pattern, and the extracted zone_suffix value is mapped to the principal.asset.attribute.cloud.availability_zone UDM field.
resourceName principal.asset.attribute.labels[project_name] If the parentDisplayName log field value is equal to Virtual Machine Threat Detection, then project_name, region, zone_suffix, and asset_prod_obj_id are extracted from the resourceName log field using a Grok pattern, and the extracted project_name value is mapped to the principal.asset.attribute.labels.value UDM field.
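The two Grok-driven extractions in this table (finding_id and source_id from canonicalName, subject to the excluded exfiltration categories, and project_name, region, zone_suffix and asset_prod_obj_id from resourceName for Virtual Machine Threat Detection findings) are easiest to validate by reproducing them. The following is an added example, not the Google Security Operations parser's own code; it assumes the canonicalName format {organizations|folders|projects}/{id}/sources/{source_id}/findings/{finding_id} and a Compute Engine resourceName of the form //compute.googleapis.com/projects/{project}/zones/{zone}/instances/{id}, since the page does not show the actual Grok patterns, and all sample findings are constructed.

```python
import re

# Categories for which the parser does not derive finding_id / source_id from
# canonicalName (the four exclusions listed in the mapping table).
CANONICAL_NAME_EXCLUDED_CATEGORIES = frozenset({
    "Exfiltration: BigQuery Data Extraction",
    "Exfiltration: BigQuery Data to Google Drive",
    "Exfiltration: BigQuery Data Exfiltration",
    "Exfiltration: CloudSQL Restore Backup to External Organization",
})

# Assumption: canonicalName follows the Security Command Center finding resource
# format {organizations|folders|projects}/{id}/sources/{source_id}/findings/{finding_id}.
# The parser's real Grok pattern is not on the page; this regex stands in for it.
CANONICAL_NAME_RE = re.compile(
    r"^(?:organizations|folders|projects)/[^/]+"
    r"/sources/(?P<source_id>[^/]+)/findings/(?P<finding_id>[^/]+)$"
)

# Assumption: a VM Threat Detection resourceName is a Compute Engine instance name,
# //compute.googleapis.com/projects/{project}/zones/{region}-{zone_suffix}/instances/{id}.
VMTD_RESOURCE_NAME_RE = re.compile(
    r"^//compute\.googleapis\.com/projects/(?P<project_name>[^/]+)"
    r"/zones/(?P<region>[a-z0-9]+-[a-z0-9]+)-(?P<zone_suffix>[a-z0-9]+)"
    r"/instances/(?P<asset_prod_obj_id>[^/]+)$"
)


def map_finding_ids(finding: dict) -> dict:
    """Return the target.resource UDM fields derived from finding_id and source_id.

    Explicit finding_id / source_id log fields win. Otherwise both are extracted
    from canonicalName, unless the category is one of the excluded categories,
    in which case nothing is derived from canonicalName at all.
    """
    finding_id = finding.get("finding_id") or ""
    source_id = finding.get("source_id") or ""
    if (not finding_id or not source_id) and \
            finding.get("category") not in CANONICAL_NAME_EXCLUDED_CATEGORIES:
        m = CANONICAL_NAME_RE.match(finding.get("canonicalName") or "")
        if m:
            finding_id = finding_id or m["finding_id"]
            source_id = source_id or m["source_id"]
    udm = {}
    if finding_id:
        udm["target.resource.attribute.labels.finding_id"] = finding_id
    if source_id:
        udm["target.resource.product_object_id"] = source_id
        udm["target.resource.attribute.labels.source_id"] = source_id
    return udm


def map_vmtd_asset(finding: dict) -> dict:
    """Return the principal.asset UDM fields for a VM Threat Detection finding.

    Findings from any other parentDisplayName, or with a resourceName that does
    not match the assumed instance format, yield no principal.asset fields.
    """
    if finding.get("parentDisplayName") != "Virtual Machine Threat Detection":
        return {}
    m = VMTD_RESOURCE_NAME_RE.match(finding.get("resourceName") or "")
    if not m:
        return {}
    return {
        "principal.asset.location.name": m["region"],
        "principal.asset.product_object_id": m["asset_prod_obj_id"],
        "principal.asset.attribute.cloud.availability_zone": m["zone_suffix"],
        "principal.asset.attribute.labels.project_name": m["project_name"],
    }


# Constructed sample findings (not real data) exercising each branch above.
SAMPLE_FINDINGS = [
    {"category": "Malware: Bad IP",
     "canonicalName": "projects/123456789012/sources/5555/findings/abc123",
     "parentDisplayName": "Event Threat Detection"},
    {"category": "Exfiltration: BigQuery Data Extraction",
     "canonicalName": "projects/123456789012/sources/5555/findings/abc123",
     "parentDisplayName": "Event Threat Detection"},
    {"category": "Execution: Cryptocurrency Mining Hash Match",
     "parentDisplayName": "Virtual Machine Threat Detection",
     "resourceName": "//compute.googleapis.com/projects/demo-project"
                     "/zones/us-central1-a/instances/1122334455"},
]

if __name__ == "__main__":
    for sample in SAMPLE_FINDINGS:
        print(sample["category"], map_finding_ids(sample), map_vmtd_asset(sample))
```

Comparing this output against the UDM events actually produced by the feed is a quick way to confirm that excluded exfiltration categories arrive without a canonicalName-derived finding_id, as the table specifies.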
securityMarks.canonicalName security_result.detection_fields.key/value [securityMarks_cannonicleName]
securityMarks.marks security_result.detection_fields.key/value [securityMarks_marks]
securityMarks.name security_result.detection_fields.key/value [securityMarks_name]
severity security_result.severity
sourceDisplayName target.resource.attribute.labels[source_display_name]
sourceProperties.Added_Binary_Kind target.resource.attribute.labels[sourceProperties_Added_Binary_Kind]
sourceProperties.Added_Library_Fullpath target.process.file.full_path
sourceProperties.Added_Library_Kind target.resource.attribute.labels[sourceProperties_Added_Library_Kind]
sourceProperties.affectedResources.gcpResourceName target.resource_ancestors.name If the category log field value is equal to Malware: Cryptomining Bad IP or Malware: Bad IP or Malware: Cryptomining Bad Domain or Malware: Bad Domain or Configurable Bad Domain, then the sourceProperties.properties.destVpc.vpcName log field is mapped to the target.resource_ancestors.name UDM field and the sourceProperties.properties.vpc.vpcName log field is mapped to the target.resource_ancestors.name UDM field and the target.resource_ancestors.resource_type UDM field is set to VPC_NETWORK.

Else if the category log field value is equal to Active Scan: Log4j Vulnerable to RCE, then the sourceProperties.properties.vpcName log field is mapped to the target.resource_ancestors.name UDM field and the target.resource_ancestors.resource_type UDM field is set to VIRTUAL_MACHINE.

Else if the category log field value is equal to Malware: Bad Domain or Malware: Bad IP or Malware: Cryptomining Bad IP, then the resourceName log field is mapped to the target.resource_ancestors.name UDM field.

Else if the category log field value is equal to Brute Force: SSH, then the resourceName log field is mapped to the target.resource_ancestors.name UDM field.

Else if the category log field value is equal to Persistence: GCE Admin Added SSH Key or Persistence: GCE Admin Added Startup Script, then the sourceProperties.properties.projectId log field is mapped to the target.resource_ancestors.name UDM field.

Else if the category log field value is equal to Increasing Deny Ratio or Allowed Traffic Spike, then the resourceName log field is mapped to the target.resource_ancestors.name UDM field.
sourceProperties.affectedResources.gcpResourceName target.resource_ancestors.name
sourceProperties.Backend_Service target.resource.name If the category log field value is equal to Increasing Deny Ratio or Allowed Traffic Spike or Application DDoS Attack Attempt, then the sourceProperties.Backend_Service log field is mapped to the target.resource.name UDM field and the resourceName log field is mapped to the target.resource_ancestors.name UDM field.
sourceProperties.Container_Creation_Timestamp.nanos target.resource.attribute.labels[sourceProperties_Container_Creation_Timestamp_nanos]
sourceProperties.Container_Creation_Timestamp.seconds target.resource.attribute.labels[sourceProperties_Container_Creation_Timestamp_seconds]
sourceProperties.Container_Image_Id target.resource_ancestors.product_object_id
sourceProperties.Container_Image_Uri target.resource.attribute.labels[sourceProperties_Container_Image_Uri]
sourceProperties.Container_Name target.resource_ancestors.name
sourceProperties.contextUris.cloudLoggingQueryUri.url security_result.detection_fields.key/value[sourceProperties_contextUris_cloudLoggingQueryUri_url]
sourceProperties.contextUris.mitreUri.url/displayName security_result.detection_fields.key/value [sourceProperties.contextUris.mitreUri.url/displayName]
sourceProperties.contextUris.relatedFindingUri.url/displayName metadata.url_back_to_product If the category log field value is equal to Active Scan: Log4j Vulnerable to RCE or Exfiltration: BigQuery Data Extraction or Exfiltration: BigQuery Data to Google Drive or Exfiltration: CloudSQL Data Exfiltration or Exfiltration: CloudSQL Over-Privileged Grant or Exfiltration: CloudSQL Restore Backup to External Organization or Initial Access: Log4j Compromise Attempt or Malware: Cryptomining Bad Domain or Malware: Cryptomining Bad IP or Persistence: IAM Anomalous Grant, then the security_result.detection_fields.key UDM field is set to sourceProperties_contextUris_relatedFindingUri_url and the sourceProperties.contextUris.relatedFindingUri.url log field is mapped to the metadata.url_back_to_product UDM field.
sourceProperties.contextUris.virustotalIndicatorQueryUri.url/displayName security_result.detection_fields.key/value [sourceProperties.contextUris.virustotalIndicatorQueryUri.url/displayName] If the category log field value is equal to Malware: Bad Domain or Malware: Bad IP or Malware: Cryptomining Bad Domain or Malware: Cryptomining Bad IP, then the sourceProperties.contextUris.virustotalIndicatorQueryUri.displayName log field is mapped to the security_result.detection_fields.key UDM field and the sourceProperties.contextUris.virustotalIndicatorQueryUri.url log field is mapped to the security_result.detection_fields.value UDM field.
sourceProperties.contextUris.workspacesUri.url/displayName security_result.detection_fields.key/value [sourceProperties.contextUris.workspacesUri.url/displayName] If the category log field value is equal to Initial Access: Account Disabled Hijacked or Initial Access: Disabled Password Leak or Initial Access: Government Based Attack or Initial Access: Suspicious Login Blocked or Impair Defenses: Strong Authentication Disabled or Persistence: SSO Enablement Toggle or Persistence: SSO Settings Changed, then the sourceProperties.contextUris.workspacesUri.displayName log field is mapped to the security_result.detection_fields.key UDM field and the sourceProperties.contextUris.workspacesUri.url log field is mapped to the security_result.detection_fields.value UDM field.
sourceProperties.detectionCategory.indicator security_result.detection_fields.key/value [sourceProperties_detectionCategory_indicator]
sourceProperties.detectionCategory.ruleName security_result.rule_name
sourceProperties.detectionCategory.subRuleName security_result.rule_labels.key/value [sourceProperties_detectionCategory_subRuleName]
sourceProperties.detectionCategory.technique security_result.detection_fields.key/value [sourceProperties_detectionCategory_technique]
sourceProperties.detectionPriority security_result.priority If the sourceProperties.detectionPriority log field value is equal to HIGH, then the security_result.priority UDM field is set to HIGH_PRIORITY.

Else if, the sourceProperties.detectionPriority log field value is equal to MEDIUM, then the security_result.priority UDM field is set to MEDIUM_PRIORITY.

Else if, the sourceProperties.detectionPriority log field value is equal to LOW, then the security_result.priority UDM field is set to LOW_PRIORITY.
sourceProperties.detectionPriority security_result.priority_details
sourceProperties.Environment_Variables target.labels [Environment_Variables_name] (deprecated)
sourceProperties.Environment_Variables additional.fields [Environment_Variables_name]
sourceProperties.evidence.sourceLogId.insertId metadata.product_log_id If the canonicalName log field value is not empty, then the finding_id is extracted from the canonicalName log field using a Grok pattern.

If the canonicalName log field value is empty, or the extracted finding_id is empty, then the sourceProperties.evidence.sourceLogId.insertId log field is mapped to the metadata.product_log_id UDM field.
sourceProperties.findingId metadata.product_log_id
sourceProperties.Kubernetes_Labels target.resource.attribute.labels.key/value [sourceProperties_Kubernetes_Labels.name/value]
sourceProperties.Long_Term_Allowed_RPS target.resource.attribute.labels[sourceProperties_Long_Term_Allowed_RPS]
sourceProperties.Long_Term_Denied_RPS target.resource.attribute.labels[sourceProperties_Long_Term_Denied_RPS]
sourceProperties.Long_Term_Incoming_RPS target.resource.attribute.labels[sourceProperties_Long_Term_Incoming_RPS]
sourceProperties.Parent_Pid target.process.parent_process.pid
sourceProperties.Pid target.process.pid
sourceProperties.Pod_Name target.resource_ancestors.name
sourceProperties.Pod_Namespace target.resource_ancestors.attribute.labels.key/value [sourceProperties_Pod_Namespace]
sourceProperties.Process_Arguments target.process.command_line
sourceProperties.Process_Binary_Fullpath target.process.file.full_path
sourceProperties.Process_Creation_Timestamp.nanos target.labels [sourceProperties_Process_Creation_Timestamp_nanos] (deprecated)
sourceProperties.Process_Creation_Timestamp.nanos additional.fields [sourceProperties_Process_Creation_Timestamp_nanos]
sourceProperties.Process_Creation_Timestamp.seconds target.labels [sourceProperties_Process_Creation_Timestamp_seconds] (deprecated)
sourceProperties.Process_Creation_Timestamp.seconds additional.fields [sourceProperties_Process_Creation_Timestamp_seconds]
sourceProperties.properties.anomalousLocation.anomalousLocation principal.location.name If the category log field value is equal to Persistence: IAM Anomalous Grant, then the sourceProperties.properties.anomalousLocation.anomalousLocation log field is mapped to the principal.location.name UDM field.
sourceProperties.properties.anomalousLocation.callerIp principal.ip If the category log field value is equal to Persistence: New Geography, then the sourceProperties.properties.anomalousLocation.callerIp log field is mapped to the principal.ip UDM field.
sourceProperties.properties.anomalousLocation.notSeenInLast target.user.attribute.labels.key/value [sourceProperties_properties_anomalousLocation_notSeenInLast] If the category log field value is equal to Persistence: New Geography, then the sourceProperties.properties.anomalousLocation.notSeenInLast log field is mapped to the target.user.attribute.labels.value UDM field.
sourceProperties.properties.anomalousLocation.principalEmail principal.user.email_addresses If the category log field value is equal to Persistence: New Geography, then the sourceProperties.properties.anomalousLocation.principalEmail log field is mapped to the principal.user.email_addresses UDM field.
sourceProperties.properties.anomalousLocation.typicalGeolocations.country.identifier principal.location.country_or_region If the category log field value is equal to Persistence: New Geography or Persistence: IAM Anomalous Grant, then the sourceProperties.properties.anomalousLocation.typicalGeolocations.country.identifier log field is mapped to the principal.location.country_or_region UDM field.
sourceProperties.properties.anomalousSoftware.anomalousSoftwareClassification security_result.detection_fields.key/value [sourceProperties_properties_anomalousSoftware_anomalousSoftwareClassification] If the category log field value is equal to Persistence: New User Agent, then the sourceProperties.properties.anomalousSoftware.anomalousSoftwareClassification log field is mapped to the security_result.detection_fields.value UDM field.
sourceProperties.properties.anomalousSoftware.behaviorPeriod network.session_duration If the category log field value is equal to Persistence: New User Agent, then the sourceProperties.properties.anomalousSoftware.behaviorPeriod log field is mapped to the network.session_duration UDM field.
sourceProperties.properties.anomalousSoftware.callerUserAgent network.http.user_agent If the category log field value is equal to Persistence: New User Agent, then the sourceProperties.properties.anomalousSoftware.callerUserAgent log field is mapped to the network.http.user_agent UDM field.
sourceProperties.properties.anomalousSoftware.principalEmail principal.user.email_addresses If the category log field value is equal to Persistence: New User Agent, then the sourceProperties.properties.anomalousSoftware.principalEmail log field is mapped to the principal.user.email_addresses UDM field.
sourceProperties.properties.attempts.authResult security_result.detection_fields.key/value [sourceProperties_properties_attempts_authResult] If the category log field value is equal to Brute Force: SSH, then the sourceProperties.properties.attempts.authResult log field is mapped to the security_result.detection_fields.value UDM field.
sourceProperties.properties.attempts.sourceIp principal.ip If the category log field value is equal to Brute Force: SSH, then the sourceProperties.properties.attempts.sourceIp log field is mapped to the principal.ip UDM field.
sourceProperties.properties.attempts.sourceIp security_result.about.ip If the category log field value is equal to Brute Force: SSH, then the sourceProperties.properties.attempts.sourceIp log field is mapped to the security_result.about.ip UDM field.
sourceProperties.properties.attempts.username target.user.userid If the category log field value is equal to Brute Force: SSH, then the sourceProperties.properties.attempts.username log field is mapped to the target.user.userid UDM field.

If the category log field value is equal to Initial Access: Suspicious Login Blocked, then the userid log field is mapped to the target.user.userid UDM field.
sourceProperties.properties.attempts.vmName target.resource.name If the category log field value is equal to Defense Evasion: Modify VPC Service Control, then the sourceProperties.properties.name log field is mapped to the target.resource.name UDM field.

Else if, the category log field value is equal to Exfiltration: CloudSQL Data Exfiltration, then the sourceProperties.properties.exportToGcs.bucketResource log field is mapped to the target.resource.name UDM field.

Else if, the category log field value is equal to Exfiltration: CloudSQL Restore Backup to External Organization, then the sourceProperties.properties.restoreToExternalInstance.targetCloudsqlInstanceResource log field is mapped to the target.resource.name UDM field.

Else if, the category log field value is equal to Brute Force: SSH, then the sourceProperties.properties.attempts.vmName log field is mapped to the target.resource.name UDM field and the resourceName log field is mapped to the target.resource_ancestors.name UDM field.

Else if, the category log field value is equal to Malware: Bad Domain or Malware: Bad IP or Malware: Cryptomining Bad IP or Malware: Cryptomining Bad Domain or Configurable Bad Domain, then the sourceProperties.properties.instanceDetails log field is mapped to the target.resource.name UDM field and the resourceName log field is mapped to the target.resource_ancestors.name UDM field and the target.resource.resource_type UDM field is set to VIRTUAL_MACHINE.

Else if, the category log field value is equal to Exfiltration: BigQuery Data Extraction or Exfiltration: BigQuery Data to Google Drive, then the sourceProperties.properties.extractionAttempt.destinations.collectionName log field is mapped to the target.resource.attribute.name UDM field and the exfiltration.target.name log field is mapped to the target.resource.name UDM field.

Else if, the category log field value is equal to Exfiltration: BigQuery Data Exfiltration, then the exfiltration.target.name log field is mapped to the target.resource.name UDM field and the sourceProperties.properties.dataExfiltrationAttempt.destinationTables.tableId log field is mapped to the target.resource.attribute.labels UDM field and the target.resource.resource_type UDM field is set to TABLE.

Else, the resourceName log field is mapped to the target.resource.name UDM field.
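The category branches documented in the rows above for target.resource.name and target.resource_ancestors, together with the detectionPriority and product_log_id rules in the earlier rows, are easier to reason about as code. The following is an added example written for this page, not the Google SecOps parser itself: it applies a subset of those documented rules to constructed Security Command Center finding JSON so that a detection engineer can check what UDM fields a given finding will populate. The sample findings are constructed, the regular expression used in place of the undocumented Grok pattern for canonicalName (taking the segment after "/findings/") is an assumption, and repeated fields such as attempts are simplified to their first entry.

```python
"""Added example: subset of the documented SCC -> UDM mapping rules.
Not the Google SecOps parser; field paths follow the rows in the table."""
import json
import re

# security_result.priority values documented for sourceProperties.detectionPriority
PRIORITY = {"HIGH": "HIGH_PRIORITY", "MEDIUM": "MEDIUM_PRIORITY", "LOW": "LOW_PRIORITY"}

# Categories for which instanceDetails becomes target.resource.name (VIRTUAL_MACHINE)
MALWARE_CATEGORIES = {
    "Malware: Bad Domain", "Malware: Bad IP", "Malware: Cryptomining Bad IP",
    "Malware: Cryptomining Bad Domain", "Configurable Bad Domain",
}

def get(d, path, default=None):
    """Walk a dotted log-field path such as 'sourceProperties.properties.attempts.vmName'.
    Simplification (assumption): a repeated field is resolved to its first entry."""
    cur = d
    for part in path.split("."):
        if isinstance(cur, list):
            cur = cur[0] if cur else None
        if not isinstance(cur, dict) or part not in cur:
            return default
        cur = cur[part]
    return cur

def target_resource(finding):
    """Return (target.resource.name, target.resource_ancestors.name, target.resource.resource_type)
    following the documented category branches; None where the rule sets nothing."""
    cat = finding.get("category")
    p = "sourceProperties.properties."
    if cat == "Defense Evasion: Modify VPC Service Control":
        return get(finding, p + "name"), None, None
    if cat == "Exfiltration: CloudSQL Data Exfiltration":
        return get(finding, p + "exportToGcs.bucketResource"), None, None
    if cat == "Exfiltration: CloudSQL Restore Backup to External Organization":
        return get(finding, p + "restoreToExternalInstance.targetCloudsqlInstanceResource"), None, None
    if cat == "Brute Force: SSH":
        return get(finding, p + "attempts.vmName"), finding.get("resourceName"), None
    if cat in MALWARE_CATEGORIES:
        return get(finding, p + "instanceDetails"), finding.get("resourceName"), "VIRTUAL_MACHINE"
    # Default branch: the finding's resourceName is the target resource
    return finding.get("resourceName"), None, None

def priority(finding):
    return PRIORITY.get(get(finding, "sourceProperties.detectionPriority"))

def product_log_id(finding):
    """finding_id from canonicalName when present, else the source log insertId.
    The regex stands in for the undocumented Grok pattern (assumption)."""
    m = re.search(r"/findings/([^/]+)$", finding.get("canonicalName") or "")
    if m and m.group(1):
        return m.group(1)
    return get(finding, "sourceProperties.evidence.sourceLogId.insertId")

def normalize(finding):
    """Build the subset of the UDM event covered by the rules above."""
    name, ancestor, rtype = target_resource(finding)
    udm = {
        "metadata": {"product_log_id": product_log_id(finding)},
        "security_result": {"priority": priority(finding), "severity": finding.get("severity")},
        "target": {"resource": {"name": name}},
    }
    if rtype:
        udm["target"]["resource"]["resource_type"] = rtype
    if ancestor:
        udm["target"]["resource_ancestors"] = [{"name": ancestor}]
    return udm

# Constructed sample findings (not real data); resource names are illustrative.
SAMPLE_FINDINGS = [
    {"category": "Brute Force: SSH", "severity": "LOW",
     "canonicalName": "projects/123/sources/456/findings/abc123",
     "resourceName": "//compute.googleapis.com/projects/p/zones/us-central1-a/instances/vm-1",
     "sourceProperties": {"detectionPriority": "LOW", "properties": {"attempts": [
         {"vmName": "vm-1", "sourceIp": "203.0.113.5", "username": "root", "authResult": "FAIL"}]}}},
    {"category": "Malware: Bad IP", "severity": "HIGH",
     "resourceName": "//compute.googleapis.com/projects/p/zones/us-central1-a/instances/vm-2",
     "sourceProperties": {"detectionPriority": "HIGH",
                          "evidence": {"sourceLogId": {"insertId": "ins-789"}},
                          "properties": {"instanceDetails": "vm-2"}}},
    {"category": "Persistence: New Geography", "severity": "MEDIUM",
     "resourceName": "//cloudresourcemanager.googleapis.com/projects/123",
     "sourceProperties": {"detectionPriority": "MEDIUM"}},
]

if __name__ == "__main__":
    for f in SAMPLE_FINDINGS:
        print(f["category"], "->", json.dumps(normalize(f)))
```

Running the block prints one UDM fragment per sample finding; the Brute Force: SSH finding yields the VM name as target.resource.name with the full resourceName as its ancestor, the Malware: Bad IP finding additionally gets resource_type VIRTUAL_MACHINE and falls back to insertId for product_log_id because it has no canonicalName, and the New Geography finding takes the default branch.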
sourceProperties.properties.autofocusContextCards.indicator.firstSeenTsGlobal security_result.detection_fields.key/value [sourcePropertiesproperties_autofocusContextCards_indicator_firstSeenTsGlobal] If the category log field value is equal to Malware: Bad IP, then the sourceProperties.properties.autofocusContextCards.indicator.firstSeenTsGlobal log field is mapped to the security_result.detection_fields.value UDM field.
sourceProperties.properties.autofocusContextCards.indicator.indicatorType security_result.detection_fields.key/value [sourceProperties_properties_autofocusContextCards_indicator_indicatorType] If the category log field value is equal to Malware: Bad IP, then the sourceProperties.properties.autofocusContextCards.indicator.indicatorType log field is mapped to the security_result.detection_fields.value UDM field.
sourceProperties.properties.autofocusContextCards.indicator.lastSeenTsGlobal security_result.detection_fields.key/value [sourceProperties_properties_autofocusContextCards_indicator_lastSeenTsGlobal] If the category log field value is equal to Malware: Bad IP, then the sourceProperties.properties.autofocusContextCards.indicator.lastSeenTsGlobal log field is mapped to the security_result.detection_fields.value UDM field.
sourceProperties.properties.autofocusContextCards.indicator.summaryGenerationTs security_result.detection_fields.key/value [sourceProperties_properties_autofocusContextCards_indicator_summaryGenerationTs] If the category log field value is equal to Malware: Bad IP, then the sourceProperties.properties.autofocusContextCards.indicator.summaryGenerationTs log field is mapped to the security_result.detection_fields.value UDM field.
sourceProperties.properties.autofocusContextCards.tags.customer_industry security_result.detection_fields.key/value [sourceProperties_properties_autofocusContextCards_tags_customer_industry] If the category log field value is equal to Malware: Bad IP, then the sourceProperties.properties.autofocusContextCards.tags.customer_industry log field is mapped to the security_result.detection_fields.value UDM field.
sourceProperties.properties.autofocusContextCards.tags.customer_name security_result.detection_fields.key/value [sourceProperties_properties_autofocusContextCards_tags_customer_name] If the category log field value is equal to Malware: Bad IP, then the sourceProperties.properties.autofocusContextCards.tags.customer_name log field is mapped to the security_result.detection_fields.value UDM field.
sourceProperties.properties.autofocusContextCards.tags.description security_result.detection_fields.key/value [sourceProperties.properties.autofocusContextCards.tags.public_tag_name/description] If the category log field value is equal to Malware: Bad IP, then the sourceProperties.properties.autofocusContextCards.tags.description log field is mapped to the intermediary.labels.value UDM field.
sourceProperties.properties.autofocusContextCards.tags.downVotes security_result.detection_fields.key/value [sourceProperties_properties_autofocusContextCards_tagsdownVotes] If the category log field value is equal to Malware: Bad IP, then the sourceProperties.properties.autofocusContextCards.tags.downVotes log field is mapped to the security_result.detection_fields.value UDM field.
sourceProperties.properties.autofocusContextCards.tags.lasthit security_result.detection_fields.key/value [sourceProperties_properties_autofocusContextCards_tags_lasthit] If the category log field value is equal to Malware: Bad IP, then the sourceProperties.properties.autofocusContextCards.tags.lasthit log field is mapped to the security_result.detection_fields.value UDM field.
sourceProperties.properties.autofocusContextCards.tags.myVote security_result.detection_fields.key/value [sourceProperties_properties_autofocusContextCards_tags_myVote] If the category log field value is equal to Malware: Bad IP, then the sourceProperties.properties.autofocusContextCards.tags.myVote log field is mapped to the security_result.detection_fields.value UDM field.
sourceProperties.properties.autofocusContextCards.tags.public_tag_name security_result.detection_fields.key/value [sourceProperties.properties.autofocusContextCards.tags.public_tag_name/description] If the category log field value is equal to Malware: Bad IP, then the sourceProperties.properties.autofocusContextCards.tags.public_tag_name log field is mapped to the intermediary.labels.key UDM field.
sourceProperties.properties.autofocusContextCards.tags.source security_result.detection_fields.key/value [sourceProperties_properties_autofocusContextCards_tags_source] If the category log field value is equal to Malware: Bad IP, then the sourceProperties.properties.autofocusContextCards.tags.source log field is mapped to the security_result.detection_fields.value UDM field.
sourceProperties.properties.autofocusContextCards.tags.support_id security_result.detection_fields.key/value [sourceProperties_properties_autofocusContextCards_tags_support_id] If the category log field value is equal to Malware: Bad IP, then the sourceProperties.properties.autofocusContextCards.tags.support_id log field is mapped to the security_result.detection_fields.value UDM field.
sourceProperties.properties.autofocusContextCards.tags.tag_class_id security_result.detection_fields.key/value [sourceProperties_properties_autofocusContextCards_tags_tag_class_id] If the category log field value is equal to Malware: Bad IP, then the sourceProperties.properties.autofocusContextCards.tags.tag_class_id log field is mapped to the security_result.detection_fields.value UDM field.
sourceProperties.properties.autofocusContextCards.tags.tag_definition_id security_result.detection_fields.key/value [sourceProperties_properties_autofocusContextCards_tags_tag_definition_id] If the category log field value is equal to Malware: Bad IP, then the sourceProperties.properties.autofocusContextCards.tags.tag_definition_id log field is mapped to the security_result.detection_fields.value UDM field.
sourceProperties.properties.autofocusContextCards.tags.tag_definition_scope_id security_result.detection_fields.key/value [sourceProperties_properties_autofocusContextCards_tags_tag_definition_scope_id] If the category log field value is equal to Malware: Bad IP, then the sourceProperties.properties.autofocusContextCards.tags.tag_definition_scope_id log field is mapped to the security_result.detection_fields.value UDM field.
sourceProperties.properties.autofocusContextCards.tags.tag_definition_status_id security_result.detection_fields.key/value [sourceProperties_properties_autofocusContextCards_tags_tag_definition_status_id] If the category log field value is equal to Malware: Bad IP, then the sourceProperties.properties.autofocusContextCards.tags.tag_definition_status_id log field is mapped to the security_result.detection_fields.value UDM field.
sourceProperties.properties.autofocusContextCards.tags.tag_name security_result.detection_fields.key/value [sourceProperties_properties_autofocusContextCards_tags_tag_name] If the category log field value is equal to Malware: Bad IP, then the sourceProperties.properties.autofocusContextCards.tags.tag_name log field is mapped to the security_result.detection_fields.value UDM field.
sourceProperties.properties.autofocusContextCards.tags.upVotes security_result.detection_fields.key/value [sourceProperties_properties_autofocusContextCards_tags_upVotes] If the category log field value is equal to Malware: Bad IP, then the sourceProperties.properties.autofocusContextCards.tags.upVotes log field is mapped to the security_result.detection_fields.value UDM field.
sourceProperties.properties.callerIp, sourceProperties.properties.indicatorContext.ipAddress principal.ip If the category log field value is equal to Malware: Cryptomining Bad IP or Malware: Bad IP, and the sourceProperties.properties.ipConnection.srcIp log field value is not equal to the sourceProperties.properties.indicatorContext.ipAddress log field value, then the sourceProperties.properties.indicatorContext.ipAddress log field is mapped to the principal.ip UDM field.
sourceProperties.properties.callerUserAgent network.http.user_agent If the category log field value is equal to Persistence: GCE Admin Added SSH Key or Persistence: GCE Admin Added Startup Script, then the sourceProperties.properties.callerUserAgent log field is mapped to the network.http.user_agent UDM field.
sourceProperties.properties.changeFromBadIp.ip principal.ip If the category log field value is equal to Evasion: Access from Anonymizing Proxy, then the sourceProperties.properties.changeFromBadIp.ip log field is mapped to the principal.ip UDM field.
sourceProperties.properties.changeFromBadIp.principalEmail principal.user.email_addresses If the category log field value is equal to Evasion: Access from Anonymizing Proxy, then the sourceProperties.properties.changeFromBadIp.principalEmail log field is mapped to the principal.user.email_addresses UDM field.
sourceProperties.properties.customProperties.domain_category target.resource.attribute.labels[sourceProperties_properties_customProperties_domain_category]
sourceProperties.properties.customRoleSensitivePermissions.permissions target.group.attribute.permissions.name If the category log field value is equal to Persistence: IAM Anomalous Grant, then the sourceProperties.properties.customRoleSensitivePermissions.permissions log field is mapped to the target.group.attribute.permissions.name UDM field.
sourceProperties.properties.customRoleSensitivePermissions.principalEmail principal.user.email_addresses If the category log field value is equal to Persistence: IAM Anomalous Grant, then the sourceProperties.properties.customRoleSensitivePermissions.principalEmail log field is mapped to the principal.user.email_addresses UDM field.
sourceProperties.properties.customRoleSensitivePermissions.principalEmail principal.user.userid Grok : Extracted user_id from sourceProperties.properties.customRoleSensitivePermissions.principalEmail log field, then the user_id field is mapped to the principal.user.userid UDM field.
sourceProperties.properties.customRoleSensitivePermissions.roleName target.group.attribute.roles.name If the category log field value is equal to Persistence: IAM Anomalous Grant, then the sourceProperties.properties.customRoleSensitivePermissions.roleName log field is mapped to the target.group.attribute.roles.name UDM field.
sourceProperties.properties.dataExfiltrationAttempt.destinationTables.datasetId target.resource.attribute.labels.key/value [sourceProperties_properties_dataExfiltrationAttempt_destinationTables_datasetId] If the category log field value is equal to Exfiltration: BigQuery Data Exfiltration, then the sourceProperties.properties.dataExfiltrationAttempt.destinationTables.datasetId log field is mapped to the target.resource.attribute.labels.value UDM field.
sourceProperties.properties.dataExfiltrationAttempt.destinationTables.projectId target.resource.attribute.labels.key/value [sourceProperties_properties_dataExfiltrationAttempt_destinationTables_projectId] If the category log field value is equal to Exfiltration: BigQuery Data Exfiltration, then the sourceProperties.properties.dataExfiltrationAttempt.destinationTables.projectId log field is mapped to the target.resource.attribute.labels.value UDM field.
sourceProperties.properties.dataExfiltrationAttempt.destinationTables.resourceUri target.resource.attribute.labels.key/value [sourceProperties_properties_dataExfiltrationAttempt_destinationTables_resourceUri] If the category log field value is equal to Exfiltration: BigQuery Data Exfiltration, then the sourceProperties.properties.dataExfiltrationAttempt.destinationTables.resourceUri log field is mapped to the target.resource.attribute.labels.value UDM field.
sourceProperties.properties.dataExfiltrationAttempt.destinationTables.tableId target.resource.name If the category log field value is equal to Defense Evasion: Modify VPC Service Control, then the sourceProperties.properties.name log field is mapped to the target.resource.name UDM field.

Else if, the category log field value is equal to Exfiltration: CloudSQL Data Exfiltration, then the sourceProperties.properties.exportToGcs.bucketResource log field is mapped to the target.resource.name UDM field.

Else if, the category log field value is equal to Exfiltration: CloudSQL Restore Backup to External Organization, then the sourceProperties.properties.restoreToExternalInstance.targetCloudsqlInstanceResource log field is mapped to the target.resource.name UDM field.

Else if, the category log field value is equal to Brute Force: SSH, then the sourceProperties.properties.attempts.vmName log field is mapped to the target.resource.name UDM field and the resourceName log field is mapped to the target.resource_ancestors.name UDM field.

Else if, the category log field value is equal to Malware: Bad Domain or Malware: Bad IP or Malware: Cryptomining Bad IP or Malware: Cryptomining Bad Domain or Configurable Bad Domain, then the sourceProperties.properties.instanceDetails log field is mapped to the target.resource.name UDM field and the resourceName log field is mapped to the target.resource_ancestors.name UDM field and the target.resource.resource_type UDM field is set to VIRTUAL_MACHINE.

Else if, the category log field value is equal to Exfiltration: BigQuery Data Extraction or Exfiltration: BigQuery Data to Google Drive, then the sourceProperties.properties.extractionAttempt.destinations.collectionName log field is mapped to the target.resource.attribute.name UDM field and the exfiltration.target.name log field is mapped to the target.resource.name UDM field.

Else if, the category log field value is equal to Exfiltration: BigQuery Data Exfiltration, then the exfiltration.target.name log field is mapped to the target.resource.name UDM field and the sourceProperties.properties.dataExfiltrationAttempt.destinationTables.tableId log field is mapped to the target.resource.attribute.labels UDM field and the target.resource.resource_type UDM field is set to TABLE.

Else, the resourceName log field is mapped to the target.resource.name UDM field.
sourceProperties.properties.dataExfiltrationAttempt.job.jobId principal.process.pid If the category log field value is equal to Exfiltration: BigQuery Data Exfiltration, then the sourceProperties.properties.dataExfiltrationAttempt.job.jobId log field is mapped to the principal.process.pid UDM field.
sourceProperties.properties.dataExfiltrationAttempt.job.location principal.location.country_or_region If the category log field value is equal to Exfiltration: BigQuery Data Exfiltration, then the sourceProperties.properties.dataExfiltrationAttempt.job.location log field is mapped to the principal.location.country_or_region UDM field.
sourceProperties.properties.dataExfiltrationAttempt.jobLink principal.process.file.full_path If the category log field value is equal to Exfiltration: BigQuery Data Exfiltration, then the sourceProperties.properties.dataExfiltrationAttempt.jobLink log field is mapped to the principal.process.file.full_path UDM field.
sourceProperties.properties.dataExfiltrationAttempt.jobState principal.labels [sourceProperties.properties.dataExfiltrationAttempt.jobState] (deprecated) If the category log field value is equal to Exfiltration: BigQuery Data Exfiltration, then the sourceProperties.properties.dataExfiltrationAttempt.jobState log field is mapped to the principal.labels.value UDM field.
sourceProperties.properties.dataExfiltrationAttempt.jobState additional.fields [sourceProperties.properties.dataExfiltrationAttempt.jobState] If the category log field value is equal to Exfiltration: BigQuery Data Exfiltration, then the sourceProperties.properties.dataExfiltrationAttempt.jobState log field is mapped to the additional.fields.value.string_value UDM field.
sourceProperties.properties.dataExfiltrationAttempt.query target.process.command_line If the category log field value is equal to Exfiltration: BigQuery Data Exfiltration, then the sourceProperties.properties.dataExfiltrationAttempt.query log field is mapped to the target.process.command_line UDM field.
sourceProperties.properties.dataExfiltrationAttempt.sourceTables.datasetId src.resource_ancestors.attribute.labels.key/value [sourceProperties_properties_dataExfiltrationAttempt_sourceTables_datasetId] If the category log field value is equal to Exfiltration: BigQuery Data Exfiltration, then the sourceProperties.properties.dataExfiltrationAttempt.sourceTables.datasetId log field is mapped to the src.resource_ancestors.attribute.labels.value UDM field.
sourceProperties.properties.dataExfiltrationAttempt.sourceTables.projectId src.resource_ancestors.attribute.labels.key/value [sourceProperties_properties_dataExfiltrationAttempt_sourceTables_projectId] If the category log field value is equal to Exfiltration: BigQuery Data Exfiltration, then the sourceProperties.properties.dataExfiltrationAttempt.sourceTables.projectId log field is mapped to the src.resource_ancestors.attribute.labels.value UDM field.
sourceProperties.properties.dataExfiltrationAttempt.sourceTables.resourceUri src.resource_ancestors.attribute.labels.key/value [sourceProperties_properties_dataExfiltrationAttempt_sourceTables_resourceUri] If the category log field value is equal to Exfiltration: BigQuery Data Exfiltration, then the sourceProperties.properties.dataExfiltrationAttempt.sourceTables.resourceUri log field is mapped to the src.resource_ancestors.attribute.labels.value UDM field.
sourceProperties.properties.dataExfiltrationAttempt.sourceTables.tableId src.resource_ancestors.name If the category log field value is equal to Exfiltration: BigQuery Data Exfiltration, then the sourceProperties.properties.dataExfiltrationAttempt.sourceTables.tableId log field is mapped to the src.resource_ancestors.name UDM field and the src.resource_ancestors.resource_type UDM field is set to TABLE.
sourceProperties.properties.dataExfiltrationAttempt.userEmail principal.user.email_addresses If the category log field value is equal to Exfiltration: BigQuery Data Exfiltration, then the sourceProperties.properties.dataExfiltrationAttempt.userEmail log field is mapped to the principal.user.email_addresses UDM field.
sourceProperties.properties.delta.accessLevels.action security_result.action_details If the category log field value is equal to Defense Evasion: Modify VPC Service Control, then the sourceProperties.properties.delta.accessLevels.action log field is mapped to the security_result.action_details UDM field.
sourceProperties.properties.delta.accessLevels.policyName security_result.about.resource.name If the category log field value is equal to Exfiltration: BigQuery Data Exfiltration, then the sourceProperties.properties.delta.accessLevels.policyName log field is mapped to the security_result.about.resource.name UDM field and the security_result.about.resource_type UDM field is set to ACCESS_POLICY.
sourceProperties.properties.delta.allowedServices.action security_result.action_details If the category log field value is equal to Defense Evasion: Modify VPC Service Control, then the sourceProperties.properties.delta.allowedServices.action log field is mapped to the security_result.action_details UDM field.
sourceProperties.properties.delta.allowedServices.serviceName security_result.about.resource.name If the category log field value is equal to Exfiltration: BigQuery Data Exfiltration, then the sourceProperties.properties.delta.allowedServices.serviceName log field is mapped to the security_result.about.resource.name UDM field and the security_result.about.resource_type UDM field is set to BACKEND_SERVICE.
sourceProperties.properties.delta.restrictedResources.action security_result.action_details If the category log field value is equal to Defense Evasion: Modify VPC Service Control, then the sourceProperties.properties.delta.restrictedResources.action log field is mapped to the security_result.action_details UDM field.
sourceProperties.properties.delta.restrictedResources.resourceName security_result.about.resource.name If the category log field value is equal to Defense Evasion: Modify VPC Service Control, then the Restricted Resource: sourceProperties.properties.delta.restrictedResources.resourceName log field is mapped to the security_result.about.resource.name UDM field.

If the category log field value is equal to Exfiltration: BigQuery Data Exfiltration, then the sourceProperties.properties.delta.restrictedResources.resourceName log field is mapped to the security_result.about.resource.name UDM field and the security_result.about.resource_type UDM field is set to CLOUD_PROJECT.
sourceProperties.properties.delta.restrictedServices.action security_result.action_details If the category log field value is equal to Defense Evasion: Modify VPC Service Control, then the sourceProperties.properties.delta.restrictedServices.action log field is mapped to the security_result.action_details UDM field.
sourceProperties.properties.delta.restrictedServices.serviceName security_result.about.resource.name If the category log field value is equal to Exfiltration: BigQuery Data Exfiltration, then the sourceProperties.properties.delta.restrictedServices.serviceName log field is mapped to the security_result.about.resource.name UDM field and the security_result.about.resource_type UDM field is set to BACKEND_SERVICE.
sourceProperties.properties.destVpc.projectId target.resource_ancestors.attribute.labels.key/value [sourceProperties_properties_destVpc_projectId] If the category log field value is equal to Malware: Cryptomining Bad IP or Malware: Bad IP, then the sourceProperties.properties.destVpc.projectId log field is mapped to the target.resource_ancestors.attribute.labels.value UDM field.
sourceProperties.properties.destVpc.subnetworkName target.resource_ancestors.attribute.labels.key/value [sourceProperties_properties_destVpc_subnetworkName] If the category log field value is equal to Malware: Cryptomining Bad IP or Malware: Bad IP, then the sourceProperties.properties.destVpc.subnetworkName log field is mapped to the target.resource_ancestors.attribute.labels.value UDM field.
sourceProperties.properties.destVpc.vpcName target.resource_ancestors.name If the category log field value is equal to Malware: Cryptomining Bad IP or Malware: Bad IP or Malware: Cryptomining Bad Domain or Malware: Bad Domain or Configurable Bad Domain, then the sourceProperties.properties.destVpc.vpcName log field is mapped to the target.resource_ancestors.name UDM field and the sourceProperties.properties.vpc.vpcName log field is mapped to the target.resource_ancestors.name UDM field and the target.resource_ancestors.resource_type UDM field is set to VPC_NETWORK.

Else if, the category log field value is equal to Active Scan: Log4j Vulnerable to RCE, then the sourceProperties.properties.vpcName log field is mapped to the target.resource_ancestors.name UDM field and the target.resource_ancestors.resource_type UDM field is set to VIRTUAL_MACHINE.

Else if, the category log field value is equal to Malware: Bad Domain or Malware: Bad IP or Malware: Cryptomining Bad IP, then the resourceName log field is mapped to the target.resource_ancestors.name UDM field.

Else if, the category log field value is equal to Brute Force: SSH, then the resourceName log field is mapped to the target.resource_ancestors.name UDM field.

Else if, the category log field value is equal to Persistence: GCE Admin Added SSH Key or Persistence: GCE Admin Added Startup Script, then the sourceProperties.properties.projectId log field is mapped to the target.resource_ancestors.name UDM field.

Else if, the category log field value is equal to Increasing Deny Ratio or Allowed Traffic Spike, then the resourceName log field is mapped to the target.resource_ancestors.name UDM field.
sourceProperties.properties.dnsContexts.authAnswer network.dns.authoritative If the category log field value is equal to Malware: Bad Domain or Malware: Cryptomining Bad Domain, then the sourceProperties.properties.dnsContexts.authAnswer log field is mapped to the network.dns.authoritative UDM field.
sourceProperties.properties.dnsContexts.queryName network.dns.questions.name If the category log field value is equal to Malware: Bad Domain or Malware: Cryptomining Bad Domain, then the sourceProperties.properties.dnsContexts.queryName log field is mapped to the network.dns.questions.name UDM field.
sourceProperties.properties.dnsContexts.queryType network.dns.questions.type If the category log field value is equal to Malware: Bad Domain or Malware: Cryptomining Bad Domain, then the sourceProperties.properties.dnsContexts.queryType log field is mapped to the network.dns.questions.type UDM field.
sourceProperties.properties.dnsContexts.responseCode network.dns.response_code If the category log field value is equal to Malware: Bad Domain or Malware: Cryptomining Bad Domain, then the sourceProperties.properties.dnsContexts.responseCode log field is mapped to the network.dns.response_code UDM field.
sourceProperties.properties.dnsContexts.responseData.domainName network.dns.answers.name If the category log field value is equal to Malware: Bad Domain, then the sourceProperties.properties.dnsContexts.responseData.domainName log field is mapped to the network.dns.answers.name UDM field.
sourceProperties.properties.dnsContexts.responseData.responseClass network.dns.answers.class If the category log field value is equal to Malware: Bad Domain, then the sourceProperties.properties.dnsContexts.responseData.responseClass log field is mapped to the network.dns.answers.class UDM field.
sourceProperties.properties.dnsContexts.responseData.responseType network.dns.answers.type If the category log field value is equal to Malware: Bad Domain, then the sourceProperties.properties.dnsContexts.responseData.responseType log field is mapped to the network.dns.answers.type UDM field.
sourceProperties.properties.dnsContexts.responseData.responseValue network.dns.answers.data If the category log field value matches the regular expression Malware: Bad Domain, then the sourceProperties.properties.dnsContexts.responseData.responseValue log field is mapped to the network.dns.answers.data UDM field.
sourceProperties.properties.dnsContexts.responseData.ttl network.dns.answers.ttl If the category log field value is equal to Malware: Bad Domain, then the sourceProperties.properties.dnsContexts.responseData.ttl log field is mapped to the network.dns.answers.ttl UDM field.
sourceProperties.properties.dnsContexts.sourceIp principal.ip If the category log field value is equal to Malware: Bad Domain or Malware: Cryptomining Bad Domain, then the sourceProperties.properties.dnsContexts.sourceIp log field is mapped to the principal.ip UDM field.
sourceProperties.properties.domainName target.domain.name If the category log field value is equal to Persistence: SSO Enablement Toggle or Persistence: SSO Settings Changed, then the sourceProperties.properties.domainName log field is mapped to the target.domain.name UDM field.
sourceProperties.properties.domains.0 target.domain.name If the category log field value is equal to Malware: Bad Domain or Malware: Cryptomining Bad Domain or Configurable Bad Domain, then the sourceProperties.properties.domains.0 log field is mapped to the target.domain.name UDM field.
sourceProperties.properties.exportToGcs.bucketAccess target.resource.attribute.permissions.name If the category log field value is equal to Exfiltration: CloudSQL Data Exfiltration, then the sourceProperties.properties.exportToGcs.bucketAccess log field is mapped to the target.resource.attribute.permissions.name UDM field.
sourceProperties.properties.exportToGcs.bucketResource target.resource.name If the category log field value is equal to Defense Evasion: Modify VPC Service Control, then the sourceProperties.properties.name log field is mapped to the target.resource.name UDM field.

Else if, the category log field value is equal to Exfiltration: CloudSQL Data Exfiltration, then the sourceProperties.properties.exportToGcs.bucketResource log field is mapped to the target.resource.name UDM field.

Else if, the category log field value is equal to Exfiltration: CloudSQL Restore Backup to External Organization, then the sourceProperties.properties.restoreToExternalInstance.targetCloudsqlInstanceResource log field is mapped to the target.resource.name UDM field.

Else if, the category log field value is equal to Brute Force: SSH, then the sourceProperties.properties.attempts.vmName log field is mapped to the target.resource.name UDM field and the resourceName log field is mapped to the target.resource_ancestors.name UDM field.

Else if, the category log field value is equal to Malware: Bad Domain or Malware: Bad IP or Malware: Cryptomining Bad IP or Malware: Cryptomining Bad Domain or Configurable Bad Domain, then the sourceProperties.properties.instanceDetails log field is mapped to the target.resource.name UDM field and the resourceName log field is mapped to the target.resource_ancestors.name UDM field and the target.resource.resource_type UDM field is set to VIRTUAL_MACHINE.

Else if, the category log field value is equal to Exfiltration: BigQuery Data Extraction or Exfiltration: BigQuery Data to Google Drive, then the sourceProperties.properties.extractionAttempt.destinations.collectionName log field is mapped to the target.resource.attribute.name UDM field and the exfiltration.target.name log field is mapped to the target.resource.name UDM field.

Else if, the category log field value is equal to Exfiltration: BigQuery Data Exfiltration, then the exfiltration.target.name log field is mapped to the target.resource.name UDM field and the sourceProperties.properties.dataExfiltrationAttempt.destinationTables.tableId log field is mapped to the target.resource.attribute.labels UDM field and the target.resource.resource_type UDM field is set to TABLE.

Else, the resourceName log field is mapped to the target.resource.name UDM field.
sourceProperties.properties.exportToGcs.cloudsqlInstanceResource src.resource.name If the category log field value is equal to Exfiltration: CloudSQL Restore Backup to External Organization, then the sourceProperties.properties.restoreToExternalInstance.sourceCloudsqlInstanceResource log field is mapped to the src.resource.name UDM field and the src.resource.resource_subtype UDM field is set to CloudSQL.

Else if, the category log field value is equal to Exfiltration: CloudSQL Data Exfiltration, then the sourceProperties.properties.exportToGcs.cloudsqlInstanceResource log field is mapped to the src.resource.name UDM field and the src.resource.resource_subtype UDM field is set to CloudSQL.
sourceProperties.properties.exportToGcs.exportScope target.resource.attribute.labels.key/value [sourceProperties_properties_exportToGcs_exportScope] If the category log field value is equal to Exfiltration: CloudSQL Data Exfiltration, then the target.resource.attribute.labels.key UDM field is set to exportScope and the sourceProperties.properties.exportToGcs.exportScope log field is mapped to the target.resource.attribute.labels.value UDM field.
sourceProperties.properties.exportToGcs.gcsUri target.url If the category log field value is equal to Exfiltration: CloudSQL Data Exfiltration, then the sourceProperties.properties.exportToGcs.gcsUri log field is mapped to the target.url UDM field.
sourceProperties.properties.exportToGcs.principalEmail principal.user.email_addresses
sourceProperties.properties.externalMemberAddedToPrivilegedGroup.groupName target.group.group_display_name If the category log field value is equal to Credential Access: External Member Added To Privileged Group, then the sourceProperties.properties.externalMemberAddedToPrivilegedGroup.groupName log field is mapped to the target.group.group_display_name UDM field.
sourceProperties.properties.externalMemberAddedToPrivilegedGroup.principalEmail principal.user.email_addresses If the category log field value is equal to Credential Access: External Member Added To Privileged Group, then the sourceProperties.properties.externalMemberAddedToPrivilegedGroup.principalEmail log field is mapped to the principal.user.email_addresses UDM field.
sourceProperties.properties.externalMemberAddedToPrivilegedGroup.sensitiveRoles.resource target.resource_ancestors.name If the category log field value is equal to Credential Access: External Member Added To Privileged Group, then the sourceProperties.properties.externalMemberAddedToPrivilegedGroup.sensitiveRoles.resource log field is mapped to the target.resource_ancestors.name UDM field.
sourceProperties.properties.externalMemberAddedToPrivilegedGroup.sensitiveRoles.roleName target.group.attribute.roles.name If the category log field value is equal to Credential Access: External Member Added To Privileged Group, then the sourceProperties.properties.externalMemberAddedToPrivilegedGroup.sensitiveRoles.roleName log field is mapped to the target.group.attribute.roles.name UDM field.
sourceProperties.properties.extractionAttempt.destinations.collectionName target.resource.name If the category log field value is equal to Defense Evasion: Modify VPC Service Control, then the sourceProperties.properties.name log field is mapped to the target.resource.name UDM field.

Else if, the category log field value is equal to Exfiltration: CloudSQL Data Exfiltration, then the sourceProperties.properties.exportToGcs.bucketResource log field is mapped to the target.resource.name UDM field.

Else if, the category log field value is equal to Exfiltration: CloudSQL Restore Backup to External Organization, then the sourceProperties.properties.restoreToExternalInstance.targetCloudsqlInstanceResource log field is mapped to the target.resource.name UDM field.

Else if, the category log field value is equal to Brute Force: SSH, then the sourceProperties.properties.attempts.vmName log field is mapped to the target.resource.name UDM field and the resourceName log field is mapped to the target.resource_ancestors.name UDM field.

Else if, the category log field value is equal to Malware: Bad Domain or Malware: Bad IP or Malware: Cryptomining Bad IP or Malware: Cryptomining Bad Domain or Configurable Bad Domain, then the sourceProperties.properties.instanceDetails log field is mapped to the target.resource.name UDM field and the resourceName log field is mapped to the target.resource_ancestors.name UDM field and the target.resource.resource_type UDM field is set to VIRTUAL_MACHINE.

Else if, the category log field value is equal to Exfiltration: BigQuery Data Extraction or Exfiltration: BigQuery Data to Google Drive, then the sourceProperties.properties.extractionAttempt.destinations.collectionName log field is mapped to the target.resource.attribute.name UDM field and the exfiltration.target.name log field is mapped to the target.resource.name UDM field.

Else if, the category log field value is equal to Exfiltration: BigQuery Data Exfiltration, then the exfiltration.target.name log field is mapped to the target.resource.name UDM field and the sourceProperties.properties.dataExfiltrationAttempt.destinationTables.tableId log field is mapped to the target.resource.attribute.labels UDM field and the target.resource.resource_type UDM field is set to TABLE.

Else, the resourceName log field is mapped to the target.resource.name UDM field.
sourceProperties.properties.extractionAttempt.destinations.collectionType target.resource.resource_subtype If the category log field value is equal to Exfiltration: BigQuery Data Extraction or Exfiltration: BigQuery Data to Google Drive, then the sourceProperties.properties.extractionAttempt.destinations.collectionName log field is mapped to the target.resource.resource_subtype UDM field.

Else if, the category log field value is equal to Credential Access: External Member Added To Privileged Group, then the target.resource.resource_subtype UDM field is set to Privileged Group.

Else if, the category log field value is equal to Exfiltration: BigQuery Data Exfiltration, then the target.resource.resource_subtype UDM field is set to BigQuery.
sourceProperties.properties.extractionAttempt.destinations.objectName target.resource.attribute.labels.key/value [sourceProperties_properties_extractionAttempt_destinations_objectName] If the category log field value is equal to Exfiltration: BigQuery Data Extraction or Exfiltration: BigQuery Data to Google Drive, then the sourceProperties.properties.extractionAttempt.destinations.objectName log field is mapped to the target.resource.attribute.labels.value UDM field.
sourceProperties.properties.extractionAttempt.destinations.originalUri target.resource.attribute.labels.key/value [sourceProperties_properties_extractionAttempt_destinations_originalUri] If the category log field value is equal to Exfiltration: BigQuery Data Extraction or Exfiltration: BigQuery Data to Google Drive, then the sourceProperties.properties.extractionAttempt.destinations.originalUri log field is mapped to the target.resource.attribute.labels.value UDM field.
sourceProperties.properties.extractionAttempt.job.jobId principal.process.pid If the category log field value is equal to Exfiltration: BigQuery Data Extraction or Exfiltration: BigQuery Data to Google Drive, then the sourceProperties.properties.extractionAttempt.job.jobId log field is mapped to the principal.process.pid UDM field.
sourceProperties.properties.extractionAttempt.job.location principal.location.country_or_region If the category log field value is equal to Exfiltration: BigQuery Data Extraction or Exfiltration: BigQuery Data to Google Drive, then the sourceProperties.properties.extractionAttempt.job.location log field is mapped to the principal.location.country_or_region UDM field.
sourceProperties.properties.extractionAttempt.jobLink principal.process.file.full_path If the category log field value is equal to Exfiltration: BigQuery Data Extraction or Exfiltration: BigQuery Data to Google Drive, then the sourceProperties.properties.extractionAttempt.jobLink log field is mapped to the principal.process.file.full_path UDM field.
sourceProperties.properties.extractionAttempt.jobLink target.url If the category log field value is equal to Exfiltration: BigQuery Data to Google Drive, then the sourceProperties.properties.extractionAttempt.jobLink log field is mapped to the target.url UDM field.

If the category log field value is equal to Exfiltration: BigQuery Data Extraction, then the sourceProperties.properties.extractionAttempt.jobLink log field is mapped to the target.url UDM field.
sourceProperties.properties.extractionAttempt.sourceTable.datasetId src.resource.attribute.labels.key/value [sourceProperties_properties_extractionAttempt_sourceTable_datasetId] If the category log field value is equal to Exfiltration: BigQuery Data Extraction or Exfiltration: BigQuery Data to Google Drive, then the sourceProperties.properties.extractionAttempt.sourceTable.datasetId log field is mapped to the src.resource.attribute.labels.value UDM field.
sourceProperties.properties.extractionAttempt.sourceTable.projectId src.resource.attribute.labels.key/value [sourceProperties_properties_extractionAttempt_sourceTable_projectId] If the category log field value is equal to Exfiltration: BigQuery Data Extraction or Exfiltration: BigQuery Data to Google Drive, then the sourceProperties.properties.extractionAttempt.sourceTable.projectId log field is mapped to the src.resource.attribute.labels.value UDM field.
sourceProperties.properties.extractionAttempt.sourceTable.resourceUri src.resource.attribute.labels.key/value [sourceProperties_properties_extractionAttempt_sourceTable_resourceUri] If the category log field value is equal to Exfiltration: BigQuery Data Extraction or Exfiltration: BigQuery Data to Google Drive, then the sourceProperties.properties.extractionAttempt.sourceTable.resourceUri log field is mapped to the src.resource.attribute.labels.value UDM field.
sourceProperties.properties.extractionAttempt.sourceTable.tableId src.resource.product_object_id If the category log field value is equal to Exfiltration: BigQuery Data Extraction or Exfiltration: BigQuery Data to Google Drive, then the sourceProperties.properties.extractionAttempt.sourceTable.tableId log field is mapped to the src.resource.product_object_id UDM field.
sourceProperties.properties.gceInstanceId target.resource_ancestors.product_object_id If the category log field value is equal to Persistence: GCE Admin Added Startup Script or Persistence: GCE Admin Added SSH Key, then the sourceProperties.properties.gceInstanceId log field is mapped to the target.resource_ancestors.product_object_id UDM field and the target.resource_ancestors.resource_type UDM field is set to VIRTUAL_MACHINE.
sourceProperties.properties.indicatorContext.asn network.asn If the category log field value is equal to Malware: Cryptomining Bad IP, then the sourceProperties.properties.indicatorContext.asn log field is mapped to the network.asn UDM field.
sourceProperties.properties.indicatorContext.carrierName network.carrier_name If the category log field value is equal to Malware: Cryptomining Bad IP, then the sourceProperties.properties.indicatorContext.carrierName log field is mapped to the network.carrier_name UDM field.
sourceProperties.properties.indicatorContext.countryCode principal.location.country_or_region If the category log field value is equal to Malware: Cryptomining Bad IP or Malware: Bad IP, then the sourceProperties.properties.indicatorContext.countryCode log field is mapped to the principal.location.country_or_region UDM field.
sourceProperties.properties.indicatorContext.organizationName network.organization_name If the category log field value is equal to Malware: Cryptomining Bad IP or Malware: Bad IP, then the sourceProperties.properties.indicatorContext.organizationName log field is mapped to the network.organization_name UDM field.
sourceProperties.properties.indicatorContext.reverseDnsDomain network.dns_domain If the category log field value is equal to Malware: Cryptomining Bad IP or Malware: Bad IP, then the sourceProperties.properties.indicatorContext.reverseDnsDomain log field is mapped to the network.dns_domain UDM field.
sourceProperties.properties.instanceDetails target.resource.name If the category log field value is equal to Defense Evasion: Modify VPC Service Control, then the sourceProperties.properties.name log field is mapped to the target.resource.name UDM field.

Else if, the category log field value is equal to Exfiltration: CloudSQL Data Exfiltration, then the sourceProperties.properties.exportToGcs.bucketResource log field is mapped to the target.resource.name UDM field.

Else if, the category log field value is equal to Exfiltration: CloudSQL Restore Backup to External Organization, then the sourceProperties.properties.restoreToExternalInstance.targetCloudsqlInstanceResource log field is mapped to the target.resource.name UDM field.

Else if, the category log field value is equal to Brute Force: SSH, then the sourceProperties.properties.attempts.vmName log field is mapped to the target.resource.name UDM field and the resourceName log field is mapped to the target.resource_ancestors.name UDM field.

Else if, the category log field value is equal to Malware: Bad Domain or Malware: Bad IP or Malware: Cryptomining Bad IP or Malware: Cryptomining Bad Domain or Configurable Bad Domain, then the sourceProperties.properties.instanceDetails log field is mapped to the target.resource.name UDM field and the resourceName log field is mapped to the target.resource_ancestors.name UDM field and the target.resource.resource_type UDM field is set to VIRTUAL_MACHINE.

Else if, the category log field value is equal to Exfiltration: BigQuery Data Extraction or Exfiltration: BigQuery Data to Google Drive, then the sourceProperties.properties.extractionAttempt.destinations.collectionName log field is mapped to the target.resource.attribute.name UDM field and the exfiltration.target.name log field is mapped to the target.resource.name UDM field.

Else if, the category log field value is equal to Exfiltration: BigQuery Data Exfiltration, then the exfiltration.target.name log field is mapped to the target.resource.name UDM field and the sourceProperties.properties.dataExfiltrationAttempt.destinationTables.tableId log field is mapped to the target.resource.attribute.labels UDM field and the target.resource.resource_type UDM field is set to TABLE.

Else, the resourceName log field is mapped to the target.resource.name UDM field.
sourceProperties.properties.instanceId target.resource.product_object_id If the category log field value is equal to Brute Force: SSH, then the sourceProperties.properties.instanceId log field is mapped to the target.resource.product_object_id UDM field.
sourceProperties.properties.ipConnection.destIp target.ip If the category log field value is equal to Malware: Bad IP or Malware: Cryptomining Bad IP or Malware: Outgoing DoS, then the sourceProperties.properties.ipConnection.destIp log field is mapped to the target.ip UDM field.
sourceProperties.properties.ipConnection.destPort target.port If the category log field value is equal to Malware: Bad IP or Malware: Outgoing DoS, then the sourceProperties.properties.ipConnection.destPort log field is mapped to the target.port UDM field.
sourceProperties.properties.ipConnection.protocol network.ip_protocol If the category log field value is equal to Malware: Bad IP or Malware: Cryptomining Bad IP or Malware: Outgoing DoS, then the network.ip_protocol UDM field is set to one of the following values:
  • ICMP when the following condition is met:
    • The sourceProperties.properties.ipConnection.protocol log field value is equal to 1 or ICMP.
  • IGMP when the following condition is met:
    • The sourceProperties.properties.ipConnection.protocol log field value is equal to 2 or IGMP.
  • TCP when the following condition is met:
    • The sourceProperties.properties.ipConnection.protocol log field value is equal to 6 or TCP.
  • UDP when the following condition is met:
    • The sourceProperties.properties.ipConnection.protocol log field value is equal to 17 or UDP.
  • IP6IN4 when the following condition is met:
    • The sourceProperties.properties.ipConnection.protocol log field value is equal to 41 or IP6IN4.
  • GRE when the following condition is met:
    • The sourceProperties.properties.ipConnection.protocol log field value is equal to 47 or GRE.
  • ESP when the following condition is met:
    • The sourceProperties.properties.ipConnection.protocol log field value is equal to 50 or ESP.
  • EIGRP when the following condition is met:
    • The sourceProperties.properties.ipConnection.protocol log field value is equal to 88 or EIGRP.
  • ETHERIP when the following condition is met:
    • The sourceProperties.properties.ipConnection.protocol log field value is equal to 97 or ETHERIP.
  • PIM when the following condition is met:
    • The sourceProperties.properties.ipConnection.protocol log field value is equal to 103 or PIM.
  • VRRP when the following condition is met:
    • The sourceProperties.properties.ipConnection.protocol log field value is equal to 112 or VRRP.
  • UNKNOWN_IP_PROTOCOL if the sourceProperties.properties.ipConnection.protocol log field value is equal to any other value.
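Two of the mappings above are conditional chains rather than one-to-one field copies: the target.resource.name logic (the chain starting at the sourceProperties.properties.exportToGcs.bucketResource row, where the first matching category wins and resourceName is the fallback) and the network.ip_protocol normalization just listed, which accepts either the protocol number or its name. The following Python is an added example, not the Google Security Operations parser or any Google code: it re-implements those two documented chains over constructed findings so that a detection engineer can check the UDM values a rule should expect. The helper names (get_path, map_ip_protocol, map_target_resource, normalize_finding), the sample resource names and the sample values are assumptions.

```python
"""Added illustration of two conditional mappings from the SCC -> UDM table.

Not the Google Security Operations parser: this re-implements the documented
target.resource.name chain and the network.ip_protocol normalization so that
expected UDM output can be checked against constructed findings.
Helper names are hypothetical; log-field paths follow the documentation.
"""
from typing import Any, Dict, Optional

# Documented protocol number -> UDM enum name (the symbolic form is also accepted).
IP_PROTOCOLS = {
    "1": "ICMP", "2": "IGMP", "6": "TCP", "17": "UDP", "41": "IP6IN4",
    "47": "GRE", "50": "ESP", "88": "EIGRP", "97": "ETHERIP",
    "103": "PIM", "112": "VRRP",
}
# Categories for which ipConnection.protocol is normalized at all.
NETWORK_MALWARE = {"Malware: Bad IP", "Malware: Cryptomining Bad IP", "Malware: Outgoing DoS"}
# Categories that take the instanceDetails branch of the target.resource.name chain.
MALWARE_ANY = {"Malware: Bad Domain", "Malware: Bad IP", "Malware: Cryptomining Bad IP",
               "Malware: Cryptomining Bad Domain", "Configurable Bad Domain"}
BQ_EXTRACTION = {"Exfiltration: BigQuery Data Extraction",
                 "Exfiltration: BigQuery Data to Google Drive"}


def get_path(obj: Dict[str, Any], dotted: str) -> Optional[Any]:
    """Resolve a dotted log-field path such as sourceProperties.properties.name."""
    cur: Any = obj
    for part in dotted.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def map_ip_protocol(finding: Dict[str, Any]) -> Optional[str]:
    """network.ip_protocol; None when the category does not populate it."""
    if finding.get("category") not in NETWORK_MALWARE:
        return None
    raw = get_path(finding, "sourceProperties.properties.ipConnection.protocol")
    if raw is None:
        return None
    value = str(raw)
    if value in IP_PROTOCOLS:           # numeric form, e.g. 6
        return IP_PROTOCOLS[value]
    if value in IP_PROTOCOLS.values():  # symbolic form, e.g. TCP
        return value
    return "UNKNOWN_IP_PROTOCOL"        # documented catch-all


def map_target_resource(finding: Dict[str, Any]) -> Dict[str, Any]:
    """target.resource.* per the documented chain: first matching category wins."""
    cat = finding.get("category")
    p = "sourceProperties.properties."
    out: Dict[str, Any] = {}
    if cat == "Defense Evasion: Modify VPC Service Control":
        out["target.resource.name"] = get_path(finding, p + "name")
    elif cat == "Exfiltration: CloudSQL Data Exfiltration":
        out["target.resource.name"] = get_path(finding, p + "exportToGcs.bucketResource")
    elif cat == "Exfiltration: CloudSQL Restore Backup to External Organization":
        out["target.resource.name"] = get_path(
            finding, p + "restoreToExternalInstance.targetCloudsqlInstanceResource")
    elif cat == "Brute Force: SSH":
        out["target.resource.name"] = get_path(finding, p + "attempts.vmName")
        out["target.resource_ancestors.name"] = finding.get("resourceName")
    elif cat in MALWARE_ANY:
        out["target.resource.name"] = get_path(finding, p + "instanceDetails")
        out["target.resource_ancestors.name"] = finding.get("resourceName")
        out["target.resource.resource_type"] = "VIRTUAL_MACHINE"
    elif cat in BQ_EXTRACTION:
        out["target.resource.attribute.name"] = get_path(
            finding, p + "extractionAttempt.destinations.collectionName")
        out["target.resource.name"] = get_path(finding, "exfiltration.target.name")
    elif cat == "Exfiltration: BigQuery Data Exfiltration":
        out["target.resource.name"] = get_path(finding, "exfiltration.target.name")
        out["target.resource.attribute.labels"] = get_path(
            finding, p + "dataExfiltrationAttempt.destinationTables.tableId")
        out["target.resource.resource_type"] = "TABLE"
    else:                               # documented fallback for every other category
        out["target.resource.name"] = finding.get("resourceName")
    return out


def normalize_finding(finding: Dict[str, Any]) -> Dict[str, Any]:
    """Combine both mappings into one flat dict of UDM field -> value."""
    udm = map_target_resource(finding)
    proto = map_ip_protocol(finding)
    if proto is not None:
        udm["network.ip_protocol"] = proto
    return udm


# Constructed sample findings (not real SCC output); resource names are made up.
SAMPLE_FINDINGS = [
    {"category": "Brute Force: SSH",
     "resourceName": "//compute.googleapis.com/projects/example-proj/zones/us-central1-a/instances/web-1",
     "sourceProperties": {"properties": {"attempts": {"vmName": "web-1"}}}},
    {"category": "Malware: Bad IP",
     "resourceName": "//compute.googleapis.com/projects/example-proj/zones/us-central1-a/instances/db-1",
     "sourceProperties": {"properties": {"instanceDetails": "db-1",
                                         "ipConnection": {"protocol": 6, "destIp": "203.0.113.10"}}}},
    {"category": "Active Scan: Log4j Vulnerable to RCE",   # not in the chain: falls back to resourceName
     "resourceName": "//compute.googleapis.com/projects/example-proj/zones/us-central1-a/instances/app-1"},
]

if __name__ == "__main__":
    for f in SAMPLE_FINDINGS:
        print(f["category"], "->", normalize_finding(f))
```

The ordering of the elif branches matters: a category that appears in more than one branch would take the first one, which is why the example keeps the documented order rather than a dictionary lookup.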
    sourceProperties.properties.ipConnection.srcIp | principal.ip | If the category log field value is equal to Malware: Bad IP or Malware: Cryptomining Bad IP or Malware: Outgoing DoS, then the sourceProperties.properties.ipConnection.srcIp log field is mapped to the principal.ip UDM field.
    sourceProperties.properties.ipConnection.srcPort | principal.port | If the category log field value is equal to Malware: Bad IP or Malware: Outgoing DoS, then the sourceProperties.properties.ipConnection.srcPort log field is mapped to the principal.port UDM field.
    sourceProperties.properties.loadBalancerName | intermediary.resource.name | If the category log field value is equal to Initial Access: Log4j Compromise Attempt, then the sourceProperties.properties.loadBalancerName log field is mapped to the intermediary.resource.name UDM field.
    sourceProperties.properties.metadataKeyOperation | target.resource.attribute.labels.key/value [sourceProperties_properties_metadataKeyOperation] | If the category log field value is equal to Persistence: GCE Admin Added SSH Key or Persistence: GCE Admin Added Startup Script, then the sourceProperties.properties.metadataKeyOperation log field is mapped to the target.resource.attribute.labels.key/value UDM field.
    sourceProperties.properties.methodName | target.labels [sourceProperties_properties_methodName] (deprecated) | If the category log field value is equal to Impair Defenses: Strong Authentication Disabled or Initial Access: Government Based Attack or Initial Access: Suspicious Login Blocked or Persistence: SSO Enablement Toggle or Persistence: SSO Settings Changed, then the sourceProperties.properties.methodName log field is mapped to the target.labels.value UDM field.
    sourceProperties.properties.methodName | additional.fields [sourceProperties_properties_methodName] | If the category log field value is equal to Impair Defenses: Strong Authentication Disabled or Initial Access: Government Based Attack or Initial Access: Suspicious Login Blocked or Persistence: SSO Enablement Toggle or Persistence: SSO Settings Changed, then the sourceProperties.properties.methodName log field is mapped to the additional.fields.value.string_value UDM field.
    sourceProperties.properties.name | target.resource.name | If the category log field value is equal to Defense Evasion: Modify VPC Service Control, then the sourceProperties.properties.name log field is mapped to the target.resource.name UDM field.

    Else, if the category log field value is equal to Exfiltration: CloudSQL Data Exfiltration, then the sourceProperties.properties.exportToGcs.bucketResource log field is mapped to the target.resource.name UDM field.

    Else, if the category log field value is equal to Exfiltration: CloudSQL Restore Backup to External Organization, then the sourceProperties.properties.restoreToExternalInstance.targetCloudsqlInstanceResource log field is mapped to the target.resource.name UDM field.

    Else, if the category log field value is equal to Brute Force: SSH, then the sourceProperties.properties.attempts.vmName log field is mapped to the target.resource.name UDM field and the resourceName log field is mapped to the target.resource_ancestors.name UDM field.

    Else, if the category log field value is equal to Malware: Bad Domain or Malware: Bad IP or Malware: Cryptomining Bad IP or Malware: Cryptomining Bad Domain or Configurable Bad Domain, then the sourceProperties.properties.instanceDetails log field is mapped to the target.resource.name UDM field, the resourceName log field is mapped to the target.resource_ancestors.name UDM field, and the target.resource.resource_type UDM field is set to VIRTUAL_MACHINE.

    Else, if the category log field value is equal to Exfiltration: BigQuery Data Extraction or Exfiltration: BigQuery Data to Google Drive, then the sourceProperties.properties.extractionAttempt.destinations.collectionName log field is mapped to the target.resource.attribute.name UDM field and the exfiltration.target.name log field is mapped to the target.resource.name UDM field.

    Else, if the category log field value is equal to Exfiltration: BigQuery Data Exfiltration, then the exfiltration.target.name log field is mapped to the target.resource.name UDM field, the sourceProperties.properties.dataExfiltrationAttempt.destinationTables.tableId log field is mapped to the target.resource.attribute.labels UDM field, and the target.resource.resource_type UDM field is set to TABLE.

    Else, the resourceName log field is mapped to the target.resource.name UDM field.
    sourceProperties.properties.network.location | target.location.name | If the category log field value is equal to Malware: Bad Domain or Malware: Bad IP or Malware: Cryptomining Bad IP or Malware: Cryptomining Bad Domain or Configurable Bad Domain, then the sourceProperties.properties.network.location log field is mapped to the target.location.name UDM field.
    sourceProperties.properties.network.subnetworkId | target.resource_ancestors.labels.key/value [sourceProperties_properties_network_subnetworkId] | If the category log field value is equal to Malware: Bad IP or Malware: Cryptomining Bad IP, then the sourceProperties.properties.network.subnetworkId log field is mapped to the target.resource_ancestors.value UDM field.
    sourceProperties.properties.network.subnetworkName | target.resource_ancestors.key/value [sourceProperties_properties_network_subnetworkName] | If the category log field value is equal to Malware: Bad IP or Malware: Cryptomining Bad IP, then the sourceProperties.properties.network.subnetworkName log field is mapped to the target.resource_ancestors.value UDM field.
    sourceProperties.properties.policyLink | target.url | If the category log field value is equal to Defense Evasion: Modify VPC Service Control, then the sourceProperties.properties.policyLink log field is mapped to the target.url UDM field.
    sourceProperties.properties.principalEmail | principal.user.email_addresses | If the category log field value is equal to Exfiltration: BigQuery Data to Google Drive or Initial Access: Account Disabled Hijacked or Initial Access: Disabled Password Leak or Initial Access: Government Based Attack or Impair Defenses: Strong Authentication Disabled or Impair Defenses: Two Step Verification Disabled or Persistence: GCE Admin Added Startup Script or Persistence: GCE Admin Added SSH Key, then the sourceProperties.properties.principalEmail log field is mapped to the principal.user.email_addresses UDM field.

    If the category log field value is equal to Initial Access: Suspicious Login Blocked, then the sourceProperties.properties.principalEmail log field is mapped to the principal.user.email_addresses UDM field.
    sourceProperties.properties.principalEmail | target.user.userid | If the category log field value is equal to Initial Access: Suspicious Login Blocked, then the userid log field is mapped to the target.user.userid UDM field.
    sourceProperties.properties.privilegedGroupOpenedToPublic.groupName | target.group.group_display_name | If the category log field value is equal to Credential Access: Privileged Group Opened To Public, then the sourceProperties.properties.privilegedGroupOpenedToPublic.groupName log field is mapped to the target.group.group_display_name UDM field.
    sourceProperties.properties.privilegedGroupOpenedToPublic.principalEmail | principal.user.email_addresses | If the category log field value is equal to Credential Access: Privileged Group Opened To Public, then the sourceProperties.properties.privilegedGroupOpenedToPublic.principalEmail log field is mapped to the principal.user.email_addresses UDM field.
    sourceProperties.properties.privilegedGroupOpenedToPublic.sensitiveRoles.resource | target.resource_ancestors.name | If the category log field value is equal to Credential Access: Privileged Group Opened To Public, then the sourceProperties.properties.privilegedGroupOpenedToPublic.sensitiveRoles.resource log field is mapped to the target.resource_ancestors.name UDM field.
    sourceProperties.properties.privilegedGroupOpenedToPublic.sensitiveRoles.roleName | target.group.attribute.roles.name | If the category log field value is equal to Credential Access: Privileged Group Opened To Public, then the sourceProperties.properties.privilegedGroupOpenedToPublic.sensitiveRoles.roleName log field is mapped to the target.group.attribute.roles.name UDM field.
    sourceProperties.properties.privilegedGroupOpenedToPublic.whoCanJoin | target.group.attribute.permissions.name | If the category log field value is equal to Credential Access: Privileged Group Opened To Public, then the sourceProperties.properties.privilegedGroupOpenedToPublic.whoCanJoin log field is mapped to the target.group.attribute.permissions.name UDM field.
    sourceProperties.properties.projectId | principal.resource.name | If the sourceProperties.properties.projectId log field value is not empty, then the sourceProperties.properties.projectId log field is mapped to the principal.resource.name UDM field.
    sourceProperties.properties.projectId | target.resource_ancestors.name | If the category log field value is equal to Malware: Cryptomining Bad IP or Malware: Bad IP or Malware: Cryptomining Bad Domain or Malware: Bad Domain or Configurable Bad Domain, then the sourceProperties.properties.destVpc.vpcName log field is mapped to the target.resource_ancestors.name UDM field, the sourceProperties.properties.vpc.vpcName log field is mapped to the target.resource_ancestors.name UDM field, and the target.resource_ancestors.resource_type UDM field is set to VPC_NETWORK.

    Else, if the category log field value is equal to Active Scan: Log4j Vulnerable to RCE, then the sourceProperties.properties.vpcName log field is mapped to the target.resource_ancestors.name UDM field and the target.resource_ancestors.resource_type UDM field is set to VIRTUAL_MACHINE.

    Else, if the category log field value is equal to Malware: Bad Domain or Malware: Bad IP or Malware: Cryptomining Bad IP, then the resourceName log field is mapped to the target.resource_ancestors.name UDM field.

    Else, if the category log field value is equal to Brute Force: SSH, then the resourceName log field is mapped to the target.resource_ancestors.name UDM field.

    Else, if the category log field value is equal to Persistence: GCE Admin Added SSH Key or Persistence: GCE Admin Added Startup Script, then the sourceProperties.properties.projectId log field is mapped to the target.resource_ancestors.name UDM field.

    Else, if the category log field value is equal to Increasing Deny Ratio or Allowed Traffic Spike, then the resourceName log field is mapped to the target.resource_ancestors.name UDM field.
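The two decision chains above, the target.resource.name chain on the sourceProperties.properties.name row and the target.resource_ancestors chain on the projectId row (the same chain is repeated on the vpc.vpcName and vpcName rows), are easier to check against a real finding when written out as code. The following is an added example, not the Security Command Center parser's own code: it restates both chains in Python and runs them over constructed findings. The field paths are taken from the table as written (including exfiltration.target.name as a dotted path); the finding contents, project and VPC names are made up for illustration.

```python
# Added example (not the parser's code): category-driven selection of
# target.resource.name, target.resource.resource_type and
# target.resource_ancestors, as described by the mapping rows above.

VM_CATEGORIES = frozenset({
    "Malware: Bad Domain", "Malware: Bad IP", "Malware: Cryptomining Bad IP",
    "Malware: Cryptomining Bad Domain", "Configurable Bad Domain",
})
BQ_EXTRACTION = ("Exfiltration: BigQuery Data Extraction",
                 "Exfiltration: BigQuery Data to Google Drive")
GCE_PERSISTENCE = ("Persistence: GCE Admin Added SSH Key",
                   "Persistence: GCE Admin Added Startup Script")


def get_path(obj, path):
    """Walk a dotted path through nested dicts; return None if any step is missing."""
    for part in path.split("."):
        if not isinstance(obj, dict) or part not in obj:
            return None
        obj = obj[part]
    return obj


def map_target_resource(finding):
    """Return the target.resource fields the rows above select for one finding."""
    cat = finding.get("category", "")
    props = get_path(finding, "sourceProperties.properties") or {}
    resource_name = finding.get("resourceName")
    out = {"name": None, "resource_type": None, "attributes": {}, "ancestors": []}

    def add_ancestor(name, resource_type=None):
        # Skip empty values and duplicates: both chains can name the same ancestor.
        entry = {"name": name, "resource_type": resource_type}
        if name and entry not in out["ancestors"]:
            out["ancestors"].append(entry)

    # Chain 1: target.resource.name (sourceProperties.properties.name row).
    if cat == "Defense Evasion: Modify VPC Service Control":
        out["name"] = props.get("name")
    elif cat == "Exfiltration: CloudSQL Data Exfiltration":
        out["name"] = get_path(props, "exportToGcs.bucketResource")
    elif cat == "Exfiltration: CloudSQL Restore Backup to External Organization":
        out["name"] = get_path(props, "restoreToExternalInstance.targetCloudsqlInstanceResource")
    elif cat == "Brute Force: SSH":
        out["name"] = get_path(props, "attempts.vmName")
        add_ancestor(resource_name)
    elif cat in VM_CATEGORIES:
        out["name"] = props.get("instanceDetails")
        out["resource_type"] = "VIRTUAL_MACHINE"
        add_ancestor(resource_name)
    elif cat in BQ_EXTRACTION:
        out["name"] = get_path(finding, "exfiltration.target.name")
        out["attributes"]["name"] = get_path(props, "extractionAttempt.destinations.collectionName")
    elif cat == "Exfiltration: BigQuery Data Exfiltration":
        out["name"] = get_path(finding, "exfiltration.target.name")
        out["resource_type"] = "TABLE"
        out["attributes"]["labels"] = {
            "tableId": get_path(props, "dataExfiltrationAttempt.destinationTables.tableId")}
    else:
        out["name"] = resource_name

    # Chain 2: target.resource_ancestors (projectId / vpc.vpcName / vpcName rows).
    # The row's "Malware: Bad Domain or Bad IP or Cryptomining Bad IP" branch is
    # omitted: those categories are already matched by the first branch.
    if cat in VM_CATEGORIES:
        add_ancestor(get_path(props, "destVpc.vpcName"), "VPC_NETWORK")
        add_ancestor(get_path(props, "vpc.vpcName"), "VPC_NETWORK")
    elif cat == "Active Scan: Log4j Vulnerable to RCE":
        add_ancestor(props.get("vpcName"), "VIRTUAL_MACHINE")
    elif cat == "Brute Force: SSH":
        add_ancestor(resource_name)
    elif cat in GCE_PERSISTENCE:
        add_ancestor(props.get("projectId"))
    elif cat in ("Increasing Deny Ratio", "Allowed Traffic Spike"):
        add_ancestor(resource_name)
    return out


# Constructed findings (made-up values) exercising the branches.
VM_RESOURCE = "//compute.googleapis.com/projects/example-proj/zones/us-central1-a/instances/web-1"
SAMPLE_FINDINGS = {
    "ssh": {"category": "Brute Force: SSH", "resourceName": VM_RESOURCE,
            "sourceProperties": {"properties": {"attempts": {"vmName": "web-1"}}}},
    "badip": {"category": "Malware: Bad IP", "resourceName": VM_RESOURCE,
              "sourceProperties": {"properties": {
                  "instanceDetails": "/projects/example-proj/zones/us-central1-a/instances/web-1",
                  "destVpc": {"vpcName": "vpc-egress"}, "vpc": {"vpcName": "vpc-default"}}}},
    "gce_key": {"category": "Persistence: GCE Admin Added SSH Key", "resourceName": VM_RESOURCE,
                "sourceProperties": {"properties": {"projectId": "example-proj"}}},
    "other": {"category": "Some: Unlisted Category", "resourceName": VM_RESOURCE},
}

if __name__ == "__main__":
    for label, finding in SAMPLE_FINDINGS.items():
        print(label, map_target_resource(finding))
```

Running the block shows that for Brute Force: SSH the resourceName ancestor is added by both chains but appears once, and that a category outside every branch falls through to resourceName with no ancestors, which is the behaviour the final "Else" rows describe.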
    sourceProperties.properties.requestUrl | target.url | If the category log field value is equal to Initial Access: Log4j Compromise Attempt, then the sourceProperties.properties.requestUrl log field is mapped to the target.url UDM field.
    sourceProperties.properties.restoreToExternalInstance.backupId | src.resource.attribute.labels.key/value [sourceProperties_properties_restoreToExternalInstance_backupId] | If the category log field value is equal to Exfiltration: CloudSQL Restore Backup to External Organization, then the sourceProperties.properties.restoreToExternalInstance.backupId log field is mapped to the src.resource.attribute.labels.value UDM field.
    sourceProperties.properties.restoreToExternalInstance.principalEmail | principal.user.email_addresses | If the category log field value is equal to Exfiltration: CloudSQL Restore Backup to External Organization, then the sourceProperties.properties.restoreToExternalInstance.principalEmail log field is mapped to the principal.user.email_addresses UDM field.
    sourceProperties.properties.restoreToExternalInstance.sourceCloudsqlInstanceResource | src.resource.name | If the category log field value is equal to Exfiltration: CloudSQL Restore Backup to External Organization, then the sourceProperties.properties.restoreToExternalInstance.sourceCloudsqlInstanceResource log field is mapped to the src.resource.name UDM field and the src.resource.resource_subtype UDM field is set to CloudSQL.
    sourceProperties.properties.restoreToExternalInstance.targetCloudsqlInstanceResource | target.resource.name | If the category log field value is equal to Defense Evasion: Modify VPC Service Control, then the sourceProperties.properties.name log field is mapped to the target.resource.name UDM field.

    Else, if the category log field value is equal to Exfiltration: CloudSQL Data Exfiltration, then the sourceProperties.properties.exportToGcs.bucketResource log field is mapped to the target.resource.name UDM field.

    Else, if the category log field value is equal to Exfiltration: CloudSQL Restore Backup to External Organization, then the sourceProperties.properties.restoreToExternalInstance.targetCloudsqlInstanceResource log field is mapped to the target.resource.name UDM field.

    Else, if the category log field value is equal to Brute Force: SSH, then the sourceProperties.properties.attempts.vmName log field is mapped to the target.resource.name UDM field and the resourceName log field is mapped to the target.resource_ancestors.name UDM field.

    Else, if the category log field value is equal to Malware: Bad Domain or Malware: Bad IP or Malware: Cryptomining Bad IP or Malware: Cryptomining Bad Domain or Configurable Bad Domain, then the sourceProperties.properties.instanceDetails log field is mapped to the target.resource.name UDM field, the resourceName log field is mapped to the target.resource_ancestors.name UDM field, and the target.resource.resource_type UDM field is set to VIRTUAL_MACHINE.

    Else, if the category log field value is equal to Exfiltration: BigQuery Data Extraction or Exfiltration: BigQuery Data to Google Drive, then the sourceProperties.properties.extractionAttempt.destinations.collectionName log field is mapped to the target.resource.attribute.name UDM field and the exfiltration.target.name log field is mapped to the target.resource.name UDM field.

    Else, if the category log field value is equal to Exfiltration: BigQuery Data Exfiltration, then the exfiltration.target.name log field is mapped to the target.resource.name UDM field, the sourceProperties.properties.dataExfiltrationAttempt.destinationTables.tableId log field is mapped to the target.resource.attribute.labels UDM field, and the target.resource.resource_type UDM field is set to TABLE.

    Else, the resourceName log field is mapped to the target.resource.name UDM field.
    sourceProperties.properties.scannerDomain | principal.labels [sourceProperties_properties_scannerDomain] (deprecated) | If the category log field value matches the regular expression Active Scan: Log4j Vulnerable to RCE, then the sourceProperties.properties.scannerDomain log field is mapped to the principal.labels.key/value UDM field.
    sourceProperties.properties.scannerDomain | additional.fields [sourceProperties_properties_scannerDomain] | If the category log field value matches the regular expression Active Scan: Log4j Vulnerable to RCE, then the sourceProperties.properties.scannerDomain log field is mapped to the additional.fields.value.string_value UDM field.
    sourceProperties.properties.sensitiveRoleGrant.bindingDeltas.action | target.group.attribute.labels.key/value [sourceProperties_properties_sensitiveRoleGrant_bindingDeltas_action] | If the category log field value is equal to Persistence: IAM Anomalous Grant, then the sourceProperties.properties.sensitiveRoleGrant.bindingDeltas.action log field is mapped to the target.group.attribute.labels.key/value UDM field.
    sourceProperties.properties.sensitiveRoleGrant.bindingDeltas.member | target.group.attribute.labels.key/value [sourceProperties_properties_sensitiveRoleGrant_bindingDeltas_member] | If the category log field value is equal to Persistence: IAM Anomalous Grant, then the sourceProperties.properties.sensitiveRoleGrant.bindingDeltas.member log field is mapped to the target.group.attribute.labels.key/value UDM field.
    sourceProperties.properties.sensitiveRoleGrant.bindingDeltas.role | target.group.attribute.roles.name | If the category log field value is equal to Persistence: IAM Anomalous Grant, then the sourceProperties.properties.sensitiveRoleGrant.bindingDeltas.role log field is mapped to the target.group.attribute.roles.name UDM field.
    sourceProperties.properties.sensitiveRoleGrant.principalEmail | principal.user.email_addresses | If the category log field value is equal to Persistence: IAM Anomalous Grant, then the sourceProperties.properties.sensitiveRoleGrant.principalEmail log field is mapped to the principal.user.email_addresses UDM field.
    sourceProperties.properties.sensitiveRoleGrant.principalEmail | principal.user.userid | A Grok pattern extracts the user_id value from the sourceProperties.properties.sensitiveRoleGrant.principalEmail log field, and the extracted user_id field is mapped to the principal.user.userid UDM field.
    sourceProperties.properties.sensitiveRoleToHybridGroup.bindingDeltas.action | target.group.attribute.labels.key/value [sourceProperties_properties_sensitiveRoleToHybridGroup_bindingDeltas_action] | If the category log field value is equal to Credential Access: Sensitive Role Granted To Hybrid Group, then the sourceProperties.properties.sensitiveRoleToHybridGroup.bindingDeltas.action log field is mapped to the target.group.attribute.labels.key/value UDM field.
    sourceProperties.properties.sensitiveRoleToHybridGroup.bindingDeltas.member | target.group.attribute.labels.key/value [sourceProperties_properties_sensitiveRoleToHybridGroup] | If the category log field value is equal to Credential Access: Sensitive Role Granted To Hybrid Group, then the sourceProperties.properties.sensitiveRoleToHybridGroup.bindingDeltas.member log field is mapped to the target.group.attribute.labels.key/value UDM field.
    sourceProperties.properties.sensitiveRoleToHybridGroup.bindingDeltas.role | target.group.attribute.roles.name | If the category log field value is equal to Credential Access: Sensitive Role Granted To Hybrid Group, then the sourceProperties.properties.sensitiveRoleToHybridGroup.bindingDeltas.role log field is mapped to the target.group.attribute.roles.name UDM field.
    sourceProperties.properties.sensitiveRoleToHybridGroup.groupName | target.group.group_display_name | If the category log field value is equal to Credential Access: Sensitive Role Granted To Hybrid Group, then the sourceProperties.properties.sensitiveRoleToHybridGroup.groupName log field is mapped to the target.group.group_display_name UDM field.
    sourceProperties.properties.sensitiveRoleToHybridGroup.principalEmail | principal.user.email_addresses | If the category log field value is equal to Credential Access: Sensitive Role Granted To Hybrid Group, then the sourceProperties.properties.sensitiveRoleToHybridGroup.principalEmail log field is mapped to the principal.user.email_addresses UDM field.
    sourceProperties.properties.serviceAccountGetsOwnIamPolicy.callerIp | principal.ip | If the category log field value is equal to Discovery: Service Account Self-Investigation, then the sourceProperties.properties.serviceAccountGetsOwnIamPolicy.callerIp log field is mapped to the principal.ip UDM field.
    sourceProperties.properties.serviceAccountGetsOwnIamPolicy.callerUserAgent | principal.user.attribute.labels.key/value [sourceProperties_properties_serviceAccountGetsOwnIamPolicy_callerUserAgent] | If the category log field value is equal to Discovery: Service Account Self-Investigation, then the principal.user.attribute.labels.key UDM field is set to rawUserAgent and the sourceProperties.properties.serviceAccountGetsOwnIamPolicy.callerUserAgent log field is mapped to the principal.user.attribute.labels.value UDM field.
    sourceProperties.properties.serviceAccountGetsOwnIamPolicy.principalEmail | principal.user.email_addresses | If the category log field value is equal to Discovery: Service Account Self-Investigation, then the sourceProperties.properties.serviceAccountGetsOwnIamPolicy.principalEmail log field is mapped to the principal.user.email_addresses UDM field.
    sourceProperties.properties.serviceAccountGetsOwnIamPolicy.projectId | principal.resource.name | If the category log field value is equal to Discovery: Service Account Self-Investigation, then the sourceProperties.properties.serviceAccountGetsOwnIamPolicy.projectId log field is mapped to the principal.resource.name UDM field.
    sourceProperties.properties.serviceAccountGetsOwnIamPolicy.rawUserAgent | network.http.user_agent | If the category log field value is equal to Discovery: Service Account Self-Investigation, then the sourceProperties.properties.serviceAccountGetsOwnIamPolicy.rawUserAgent log field is mapped to the network.http.user_agent UDM field.
    sourceProperties.properties.serviceName | target.application | If the category log field value is equal to Initial Access: Account Disabled Hijacked or Initial Access: Disabled Password Leak or Initial Access: Government Based Attack or Initial Access: Suspicious Login Blocked or Impair Defenses: Strong Authentication Disabled or Impair Defenses: Two Step Verification Disabled or Persistence: SSO Enablement Toggle or Persistence: SSO Settings Changed, then the sourceProperties.properties.serviceName log field is mapped to the target.application UDM field.
    sourceProperties.properties.sourceInstanceDetails | principal.resource.name | If the category log field value is equal to Malware: Outgoing DoS, then the sourceProperties.properties.sourceInstanceDetails log field is mapped to the principal.resource.name UDM field.
    sourceProperties.properties.sourceIp | principal.ip | If the category log field value matches the regular expression Active Scan: Log4j Vulnerable to RCE, then the sourceProperties.properties.sourceIp log field is mapped to the principal.ip UDM field.
    sourceProperties.properties.srcVpc.subnetworkName | principal.resource_ancestors.attribute.labels.key/value [sourceProperties_properties_destVpc_subnetworkName] | If the category log field value is equal to Malware: Cryptomining Bad IP or Malware: Bad IP, then the sourceProperties.properties.srcVpc.subnetworkName log field is mapped to the principal.resource_ancestors.attribute.labels.value UDM field.
    sourceProperties.properties.srcVpc.vpcName | principal.resource_ancestors.name | If the category log field value is equal to Malware: Cryptomining Bad IP or Malware: Bad IP, then the sourceProperties.properties.destVpc.vpcName log field is mapped to the principal.resource_ancestors.name UDM field and the principal.resource_ancestors.resource_type UDM field is set to VIRTUAL_MACHINE.
    sourceProperties.properties.ssoState | principal.user.user_authentication_status | If the category log field value is equal to Initial Access: Account Disabled Hijacked or Initial Access: Disabled Password Leak or Initial Access: Government Based Attack or Initial Access: Suspicious Login Blocked or Impair Defenses: Two Step Verification Disabled or Persistence: SSO Enablement Toggle, then the sourceProperties.properties.ssoState log field is mapped to the principal.user.user_authentication_status UDM field.
    sourceProperties.properties.threatIntelligenceSource | security_result.about.application | If the category log field value is equal to Malware: Bad IP, then the sourceProperties.properties.threatIntelligenceSource log field is mapped to the security_result.about.application UDM field.
    sourceProperties.properties.vpc.vpcName | target.resource_ancestors.name | If the category log field value is equal to Malware: Cryptomining Bad IP or Malware: Bad IP or Malware: Cryptomining Bad Domain or Malware: Bad Domain or Configurable Bad Domain, then the sourceProperties.properties.destVpc.vpcName log field is mapped to the target.resource_ancestors.name UDM field, the sourceProperties.properties.vpc.vpcName log field is mapped to the target.resource_ancestors.name UDM field, and the target.resource_ancestors.resource_type UDM field is set to VPC_NETWORK.

    Else, if the category log field value is equal to Active Scan: Log4j Vulnerable to RCE, then the sourceProperties.properties.vpcName log field is mapped to the target.resource_ancestors.name UDM field and the target.resource_ancestors.resource_type UDM field is set to VIRTUAL_MACHINE.

    Else, if the category log field value is equal to Malware: Bad Domain or Malware: Bad IP or Malware: Cryptomining Bad IP, then the resourceName log field is mapped to the target.resource_ancestors.name UDM field.

    Else, if the category log field value is equal to Brute Force: SSH, then the resourceName log field is mapped to the target.resource_ancestors.name UDM field.

    Else, if the category log field value is equal to Persistence: GCE Admin Added SSH Key or Persistence: GCE Admin Added Startup Script, then the sourceProperties.properties.projectId log field is mapped to the target.resource_ancestors.name UDM field.

    Else, if the category log field value is equal to Increasing Deny Ratio or Allowed Traffic Spike, then the resourceName log field is mapped to the target.resource_ancestors.name UDM field.
    sourceProperties.properties.vpcName | target.resource_ancestors.name | If the category log field value is equal to Malware: Cryptomining Bad IP or Malware: Bad IP or Malware: Cryptomining Bad Domain or Malware: Bad Domain or Configurable Bad Domain, then the sourceProperties.properties.destVpc.vpcName log field is mapped to the target.resource_ancestors.name UDM field, the sourceProperties.properties.vpc.vpcName log field is mapped to the target.resource_ancestors.name UDM field, and the target.resource_ancestors.resource_type UDM field is set to VPC_NETWORK.

    Else, if the category log field value is equal to Active Scan: Log4j Vulnerable to RCE, then the sourceProperties.properties.vpcName log field is mapped to the target.resource_ancestors.name UDM field and the target.resource_ancestors.resource_type UDM field is set to VIRTUAL_MACHINE.

    Else, if the category log field value is equal to Malware: Bad Domain or Malware: Bad IP or Malware: Cryptomining Bad IP, then the resourceName log field is mapped to the target.resource_ancestors.name UDM field.

    Else, if the category log field value is equal to Brute Force: SSH, then the resourceName log field is mapped to the target.resource_ancestors.name UDM field.

    Else, if the category log field value is equal to Persistence: GCE Admin Added SSH Key or Persistence: GCE Admin Added Startup Script, then the sourceProperties.properties.projectId log field is mapped to the target.resource_ancestors.name UDM field.

    Else, if the category log field value is equal to Increasing Deny Ratio or Allowed Traffic Spike, then the resourceName log field is mapped to the target.resource_ancestors.name UDM field.
    sourceProperties.properties.vpcViolation.userEmail | principal.user.email_addresses | If the category log field value is equal to Exfiltration: BigQuery Data Exfiltration, then the sourceProperties.properties.vpcViolation.userEmail log field is mapped to the principal.user.email_addresses UDM field.
    sourceProperties.properties.vpcViolation.violationReason | security_result.summary | If the category log field value is equal to Exfiltration: BigQuery Exfiltration, then the sourceProperties.properties.vpcViolation.violationReason log field is mapped to the security_result.summary UDM field.
    sourceProperties.properties.zone | target.resource.attribute.cloud.availability_zone | If the category log field value is equal to Brute Force: SSH, then the sourceProperties.properties.zone log field is mapped to the target.resource.attribute.cloud.availability_zone UDM field.
    sourceProperties.Script_Content | target.resource.attribute.labels[script_content]
    sourceProperties.Script_SHA256 | target.resource.attribute.labels[script_sha256]
    sourceProperties.Security_Policy | target.resource.attribute.labels[sourceProperties_Security_Policy]
    sourceProperties.Short_Term_Allowed_RPS | target.resource.attribute.labels[sourceProperties_Short_Term_Allowed_RPS]
    sourceProperties.sourceId.customerOrganizationNumber | principal.resource.attribute.labels.key/value [sourceProperties_sourceId_customerOrganizationNumber] | If the message log field value matches the regular expression sourceProperties.sourceId.*?customerOrganizationNumber, then the sourceProperties.sourceId.customerOrganizationNumber log field is mapped to the principal.resource.attribute.labels.key/value UDM field.
    sourceProperties.sourceId.customerOrganizationNumber | src.resource_ancestors.product_object_id | If the category log field value is equal to Exfiltration: BigQuery Data Extraction or Exfiltration: BigQuery Data to Google Drive or Exfiltration: BigQuery Data Exfiltration, then the sourceProperties.sourceId.customerOrganizationNumber log field is mapped to the src.resource_ancestors.product_object_id UDM field.
    sourceProperties.sourceId.customerOrganizationNumber | target.resource_ancestors.product_object_id | If the category log field value is equal to Persistence: GCE Admin Added Startup Script or Persistence: GCE Admin Added SSH Key, then the target.resource_ancestors.resource_type UDM field is set to VIRTUAL_MACHINE.
    sourceProperties.sourceId.organizationNumber | src.resource_ancestors.product_object_id | If the category log field value is equal to Exfiltration: BigQuery Data Extraction or Exfiltration: BigQuery Data to Google Drive or Exfiltration: BigQuery Data Exfiltration, then the sourceProperties.sourceId.organizationNumber log field is mapped to the src.resource_ancestors.product_object_id UDM field.
    sourceProperties.sourceId.organizationNumber | target.resource_ancestors.product_object_id | If the category log field value is equal to Persistence: GCE Admin Added Startup Script or Persistence: GCE Admin Added SSH Key, then the target.resource_ancestors.resource_type UDM field is set to VIRTUAL_MACHINE.
    sourceProperties.sourceId.projectNumber | src.resource_ancestors.product_object_id | If the category log field value is equal to Exfiltration: BigQuery Data Extraction or Exfiltration: BigQuery Data to Google Drive or Exfiltration: BigQuery Data Exfiltration, then the sourceProperties.sourceId.projectNumber log field is mapped to the src.resource_ancestors.product_object_id UDM field.
    sourceProperties.sourceId.projectNumber | target.resource_ancestors.product_object_id | If the category log field value is equal to Persistence: GCE Admin Added Startup Script or Persistence: GCE Admin Added SSH Key, then the target.resource_ancestors.resource_type UDM field is set to VIRTUAL_MACHINE.
    sourceProperties.threats.memory_hash_detector.binary | security_result.detection_fields[memory_hash_detector_binary]
    sourceProperties.threats.memory_hash_detector.detections.binary_name | security_result.detection_fields[binary_name]
    sourceProperties.threats.memory_hash_detector.detections.percent_pages_matched | security_result.detection_fields[percent_pages_matched]
    sourceProperties.threats.yara_rule_detector.yara_rule_name | security_result.detection_fields[yara_rule_name]
    sourceProperties.VM_Instance_Name | target.resource_ancestors.name | If the category log field value is equal to Added Binary Executed or Added Library Loaded, then the sourceProperties.VM_Instance_Name log field is mapped to the target.resource_ancestors.name UDM field and the target.resource_ancestors.resource_type UDM field is set to VIRTUAL_MACHINE.
    state | security_result.detection_fields[state]
    sourceProperties.properties.failedActions.attemptTimes | target.labels[failedActions_attemptTimes] | If the category log field value is equal to Initial Access: Excessive Permission Denied Actions, then the sourceProperties.properties.failedActions.attemptTimes log field is mapped to the target.labels UDM field.
    sourceProperties.properties.failedActions.lastOccurredTime | target.labels[failedActions_lastOccurredTime] | If the category log field value is equal to Initial Access: Excessive Permission Denied Actions, then the sourceProperties.properties.failedActions.lastOccurredTime log field is mapped to the target.labels UDM field.
    sourceProperties.properties.failedActions.methodName | target.labels[failedActions_methodName] | If the category log field value is equal to Initial Access: Excessive Permission Denied Actions, then the sourceProperties.properties.failedActions.methodName log field is mapped to the target.labels UDM field.
    sourceProperties.properties.failedActions.serviceName | target.labels[failedActions_serviceName] | If the category log field value is equal to Initial Access: Excessive Permission Denied Actions, then the sourceProperties.properties.failedActions.serviceName log field is mapped to the target.labels UDM field.
    vulnerability.cve.cvssv3.attackComplexity | extensions.vulns.vulnerabilities.about.labels [vulnerability_cve_cvssv3_attackComplexity] (deprecated)
    vulnerability.cve.cvssv3.attackComplexity | additional.fields [vulnerability_cve_cvssv3_attackComplexity]
    vulnerability.cve.cvssv3.attackVector | extensions.vulns.vulnerabilities.cvss_vector
    vulnerability.cve.cvssv3.availabilityImpact | extensions.vulns.vulnerabilities.about.labels [vulnerability_cve_cvssv3_availabilityImpact] (deprecated)
    vulnerability.cve.cvssv3.availabilityImpact | additional.fields [vulnerability_cve_cvssv3_availabilityImpact]
    vulnerability.cve.cvssv3.baseScore | extensions.vulns.vulnerabilities.cvss_base_score
    vulnerability.cve.cvssv3.confidentialityImpact | extensions.vulns.vulnerabilities.about.labels [vulnerability_cve_cvssv3_confidentialityImpact] (deprecated)
    vulnerability.cve.cvssv3.confidentialityImpact | additional.fields [vulnerability_cve_cvssv3_confidentialityImpact]
    vulnerability.cve.cvssv3.integrityImpact | extensions.vulns.vulnerabilities.about.labels [vulnerability_cve_cvssv3_integrityImpact] (deprecated)
    vulnerability.cve.cvssv3.integrityImpact | additional.fields [vulnerability_cve_cvssv3_integrityImpact]
    vulnerability.cve.cvssv3.privilegesRequired | extensions.vulns.vulnerabilities.about.labels [vulnerability_cve_cvssv3_privilegesRequired] (deprecated)
    vulnerability.cve.cvssv3.privilegesRequired | additional.fields [vulnerability_cve_cvssv3_privilegesRequired]
    vulnerability.cve.cvssv3.scope | extensions.vulns.vulnerabilities.about.labels [vulnerability_cve_cvssv3_scope] (deprecated)
    vulnerability.cve.cvssv3.scope | additional.fields [vulnerability_cve_cvssv3_scope]
    vulnerability.cve.cvssv3.userInteraction | extensions.vulns.vulnerabilities.about.labels [vulnerability_cve_cvssv3_userInteraction] (deprecated)
    vulnerability.cve.cvssv3.userInteraction | additional.fields [vulnerability_cve_cvssv3_userInteraction]
    vulnerability.cve.id | extensions.vulns.vulnerabilities.cve_id
    vulnerability.cve.references.source | extensions.vulns.vulnerabilities.about.labels [vulnerability_cve_references_source] (deprecated)
    vulnerability.cve.references.source | additional.fields [vulnerability_cve_references_source]
    vulnerability.cve.references.uri | extensions.vulns.vulnerabilities.about.labels [vulnerability.cve.references.uri] (deprecated)
    vulnerability.cve.references.uri | additional.fields [vulnerability.cve.references.uri]
    vulnerability.cve.upstreamFixAvailable | extensions.vulns.vulnerabilities.about.labels [vulnerability_cve_upstreamFixAvailable] (deprecated)
    vulnerability.cve.upstreamFixAvailable additional.fields [vulnerability_cve_upstreamFixAvailable]
    workflowState security_result.about.investigation.status

    Field mapping reference: event identifier to event type

    Event Identifier Event Type Security Category
    account_has_leaked_credentials SCAN_UNCATEGORIZED DATA_AT_REST
    Active Scan: Log4j Vulnerable to RCE SCAN_UNCATEGORIZED
    Added Binary Executed USER_RESOURCE_ACCESS
    Added Library Loaded USER_RESOURCE_ACCESS
    Allowed Traffic Spike USER_RESOURCE_ACCESS
    Application DDoS Attack Attempt SCAN_NETWORK
    Breakglass Account Used: break_glass_account SCAN_UNCATEGORIZED
    Brute Force: SSH USER_LOGIN AUTH_VIOLATION
    Configurable bad domain NETWORK_CONNECTION
    Configurable Bad Domain: APT29_Domains SCAN_UNCATEGORIZED
    Configurable Bad IP SCAN_UNCATEGORIZED
    Credential Access: External Member Added To Privileged Group GROUP_MODIFICATION
    Credential Access: Privileged Group Opened To Public GROUP_MODIFICATION
    Credential Access: Sensitive Role Granted To Hybrid Group GROUP_MODIFICATION
    Custom role with prohibited permission SCAN_UNCATEGORIZED
    Defense Evasion: Modify VPC Service Control SERVICE_MODIFICATION
    Defense Evasion: Unexpected ftrace handler SCAN_UNCATEGORIZED SOFTWARE_MALICIOUS
    Defense Evasion: Unexpected interrupt handler SCAN_UNCATEGORIZED SOFTWARE_MALICIOUS
    Defense Evasion: Unexpected kernel code modification USER_RESOURCE_UPDATE_CONTENT SOFTWARE_MALICIOUS
    Defense Evasion: Unexpected kernel modules SCAN_UNCATEGORIZED SOFTWARE_MALICIOUS
    Defense Evasion: Unexpected kernel read-only data modification USER_RESOURCE_UPDATE_CONTENT SOFTWARE_MALICIOUS
    Defense Evasion: Unexpected kprobe handler SCAN_UNCATEGORIZED SOFTWARE_MALICIOUS
    Defense Evasion: Unexpected processes in runqueue PROCESS_UNCATEGORIZED SOFTWARE_MALICIOUS
    Defense Evasion: Unexpected system call handler SCAN_UNCATEGORIZED SOFTWARE_MALICIOUS
    Discovery: Can get sensitive Kubernetes object check (Preview) SCAN_UNCATEGORIZED
    Discovery: Service Account Self-Investigation USER_UNCATEGORIZED
    Evasion: Access from Anonymizing Proxy SERVICE_MODIFICATION
    Execution: Added Malicious Binary Executed SCAN_UNCATEGORIZED SOFTWARE_MALICIOUS
    Execution: Cryptocurrency Mining Combined Detection SCAN_UNCATEGORIZED
    Execution: Cryptocurrency Mining Hash Match SCAN_UNCATEGORIZED
    Execution: Cryptocurrency Mining YARA Rule SCAN_UNCATEGORIZED
    Execution: Modified Malicious Binary Executed SCAN_UNCATEGORIZED SOFTWARE_MALICIOUS
    Exfiltration: BigQuery Data Exfiltration USER_RESOURCE_ACCESS DATA_EXFILTRATION
    Exfiltration: BigQuery Data Extraction USER_RESOURCE_ACCESS DATA_EXFILTRATION
    Exfiltration: BigQuery Data to Google Drive USER_RESOURCE_ACCESS DATA_EXFILTRATION
    Exfiltration: CloudSQL Data Exfiltration USER_RESOURCE_ACCESS DATA_EXFILTRATION
    Exfiltration: CloudSQL Over-Privileged Grant USER_RESOURCE_ACCESS DATA_EXFILTRATION
    Exfiltration: CloudSQL Restore Backup to External Organization USER_RESOURCE_ACCESS DATA_EXFILTRATION
    Impair Defenses: Strong Authentication Disabled USER_CHANGE_PERMISSIONS
    Impair Defenses: Two Step Verification Disabled USER_CHANGE_PERMISSIONS
    Increasing Deny Ratio USER_RESOURCE_UPDATE_CONTENT
    Initial Access: Account Disabled Hijacked SETTING_MODIFICATION
    Initial Access: Disabled Password Leak SETTING_MODIFICATION
    Initial Access: Dormant Service Account Action SCAN_UNCATEGORIZED
    Initial Access: Dormant Service Account Key Created RESOURCE_CREATION
    Initial Access: Government Based Attack USER_UNCATEGORIZED
    Initial Access: Log4j Compromise Attempt SCAN_UNCATEGORIZED EXPLOIT
    Initial Access: Suspicious Login Blocked USER_LOGIN ACL_VIOLATION
    Log4j Malware: Bad Domain NETWORK_CONNECTION SOFTWARE_MALICIOUS
    Log4j Malware: Bad IP SCAN_UNCATEGORIZED SOFTWARE_MALICIOUS
    Malicious Script Executed SCAN_UNCATEGORIZED SOFTWARE_MALICIOUS
    Malicious URL Observed SCAN_UNCATEGORIZED NETWORK_MALICIOUS
    Malware: Bad Domain NETWORK_CONNECTION SOFTWARE_MALICIOUS
    Malware: Bad IP SCAN_UNCATEGORIZED SOFTWARE_MALICIOUS
    Malware: Cryptomining Bad Domain NETWORK_CONNECTION SOFTWARE_MALICIOUS
    Malware: Cryptomining Bad IP NETWORK_CONNECTION SOFTWARE_MALICIOUS
    Malware: Outgoing DoS NETWORK_CONNECTION NETWORK_DENIAL_OF_SERVICE
    Persistence: GCE Admin Added SSH Key SETTING_MODIFICATION
    Persistence: GCE Admin Added Startup Script SETTING_MODIFICATION
    Persistence: IAM Anomalous Grant USER_UNCATEGORIZED POLICY_VIOLATION
    Persistence: New API Method (Preview) SCAN_UNCATEGORIZED
    Persistence: New Geography USER_RESOURCE_ACCESS NETWORK_SUSPICIOUS
    Persistence: New User Agent USER_RESOURCE_ACCESS
    Persistence: SSO Enablement Toggle SETTING_MODIFICATION
    Persistence: SSO Settings Changed SETTING_MODIFICATION
    Privilege Escalation: Anomalous Multistep Service Account Delegation for Admin Activity SCAN_UNCATEGORIZED
    Privilege Escalation: Changes to sensitive Kubernetes RBAC objects (Preview) RESOURCE_PERMISSIONS_CHANGE
    Privilege Escalation: Create Kubernetes CSR for master cert (Preview) RESOURCE_CREATION
    Privilege Escalation: Creation of sensitive Kubernetes bindings (Preview) RESOURCE_CREATION
    Privilege Escalation: Get Kubernetes CSR with compromised bootstrap credentials (Preview) USER_RESOURCE_ACCESS
    Privilege Escalation: Launch of privileged Kubernetes container (Preview) RESOURCE_CREATION
    Process Tree PROCESS_UNCATEGORIZED
    Reverse Shell SCAN_UNCATEGORIZED EXPLOIT
    Unexpected Child Shell PROCESS_UNCATEGORIZED
    Unexpected Cloud API Call SCAN_UNCATEGORIZED
    Unexpected Compute Engine instance type SCAN_UNCATEGORIZED
    Unexpected Compute Engine region SCAN_UNCATEGORIZED
    Unexpected Compute Engine source image SCAN_UNCATEGORIZED
    Unexpected Role Grant: Forbidden roles SCAN_UNCATEGORIZED
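    Several rows in the THREAT field-mapping table above are conditional: sourceProperties.VM_Instance_Name becomes a VIRTUAL_MACHINE resource ancestor only for Added Binary Executed and Added Library Loaded, the failedActions_* target labels appear only for Initial Access: Excessive Permission Denied Actions, and the CVSS v3 metrics now land in additional.fields while the about.labels form is deprecated. The following Python is an added example, not the Google SecOps parser and not code from this page: it applies those rows, together with a few rows of the event identifier table, to constructed findings so you can see which UDM fields a given category actually populates before writing detections against them. The GENERIC_EVENT fallback for categories the table does not list, and the list shape of failedActions, are assumptions made for the example.

```python
# Added example: illustrative THREAT-finding normalizer, not the Google SecOps
# parser. It applies the conditional rows of the field-mapping table and a few
# rows of the event-identifier table to constructed Security Command Center findings.
from __future__ import annotations

from typing import Any

# Event identifier -> (UDM event type, security category), copied from the table above.
EVENT_TYPES: dict[str, tuple[str, str | None]] = {
    "Added Binary Executed": ("USER_RESOURCE_ACCESS", None),
    "Added Library Loaded": ("USER_RESOURCE_ACCESS", None),
    "Brute Force: SSH": ("USER_LOGIN", "AUTH_VIOLATION"),
    "Reverse Shell": ("SCAN_UNCATEGORIZED", "EXPLOIT"),
}
DEFAULT_EVENT_TYPE = "GENERIC_EVENT"  # assumption: the page states no fallback type

VM_CATEGORIES = {"Added Binary Executed", "Added Library Loaded"}
DENIED_CATEGORY = "Initial Access: Excessive Permission Denied Actions"
FAILED_ACTION_KEYS = ("attemptTimes", "lastOccurredTime", "methodName", "serviceName")
CVSS_LABEL_KEYS = ("attackComplexity", "availabilityImpact", "confidentialityImpact",
                   "integrityImpact", "privilegesRequired", "scope", "userInteraction")


def get_path(obj: Any, dotted: str) -> Any:
    """Return obj[a][b][c] for 'a.b.c', or None when any key is missing."""
    for key in dotted.split("."):
        if not isinstance(obj, dict) or key not in obj:
            return None
        obj = obj[key]
    return obj


def normalize_threat(finding: dict[str, Any]) -> dict[str, Any]:
    """Build a UDM-shaped dict; repeated labels are kept as lists of strings."""
    category = finding.get("category", "")
    event_type, sec_category = EVENT_TYPES.get(category, (DEFAULT_EVENT_TYPE, None))
    udm: dict[str, Any] = {
        "metadata": {"event_type": event_type, "product_event_type": category},
        "security_result": {"detection_fields": {}},
        "target": {"labels": {}},
        "additional": {"fields": {}},
    }
    sr = udm["security_result"]
    if sec_category:
        sr["category"] = sec_category
    if finding.get("state") is not None:          # state -> detection_fields[state]
        sr["detection_fields"]["state"] = finding["state"]
    if finding.get("workflowState") is not None:  # workflowState -> investigation.status
        sr["about"] = {"investigation": {"status": finding["workflowState"]}}

    # VM_Instance_Name becomes a VIRTUAL_MACHINE ancestor for these two categories only.
    vm_name = get_path(finding, "sourceProperties.VM_Instance_Name")
    if category in VM_CATEGORIES and vm_name:
        udm["target"]["resource_ancestors"] = [
            {"name": vm_name, "resource_type": "VIRTUAL_MACHINE"}]

    # failedActions_* labels are emitted for the Excessive Permission Denied category only.
    failed = get_path(finding, "sourceProperties.properties.failedActions")
    if category == DENIED_CATEGORY and failed:
        for entry in (failed if isinstance(failed, list) else [failed]):  # list shape assumed
            for key in FAILED_ACTION_KEYS:
                if key in entry:
                    udm["target"]["labels"].setdefault(
                        f"failedActions_{key}", []).append(str(entry[key]))

    # CVSS v3 scalar metrics -> additional.fields (the about.labels form is deprecated);
    # attackVector, baseScore and the CVE ID -> extensions.vulns.vulnerabilities.
    cve = get_path(finding, "vulnerability.cve")
    if cve:
        cvss = cve.get("cvssv3", {})
        for key in CVSS_LABEL_KEYS:
            if key in cvss:
                udm["additional"]["fields"][f"vulnerability_cve_cvssv3_{key}"] = str(cvss[key])
        vuln = {"cve_id": cve.get("id"), "cvss_vector": cvss.get("attackVector"),
                "cvss_base_score": cvss.get("baseScore")}
        udm["extensions"] = {"vulns": {"vulnerabilities": [
            {k: v for k, v in vuln.items() if v is not None}]}}
    return udm


# Constructed sample findings (not real Security Command Center output).
BINARY_FINDING = {
    "category": "Added Binary Executed", "state": "ACTIVE", "workflowState": "NEW",
    "sourceProperties": {"VM_Instance_Name": "gke-prod-default-pool-1a2b"},
}
DENIED_FINDING = {
    "category": DENIED_CATEGORY, "state": "ACTIVE",
    "sourceProperties": {"properties": {"failedActions": [
        {"methodName": "storage.buckets.list", "serviceName": "storage.googleapis.com",
         "attemptTimes": 42, "lastOccurredTime": "2024-05-01T10:00:00Z"},
        {"methodName": "iam.roles.list", "serviceName": "iam.googleapis.com",
         "attemptTimes": 7, "lastOccurredTime": "2024-05-01T10:05:00Z"},
    ]}},
}

if __name__ == "__main__":
    import json
    print(json.dumps(normalize_threat(DENIED_FINDING), indent=2))
```

    The point to take from the output is the asymmetry the table encodes: a Brute Force: SSH finding that carries the same VM_Instance_Name gets no resource ancestor, and a rule keyed on target.resource_ancestors.resource_type = "VIRTUAL_MACHINE" would silently miss it.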



    The following tables contain the UDM event types and UDM field mappings for the Security Command Center VULNERABILITY, MISCONFIGURATION, OBSERVATION, ERROR, UNSPECIFIED, and POSTURE_VIOLATION finding classes.

    VULNERABILITY category to UDM event type

    The following table lists the event identifiers of the VULNERABILITY finding class and their corresponding UDM event types and security categories.

    Event Identifier Event Type Security Category
    ACCESSIBLE_GIT_REPOSITORY SCAN_UNCATEGORIZED DATA_EXFILTRATION
    ACCESSIBLE_SVN_REPOSITORY SCAN_NETWORK DATA_EXFILTRATION
    ALPHA_CLUSTER_ENABLED SCAN_UNCATEGORIZED
    APACHE_HTTPD_RCE SCAN_VULN_NETWORK NETWORK_SUSPICIOUS
    APACHE_HTTPD_SSRF SCAN_VULN_NETWORK NETWORK_SUSPICIOUS
    AUTO_REPAIR_DISABLED SCAN_UNCATEGORIZED
    AUTO_UPGRADE_DISABLED SCAN_UNCATEGORIZED
    BASIC_AUTHENTICATION_ENABLED SCAN_UNCATEGORIZED
    CACHEABLE_PASSWORD_INPUT SCAN_NETWORK NETWORK_SUSPICIOUS
    CLEAR_TEXT_PASSWORD SCAN_NETWORK NETWORK_MALICIOUS
    CLIENT_CERT_AUTHENTICATION_DISABLED SCAN_UNCATEGORIZED
    CLUSTER_SHIELDED_NODES_DISABLED SCAN_UNCATEGORIZED
    CONSUL_RCE SCAN_VULN_NETWORK NETWORK_SUSPICIOUS
    COS_NOT_USED SCAN_UNCATEGORIZED
    DATAPROC_IMAGE_OUTDATED SCAN_VULN_NETWORK
    DISK_CSEK_DISABLED SCAN_UNCATEGORIZED
    DNSSEC_DISABLED SCAN_UNCATEGORIZED
    DRUID_RCE SCAN_VULN_NETWORK
    DRUPAL_RCE SCAN_VULN_NETWORK NETWORK_SUSPICIOUS
    ELASTICSEARCH_API_EXPOSED SCAN_VULN_NETWORK NETWORK_MALICIOUS
    EXPOSED_GRAFANA_ENDPOINT SCAN_VULN_NETWORK NETWORK_MALICIOUS
    EXPOSED_METABASE SCAN_VULN_NETWORK NETWORK_MALICIOUS
    EXPOSED_SPRING_BOOT_ACTUATOR_ENDPOINT SCAN_VULN_NETWORK
    FLINK_FILE_DISCLOSURE SCAN_VULN_NETWORK NETWORK_SUSPICIOUS
    GITLAB_RCE SCAN_VULN_NETWORK SOFTWARE_SUSPICIOUS
    GoCD_RCE SCAN_VULN_NETWORK SOFTWARE_SUSPICIOUS
    HADOOP_YARN_UNAUTHENTICATED_RESOURCE_MANAGER_API SCAN_VULN_NETWORK NETWORK_SUSPICIOUS
    IAM_ROLE_HAS_EXCESSIVE_PERMISSIONS SCAN_UNCATEGORIZED SOFTWARE_SUSPICIOUS
    INSECURE_ALLOW_ORIGIN_ENDS_WITH_VALIDATION SCAN_UNCATEGORIZED
    INSECURE_ALLOW_ORIGIN_STARTS_WITH_VALIDATION SCAN_UNCATEGORIZED
    INTEGRITY_MONITORING_DISABLED SCAN_UNCATEGORIZED
    INVALID_CONTENT_TYPE SCAN_UNCATEGORIZED
    INVALID_HEADER SCAN_UNCATEGORIZED
    IP_ALIAS_DISABLED SCAN_UNCATEGORIZED
    JAVA_JMX_RMI_EXPOSED SCAN_VULN_NETWORK NETWORK_SUSPICIOUS
    JENKINS_RCE SCAN_VULN_NETWORK SOFTWARE_SUSPICIOUS
    JOOMLA_RCE SCAN_VULN_NETWORK SOFTWARE_SUSPICIOUS
    JUPYTER_NOTEBOOK_EXPOSED_UI SCAN_VULN_NETWORK
    KMS_PUBLIC_KEY SCAN_UNCATEGORIZED
    KUBERNETES_API_EXPOSED SCAN_VULN_NETWORK NETWORK_SUSPICIOUS
    LABELS_NOT_USED SCAN_UNCATEGORIZED
    LEGACY_METADATA_ENABLED SCAN_UNCATEGORIZED
    LOG4J_RCE SCAN_VULN_NETWORK SOFTWARE_SUSPICIOUS
    MANTISBT_PRIVILEGE_ESCALATION SCAN_VULN_NETWORK SOFTWARE_SUSPICIOUS
    MISMATCHING_SECURITY_HEADER_VALUES SCAN_UNCATEGORIZED
    MISSPELLED_SECURITY_HEADER_NAME SCAN_UNCATEGORIZED
    MIXED_CONTENT SCAN_UNCATEGORIZED
    OGNL_RCE SCAN_VULN_NETWORK SOFTWARE_SUSPICIOUS
    OPENAM_RCE SCAN_VULN_NETWORK SOFTWARE_SUSPICIOUS
    ORACLE_WEBLOGIC_RCE SCAN_VULN_NETWORK SOFTWARE_SUSPICIOUS
    OS_VULNERABILITY SCAN_VULN_HOST
    OUTDATED_LIBRARY SCAN_VULN_HOST SOFTWARE_SUSPICIOUS
    PHP_CGI_RCE SCAN_VULN_NETWORK SOFTWARE_SUSPICIOUS
    PHPUNIT_RCE SCAN_VULN_NETWORK SOFTWARE_SUSPICIOUS
    PORTAL_RCE SCAN_VULN_NETWORK SOFTWARE_SUSPICIOUS
    PUBLIC_DATASET SCAN_UNCATEGORIZED
    PUBLIC_LOG_BUCKET SCAN_UNCATEGORIZED
    PUBLIC_STORAGE_OBJECT SCAN_UNCATEGORIZED
    REDIS_RCE SCAN_VULN_NETWORK SOFTWARE_SUSPICIOUS
    REDIS_ROLE_USED_ON_ORG SCAN_UNCATEGORIZED
    RELEASE_CHANNEL_DISABLED SCAN_UNCATEGORIZED
    RSASHA1_FOR_SIGNING SCAN_UNCATEGORIZED
    SERVER_SIDE_REQUEST_FORGERY SCAN_NETWORK NETWORK_MALICIOUS
    SERVICE_AGENT_GRANTED_BASIC_ROLE SCAN_UNCATEGORIZED SOFTWARE_SUSPICIOUS
    SERVICE_AGENT_ROLE_REPLACED_WITH_BASIC_ROLE SCAN_UNCATEGORIZED SOFTWARE_SUSPICIOUS
    SESSION_ID_LEAK SCAN_NETWORK DATA_EXFILTRATION
    SOLR_FILE_EXPOSED SCAN_VULN_NETWORK SOFTWARE_SUSPICIOUS
    SOLR_RCE SCAN_VULN_NETWORK SOFTWARE_SUSPICIOUS
    SQL_BROAD_ROOT_LOGIN SCAN_UNCATEGORIZED
    SQL_CONTAINED_DATABASE_AUTHENTICATION SCAN_UNCATEGORIZED
    SQL_CROSS_DB_OWNERSHIP_CHAINING SCAN_UNCATEGORIZED
    SQL_EXTERNAL_SCRIPTS_ENABLED SCAN_UNCATEGORIZED
    SQL_INJECTION SCAN_NETWORK EXPLOIT
    SQL_LOCAL_INFILE SCAN_UNCATEGORIZED
    SQL_LOG_ERROR_VERBOSITY SCAN_UNCATEGORIZED
    SQL_LOG_EXECUTOR_STATS_ENABLED SCAN_UNCATEGORIZED
    SQL_LOG_HOSTNAME_ENABLED SCAN_UNCATEGORIZED
    SQL_LOG_MIN_DURATION_STATEMENT_ENABLED SCAN_UNCATEGORIZED
    SQL_LOG_MIN_ERROR_STATEMENT SCAN_UNCATEGORIZED
    SQL_LOG_MIN_ERROR_STATEMENT_SEVERITY SCAN_UNCATEGORIZED
    SQL_LOG_MIN_MESSAGES SCAN_UNCATEGORIZED
    SQL_LOG_PARSER_STATS_ENABLED SCAN_UNCATEGORIZED
    SQL_LOG_PLANNER_STATS_ENABLED SCAN_UNCATEGORIZED
    SQL_LOG_STATEMENT_STATS_ENABLED SCAN_UNCATEGORIZED
    SQL_LOG_TEMP_FILES SCAN_UNCATEGORIZED
    SQL_REMOTE_ACCESS_ENABLED SCAN_UNCATEGORIZED
    SQL_SKIP_SHOW_DATABASE_DISABLED SCAN_UNCATEGORIZED
    SQL_TRACE_FLAG_3625 SCAN_UNCATEGORIZED
    SQL_USER_CONNECTIONS_CONFIGURED SCAN_UNCATEGORIZED
    SQL_USER_OPTIONS_CONFIGURED SCAN_UNCATEGORIZED
    SQL_WEAK_ROOT_PASSWORD SCAN_UNCATEGORIZED
    STRUTS_INSECURE_DESERIALIZATION SCAN_VULN_HOST SOFTWARE_SUSPICIOUS
    STRUTS_RCE SCAN_VULN_NETWORK SOFTWARE_SUSPICIOUS
    TOMCAT_FILE_DISCLOSURE SCAN_VULN_NETWORK SOFTWARE_SUSPICIOUS
    UNAUTHENTICATED_JENKINS_NEW_ITEM_CONSOLE SCAN_VULN_NETWORK NETWORK_SUSPICIOUS
    UNFINISHED_WORDPRESS_INSTALLATION SCAN_VULN_NETWORK NETWORK_SUSPICIOUS
    UNUSED_IAM_ROLE SCAN_UNCATEGORIZED
    VBULLETIN_RCE SCAN_VULN_NETWORK SOFTWARE_SUSPICIOUS
    VCENTER_RCE SCAN_VULN_NETWORK SOFTWARE_SUSPICIOUS
    WEAK_CREDENTIALS SCAN_VULN_NETWORK NETWORK_MALICIOUS
    WEBLOGIC_RCE SCAN_VULN_NETWORK SOFTWARE_SUSPICIOUS
    XSS SCAN_NETWORK SOFTWARE_SUSPICIOUS
    XSS_ANGULAR_CALLBACK SCAN_NETWORK SOFTWARE_SUSPICIOUS
    XSS_ERROR SCAN_HOST SOFTWARE_SUSPICIOUS
    XXE_REFLECTED_FILE_LEAKAGE SCAN_HOST SOFTWARE_SUSPICIOUS

    MISCONFIGURATION category to UDM event type

    The following table lists the event identifiers of the MISCONFIGURATION finding class and their corresponding UDM event types.

    Event Identifier Event Type
    ADMIN_SERVICE_ACCOUNT SCAN_UNCATEGORIZED
    API_KEY_APIS_UNRESTRICTED SCAN_UNCATEGORIZED
    API_KEY_APPS_UNRESTRICTED SCAN_UNCATEGORIZED
    API_KEY_EXISTS SCAN_UNCATEGORIZED
    API_KEY_NOT_ROTATED SCAN_UNCATEGORIZED
    AUDIT_CONFIG_NOT_MONITORED SCAN_UNCATEGORIZED
    AUDIT_LOGGING_DISABLED SCAN_UNCATEGORIZED
    AUTO_BACKUP_DISABLED SCAN_UNCATEGORIZED
    AUTO_REPAIR_DISABLED SCAN_UNCATEGORIZED
    AUTO_UPGRADE_DISABLED SCAN_UNCATEGORIZED
    BIGQUERY_TABLE_CMEK_DISABLED SCAN_UNCATEGORIZED
    BINARY_AUTHORIZATION_DISABLED SCAN_UNCATEGORIZED
    BUCKET_CMEK_DISABLED SCAN_UNCATEGORIZED
    BUCKET_IAM_NOT_MONITORED SCAN_UNCATEGORIZED
    BUCKET_LOGGING_DISABLED SCAN_UNCATEGORIZED
    BUCKET_POLICY_ONLY_DISABLED SCAN_UNCATEGORIZED
    CLUSTER_LOGGING_DISABLED SCAN_UNCATEGORIZED
    CLUSTER_MONITORING_DISABLED SCAN_UNCATEGORIZED
    CLUSTER_PRIVATE_GOOGLE_ACCESS_DISABLED SCAN_UNCATEGORIZED
    CLUSTER_SECRETS_ENCRYPTION_DISABLED SCAN_UNCATEGORIZED
    CLUSTER_SHIELDED_NODES_DISABLED SCAN_UNCATEGORIZED
    COMPUTE_PROJECT_WIDE_SSH_KEYS_ALLOWED SCAN_UNCATEGORIZED
    COMPUTE_SECURE_BOOT_DISABLED SCAN_HOST
    COMPUTE_SERIAL_PORTS_ENABLED SCAN_NETWORK
    CONFIDENTIAL_COMPUTING_DISABLED SCAN_HOST
    CUSTOM_ROLE_NOT_MONITORED SCAN_UNCATEGORIZED
    DATASET_CMEK_DISABLED SCAN_UNCATEGORIZED
    DEFAULT_NETWORK SCAN_NETWORK
    DEFAULT_SERVICE_ACCOUNT_USED SCAN_UNCATEGORIZED
    DISK_CMEK_DISABLED SCAN_UNCATEGORIZED
    DNS_LOGGING_DISABLED SCAN_NETWORK
    EGRESS_DENY_RULE_NOT_SET SCAN_NETWORK
    FIREWALL_NOT_MONITORED SCAN_NETWORK
    FIREWALL_RULE_LOGGING_DISABLED SCAN_NETWORK
    FLOW_LOGS_DISABLED SCAN_NETWORK
    FULL_API_ACCESS SCAN_UNCATEGORIZED
    GKE_CAPABILITIES SCAN_UNCATEGORIZED
    GKE_HOST_NAMESPACES SCAN_UNCATEGORIZED
    GKE_HOST_PATH_VOLUMES SCAN_UNCATEGORIZED
    GKE_HOST_PORTS SCAN_UNCATEGORIZED
    GKE_PRIVILEGE_ESCALATION SCAN_UNCATEGORIZED
    GKE_PRIVILEGED_CONTAINERS SCAN_UNCATEGORIZED
    GKE_RUN_AS_NONROOT SCAN_UNCATEGORIZED
    HTTP_LOAD_BALANCER SCAN_NETWORK
    INSTANCE_OS_LOGIN_DISABLED SCAN_UNCATEGORIZED
    INTRANODE_VISIBILITY_DISABLED SCAN_UNCATEGORIZED
    IP_FORWARDING_ENABLED SCAN_UNCATEGORIZED
    KMS_KEY_NOT_ROTATED SCAN_UNCATEGORIZED
    kms_key_region_europe SCAN_UNCATEGORIZED
    kms_non_euro_region SCAN_UNCATEGORIZED
    KMS_PROJECT_HAS_OWNER SCAN_UNCATEGORIZED
    KMS_ROLE_SEPARATION SCAN_UNCATEGORIZED
    LEGACY_AUTHORIZATION_ENABLED SCAN_UNCATEGORIZED
    LEGACY_NETWORK SCAN_NETWORK
    LOAD_BALANCER_LOGGING_DISABLED SCAN_NETWORK
    LOCKED_RETENTION_POLICY_NOT_SET SCAN_UNCATEGORIZED
    LOG_NOT_EXPORTED SCAN_UNCATEGORIZED
    MASTER_AUTHORIZED_NETWORKS_DISABLED SCAN_UNCATEGORIZED
    MFA_NOT_ENFORCED SCAN_UNCATEGORIZED
    NETWORK_NOT_MONITORED SCAN_NETWORK
    NETWORK_POLICY_DISABLED SCAN_UNCATEGORIZED
    NODEPOOL_BOOT_CMEK_DISABLED SCAN_UNCATEGORIZED
    NODEPOOL_SECURE_BOOT_DISABLED SCAN_UNCATEGORIZED
    NON_ORG_IAM_MEMBER SCAN_UNCATEGORIZED
    OBJECT_VERSIONING_DISABLED SCAN_UNCATEGORIZED
    OPEN_CASSANDRA_PORT SCAN_NETWORK
    OPEN_CISCOSECURE_WEBSM_PORT SCAN_NETWORK
    OPEN_DIRECTORY_SERVICES_PORT SCAN_NETWORK
    OPEN_DNS_PORT SCAN_NETWORK
    OPEN_ELASTICSEARCH_PORT SCAN_NETWORK
    OPEN_FIREWALL SCAN_NETWORK
    OPEN_FTP_PORT SCAN_NETWORK
    OPEN_GROUP_IAM_MEMBER SCAN_UNCATEGORIZED
    OPEN_HTTP_PORT SCAN_NETWORK
    OPEN_LDAP_PORT SCAN_NETWORK
    OPEN_MEMCACHED_PORT SCAN_NETWORK
    OPEN_MONGODB_PORT SCAN_NETWORK
    OPEN_MYSQL_PORT SCAN_NETWORK
    OPEN_NETBIOS_PORT SCAN_NETWORK
    OPEN_ORACLEDB_PORT SCAN_NETWORK
    OPEN_POP3_PORT SCAN_NETWORK
    OPEN_POSTGRESQL_PORT SCAN_NETWORK
    OPEN_RDP_PORT SCAN_NETWORK
    OPEN_REDIS_PORT SCAN_NETWORK
    OPEN_SMTP_PORT SCAN_NETWORK
    OPEN_SSH_PORT SCAN_NETWORK
    OPEN_TELNET_PORT SCAN_NETWORK
    OS_LOGIN_DISABLED SCAN_UNCATEGORIZED
    OVER_PRIVILEGED_ACCOUNT SCAN_UNCATEGORIZED
    OVER_PRIVILEGED_SCOPES SCAN_UNCATEGORIZED
    OVER_PRIVILEGED_SERVICE_ACCOUNT_USER SCAN_UNCATEGORIZED
    OWNER_NOT_MONITORED SCAN_NETWORK
    POD_SECURITY_POLICY_DISABLED SCAN_UNCATEGORIZED
    PRIMITIVE_ROLES_USED SCAN_UNCATEGORIZED
    PRIVATE_CLUSTER_DISABLED SCAN_UNCATEGORIZED
    PRIVATE_GOOGLE_ACCESS_DISABLED SCAN_NETWORK
    PUBLIC_BUCKET_ACL SCAN_UNCATEGORIZED
    PUBLIC_COMPUTE_IMAGE SCAN_HOST
    PUBLIC_IP_ADDRESS SCAN_UNCATEGORIZED
    PUBLIC_SQL_INSTANCE SCAN_NETWORK
    PUBSUB_CMEK_DISABLED SCAN_UNCATEGORIZED
    RELEASE_CHANNEL_DISABLED SCAN_UNCATEGORIZED
    ROUTE_NOT_MONITORED SCAN_NETWORK
    SERVICE_ACCOUNT_KEY_NOT_ROTATED SCAN_UNCATEGORIZED
    SERVICE_ACCOUNT_ROLE_SEPARATION SCAN_UNCATEGORIZED
    SHIELDED_VM_DISABLED SCAN_UNCATEGORIZED
    SQL_CMEK_DISABLED SCAN_UNCATEGORIZED
    SQL_CONTAINED_DATABASE_AUTHENTICATION SCAN_UNCATEGORIZED
    SQL_CROSS_DB_OWNERSHIP_CHAINING SCAN_UNCATEGORIZED
    SQL_INSTANCE_NOT_MONITORED SCAN_UNCATEGORIZED
    SQL_LOCAL_INFILE SCAN_UNCATEGORIZED
    SQL_LOG_CHECKPOINTS_DISABLED SCAN_UNCATEGORIZED
    SQL_LOG_CONNECTIONS_DISABLED SCAN_UNCATEGORIZED
    SQL_LOG_DISCONNECTIONS_DISABLED SCAN_UNCATEGORIZED
    SQL_LOG_DURATION_DISABLED SCAN_UNCATEGORIZED
    SQL_LOG_LOCK_WAITS_DISABLED SCAN_UNCATEGORIZED
    SQL_LOG_MIN_ERROR_STATEMENT SCAN_UNCATEGORIZED
    SQL_LOG_MIN_ERROR_STATEMENT_SEVERITY SCAN_UNCATEGORIZED
    SQL_LOG_STATEMENT SCAN_UNCATEGORIZED
    SQL_LOG_TEMP_FILES SCAN_UNCATEGORIZED
    SQL_NO_ROOT_PASSWORD SCAN_UNCATEGORIZED
    SQL_PUBLIC_IP SCAN_NETWORK
    SQL_REMOTE_ACCESS_ENABLED SCAN_UNCATEGORIZED
    SQL_SKIP_SHOW_DATABASE_DISABLED SCAN_UNCATEGORIZED
    SQL_TRACE_FLAG_3625 SCAN_UNCATEGORIZED
    SQL_USER_CONNECTIONS_CONFIGURED SCAN_UNCATEGORIZED
    SQL_USER_OPTIONS_CONFIGURED SCAN_UNCATEGORIZED
    SSL_NOT_ENFORCED SCAN_NETWORK
    TOO_MANY_KMS_USERS SCAN_UNCATEGORIZED
    USER_MANAGED_SERVICE_ACCOUNT_KEY SCAN_UNCATEGORIZED
    WEAK_SSL_POLICY SCAN_NETWORK
    WEB_UI_ENABLED SCAN_UNCATEGORIZED
    WORKLOAD_IDENTITY_DISABLED SCAN_UNCATEGORIZED

    OBSERVATION category to UDM event type

    The following table lists the event identifiers of the OBSERVATION finding class and their corresponding UDM event types.

    Event Identifier Event Type
    Impact: GPU Instance Created USER_RESOURCE_CREATION
    Impact: Many Instances Created USER_RESOURCE_CREATION
    Persistence: Add Sensitive Role RESOURCE_PERMISSIONS_CHANGE
    Persistence: Project SSH Key Added SETTING_MODIFICATION

    ERROR category to UDM event type

    The following table lists the event identifiers of the ERROR finding class and their corresponding UDM event types.

    Event Identifier Event Type
    API_DISABLED SCAN_UNCATEGORIZED
    GKE_SERVICE_ACCOUNT_MISSING_PERMISSIONS SCAN_UNCATEGORIZED
    KTD_BLOCKED_BY_ADMISSION_CONTROLLER SCAN_UNCATEGORIZED
    KTD_IMAGE_PULL_FAILURE SCAN_UNCATEGORIZED
    KTD_SERVICE_ACCOUNT_MISSING_PERMISSIONS SCAN_UNCATEGORIZED
    MISCONFIGURED_CLOUD_LOGGING_EXPORT SCAN_UNCATEGORIZED
    SCC_SERVICE_ACCOUNT_MISSING_PERMISSIONS SCAN_UNCATEGORIZED
    VPC_SC_RESTRICTION SCAN_UNCATEGORIZED

    UNSPECIFIED category to UDM event type

    The following table lists the event identifiers of the UNSPECIFIED finding class and their corresponding UDM event types and security categories.

    Event Identifier Event Type Security Category
    OPEN_FIREWALL SCAN_VULN_HOST POLICY_VIOLATION

    POSTURE_VIOLATION category to UDM event type

    The following table lists the event identifiers of the POSTURE_VIOLATION finding class and their corresponding UDM event types.

    Event Identifier Event Type
    SECURITY_POSTURE_DETECTOR_DELETE SCAN_UNCATEGORIZED
    SECURITY_POSTURE_DETECTOR_DRIFT SCAN_UNCATEGORIZED
    SECURITY_POSTURE_DRIFT SERVICE_MODIFICATION
    SECURITY_POSTURE_POLICY_DELETE SCAN_UNCATEGORIZED
    SECURITY_POSTURE_POLICY_DRIFT SCAN_UNCATEGORIZED

    Field mapping reference: VULNERABILITY

    The following table lists the log fields of the VULNERABILITY category and their corresponding UDM fields.

    RawLog field UDM mapping Logic
    assetDisplayName target.asset.attribute.labels.key/value [assetDisplayName]
    assetId target.asset.asset_id
    category extensions.vuln.vulnerabilities.name
    externalUri about.url
    findingProviderId target.resource.attribute.labels.key/value [findings_findingProviderId]
    iamBindings.action about.user.attribute.labels.key/value[action]
    iamBindings.member about.user.email_addresses
    iamBindings.role about.user.attribute.roles.name
    resourceName principal.asset.location.name The region is extracted from the resourceName log field using a Grok pattern and mapped to the principal.asset.location.name UDM field.
    resourceName principal.asset.product_object_id The asset_prod_obj_id value is extracted from the resourceName log field using a Grok pattern and mapped to the principal.asset.product_object_id UDM field.
    resourceName principal.asset.attribute.cloud.availability_zone The zone_suffix value is extracted from the resourceName log field using a Grok pattern and mapped to the principal.asset.attribute.cloud.availability_zone UDM field.
    sourceDisplayName target.resource.attribute.labels.key/value [sourceDisplayName]
    sourceProperties.DeactivationReason security_result.detection_fields.key/value[deactivation_reason]
    sourceProperties.description extensions.vuln.vulnerabilities.description
    sourceProperties.finalUrl network.http.referral_url
    sourceProperties.form.fields target.resource.attribute.labels.key/value [sourceProperties_form_fields]
    sourceProperties.httpMethod network.http.method
    sourceProperties.name target.resource.attribute.labels.key/value [sourceProperties_name]
    sourceProperties.outdatedLibrary.learnMoreUrls target.resource.attribute.labels.key/value[sourceProperties_outdatedLibrary_learnMoreUrls]
    sourceProperties.outdatedLibrary.libraryName target.resource.attribute.labels.key/value[outdatedLibrary.libraryName]
    sourceProperties.outdatedLibrary.version target.resource.attribute.labels.key/value[sourceProperties_outdatedLibrary_libraryName]
    sourceProperties.ResourcePath target.resource.attribute.labels.key/value[sourceProperties_ResourcePath]
    sourceProperties.RevokedIamPermissionsCount security_result.detection_fields.key/value[revoked_Iam_permissions_count]
    sourceProperties.TotalRecommendationsCount security_result.detection_fields.key/value[total_recommendations_count]
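    The three resourceName rows in the table above derive principal.asset.location.name, principal.asset.product_object_id and principal.asset.attribute.cloud.availability_zone from a full resource name with a Grok pattern that this page does not reproduce. The following Python is an added example, not the parser's pattern and not code from this page: it approximates that extraction with regular expressions over constructed full resource names, including the regional and global resources for which no zone exists. Treating the last path segment as the product object ID, and deriving the region by stripping the one-letter zone suffix, are assumptions made for the example.

```python
# Added example: approximate the resourceName extraction described in the
# VULNERABILITY field-mapping table. The parser uses a Grok pattern that the
# page does not show; these regexes are an assumption, not that pattern.
from __future__ import annotations

import re

# Full resource names, e.g. //compute.googleapis.com/projects/<p>/zones/<z>/instances/<n>
PROJECT_RE = re.compile(r"/projects/(?P<project>[^/]+)")
LOCATION_RE = re.compile(r"/(?:zones|regions|locations)/(?P<loc>[a-z0-9-]+)(?:/|$)")
# A zone is a region plus a one-letter suffix (us-central1-a); a bare region has none.
ZONE_RE = re.compile(r"^(?P<region>[a-z]+-[a-z]+\d+)-[a-z]$")


def parse_resource_name(name: str) -> dict[str, str]:
    """Split a full resource name into project, region, zone and object ID.

    Keys are present only when the name carries them: a regional resource has
    no availability_zone, and a global one (such as a bucket) has neither.
    """
    out: dict[str, str] = {
        # Assumption: the last path segment is what the table calls asset_prod_obj_id.
        "product_object_id": name.rstrip("/").rsplit("/", 1)[-1],
    }
    if m := PROJECT_RE.search(name):
        out["project"] = m["project"]
    if m := LOCATION_RE.search(name):
        loc = m["loc"]
        if zm := ZONE_RE.match(loc):  # zone-shaped: keep the zone and its parent region
            out["availability_zone"] = loc
            out["region"] = zm["region"]
        else:                         # region-shaped (regions/ or a regional locations/)
            out["region"] = loc
    return out


def asset_location_fields(finding: dict) -> dict[str, str]:
    """Map the extracted parts onto the UDM fields named in the table above."""
    parts = parse_resource_name(finding.get("resourceName", ""))
    udm = {"principal.asset.product_object_id": parts["product_object_id"]}
    if "region" in parts:
        udm["principal.asset.location.name"] = parts["region"]
    if "availability_zone" in parts:
        udm["principal.asset.attribute.cloud.availability_zone"] = parts["availability_zone"]
    return udm


# Constructed resource names (not taken from a real finding).
SAMPLE_NAMES = [
    "//compute.googleapis.com/projects/acme-prod/zones/us-central1-a/instances/web-01",
    "//compute.googleapis.com/projects/acme-prod/regions/europe-west4/subnetworks/app-subnet",
    "//container.googleapis.com/projects/acme-prod/locations/us-east1-b/clusters/prod",
    "//storage.googleapis.com/acme-prod-logs",
]

if __name__ == "__main__":
    for n in SAMPLE_NAMES:
        print(n, "->", asset_location_fields({"resourceName": n}))
```

    When you search on principal.asset.location.name, keep in mind that a finding on a global resource has no region at all, so a rule that requires that field to be set will never match findings such as PUBLIC_STORAGE_OBJECT.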

    Field mapping reference: MISCONFIGURATION

    The following table lists the log fields of the MISCONFIGURATION category and their corresponding UDM fields.

    RawLog field UDM mapping
    assetDisplayName target.asset.attribute.labels.key/value [assetDisplayName]
    assetId target.asset.asset_id
    externalUri about.url
    findingProviderId target.resource.attribute.labels[findingProviderId]
    sourceDisplayName target.resource.attribute.labels[sourceDisplayName]
    sourceProperties.ActionRequiredOnProject target.resource.attribute.labels.key/value [sourceProperties_ActionRequiredOnProject]
    sourceProperties.ActivationTrigger target.resource.attribute.labels.key/value [sourceProperties_ActivationTrigger]
    sourceProperties.AllowedIpRange target.resource.attribute.labels.key/value [sourceProperties_AllowedIpRange]
    sourceProperties.AllowedOauthScopes target.resource.attribute.permissions.name
    sourceProperties.cli_remediation target.process.command_line_history
    sourceProperties.CompatibleFeatures target.resource.attribute.labels.key/value [sourceProperties_CompatibleFeatures]
    sourceProperties.DatabaseVersion target.resource.attribute.labels[sourceProperties_DatabaseVersion]
    sourceProperties.DeactivationReason target.resource.attribute.labels.key/value [DeactivationReason]
    sourceProperties.ExceptionInstructions security_result.detection_fields.key/value[sourceProperties_ExceptionInstructions]
    sourceProperties.ExposedService target.application
    sourceProperties.ExternallyAccessibleProtocolsAndPorts.IPProtocol target.resource.attribute.labels.key/value [sourceProperties_ExternallyAccessibleProtocolsAndPorts_IPProtocol]
    sourceProperties.ExternalSourceRanges target.resource.attribute.labels.key/value [sourceProperties_ExternalSourceRanges]
    sourceProperties.HasAdminRoles target.resource.attribute.labels.key/value [sourceProperties_HasAdminRoles]
    sourceProperties.HasDefaultPolicy target.resource.attribute.labels.key/value [sourceProperties_HasDefaultPolicy]
    sourceProperties.HasEditRoles target.resource.attribute.labels.key/value [sourceProperties_HasEditRoles]
    sourceProperties.MfaDetails.advancedProtection target.resource.attribute.labels.key/value [sourceProperties_MfaDetails_advancedProtection]
    sourceProperties.MfaDetails.enforced target.resource.attribute.labels.key/value [sourceProperties_MfaDetails_enforced]
    sourceProperties.MfaDetails.enrolled target.resource.attribute.labels.key/value [sourceProperties_MfaDetails_enrolled]
    sourceProperties.MfaDetails.users target.resource.attribute.labels.key/value [sourceProperties_MfaDetails_users]
    sourceProperties.OffendingIamRolesList.description about.user.attribute.roles.description
    sourceProperties.OffendingIamRolesList.member about.user.email_addresses
    sourceProperties.OffendingIamRolesList.roles about.user.attribute.roles.name
    sourceProperties.OpenPorts.SCTP target.resource.attribute.labels.key/value[sourceProperties_OpenPorts_SCTP]
    sourceProperties.OpenPorts.TCP target.resource.attribute.labels.key/value[sourceProperties_OpenPorts_TCP]
    sourceProperties.OpenPorts.UDP target.resource.attribute.labels.key/value[sourceProperties_OpenPorts_UDP]
    sourceProperties.QualifiedLogMetricNames target.resource.attribute.labels.key/value [sourceProperties_QualifiedLogMetricNames]
    sourceProperties.ReactivationCount target.resource.attribute.labels.key/value [sourceProperties_ReactivationCount]
    sourceProperties.Recommendation security_result.detection_fields.key/value[sourceProperties_Recommendation]
    sourceProperties.RecommendedLogFilter target.resource.attribute.labels.key/value [sourceProperties_RecommendedLogFilter]
    sourceProperties.ResourcePath target.resource.attribute.labels.key/value[sourceProperties_ResourcePath]
    sourceProperties.ScannerName principal.labels.key/value[sourceProperties_ScannerName]
    sourceProperties.TargetProxyUrl target.url
    sourceProperties.VulnerableNetworkInterfaceNames target.resource.attribute.labels.key/value [sourceProperties_VulnerableNetworkInterfaceNames]
    sourceProperties.VulnerableNodePools target.resource.attribute.labels.key/value [sourceProperties_VulnerableNodePools]
    sourceProperties.VulnerableNodePoolsList target.resource.attribute.labels.key/value [sourceProperties_VulnerableNodePoolsList]

    Field mapping reference: OBSERVATION

    The following table lists the log fields of the OBSERVATION category and their corresponding UDM fields.

    RawLog field UDM mapping
    assetDisplayName target.asset.attribute.labels.key/value [asset_display_name]
    assetId target.asset.asset_id
    findingProviderId target.resource.attribute.labels[findingProviderId]
    sourceDisplayName target.resource.attribute.labels.key/value [sourceDisplayName]

    Field mapping reference: ERROR

    The following table lists the log fields of the ERROR category and their corresponding UDM fields.

    RawLog field UDM mapping
    externalUri about.url
    findingProviderId target.resource.attribute.labels[findingProviderId]
    sourceDisplayName target.resource.attribute.labels.key/value [sourceDisplayName]
    sourceProperties.ReactivationCount target.resource.attribute.labels.key/value [sourceProperties_ReactivationCount]

    Field mapping reference: UNSPECIFIED

    The following table lists the log fields of the UNSPECIFIED category and their corresponding UDM fields.

    RawLog field UDM mapping
    sourceDisplayName target.resource.attribute.labels.key/value [sourceDisplayName]
    sourceProperties.AllowedIpRange target.resource.attribute.labels.key/value [sourceProperties_AllowedIpRange]
    sourceProperties.ExternallyAccessibleProtocolsAndPorts.IPProtocol target.resource.attribute.labels.key/value [sourceProperties_ExternallyAccessibleProtocolsAndPorts_IPProtocol]
    sourceProperties.ExternallyAccessibleProtocolsAndPorts.ports target.resource.attribute.labels.key/value [sourceProperties_ExternallyAccessibleProtocolsAndPorts_ports]
    sourceProperties.ReactivationCount target.resource.attribute.labels.key/value [sourceProperties_ReactivationCount]
    sourceProperties.ResourcePath src.resource.attribute.labels.key/value [sourceProperties_ResourcePath]
    sourceProperties.ScannerName principal.labels.key/value [sourceProperties_ScannerName]

    Field mapping reference: POSTURE_VIOLATION

    The following table lists the log fields of the POSTURE_VIOLATION category and their corresponding UDM fields.

    Log field UDM mapping Logic
    cloudProvider about.resource.attribute.cloud.environment If the cloudProvider log field value is one of MICROSOFT_AZURE, GOOGLE_CLOUD_PLATFORM, or AMAZON_WEB_SERVICES, then the cloudProvider log field is mapped to the about.resource.attribute.cloud.environment UDM field.
    finding.cloudProvider about.resource.attribute.cloud.environment If the finding.cloudProvider log field value is one of MICROSOFT_AZURE, GOOGLE_CLOUD_PLATFORM, or AMAZON_WEB_SERVICES, then the finding.cloudProvider log field is mapped to the about.resource.attribute.cloud.environment UDM field.
    finding.originalProviderId target.resource.attribute.labels[original_provider_id]
    finding.propertyDataTypes.changed_policy.primitiveDataType security_result.rule_labels[changed_policy_primitive_data_type]
    finding.propertyDataTypes.policy_drift_details.listValues.propertyDataTypes.structValue.fields.drift_details.structValue.fields.detected_configuration.primitiveDataType security_result.rule_labels[detected_configuration_primitive_data_type]
    finding.propertyDataTypes.policy_drift_details.listValues.propertyDataTypes.structValue.fields.drift_details.structValue.fields.expected_configuration.primitiveDataType security_result.rule_labels[expected_configuration_primitive_data_type]
    finding.propertyDataTypes.policy_drift_details.listValues.propertyDataTypes.structValue.fields.field_name.primitiveDataType security_result.rule_labels[field_name_primitive_data_type]
    finding.propertyDataTypes.posture_deployment_name.primitiveDataType security_result.detection_fields[posture_deployment_name_primitiveDataType]
    finding.propertyDataTypes.posture_deployment_resource.primitiveDataType security_result.detection_fields[posture_deployment_resource_primitiveDataType]
    finding.propertyDataTypes.posture_name.primitiveDataType security_result.detection_fields[posture_name_primitiveDataType]
    finding.propertyDataTypes.posture_revision_id.primitiveDataType security_result.detection_fields[posture_revision_id_primitiveDataType]
    finding.resourceName target.resource_ancestors.name If the finding.resourceName log field value is not empty, then the finding.resourceName log field is mapped to the target.resource.name UDM field.

    The project_name field is extracted from the finding.resourceName log field using the Grok pattern.

    If the project_name field value is not empty, then the project_name field is mapped to the target.resource_ancestors.name UDM field.
    finding.risks.riskCategory security_result.detection_fields[risk_category]
    finding.securityPosture.changedPolicy security_result.rule_labels[changed_policy]
    finding.securityPosture.name security_result.detection_fields[security_posture_name]
    finding.securityPosture.policyDriftDetails.detectedValue security_result.rule_labels[policy_drift_details_detected_value]
    finding.securityPosture.policyDriftDetails.expectedValue security_result.rule_labels[policy_drift_details_expected_value]
    finding.securityPosture.policyDriftDetails.field security_result.rule_labels[policy_drift_details_field]
    finding.securityPosture.policySet security_result.rule_set
    finding.securityPosture.postureDeployment security_result.detection_fields[posture_deployment]
    finding.securityPosture.postureDeploymentResource security_result.detection_fields[posture_deployment_resource]
    finding.securityPosture.revisionId security_result.detection_fields[security_posture_revision_id]
    finding.sourceProperties.changed_policy security_result.rule_name
    finding.sourceProperties.policy_drift_details.drift_details.detected_configuration security_result.rule_labels[policy_drift_details_detected_configuration]
    finding.sourceProperties.policy_drift_details.drift_details.expected_configuration security_result.rule_labels[policy_drift_details_expected_configuration]
    finding.sourceProperties.policy_drift_details.field_name security_result.rule_labels[policy_drift_details_field_name]
    finding.sourceProperties.posture_deployment_name security_result.detection_fields[source_properties_posture_deployment_name]
    finding.sourceProperties.posture_deployment_resource security_result.detection_fields[source_properties_posture_deployment_resource]
    finding.sourceProperties.posture_name target.application
    finding.sourceProperties.posture_revision_id security_result.detection_fields[source_properties_posture_revision_id]
    originalProviderId target.resource.attribute.labels[original_provider_id]
    propertyDataTypes.changed_policy.primitiveDataType security_result.rule_labels[changed_policy_primitive_data_type]
    propertyDataTypes.policy_drift_details.listValues.propertyDataTypes.structValue.fields.drift_details.structValue.fields.detected_configuration.primitiveDataType security_result.rule_labels[detected_configuration_primitive_data_type]
    propertyDataTypes.policy_drift_details.listValues.propertyDataTypes.structValue.fields.drift_details.structValue.fields.expected_configuration.primitiveDataType security_result.rule_labels[expected_configuration_primitive_data_type]
    propertyDataTypes.policy_drift_details.listValues.propertyDataTypes.structValue.fields.field_name.primitiveDataType security_result.rule_labels[field_name_primitive_data_type]
    propertyDataTypes.posture_deployment_name.primitiveDataType security_result.detection_fields[posture_deployment_name_primitiveDataType]
    propertyDataTypes.posture_deployment_resource.primitiveDataType security_result.detection_fields[posture_deployment_resource_primitiveDataType]
    propertyDataTypes.posture_name.primitiveDataType security_result.detection_fields[posture_name_primitiveDataType]
    propertyDataTypes.posture_revision_id.primitiveDataType security_result.detection_fields[posture_revision_id_primitiveDataType]
    resource.cloudProvider target.resource.attribute.cloud.environment If the resource.cloudProvider log field value contains one of the following values, then the resource.cloudProvider log field is mapped to the target.resource.attribute.cloud.environment UDM field.
    • MICROSOFT_AZURE
    • GOOGLE_CLOUD_PLATFORM
    • AMAZON_WEB_SERVICES
    resource.gcpMetadata.organization target.resource.attribute.labels[resource_organization]
    resource.organization target.resource.attribute.labels[resource_organization]
    resource.resourcePath.nodes.displayName target.resource_ancestors.name
    resource.resourcePath.nodes.id target.resource_ancestors.product_object_id
    resource.resourcePath.nodes.nodeType target.resource_ancestors.resource_subtype
    resource.resourcePathString target.resource.attribute.labels[resource_path_string]
    resource.service target.resource_ancestors.name
    resourceName target.resource_ancestors.name If the resourceName log field value is not empty, then the resourceName log field is mapped to the target.resource.name UDM field.

    The project_name field is extracted from the resourceName log field using the Grok pattern.

    If the project_name field value is not empty, then the project_name field is mapped to the target.resource_ancestors.name UDM field.
    securityPosture.changedPolicy security_result.rule_labels[changed_policy]
    securityPosture.name security_result.detection_fields[security_posture_name]
    securityPosture.postureDeployment security_result.detection_fields[posture_deployment]
    securityPosture.postureDeploymentResource security_result.detection_fields[posture_deployment_resource]
    securityPosture.revisionId security_result.detection_fields[security_posture_revision_id]
    sourceProperties.categories security_result.detection_fields[source_properties_categories]
    sourceProperties.changed_policy security_result.rule_name
    sourceProperties.name target.application
    sourceProperties.policy_drift_details.drift_details.detected_configuration security_result.rule_labels[policy_drift_details_detected_configuration]
    sourceProperties.policy_drift_details.drift_details.expected_configuration security_result.rule_labels[policy_drift_details_expected_configuration]
    sourceProperties.policy_drift_details.field_name security_result.rule_labels[policy_drift_details_field_name]
    sourceProperties.posture_deployment security_result.detection_fields[source_properties_posture_deployment_name]
    sourceProperties.posture_deployment_name security_result.detection_fields[source_properties_posture_deployment_name]
    sourceProperties.posture_deployment_resource security_result.detection_fields[source_properties_posture_deployment_resource]
    sourceProperties.posture_name target.application
    sourceProperties.posture_revision_id security_result.detection_fields[source_properties_posture_revision_id]
    sourceProperties.revision_id security_result.detection_fields[source_properties_posture_revision_id]
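
The following Python example is added here to show how the POSTURE_VIOLATION logic in the table above behaves on a concrete finding; it is illustrative code, not the Google Security Operations parser. The sample finding is constructed, and the regular expression that extracts project_name from resourceName is an assumption standing in for the Grok pattern the page does not show. The cloudProvider checks deliberately leave the environment field unset for any value outside the three listed providers, so a missing environment in the resulting UDM record is a signal that the source value did not match rather than a parser error.

```python
import re

# Values the table accepts for cloudProvider; any other value leaves the
# environment field unset, so a new or misspelled provider is visible as a gap.
CLOUD_ENVIRONMENTS = {"MICROSOFT_AZURE", "GOOGLE_CLOUD_PLATFORM", "AMAZON_WEB_SERVICES"}

# Assumed stand-in for the Grok pattern the page does not show: pulls the
# project segment out of a resourceName such as
# "//cloudresourcemanager.googleapis.com/projects/example-project".
PROJECT_RE = re.compile(r"/projects/(?P<project_name>[^/]+)")

# Direct mappings from the table: log field -> key under security_result.detection_fields
DETECTION_FIELDS = {
    "securityPosture.name": "security_posture_name",
    "securityPosture.postureDeployment": "posture_deployment",
    "securityPosture.postureDeploymentResource": "posture_deployment_resource",
    "securityPosture.revisionId": "security_posture_revision_id",
    "sourceProperties.posture_deployment_name": "source_properties_posture_deployment_name",
    "sourceProperties.posture_revision_id": "source_properties_posture_revision_id",
}

# Direct mappings from the table: log field -> key under security_result.rule_labels
RULE_LABELS = {
    "securityPosture.changedPolicy": "changed_policy",
    "securityPosture.policyDriftDetails.detectedValue": "policy_drift_details_detected_value",
    "securityPosture.policyDriftDetails.expectedValue": "policy_drift_details_expected_value",
    "securityPosture.policyDriftDetails.field": "policy_drift_details_field",
}


def get_path(obj, dotted):
    """Return the value at a dotted path ("securityPosture.name") or None if a segment is missing."""
    cur = obj
    for part in dotted.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def normalize_posture_violation(finding):
    """Map one POSTURE_VIOLATION finding (a dict parsed from JSON) to a flat dict of UDM fields."""
    udm = {}

    # cloudProvider is only mapped when it is one of the enumerated providers.
    provider = finding.get("cloudProvider")
    if provider in CLOUD_ENVIRONMENTS:
        udm["about.resource.attribute.cloud.environment"] = provider
    resource_provider = get_path(finding, "resource.cloudProvider")
    if resource_provider in CLOUD_ENVIRONMENTS:
        udm["target.resource.attribute.cloud.environment"] = resource_provider

    # resourceName -> target.resource.name; the extracted project becomes an ancestor name.
    resource_name = finding.get("resourceName")
    if resource_name:
        udm["target.resource.name"] = resource_name
        match = PROJECT_RE.search(resource_name)
        if match:
            udm.setdefault("target.resource_ancestors", []).append({"name": match.group("project_name")})

    # Key/value label lists, one entry per present log field.
    for log_field, key in DETECTION_FIELDS.items():
        value = get_path(finding, log_field)
        if value is not None:
            udm.setdefault("security_result.detection_fields", []).append({"key": key, "value": value})
    for log_field, key in RULE_LABELS.items():
        value = get_path(finding, log_field)
        if value is not None:
            udm.setdefault("security_result.rule_labels", []).append({"key": key, "value": value})

    # Scalar fields from the table.
    policy_set = get_path(finding, "securityPosture.policySet")
    if policy_set:
        udm["security_result.rule_set"] = policy_set
    changed_policy = get_path(finding, "sourceProperties.changed_policy")
    if changed_policy:
        udm["security_result.rule_name"] = changed_policy
    posture_name = get_path(finding, "sourceProperties.posture_name")
    if posture_name:
        udm["target.application"] = posture_name
    return udm


# Constructed sample finding (not a real export); every value is a placeholder.
SAMPLE_FINDING = {
    "cloudProvider": "GOOGLE_CLOUD_PLATFORM",
    "resourceName": "//cloudresourcemanager.googleapis.com/projects/example-project",
    "resource": {"cloudProvider": "GOOGLE_CLOUD_PLATFORM"},
    "securityPosture": {
        "name": "organizations/000000000000/locations/global/postures/example-posture",
        "revisionId": "example-revision",
        "policySet": "example-policy-set",
        "changedPolicy": "example-policy",
        "policyDriftDetails": {"field": "example.field", "expectedValue": "expected", "detectedValue": "detected"},
    },
    "sourceProperties": {"changed_policy": "example-policy", "posture_name": "example-posture"},
}

if __name__ == "__main__":
    import json
    print(json.dumps(normalize_posture_violation(SAMPLE_FINDING), indent=2))
```

Running the module prints the normalized record for the constructed finding. Feeding it a finding without a `/projects/` segment in resourceName yields only `target.resource.name`, which is the same behaviour the table describes when the project_name extraction produces an empty value.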

    Common Fields: SECURITY COMMAND CENTER - VULNERABILITY, MISCONFIGURATION, OBSERVATION, ERROR, UNSPECIFIED, POSTURE_VIOLATION, TOXIC_COMBINATION

    The following table lists common fields of the SECURITY COMMAND CENTER - VULNERABILITY, MISCONFIGURATION, OBSERVATION, ERROR, UNSPECIFIED, POSTURE_VIOLATION, TOXIC_COMBINATION categories and their corresponding UDM fields.

    RawLog field UDM mapping Logic
    target.resource_ancestors.resource_type The target.resource_ancestors.resource_type UDM field is set to CLUSTER.
    about.resource.attribute.cloud.environment The about.resource.attribute.cloud.environment UDM field is set to GOOGLE_CLOUD_PLATFORM.
    principal.user.account_type If the access.principalSubject log field value matches the regular expression serviceAccount, then the principal.user.account_type UDM field is set to SERVICE_ACCOUNT_TYPE.

    Else, if the access.principalSubject log field value matches the regular expression user, then the principal.user.account_type UDM field is set to CLOUD_ACCOUNT_TYPE.
    security_result.about.user.attribute.roles.name If the message log field value matches the regular expression contacts.?security, then the security_result.about.user.attribute.roles.name UDM field is set to security.

    If the message log field value matches the regular expression contacts.?technical, then the security_result.about.user.attribute.roles.name UDM field is set to Technical.
    security_result.alert_state If the state log field value is equal to ACTIVE, then the security_result.alert_state UDM field is set to ALERTING.

    Else, the security_result.alert_state UDM field is set to NOT_ALERTING.
    access.methodName target.labels [access_methodName] (deprecated)
    access.methodName additional.fields [access_methodName]
    access.principalEmail principal.user.email_addresses If the access.principalEmail log field value is not empty and the access.principalEmail log field value matches the regular expression ^.+@.+$, then the access.principalEmail log field is mapped to the principal.user.email_addresses UDM field.
    access.principalEmail principal.user.userid If the access.principalEmail log field value is not empty and the access.principalEmail log field value does not match the regular expression ^.+@.+$, then the access.principalEmail log field is mapped to the principal.user.userid UDM field.
    access.principalSubject principal.user.attribute.labels.key/value [access_principalSubject]
    access.serviceAccountDelegationInfo.principalSubject principal.user.attribute.labels.key/value [access_serviceAccountDelegationInfo_principalSubject]
    access.serviceAccountKeyName principal.user.attribute.labels.key/value [access_serviceAccountKeyName]
    access.serviceName target.application If the category log field value is equal to Defense Evasion: Modify VPC Service Control or Exfiltration: BigQuery Data Extraction or Exfiltration: BigQuery Data to Google Drive or Exfiltration: CloudSQL Data Exfiltration or Exfiltration: CloudSQL Restore Backup to External Organization or Exfiltration: CloudSQL Over-Privileged Grant or Persistence: New Geography or Persistence: IAM Anomalous Grant, then the access.serviceName log field is mapped to the target.application UDM field.
    additional.fields[resource_service] resource.service
    canonicalName metadata.product_log_id The finding_id is extracted from the canonicalName log field using a Grok pattern.

    If the finding_id log field value is not empty, then the finding_id log field is mapped to the metadata.product_log_id UDM field.
    canonicalName src.resource.attribute.labels.key/value [finding_id] If the finding_id log field value is not empty, then the finding_id log field is mapped to the src.resource.attribute.labels.key/value [finding_id] UDM field.

    If the category log field value is equal to one of the following values, then the finding_id is extracted from the canonicalName log field using a Grok pattern:
    • Exfiltration: BigQuery Data Extraction
    • Exfiltration: BigQuery Data to Google Drive
    • Exfiltration: BigQuery Data Exfiltration
    • Exfiltration: CloudSQL Restore Backup to External Organization
    canonicalName src.resource.product_object_id If the source_id log field value is not empty, then the source_id log field is mapped to the src.resource.product_object_id UDM field.

    If the category log field value is equal to one of the following values, then the source_id is extracted from the canonicalName log field using a Grok pattern:
    • Exfiltration: BigQuery Data Extraction
    • Exfiltration: BigQuery Data to Google Drive
    • Exfiltration: BigQuery Data Exfiltration
    • Exfiltration: CloudSQL Restore Backup to External Organization
    canonicalName src.resource.attribute.labels.key/value [source_id] If the source_id log field value is not empty, then the source_id log field is mapped to the src.resource.attribute.labels.key/value [source_id] UDM field.

    If the category log field value is equal to one of the following values, then the source_id is extracted from the canonicalName log field using a Grok pattern:
    • Exfiltration: BigQuery Data Extraction
    • Exfiltration: BigQuery Data to Google Drive
    • Exfiltration: BigQuery Data Exfiltration
    • Exfiltration: CloudSQL Restore Backup to External Organization
    canonicalName target.resource.attribute.labels.key/value [finding_id] If the finding_id log field value is not empty, then the finding_id log field is mapped to the target.resource.attribute.labels.key/value [finding_id] UDM field.

    If the category log field value is not equal to any of the following values, then the finding_id is extracted from the canonicalName log field using a Grok pattern:
    • Exfiltration: BigQuery Data Extraction
    • Exfiltration: BigQuery Data to Google Drive
    • Exfiltration: BigQuery Data Exfiltration
    • Exfiltration: CloudSQL Restore Backup to External Organization
    canonicalName target.resource.product_object_id If the source_id log field value is not empty, then the source_id log field is mapped to the target.resource.product_object_id UDM field.

    If the category log field value is not equal to any of the following values, then the source_id is extracted from the canonicalName log field using a Grok pattern:
    • Exfiltration: BigQuery Data Extraction
    • Exfiltration: BigQuery Data to Google Drive
    • Exfiltration: BigQuery Data Exfiltration
    • Exfiltration: CloudSQL Restore Backup to External Organization
    canonicalName target.resource.attribute.labels.key/value [source_id] If the source_id log field value is not empty, then the source_id log field is mapped to the target.resource.attribute.labels.key/value [source_id] UDM field.

    If the category log field value is not equal to any of the following values, then the source_id is extracted from the canonicalName log field using a Grok pattern:
    • Exfiltration: BigQuery Data Extraction
    • Exfiltration: BigQuery Data to Google Drive
    • Exfiltration: BigQuery Data Exfiltration
    • Exfiltration: CloudSQL Restore Backup to External Organization
    category metadata.product_event_type
    compliances.ids about.labels [compliance_ids] (deprecated)
    compliances.ids additional.fields [compliance_ids]
    compliances.standard about.labels [compliances_standard] (deprecated)
    compliances.standard additional.fields [compliances_standard]
    compliances.version about.labels [compliance_version] (deprecated)
    compliances.version additional.fields [compliance_version]
    connections.destinationIp about.labels [connections_destination_ip] (deprecated) If the connections.destinationIp log field value is not equal to the sourceProperties.properties.ipConnection.destIp, then the connections.destinationIp log field is mapped to the about.labels.value UDM field.
    connections.destinationIp additional.fields [connections_destination_ip] If the connections.destinationIp log field value is not equal to the sourceProperties.properties.ipConnection.destIp, then the connections.destinationIp log field is mapped to the additional.fields.value UDM field.
    connections.destinationPort about.labels [connections_destination_port] (deprecated)
    connections.destinationPort additional.fields [connections_destination_port]
    connections.protocol about.labels [connections_protocol] (deprecated)
    connections.protocol additional.fields [connections_protocol]
    connections.sourceIp about.labels [connections_source_ip] (deprecated)
    connections.sourceIp additional.fields [connections_source_ip]
    connections.sourcePort about.labels [connections_source_port] (deprecated)
    connections.sourcePort additional.fields [connections_source_port]
    contacts.security.contacts.email security_result.about.user.email_addresses
    contacts.technical.contacts.email security_result.about.user.email_addresses
    containers.imageId target.resource_ancestors.product_object_id
    containers.labels.name/value target.resource_ancestors.attribute.labels.key/value [containers.labels.name/value]
    containers.name target.resource_ancestors.name
    containers.uri target.resource_ancestors.attribute.labels.key/value [containers_uri]
    createTime security_result.detection_fields.key/value [create_time]
    database.displayName src.resource.attribute.labels.key/value [database_displayName] If the category log field value is equal to Exfiltration: CloudSQL Over-Privileged Grant, then the database.displayName log field is mapped to the src.resource.attribute.labels.value UDM field.
    database.displayName src.resource.attribute.labels.key/value [database_displayName]
    database.grantees src.resource.attribute.labels.key/value [database_grantees] If the category log field value is equal to Exfiltration: CloudSQL Over-Privileged Grant, then the src.resource.attribute.labels.key UDM field is set to grantees and the database.grantees log field is mapped to the src.resource.attribute.labels.value UDM field.
    database.grantees src.resource.attribute.labels.key/value [database_grantees]
    database.name src.resource.name
    database.query src.process.command_line If the category log field value is equal to Exfiltration: CloudSQL Over-Privileged Grant, then the database.query log field is mapped to the src.process.command_line UDM field.

    Else, the database.query log field is mapped to the target.process.command_line UDM field.
    database.userName principal.user.userid
    description security_result.description
    eventTime metadata.event_timestamp
    exfiltration.sources.components src.resource.attribute.labels.key/value[exfiltration_sources_components] If the category log field value is equal to Exfiltration: CloudSQL Data Exfiltration or Exfiltration: BigQuery Data Extraction, then the exfiltration.sources.components log field is mapped to the src.resource.attribute.labels.value UDM field.
    exfiltration.sources.name src.resource.name
    exfiltration.targets.components target.resource.attribute.labels.key/value[exfiltration_targets_components] If the category log field value is equal to Exfiltration: CloudSQL Data Exfiltration or Exfiltration: BigQuery Data Extraction, then the exfiltration.targets.components log field is mapped to the target.resource.attribute.labels.key/value UDM field.
    extensions.vulns.vulnerabilities.about.security_result.detection_fields[vulnerability_fixedPackage_cpeUri] vulnerability.fixedPackage.cpeUri
    extensions.vulns.vulnerabilities.about.security_result.detection_fields[vulnerability_fixedPackage_packageName] vulnerability.fixedPackage.packageName
    extensions.vulns.vulnerabilities.about.security_result.detection_fields[vulnerability_fixedPackage_packageType] vulnerability.fixedPackage.packageType
    extensions.vulns.vulnerabilities.about.security_result.detection_fields[vulnerability_fixedPackage_packageVersion] vulnerability.fixedPackage.packageVersion
    extensions.vulns.vulnerabilities.about.security_result.detection_fields[vulnerability_offendingPackage_cpeUri] vulnerability.offendingPackage.cpeUri
    extensions.vulns.vulnerabilities.about.security_result.detection_fields[vulnerability_offendingPackage_packageName] vulnerability.offendingPackage.packageName
    extensions.vulns.vulnerabilities.about.security_result.detection_fields[vulnerability_offendingPackage_packageType] vulnerability.offendingPackage.packageType
    extensions.vulns.vulnerabilities.about.security_result.detection_fields[vulnerability_offendingPackage_packageVersion] vulnerability.offendingPackage.packageVersion
    extensions.vulns.vulnerabilities.about.security_result.detection_fields[vulnerability_securityBulletin_bulletinId] vulnerability.securityBulletin.bulletinId
    externalSystems.assignees about.resource.attribute.labels.key/value [externalSystems_assignees]
    externalSystems.externalSystemUpdateTime about.resource.attribute.last_update_time
    externalSystems.externalUid about.resource.product_object_id
    externalSystems.name about.resource.name
    externalSystems.status about.resource.attribute.labels.key/value [externalSystems_status]
    findingClass, category security_result.category_details The findingClass - category log field is mapped to the security_result.category_details UDM field.
    indicator.signatures.memoryHashSignature.binaryFamily security_result.detection_fields.key/value [indicator_signatures_memoryHashSignature_binaryFamily]
    indicator.signatures.memoryHashSignature.detections.binary security_result.detection_fields.key/value [indicator_signatures_memoryHashSignature_detections_binary]
    indicator.signatures.memoryHashSignature.detections.percentPagesMatched security_result.detection_fields.key/value [indicator_signatures_memoryHashSignature_detections_percentPagesMatched]
    indicator.signatures.yaraRuleSignature.yararule security_result.detection_fields.key/value [indicator_signatures_yaraRuleSignature_yararule]
    indicator.uris about.url
    kubernetes_res_ancestor.attribute.labels[kubernetes_objects_group] kubernetes.objects.group
    kubernetes_res_ancestor.attribute.labels[kubernetes_objects_ns] kubernetes.objects.ns
    kubernetes.accessReviews.group target.resource.attribute.labels.key/value [kubernetes_accessReviews_group]
    kubernetes.accessReviews.name target.resource.attribute.labels.key/value [kubernetes_accessReviews_name]
    kubernetes.accessReviews.ns target.resource.attribute.labels.key/value [kubernetes_accessReviews_ns]
    kubernetes.accessReviews.resource target.resource.attribute.labels.key/value [kubernetes_accessReviews_resource]
    kubernetes.accessReviews.subresource target.resource.attribute.labels.key/value [kubernetes_accessReviews_subresource]
    kubernetes.accessReviews.verb target.resource.attribute.labels.key/value [kubernetes_accessReviews_verb]
    kubernetes.accessReviews.version target.resource.attribute.labels.key/value [kubernetes_accessReviews_version]
    kubernetes.bindings.name security_result.about.resource.attribute.labels.key/value [kubernetes_bindings_name]
    kubernetes.bindings.ns target.resource.attribute.labels.key/value [kubernetes_bindings_ns]
    kubernetes.bindings.role.kind target.resource.attribute.labels.key/value [kubernetes_bindings_role_kind]
    kubernetes.bindings.role.name target.resource.attribute.roles.name
    kubernetes.bindings.role.ns target.resource.attribute.labels.key/value [kubernetes_bindings_role_ns]
    kubernetes.bindings.subjects.kind target.resource.attribute.labels.key/value [kubernetes_bindings_subjects_kind]
    kubernetes.bindings.subjects.name target.resource.attribute.labels.key/value [kubernetes_bindings_subjects_name]
    kubernetes.bindings.subjects.ns target.resource.attribute.labels.key/value [kubernetes_bindings_subjects_ns]
    kubernetes.nodePools.name target.resource_ancestors.name
    kubernetes.nodePools.nodes.name target.resource.attribute.labels.key/value [kubernetes_nodePools_nodes_name]
    kubernetes.nodes.name target.resource_ancestors.name
    kubernetes.objects.kind target.resource.attribute.labels[kubernetes_objects_kind]
    kubernetes.objects.name target.resource.attribute.labels[kubernetes_objects_name]
    kubernetes.objects.ns target.resource.attribute.labels[kubernetes_objects_ns]
    kubernetes.pods.containers.imageId target.resource_ancestors.product_object_id
    kubernetes.pods.containers.labels.name/value target.resource.attribute.labels.key/value [kubernetes.pods.containers.labels.name/value]
    kubernetes.pods.containers.name target.resource_ancestors.name
    kubernetes.pods.containers.uri target.resource.attribute.labels.key/value [kubernetes_pods_containers_uri]
    kubernetes.pods.labels.name/value target.resource.attribute.labels.key/value [kubernetes.pods.labels.name/value]
    kubernetes.pods.name target.resource_ancestors.name
    kubernetes.pods.ns target.resource_ancestors.attribute.labels.key/value [kubernetes_pods_ns]
    kubernetes.roles.kind target.resource.attribute.labels.key/value [kubernetes_roles_kind]
    kubernetes.roles.name target.resource.attribute.labels.key/value [kubernetes_roles_name]
    kubernetes.roles.ns target.resource.attribute.labels.key/value [kubernetes_roles_ns]
    mitreAttack.additionalTactics security_result.detection_fields.key/value [mitreAttack_additionalTactics]
    mitreAttack.additionalTechniques security_result.detection_fields.key/value [mitreAttack_additionalTechniques]
    mitreAttack.primaryTactic security_result.detection_fields.key/value [mitreAttack_primaryTactic]
    mitreAttack.primaryTechniques.0 security_result.detection_fields.key/value [mitreAttack_primaryTechniques]
    mitreAttack.version security_result.detection_fields.key/value [mitreAttack_version]
    mute security_result.detection_fields.key/value [mute]
    muteInitiator security_result.detection_fields.key/value [mute_initiator] If the mute log field value is equal to MUTED or UNMUTED, then the muteInitiator log field is mapped to the security_result.detection_fields.value UDM field.
    muteUpdateTime security_result.detection_fields.key/value [mute_update_time] If the mute log field value is equal to MUTED or UNMUTED, then the muteUpdateTime log field is mapped to the security_result.detection_fields.value UDM field.
    name security_result.url_back_to_product
    nextSteps security_result.outcomes.key/value [next_steps]
    parent target.resource_ancestors.name
    parentDisplayName metadata.description
    processes.args target.process.command_line_history [processes.args]
    processes.argumentsTruncated target.labels [processes_argumentsTruncated] (deprecated)
    processes.argumentsTruncated additional.fields [processes_argumentsTruncated]
    processes.binary.contents target.labels [processes_binary_contents] (deprecated)
    processes.binary.contents additional.fields [processes_binary_contents]
    processes.binary.hashedSize target.labels [processes_binary_hashedSize] (deprecated)
    processes.binary.hashedSize additional.fields [processes_binary_hashedSize]
    processes.binary.partiallyHashed target.labels [processes_binary_partiallyHashed] (deprecated)
    processes.binary.partiallyHashed additional.fields [processes_binary_partiallyHashed]
    processes.binary.path target.process.file.full_path
    processes.binary.sha256 target.process.file.sha256
    processes.binary.size target.process.file.size
    processes.envVariables.name target.labels [processes_envVariables_name] (deprecated)
    processes.envVariables.name additional.fields [processes_envVariables_name]
    processes.envVariables.val target.labels [processes_envVariables_val] (deprecated)
    processes.envVariables.val additional.fields [processes_envVariables_val]
    processes.envVariablesTruncated target.labels [processes_envVariablesTruncated] (deprecated)
    processes.envVariablesTruncated additional.fields [processes_envVariablesTruncated]
    processes.libraries.contents target.labels [processes_libraries_contents] (deprecated)
    processes.libraries.contents additional.fields [processes_libraries_contents]
    processes.libraries.hashedSize target.labels [processes_libraries_hashedSize] (deprecated)
    processes.libraries.hashedSize additional.fields [processes_libraries_hashedSize]
    processes.libraries.partiallyHashed target.labels [processes_libraries_partiallyHashed] (deprecated)
    processes.libraries.partiallyHashed additional.fields [processes_libraries_partiallyHashed]
    processes.libraries.path target.process.file.full_path
    processes.libraries.sha256 target.process.file.sha256
    processes.libraries.size target.process.file.size
    processes.name target.process.file.full_path
    processes.name target.process.file.names
    processes.parentPid target.parent_process.pid
    processes.pid target.process.pid
    processes.script.contents target.labels [processes_script_contents] (deprecated)
    processes.script.contents additional.fields [processes_script_contents]
    processes.script.hashedSize target.labels [processes_script_hashedSize] (deprecated)
    processes.script.hashedSize additional.fields [processes_script_hashedSize]
    processes.script.partiallyHashed target.labels [processes_script_partiallyHashed] (deprecated)
    processes.script.partiallyHashed additional.fields [processes_script_partiallyHashed]
    processes.script.path target.process.file.full_path
    processes.script.sha256 target.process.file.sha256
    processes.script.size target.process.file.size
    resource.display_name src.resource.attribute.labels.key/value [resource_display_name] If the category log field value is equal to Exfiltration: BigQuery Data Exfiltration or Exfiltration: BigQuery Data to Google Drive, then the resource.display_name log field is mapped to the src.resource.attribute.labels.value UDM field.

    Else, the resource.display_name log field is mapped to the target.resource.attribute.labels.value UDM field.
    resource.display_name target.resource.attribute.labels.key/value [resource_display_name] If the category log field value is equal to Exfiltration: BigQuery Data Exfiltration or Exfiltration: BigQuery Data to Google Drive, then the resource.display_name log field is mapped to the src.resource.attribute.labels.value UDM field.

    Else, the resource.display_name log field is mapped to the target.resource.attribute.labels.value UDM field.
    resource.displayName src.resource.attribute.labels.key/value [resource_displayName] If the category log field value is equal to Exfiltration: BigQuery Data Exfiltration or Exfiltration: BigQuery Data to Google Drive, then the resource.displayName log field is mapped to the src.resource.attribute.labels.value UDM field.

    Else, the resource.displayName log field is mapped to the target.resource.attribute.labels.value UDM field.
    resource.displayName target.resource.attribute.labels.key/value [resource_displayName] If the category log field value is equal to Exfiltration: BigQuery Data Exfiltration or Exfiltration: BigQuery Data to Google Drive, then the resource.displayName log field is mapped to the src.resource.attribute.labels.value UDM field.

    Else, the resource.displayName log field is mapped to the target.resource.attribute.labels.value UDM field.
    resource.folders.resourceFolderDisplayName src.resource_ancestors.attribute.labels.key/value [resource_folders_resourceFolderDisplayName] If the category log field value is equal to Exfiltration: BigQuery Data to Google Drive, then the resource.folders.resourceFolderDisplayName log field is mapped to the src.resource_ancestors.attribute.labels.value UDM field.

    Else, the resource.folders.resourceFolderDisplayName log field is mapped to the target.resource.attribute.labels.value UDM field.
    resource.gcpMetadata.folders.resourceFolder src.resource_ancestors.name If the category log field value is equal to Exfiltration: BigQuery Data to Google Drive, then the resource.gcpMetadata.folders.resourceFolder log field is mapped to the src.resource_ancestors.name UDM field.

    Else, the resource.gcpMetadata.folders.resourceFolder log field is mapped to the target.resource_ancestors.name UDM field.
    resource.gcpMetadata.folders.resourceFolderDisplay src.resource_ancestors.attribute.labels.key/value [resource_folders_resourceFolderDisplayName] If the category log field value is equal to Exfiltration: BigQuery Data to Google Drive, then the resource.gcpMetadata.folders.resourceFolderDisplay log field is mapped to the src.resource_ancestors.attribute.labels.value UDM field.

    Else, the resource.gcpMetadata.folders.resourceFolderDisplay log field is mapped to the target.resource.attribute.labels.value UDM field.
    resource.gcpMetadata.organization src.resource_ancestors.name If the category log field value is equal to Exfiltration: BigQuery Data to Google Drive, then the resource.gcpMetadata.organization log field is mapped to the src.resource_ancestors.name UDM field.

    Else, the resource.gcpMetadata.organization log field is mapped to the target.resource_ancestors.name UDM field.
    resource.gcpMetadata.parent src.resource_ancestors.attribute.labels.key/value [resource_parentName] If the category log field value is equal to Exfiltration: BigQuery Data to Google Drive, then the resource.gcpMetadata.parent log field is mapped to the src.resource_ancestors.attribute.labels.key/value UDM field.

    Else, the resource.gcpMetadata.parent log field is mapped to the target.resource.attribute.labels.value UDM field.
    resource.gcpMetadata.parentDisplayName src.resource_ancestors.attribute.labels.key/value [resource_parentDisplayName] If the category log field value is equal to Exfiltration: BigQuery Data to Google Drive, then the resource.gcpMetadata.parentDisplayName log field is mapped to the src.resource_ancestors.attribute.labels.key/value UDM field.

    Else, the resource.gcpMetadata.parentDisplayName log field is mapped to the target.resource.attribute.labels.value UDM field.
    resource.gcpMetadata.project principal.resource.name
    resource.gcpMetadata.projectDisplayName src.resource_ancestors.attribute.labels.key/value [resource_projectDisplayName] If the category log field value is equal to Exfiltration: BigQuery Data to Google Drive, then the resource.gcpMetadata.projectDisplayName log field is mapped to the src.resource_ancestors.attribute.labels.key/value UDM field.

    Else, the resource.gcpMetadata.projectDisplayName log field is mapped to the target.resource.attribute.labels.value UDM field.
    resource.organization src.resource_ancestors.name If the category log field value is equal to Exfiltration: BigQuery Data to Google Drive, then the resource.organization log field is mapped to the src.resource_ancestors.name UDM field.

    Else, the resource.organization log field is mapped to the target.resource_ancestors.name UDM field.
    resource.parent target.resource.attribute.labels.key/value [resource_parent]
    resource.parentDisplayName src.resource_ancestors.attribute.labels.key/value [resource_parentDisplayName] If the category log field value is equal to Exfiltration: BigQuery Data to Google Drive, then the resource.parentDisplayName log field is mapped to the src.resource_ancestors.attribute.labels.key/value UDM field.

    Else, the resource.parentDisplayName log field is mapped to the target.resource.attribute.labels.value UDM field.
    resource.parentName src.resource_ancestors.attribute.labels.key/value [resource_parentName] If the category log field value is equal to Exfiltration: BigQuery Data to Google Drive, then the resource.parentName log field is mapped to the src.resource_ancestors.attribute.labels.key/value UDM field.

    Else, the resource.parentName log field is mapped to the target.resource.attribute.labels.value UDM field.
    resource.project target.resource.attribute.labels.key/value [resource_project]
    resource.projectDisplayName src.resource_ancestors.attribute.labels.key/value [resource_projectDisplayName] If the category log field value is equal to Exfiltration: BigQuery Data to Google Drive, then the resource.projectDisplayName log field is mapped to the src.resource_ancestors.attribute.labels.key/value UDM field.

    Else, the resource.projectDisplayName log field is mapped to the target.resource.attribute.labels.value UDM field.
    resource.projectName principal.resource.name
    resource.type src.resource_ancestors.resource_subtype If the category log field value is equal to Exfiltration: BigQuery Data to Google Drive, then the resource.type log field is mapped to the src.resource_ancestors.resource_subtype UDM field.
    resourceName src.resource.name If the category log field value is equal to Exfiltration: BigQuery Data Extraction or Exfiltration: BigQuery Data to Google Drive or Exfiltration: BigQuery Data Exfiltration, then the resourceName log field is mapped to the src.resource.name UDM field.
    resourceName target.resource_ancestors.name If the category log field value is equal to Malware: Bad Domain or Malware: Bad IP or Malware: Cryptomining Bad IP, then the resourceName log field is mapped to the target.resource_ancestors.name UDM field.

    Else if, the category log field value is equal to Brute Force: SSH, then the resourceName log field is mapped to the target.resource_ancestors.name UDM field.

    Else if, the category log field value is equal to Persistence: GCE Admin Added SSH Key or Persistence: GCE Admin Added Startup Script, then the sourceProperties.properties.projectId log field is mapped to the target.resource_ancestors.name UDM field.
    resourceName / exfiltration.targets.name target.resource.name If the category log field value is equal to Brute Force: SSH, then the resourceName log field is mapped to the target.resource_ancestors.name UDM field.

    Else if, the category log field value is equal to Malware: Bad Domain or Malware: Bad IP or Malware: Cryptomining Bad IP, then the resourceName log field is mapped to the target.resource_ancestors.name UDM field and the target.resource.resource_type UDM field is set to VIRTUAL_MACHINE.

    Else if, the category log field value is equal to Exfiltration: BigQuery Data Extraction or Exfiltration: BigQuery Data to Google Drive or Exfiltration: BigQuery Data Exfiltration, then the exfiltration.targets.name log field is mapped to the target.resource.name UDM field.

    Else, the resourceName log field is mapped to the target.resource.name UDM field.
    vulnerability.securityBulletin.submissionTime security_result.detection_fields.key/value [vulnerability_securityBulletin_submissionTime]
    vulnerability.securityBulletin.suggestedUpgradeVersion security_result.detection_fields.key/value [vulnerability_securityBulletin_suggestedUpgradeVersion]
    securityMarks.canonicalName security_result.detection_fields.key/value [securityMarks_cannonicleName]
    securityMarks.marks security_result.detection_fields.key/value [securityMarks_marks]
    securityMarks.name security_result.detection_fields.key/value [securityMarks_name]
    severity security_result.severity
    sourceProperties.action_taken principal.labels [action_taken] (deprecated) If the category log field value is equal to account_has_leaked_credentials, then the sourceProperties.action_taken log field is mapped to principal.labels.value UDM field.
    sourceProperties.action_taken additional.fields [action_taken] If the category log field value is equal to account_has_leaked_credentials, then the sourceProperties.action_taken log field is mapped to additional.fields.value UDM field.
    sourceProperties.affectedResources.gcpResourceName target.resource_ancestors.name
    sourceProperties.compromised_account principal.user.userid If the category log field value is equal to account_has_leaked_credentials, then the sourceProperties.compromised_account log field is mapped to principal.user.userid UDM field and the principal.user.account_type UDM field is set to SERVICE_ACCOUNT_TYPE.
    sourceProperties.contextUris.cloudLoggingQueryUri.url security_result.detection_fields.key/value[sourceProperties_contextUris_cloudLoggingQueryUri_url]
    sourceProperties.contextUris.mitreUri.url/displayName security_result.detection_fields.key/value [sourceProperties.contextUris.mitreUri.url/displayName]
    sourceProperties.contextUris.relatedFindingUri.url/displayName metadata.url_back_to_product If the category log field value is equal to Active Scan: Log4j Vulnerable to RCE or Exfiltration: BigQuery Data Extraction or Exfiltration: BigQuery Data to Google Drive or Exfiltration: CloudSQL Data Exfiltration or Exfiltration: CloudSQL Over-Privileged Grant or Exfiltration: CloudSQL Restore Backup to External Organization or Initial Access: Log4j Compromise Attempt or Malware: Cryptomining Bad Domain or Malware: Cryptomining Bad IP or Persistence: IAM Anomalous Grant, then the security_result.detection_fields.key UDM field is set to sourceProperties_contextUris_relatedFindingUri_url and the sourceProperties.contextUris.relatedFindingUri.url log field is mapped to the metadata.url_back_to_product UDM field.
    sourceProperties.contextUris.virustotalIndicatorQueryUri.url/displayName security_result.detection_fields.key/value [sourceProperties.contextUris.virustotalIndicatorQueryUri.url/displayName] If the category log field value is equal to Malware: Bad Domain or Malware: Bad IP or Malware: Cryptomining Bad Domain or Malware: Cryptomining Bad IP, then the sourceProperties.contextUris.virustotalIndicatorQueryUri.displayName log field is mapped to the security_result.detection_fields.key UDM field and the sourceProperties.contextUris.virustotalIndicatorQueryUri.url log field is mapped to the security_result.detection_fields.value UDM field.
    sourceProperties.contextUris.workspacesUri.url/displayName security_result.detection_fields.key/value [sourceProperties.contextUris.workspacesUri.url/displayName] If the category log field value is equal to Initial Access: Account Disabled Hijacked or Initial Access: Disabled Password Leak or Initial Access: Government Based Attack or Initial Access: Suspicious Login Blocked or Impair Defenses: Strong Authentication Disabled or Persistence: SSO Enablement Toggle or Persistence: SSO Settings Changed, then the sourceProperties.contextUris.workspacesUri.displayName log field is mapped to the security_result.detection_fields.key UDM field and the sourceProperties.contextUris.workspacesUri.url log field is mapped to the security_result.detection_fields.value UDM field.
    sourceProperties.detectionCategory.indicator security_result.detection_fields.key/value [sourceProperties_detectionCategory_indicator]
    sourceProperties.detectionCategory.ruleName security_result.rule_name
    sourceProperties.detectionCategory.subRuleName security_result.rule_labels.key/value [sourceProperties_detectionCategory_subRuleName]
    sourceProperties.detectionCategory.technique security_result.detection_fields.key/value [sourceProperties_detectionCategory_technique]
    sourceProperties.detectionPriority security_result.priority If the sourceProperties.detectionPriority log field value is equal to HIGH, then the security_result.priority UDM field is set to HIGH_PRIORITY.

    Else if, the sourceProperties.detectionPriority log field value is equal to MEDIUM, then the security_result.priority UDM field is set to MEDIUM_PRIORITY.

    Else if, the sourceProperties.detectionPriority log field value is equal to LOW, then the security_result.priority UDM field is set to LOW_PRIORITY.
    sourceProperties.evidence.sourceLogId.insertId metadata.product_log_id If the canonicalName log field value is not empty, then finding_id is extracted from the canonicalName log field using a Grok pattern.

    If the canonicalName log field value is empty, or no finding_id could be extracted from it, then the sourceProperties.evidence.sourceLogId.insertId log field is mapped to the metadata.product_log_id UDM field.
    sourceProperties.finding_type principal.labels [finding_type] (deprecated) If the category log field value is equal to account_has_leaked_credentials, then the sourceProperties.finding_type log field is mapped to principal.labels.value UDM field.
    sourceProperties.finding_type additional.fields [finding_type] If the category log field value is equal to account_has_leaked_credentials, then the sourceProperties.finding_type log field is mapped to additional.fields.value UDM field.
    sourceProperties.findingId metadata.product_log_id
    sourceProperties.Header_Signature.significantValues.attackLikelihood security_result.detection_fields [attackLikelihood]
    sourceProperties.Header_Signature.significantValues.matchType security_result.detection_fields [matchType]
    sourceProperties.Header_Signature.significantValues.proportionInAttack security_result.detection_fields [proportionInAttack]
    sourceProperties.Header_Signature.significantValues.proportionInBaseline security_result.detection_fields [proportionInBaseline]
    sourceProperties.Header_Signature.significantValues.value principal.location.country_or_region If the sourceProperties.Header_Signature.name log field value is equal to RegionCode, then the sourceProperties.Header_Signature.significantValues.value log field is mapped to principal.location.country_or_region UDM field.
    sourceProperties.Header_Signature.significantValues.value principal.ip If the sourceProperties.Header_Signature.name log field value is equal to RemoteHost, then the sourceProperties.Header_Signature.significantValues.value log field is mapped to principal.ip UDM field.
    sourceProperties.Header_Signature.significantValues.value network.http.user_agent If the sourceProperties.Header_Signature.name log field value is equal to UserAgent, then the sourceProperties.Header_Signature.significantValues.value log field is mapped to network.http.user_agent UDM field.
    sourceProperties.Header_Signature.significantValues.value principal.url If the sourceProperties.Header_Signature.name log field value is equal to RequestUriPath, then the sourceProperties.Header_Signature.significantValues.value log field is mapped to principal.url UDM field.
    sourceProperties.private_key_identifier principal.user.attribute.labels.key/value [private_key_identifier] If the category log field value is equal to account_has_leaked_credentials, then the sourceProperties.private_key_identifier log field is mapped to principal.user.attribute.labels.value UDM field.
    sourceProperties.project_identifier principal.resource.product_object_id If the category log field value is equal to account_has_leaked_credentials, then the sourceProperties.project_identifier log field is mapped to principal.resource.product_object_id UDM field.
    sourceProperties.properties.zone target.resource.attribute.cloud.availability_zone If the category log field value is equal to Brute Force: SSH, then the sourceProperties.properties.zone log field is mapped to the target.resource.attribute.cloud.availability_zone UDM field.
    sourceProperties.security_result.summary security_result.summary If the category log field value is equal to account_has_leaked_credentials, then the sourceProperties.security_result.summary log field is mapped to security_result.summary UDM field.
    sourceProperties.sourceId.customerOrganizationNumber principal.resource.attribute.labels.key/value [sourceProperties_sourceId_customerOrganizationNumber] If the message log field value matches the regular expression sourceProperties.sourceId.*?customerOrganizationNumber, then the sourceProperties.sourceId.customerOrganizationNumber log field is mapped to the principal.resource.attribute.labels.value UDM field.
    sourceProperties.sourceId.customerOrganizationNumber target.resource_ancestors.product_object_id
    sourceProperties.sourceId.organizationNumber target.resource_ancestors.product_object_id
    sourceProperties.sourceId.projectNumber target.resource_ancestors.product_object_id
    sourceProperties.url principal.user.attribute.labels.key/value [key_file_path] If the category log field value is equal to account_has_leaked_credentials, then the sourceProperties.url log field is mapped to principal.user.attribute.labels.value UDM field.
    resource.location target.location.name
    kubernetes.objects.kind target.resource_ancestors.attribute.labels.key/value [kubernetes_object_kind]
    kubernetes.objects.name target.resource_ancestors.name
    vulnerability.cve.cvssv3.attackComplexity extensions.vulns.vulnerabilities.about.labels [vulnerability_cve_cvssv3_attackComplexity] (deprecated)
    vulnerability.cve.cvssv3.attackComplexity additional.fields [vulnerability_cve_cvssv3_attackComplexity]
    vulnerability.cve.cvssv3.attackVector extensions.vulns.vulnerabilities.cvss_vector
    vulnerability.cve.cvssv3.availabilityImpact extensions.vulns.vulnerabilities.about.labels [vulnerability_cve_cvssv3_availabilityImpact] (deprecated)
    vulnerability.cve.cvssv3.availabilityImpact additional.fields [vulnerability_cve_cvssv3_availabilityImpact]
    vulnerability.cve.cvssv3.baseScore extensions.vulns.vulnerabilities.cvss_base_score
    vulnerability.cve.cvssv3.confidentialityImpact extensions.vulns.vulnerabilities.about.labels [vulnerability_cve_cvssv3_confidentialityImpact] (deprecated)
    vulnerability.cve.cvssv3.confidentialityImpact additional.fields [vulnerability_cve_cvssv3_confidentialityImpact]
    vulnerability.cve.cvssv3.integrityImpact extensions.vulns.vulnerabilities.about.labels [vulnerability_cve_cvssv3_integrityImpact] (deprecated)
    vulnerability.cve.cvssv3.integrityImpact additional.fields [vulnerability_cve_cvssv3_integrityImpact]
    vulnerability.cve.cvssv3.privilegesRequired extensions.vulns.vulnerabilities.about.labels [vulnerability_cve_cvssv3_privilegesRequired] (deprecated)
    vulnerability.cve.cvssv3.privilegesRequired additional.fields [vulnerability_cve_cvssv3_privilegesRequired]
    vulnerability.cve.cvssv3.scope extensions.vulns.vulnerabilities.about.labels [vulnerability_cve_cvssv3_scope] (deprecated)
    vulnerability.cve.cvssv3.scope additional.fields [vulnerability_cve_cvssv3_scope]
    vulnerability.cve.cvssv3.userInteraction extensions.vulns.vulnerabilities.about.labels [vulnerability_cve_cvssv3_userInteraction] (deprecated)
    vulnerability.cve.cvssv3.userInteraction additional.fields [vulnerability_cve_cvssv3_userInteraction]
    vulnerability.cve.exploitationActivity extensions.vulns.vulnerabilities.about.security_result.detection_fields[vulnerability_cve_exploitation_activity]
    vulnerability.cve.id extensions.vulns.vulnerabilities.cve_id
    vulnerability.cve.impact extensions.vulns.vulnerabilities.about.security_result.detection_fields[vulnerability_cve_impact]
    vulnerability.cve.references.source extensions.vulns.vulnerabilities.about.labels [vulnerability_cve_references_source] (deprecated)
    vulnerability.cve.references.source additional.fields [vulnerability_cve_references_source]
    vulnerability.cve.references.uri extensions.vulns.vulnerabilities.about.labels [vulnerability.cve.references.uri] (deprecated)
    vulnerability.cve.references.uri additional.fields [vulnerability.cve.references.uri]
    vulnerability.cve.upstreamFixAvailable extensions.vulns.vulnerabilities.about.labels [vulnerability_cve_upstreamFixAvailable] (deprecated)
    vulnerability.cve.upstreamFixAvailable additional.fields [vulnerability_cve_upstreamFixAvailable]
    workflowState security_result.about.investigation.status
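The category-dependent rules in this table decide whether a finding's resource lands on the src or the target side of the UDM event, and that placement is what a detection rule or a UDM search has to match on: a search on target.resource.name will not find the BigQuery dataset of an exfiltration finding, because the parser puts it in src.resource.name. The following Python is an added illustration, not Google SecOps parser code. It applies a subset of the rules above (resource.displayName, resourceName, sourceProperties.properties.zone, sourceProperties.detectionPriority, and the canonicalName/insertId fallback for metadata.product_log_id) to constructed sample findings. The regular expression used to pull finding_id out of canonicalName is an assumption based on the `.../sources/<id>/findings/<finding_id>` resource-name shape (the page only says a Grok pattern is used), and because the page does not state where an extracted finding_id is stored, keeping it in metadata.product_log_id is also an assumption.

```python
import re

# Category sets copied from the mapping rules in the table above.
EXFIL_SRC_CATEGORIES = {
    "Exfiltration: BigQuery Data Exfiltration",
    "Exfiltration: BigQuery Data to Google Drive",
}
EXFIL_CATEGORIES = EXFIL_SRC_CATEGORIES | {"Exfiltration: BigQuery Data Extraction"}
MALWARE_VM_CATEGORIES = {"Malware: Bad Domain", "Malware: Bad IP", "Malware: Cryptomining Bad IP"}
PRIORITY_MAP = {"HIGH": "HIGH_PRIORITY", "MEDIUM": "MEDIUM_PRIORITY", "LOW": "LOW_PRIORITY"}

# Assumption: the page only says finding_id is extracted "using a Grok pattern";
# this regex relies on the .../sources/<id>/findings/<finding_id> canonicalName shape.
FINDING_ID_RE = re.compile(r"/findings/(?P<finding_id>[^/]+)$")


def _node(udm, parents):
    """Walk (creating) nested dicts for the parent segments of a dotted UDM path."""
    node = udm
    for part in parents:
        node = node.setdefault(part, {})
    return node


def _set(udm, path, value):
    """Assign value at a dotted UDM path such as target.resource.name."""
    *parents, leaf = path.split(".")
    _node(udm, parents)[leaf] = value


def _label(udm, path, key, value):
    """Append a {key, value} entry to a repeated labels field at a dotted path."""
    *parents, leaf = path.split(".")
    _node(udm, parents).setdefault(leaf, []).append({"key": key, "value": value})


def normalize(finding):
    """Apply a subset of the documented SCC -> UDM rules to one finding dict."""
    udm = {}
    category = finding.get("category", "")
    props = finding.get("sourceProperties", {})
    display_name = finding.get("resource", {}).get("displayName")
    resource_name = finding.get("resourceName")

    # resource.displayName: exfiltration findings describe the data source,
    # so the resource goes on the src side; everything else goes to target.
    if display_name is not None:
        side = "src" if category in EXFIL_SRC_CATEGORIES else "target"
        _label(udm, f"{side}.resource.attribute.labels", "resource_displayName", display_name)

    # resourceName: malware and SSH brute force treat it as an ancestor of the VM,
    # exfiltration puts it on src and takes the target from exfiltration.targets.name,
    # and the default is target.resource.name.
    if category in MALWARE_VM_CATEGORIES or category == "Brute Force: SSH":
        _set(udm, "target.resource_ancestors.name", resource_name)
        if category in MALWARE_VM_CATEGORIES:
            _set(udm, "target.resource.resource_type", "VIRTUAL_MACHINE")
    elif category in EXFIL_CATEGORIES:
        _set(udm, "src.resource.name", resource_name)
        targets = finding.get("exfiltration", {}).get("targets", [])
        if targets and targets[0].get("name"):
            _set(udm, "target.resource.name", targets[0]["name"])
    elif resource_name is not None:
        _set(udm, "target.resource.name", resource_name)

    # Brute Force: SSH also carries the VM zone.
    zone = props.get("properties", {}).get("zone")
    if category == "Brute Force: SSH" and zone:
        _set(udm, "target.resource.attribute.cloud.availability_zone", zone)

    # sourceProperties.detectionPriority -> security_result.priority enum.
    if props.get("detectionPriority") in PRIORITY_MAP:
        _set(udm, "security_result.priority", PRIORITY_MAP[props["detectionPriority"]])

    # metadata.product_log_id: sourceLogId.insertId is the fallback used only when
    # no finding_id could be extracted from canonicalName.
    match = FINDING_ID_RE.search(finding.get("canonicalName", ""))
    if match:
        _set(udm, "metadata.product_log_id", match.group("finding_id"))  # assumption, see lead-in
    else:
        insert_id = props.get("evidence", {}).get("sourceLogId", {}).get("insertId")
        if insert_id:
            _set(udm, "metadata.product_log_id", insert_id)
    return udm


# Constructed sample findings (not real SCC output) that exercise the branches above.
SAMPLE_FINDINGS = {
    "exfil": {
        "category": "Exfiltration: BigQuery Data to Google Drive",
        "canonicalName": "projects/123456789012/sources/5555/findings/abc123finding",
        "resourceName": "//bigquery.googleapis.com/projects/example-proj/datasets/analytics_dataset",
        "resource": {"displayName": "analytics_dataset"},
        "exfiltration": {"targets": [{"name": "//drive.googleapis.com/files/1AbCdEf"}]},
        "sourceProperties": {
            "detectionPriority": "HIGH",
            "evidence": {"sourceLogId": {"insertId": "log-insert-1"}},
        },
    },
    "ssh": {
        "category": "Brute Force: SSH",
        "canonicalName": "",
        "resourceName": "//compute.googleapis.com/projects/example-proj/zones/us-central1-a/instances/vm-1",
        "resource": {"displayName": "vm-1"},
        "sourceProperties": {
            "detectionPriority": "MEDIUM",
            "properties": {"zone": "us-central1-a"},
            "evidence": {"sourceLogId": {"insertId": "log-insert-2"}},
        },
    },
}

if __name__ == "__main__":
    for name, finding in SAMPLE_FINDINGS.items():
        print(name, normalize(finding))
```

Running the block prints the UDM dict for each sample: the exfiltration finding's dataset ends up under src.resource, with the Drive file in target.resource.name and the finding_id from canonicalName as product_log_id, while the SSH brute force finding's instance ends up in target.resource_ancestors.name with the zone attached to target.resource and the Cloud Logging insertId as product_log_id. The contrast between the two is exactly what a rule author has to account for when writing a YARA-L condition on resource names across finding categories.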
