Collect Security Command Center findings

This document describes how you can collect Security Command Center logs by configuring Security Command Center and ingesting findings to Google Security Operations. This document also lists the supported events.

For more information, see Data ingestion to Google Security Operations and Exporting Security Command Center findings to Google Security Operations. A typical deployment consists of Security Command Center and the Google Security Operations feed configured to send logs to Google Security Operations. Each customer deployment might differ and might be more complex.

The deployment contains the following components:

  • Google Cloud: The system to be monitored in which Security Command Center is installed.

  • Security Command Center Event Threat Detection Findings: Collects information from the data source and generates findings.

  • Google Security Operations: Retains and analyzes the logs from the Security Command Center.

An ingestion label identifies the parser that normalizes raw log data into the structured UDM format. The information in this document applies to the Security Command Center parser with the following ingestion labels:

  • GCP_SECURITYCENTER_ERROR

  • GCP_SECURITYCENTER_MISCONFIGURATION

  • GCP_SECURITYCENTER_OBSERVATION

  • GCP_SECURITYCENTER_THREAT

  • GCP_SECURITYCENTER_UNSPECIFIED

  • GCP_SECURITYCENTER_VULNERABILITY

  • GCP_SECURITYCENTER_POSTURE_VIOLATION

  • GCP_SECURITYCENTER_TOXIC_COMBINATION

Configure Security Command Center and Google Cloud to send findings to Google Security Operations

Supported Event Threat Detection findings

This section lists the supported Event Threat Detection findings. For information about the Security Command Center Event Threat Detection rules and findings, see Event Threat Detection rules.

| Finding name | Description |
|---|---|
| Active Scan: Log4j Vulnerable to RCE | Detects active Log4j vulnerabilities by identifying DNS queries for unobfuscated domains that were initiated by supported Log4j vulnerability scanners. |
| Brute Force: SSH | Detection of successful brute force of SSH on a host. |
| Credential Access: External Member Added To Privileged Group | Detects when an external member is added to a privileged Google Group (a group granted sensitive roles or permissions). A finding is generated only if the group doesn't already contain other external members from the same organization as the newly added member. To learn more, see Unsafe Google Group changes. |
| Credential Access: Privileged Group Opened To Public | Detects when a privileged Google Group (a group granted sensitive roles or permissions) is changed to be accessible to the general public. To learn more, see Unsafe Google Group changes. |
| Credential Access: Sensitive Role Granted To Hybrid Group | Detects when sensitive roles are granted to a Google Group with external members. To learn more, see Unsafe Google Group changes. |
| Defense Evasion: Modify VPC Service Control | Detects a change to an existing VPC Service Controls perimeter that would reduce the protection offered by that perimeter. |
| Discovery: Can get sensitive Kubernetes object check (Preview) | A malicious actor attempted to determine what sensitive objects in Google Kubernetes Engine (GKE) they can query for, by using the kubectl auth can-i get command. |
| Discovery: Service Account Self-Investigation | Detection of an Identity and Access Management (IAM) service account credential that is used to investigate the roles and permissions associated with that same service account. |
| Evasion: Access from Anonymizing Proxy | Detection of Google Cloud service modifications that originated from anonymous proxy IP addresses, like Tor IP addresses. |
| Exfiltration: BigQuery Data Exfiltration | Detects the following scenarios: (1) resources owned by the protected organization are saved outside of the organization, including copy or transfer operations; (2) attempts are made to access BigQuery resources that are protected by VPC Service Controls. |
| Exfiltration: BigQuery Data Extraction | Detects the following scenarios: (1) a BigQuery resource owned by the protected organization is saved, through extraction operations, to a Cloud Storage bucket outside the organization; (2) a BigQuery resource owned by the protected organization is saved, through extraction operations, to a publicly accessible Cloud Storage bucket owned by that organization. |
| Exfiltration: BigQuery Data to Google Drive | Detects when a BigQuery resource owned by the protected organization is saved, through extraction operations, to a Google Drive folder. |
| Exfiltration: Cloud SQL Data Exfiltration | Detects the following scenarios: (1) live instance data is exported to a Cloud Storage bucket outside of the organization; (2) live instance data is exported to a Cloud Storage bucket that is owned by the organization and is publicly accessible. |
| Exfiltration: Cloud SQL Restore Backup to External Organization | Detects when a Cloud SQL instance's backup is restored to an instance outside of the organization. |
| Exfiltration: Cloud SQL Over-Privileged Grant | Detects when a Cloud SQL Postgres user or role has been granted all privileges to a database or to all tables, procedures, or functions in a schema. |
| Impair Defenses: Strong Authentication Disabled | 2-step verification was disabled for the organization. |
| Impair Defenses: Two Step Verification Disabled | A user disabled 2-step verification. |
| Initial Access: Account Disabled Hijacked | A user's account was suspended due to suspicious activity. |
| Initial Access: Disabled Password Leak | A user's account is disabled because a password leak was detected. |
| Initial Access: Government Based Attack | Government-backed attackers might have tried to compromise a user account or computer. |
| Initial Access: Log4j Compromise Attempt | Detects Java Naming and Directory Interface (JNDI) lookups within headers or URL parameters. These lookups may indicate attempts at Log4Shell exploitation. These findings have low severity, because they only indicate a detection or exploit attempt, not a vulnerability or a compromise. |
| Initial Access: Suspicious Login Blocked | A suspicious login to a user's account was detected and blocked. |
| Log4j Malware: Bad Domain | Detection of Log4j exploit traffic based on a connection to, or a lookup of, a known domain used in Log4j attacks. |
| Log4j Malware: Bad IP | Detection of Log4j exploit traffic based on a connection to a known IP address used in Log4j attacks. |
| Malware: Bad Domain | Detection of malware based on a connection to, or a lookup of, a known bad domain. |
| Malware: Bad IP | Detection of malware based on a connection to a known bad IP address. |
| Malware: Cryptomining Bad Domain | Detection of cryptomining based on a connection to, or a lookup of, a known cryptocurrency mining domain. |
| Malware: Cryptomining Bad IP | Detection of cryptocurrency mining based on a connection to a known mining IP address. |
| Outgoing DoS | Detection of outgoing denial of service traffic. |
| Persistence: Compute Engine Admin Added SSH Key | Detection of a modification to the Compute Engine instance metadata SSH key value on an established instance (older than 1 week). |
| Persistence: Compute Engine Admin Added Startup Script | Detection of a modification to the Compute Engine instance metadata startup script value on an established instance (older than 1 week). |
| Persistence: IAM Anomalous Grant | Detection of privileges granted to IAM users and service accounts that are not members of the organization. This detector uses an organization's existing IAM policies as context. If a sensitive IAM grant to an external member occurs, and there are fewer than three existing IAM policies that are similar to it, this detector generates a finding. |
| Persistence: New API Method (Preview) | Detection of anomalous usage of Google Cloud services by IAM service accounts. |
| Persistence: New Geography | Detection of IAM user and service accounts accessing Google Cloud from anomalous locations, based on the geolocation of the requesting IP addresses. |
| Persistence: New User Agent | Detection of IAM service accounts accessing Google Cloud from anomalous or suspicious user agents. |
| Persistence: SSO Enablement Toggle | The Enable SSO (single sign-on) setting on the admin account was disabled. |
| Persistence: SSO Settings Changed | The SSO settings for the admin account were changed. |
| Privilege Escalation: Changes to sensitive Kubernetes RBAC objects (Preview) | To escalate privilege, a malicious actor attempted to modify cluster-admin ClusterRole and ClusterRoleBinding objects by using a PUT or PATCH request. |
| Privilege Escalation: Create Kubernetes CSR for master cert (Preview) | A potentially malicious actor created a Kubernetes master certificate signing request (CSR), which gives them cluster-admin access. |
| Privilege Escalation: Creation of sensitive Kubernetes bindings (Preview) | A malicious actor attempted to create new cluster-admin RoleBinding or ClusterRoleBinding objects to escalate their privilege. |
| Privilege Escalation: Get Kubernetes CSR with compromised bootstrap credentials (Preview) | A malicious actor queried for a certificate signing request (CSR), with the kubectl command, using compromised bootstrap credentials. |
| Privilege Escalation: Launch of privileged Kubernetes container (Preview) | A malicious actor created Pods containing privileged containers or containers with privilege escalation capabilities. A privileged container has the privileged field set to true. A container with privilege escalation capabilities has the allowPrivilegeEscalation field set to true. |
| Initial Access: Dormant Service Account Key Created | Detects events where a key is created for a dormant user-managed service account. In this context, a service account is considered dormant if it has been inactive for more than 180 days. |
| Process Tree | The detector checks the process tree of all running processes. If a process is a shell binary, the detector checks its parent process. If the parent process is a binary that should not spawn a shell process, the detector triggers a finding. |
| Unexpected Child Shell | The detector checks the process tree of all running processes. If a process is a shell binary, the detector checks its parent process. If the parent process is a binary that should not spawn a shell process, the detector triggers a finding. |
| Execution: Added Malicious Binary Executed | The detector looks for a binary being executed that was not part of the original container image, and was identified as malicious based on threat intelligence. |
| Execution: Modified Malicious Binary Executed | The detector looks for a binary being executed that was originally included in the container image but modified during run time, and was identified as malicious based on threat intelligence. |
| Privilege Escalation: Anomalous Multistep Service Account Delegation for Admin Activity | Detects when an anomalous multistep delegated request is found for an administrative activity. |
| Breakglass Account Used: break_glass_account | Detects the usage of an emergency access (breakglass) account. |
| Configurable Bad Domain: APT29_Domains | Detects a connection to a specified domain name. |
| Unexpected Role Grant: Forbidden roles | Detects when a specified role is granted to a user. |
| Configurable Bad IP | Detects a connection to a specified IP address. |
| Unexpected Compute Engine instance type | Detects the creation of Compute Engine instances that do not match a specified instance type or configuration. |
| Unexpected Compute Engine source image | Detects the creation of a Compute Engine instance with an image or image family that does not match a specified list. |
| Unexpected Compute Engine region | Detects the creation of a Compute Engine instance in a region that is not in a specified list. |
| Custom role with prohibited permission | Detects when a custom role with any of the specified IAM permissions is granted to a principal. |
| Unexpected Cloud API Call | Detects when a specified principal calls a specified method against a specified resource. A finding is generated only if all regular expressions are matched in a single log entry. |
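
The "all regular expressions matched in a single log entry" condition is the part of the Unexpected Cloud API Call module that detection engineers most often misread, so here is an added worked example (not code from Google or from this page) that models it over constructed Cloud Audit Log entries. The three field paths are the standard audit log fields for caller, method and resource; the way they map onto the module's own configuration keys, and the use of `re.search` rather than a full match, are assumptions, as are the rule name, sample principal and project names.

```python
import re
from dataclasses import dataclass
from typing import Iterable, Optional

# Standard Cloud Audit Log field paths carrying the three values a rule
# matches. Mapping them onto the module's configuration keys is an
# assumption made for this example, not something the page states.
FIELD_PATHS = {
    "caller": ("protoPayload", "authenticationInfo", "principalEmail"),
    "method": ("protoPayload", "methodName"),
    "resource": ("protoPayload", "resourceName"),
}


@dataclass(frozen=True)
class ApiCallRule:
    """Three regexes that must all match the same log entry.
    Anchoring (^, $) is left to the rule author; re.search semantics
    are assumed here for the module."""
    name: str
    caller: str
    method: str
    resource: str


def _field(entry: dict, path: tuple) -> Optional[str]:
    """Walk a nested dict and return the string at `path`, or None if absent."""
    cur = entry
    for key in path:
        if not isinstance(cur, dict) or key not in cur:
            return None
        cur = cur[key]
    return cur if isinstance(cur, str) else None


def entry_matches(rule: ApiCallRule, entry: dict) -> bool:
    """True only when caller, method and resource all match this one entry."""
    for field, path in FIELD_PATHS.items():
        value = _field(entry, path)
        if value is None or re.search(getattr(rule, field), value) is None:
            return False
    return True


def evaluate(rules: Iterable[ApiCallRule], entries: Iterable[dict]) -> list:
    """Return (rule name, insertId) for each entry satisfying a whole rule.
    Partial matches spread over several entries never combine into a finding."""
    findings = []
    for entry in entries:
        for rule in rules:
            if entry_matches(rule, entry):
                findings.append((rule.name, entry.get("insertId")))
    return findings


# Constructed sample rule (hypothetical name and project) and log entries.
RULES = [
    ApiCallRule(
        name="deploy-sa-sets-iam-policy",
        caller=r"^deploy-sa@example-project\.iam\.gserviceaccount\.com$",
        method=r"SetIamPolicy$",
        resource=r"^projects/example-project$",
    )
]


def _entry(insert_id: str, principal: str, method: str, resource: str) -> dict:
    """Build a minimal constructed audit log entry."""
    return {
        "insertId": insert_id,
        "protoPayload": {
            "authenticationInfo": {"principalEmail": principal},
            "methodName": method,
            "resourceName": resource,
        },
    }


SAMPLE_ENTRIES = [
    # all three regexes match -> finding
    _entry("entry-1", "deploy-sa@example-project.iam.gserviceaccount.com",
           "SetIamPolicy", "projects/example-project"),
    # caller and method match, resource does not -> no finding
    _entry("entry-2", "deploy-sa@example-project.iam.gserviceaccount.com",
           "SetIamPolicy", "projects/other-project"),
    # method and resource match, caller does not -> no finding
    _entry("entry-3", "alice@example.com",
           "SetIamPolicy", "projects/example-project"),
    # caller and resource match, method does not -> no finding
    _entry("entry-4", "deploy-sa@example-project.iam.gserviceaccount.com",
           "google.iam.admin.v1.CreateServiceAccountKey", "projects/example-project"),
]

if __name__ == "__main__":
    for name, insert_id in evaluate(RULES, SAMPLE_ENTRIES):
        print(f"finding: rule={name} logEntry={insert_id}")
```

Entries 2 to 4 each satisfy two of the three regexes, yet only entry 1 produces a finding: the module never stitches together partial matches from different log entries, so a rule that is too narrow on any one field silently misses the activity.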

Supported GCP_SECURITYCENTER_ERROR findings

You can find the UDM mapping in the Field mapping reference: ERROR table.

| Finding name | Description |
|---|---|
| VPC_SC_RESTRICTION | Security Health Analytics can't produce certain findings for a project. The project is protected by a service perimeter, and the Security Command Center service account doesn't have access to the perimeter. |
| MISCONFIGURED_CLOUD_LOGGING_EXPORT | The project configured for continuous export to Cloud Logging is unavailable. Security Command Center can't send findings to Logging. |
| API_DISABLED | A required API is disabled for the project. The disabled service can't send findings to Security Command Center. |
| KTD_IMAGE_PULL_FAILURE | Container Threat Detection can't be enabled on the cluster because a required container image can't be pulled (downloaded) from gcr.io, the Container Registry image host. The image is needed to deploy the Container Threat Detection DaemonSet that Container Threat Detection requires. |
| KTD_BLOCKED_BY_ADMISSION_CONTROLLER | Container Threat Detection can't be enabled on a Kubernetes cluster. A third-party admission controller is preventing the deployment of a Kubernetes DaemonSet object that Container Threat Detection requires. When viewed in the Google Cloud console, the finding details include the error message that was returned by Google Kubernetes Engine when Container Threat Detection attempted to deploy a Container Threat Detection DaemonSet object. |
| KTD_SERVICE_ACCOUNT_MISSING_PERMISSIONS | A service account is missing permissions that Container Threat Detection requires. Container Threat Detection could stop functioning properly because the detection instrumentation cannot be enabled, upgraded, or disabled. |
| GKE_SERVICE_ACCOUNT_MISSING_PERMISSIONS | Container Threat Detection can't generate findings for a Google Kubernetes Engine cluster, because the GKE default service account on the cluster is missing permissions. This prevents Container Threat Detection from being successfully enabled on the cluster. |
| SCC_SERVICE_ACCOUNT_MISSING_PERMISSIONS | The Security Command Center service account is missing permissions required to function properly. No findings are produced. |

Supported GCP_SECURITYCENTER_OBSERVATION findings

You can find the UDM mapping in the Field mapping reference: OBSERVATION table.

| Finding name | Description |
|---|---|
| Persistence: Project SSH Key Added | A project-level SSH key was created in a project, for a project that is more than 10 days old. |
| Persistence: Add Sensitive Role | A sensitive or highly-privileged organization-level IAM role was granted in an organization that is more than 10 days old. |

Supported GCP_SECURITYCENTER_UNSPECIFIED findings

You can find the UDM mapping in the Field mapping reference: UNSPECIFIED table.

| Finding name | Description |
|---|---|
| OPEN_FIREWALL | A firewall is configured to be open to public access. |

Supported GCP_SECURITYCENTER_VULNERABILITY findings

You can find the UDM mapping in the Field mapping reference: VULNERABILITY table.

Finding name Description
DISK_CSEK_DISABLED Disks on this VM are not encrypted with Customer Supplied Encryption Keys (CSEK). This detector requires additional configuration to enable. For instructions, see Special-case detector.
ALPHA_CLUSTER_ENABLED Alpha cluster features are enabled for a GKE cluster.
AUTO_REPAIR_DISABLED A GKE cluster's auto repair feature, which keeps nodes in a healthy, running state, is disabled.
AUTO_UPGRADE_DISABLED A GKE cluster's auto upgrade feature, which keeps clusters and node pools on the latest stable version of Kubernetes, is disabled.
CLUSTER_SHIELDED_NODES_DISABLED Shielded GKE nodes are not enabled for a cluster
COS_NOT_USED Compute Engine VMs aren't using the Container-Optimized OS that is designed for running Docker containers on Google Cloud securely.
INTEGRITY_MONITORING_DISABLED Integrity monitoring is disabled for a GKE cluster.
IP_ALIAS_DISABLED A GKE cluster was created with alias IP ranges disabled.
LEGACY_METADATA_ENABLED Legacy metadata is enabled on GKE clusters.
RELEASE_CHANNEL_DISABLED A GKE cluster is not subscribed to a release channel.
DATAPROC_IMAGE_OUTDATED A Dataproc cluster was created with a Dataproc image version that is impacted by security vulnerabilities in the Apache Log4j 2 utility (CVE-2021-44228 and CVE-2021-45046).
PUBLIC_DATASET A dataset is configured to be open to public access.
DNSSEC_DISABLED DNSSEC is disabled for Cloud DNS zones.
RSASHA1_FOR_SIGNING RSASHA1 is used for key signing in Cloud DNS zones.
REDIS_ROLE_USED_ON_ORG A Redis IAM role is assigned at the organization or folder level.
KMS_PUBLIC_KEY A Cloud KMS cryptographic key is publicly accessible.
SQL_CONTAINED_DATABASE_AUTHENTICATION The contained database authentication database flag for a Cloud SQL for SQL Server instance is not set to off.
SQL_CROSS_DB_OWNERSHIP_CHAINING The cross_db_ownership_chaining database flag for a Cloud SQL for SQL Server instance is not set to off.
SQL_EXTERNAL_SCRIPTS_ENABLED The external scripts enabled database flag for a Cloud SQL for SQL Server instance is not set to off.
SQL_LOCAL_INFILE The local_infile database flag for a Cloud SQL for MySQL instance is not set to off.
SQL_LOG_ERROR_VERBOSITY The log_error_verbosity database flag for a Cloud SQL for PostgreSQL instance is not set to default or stricter.
SQL_LOG_MIN_DURATION_STATEMENT_ENABLED The log_min_duration_statement database flag for a Cloud SQL for PostgreSQL instance is not set to "-1".
SQL_LOG_MIN_ERROR_STATEMENT The log_min_error_statement database flag for a Cloud SQL for PostgreSQL instance is not set appropriately.
SQL_LOG_MIN_ERROR_STATEMENT_SEVERITY The log_min_error_statement database flag for a Cloud SQL for PostgreSQL instance does not have an appropriate severity level.
SQL_LOG_MIN_MESSAGES The log_min_messages database flag for a Cloud SQL for PostgreSQL instance is not set to warning.
SQL_LOG_EXECUTOR_STATS_ENABLED The log_executor_status database flag for a Cloud SQL for PostgreSQL instance is not set to off.
SQL_LOG_HOSTNAME_ENABLED The log_hostname database flag for a Cloud SQL for PostgreSQL instance is not set to off.
SQL_LOG_PARSER_STATS_ENABLED The log_parser_stats database flag for a Cloud SQL for PostgreSQL instance is not set to off.
SQL_LOG_PLANNER_STATS_ENABLED The log_planner_stats database flag for a Cloud SQL for PostgreSQL instance is not set to off.
SQL_LOG_STATEMENT_STATS_ENABLED The log_statement_stats database flag for a Cloud SQL for PostgreSQL instance is not set to off.
SQL_LOG_TEMP_FILES The log_temp_files database flag for a Cloud SQL for PostgreSQL instance is not set to "0".
SQL_REMOTE_ACCESS_ENABLED The remote access database flag for a Cloud SQL for SQL Server instance is not set to off.
SQL_SKIP_SHOW_DATABASE_DISABLED The skip_show_database database flag for a Cloud SQL for MySQL instance is not set to on.
SQL_TRACE_FLAG_3625 The 3625 (trace flag) database flag for a Cloud SQL for SQL Server instance is not set to on.
SQL_USER_CONNECTIONS_CONFIGURED The user connections database flag for a Cloud SQL for SQL Server instance is configured.
SQL_USER_OPTIONS_CONFIGURED The user options database flag for a Cloud SQL for SQL Server instance is configured.
SQL_WEAK_ROOT_PASSWORD A Cloud SQL database has a weak password configured for the root account. This detector requires additional configuration to enable. For instructions, see Enable and disable detectors.
PUBLIC_LOG_BUCKET A storage bucket used as a log sink is publicly accessible.
ACCESSIBLE_GIT_REPOSITORY A Git repository is exposed publicly. To resolve this finding, remove unintentional public access to the GIT repository.
ACCESSIBLE_SVN_REPOSITORY An SVN repository is exposed publicly. To resolve this finding, remove public unintentional access to the SVN repository.
CACHEABLE_PASSWORD_INPUT Passwords entered on the web application can be cached in a regular browser cache instead of a secure password storage.
CLEAR_TEXT_PASSWORD Passwords are being transmitted in clear text and can be intercepted. To resolve this finding, encrypt the password transmitted over the network.
INSECURE_ALLOW_ORIGIN_ENDS_WITH_VALIDATION A cross-site HTTP or HTTPS endpoint validates only a suffix of the Origin request header before reflecting it inside the Access-Control-Allow-Origin response header. To resolve this finding, validate that the expected root domain is part of the Origin header value before reflecting it in the Access-Control-Allow-Origin response header. For subdomain wildcards, prepend the dot to the root domain—for example, .endsWith("".google.com"").
INSECURE_ALLOW_ORIGIN_STARTS_WITH_VALIDATION A cross-site HTTP or HTTPS endpoint validates only a prefix of the Origin request header before reflecting it inside the Access-Control-Allow-Origin response header. To resolve this finding, validate that the expected domain fully matches the Origin header value before reflecting it in the Access-Control-Allow-Origin response header—for example, .equals("".google.com"").
INVALID_CONTENT_TYPE A resource was loaded that doesn't match the response's Content-Type HTTP header. To resolve this finding, set X-Content-Type-Options HTTP header with the correct value.
INVALID_HEADER A security header has a syntax error and is ignored by browsers. To resolve this finding, set HTTP security headers correctly.
MISMATCHING_SECURITY_HEADER_VALUES A security header has duplicated, mismatching values, which result in undefined behavior. To resolve this finding, set HTTP security headers correctly.
MISSPELLED_SECURITY_HEADER_NAME A security header is misspelled and is ignored. To resolve this finding, set HTTP security headers correctly.
MIXED_CONTENT Resources are being served over HTTP on an HTTPS page. To resolve this finding, make sure that all resources are served over HTTPS.
OUTDATED_LIBRARY A library was detected that has known vulnerabilities. To resolve this finding, upgrade libraries to a newer version.
SERVER_SIDE_REQUEST_FORGERY A server-side request forgery (SSRF) vulnerability was detected. To resolve this finding, use an allowlist to limit the domains and IP addresses that the web application can make requests to.
SESSION_ID_LEAK When making a cross-domain request, the web application includes the user's session identifier in its Referer request header. This vulnerability gives the receiving domain access to the session identifier, which can be used to impersonate or uniquely identify the user.
SQL_INJECTION A potential SQL injection vulnerability was detected. To resolve this finding, use parameterized queries to prevent user inputs from influencing the structure of the SQL query.
STRUTS_INSECURE_DESERIALIZATION The use of a vulnerable version of Apache Struts was detected. To resolve this finding, upgrade Apache Struts to the latest version.
XSS A field in this web application is vulnerable to a cross-site scripting (XSS) attack. To resolve this finding, validate and escape untrusted user-supplied data.
XSS_ANGULAR_CALLBACK A user-provided string isn't escaped and AngularJS can interpolate it. To resolve this finding, validate and escape untrusted user-supplied data handled by Angular framework.
XSS_ERROR A field in this web application is vulnerable to a cross-site scripting attack. To resolve this finding, validate and escape untrusted user-supplied data.
XXE_REFLECTED_FILE_LEAKAGE An XML External Entity (XXE) vulnerability was detected. This vulnerability can cause the web application to leak a file on the host. To resolve this finding, configure your XML parsers to disallow external entities.
BASIC_AUTHENTICATION_ENABLED IAM or client certificate authentication should be enabled on Kubernetes Clusters.
CLIENT_CERT_AUTHENTICATION_DISABLED Kubernetes Clusters should be created with Client Certificate enabled.
LABELS_NOT_USED Labels can be used to break down billing information.
PUBLIC_STORAGE_OBJECT Storage object ACL should not grant access to allUsers.
SQL_BROAD_ROOT_LOGIN Root access to a SQL database should be limited to allowlisted trusted IPs.
WEAK_CREDENTIALS This detector checks for weak credentials using ncrack brute force methods.

Supported services: SSH, RDP, FTP, WordPress, TELNET, POP3, IMAP, VCS, SMB, SMB2, VNC, SIP, REDIS, PSQL, MYSQL, MSSQL, MQTT, MONGODB, WINRM, DICOM

ELASTICSEARCH_API_EXPOSED The Elasticsearch API lets callers perform arbitrary queries, write and execute scripts, and add additional documents to the service.
EXPOSED_GRAFANA_ENDPOINT In Grafana 8.0.0 to 8.3.0, users can access without authentication an endpoint that has a directory traversal vulnerability that allows any user to read any file on the server without authentication. For more information, see CVE-2021-43798.
EXPOSED_METABASE Versions x.40.0 to x.40.4 of Metabase, an open source data analytics platform, contain a vulnerability in the custom GeoJSON map support and potential local file inclusion, including environment variables. URLs were not validated prior to being loaded. For more information, see CVE-2021-41277.
EXPOSED_SPRING_BOOT_ACTUATOR_ENDPOINT This detector checks whether sensitive Actuator endpoints of Spring Boot applications are exposed. Some of the default endpoints, like /heapdump, might expose sensitive information. Other endpoints, like /env, might lead to remote code execution. Currently, only /heapdump is checked.
HADOOP_YARN_UNAUTHENTICATED_RESOURCE_MANAGER_API This detector checks whether the Hadoop Yarn ResourceManager API, which controls the computation and storage resources of a Hadoop cluster, is exposed and allows unauthenticated code execution.
JAVA_JMX_RMI_EXPOSED The Java Management Extension (JMX) allows remote monitoring and diagnostics for Java applications. Running JMX with unprotected Remote Method Invocation endpoint allows any remote users to create a javax.management.loading.MLet MBean and use it to create new MBeans from arbitrary URLs.
JUPYTER_NOTEBOOK_EXPOSED_UI This detector checks whether an unauthenticated Jupyter Notebook is exposed. Jupyter allows remote code execution by design on the host machine. An unauthenticated Jupyter Notebook puts the hosting VM at risk of remote code execution.
KUBERNETES_API_EXPOSED The Kubernetes API is exposed, and can be accessed by unauthenticated callers. This allows arbitrary code execution on the Kubernetes cluster.
UNFINISHED_WORDPRESS_INSTALLATION This detector checks whether a WordPress installation is unfinished. An unfinished WordPress installation exposes the /wp-admin/install.php page, which allows attacker to set the admin password and, possibly, compromise the system.
UNAUTHENTICATED_JENKINS_NEW_ITEM_CONSOLE This detector checks for an unauthenticated Jenkins instance by sending a probe ping to the /view/all/newJob endpoint as an anonymous visitor. An authenticated Jenkins instance shows the createItem form, which allows the creation of arbitrary jobs that could lead to remote code execution.
APACHE_HTTPD_RCE A flaw was found in Apache HTTP Server 2.4.49 that allows an attacker to use a path traversal attack to map URLs to files outside the expected document root and see the source of interpreted files, like CGI scripts. This issue is known to be exploited in the wild. This issue affects Apache 2.4.49 and 2.4.50 but not earlier versions. For more information about this vulnerability, see:

CVE record CVE-2021-41773

Apache HTTP Server 2.4 vulnerabilities

APACHE_HTTPD_SSRF Attackers can craft a URI to the Apache web server that causes mod_proxy to forward the request to an origin server that is chosen by the attacker. This issue affects Apache HTTP server 2.4.48 and earlier. For more information about this vulnerability, see:

CVE record CVE-2021-40438

Apache HTTP Server 2.4 vulnerabilities

CONSUL_RCE Attackers can execute arbitrary code on a Consul server because the Consul instance is configured with -enable-script-checks set to true and the Consul HTTP API is unsecured and accessible over the network. In Consul 0.9.0 and earlier, script checks are on by default. For more information, see Protecting Consul from RCE Risk in Specific Configurations. To check for this vulnerability, Rapid Vulnerability Detection registers a service on the Consul instance by using the /v1/health/service REST endpoint, which then executes one of the following: * A curl command to a remote server outside of the network. An attacker can use the curl command to exfiltrate data from the server. * A printf command. Rapid Vulnerability Detection then verifies the output of the command by using the /v1/health/service REST endpoint. * After the check, Rapid Vulnerability Detection cleans up and deregisters the service by using the /v1/agent/service/deregister/ REST endpoint.
DRUID_RCE Apache Druid includes the ability to execute user-provided JavaScript code embedded in various types of requests. This functionality is intended for use in high-trust environments, and is disabled by default. However, in Druid 0.20.0 and earlier, it is possible for an authenticated user to send a specially-crafted request that forces Druid to run user-provided JavaScript code for that request, regardless of server configuration. This can be leveraged to execute code on the target machine with the privileges of the Druid server process. For more information, see CVE-2021-25646 Detail.
DRUPAL_RCE

Drupal versions before 7.58, 8.x before 8.3.9, 8.4.x before 8.4.6, and 8.5.x before 8.5.1 are vulnerable to remote code execution on Form API AJAX requests.

Drupal versions 8.5.x before 8.5.11 and 8.6.x before 8.6.10 are vulnerable to remote code execution when either the RESTful Web Service module or the JSON:API is enabled. This vulnerability can be exploited by an unauthenticated attacker using a custom POST request.

FLINK_FILE_DISCLOSURE A vulnerability in Apache Flink versions 1.11.0, 1.11.1, and 1.11.2 lets attackers read any file on the local filesystem of the JobManager through the REST interface of the JobManager process. Access is restricted to files accessible by the JobManager process.
GITLAB_RCE In GitLab Community Edition (CE) and Enterprise Edition (EE) versions 11.9 and later, GitLab does not properly validate image files that are passed to a file parser. An attacker can exploit this vulnerability for remote command execution.
GoCD_RCE In GoCD 21.2.0 and earlier, there is an endpoint that can be accessed without authentication. This endpoint has a directory traversal vulnerability that allows a user to read any file on the server without authentication.
JENKINS_RCE Jenkins versions 2.56 and earlier, and 2.46.1 LTS and earlier are vulnerable to remote code execution. This vulnerability can be triggered by an unauthenticated attacker using a malicious serialized Java object.
JOOMLA_RCE

Joomla versions 1.5.x, 2.x, and 3.x before 3.4.6 are vulnerable to remote code execution. This vulnerability can be triggered with a crafted header containing serialized PHP objects.

Joomla versions 3.0.0 through 3.4.6 are vulnerable to remote code execution. This vulnerability can be triggered by sending a POST request that contains a crafted serialized PHP object.

LOG4J_RCE In Apache Log4j2 2.14.1 and earlier, JNDI features that are used in configurations, log messages, and parameters do not protect against attacker-controlled LDAP and other JNDI related endpoints. For more information, see CVE-2021-44228.
MANTISBT_PRIVILEGE_ESCALATION MantisBT through version 2.3.0 allows arbitrary password reset and unauthenticated admin access by supplying an empty confirm_hash value to verify.php.
OGNL_RCE Confluence Server and Data Center instances contain an OGNL injection vulnerability that allows an unauthenticated attacker to execute arbitrary code. For more information, see CVE-2021-26084.
OPENAM_RCE OpenAM server 14.6.2 and earlier and ForgeRock AM server 6.5.3 and earlier have a Java deserialization vulnerability in the jato.pageSession parameter on multiple pages. The exploitation does not require authentication, and remote code execution can be triggered by sending a single crafted /ccversion/* request to the server. The vulnerability exists due to the usage of Sun ONE Application. For more information, see CVE-2021-35464.
ORACLE_WEBLOGIC_RCE Certain versions of the Oracle WebLogic Server product of Oracle Fusion Middleware (component: Console) contain a vulnerability, including versions 10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0 and 14.1.1.0.0. This easily exploitable vulnerability allows an unauthenticated attacker with network access via HTTP to compromise an Oracle WebLogic Server. Successful attacks of this vulnerability can result in a takeover of Oracle WebLogic Server. For more information, see CVE-2020-14882.
PHPUNIT_RCE PHPUnit versions prior to 5.6.3 allow remote code execution with a single unauthenticated POST request.
PHP_CGI_RCE PHP versions before 5.3.12, and versions 5.4.x before 5.4.2, when configured as a CGI script, allow remote code execution. The vulnerable code does not properly handle query strings that lack an = (equals sign) character. This lets attackers add command line options that are executed on the server.
PORTAL_RCE Deserialization of untrusted data in Liferay Portal versions prior to 7.2.1 CE GA2 allows remote attackers to execute arbitrary code through JSON web services.
REDIS_RCE If a Redis instance does not require authentication to execute admin commands, attackers might be able to execute arbitrary code.
SOLR_FILE_EXPOSED Authentication is not enabled in Apache Solr, an open source search server. When Apache Solr does not require authentication, an attacker can directly craft a request to enable a specific configuration, and eventually implement a server-side request forgery (SSRF) or read arbitrary files.
SOLR_RCE Apache Solr versions 5.0.0 through Apache Solr 8.3.1 are vulnerable to remote code execution through the VelocityResponseWriter if params.resource.loader.enabled is set to true. This allows attackers to create a parameter that contains a malicious Velocity template.
STRUTS_RCE
  • Apache Struts versions before 2.3.32 and 2.5.x before 2.5.10.1 are vulnerable to remote code execution. The vulnerability can be triggered by an unauthenticated attacker providing a crafted Content-Type header.
  • The REST plugin in Apache Struts versions 2.1.1 through 2.3.x before 2.3.34 and 2.5.x before 2.5.13 is vulnerable to remote code execution when deserializing crafted XML payloads.
  • Apache Struts versions 2.3 to 2.3.34 and 2.5 to 2.5.16 are vulnerable to remote code execution when alwaysSelectFullNamespace is set to true and certain other action configurations exist.
TOMCAT_FILE_DISCLOSURE Apache Tomcat versions 9.x before 9.0.31, 8.x before 8.5.51, 7.x before 7.0.100, and all 6.x are vulnerable to source code and configuration disclosure through an exposed Apache JServ Protocol connector. In some cases, this is leveraged to perform remote code execution if file uploading is allowed.
VBULLETIN_RCE vBulletin servers running versions 5.0.0 up to 5.5.4 are vulnerable to remote code execution. This vulnerability can be exploited by an unauthenticated attacker using a query parameter in a routestring request.
VCENTER_RCE VMware vCenter Server versions 7.x before 7.0 U1c, 6.7 before 6.7 U3l and 6.5 before 6.5 U3n are vulnerable to remote code execution. This vulnerability can be triggered by an attacker uploading a crafted Java Server Pages file to a web-accessible directory, then triggering execution of that file.
WEBLOGIC_RCE Certain versions of the Oracle WebLogic Server product of Oracle Fusion Middleware (component: Console) contain a remote code execution vulnerability, including versions 10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0, and 14.1.1.0.0. This vulnerability is related to CVE-2020-14750, CVE-2020-14882, CVE-2020-14883. For more information, see CVE-2020-14883.
OS_VULNERABILITY VM Manager detected a vulnerability in the installed operating system (OS) package for a Compute Engine VM.
UNUSED_IAM_ROLE IAM recommender detected a user account that has an IAM role that has not been used in the last 90 days.
GKE_RUNTIME_OS_VULNERABILITY
GKE_SECURITY_BULLETIN
SERVICE_AGENT_ROLE_REPLACED_WITH_BASIC_ROLE IAM recommender detected that the original default IAM role granted to a service agent was replaced with one of the basic IAM roles: Owner, Editor, or Viewer. Basic roles are excessively permissive legacy roles and should not be granted to service agents.

Supported GCP_SECURITYCENTER_MISCONFIGURATION findings

You can find the UDM mapping in the Field mapping reference: MISCONFIGURATION table.

Finding name Description
API_KEY_APIS_UNRESTRICTED There are API keys being used too broadly. To resolve this, limit API key usage to allow only the APIs needed by the application.
API_KEY_APPS_UNRESTRICTED There are API keys being used in an unrestricted way, allowing use by any untrusted app.
API_KEY_EXISTS A project is using API keys instead of standard authentication.
API_KEY_NOT_ROTATED The API key hasn't been rotated for more than 90 days.
PUBLIC_COMPUTE_IMAGE A Compute Engine image is publicly accessible.
CONFIDENTIAL_COMPUTING_DISABLED Confidential Computing is disabled on a Compute Engine instance.
COMPUTE_PROJECT_WIDE_SSH_KEYS_ALLOWED Project-wide SSH keys are used, allowing login to all instances in the project.
COMPUTE_SECURE_BOOT_DISABLED This Shielded VM does not have Secure Boot enabled. Using Secure Boot helps protect virtual machine instances against advanced threats such as rootkits and bootkits.
DEFAULT_SERVICE_ACCOUNT_USED An instance is configured to use the default service account.
FULL_API_ACCESS An instance is configured to use the default service account with full access to all Google Cloud APIs.
OS_LOGIN_DISABLED OS Login is disabled on this instance.
PUBLIC_IP_ADDRESS An instance has a public IP address.
SHIELDED_VM_DISABLED Shielded VM is disabled on this instance.
COMPUTE_SERIAL_PORTS_ENABLED Serial ports are enabled for an instance, allowing connections to the instance's serial console.
DISK_CMEK_DISABLED Disks on this VM are not encrypted with customer-managed encryption keys (CMEK). This detector requires additional configuration to enable. For instructions, see Enable and disable detectors.
HTTP_LOAD_BALANCER An instance uses a load balancer that is configured to use a target HTTP proxy instead of a target HTTPS proxy.
IP_FORWARDING_ENABLED IP forwarding is enabled on instances.
WEAK_SSL_POLICY An instance has a weak SSL policy.
BINARY_AUTHORIZATION_DISABLED Binary Authorization is disabled on a GKE cluster.
CLUSTER_LOGGING_DISABLED Logging isn't enabled for a GKE cluster.
CLUSTER_MONITORING_DISABLED Monitoring is disabled on GKE clusters.
CLUSTER_PRIVATE_GOOGLE_ACCESS_DISABLED Cluster hosts are not configured to use only private, internal IP addresses to access Google APIs.
CLUSTER_SECRETS_ENCRYPTION_DISABLED Application-layer secrets encryption is disabled on a GKE cluster.
INTRANODE_VISIBILITY_DISABLED Intranode visibility is disabled for a GKE cluster.
MASTER_AUTHORIZED_NETWORKS_DISABLED Control Plane Authorized Networks is not enabled on GKE clusters.
NETWORK_POLICY_DISABLED Network policy is disabled on GKE clusters.
NODEPOOL_SECURE_BOOT_DISABLED Secure Boot is disabled for a GKE cluster.
OVER_PRIVILEGED_ACCOUNT A service account has overly broad project access in a cluster.
OVER_PRIVILEGED_SCOPES A node service account has broad access scopes.
POD_SECURITY_POLICY_DISABLED PodSecurityPolicy is disabled on a GKE cluster.
PRIVATE_CLUSTER_DISABLED A GKE cluster has a Private cluster disabled.
WORKLOAD_IDENTITY_DISABLED A GKE cluster is not subscribed to a release channel.
LEGACY_AUTHORIZATION_ENABLED Legacy Authorization is enabled on GKE clusters.
NODEPOOL_BOOT_CMEK_DISABLED Boot disks in this node pool are not encrypted with customer-managed encryption keys (CMEK). This detector requires additional configuration to enable. For instructions, see Enable and disable detectors.
WEB_UI_ENABLED The GKE web UI (dashboard) is enabled.
AUTO_REPAIR_DISABLED A GKE cluster's auto repair feature, which keeps nodes in a healthy, running state, is disabled.
AUTO_UPGRADE_DISABLED A GKE cluster's auto upgrade feature, which keeps clusters and node pools on the latest stable version of Kubernetes, is disabled.
CLUSTER_SHIELDED_NODES_DISABLED Shielded GKE nodes are not enabled for a cluster.
RELEASE_CHANNEL_DISABLED A GKE cluster is not subscribed to a release channel.
BIGQUERY_TABLE_CMEK_DISABLED A BigQuery table is not configured to use a customer-managed encryption key (CMEK). This detector requires additional configuration to enable.
DATASET_CMEK_DISABLED A BigQuery dataset is not configured to use a default CMEK. This detector requires additional configuration to enable.
EGRESS_DENY_RULE_NOT_SET An egress deny rule is not set on a firewall. Egress deny rules should be set to block unwanted outbound traffic.
FIREWALL_RULE_LOGGING_DISABLED Firewall rule logging is disabled. Firewall rule logging should be enabled so you can audit network access.
OPEN_CASSANDRA_PORT A firewall is configured to have an open Cassandra port that allows generic access.
OPEN_SMTP_PORT A firewall is configured to have an open SMTP port that allows generic access.
OPEN_REDIS_PORT A firewall is configured to have an open REDIS port that allows generic access.
OPEN_POSTGRESQL_PORT A firewall is configured to have an open PostgreSQL port that allows generic access.
OPEN_POP3_PORT A firewall is configured to have an open POP3 port that allows generic access.
OPEN_ORACLEDB_PORT A firewall is configured to have an open NETBIOS port that allows generic access.
OPEN_NETBIOS_PORT A firewall is configured to have an open NETBIOS port that allows generic access.
OPEN_MYSQL_PORT A firewall is configured to have an open MYSQL port that allows generic access.
OPEN_MONGODB_PORT A firewall is configured to have an open MONGODB port that allows generic access.
OPEN_MEMCACHED_PORT A firewall is configured to have an open MEMCACHED port that allows generic access.
OPEN_LDAP_PORT A firewall is configured to have an open LDAP port that allows generic access.
OPEN_FTP_PORT A firewall is configured to have an open FTP port that allows generic access.
OPEN_ELASTICSEARCH_PORT A firewall is configured to have an open ELASTICSEARCH port that allows generic access.
OPEN_DNS_PORT A firewall is configured to have an open DNS port that allows generic access.
OPEN_HTTP_PORT A firewall is configured to have an open HTTP port that allows generic access.
OPEN_DIRECTORY_SERVICES_PORT A firewall is configured to have an open DIRECTORY_SERVICES port that allows generic access.
OPEN_CISCOSECURE_WEBSM_PORT A firewall is configured to have an open CISCOSECURE_WEBSM port that allows generic access.
OPEN_RDP_PORT A firewall is configured to have an open RDP port that allows generic access.
OPEN_TELNET_PORT A firewall is configured to have an open TELNET port that allows generic access.
OPEN_FIREWALL A firewall is configured to be open to public access.
OPEN_SSH_PORT A firewall is configured to have an open SSH port that allows generic access.
SERVICE_ACCOUNT_ROLE_SEPARATION A user has been assigned the Service Account Admin and Service Account User roles. This violates the "Separation of Duties" principle.
NON_ORG_IAM_MEMBER There is a user who isn't using organizational credentials. As per CIS Google Cloud Foundations 1.0, currently, only identities with @gmail.com email addresses trigger this detector.
OVER_PRIVILEGED_SERVICE_ACCOUNT_USER A user has the Service Account User or Service Account Token Creator role at the project level, instead of for a specific service account.
ADMIN_SERVICE_ACCOUNT A service account has Admin, Owner, or Editor privileges. These roles shouldn't be assigned to user-created service accounts.
SERVICE_ACCOUNT_KEY_NOT_ROTATED A service account key hasn't been rotated for more than 90 days.
USER_MANAGED_SERVICE_ACCOUNT_KEY A user manages a service account key.
PRIMITIVE_ROLES_USED A user has the basic role, Owner, Writer, or Reader. These roles are too permissive and shouldn't be used.
KMS_ROLE_SEPARATION Separation of duties is not enforced, and a user exists who has any of the following Cloud Key Management Service (Cloud KMS) roles at the same time: CryptoKey Encrypter/Decrypter, Encrypter, or Decrypter.
OPEN_GROUP_IAM_MEMBER A Google Groups account that can be joined without approval is used as an IAM allow policy principal.
KMS_KEY_NOT_ROTATED Rotation isn't configured on a Cloud KMS encryption key. Keys should be rotated within a period of 90 days.
KMS_PROJECT_HAS_OWNER A user has Owner permissions on a project that has cryptographic keys.
TOO_MANY_KMS_USERS There are more than three users of cryptographic keys.
OBJECT_VERSIONING_DISABLED Object versioning isn't enabled on a storage bucket where sinks are configured.
LOCKED_RETENTION_POLICY_NOT_SET A locked retention policy is not set for logs.
BUCKET_LOGGING_DISABLED There is a storage bucket without logging enabled.
LOG_NOT_EXPORTED There is a resource that doesn't have an appropriate log sink configured.
AUDIT_LOGGING_DISABLED Audit logging has been disabled for this resource.
MFA_NOT_ENFORCED There are users who aren't using 2-step verification.
ROUTE_NOT_MONITORED Log metrics and alerts aren't configured to monitor VPC network route changes.
OWNER_NOT_MONITORED Log metrics and alerts aren't configured to monitor Project Ownership assignments or changes.
AUDIT_CONFIG_NOT_MONITORED Log metrics and alerts aren't configured to monitor Audit Configuration changes.
BUCKET_IAM_NOT_MONITORED Log metrics and alerts aren't configured to monitor Cloud Storage IAM permission changes.
CUSTOM_ROLE_NOT_MONITORED Log metrics and alerts aren't configured to monitor Custom Role changes.
FIREWALL_NOT_MONITORED Log metrics and alerts aren't configured to monitor Virtual Private Cloud (VPC) Network Firewall rule changes.
NETWORK_NOT_MONITORED Log metrics and alerts aren't configured to monitor VPC network changes.
SQL_INSTANCE_NOT_MONITORED Log metrics and alerts aren't configured to monitor Cloud SQL instance configuration changes.
DEFAULT_NETWORK The default network exists in a project.
DNS_LOGGING_DISABLED DNS logging on a VPC network is not enabled.
PUBSUB_CMEK_DISABLED A Pub/Sub topic is not encrypted with customer-managed encryption keys (CMEK). This detector requires additional configuration to enable. For instructions, see Enable and disable detectors.
PUBLIC_SQL_INSTANCE A Cloud SQL database instance accepts connections from all IP addresses.
SSL_NOT_ENFORCED A Cloud SQL database instance doesn't require all incoming connections to use SSL.
AUTO_BACKUP_DISABLED A Cloud SQL database doesn't have automatic backups enabled.
SQL_CMEK_DISABLED A SQL database instance is not encrypted with customer-managed encryption keys (CMEK). This detector requires additional configuration to enable. For instructions, see Enable and disable detectors.
SQL_LOG_CHECKPOINTS_DISABLED The log_checkpoints database flag for a Cloud SQL for PostgreSQL instance is not set to on.
SQL_LOG_CONNECTIONS_DISABLED The log_connections database flag for a Cloud SQL for PostgreSQL instance is not set to on.
SQL_LOG_DISCONNECTIONS_DISABLED The log_disconnections database flag for a Cloud SQL for PostgreSQL instance is not set to on.
SQL_LOG_DURATION_DISABLED The log_duration database flag for a Cloud SQL for PostgreSQL instance is not set to on.
SQL_LOG_LOCK_WAITS_DISABLED The log_lock_waits database flag for a Cloud SQL for PostgreSQL instance is not set to on.
SQL_LOG_STATEMENT The log_statement database flag for a Cloud SQL for PostgreSQL instance is not set to Ddl (all data definition statements).
SQL_NO_ROOT_PASSWORD A Cloud SQL database doesn't have a password configured for the root account. This detector requires additional configuration to enable. For instructions, see Enable and disable detectors.
SQL_PUBLIC_IP A Cloud SQL database has a public IP address.
SQL_CONTAINED_DATABASE_AUTHENTICATION The contained database authentication database flag for a Cloud SQL for SQL Server instance is not set to off.
SQL_CROSS_DB_OWNERSHIP_CHAINING The cross_db_ownership_chaining database flag for a Cloud SQL for SQL Server instance is not set to off.
SQL_LOCAL_INFILE The local_infile database flag for a Cloud SQL for MySQL instance is not set to off.
SQL_LOG_MIN_ERROR_STATEMENT The log_min_error_statement database flag for a Cloud SQL for PostgreSQL instance is not set appropriately.
SQL_LOG_MIN_ERROR_STATEMENT_SEVERITY The log_min_error_statement database flag for a Cloud SQL for PostgreSQL instance does not have an appropriate severity level.
SQL_LOG_TEMP_FILES The log_temp_files database flag for a Cloud SQL for PostgreSQL instance is not set to "0".
SQL_REMOTE_ACCESS_ENABLED The remote access database flag for a Cloud SQL for SQL Server instance is not set to off.
SQL_SKIP_SHOW_DATABASE_DISABLED The skip_show_database database flag for a Cloud SQL for MySQL instance is not set to on.
SQL_TRACE_FLAG_3625 The 3625 (trace flag) database flag for a Cloud SQL for SQL Server instance is not set to on.
SQL_USER_CONNECTIONS_CONFIGURED The user connections database flag for a Cloud SQL for SQL Server instance is configured.
SQL_USER_OPTIONS_CONFIGURED The user options database flag for a Cloud SQL for SQL Server instance is configured.
PUBLIC_BUCKET_ACL A Cloud Storage bucket is publicly accessible.
BUCKET_POLICY_ONLY_DISABLED Uniform bucket-level access, previously called Bucket Policy Only, isn't configured.
BUCKET_CMEK_DISABLED A bucket is not encrypted with customer-managed encryption keys (CMEK). This detector requires additional configuration to enable. For instructions, see Enable and disable detectors.
FLOW_LOGS_DISABLED There is a VPC subnetwork that has flow logs disabled.
PRIVATE_GOOGLE_ACCESS_DISABLED There are private subnetworks without access to Google public APIs.
kms_key_region_europe Due to company policy, all encryption keys should remain stored in Europe.
kms_non_euro_region Due to company policy, all encryption keys should remain stored in Europe.
LEGACY_NETWORK A legacy network exists in a project.
LOAD_BALANCER_LOGGING_DISABLED Logging is disabled for the load balancer.

Supported GCP_SECURITYCENTER_POSTURE_VIOLATION findings

You can find the UDM mapping in the Field mapping reference: POSTURE VIOLATION table.

Finding name Description
SECURITY_POSTURE_DRIFT Drift from the defined policies within security posture. This is detected by the security posture service.
SECURITY_POSTURE_POLICY_DRIFT The security posture service detected a change to an organization policy that occurred outside of a posture update.
SECURITY_POSTURE_POLICY_DELETE The security posture service detected that an organization policy was deleted. This deletion occurred outside of a posture update.
SECURITY_POSTURE_DETECTOR_DRIFT The security posture service detected a change to a Security Health Analytics detector that occurred outside of a posture update.
SECURITY_POSTURE_DETECTOR_DELETE The security posture service detected that a Security Health Analytics custom module was deleted. This deletion occurred outside of a posture update.

Field mapping reference

This section explains how the Google Security Operations parser maps Security Command Center log fields to Google Security Operations Unified Data Model (UDM) fields for the data sets.

Field mapping reference: raw log fields to UDM fields

The following table lists the log fields and corresponding UDM mappings for the Security Command Center Event Threat Detection findings.

Raw log field UDM mapping Logic
compliances.ids about.labels [compliance_ids] (deprecated)
compliances.ids additional.fields [compliance_ids]
compliances.version about.labels [compliance_version] (deprecated)
compliances.version additional.fields [compliance_version]
compliances.standard about.labels [compliances_standard] (deprecated)
compliances.standard additional.fields [compliances_standard]
connections.destinationIp about.labels [connections_destination_ip] (deprecated) If the connections.destinationIp log field value is not equal to the sourceProperties.properties.ipConnection.destIp, then the connections.destinationIp log field is mapped to the about.labels.value UDM field.
connections.destinationIp additional.fields [connections_destination_ip] If the connections.destinationIp log field value is not equal to the sourceProperties.properties.ipConnection.destIp, then the connections.destinationIp log field is mapped to the additional.fields.value.string_value UDM field.
connections.destinationPort about.labels [connections_destination_port] (deprecated)
connections.destinationPort additional.fields [connections_destination_port]
connections.protocol about.labels [connections_protocol] (deprecated)
connections.protocol additional.fields [connections_protocol]
connections.sourceIp about.labels [connections_source_ip] (deprecated)
connections.sourceIp additional.fields [connections_source_ip]
connections.sourcePort about.labels [connections_source_port] (deprecated)
connections.sourcePort additional.fields [connections_source_port]
kubernetes.pods.ns target.resource_ancestors.attribute.labels.key/value [kubernetes_pods_ns]
kubernetes.pods.name target.resource_ancestors.name
kubernetes.nodes.name target.resource_ancestors.name
kubernetes.nodePools.name target.resource_ancestors.name
target.resource_ancestors.resource_type If the message log field value matches the regular expression pattern kubernetes, then the target.resource_ancestors.resource_type UDM field is set to CLUSTER.
Otherwise, if the message log field value matches the regular expression pattern kubernetes.*?pods, then the target.resource_ancestors.resource_type UDM field is set to POD.
about.resource.attribute.cloud.environment The about.resource.attribute.cloud.environment UDM field is set to GOOGLE_CLOUD_PLATFORM.
externalSystems.assignees about.resource.attribute.labels.key/value [externalSystems_assignees]
externalSystems.status about.resource.attribute.labels.key/value [externalSystems_status]
kubernetes.nodePools.nodes.name target.resource.attribute.labels.key/value [kubernetes_nodePools_nodes_name]
kubernetes.pods.containers.uri target.resource_ancestors.attribute.labels.key/value [kubernetes_pods_containers_uri]
kubernetes.pods.containers.createTime target.resource_ancestors.attribute.labels [kubernetes_pods_containers_createTime]
kubernetes.roles.kind target.resource.attribute.labels.key/value [kubernetes_roles_kind]
kubernetes.roles.name target.resource.attribute.labels.key/value [kubernetes_roles_name]
kubernetes.roles.ns target.resource.attribute.labels.key/value [kubernetes_roles_ns]
kubernetes.pods.containers.labels.name/value target.resource.attribute.labels.key/value [kubernetes.pods.containers.labels.name/value]
kubernetes.pods.labels.name/value target.resource.attribute.labels.key/value [kubernetes.pods.labels.name/value]
externalSystems.externalSystemUpdateTime about.resource.attribute.last_update_time
externalSystems.name about.resource.name
externalSystems.externalUid about.resource.product_object_id
indicator.uris about.url
extension.auth.type If the category log field value is equal to Initial Access: Account Disabled Hijacked or Initial Access: Disabled Password Leak or Initial Access: Government Based Attack or Initial Access: Suspicious Login Blocked or Impair Defenses: Two Step Verification Disabled or Persistence: SSO Enablement Toggle, then the extension.auth.type UDM field is set to SSO.
extension.mechanism If the category log field value is equal to Brute Force: SSH, then the extension.mechanism UDM field is set to USERNAME_PASSWORD.
extensions.auth.type If the principal.user.user_authentication_status log field value is equal to ACTIVE, then the extensions.auth.type UDM field is set to SSO.
vulnerability.cve.references.uri extensions.vulns.vulnerabilities.about.labels [vulnerability.cve.references.uri] (deprecated)
vulnerability.cve.references.uri additional.fields [vulnerability.cve.references.uri]
vulnerability.cve.cvssv3.attackComplexity extensions.vulns.vulnerabilities.about.labels [vulnerability_cve_cvssv3_attackComplexity] (deprecated)
vulnerability.cve.cvssv3.attackComplexity additional.fields [vulnerability_cve_cvssv3_attackComplexity]
vulnerability.cve.cvssv3.availabilityImpact extensions.vulns.vulnerabilities.about.labels [vulnerability_cve_cvssv3_availabilityImpact] (deprecated)
vulnerability.cve.cvssv3.availabilityImpact additional.fields [vulnerability_cve_cvssv3_availabilityImpact]
vulnerability.cve.cvssv3.confidentialityImpact extensions.vulns.vulnerabilities.about.labels [vulnerability_cve_cvssv3_confidentialityImpact] (deprecated)
vulnerability.cve.cvssv3.confidentialityImpact additional.fields [vulnerability_cve_cvssv3_confidentialityImpact]
vulnerability.cve.cvssv3.integrityImpact extensions.vulns.vulnerabilities.about.labels [vulnerability_cve_cvssv3_integrityImpact] (deprecated)
vulnerability.cve.cvssv3.integrityImpact additional.fields [vulnerability_cve_cvssv3_integrityImpact]
vulnerability.cve.cvssv3.privilegesRequired extensions.vulns.vulnerabilities.about.labels [vulnerability_cve_cvssv3_privilegesRequired] (deprecated)
vulnerability.cve.cvssv3.privilegesRequired additional.fields [vulnerability_cve_cvssv3_privilegesRequired]
vulnerability.cve.cvssv3.scope extensions.vulns.vulnerabilities.about.labels [vulnerability_cve_cvssv3_scope] (deprecated)
vulnerability.cve.cvssv3.scope additional.fields [vulnerability_cve_cvssv3_scope]
vulnerability.cve.cvssv3.userInteraction extensions.vulns.vulnerabilities.about.labels [vulnerability_cve_cvssv3_userInteraction] (deprecated)
vulnerability.cve.cvssv3.userInteraction additional.fields [vulnerability_cve_cvssv3_userInteraction]
vulnerability.cve.references.source extensions.vulns.vulnerabilities.about.labels [vulnerability_cve_references_source] (deprecated)
vulnerability.cve.references.source additional.fields [vulnerability_cve_references_source]
vulnerability.cve.upstreamFixAvailable extensions.vulns.vulnerabilities.about.labels [vulnerability_cve_upstreamFixAvailable] (deprecated)
vulnerability.cve.upstreamFixAvailable additional.fields [vulnerability_cve_upstreamFixAvailable]
vulnerability.cve.id extensions.vulns.vulnerabilities.cve_id
vulnerability.cve.cvssv3.baseScore extensions.vulns.vulnerabilities.cvss_base_score
vulnerability.cve.cvssv3.attackVector extensions.vulns.vulnerabilities.cvss_vector
sourceProperties.properties.loadBalancerName intermediary.resource.name If the category log field value is equal to Initial Access: Log4j Compromise Attempt, then the sourceProperties.properties.loadBalancerName log field is mapped to the intermediary.resource.name UDM field.
intermediary.resource.resource_type If the category log field value is equal to Initial Access: Log4j Compromise Attempt, then the intermediary.resource.resource_type UDM field is set to BACKEND_SERVICE.
parentDisplayName metadata.description
eventTime metadata.event_timestamp
category metadata.product_event_type
sourceProperties.evidence.sourceLogId.insertId metadata.product_log_id If the canonicalName log field value is not empty, then finding_id is extracted from the canonicalName log field using a Grok pattern.

If the extracted finding_id value is empty, then the sourceProperties.evidence.sourceLogId.insertId log field is mapped to the metadata.product_log_id UDM field.

If the canonicalName log field value is empty, then the sourceProperties.evidence.sourceLogId.insertId log field is mapped to the metadata.product_log_id UDM field.
metadata.product_name The metadata.product_name UDM field is set to Security Command Center.
sourceProperties.contextUris.cloudLoggingQueryUri.url security_result.detection_fields.key/value[sourceProperties_contextUris_cloudLoggingQueryUri_url]
metadata.vendor_name The metadata.vendor_name UDM field is set to Google.
network.application_protocol If the category log field value is equal to Malware: Bad Domain or Malware: Cryptomining Bad Domain, then the network.application_protocol UDM field is set to DNS.
sourceProperties.properties.indicatorContext.asn network.asn If the category log field value is equal to Malware: Cryptomining Bad IP, then the sourceProperties.properties.indicatorContext.asn log field is mapped to the network.asn UDM field.
sourceProperties.properties.indicatorContext.carrierName network.carrier_name If the category log field value is equal to Malware: Cryptomining Bad IP, then the sourceProperties.properties.indicatorContext.carrierName log field is mapped to the network.carrier_name UDM field.
sourceProperties.properties.indicatorContext.reverseDnsDomain network.dns_domain If the category log field value is equal to Malware: Cryptomining Bad IP or Malware: Bad IP, then the sourceProperties.properties.indicatorContext.reverseDnsDomain log field is mapped to the network.dns_domain UDM field.
sourceProperties.properties.dnsContexts.responseData.responseClass network.dns.answers.class If the category log field value is equal to Malware: Bad Domain, then the sourceProperties.properties.dnsContexts.responseData.responseClass log field is mapped to the network.dns.answers.class UDM field.
sourceProperties.properties.dnsContexts.responseData.responseValue network.dns.answers.data If the category log field value matches the regular expression Malware: Bad Domain, then the sourceProperties.properties.dnsContexts.responseData.responseValue log field is mapped to the network.dns.answers.data UDM field.
sourceProperties.properties.dnsContexts.responseData.domainName network.dns.answers.name If the category log field value is equal to Malware: Bad Domain, then the sourceProperties.properties.dnsContexts.responseData.domainName log field is mapped to the network.dns.answers.name UDM field.
sourceProperties.properties.dnsContexts.responseData.ttl network.dns.answers.ttl If the category log field value is equal to Malware: Bad Domain, then the sourceProperties.properties.dnsContexts.responseData.ttl log field is mapped to the network.dns.answers.ttl UDM field.
sourceProperties.properties.dnsContexts.responseData.responseType network.dns.answers.type If the category log field value is equal to Malware: Bad Domain, then the sourceProperties.properties.dnsContexts.responseData.responseType log field is mapped to the network.dns.answers.type UDM field.
sourceProperties.properties.dnsContexts.authAnswer network.dns.authoritative If the category log field value is equal to Malware: Bad Domain or Malware: Cryptomining Bad Domain, then the sourceProperties.properties.dnsContexts.authAnswer log field is mapped to the network.dns.authoritative UDM field.
sourceProperties.properties.dnsContexts.queryName network.dns.questions.name If the category log field value is equal to Malware: Bad Domain or Malware: Cryptomining Bad Domain, then the sourceProperties.properties.dnsContexts.queryName log field is mapped to the network.dns.questions.name UDM field.
sourceProperties.properties.dnsContexts.queryType network.dns.questions.type If the category log field value is equal to Malware: Bad Domain or Malware: Cryptomining Bad Domain, then the sourceProperties.properties.dnsContexts.queryType log field is mapped to the network.dns.questions.type UDM field.
sourceProperties.properties.dnsContexts.responseCode network.dns.response_code If the category log field value is equal to Malware: Bad Domain or Malware: Cryptomining Bad Domain, then the sourceProperties.properties.dnsContexts.responseCode log field is mapped to the network.dns.response_code UDM field.
sourceProperties.properties.anomalousSoftware.callerUserAgent network.http.user_agent If the category log field value is equal to Persistence: New User Agent, then the sourceProperties.properties.anomalousSoftware.callerUserAgent log field is mapped to the network.http.user_agent UDM field.
sourceProperties.properties.callerUserAgent network.http.user_agent If the category log field value is equal to Persistence: GCE Admin Added SSH Key or Persistence: GCE Admin Added Startup Script, then the sourceProperties.properties.callerUserAgent log field is mapped to the network.http.user_agent UDM field.
access.userAgentFamily network.http.user_agent
finding.access.userAgent network.http.user_agent
sourceProperties.properties.serviceAccountGetsOwnIamPolicy.rawUserAgent network.http.user_agent If the category log field value is equal to Discovery: Service Account Self-Investigation, then the sourceProperties.properties.serviceAccountGetsOwnIamPolicy.rawUserAgent log field is mapped to the network.http.user_agent UDM field.
sourceProperties.properties.ipConnection.protocol network.ip_protocol If the category log field value is equal to Malware: Bad IP or Malware: Cryptomining Bad IP or Malware: Outgoing DoS, then the network.ip_protocol UDM field is set to one of the following values:
  • ICMP if the sourceProperties.properties.ipConnection.protocol log field value is equal to 1 or ICMP.
  • IGMP if the sourceProperties.properties.ipConnection.protocol log field value is equal to 2 or IGMP.
  • TCP if the sourceProperties.properties.ipConnection.protocol log field value is equal to 6 or TCP.
  • UDP if the sourceProperties.properties.ipConnection.protocol log field value is equal to 17 or UDP.
  • IP6IN4 if the sourceProperties.properties.ipConnection.protocol log field value is equal to 41 or IP6IN4.
  • GRE if the sourceProperties.properties.ipConnection.protocol log field value is equal to 47 or GRE.
  • ESP if the sourceProperties.properties.ipConnection.protocol log field value is equal to 50 or ESP.
  • EIGRP if the sourceProperties.properties.ipConnection.protocol log field value is equal to 88 or EIGRP.
  • ETHERIP if the sourceProperties.properties.ipConnection.protocol log field value is equal to 97 or ETHERIP.
  • PIM if the sourceProperties.properties.ipConnection.protocol log field value is equal to 103 or PIM.
  • VRRP if the sourceProperties.properties.ipConnection.protocol log field value is equal to 112 or VRRP.
  • UNKNOWN_IP_PROTOCOL if the sourceProperties.properties.ipConnection.protocol log field value is equal to any other value.
    sourceProperties.properties.indicatorContext.organizationName network.organization_name If the category log field value is equal to Malware: Cryptomining Bad IP or Malware: Bad IP, then the sourceProperties.properties.indicatorContext.organizationName log field is mapped to the network.organization_name UDM field.
    sourceProperties.properties.anomalousSoftware.behaviorPeriod network.session_duration If the category log field value is equal to Persistence: New User Agent, then the sourceProperties.properties.anomalousSoftware.behaviorPeriod log field is mapped to the network.session_duration UDM field.
    sourceProperties.properties.sourceIp principal.ip If the category log field value matches the regular expression Active Scan: Log4j Vulnerable to RCE, then the sourceProperties.properties.sourceIp log field is mapped to the principal.ip UDM field.
    sourceProperties.properties.attempts.sourceIp principal.ip If the category log field value is equal to Brute Force: SSH, then the sourceProperties.properties.attempts.sourceIp log field is mapped to the principal.ip UDM field.
    access.callerIp principal.ip If the category log field value is equal to Defense Evasion: Modify VPC Service Control or access.callerIp or Exfiltration: BigQuery Data Extraction or Exfiltration: BigQuery Data to Google Drive or Exfiltration: CloudSQL Data Exfiltration or Exfiltration: CloudSQL Restore Backup to External Organization or Persistence: New Geography or Persistence: IAM Anomalous Grant, then the access.callerIp log field is mapped to the principal.ip UDM field.
    sourceProperties.properties.serviceAccountGetsOwnIamPolicy.callerIp principal.ip If the category log field value is equal to Discovery: Service Account Self-Investigation, then the sourceProperties.properties.serviceAccountGetsOwnIamPolicy.callerIp log field is mapped to the principal.ip UDM field.
    sourceProperties.properties.changeFromBadIp.ip principal.ip If the category log field value is equal to Evasion: Access from Anonymizing Proxy, then the sourceProperties.properties.changeFromBadIp.ip log field is mapped to the principal.ip UDM field.
    sourceProperties.properties.dnsContexts.sourceIp principal.ip If the category log field value is equal to Malware: Bad Domain or Malware: Cryptomining Bad Domain, then the sourceProperties.properties.dnsContexts.sourceIp log field is mapped to the principal.ip UDM field.
    sourceProperties.properties.ipConnection.srcIp principal.ip If the category log field value is equal to Malware: Bad IP or Malware: Cryptomining Bad IP or Malware: Outgoing DoS, then the sourceProperties.properties.ipConnection.srcIp log field is mapped to the principal.ip UDM field.
    sourceProperties.properties.callerIp sourceProperties.properties.indicatorContext.ipAddress principal.ip If the category log field value is equal to Malware: Cryptomining Bad IP or Malware: Bad IP, then if the sourceProperties.properties.ipConnection.srcIp log field value is not equal to the sourceProperties.properties.indicatorContext.ipAddress, then the sourceProperties.properties.indicatorContext.ipAddress log field is mapped to the principal.ip UDM field.
    sourceProperties.properties.anomalousLocation.callerIp principal.ip If the category log field value is equal to Persistence: New Geography, then the sourceProperties.properties.anomalousLocation.callerIp log field is mapped to the principal.ip UDM field.
    sourceProperties.properties.scannerDomain principal.labels [sourceProperties_properties_scannerDomain] (deprecated) If the category log field value matches the regular expression Active Scan: Log4j Vulnerable to RCE, then the sourceProperties.properties.scannerDomain log field is mapped to the principal.labels.key/value UDM field.
    sourceProperties.properties.scannerDomain additional.fields [sourceProperties_properties_scannerDomain] If the category log field value matches the regular expression Active Scan: Log4j Vulnerable to RCE, then the sourceProperties.properties.scannerDomain log field is mapped to the additional.fields.value.string_value UDM field.
    sourceProperties.properties.dataExfiltrationAttempt.jobState principal.labels [sourceProperties.properties.dataExfiltrationAttempt.jobState] (deprecated) If the category log field value is equal to Exfiltration: BigQuery Data Exfiltration, then the sourceProperties.properties.dataExfiltrationAttempt.jobState log field is mapped to the principal.labels.key/value and UDM field.
    sourceProperties.properties.dataExfiltrationAttempt.jobState additional.fields [sourceProperties.properties.dataExfiltrationAttempt.jobState] If the category log field value is equal to Exfiltration: BigQuery Data Exfiltration, then the sourceProperties.properties.dataExfiltrationAttempt.jobState log field is mapped to the additional.fields.value.string_value UDM field.
    access.callerIpGeo.regionCode principal.location.country_or_region
    sourceProperties.properties.indicatorContext.countryCode principal.location.country_or_region If the category log field value is equal to Malware: Cryptomining Bad IP or Malware: Bad IP, then the sourceProperties.properties.indicatorContext.countryCode log field is mapped to the principal.location.country_or_region UDM field.
    sourceProperties.properties.dataExfiltrationAttempt.job.location principal.location.country_or_region If the category log field value is equal to Exfiltration: BigQuery Data Exfiltration, then the sourceProperties.properties.dataExfiltrationAttempt.job.location log field is mapped to the principal.location.country_or_region UDM field.
    sourceProperties.properties.extractionAttempt.job.location principal.location.country_or_region If the category log field value is equal to Exfiltration: BigQuery Data Extraction or Exfiltration: BigQuery Data to Google Drive, then the sourceProperties.properties.extractionAttempt.job.location log field is mapped to the principal.location.country_or_region UDM field.
    sourceProperties.properties.anomalousLocation.typicalGeolocations.country.identifier principal.location.country_or_region If the category log field value is equal to Persistence: New Geography or Persistence: IAM Anomalous Grant, then the sourceProperties.properties.anomalousLocation.typicalGeolocations.country.identifier log field is mapped to the principal.location.country_or_region UDM field.
    sourceProperties.properties.anomalousLocation.anomalousLocation principal.location.name If the category log field value is equal to Persistence: IAM Anomalous Grant, then the sourceProperties.properties.anomalousLocation.anomalousLocation log field is mapped to the principal.location.name UDM field.
    sourceProperties.properties.ipConnection.srcPort principal.port If the category log field value is equal to Malware: Bad IP or Malware: Outgoing DoS, then the sourceProperties.properties.ipConnection.srcPort log field is mapped to the principal.port UDM field.
    sourceProperties.properties.extractionAttempt.jobLink principal.process.file.full_path If the category log field value is equal to Exfiltration: BigQuery Data Extraction or Exfiltration: BigQuery Data to Google Drive, then the sourceProperties.properties.extractionAttempt.jobLink log field is mapped to the principal.process.file.full_path UDM field.
    sourceProperties.properties.dataExfiltrationAttempt.jobLink principal.process.file.full_path If the category log field value is equal to Exfiltration: BigQuery Data Exfiltration, then the sourceProperties.properties.dataExfiltrationAttempt.jobLink log field is mapped to the principal.process.file.full_path UDM field.
    sourceProperties.properties.dataExfiltrationAttempt.job.jobId principal.process.pid If the category log field value is equal to Exfiltration: BigQuery Data Exfiltration, then the sourceProperties.properties.dataExfiltrationAttempt.job.jobId log field is mapped to the principal.process.pid UDM field.
    sourceProperties.properties.extractionAttempt.job.jobId principal.process.pid If the category log field value is equal to Exfiltration: BigQuery Data Extraction or Exfiltration: BigQuery Data to Google Drive, then the sourceProperties.properties.extractionAttempt.job.jobId log field is mapped to the principal.process.pid UDM field.
    sourceProperties.properties.srcVpc.subnetworkName principal.resource_ancestors.attribute.labels.key/value [sourceProperties_properties_destVpc_subnetworkName] If the category log field value is equal to Malware: Cryptomining Bad IP or Malware: Bad IP, then the sourceProperties.properties.srcVpc.subnetworkName log field is mapped to the principal.resource_ancestors.attribute.labels.value UDM field.
    principal.resource_ancestors.attribute.labels.key/value [sourceProperties_properties_srcVpc_projectId] principal.resource_ancestors.attribute.labels.key/value [sourceProperties_properties_srcVpc_projectId] If the category log field value is equal to Malware: Cryptomining Bad IP or Malware: Bad IP, then the sourceProperties.properties.srcVpc.projectId log field is mapped to the principal.resource_ancestors.attribute.labels.value UDM field.
    sourceProperties.properties.srcVpc.vpcName principal.resource_ancestors.name If the category log field value is equal to Malware: Cryptomining Bad IP or Malware: Bad IP, then the sourceProperties.properties.destVpc.vpcName log field is mapped to the principal.resource_ancestors.name UDM field and the principal.resource_ancestors.resource_type UDM field is set to VIRTUAL_MACHINE.
    sourceProperties.sourceId.customerOrganizationNumber principal.resource.attribute.labels.key/value [sourceProperties_sourceId_customerOrganizationNumber] If the message log field value matches the regular expression sourceProperties.sourceId.*?customerOrganizationNumber, then the sourceProperties.sourceId.customerOrganizationNumber log field is mapped to the principal.resource.attribute.labels.key/value UDM field.
    resource.projectName principal.resource.name
    sourceProperties.properties.projectId principal.resource.name If the sourceProperties.properties.projectId log field value is not empty, then the sourceProperties.properties.projectId log field is mapped to the principal.resource.name UDM field.
    sourceProperties.properties.serviceAccountGetsOwnIamPolicy.projectId principal.resource.name If the category log field value is equal to Discovery: Service Account Self-Investigation, then the sourceProperties.properties.serviceAccountGetsOwnIamPolicy.projectId log field is mapped to the principal.resource.name UDM field.
    sourceProperties.properties.sourceInstanceDetails principal.resource.name If the category log field value is equal to Malware: Outgoing DoS, then the sourceProperties.properties.sourceInstanceDetails log field is mapped to the principal.resource.name UDM field.
    principal.user.account_type If the access.principalSubject log field value matches the regular expression serviceAccount, then the principal.user.account_type UDM field is set to SERVICE_ACCOUNT_TYPE.

    Else if, the access.principalSubject log field value matches the regular expression user, then the principal.user.account_type UDM field is set to CLOUD_ACCOUNT_TYPE.
    access.principalSubject principal.user.attribute.labels.key/value [access_principalSubject]
    access.serviceAccountDelegationInfo.principalSubject principal.user.attribute.labels.key/value [access_serviceAccountDelegationInfo_principalSubject]
    access.serviceAccountKeyName principal.user.attribute.labels.key/value [access_serviceAccountKeyName]
    sourceProperties.properties.serviceAccountGetsOwnIamPolicy.callerUserAgent principal.user.attribute.labels.key/value [sourceProperties_properties_serviceAccountGetsOwnIamPolicy_callerUserAgent] If the category log field value is equal to Discovery: Service Account Self-Investigation, then the principal.user.attribute.labels.key UDM field is set to rawUserAgent and the sourceProperties.properties.serviceAccountGetsOwnIamPolicy.callerUserAgent log field is mapped to the principal.user.attribute.labels.value UDM field.
    sourceProperties.properties.serviceAccountGetsOwnIamPolicy.principalEmail principal.user.email_addresses If the category log field value is equal to Discovery: Service Account Self-Investigation, then the sourceProperties.properties.serviceAccountGetsOwnIamPolicy.principalEmail log field is mapped to the principal.user.email_addresses UDM field.
    sourceProperties.properties.changeFromBadIp.principalEmail principal.user.email_addresses If the category log field value is equal to Evasion: Access from Anonymizing Proxy, then the sourceProperties.properties.changeFromBadIp.principalEmail log field is mapped to the principal.user.email_addresses UDM field.
    sourceProperties.properties.dataExfiltrationAttempt.userEmail principal.user.email_addresses If the category log field value is equal to Exfiltration: BigQuery Data Exfiltration, then the sourceProperties.properties.dataExfiltrationAttempt.userEmail log field is mapped to the principal.user.email_addresses UDM field.
    sourceProperties.properties.principalEmail principal.user.email_addresses If the category log field value is equal to Exfiltration: BigQuery Data to Google Drive or Initial Access: Account Disabled Hijacked or Initial Access: Disabled Password Leak or Initial Access: Government Based Attack or Impair Defenses: Strong Authentication Disabled or Impair Defenses: Two Step Verification Disabled or Persistence: GCE Admin Added Startup Script or Persistence: GCE Admin Added SSH Key, then the sourceProperties.properties.principalEmail log field is mapped to the principal.user.email_addresses UDM field.

    If the category log field value is equal to Initial Access: Suspicious Login Blocked, then the sourceProperties.properties.principalEmail log field is mapped to the principal.user.email_addresses UDM field.
    access.principalEmail principal.user.email_addresses If the category log field value is equal to Defense Evasion: Modify VPC Service Control or Exfiltration: CloudSQL Data Exfiltration or Exfiltration: CloudSQL Restore Backup to External Organization or Persistence: New Geography, then the access.principalEmail log field is mapped to the principal.user.email_addresses UDM field.
    sourceProperties.properties.sensitiveRoleGrant.principalEmail principal.user.email_addresses If the category log field value is equal to Persistence: IAM Anomalous Grant, then the sourceProperties.properties.sensitiveRoleGrant.principalEmail log field is mapped to the principal.user.email_addresses UDM field.
    sourceProperties.properties.anomalousSoftware.principalEmail principal.user.email_addresses If the category log field value is equal to Persistence: New User Agent, then the sourceProperties.properties.anomalousSoftware.principalEmail log field is mapped to the principal.user.email_addresses UDM field.
    sourceProperties.properties.exportToGcs.principalEmail principal.user.email_addresses
    sourceProperties.properties.restoreToExternalInstance.principalEmail principal.user.email_addresses If the category log field value is equal to Exfiltration: CloudSQL Restore Backup to External Organization, then the sourceProperties.properties.restoreToExternalInstance.principalEmail log field is mapped to the principal.user.email_addresses UDM field.
    access.serviceAccountDelegationInfo.principalEmail principal.user.email_addresses
    sourceProperties.properties.customRoleSensitivePermissions.principalEmail principal.user.email_addresses If the category log field value is equal to Persistence: IAM Anomalous Grant, then the sourceProperties.properties.customRoleSensitivePermissions.principalEmail log field is mapped to the principal.user.email_addresses UDM field.
    sourceProperties.properties.anomalousLocation.principalEmail principal.user.email_addresses If the category log field value is equal to Persistence: New Geography, then the sourceProperties.properties.anomalousLocation.principalEmail log field is mapped to the principal.user.email_addresses UDM field.
    sourceProperties.properties.externalMemberAddedToPrivilegedGroup.principalEmail principal.user.email_addresses If the category log field value is equal to Credential Access: External Member Added To Privileged Group, then the sourceProperties.properties.externalMemberAddedToPrivilegedGroup.principalEmail log field is mapped to the principal.user.email_addresses UDM field.
    sourceProperties.properties.privilegedGroupOpenedToPublic.principalEmail principal.user.email_addresses If the category log field value is equal to Credential Access: Privileged Group Opened To Public, then the sourceProperties.properties.privilegedGroupOpenedToPublic.principalEmail log field is mapped to the principal.user.email_addresses UDM field.
    sourceProperties.properties.sensitiveRoleToHybridGroup.principalEmail principal.user.email_addresses If the category log field value is equal to Credential Access: Sensitive Role Granted To Hybrid Group, then the sourceProperties.properties.sensitiveRoleToHybridGroup.principalEmail log field is mapped to the principal.user.email_addresses UDM field.
    sourceProperties.properties.vpcViolation.userEmail principal.user.email_addresses If the category log field value is equal to Exfiltration: BigQuery Data Exfiltration, then the sourceProperties.properties.vpcViolation.userEmail log field is mapped to the principal.user.email_addresses UDM field.
    sourceProperties.properties.ssoState principal.user.user_authentication_status If the category log field value is equal to Initial Access: Account Disabled Hijacked or Initial Access: Disabled Password Leak or Initial Access: Government Based Attack or Initial Access: Suspicious Login Blocked or Impair Defenses: Two Step Verification Disabled or Persistence: SSO Enablement Toggle, then the sourceProperties.properties.ssoState log field is mapped to the principal.user.user_authentication_status UDM field.
    database.userName principal.user.userid If the category log field value is equal to Exfiltration: CloudSQL Over-Privileged Grant, then the database.userName log field is mapped to the principal.user.userid UDM field.
    sourceProperties.properties.threatIntelligenceSource security_result.about.application If the category log field value is equal to Malware: Bad IP, then the sourceProperties.properties.threatIntelligenceSource log field is mapped to the security_result.about.application UDM field.
    workflowState security_result.about.investigation.status
    sourceProperties.properties.attempts.sourceIp security_result.about.ip If the category log field value is equal to Brute Force: SSH, then the sourceProperties.properties.attempts.sourceIp log field is mapped to the security_result.about.ip UDM field.
    sourceProperties.findingId metadata.product_log_id
    kubernetes.accessReviews.group target.resource.attribute.labels.key/value [kubernetes_accessReviews_group]
    kubernetes.accessReviews.name target.resource.attribute.labels.key/value [kubernetes_accessReviews_name]
    kubernetes.accessReviews.ns target.resource.attribute.labels.key/value [kubernetes_accessReviews_ns]
    kubernetes.accessReviews.resource target.resource.attribute.labels.key/value [kubernetes_accessReviews_resource]
    kubernetes.accessReviews.subresource target.resource.attribute.labels.key/value [kubernetes_accessReviews_subresource]
    kubernetes.accessReviews.verb target.resource.attribute.labels.key/value [kubernetes_accessReviews_verb]
    kubernetes.accessReviews.version target.resource.attribute.labels.key/value [kubernetes_accessReviews_version]
    kubernetes.bindings.name target.resource.attribute.labels.key/value [kubernetes_bindings_name]
    kubernetes.bindings.ns target.resource.attribute.labels.key/value [kubernetes_bindings_ns]
    kubernetes.bindings.role.kind target.resource.attribute.labels.key/value [kubernetes_bindings_role_kind]
    kubernetes.bindings.role.ns target.resource.attribute.labels.key/value [kubernetes_bindings_role_ns]
    kubernetes.bindings.subjects.kind target.resource.attribute.labels.key/value [kubernetes_bindings_subjects_kind]
    kubernetes.bindings.subjects.name target.resource.attribute.labels.key/value [kubernetes_bindings_subjects_name]
    kubernetes.bindings.subjects.ns target.resource.attribute.labels.key/value [kubernetes_bindings_subjects_ns]
    kubernetes.bindings.role.name target.resource.attribute.roles.name
    sourceProperties.properties.delta.restrictedResources.resourceName security_result.about.resource.name If the category log field value is equal to Defense Evasion: Modify VPC Service Control, then the Restricted Resource: sourceProperties.properties.delta.restrictedResources.resourceName log field is mapped to the security_result.about.resource.name UDM field.

    If the category log field value is equal to Exfiltration: BigQuery Data Exfiltration, then the sourceProperties.properties.delta.restrictedResources.resourceName log field is mapped to the security_result.about.resource.name UDM field and the security_result.about.resource_type UDM field is set to CLOUD_PROJECT.
    sourceProperties.properties.delta.allowedServices.serviceName security_result.about.resource.name If the category log field value is equal to Exfiltration: BigQuery Data Exfiltration, then the sourceProperties.properties.delta.allowedServices.serviceName log field is mapped to the security_result.about.resource.name UDM field and the security_result.about.resource_type UDM field is set to BACKEND_SERVICE.
    sourceProperties.properties.delta.restrictedServices.serviceName security_result.about.resource.name If the category log field value is equal to Exfiltration: BigQuery Data Exfiltration, then the sourceProperties.properties.delta.restrictedServices.serviceName log field is mapped to the security_result.about.resource.name UDM field and the security_result.about.resource_type UDM field is set to BACKEND_SERVICE.
    sourceProperties.properties.delta.accessLevels.policyName security_result.about.resource.name If the category log field value is equal to Exfiltration: BigQuery Data Exfiltration, then the sourceProperties.properties.delta.accessLevels.policyName log field is mapped to the security_result.about.resource.name UDM field and the security_result.about.resource_type UDM field is set to ACCESS_POLICY.
    security_result.about.user.attribute.roles.name If the message log field value matches the regular expression contacts.?security, then the security_result.about.user.attribute.roles.name UDM field is set to security.

    If the message log field value matches the regular expression contacts.?technical, then the security_result.about.user.attribute.roles.name UDM field is set to Technical.
    contacts.security.contacts.email security_result.about.user.email_addresses
    contacts.technical.contacts.email security_result.about.user.email_addresses
    security_result.action If the category log field value is equal to Initial Access: Suspicious Login Blocked, then the security_result.action UDM field is set to BLOCK.

    If the category log field value is equal to Brute Force: SSH, then if the sourceProperties.properties.attempts.authResult log field value is equal to SUCCESS, then the security_result.action UDM field is set to BLOCK.

    Else, the security_result.action UDM field is set to BLOCK.
    sourceProperties.properties.delta.restrictedResources.action security_result.action_details If the category log field value is equal to Defense Evasion: Modify VPC Service Control, then the sourceProperties.properties.delta.restrictedResources.action log field is mapped to the security_result.action_details UDM field.
    sourceProperties.properties.delta.restrictedServices.action security_result.action_details If the category log field value is equal to Defense Evasion: Modify VPC Service Control, then the sourceProperties.properties.delta.restrictedServices.action log field is mapped to the security_result.action_details UDM field.
    sourceProperties.properties.delta.allowedServices.action security_result.action_details If the category log field value is equal to Defense Evasion: Modify VPC Service Control, then the sourceProperties.properties.delta.allowedServices.action log field is mapped to the security_result.action_details UDM field.
    sourceProperties.properties.delta.accessLevels.action security_result.action_details If the category log field value is equal to Defense Evasion: Modify VPC Service Control, then the sourceProperties.properties.delta.accessLevels.action log field is mapped to the security_result.action_details UDM field.
    security_result.alert_state If the state log field value is equal to ACTIVE, then the security_result.alert_state UDM field is set to ALERTING.

    Else, the security_result.alert_state UDM field is set to NOT_ALERTING.
    findingClass security_result.catgory_details The findingClass - category log field is mapped to the security_result.catgory_details UDM field.
    category security_result.catgory_details The findingClass - category log field is mapped to the security_result.catgory_details UDM field.
    description security_result.description
    indicator.signatures.memoryHashSignature.binaryFamily security_result.detection_fields.key/value [indicator_signatures_memoryHashSignature_binaryFamily]
    indicator.signatures.memoryHashSignature.detections.binary security_result.detection_fields.key/value [indicator_signatures_memoryHashSignature_detections_binary]
    indicator.signatures.memoryHashSignature.detections.percentPagesMatched security_result.detection_fields.key/value [indicator_signatures_memoryHashSignature_detections_percentPagesMatched]
    indicator.signatures.yaraRuleSignature.yararule security_result.detection_fields.key/value [indicator_signatures_yaraRuleSignature_yararule]
    mitreAttack.additionalTactics security_result.detection_fields.key/value [mitreAttack_additionalTactics]
    mitreAttack.additionalTechniques security_result.detection_fields.key/value [mitreAttack_additionalTechniques]
    mitreAttack.primaryTactic security_result.detection_fields.key/value [mitreAttack_primaryTactic]
    mitreAttack.primaryTechniques.0 security_result.detection_fields.key/value [mitreAttack_primaryTechniques]
    mitreAttack.version security_result.detection_fields.key/value [mitreAttack_version]
    muteInitiator security_result.detection_fields.key/value [mute_initiator] If the mute log field value is equal to MUTED or UNMUTED, then the muteInitiator log field is mapped to the security_result.detection_fields.value UDM field.
    muteUpdateTime security_result.detection_fields.key/value [mute_update_time] If the mute log field value is equal to MUTED or UNMUTED, then the muteUpdateTimer log field is mapped to the security_result.detection_fields.value UDM field.
    mute security_result.detection_fields.key/value [mute]
    securityMarks.canonicalName security_result.detection_fields.key/value [securityMarks_cannonicleName]
    securityMarks.marks security_result.detection_fields.key/value [securityMarks_marks]
    securityMarks.name security_result.detection_fields.key/value [securityMarks_name]
    sourceProperties.detectionCategory.indicator security_result.detection_fields.key/value [sourceProperties_detectionCategory_indicator]
    sourceProperties.detectionCategory.technique security_result.detection_fields.key/value [sourceProperties_detectionCategory_technique]
    sourceProperties.properties.anomalousSoftware.anomalousSoftwareClassification security_result.detection_fields.key/value [sourceProperties_properties_anomalousSoftware_anomalousSoftwareClassification] If the category log field value is equal to Persistence: New User Agent, then the sourceProperties.properties.anomalousSoftware.anomalousSoftwareClassification log field is mapped to the security_result.detection_fields.value UDM field.
    sourceProperties.properties.attempts.authResult security_result.detection_fields.key/value [sourceProperties_properties_attempts_authResult] If the category log field value is equal to Brute Force: SSH, then the sourceProperties.properties.attempts.authResult log field is mapped to the security_result.detection_fields.value UDM field.
    sourceProperties.properties.autofocusContextCards.indicator.indicatorType security_result.detection_fields.key/value [sourceProperties_properties_autofocusContextCards_indicator_indicatorType] If the category log field value is equal to Malware: Bad IP, then the sourceProperties.properties.autofocusContextCards.indicator.indicatorType log field is mapped to the security_result.detection_fields.value UDM field.
    sourceProperties.properties.autofocusContextCards.indicator.lastSeenTsGlobal security_result.detection_fields.key/value [sourceProperties_properties_autofocusContextCards_indicator_lastSeenTsGlobal] If the category log field value is equal to Malware: Bad IP, then the sourceProperties.properties.autofocusContextCards.indicator.lastSeenTsGlobal log field is mapped to the security_result.detection_fields.value UDM field.
    sourceProperties.properties.autofocusContextCards.indicator.summaryGenerationTs security_result.detection_fields.key/value [sourceProperties_properties_autofocusContextCards_indicator_summaryGenerationTs] If the category log field value is equal to Malware: Bad IP, then the sourceProperties.properties.autofocusContextCards.indicator.summaryGenerationTs log field is mapped to the security_result.detection_fields.value UDM field.
    sourceProperties.properties.autofocusContextCards.tags.customer_industry security_result.detection_fields.key/value [sourceProperties_properties_autofocusContextCards_tags_customer_industry] If the category log field value is equal to Malware: Bad IP, then the sourceProperties.properties.autofocusContextCards.tags.customer_industry log field is mapped to the security_result.detection_fields.value UDM field.
    sourceProperties.properties.autofocusContextCards.tags.customer_name security_result.detection_fields.key/value [sourceProperties_properties_autofocusContextCards_tags_customer_name] If the category log field value is equal to Malware: Bad IP, then the sourceProperties.properties.autofocusContextCards.tags.customer_name log field is mapped to the security_result.detection_fields.value UDM field.
    sourceProperties.properties.autofocusContextCards.tags.lasthit security_result.detection_fields.key/value [sourceProperties_properties_autofocusContextCards_tags_lasthit] If the category log field value is equal to Malware: Bad IP, then the sourceProperties.properties.autofocusContextCards.tags.lasthit log field is mapped to the security_result.detection_fields.value UDM field.
    sourceProperties.properties.autofocusContextCards.tags.myVote security_result.detection_fields.key/value [sourceProperties_properties_autofocusContextCards_tags_myVote] If the category log field value is equal to Malware: Bad IP, then the sourceProperties.properties.autofocusContextCards.tags.myVote log field is mapped to the security_result.detection_fields.value UDM field.
    sourceProperties.properties.autofocusContextCards.tags.source security_result.detection_fields.key/value [sourceProperties_properties_autofocusContextCards_tags_source] If the category log field value is equal to Malware: Bad IP, then the sourceProperties.properties.autofocusContextCards.tags.source log field is mapped to the security_result.detection_fields.value UDM field.
    sourceProperties.properties.autofocusContextCards.tags.support_id security_result.detection_fields.key/value [sourceProperties_properties_autofocusContextCards_tags_support_id] If the category log field value is equal to Malware: Bad IP, then the sourceProperties.properties.autofocusContextCards.tags.support_id log field is mapped to the security_result.detection_fields.value UDM field.
    sourceProperties.properties.autofocusContextCards.tags.tag_class_id security_result.detection_fields.key/value [sourceProperties_properties_autofocusContextCards_tags_tag_class_id] If the category log field value is equal to Malware: Bad IP, then the sourceProperties.properties.autofocusContextCards.tags.tag_class_id log field is mapped to the security_result.detection_fields.value UDM field.
    sourceProperties.properties.autofocusContextCards.tags.tag_definition_id security_result.detection_fields.key/value [sourceProperties_properties_autofocusContextCards_tags_tag_definition_id] If the category log field value is equal to Malware: Bad IP, then the sourceProperties.properties.autofocusContextCards.tags.tag_definition_id log field is mapped to the security_result.detection_fields.value UDM field.
    sourceProperties.properties.autofocusContextCards.tags.tag_definition_scope_id security_result.detection_fields.key/value [sourceProperties_properties_autofocusContextCards_tags_tag_definition_scope_id] If the category log field value is equal to Malware: Bad IP, then the sourceProperties.properties.autofocusContextCards.tags.tag_definition_scope_id log field is mapped to the security_result.detection_fields.value UDM field.
    sourceProperties.properties.autofocusContextCards.tags.tag_definition_status_id security_result.detection_fields.key/value [sourceProperties_properties_autofocusContextCards_tags_tag_definition_status_id] If the category log field value is equal to Malware: Bad IP, then the sourceProperties.properties.autofocusContextCards.tags.tag_definition_status_id log field is mapped to the security_result.detection_fields.value UDM field.
    sourceProperties.properties.autofocusContextCards.tags.tag_name security_result.detection_fields.key/value [sourceProperties_properties_autofocusContextCards_tags_tag_name] If the category log field value is equal to Malware: Bad IP, then the sourceProperties.properties.autofocusContextCards.tags.tag_name log field is mapped to the security_result.detection_fields.value UDM field.
    sourceProperties.properties.autofocusContextCards.tags.upVotes security_result.detection_fields.key/value [sourceProperties_properties_autofocusContextCards_tags_upVotes] If the category log field value is equal to Malware: Bad IP, then the sourceProperties.properties.autofocusContextCards.tags.upVotes log field is mapped to the security_result.detection_fields.value UDM field.
    sourceProperties.properties.autofocusContextCards.tags.downVotes security_result.detection_fields.key/value [sourceProperties_properties_autofocusContextCards_tagsdownVotes] If the category log field value is equal to Malware: Bad IP, then the sourceProperties.properties.autofocusContextCards.tags.downVotes log field is mapped to the security_result.detection_fields.value UDM field.
    sourceProperties.contextUris.mitreUri.url/displayName security_result.detection_fields.key/value [sourceProperties.contextUris.mitreUri.url/displayName]
    sourceProperties.contextUris.relatedFindingUri.url/displayName metadata.url_back_to_product If the category log field value is equal to Active Scan: Log4j Vulnerable to RCE or Exfiltration: BigQuery Data Extraction or Exfiltration: BigQuery Data to Google Drive or Exfiltration: CloudSQL Data Exfiltration or Exfiltration: CloudSQL Over-Privileged Grant or Exfiltration: CloudSQL Restore Backup to External Organization or Initial Access: Log4j Compromise Attempt or Malware: Cryptomining Bad Domain or Malware: Cryptomining Bad IP or Persistence: IAM Anomalous Grant, then the security_result.detection_fields.key UDM field is set to sourceProperties_contextUris_relatedFindingUri_url and the sourceProperties.contextUris.relatedFindingUri.url log field is mapped to the metadata.url_back_to_product UDM field.
    sourceProperties.contextUris.virustotalIndicatorQueryUri.url/displayName security_result.detection_fields.key/value [sourceProperties.contextUris.virustotalIndicatorQueryUri.url/displayName] If the category log field value is equal to Malware: Bad Domain or Malware: Bad IP or Malware: Cryptomining Bad Domain or Malware: Cryptomining Bad IP, then the sourceProperties.contextUris.virustotalIndicatorQueryUri.displayName log field is mapped to the security_result.detection_fields.key UDM field and the sourceProperties.contextUris.virustotalIndicatorQueryUri.url log field is mapped to the security_result.detection_fields.value UDM field.
    sourceProperties.contextUris.workspacesUri.url/displayName security_result.detection_fields.key/value [sourceProperties.contextUris.workspacesUri.url/displayName] If the category log field value is equal to Initial Access: Account Disabled Hijacked or Initial Access: Disabled Password Leak or Initial Access: Government Based Attack or Initial Access: Suspicious Login Blocked or Impair Defenses: Strong Authentication Disabled or Persistence: SSO Enablement Toggle or Persistence: SSO Settings Changed, then the sourceProperties.contextUris.workspacesUri.displayName log field is mapped to the security_result.detection_fields.key UDM field and the sourceProperties.contextUris.workspacesUri.url log field is mapped to the security_result.detection_fields.value UDM field.
    sourceProperties.properties.autofocusContextCards.tags.public_tag_name security_result.detection_fields.key/value [sourceProperties.properties.autofocusContextCards.tags.public_tag_name/description] If the category log field value is equal to Malware: Bad IP, then the sourceProperties.properties.autofocusContextCards.tags.public_tag_name log field is mapped to the intermediary.labels.key UDM field.
    sourceProperties.properties.autofocusContextCards.tags.description security_result.detection_fields.key/value [sourceProperties.properties.autofocusContextCards.tags.public_tag_name/description] If the category log field value is equal to Malware: Bad IP, then the sourceProperties.properties.autofocusContextCards.tags.description log field is mapped to the intermediary.labels.value UDM field.
    sourceProperties.properties.autofocusContextCards.indicator.firstSeenTsGlobal security_result.detection_fields.key/value [sourcePropertiesproperties_autofocusContextCards_indicator_firstSeenTsGlobal] If the category log field value is equal to Malware: Bad IP, then the sourceProperties.properties.autofocusContextCards.indicator.firstSeenTsGlobal log field is mapped to the security_result.detection_fields.value UDM field.
    createTime security_result.detection_fields.key/value [create_time]
    nextSteps security_result.outcomes.key/value [next_steps]
    sourceProperties.detectionPriority security_result.priority If the sourceProperties.detectionPriority log field value is equal to HIGH, then the security_result.priority UDM field is set to HIGH_PRIORITY. Else, if the sourceProperties.detectionPriority log field value is equal to MEDIUM, then the security_result.priority UDM field is set to MEDIUM_PRIORITY. Else, if the sourceProperties.detectionPriority log field value is equal to LOW, then the security_result.priority UDM field is set to LOW_PRIORITY.
    sourceProperties.detectionPriority security_result.priority_details
    sourceProperties.detectionCategory.subRuleName security_result.rule_labels.key/value [sourceProperties_detectionCategory_subRuleName]
    sourceProperties.detectionCategory.ruleName security_result.rule_name
    severity security_result.severity
    sourceProperties.properties.vpcViolation.violationReason security_result.summary If the category log field value is equal to Exfiltration: BigQuery Exfiltration, then the sourceProperties.properties.vpcViolation.violationReason log field is mapped to the security_result.summary UDM field.
    name security_result.url_back_to_product
    database.query src.process.command_line If the category log field value is equal to Exfiltration: CloudSQL Over-Privileged Grant, then the database.query log field is mapped to the src.process.command_line UDM field.
    resource.folders.resourceFolderDisplayName src.resource_ancestors.attribute.labels.key/value [resource_folders_resourceFolderDisplayName] If the category log field value is equal to Exfiltration: BigQuery Data to Google Drive, then the resource.folders.resourceFolderDisplayName log field is mapped to the src.resource_ancestors.attribute.labels.value UDM field.
    resource.parentDisplayName src.resource_ancestors.attribute.labels.key/value [resource_parentDisplayName] If the category log field value is equal to Exfiltration: BigQuery Data to Google Drive, then the resource.parentDisplayName log field is mapped to the src.resource_ancestors.attribute.labels.value UDM field.
    resource.parentName src.resource_ancestors.attribute.labels.key/value [resource_parentName] If the category log field value is equal to Exfiltration: BigQuery Data to Google Drive, then the resource.parentName log field is mapped to the src.resource_ancestors.attribute.labels.value UDM field.
    resource.projectDisplayName src.resource_ancestors.attribute.labels.key/value [resource_projectDisplayName] If the category log field value is equal to Exfiltration: BigQuery Data to Google Drive, then the resource.projectDisplayName log field is mapped to the src.resource_ancestors.attribute.labels.value UDM field.
    sourceProperties.properties.dataExfiltrationAttempt.sourceTables.datasetId src.resource_ancestors.attribute.labels.key/value [sourceProperties_properties_dataExfiltrationAttempt_sourceTables_datasetId] If the category log field value is equal to Exfiltration: BigQuery Data Exfiltration, then the sourceProperties.properties.dataExfiltrationAttempt.sourceTables.datasetId log field is mapped to the src.resource_ancestors.attribute.labels.value UDM field.
    sourceProperties.properties.dataExfiltrationAttempt.sourceTables.projectId src.resource_ancestors.attribute.labels.key/value [sourceProperties_properties_dataExfiltrationAttempt_sourceTables_projectId] If the category log field value is equal to Exfiltration: BigQuery Data Exfiltration, then the sourceProperties.properties.dataExfiltrationAttempt.sourceTables.projectId log field is mapped to the src.resource_ancestors.attribute.labels.value UDM field.
    sourceProperties.properties.dataExfiltrationAttempt.sourceTables.resourceUri src.resource_ancestors.attribute.labels.key/value [sourceProperties_properties_dataExfiltrationAttempt_sourceTables_resourceUri] If the category log field value is equal to Exfiltration: BigQuery Data Exfiltration, then the sourceProperties.properties.dataExfiltrationAttempt.sourceTables.resourceUri log field is mapped to the src.resource_ancestors.attribute.labels.value UDM field.
    parent src.resource_ancestors.name If the category log field value is equal to Exfiltration: BigQuery Data Extraction or Exfiltration: BigQuery Data to Google Drive or Exfiltration: BigQuery Data Exfiltration, then the parent log field is mapped to the src.resource_ancestors.name UDM field.
    sourceProperties.properties.dataExfiltrationAttempt.sourceTables.tableId src.resource_ancestors.name If the category log field value is equal to Exfiltration: BigQuery Data Exfiltration, then the sourceProperties.properties.dataExfiltrationAttempt.sourceTables.tableId log field is mapped to the src.resource_ancestors.name UDM field and the src.resource_ancestors.resource_type UDM field is set to TABLE.
    resourceName src.resource_ancestors.name If the category log field value is equal to Exfiltration: CloudSQL Restore Backup to External Organization, then the resourceName log field is mapped to the src.resource_ancestors.name UDM field.
    resource.folders.resourceFolder src.resource_ancestors.name If the category log field value is equal to Exfiltration: BigQuery Data to Google Drive, then the resource.folders.resourceFolder log field is mapped to the src.resource_ancestors.name UDM field.
    sourceProperties.sourceId.customerOrganizationNumber src.resource_ancestors.product_object_id If the category log field value is equal to Exfiltration: BigQuery Data Extraction or Exfiltration: BigQuery Data to Google Drive or Exfiltration: BigQuery Data Exfiltration, then the sourceProperties.sourceId.customerOrganizationNumber log field is mapped to the src.resource_ancestors.product_object_id UDM field.
    sourceProperties.sourceId.projectNumber src.resource_ancestors.product_object_id If the category log field value is equal to Exfiltration: BigQuery Data Extraction or Exfiltration: BigQuery Data to Google Drive or Exfiltration: BigQuery Data Exfiltration, then the sourceProperties.sourceId.projectNumber log field is mapped to the src.resource_ancestors.product_object_id UDM field.
    sourceProperties.sourceId.organizationNumber src.resource_ancestors.product_object_id If the category log field value is equal to Exfiltration: BigQuery Data Extraction or Exfiltration: BigQuery Data to Google Drive or Exfiltration: BigQuery Data Exfiltration, then the sourceProperties.sourceId.organizationNumber log field is mapped to the src.resource_ancestors.product_object_id UDM field.
    resource.type src.resource_ancestors.resource_subtype If the category log field value is equal to Exfiltration: BigQuery Data to Google Drive, then the resource.type log field is mapped to the src.resource_ancestors.resource_subtype UDM field.
    database.displayName src.resource.attribute.labels.key/value [database_displayName] If the category log field value is equal to Exfiltration: CloudSQL Over-Privileged Grant, then the database.displayName log field is mapped to the src.resource.attribute.labels.value UDM field.
    database.grantees src.resource.attribute.labels.key/value [database_grantees] If the category log field value is equal to Exfiltration: CloudSQL Over-Privileged Grant, then the src.resource.attribute.labels.key UDM field is set to grantees and the database.grantees log field is mapped to the src.resource.attribute.labels.value UDM field.
    resource.displayName src.resource.attribute.labels.key/value [resource_displayName] If the category log field value is equal to Exfiltration: BigQuery Data Exfiltration or Exfiltration: BigQuery Data to Google Drive, then the resource.displayName log field is mapped to the src.resource.attribute.labels.value UDM field.
    resource.displayName principal.hostname If the resource.type log field value matches the regular expression pattern (?i)google.compute.Instance or google.container.Cluster, then the resource.displayName log field is mapped to the principal.hostname UDM field.
    resource.display_name src.resource.attribute.labels.key/value [resource_display_name] If the category log field value is equal to Exfiltration: BigQuery Data Exfiltration or Exfiltration: BigQuery Data to Google Drive, then the resource.display_name log field is mapped to the src.resource.attribute.labels.value UDM field.
    sourceProperties.properties.extractionAttempt.sourceTable.datasetId src.resource.attribute.labels.key/value [sourceProperties_properties_extractionAttempt_sourceTable_datasetId] If the category log field value is equal to Exfiltration: BigQuery Data Extraction or Exfiltration: BigQuery Data to Google Drive, then the sourceProperties.properties.extractionAttempt.sourceTable.datasetId log field is mapped to the src.resource.attribute.labels.value UDM field.
    sourceProperties.properties.extractionAttempt.sourceTable.projectId src.resource.attribute.labels.key/value [sourceProperties_properties_extractionAttempt_sourceTable_projectId] If the category log field value is equal to Exfiltration: BigQuery Data Extraction or Exfiltration: BigQuery Data to Google Drive, then the sourceProperties.properties.extractionAttempt.sourceTable.projectId log field is mapped to the src.resource.attribute.labels.value UDM field.
    sourceProperties.properties.extractionAttempt.sourceTable.resourceUri src.resource.attribute.labels.key/value [sourceProperties_properties_extractionAttempt_sourceTable_resourceUri] If the category log field value is equal to Exfiltration: BigQuery Data Extraction or Exfiltration: BigQuery Data to Google Drive, then the sourceProperties.properties.extractionAttempt.sourceTable.resourceUri log field is mapped to the src.resource.attribute.labels.value UDM field.
    sourceProperties.properties.restoreToExternalInstance.backupId src.resource.attribute.labels.key/value [sourceProperties_properties_restoreToExternalInstance_backupId] If the category log field value is equal to Exfiltration: CloudSQL Restore Backup to External Organization, then the sourceProperties.properties.restoreToExternalInstance.backupId log field is mapped to the src.resource.attribute.labels.value UDM field.
    exfiltration.sources.components src.resource.attribute.labels.key/value [exfiltration_sources_components] If the category log field value is equal to Exfiltration: CloudSQL Data Exfiltration or Exfiltration: BigQuery Data Extraction, then the exfiltration.sources.components log field is mapped to the src.resource.attribute.labels.value UDM field.
    resourceName src.resource.name If the category log field value is equal to Exfiltration: BigQuery Data Extraction or Exfiltration: BigQuery Data to Google Drive or Exfiltration: BigQuery Data Exfiltration, then the exfiltration.sources.name log field is mapped to the src.resource.name UDM field and the resourceName log field is mapped to the src.resource_ancestors.name UDM field.
    sourceProperties.properties.restoreToExternalInstance.sourceCloudsqlInstanceResource src.resource.name If the category log field value is equal to Exfiltration: CloudSQL Restore Backup to External Organization, then the sourceProperties.properties.restoreToExternalInstance.sourceCloudsqlInstanceResource log field is mapped to the src.resource.name UDM field and the src.resource.resource_subtype UDM field is set to CloudSQL.
    sourceProperties.properties.exportToGcs.cloudsqlInstanceResource src.resource.name If the category log field value is equal to Exfiltration: CloudSQL Restore Backup to External Organization, then the sourceProperties.properties.restoreToExternalInstance.sourceCloudsqlInstanceResource log field is mapped to the src.resource.name UDM field and the src.resource.resource_subtype UDM field is set to CloudSQL. Else, if the category log field value is equal to Exfiltration: CloudSQL Data Exfiltration, then the sourceProperties.properties.exportToGcs.cloudsqlInstanceResource log field is mapped to the src.resource.name UDM field and the src.resource.resource_subtype UDM field is set to CloudSQL.
    database.name src.resource.name
    exfiltration.sources.name src.resource.name If the category log field value is equal to Exfiltration: BigQuery Data Extraction or Exfiltration: BigQuery Data to Google Drive or Exfiltration: BigQuery Data Exfiltration, then the exfiltration.sources.name log field is mapped to the src.resource.name UDM field and the resourceName log field is mapped to the src.resource_ancestors.name UDM field.
    sourceProperties.properties.extractionAttempt.sourceTable.tableId src.resource.product_object_id If the category log field value is equal to Exfiltration: BigQuery Data Extraction or Exfiltration: BigQuery Data to Google Drive, then the sourceProperties.properties.extractionAttempt.sourceTable.tableId log field is mapped to the src.resource.product_object_id UDM field.
    access.serviceName target.application If the category log field value is equal to Defense Evasion: Modify VPC Service Control or Exfiltration: BigQuery Data Extraction or Exfiltration: BigQuery Data to Google Drive or Exfiltration: CloudSQL Data Exfiltration or Exfiltration: CloudSQL Restore Backup to External Organization or Exfiltration: CloudSQL Over-Privileged Grant or Persistence: New Geography or Persistence: IAM Anomalous Grant, then the access.serviceName log field is mapped to the target.application UDM field.
    sourceProperties.properties.serviceName target.application If the category log field value is equal to Initial Access: Account Disabled Hijacked or Initial Access: Disabled Password Leak or Initial Access: Government Based Attack or Initial Access: Suspicious Login Blocked or Impair Defenses: Strong Authentication Disabled or Impair Defenses: Two Step Verification Disabled or Persistence: SSO Enablement Toggle or Persistence: SSO Settings Changed, then the sourceProperties.properties.serviceName log field is mapped to the target.application UDM field.
    sourceProperties.properties.domainName target.domain.name If the category log field value is equal to Persistence: SSO Enablement Toggle or Persistence: SSO Settings Changed, then the sourceProperties.properties.domainName log field is mapped to the target.domain.name UDM field.
    sourceProperties.properties.domains.0 target.domain.name If the category log field value is equal to Malware: Bad Domain or Malware: Cryptomining Bad Domain or Configurable Bad Domain, then the sourceProperties.properties.domains.0 log field is mapped to the target.domain.name UDM field.
    sourceProperties.properties.sensitiveRoleGrant.bindingDeltas.action target.group.attribute.labels.key/value [sourceProperties_properties_sensitiveRoleGrant_bindingDeltas_action] If the category log field value is equal to Persistence: IAM Anomalous Grant, then the sourceProperties.properties.sensitiveRoleGrant.bindingDeltas.action log field is mapped to the target.group.attribute.labels.value UDM field.
    sourceProperties.properties.sensitiveRoleToHybridGroup.bindingDeltas.action target.group.attribute.labels.key/value [sourceProperties_properties_sensitiveRoleToHybridGroup_bindingDeltas_action] If the category log field value is equal to Credential Access: Sensitive Role Granted To Hybrid Group, then the sourceProperties.properties.sensitiveRoleToHybridGroup.bindingDeltas.action log field is mapped to the target.group.attribute.labels.value UDM field.
    sourceProperties.properties.sensitiveRoleGrant.bindingDeltas.member target.group.attribute.labels.key/value [sourceProperties_properties_sensitiveRoleGrant_bindingDeltas_member] If the category log field value is equal to Persistence: IAM Anomalous Grant, then the sourceProperties.properties.sensitiveRoleGrant.bindingDeltas.member log field is mapped to the target.group.attribute.labels.value UDM field.
    sourceProperties.properties.sensitiveRoleToHybridGroup.bindingDeltas.member target.group.attribute.labels.key/value [sourceProperties_properties_sensitiveRoleToHybridGroup] If the category log field value is equal to Credential Access: Sensitive Role Granted To Hybrid Group, then the sourceProperties.properties.sensitiveRoleToHybridGroup.bindingDeltas.member log field is mapped to the target.group.attribute.labels.value UDM field.
    sourceProperties.properties.privilegedGroupOpenedToPublic.whoCanJoin target.group.attribute.permissions.name If the category log field value is equal to Credential Access: Privileged Group Opened To Public, then the sourceProperties.properties.privilegedGroupOpenedToPublic.whoCanJoin log field is mapped to the target.group.attribute.permissions.name UDM field.
    sourceProperties.properties.customRoleSensitivePermissions.permissions target.group.attribute.permissions.name If the category log field value is equal to Persistence: IAM Anomalous Grant, then the sourceProperties.properties.customRoleSensitivePermissions.permissions log field is mapped to the target.group.attribute.permissions.name UDM field.
    sourceProperties.properties.externalMemberAddedToPrivilegedGroup.sensitiveRoles.roleName target.group.attribute.roles.name If the category log field value is equal to Credential Access: External Member Added To Privileged Group, then the sourceProperties.properties.externalMemberAddedToPrivilegedGroup.sensitiveRoles.roleName log field is mapped to the target.group.attribute.roles.name UDM field.
    sourceProperties.properties.sensitiveRoleToHybridGroup.bindingDeltas.role target.group.attribute.roles.name If the category log field value is equal to Credential Access: Sensitive Role Granted To Hybrid Group, then the sourceProperties.properties.sensitiveRoleToHybridGroup.bindingDeltas.role log field is mapped to the target.group.attribute.roles.name UDM field.
    sourceProperties.properties.sensitiveRoleGrant.bindingDeltas.role target.group.attribute.roles.name If the category log field value is equal to Persistence: IAM Anomalous Grant, then the sourceProperties.properties.sensitiveRoleGrant.bindingDeltas.role log field is mapped to the target.group.attribute.roles.name UDM field.
    sourceProperties.properties.privilegedGroupOpenedToPublic.sensitiveRoles.roleName target.group.attribute.roles.name If the category log field value is equal to Credential Access: Privileged Group Opened To Public, then the sourceProperties.properties.privilegedGroupOpenedToPublic.sensitiveRoles.roleName log field is mapped to the target.group.attribute.roles.name UDM field.
    sourceProperties.properties.customRoleSensitivePermissions.roleName target.group.attribute.roles.name If the category log field value is equal to Persistence: IAM Anomalous Grant, then the sourceProperties.properties.customRoleSensitivePermissions.roleName log field is mapped to the target.group.attribute.roles.name UDM field.
    sourceProperties.properties.externalMemberAddedToPrivilegedGroup.groupName target.group.group_display_name If the category log field value is equal to Credential Access: External Member Added To Privileged Group, then the sourceProperties.properties.externalMemberAddedToPrivilegedGroup.groupName log field is mapped to the target.group.group_display_name UDM field.
    sourceProperties.properties.privilegedGroupOpenedToPublic.groupName target.group.group_display_name If the category log field value is equal to Credential Access: Privileged Group Opened To Public, then the sourceProperties.properties.privilegedGroupOpenedToPublic.groupName log field is mapped to the target.group.group_display_name UDM field.
    sourceProperties.properties.sensitiveRoleToHybridGroup.groupName target.group.group_display_name If the category log field value is equal to Credential Access: Sensitive Role Granted To Hybrid Group, then the sourceProperties.properties.sensitiveRoleToHybridGroup.groupName log field is mapped to the target.group.group_display_name UDM field.
    sourceProperties.properties.ipConnection.destIp target.ip If the category log field value is equal to Malware: Bad IP or Malware: Cryptomining Bad IP or Malware: Outgoing DoS, then the sourceProperties.properties.ipConnection.destIp log field is mapped to the target.ip UDM field.
    access.methodName target.labels [access_methodName] (deprecated)
    access.methodName additional.fields [access_methodName]
    processes.argumentsTruncated target.labels [processes_argumentsTruncated] (deprecated)
    processes.argumentsTruncated additional.fields [processes_argumentsTruncated]
    processes.binary.contents target.labels [processes_binary_contents] (deprecated)
    processes.binary.contents additional.fields [processes_binary_contents]
    processes.binary.hashedSize target.labels [processes_binary_hashedSize] (deprecated)
    processes.binary.hashedSize additional.fields [processes_binary_hashedSize]
    processes.binary.partiallyHashed target.labels [processes_binary_partiallyHashed] (deprecated)
    processes.binary.partiallyHashed additional.fields [processes_binary_partiallyHashed]
    processes.envVariables.name target.labels [processes_envVariables_name] (deprecated)
    processes.envVariables.name additional.fields [processes_envVariables_name]
    processes.envVariables.val target.labels [processes_envVariables_val] (deprecated)
    processes.envVariables.val additional.fields [processes_envVariables_val]
    processes.envVariablesTruncated target.labels [processes_envVariablesTruncated] (deprecated)
    processes.envVariablesTruncated additional.fields [processes_envVariablesTruncated]
    processes.libraries.contents target.labels [processes_libraries_contents] (deprecated)
    processes.libraries.contents additional.fields [processes_libraries_contents]
    processes.libraries.hashedSize target.labels [processes_libraries_hashedSize] (deprecated)
    processes.libraries.hashedSize additional.fields [processes_libraries_hashedSize]
    processes.libraries.partiallyHashed target.labels [processes_libraries_partiallyHashed] (deprecated)
    processes.libraries.partiallyHashed additional.fields [processes_libraries_partiallyHashed]
    processes.script.contents target.labels [processes_script_contents] (deprecated)
    processes.script.contents additional.fields [processes_script_contents]
    processes.script.hashedSize target.labels [processes_script_hashedSize] (deprecated)
    processes.script.hashedSize additional.fields [processes_script_hashedSize]
    processes.script.partiallyHashed target.labels [processes_script_partiallyHashed] (deprecated)
    processes.script.partiallyHashed additional.fields [processes_script_partiallyHashed]
    sourceProperties.properties.methodName target.labels [sourceProperties_properties_methodName] (deprecated) If the category log field value is equal to Impair Defenses: Strong Authentication Disabled or Initial Access: Government Based Attack or Initial Access: Suspicious Login Blocked or Persistence: SSO Enablement Toggle or Persistence: SSO Settings Changed, then the sourceProperties.properties.methodName log field is mapped to the target.labels.value UDM field.
    sourceProperties.properties.methodName additional.fields [sourceProperties_properties_methodName] If the category log field value is equal to Impair Defenses: Strong Authentication Disabled or Initial Access: Government Based Attack or Initial Access: Suspicious Login Blocked or Persistence: SSO Enablement Toggle or Persistence: SSO Settings Changed, then the sourceProperties.properties.methodName log field is mapped to the additional.fields.value.string_value UDM field.
    sourceProperties.properties.network.location target.location.name If the category log field value is equal to Malware: Bad Domain or Malware: Bad IP or Malware: Cryptomining Bad IP or Malware: Cryptomining Bad Domain or Configurable Bad Domain, then the sourceProperties.properties.network.location log field is mapped to the target.location.name UDM field.
    processes.parentPid target.parent_process.pid
    sourceProperties.properties.ipConnection.destPort target.port If the category log field value is equal to Malware: Bad IP or Malware: Outgoing DoS, then the sourceProperties.properties.ipConnection.destPort log field is mapped to the target.port UDM field.
    sourceProperties.properties.dataExfiltrationAttempt.query target.process.command_line If the category log field value is equal to Exfiltration: BigQuery Data Exfiltration, then the sourceProperties.properties.dataExfiltrationAttempt.query log field is mapped to the target.process.command_line UDM field.
    processes.args target.process.command_line_history [processes.args]
    processes.name target.process.file.full_path
    processes.binary.path target.process.file.full_path
    processes.libraries.path target.process.file.full_path
    processes.script.path target.process.file.full_path
    processes.binary.sha256 target.process.file.sha256
    processes.libraries.sha256 target.process.file.sha256
    processes.script.sha256 target.process.file.sha256
    processes.binary.size target.process.file.size
    processes.libraries.size target.process.file.size
    processes.script.size target.process.file.size
    processes.pid target.process.pid
    containers.uri target.resource_ancestors.attribute.labels.key/value [containers_uri]
    containers.labels.name/value target.resource_ancestors.attribute.labels.key/value [containers.labels.name/value] The containers.labels.name log field is mapped to the target.resource_ancestors.attribute.labels.key UDM field and the containers.labels.value log field is mapped to the target.resource_ancestors.attribute.labels.value UDM field.
    sourceProperties.properties.destVpc.projectId target.resource_ancestors.attribute.labels.key/value [sourceProperties_properties_destVpc_projectId] If the category log field value is equal to Malware: Cryptomining Bad IP or Malware: Bad IP, then the sourceProperties.properties.destVpc.projectId log field is mapped to the target.resource_ancestors.attribute.labels.value UDM field.
    sourceProperties.properties.destVpc.subnetworkName target.resource_ancestors.attribute.labels.key/value [sourceProperties_properties_destVpc_subnetworkName] If the category log field value is equal to Malware: Cryptomining Bad IP or Malware: Bad IP, then the sourceProperties.properties.destVpc.subnetworkName log field is mapped to the target.resource_ancestors.attribute.labels.value UDM field.
    sourceProperties.properties.network.subnetworkName target.resource_ancestors.key/value [sourceProperties_properties_network_subnetworkName] If the category log field value is equal to Malware: Bad IP or Malware: Cryptomining Bad IP, then the sourceProperties.properties.network.subnetworkName log field is mapped to the target.resource_ancestors.value UDM field.
    sourceProperties.properties.network.subnetworkId target.resource_ancestors.labels.key/value [sourceProperties_properties_network_subnetworkId] If the category log field value is equal to Malware: Bad IP or Malware: Cryptomining Bad IP, then the sourceProperties.properties.network.subnetworkId log field is mapped to the target.resource_ancestors.value UDM field.
    sourceProperties.affectedResources.gcpResourceName target.resource_ancestors.name If the category log field value is equal to Malware: Cryptomining Bad IP or Malware: Bad IP or Malware: Cryptomining Bad Domain or Malware: Bad Domain or Configurable Bad Domain, then the sourceProperties.properties.destVpc.vpcName log field is mapped to the target.resource_ancestors.name UDM field and the sourceProperties.properties.vpc.vpcName log field is mapped to the target.resource_ancestors.name UDM field and the target.resource_ancestors.resource_type UDM field is set to VPC_NETWORK.

    Else if the category log field value is equal to Active Scan: Log4j Vulnerable to RCE, then the sourceProperties.properties.vpcName log field is mapped to the target.resource_ancestors.name UDM field and the target.resource_ancestors.resource_type UDM field is set to VIRTUAL_MACHINE.

    Else if the category log field value is equal to Malware: Bad Domain or Malware: Bad IP or Malware: Cryptomining Bad IP, then the resourceName log field is mapped to the target.resource_ancestors.name UDM field.

    Else if the category log field value is equal to Brute Force: SSH, then the resourceName log field is mapped to the target.resource_ancestors.name UDM field.

    Else if the category log field value is equal to Persistence: GCE Admin Added SSH Key or Persistence: GCE Admin Added Startup Script, then the sourceProperties.properties.projectId log field is mapped to the target.resource_ancestors.name UDM field.

    Else if the category log field value is equal to Increasing Deny Ratio or Allowed Traffic Spike, then the resourceName log field is mapped to the target.resource_ancestors.name UDM field.
    sourceProperties.properties.destVpc.vpcName target.resource_ancestors.name If the category log field value is equal to Malware: Cryptomining Bad IP or Malware: Bad IP or Malware: Cryptomining Bad Domain or Malware: Bad Domain or Configurable Bad Domain, then the sourceProperties.properties.destVpc.vpcName log field is mapped to the target.resource_ancestors.name UDM field and the sourceProperties.properties.vpc.vpcName log field is mapped to the target.resource_ancestors.name UDM field and the target.resource_ancestors.resource_type UDM field is set to VPC_NETWORK.

    Else if the category log field value is equal to Active Scan: Log4j Vulnerable to RCE, then the sourceProperties.properties.vpcName log field is mapped to the target.resource_ancestors.name UDM field and the target.resource_ancestors.resource_type UDM field is set to VIRTUAL_MACHINE.

    Else if the category log field value is equal to Malware: Bad Domain or Malware: Bad IP or Malware: Cryptomining Bad IP, then the resourceName log field is mapped to the target.resource_ancestors.name UDM field.

    Else if the category log field value is equal to Brute Force: SSH, then the resourceName log field is mapped to the target.resource_ancestors.name UDM field.

    Else if the category log field value is equal to Persistence: GCE Admin Added SSH Key or Persistence: GCE Admin Added Startup Script, then the sourceProperties.properties.projectId log field is mapped to the target.resource_ancestors.name UDM field.

    Else if the category log field value is equal to Increasing Deny Ratio or Allowed Traffic Spike, then the resourceName log field is mapped to the target.resource_ancestors.name UDM field.
    sourceProperties.properties.vpcName target.resource_ancestors.name If the category log field value is equal to Malware: Cryptomining Bad IP or Malware: Bad IP or Malware: Cryptomining Bad Domain or Malware: Bad Domain or Configurable Bad Domain, then the sourceProperties.properties.destVpc.vpcName log field is mapped to the target.resource_ancestors.name UDM field and the sourceProperties.properties.vpc.vpcName log field is mapped to the target.resource_ancestors.name UDM field and the target.resource_ancestors.resource_type UDM field is set to VPC_NETWORK.

    Else if the category log field value is equal to Active Scan: Log4j Vulnerable to RCE, then the sourceProperties.properties.vpcName log field is mapped to the target.resource_ancestors.name UDM field and the target.resource_ancestors.resource_type UDM field is set to VIRTUAL_MACHINE.

    Else if the category log field value is equal to Malware: Bad Domain or Malware: Bad IP or Malware: Cryptomining Bad IP, then the resourceName log field is mapped to the target.resource_ancestors.name UDM field.

    Else if the category log field value is equal to Brute Force: SSH, then the resourceName log field is mapped to the target.resource_ancestors.name UDM field.

    Else if the category log field value is equal to Persistence: GCE Admin Added SSH Key or Persistence: GCE Admin Added Startup Script, then the sourceProperties.properties.projectId log field is mapped to the target.resource_ancestors.name UDM field.

    Else if the category log field value is equal to Increasing Deny Ratio or Allowed Traffic Spike, then the resourceName log field is mapped to the target.resource_ancestors.name UDM field.
    resourceName target.resource_ancestors.name If the category log field value is equal to Malware: Cryptomining Bad IP or Malware: Bad IP or Malware: Cryptomining Bad Domain or Malware: Bad Domain or Configurable Bad Domain, then the sourceProperties.properties.destVpc.vpcName log field is mapped to the target.resource_ancestors.name UDM field and the sourceProperties.properties.vpc.vpcName log field is mapped to the target.resource_ancestors.name UDM field and the target.resource_ancestors.resource_type UDM field is set to VPC_NETWORK.

    Else if the category log field value is equal to Active Scan: Log4j Vulnerable to RCE, then the sourceProperties.properties.vpcName log field is mapped to the target.resource_ancestors.name UDM field and the target.resource_ancestors.resource_type UDM field is set to VIRTUAL_MACHINE.

    Else if the category log field value is equal to Malware: Bad Domain or Malware: Bad IP or Malware: Cryptomining Bad IP, then the resourceName log field is mapped to the target.resource_ancestors.name UDM field.

    Else if the category log field value is equal to Brute Force: SSH, then the resourceName log field is mapped to the target.resource_ancestors.name UDM field.

    Else if the category log field value is equal to Persistence: GCE Admin Added SSH Key or Persistence: GCE Admin Added Startup Script, then the sourceProperties.properties.projectId log field is mapped to the target.resource_ancestors.name UDM field.

    Else if the category log field value is equal to Increasing Deny Ratio or Allowed Traffic Spike, then the resourceName log field is mapped to the target.resource_ancestors.name UDM field.
    sourceProperties.properties.projectId target.resource_ancestors.name If the category log field value is equal to Malware: Cryptomining Bad IP or Malware: Bad IP or Malware: Cryptomining Bad Domain or Malware: Bad Domain or Configurable Bad Domain, then the sourceProperties.properties.destVpc.vpcName log field is mapped to the target.resource_ancestors.name UDM field and the sourceProperties.properties.vpc.vpcName log field is mapped to the target.resource_ancestors.name UDM field and the target.resource_ancestors.resource_type UDM field is set to VPC_NETWORK.

    Else if the category log field value is equal to Active Scan: Log4j Vulnerable to RCE, then the sourceProperties.properties.vpcName log field is mapped to the target.resource_ancestors.name UDM field and the target.resource_ancestors.resource_type UDM field is set to VIRTUAL_MACHINE.

    Else if the category log field value is equal to Malware: Bad Domain or Malware: Bad IP or Malware: Cryptomining Bad IP, then the resourceName log field is mapped to the target.resource_ancestors.name UDM field.

    Else if the category log field value is equal to Brute Force: SSH, then the resourceName log field is mapped to the target.resource_ancestors.name UDM field.

    Else if the category log field value is equal to Persistence: GCE Admin Added SSH Key or Persistence: GCE Admin Added Startup Script, then the sourceProperties.properties.projectId log field is mapped to the target.resource_ancestors.name UDM field.

    Else if the category log field value is equal to Increasing Deny Ratio or Allowed Traffic Spike, then the resourceName log field is mapped to the target.resource_ancestors.name UDM field.
    sourceProperties.properties.vpc.vpcName target.resource_ancestors.name If the category log field value is equal to Malware: Cryptomining Bad IP or Malware: Bad IP or Malware: Cryptomining Bad Domain or Malware: Bad Domain or Configurable Bad Domain, then the sourceProperties.properties.destVpc.vpcName log field is mapped to the target.resource_ancestors.name UDM field and the sourceProperties.properties.vpc.vpcName log field is mapped to the target.resource_ancestors.name UDM field and the target.resource_ancestors.resource_type UDM field is set to VPC_NETWORK.

    Else if the category log field value is equal to Active Scan: Log4j Vulnerable to RCE, then the sourceProperties.properties.vpcName log field is mapped to the target.resource_ancestors.name UDM field and the target.resource_ancestors.resource_type UDM field is set to VIRTUAL_MACHINE.

    Else if the category log field value is equal to Malware: Bad Domain or Malware: Bad IP or Malware: Cryptomining Bad IP, then the resourceName log field is mapped to the target.resource_ancestors.name UDM field.

    Else if the category log field value is equal to Brute Force: SSH, then the resourceName log field is mapped to the target.resource_ancestors.name UDM field.

    Else if the category log field value is equal to Persistence: GCE Admin Added SSH Key or Persistence: GCE Admin Added Startup Script, then the sourceProperties.properties.projectId log field is mapped to the target.resource_ancestors.name UDM field.

    Else if the category log field value is equal to Increasing Deny Ratio or Allowed Traffic Spike, then the resourceName log field is mapped to the target.resource_ancestors.name UDM field.
    parent target.resource_ancestors.name If the category log field value is equal to Malware: Cryptomining Bad IP or Malware: Bad IP or Malware: Cryptomining Bad Domain or Malware: Bad Domain or Configurable Bad Domain, then the sourceProperties.properties.destVpc.vpcName log field is mapped to the target.resource_ancestors.name UDM field and the sourceProperties.properties.vpc.vpcName log field is mapped to the target.resource_ancestors.name UDM field and the target.resource_ancestors.resource_type UDM field is set to VPC_NETWORK.

    Else if the category log field value is equal to Active Scan: Log4j Vulnerable to RCE, then the sourceProperties.properties.vpcName log field is mapped to the target.resource_ancestors.name UDM field and the target.resource_ancestors.resource_type UDM field is set to VIRTUAL_MACHINE.

    Else if the category log field value is equal to Malware: Bad Domain or Malware: Bad IP or Malware: Cryptomining Bad IP, then the resourceName log field is mapped to the target.resource_ancestors.name UDM field.

    Else if the category log field value is equal to Brute Force: SSH, then the resourceName log field is mapped to the target.resource_ancestors.name UDM field.

    Else if the category log field value is equal to Persistence: GCE Admin Added SSH Key or Persistence: GCE Admin Added Startup Script, then the sourceProperties.properties.projectId log field is mapped to the target.resource_ancestors.name UDM field.

    Else if the category log field value is equal to Increasing Deny Ratio or Allowed Traffic Spike, then the resourceName log field is mapped to the target.resource_ancestors.name UDM field.
    containers.name target.resource_ancestors.name If the category log field value is equal to Malware: Cryptomining Bad IP or Malware: Bad IP or Malware: Cryptomining Bad Domain or Malware: Bad Domain or Configurable Bad Domain, then the sourceProperties.properties.destVpc.vpcName log field is mapped to the target.resource_ancestors.name UDM field and the sourceProperties.properties.vpc.vpcName log field is mapped to the target.resource_ancestors.name UDM field and the target.resource_ancestors.resource_type UDM field is set to VPC_NETWORK.

    Else if the category log field value is equal to Active Scan: Log4j Vulnerable to RCE, then the sourceProperties.properties.vpcName log field is mapped to the target.resource_ancestors.name UDM field and the target.resource_ancestors.resource_type UDM field is set to VIRTUAL_MACHINE.

    Else if the category log field value is equal to Malware: Bad Domain or Malware: Bad IP or Malware: Cryptomining Bad IP, then the resourceName log field is mapped to the target.resource_ancestors.name UDM field.

    Else if the category log field value is equal to Brute Force: SSH, then the resourceName log field is mapped to the target.resource_ancestors.name UDM field.

    Else if the category log field value is equal to Persistence: GCE Admin Added SSH Key or Persistence: GCE Admin Added Startup Script, then the sourceProperties.properties.projectId log field is mapped to the target.resource_ancestors.name UDM field.

    Else if the category log field value is equal to Increasing Deny Ratio or Allowed Traffic Spike, then the resourceName log field is mapped to the target.resource_ancestors.name UDM field.
    sourceProperties.properties.externalMemberAddedToPrivilegedGroup.sensitiveRoles.resource target.resource_ancestors.name If the category log field value is equal to Credential Access: External Member Added To Privileged Group, then the sourceProperties.properties.externalMemberAddedToPrivilegedGroup.sensitiveRoles.resource log field is mapped to the target.resource_ancestors.name UDM field.
    sourceProperties.properties.privilegedGroupOpenedToPublic.sensitiveRoles.resource target.resource_ancestors.name If the category log field value is equal to Credential Access: Privileged Group Opened To Public, then the sourceProperties.properties.privilegedGroupOpenedToPublic.sensitiveRoles.resource log field is mapped to the target.resource_ancestors.name UDM field.
    kubernetes.pods.containers.name target.resource_ancestors.name If the category log field value is equal to Malware: Cryptomining Bad IP or Malware: Bad IP or Malware: Cryptomining Bad Domain or Malware: Bad Domain or Configurable Bad Domain, then the sourceProperties.properties.destVpc.vpcName log field is mapped to the target.resource_ancestors.name UDM field and the sourceProperties.properties.vpc.vpcName log field is mapped to the target.resource_ancestors.name UDM field and the target.resource_ancestors.resource_type UDM field is set to VPC_NETWORK.

    Else if the category log field value is equal to Active Scan: Log4j Vulnerable to RCE, then the sourceProperties.properties.vpcName log field is mapped to the target.resource_ancestors.name UDM field and the target.resource_ancestors.resource_type UDM field is set to VIRTUAL_MACHINE.

    Else if the category log field value is equal to Malware: Bad Domain or Malware: Bad IP or Malware: Cryptomining Bad IP, then the resourceName log field is mapped to the target.resource_ancestors.name UDM field.

    Else if the category log field value is equal to Brute Force: SSH, then the resourceName log field is mapped to the target.resource_ancestors.name UDM field.

    Else if the category log field value is equal to Persistence: GCE Admin Added SSH Key or Persistence: GCE Admin Added Startup Script, then the sourceProperties.properties.projectId log field is mapped to the target.resource_ancestors.name UDM field.

    Else if the category log field value is equal to Increasing Deny Ratio or Allowed Traffic Spike, then the resourceName log field is mapped to the target.resource_ancestors.name UDM field.
    sourceProperties.properties.gceInstanceId target.resource_ancestors.product_object_id If the category log field value is equal to Persistence: GCE Admin Added Startup Script or Persistence: GCE Admin Added SSH Key, then the sourceProperties.properties.gceInstanceId log field is mapped to the target.resource_ancestors.product_object_id UDM field and the target.resource_ancestors.resource_type UDM field is set to VIRTUAL_MACHINE.
    sourceProperties.sourceId.projectNumber target.resource_ancestors.product_object_id If the category log field value is equal to Persistence: GCE Admin Added Startup Script or Persistence: GCE Admin Added SSH Key, then the target.resource_ancestors.resource_type UDM field is set to VIRTUAL_MACHINE.
    sourceProperties.sourceId.customerOrganizationNumber target.resource_ancestors.product_object_id If the category log field value is equal to Persistence: GCE Admin Added Startup Script or Persistence: GCE Admin Added SSH Key, then the target.resource_ancestors.resource_type UDM field is set to VIRTUAL_MACHINE.
    sourceProperties.sourceId.organizationNumber target.resource_ancestors.product_object_id If the category log field value is equal to Persistence: GCE Admin Added Startup Script or Persistence: GCE Admin Added SSH Key, then the target.resource_ancestors.resource_type UDM field is set to VIRTUAL_MACHINE.
    containers.imageId target.resource_ancestors.product_object_id If the category log field value is equal to Persistence: GCE Admin Added Startup Script or Persistence: GCE Admin Added SSH Key, then the target.resource_ancestors.resource_type UDM field is set to VIRTUAL_MACHINE.
    sourceProperties.properties.zone target.resource.attribute.cloud.availability_zone If the category log field value is equal to Brute Force: SSH, then the sourceProperties.properties.zone log field is mapped to the target.resource.attribute.cloud.availability_zone UDM field.
    canonicalName metadata.product_log_id The finding_id is extracted from the canonicalName log field using a Grok pattern.

    If the finding_id log field value is not empty, then the finding_id log field is mapped to the metadata.product_log_id UDM field.
    canonicalName src.resource.attribute.labels.key/value [finding_id] If the finding_id log field value is not empty, then the finding_id log field is mapped to the src.resource.attribute.labels.key/value [finding_id] UDM field.

    If the category log field value is equal to one of the following values, then the finding_id is extracted from the canonicalName log field using a Grok pattern:
    • Exfiltration: BigQuery Data Extraction
    • Exfiltration: BigQuery Data to Google Drive
    • Exfiltration: BigQuery Data Exfiltration
    • Exfiltration: CloudSQL Restore Backup to External Organization
    canonicalName src.resource.product_object_id If the source_id log field value is not empty, then the source_id log field is mapped to the src.resource.product_object_id UDM field.

    If the category log field value is equal to one of the following values, then the source_id is extracted from the canonicalName log field using a Grok pattern:
    • Exfiltration: BigQuery Data Extraction
    • Exfiltration: BigQuery Data to Google Drive
    • Exfiltration: BigQuery Data Exfiltration
    • Exfiltration: CloudSQL Restore Backup to External Organization
    canonicalName src.resource.attribute.labels.key/value [source_id] If the source_id log field value is not empty, then the source_id log field is mapped to the src.resource.attribute.labels.key/value [source_id] UDM field.

    If the category log field value is equal to one of the following values, then the source_id is extracted from the canonicalName log field using a Grok pattern:
    • Exfiltration: BigQuery Data Extraction
    • Exfiltration: BigQuery Data to Google Drive
    • Exfiltration: BigQuery Data Exfiltration
    • Exfiltration: CloudSQL Restore Backup to External Organization
    canonicalName target.resource.attribute.labels.key/value [finding_id] If the finding_id log field value is not empty, then the finding_id log field is mapped to the target.resource.attribute.labels.key/value [finding_id] UDM field.

    If the category log field value is not equal to any of the following values, then the finding_id is extracted from the canonicalName log field using a Grok pattern:
    • Exfiltration: BigQuery Data Extraction
    • Exfiltration: BigQuery Data to Google Drive
    • Exfiltration: BigQuery Data Exfiltration
    • Exfiltration: CloudSQL Restore Backup to External Organization
    canonicalName target.resource.product_object_id If the source_id log field value is not empty, then the source_id log field is mapped to the target.resource.product_object_id UDM field.

    If the category log field value is not equal to any of the following values, then the source_id is extracted from the canonicalName log field using a Grok pattern:
    • Exfiltration: BigQuery Data Extraction
    • Exfiltration: BigQuery Data to Google Drive
    • Exfiltration: BigQuery Data Exfiltration
    • Exfiltration: CloudSQL Restore Backup to External Organization
    canonicalName target.resource.attribute.labels.key/value [source_id] If the source_id log field value is not empty, then the source_id log field is mapped to the target.resource.attribute.labels.key/value [source_id] UDM field.

    If the category log field value is not equal to any of the following values, then the source_id is extracted from the canonicalName log field using a Grok pattern:
    • Exfiltration: BigQuery Data Extraction
    • Exfiltration: BigQuery Data to Google Drive
    • Exfiltration: BigQuery Data Exfiltration
    • Exfiltration: CloudSQL Restore Backup to External Organization
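The canonicalName handling described in the rows above (extracting source_id and finding_id, then routing them to src.* or target.* fields depending on the category) as an added Python example. This is not the parser's own code and the page does not give its Grok pattern; the canonical-name layout parsed here is assumed from the Security Command Center API resource naming, and the sample findings are constructed.

```python
import re

# Assumed canonical-name layout (from the Security Command Center API, not from
# this page), e.g. projects/123456/sources/987/findings/abc123
CANONICAL_NAME_RE = re.compile(
    r"^(?:organizations|folders|projects)/[^/]+"
    r"/sources/(?P<source_id>[^/]+)"
    r"/findings/(?P<finding_id>[^/]+)$"
)

# Categories for which the table routes source_id and finding_id to src.* fields;
# every other category routes them to the corresponding target.* fields.
SRC_ROUTED_CATEGORIES = frozenset({
    "Exfiltration: BigQuery Data Extraction",
    "Exfiltration: BigQuery Data to Google Drive",
    "Exfiltration: BigQuery Data Exfiltration",
    "Exfiltration: CloudSQL Restore Backup to External Organization",
})


def extract_ids(canonical_name):
    """Return (source_id, finding_id), or (None, None) if the name does not parse."""
    m = CANONICAL_NAME_RE.match(canonical_name or "")
    if not m:
        return None, None
    return m.group("source_id"), m.group("finding_id")


def map_canonical_name(finding):
    """Build the UDM fields this table derives from canonicalName for one raw finding.

    Returns a flat dict keyed by UDM path. The prefix is 'src' for the four
    Exfiltration categories listed in the table and 'target' otherwise. Empty
    ids produce no fields, matching the table's "if ... is not empty" conditions.
    metadata.product_log_id is set from finding_id regardless of category.
    """
    source_id, finding_id = extract_ids(finding.get("canonicalName"))
    prefix = "src" if finding.get("category") in SRC_ROUTED_CATEGORIES else "target"
    udm = {}
    if finding_id:
        udm["metadata.product_log_id"] = finding_id
        udm[f"{prefix}.resource.attribute.labels[finding_id]"] = finding_id
    if source_id:
        udm[f"{prefix}.resource.product_object_id"] = source_id
        udm[f"{prefix}.resource.attribute.labels[source_id]"] = source_id
    return udm


if __name__ == "__main__":
    # Constructed sample findings; the ids are placeholders, not real values.
    samples = [
        {"category": "Brute Force: SSH",
         "canonicalName": "projects/123456/sources/987/findings/abc123"},
        {"category": "Exfiltration: BigQuery Data Exfiltration",
         "canonicalName": "organizations/111/sources/987/findings/f1"},
        {"category": "Malware: Bad IP", "canonicalName": ""},
    ]
    for s in samples:
        print(s["category"], "->", map_canonical_name(s))
```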
    sourceProperties.properties.dataExfiltrationAttempt.destinationTables.datasetId target.resource.attribute.labels.key/value [sourceProperties_properties_dataExfiltrationAttempt_destinationTables_datasetId] If the category log field value is equal to Exfiltration: BigQuery Data Exfiltration, then the sourceProperties.properties.dataExfiltrationAttempt.destinationTables.datasetId log field is mapped to the target.resource.attribute.labels.value UDM field.
    sourceProperties.properties.dataExfiltrationAttempt.destinationTables.projectId target.resource.attribute.labels.key/value [sourceProperties_properties_dataExfiltrationAttempt_destinationTables_projectId] If the category log field value is equal to Exfiltration: BigQuery Data Exfiltration, then the sourceProperties.properties.dataExfiltrationAttempt.destinationTables.projectId log field is mapped to the target.resource.attribute.labels.value UDM field.
    sourceProperties.properties.dataExfiltrationAttempt.destinationTables.resourceUri target.resource.attribute.labels.key/value [sourceProperties_properties_dataExfiltrationAttempt_destinationTables_resourceUri] If the category log field value is equal to Exfiltration: BigQuery Data Exfiltration, then the sourceProperties.properties.dataExfiltrationAttempt.destinationTables.resourceUri log field is mapped to the target.resource.attribute.labels.value UDM field.
    sourceProperties.properties.exportToGcs.exportScope target.resource.attribute.labels.key/value [sourceProperties_properties_exportToGcs_exportScope] If the category log field value is equal to Exfiltration: CloudSQL Data Exfiltration, then the target.resource.attribute.labels.key UDM field is set to exportScope and the sourceProperties.properties.exportToGcs.exportScope log field is mapped to the target.resource.attribute.labels.value UDM field.
    sourceProperties.properties.extractionAttempt.destinations.objectName target.resource.attribute.labels.key/value [sourceProperties_properties_extractionAttempt_destinations_objectName] If the category log field value is equal to Exfiltration: BigQuery Data Extraction or Exfiltration: BigQuery Data to Google Drive, then the sourceProperties.properties.extractionAttempt.destinations.objectName log field is mapped to the target.resource.attribute.labels.value UDM field.
    sourceProperties.properties.extractionAttempt.destinations.originalUri target.resource.attribute.labels.key/value [sourceProperties_properties_extractionAttempt_destinations_originalUri] If the category log field value is equal to Exfiltration: BigQuery Data Extraction or Exfiltration: BigQuery Data to Google Drive, then the sourceProperties.properties.extractionAttempt.destinations.originalUri log field is mapped to the target.resource.attribute.labels.value UDM field.
    sourceProperties.properties.metadataKeyOperation target.resource.attribute.labels.key/value [sourceProperties_properties_metadataKeyOperation] If the category log field value is equal to Persistence: GCE Admin Added SSH Key or Persistence: GCE Admin Added Startup Script, then the sourceProperties.properties.metadataKeyOperation log field is mapped to the target.resource.attribute.labels.key/value UDM field.
    exfiltration.targets.components target.resource.attribute.labels.key/value [exfiltration_targets_components] If the category log field value is equal to Exfiltration: CloudSQL Data Exfiltration or Exfiltration: BigQuery Data Extraction, then the exfiltration.targets.components log field is mapped to the target.resource.attribute.labels.key/value UDM field.
    sourceProperties.properties.exportToGcs.bucketAccess target.resource.attribute.permissions.name If the category log field value is equal to Exfiltration: CloudSQL Data Exfiltration, then the sourceProperties.properties.exportToGcs.bucketAccess log field is mapped to the target.resource.attribute.permissions.name UDM field.
    sourceProperties.properties.name target.resource.name If the category log field value is equal to Defense Evasion: Modify VPC Service Control, then the sourceProperties.properties.name log field is mapped to the target.resource.name UDM field.

    Else if the category log field value is equal to Exfiltration: CloudSQL Data Exfiltration, then the sourceProperties.properties.exportToGcs.bucketResource log field is mapped to the target.resource.name UDM field.

    Else if the category log field value is equal to Exfiltration: CloudSQL Restore Backup to External Organization, then the sourceProperties.properties.restoreToExternalInstance.targetCloudsqlInstanceResource log field is mapped to the target.resource.name UDM field.

    Else if the category log field value is equal to Brute Force: SSH, then the sourceProperties.properties.attempts.vmName log field is mapped to the target.resource.name UDM field and the resourceName log field is mapped to the target.resource_ancestors.name UDM field.

    Else if the category log field value is equal to Malware: Bad Domain or Malware: Bad IP or Malware: Cryptomining Bad IP or Malware: Cryptomining Bad Domain or Configurable Bad Domain, then the sourceProperties.properties.instanceDetails log field is mapped to the target.resource.name UDM field and the resourceName log field is mapped to the target.resource_ancestors.name UDM field and the target.resource.resource_type UDM field is set to VIRTUAL_MACHINE.

    Else if the category log field value is equal to Exfiltration: BigQuery Data Extraction or Exfiltration: BigQuery Data to Google Drive, then the sourceProperties.properties.extractionAttempt.destinations.collectionName log field is mapped to the target.resource.attribute.name UDM field and the exfiltration.target.name log field is mapped to the target.resource.name UDM field.

    Else if the category log field value is equal to Exfiltration: BigQuery Data Exfiltration, then the exfiltration.target.name log field is mapped to the target.resource.name UDM field and the sourceProperties.properties.dataExfiltrationAttempt.destinationTables.tableId log field is mapped to the target.resource.attribute.labels UDM field and the target.resource.resource_type UDM field is set to TABLE.

    Otherwise, the resourceName log field is mapped to the target.resource.name UDM field.
    sourceProperties.properties.exportToGcs.bucketResource target.resource.name If the category log field value is equal to Defense Evasion: Modify VPC Service Control, then the sourceProperties.properties.name log field is mapped to the target.resource.name UDM field.

    Else if the category log field value is equal to Exfiltration: CloudSQL Data Exfiltration, then the sourceProperties.properties.exportToGcs.bucketResource log field is mapped to the target.resource.name UDM field.

    Else if the category log field value is equal to Exfiltration: CloudSQL Restore Backup to External Organization, then the sourceProperties.properties.restoreToExternalInstance.targetCloudsqlInstanceResource log field is mapped to the target.resource.name UDM field.

    Else if the category log field value is equal to Brute Force: SSH, then the sourceProperties.properties.attempts.vmName log field is mapped to the target.resource.name UDM field, and the resourceName log field is mapped to the target.resource_ancestors.name UDM field.

    Else if the category log field value is equal to Malware: Bad Domain, Malware: Bad IP, Malware: Cryptomining Bad IP, Malware: Cryptomining Bad Domain, or Configurable Bad Domain, then the sourceProperties.properties.instanceDetails log field is mapped to the target.resource.name UDM field, the resourceName log field is mapped to the target.resource_ancestors.name UDM field, and the target.resource.resource_type UDM field is set to VIRTUAL_MACHINE.

    Else if the category log field value is equal to Exfiltration: BigQuery Data Extraction or Exfiltration: BigQuery Data to Google Drive, then the sourceProperties.properties.extractionAttempt.destinations.collectionName log field is mapped to the target.resource.attribute.name UDM field, and the exfiltration.target.name log field is mapped to the target.resource.name UDM field.

    Else if the category log field value is equal to Exfiltration: BigQuery Data Exfiltration, then the exfiltration.target.name log field is mapped to the target.resource.name UDM field, the sourceProperties.properties.dataExfiltrationAttempt.destinationTables.tableId log field is mapped to the target.resource.attribute.labels UDM field, and the target.resource.resource_type UDM field is set to TABLE.

    Otherwise, the resourceName log field is mapped to the target.resource.name UDM field.
    sourceProperties.properties.restoreToExternalInstance.targetCloudsqlInstanceResource target.resource.name If the category log field value is equal to Defense Evasion: Modify VPC Service Control, then the sourceProperties.properties.name log field is mapped to the target.resource.name UDM field.

    Else if the category log field value is equal to Exfiltration: CloudSQL Data Exfiltration, then the sourceProperties.properties.exportToGcs.bucketResource log field is mapped to the target.resource.name UDM field.

    Else if the category log field value is equal to Exfiltration: CloudSQL Restore Backup to External Organization, then the sourceProperties.properties.restoreToExternalInstance.targetCloudsqlInstanceResource log field is mapped to the target.resource.name UDM field.

    Else if the category log field value is equal to Brute Force: SSH, then the sourceProperties.properties.attempts.vmName log field is mapped to the target.resource.name UDM field, and the resourceName log field is mapped to the target.resource_ancestors.name UDM field.

    Else if the category log field value is equal to Malware: Bad Domain, Malware: Bad IP, Malware: Cryptomining Bad IP, Malware: Cryptomining Bad Domain, or Configurable Bad Domain, then the sourceProperties.properties.instanceDetails log field is mapped to the target.resource.name UDM field, the resourceName log field is mapped to the target.resource_ancestors.name UDM field, and the target.resource.resource_type UDM field is set to VIRTUAL_MACHINE.

    Else if the category log field value is equal to Exfiltration: BigQuery Data Extraction or Exfiltration: BigQuery Data to Google Drive, then the sourceProperties.properties.extractionAttempt.destinations.collectionName log field is mapped to the target.resource.attribute.name UDM field, and the exfiltration.target.name log field is mapped to the target.resource.name UDM field.

    Else if the category log field value is equal to Exfiltration: BigQuery Data Exfiltration, then the exfiltration.target.name log field is mapped to the target.resource.name UDM field, the sourceProperties.properties.dataExfiltrationAttempt.destinationTables.tableId log field is mapped to the target.resource.attribute.labels UDM field, and the target.resource.resource_type UDM field is set to TABLE.

    Otherwise, the resourceName log field is mapped to the target.resource.name UDM field.
    resourceName target.resource.name If the category log field value is equal to Defense Evasion: Modify VPC Service Control, then the sourceProperties.properties.name log field is mapped to the target.resource.name UDM field.

    Else if the category log field value is equal to Exfiltration: CloudSQL Data Exfiltration, then the sourceProperties.properties.exportToGcs.bucketResource log field is mapped to the target.resource.name UDM field.

    Else if the category log field value is equal to Exfiltration: CloudSQL Restore Backup to External Organization, then the sourceProperties.properties.restoreToExternalInstance.targetCloudsqlInstanceResource log field is mapped to the target.resource.name UDM field.

    Else if the category log field value is equal to Brute Force: SSH, then the sourceProperties.properties.attempts.vmName log field is mapped to the target.resource.name UDM field, and the resourceName log field is mapped to the target.resource_ancestors.name UDM field.

    Else if the category log field value is equal to Malware: Bad Domain, Malware: Bad IP, Malware: Cryptomining Bad IP, Malware: Cryptomining Bad Domain, or Configurable Bad Domain, then the sourceProperties.properties.instanceDetails log field is mapped to the target.resource.name UDM field, the resourceName log field is mapped to the target.resource_ancestors.name UDM field, and the target.resource.resource_type UDM field is set to VIRTUAL_MACHINE.

    Else if the category log field value is equal to Exfiltration: BigQuery Data Extraction or Exfiltration: BigQuery Data to Google Drive, then the sourceProperties.properties.extractionAttempt.destinations.collectionName log field is mapped to the target.resource.attribute.name UDM field, and the exfiltration.target.name log field is mapped to the target.resource.name UDM field.

    Else if the category log field value is equal to Exfiltration: BigQuery Data Exfiltration, then the exfiltration.target.name log field is mapped to the target.resource.name UDM field, the sourceProperties.properties.dataExfiltrationAttempt.destinationTables.tableId log field is mapped to the target.resource.attribute.labels UDM field, and the target.resource.resource_type UDM field is set to TABLE.

    Otherwise, the resourceName log field is mapped to the target.resource.name UDM field.
    sourceProperties.properties.attempts.vmName target.resource.name If the category log field value is equal to Defense Evasion: Modify VPC Service Control, then the sourceProperties.properties.name log field is mapped to the target.resource.name UDM field.

    Else if the category log field value is equal to Exfiltration: CloudSQL Data Exfiltration, then the sourceProperties.properties.exportToGcs.bucketResource log field is mapped to the target.resource.name UDM field.

    Else if the category log field value is equal to Exfiltration: CloudSQL Restore Backup to External Organization, then the sourceProperties.properties.restoreToExternalInstance.targetCloudsqlInstanceResource log field is mapped to the target.resource.name UDM field.

    Else if the category log field value is equal to Brute Force: SSH, then the sourceProperties.properties.attempts.vmName log field is mapped to the target.resource.name UDM field, and the resourceName log field is mapped to the target.resource_ancestors.name UDM field.

    Else if the category log field value is equal to Malware: Bad Domain, Malware: Bad IP, Malware: Cryptomining Bad IP, Malware: Cryptomining Bad Domain, or Configurable Bad Domain, then the sourceProperties.properties.instanceDetails log field is mapped to the target.resource.name UDM field, the resourceName log field is mapped to the target.resource_ancestors.name UDM field, and the target.resource.resource_type UDM field is set to VIRTUAL_MACHINE.

    Else if the category log field value is equal to Exfiltration: BigQuery Data Extraction or Exfiltration: BigQuery Data to Google Drive, then the sourceProperties.properties.extractionAttempt.destinations.collectionName log field is mapped to the target.resource.attribute.name UDM field, and the exfiltration.target.name log field is mapped to the target.resource.name UDM field.

    Else if the category log field value is equal to Exfiltration: BigQuery Data Exfiltration, then the exfiltration.target.name log field is mapped to the target.resource.name UDM field, the sourceProperties.properties.dataExfiltrationAttempt.destinationTables.tableId log field is mapped to the target.resource.attribute.labels UDM field, and the target.resource.resource_type UDM field is set to TABLE.

    Otherwise, the resourceName log field is mapped to the target.resource.name UDM field.
    sourceProperties.properties.instanceDetails target.resource.name If the category log field value is equal to Defense Evasion: Modify VPC Service Control, then the sourceProperties.properties.name log field is mapped to the target.resource.name UDM field.

    Else if the category log field value is equal to Exfiltration: CloudSQL Data Exfiltration, then the sourceProperties.properties.exportToGcs.bucketResource log field is mapped to the target.resource.name UDM field.

    Else if the category log field value is equal to Exfiltration: CloudSQL Restore Backup to External Organization, then the sourceProperties.properties.restoreToExternalInstance.targetCloudsqlInstanceResource log field is mapped to the target.resource.name UDM field.

    Else if the category log field value is equal to Brute Force: SSH, then the sourceProperties.properties.attempts.vmName log field is mapped to the target.resource.name UDM field, and the resourceName log field is mapped to the target.resource_ancestors.name UDM field.

    Else if the category log field value is equal to Malware: Bad Domain, Malware: Bad IP, Malware: Cryptomining Bad IP, Malware: Cryptomining Bad Domain, or Configurable Bad Domain, then the sourceProperties.properties.instanceDetails log field is mapped to the target.resource.name UDM field, the resourceName log field is mapped to the target.resource_ancestors.name UDM field, and the target.resource.resource_type UDM field is set to VIRTUAL_MACHINE.

    Else if the category log field value is equal to Exfiltration: BigQuery Data Extraction or Exfiltration: BigQuery Data to Google Drive, then the sourceProperties.properties.extractionAttempt.destinations.collectionName log field is mapped to the target.resource.attribute.name UDM field, and the exfiltration.target.name log field is mapped to the target.resource.name UDM field.

    Else if the category log field value is equal to Exfiltration: BigQuery Data Exfiltration, then the exfiltration.target.name log field is mapped to the target.resource.name UDM field, the sourceProperties.properties.dataExfiltrationAttempt.destinationTables.tableId log field is mapped to the target.resource.attribute.labels UDM field, and the target.resource.resource_type UDM field is set to TABLE.

    Otherwise, the resourceName log field is mapped to the target.resource.name UDM field.
    sourceProperties.properties.extractionAttempt.destinations.collectionName target.resource.name If the category log field value is equal to Defense Evasion: Modify VPC Service Control, then the sourceProperties.properties.name log field is mapped to the target.resource.name UDM field.

    Else if the category log field value is equal to Exfiltration: CloudSQL Data Exfiltration, then the sourceProperties.properties.exportToGcs.bucketResource log field is mapped to the target.resource.name UDM field.

    Else if the category log field value is equal to Exfiltration: CloudSQL Restore Backup to External Organization, then the sourceProperties.properties.restoreToExternalInstance.targetCloudsqlInstanceResource log field is mapped to the target.resource.name UDM field.

    Else if the category log field value is equal to Brute Force: SSH, then the sourceProperties.properties.attempts.vmName log field is mapped to the target.resource.name UDM field, and the resourceName log field is mapped to the target.resource_ancestors.name UDM field.

    Else if the category log field value is equal to Malware: Bad Domain, Malware: Bad IP, Malware: Cryptomining Bad IP, Malware: Cryptomining Bad Domain, or Configurable Bad Domain, then the sourceProperties.properties.instanceDetails log field is mapped to the target.resource.name UDM field, the resourceName log field is mapped to the target.resource_ancestors.name UDM field, and the target.resource.resource_type UDM field is set to VIRTUAL_MACHINE.

    Else if the category log field value is equal to Exfiltration: BigQuery Data Extraction or Exfiltration: BigQuery Data to Google Drive, then the sourceProperties.properties.extractionAttempt.destinations.collectionName log field is mapped to the target.resource.attribute.name UDM field, and the exfiltration.target.name log field is mapped to the target.resource.name UDM field.

    Else if the category log field value is equal to Exfiltration: BigQuery Data Exfiltration, then the exfiltration.target.name log field is mapped to the target.resource.name UDM field, the sourceProperties.properties.dataExfiltrationAttempt.destinationTables.tableId log field is mapped to the target.resource.attribute.labels UDM field, and the target.resource.resource_type UDM field is set to TABLE.

    Otherwise, the resourceName log field is mapped to the target.resource.name UDM field.
    sourceProperties.properties.dataExfiltrationAttempt.destinationTables.tableId target.resource.name If the category log field value is equal to Defense Evasion: Modify VPC Service Control, then the sourceProperties.properties.name log field is mapped to the target.resource.name UDM field.

    Else if the category log field value is equal to Exfiltration: CloudSQL Data Exfiltration, then the sourceProperties.properties.exportToGcs.bucketResource log field is mapped to the target.resource.name UDM field.

    Else if the category log field value is equal to Exfiltration: CloudSQL Restore Backup to External Organization, then the sourceProperties.properties.restoreToExternalInstance.targetCloudsqlInstanceResource log field is mapped to the target.resource.name UDM field.

    Else if the category log field value is equal to Brute Force: SSH, then the sourceProperties.properties.attempts.vmName log field is mapped to the target.resource.name UDM field, and the resourceName log field is mapped to the target.resource_ancestors.name UDM field.

    Else if the category log field value is equal to Malware: Bad Domain, Malware: Bad IP, Malware: Cryptomining Bad IP, Malware: Cryptomining Bad Domain, or Configurable Bad Domain, then the sourceProperties.properties.instanceDetails log field is mapped to the target.resource.name UDM field, the resourceName log field is mapped to the target.resource_ancestors.name UDM field, and the target.resource.resource_type UDM field is set to VIRTUAL_MACHINE.

    Else if the category log field value is equal to Exfiltration: BigQuery Data Extraction or Exfiltration: BigQuery Data to Google Drive, then the sourceProperties.properties.extractionAttempt.destinations.collectionName log field is mapped to the target.resource.attribute.name UDM field, and the exfiltration.target.name log field is mapped to the target.resource.name UDM field.

    Else if the category log field value is equal to Exfiltration: BigQuery Data Exfiltration, then the exfiltration.target.name log field is mapped to the target.resource.name UDM field, the sourceProperties.properties.dataExfiltrationAttempt.destinationTables.tableId log field is mapped to the target.resource.attribute.labels UDM field, and the target.resource.resource_type UDM field is set to TABLE.

    Otherwise, the resourceName log field is mapped to the target.resource.name UDM field.
    exfiltration.targets.name target.resource.name If the category log field value is equal to Defense Evasion: Modify VPC Service Control, then the sourceProperties.properties.name log field is mapped to the target.resource.name UDM field.

    Else if the category log field value is equal to Exfiltration: CloudSQL Data Exfiltration, then the sourceProperties.properties.exportToGcs.bucketResource log field is mapped to the target.resource.name UDM field.

    Else if the category log field value is equal to Exfiltration: CloudSQL Restore Backup to External Organization, then the sourceProperties.properties.restoreToExternalInstance.targetCloudsqlInstanceResource log field is mapped to the target.resource.name UDM field.

    Else if the category log field value is equal to Brute Force: SSH, then the sourceProperties.properties.attempts.vmName log field is mapped to the target.resource.name UDM field, and the resourceName log field is mapped to the target.resource_ancestors.name UDM field.

    Else if the category log field value is equal to Malware: Bad Domain, Malware: Bad IP, Malware: Cryptomining Bad IP, Malware: Cryptomining Bad Domain, or Configurable Bad Domain, then the sourceProperties.properties.instanceDetails log field is mapped to the target.resource.name UDM field, the resourceName log field is mapped to the target.resource_ancestors.name UDM field, and the target.resource.resource_type UDM field is set to VIRTUAL_MACHINE.

    Else if the category log field value is equal to Exfiltration: BigQuery Data Extraction or Exfiltration: BigQuery Data to Google Drive, then the sourceProperties.properties.extractionAttempt.destinations.collectionName log field is mapped to the target.resource.attribute.name UDM field, and the exfiltration.target.name log field is mapped to the target.resource.name UDM field.

    Else if the category log field value is equal to Exfiltration: BigQuery Data Exfiltration, then the exfiltration.target.name log field is mapped to the target.resource.name UDM field, the sourceProperties.properties.dataExfiltrationAttempt.destinationTables.tableId log field is mapped to the target.resource.attribute.labels UDM field, and the target.resource.resource_type UDM field is set to TABLE.

    Otherwise, the resourceName log field is mapped to the target.resource.name UDM field.
    sourceProperties.properties.instanceId target.resource.product_object_id If the category log field value is equal to Brute Force: SSH, then the sourceProperties.properties.instanceId log field is mapped to the target.resource.product_object_id UDM field.
    kubernetes.pods.containers.imageId target.resource_ancestors.attribute.labels[kubernetes_pods_containers_imageId]
    sourceProperties.properties.extractionAttempt.destinations.collectionType target.resource.resource_subtype If the category log field value is equal to Exfiltration: BigQuery Data Extraction or Exfiltration: BigQuery Data to Google Drive, then the sourceProperties.properties.extractionAttempt.destinations.collectionName log field is mapped to the target.resource.resource_subtype UDM field.

    Else if the category log field value is equal to Credential Access: External Member Added To Privileged Group, then the target.resource.resource_subtype UDM field is set to Privileged Group.

    Else if the category log field value is equal to Exfiltration: BigQuery Data Exfiltration, then the target.resource.resource_subtype UDM field is set to BigQuery.
    target.resource.resource_type If the sourceProperties.properties.extractionAttempt.destinations.collectionType log field value matches the regular expression BUCKET, then the target.resource.resource_type UDM field is set to STORAGE_BUCKET.

    Else if the category log field value is equal to Brute Force: SSH, then the target.resource.resource_type UDM field is set to VIRTUAL_MACHINE.

    Else if the category log field value is equal to Malware: Bad Domain, Malware: Bad IP, or Malware: Cryptomining Bad IP, then the target.resource.resource_type UDM field is set to VIRTUAL_MACHINE.

    Else if the category log field value is equal to Exfiltration: BigQuery Data Exfiltration, then the target.resource.resource_type UDM field is set to TABLE.
    sourceProperties.properties.extractionAttempt.jobLink target.url If the category log field value is equal to Exfiltration: BigQuery Data to Google Drive or Exfiltration: BigQuery Data Extraction, then the sourceProperties.properties.extractionAttempt.jobLink log field is mapped to the target.url UDM field.
    sourceProperties.properties.exportToGcs.gcsUri target.url If the category log field value is equal to Exfiltration: CloudSQL Data Exfiltration, then the sourceProperties.properties.exportToGcs.gcsUri log field is mapped to the target.url UDM field.
    sourceProperties.properties.requestUrl target.url If the category log field value is equal to Initial Access: Log4j Compromise Attempt, then the sourceProperties.properties.requestUrl log field is mapped to the target.url UDM field.
    sourceProperties.properties.policyLink target.url If the category log field value is equal to Defense Evasion: Modify VPC Service Control, then the sourceProperties.properties.policyLink log field is mapped to the target.url UDM field.
    sourceProperties.properties.anomalousLocation.notSeenInLast target.user.attribute.labels.key/value [sourceProperties_properties_anomalousLocation_notSeenInLast] If the category log field value is equal to Persistence: New Geography, then the sourceProperties.properties.anomalousLocation.notSeenInLast log field is mapped to the target.user.attribute.labels.value UDM field.
    sourceProperties.properties.attempts.username target.user.userid If the category log field value is equal to Brute Force: SSH, then the sourceProperties.properties.attempts.username log field is mapped to the target.user.userid UDM field.

    If the category log field value is equal to Initial Access: Suspicious Login Blocked, then the userid log field is mapped to the target.user.userid UDM field.
    sourceProperties.properties.principalEmail target.user.userid If the category log field value is equal to Initial Access: Suspicious Login Blocked, then the userid log field is mapped to the target.user.userid UDM field.
    sourceProperties.Added_Binary_Kind target.resource.attribute.labels[sourceProperties_Added_Binary_Kind]
    sourceProperties.Container_Creation_Timestamp.nanos target.resource.attribute.labels[sourceProperties_Container_Creation_Timestamp_nanos]
    sourceProperties.Container_Creation_Timestamp.seconds target.resource.attribute.labels[sourceProperties_Container_Creation_Timestamp_seconds]
    sourceProperties.Container_Image_Id target.resource_ancestors.product_object_id
    sourceProperties.Container_Image_Uri target.resource.attribute.labels[sourceProperties_Container_Image_Uri]
    sourceProperties.Container_Name target.resource_ancestors.name
    sourceProperties.Environment_Variables target.labels [Environment_Variables_name] (deprecated)
    sourceProperties.Environment_Variables additional.fields [Environment_Variables_name]
    sourceProperties.Environment_Variables target.labels [Environment_Variables_val] (deprecated)
    sourceProperties.Environment_Variables additional.fields [Environment_Variables_val]
    sourceProperties.Kubernetes_Labels target.resource.attribute.labels.key/value [sourceProperties_Kubernetes_Labels.name/value]
    sourceProperties.Parent_Pid target.process.parent_process.pid
    sourceProperties.Pid target.process.pid
    sourceProperties.Pod_Name target.resource_ancestors.name
    sourceProperties.Pod_Namespace target.resource_ancestors.attribute.labels.key/value [sourceProperties_Pod_Namespace]
    sourceProperties.Process_Arguments target.process.command_line
    sourceProperties.Process_Binary_Fullpath target.process.file.full_path
    sourceProperties.Process_Creation_Timestamp.nanos target.labels [sourceProperties_Process_Creation_Timestamp_nanos] (deprecated)
    sourceProperties.Process_Creation_Timestamp.nanos additional.fields [sourceProperties_Process_Creation_Timestamp_nanos]
    sourceProperties.Process_Creation_Timestamp.seconds target.labels [sourceProperties_Process_Creation_Timestamp_seconds] (deprecated)
    sourceProperties.Process_Creation_Timestamp.seconds additional.fields [sourceProperties_Process_Creation_Timestamp_seconds]
    sourceProperties.VM_Instance_Name target.resource_ancestors.name If the category log field value is equal to Added Binary Executed or Added Library Loaded, then the sourceProperties.VM_Instance_Name log field is mapped to the target.resource_ancestors.name UDM field and the target.resource_ancestors.resource_type UDM field is set to VIRTUAL_MACHINE.
    target.resource_ancestors.resource_type
    resource.parent target.resource_ancestors.attribute.labels.key/value [resource_project]
    resource.project target.resource_ancestors.attribute.labels.key/value [resource_parent]
    sourceProperties.Added_Library_Fullpath target.process.file.full_path
    sourceProperties.Added_Library_Kind target.resource.attribute.labels[sourceProperties_Added_Library_Kind]
    sourceProperties.affectedResources.gcpResourceName target.resource_ancestors.name
    sourceProperties.Backend_Service target.resource.name If the category log field value is equal to Increasing Deny Ratio or Allowed Traffic Spike or Application DDoS Attack Attempt, then the sourceProperties.Backend_Service log field is mapped to the target.resource.name UDM field and the resourceName log field is mapped to the target.resource_ancestors.name UDM field.
    sourceProperties.Long_Term_Allowed_RPS target.resource.attribute.labels[sourceProperties_Long_Term_Allowed_RPS]
    sourceProperties.Long_Term_Denied_RPS target.resource.attribute.labels[sourceProperties_Long_Term_Denied_RPS]
    sourceProperties.Long_Term_Incoming_RPS target.resource.attribute.labels[sourceProperties_Long_Term_Incoming_RPS]
    sourceProperties.properties.customProperties.domain_category target.resource.attribute.labels[sourceProperties_properties_customProperties_domain_category]
    sourceProperties.Security_Policy target.resource.attribute.labels[sourceProperties_Security_Policy]
    sourceProperties.Short_Term_Allowed_RPS target.resource.attribute.labels[sourceProperties_Short_Term_Allowed_RPS]
    target.resource.resource_type If the category log field value is equal to Increasing Deny Ratio or Allowed Traffic Spike or Application DDoS Attack Attempt, then the target.resource.resource_type UDM field is set to BACKEND_SERVICE.

    If the category log field value is equal to Configurable Bad Domain, then the target.resource.resource_type UDM field is set to VIRTUAL_MACHINE.
    is_alert If the state log field value is equal to ACTIVE, then: if the mute_is_not_present field value is not equal to true and the mute log field value is equal to UNMUTED or UNDEFINED, the is_alert UDM field is set to true; otherwise, the is_alert UDM field is set to false.
    is_significant If the state log field value is equal to ACTIVE, then: if the mute_is_not_present field value is not equal to true and the mute log field value is equal to UNMUTED or UNDEFINED, the is_significant UDM field is set to true; otherwise, the is_significant UDM field is set to false.
    sourceProperties.properties.sensitiveRoleGrant.principalEmail principal.user.userid A Grok pattern extracts user_id from the sourceProperties.properties.sensitiveRoleGrant.principalEmail log field; the user_id field is then mapped to the principal.user.userid UDM field.
    sourceProperties.properties.customRoleSensitivePermissions.principalEmail principal.user.userid A Grok pattern extracts user_id from the sourceProperties.properties.customRoleSensitivePermissions.principalEmail log field; the user_id field is then mapped to the principal.user.userid UDM field.
    resourceName principal.asset.location.name If the parentDisplayName log field value is equal to Virtual Machine Threat Detection, then a Grok pattern extracts project_name, region, zone_suffix, and asset_prod_obj_id from the resourceName log field, and the region field is mapped to the principal.asset.location.name UDM field.
    resourceName principal.asset.product_object_id If the parentDisplayName log field value is equal to Virtual Machine Threat Detection, then a Grok pattern extracts project_name, region, zone_suffix, and asset_prod_obj_id from the resourceName log field, and the asset_prod_obj_id field is mapped to the principal.asset.product_object_id UDM field.
    resourceName principal.asset.attribute.cloud.availability_zone If the parentDisplayName log field value is equal to Virtual Machine Threat Detection, then a Grok pattern extracts project_name, region, zone_suffix, and asset_prod_obj_id from the resourceName log field, and the zone_suffix field is mapped to the principal.asset.attribute.cloud.availability_zone UDM field.
    resourceName principal.asset.attribute.labels[project_name] If the parentDisplayName log field value is equal to Virtual Machine Threat Detection, then a Grok pattern extracts project_name, region, zone_suffix, and asset_prod_obj_id from the resourceName log field, and the project_name field is mapped to the principal.asset.attribute.labels.value UDM field.
    sourceProperties.threats.memory_hash_detector.detections.binary_name security_result.detection_fields[binary_name]
    sourceProperties.threats.memory_hash_detector.detections.percent_pages_matched security_result.detection_fields[percent_pages_matched]
    sourceProperties.threats.memory_hash_detector.binary security_result.detection_fields[memory_hash_detector_binary]
    sourceProperties.threats.yara_rule_detector.yara_rule_name security_result.detection_fields[yara_rule_name]
    sourceProperties.Script_SHA256 target.resource.attribute.labels[script_sha256]
    sourceProperties.Script_Content target.resource.attribute.labels[script_content]
    state security_result.detection_fields[state]
    assetDisplayName target.asset.attribute.labels[asset_display_name]
    assetId target.asset.asset_id
    findingProviderId target.resource.attribute.labels[finding_provider_id]
    sourceDisplayName target.resource.attribute.labels[source_display_name]
    processes.name target.process.file.names
    sourceProperties.properties.failedActions.methodName target.labels[failedActions_methodName] If the category log field value is equal to Initial Access: Excessive Permission Denied Actions, then the sourceProperties.properties.failedActions.methodName log field is mapped to the target.labels UDM field.
    sourceProperties.properties.failedActions.methodName additional.fields[failedActions_methodName] If the category log field value is equal to Initial Access: Excessive Permission Denied Actions, then the sourceProperties.properties.failedActions.methodName log field is mapped to the additional.fields UDM field.
    sourceProperties.properties.failedActions.serviceName target.labels[failedActions_serviceName] If the category log field value is equal to Initial Access: Excessive Permission Denied Actions, then the sourceProperties.properties.failedActions.serviceName log field is mapped to the target.labels UDM field.
    sourceProperties.properties.failedActions.serviceName additional.fields[failedActions_serviceName] If the category log field value is equal to Initial Access: Excessive Permission Denied Actions, then the sourceProperties.properties.failedActions.serviceName log field is mapped to the additional.fields UDM field.
    sourceProperties.properties.failedActions.attemptTimes target.labels[failedActions_attemptTimes] If the category log field value is equal to Initial Access: Excessive Permission Denied Actions, then the sourceProperties.properties.failedActions.attemptTimes log field is mapped to the target.labels UDM field.
    sourceProperties.properties.failedActions.attemptTimes additional.fields[failedActions_attemptTimes] If the category log field value is equal to Initial Access: Excessive Permission Denied Actions, then the sourceProperties.properties.failedActions.attemptTimes log field is mapped to the additional.fields UDM field.
    sourceProperties.properties.failedActions.lastOccurredTime target.labels[failedActions_lastOccurredTime] If the category log field value is equal to Initial Access: Excessive Permission Denied Actions, then the sourceProperties.properties.failedActions.lastOccurredTime log field is mapped to the target.labels UDM field.
    sourceProperties.properties.failedActions.lastOccurredTime additional.fields[failedActions_lastOccurredTime] If the category log field value is equal to Initial Access: Excessive Permission Denied Actions, then the sourceProperties.properties.failedActions.lastOccurredTime log field is mapped to the additional.fields UDM field.
    resource.resourcePathString src.resource.attribute.labels[resource_path_string] If the category log field value contains one of the following values, then the resource.resourcePathString log field is mapped to the src.resource.attribute.labels[resource_path_string] UDM field.
    • Exfiltration: BigQuery Data Extraction
    • Exfiltration: BigQuery Data to Google Drive
    • Exfiltration: BigQuery Data Exfiltration
    • Exfiltration: CloudSQL Restore Backup to External Organization
    Else, the resource.resourcePathString log field is mapped to the target.resource.attribute.labels[resource_path_string] UDM field.
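    The three conditional rules in this table (the resourceName extraction for Virtual Machine Threat Detection findings, the failedActions rows for the Excessive Permission Denied Actions category, and the src/target placement of resourcePathString) are easier to verify against a real feed when written out as code. The following Python is an added illustration, not the Google Security Operations parser and not code from this page. The page does not show the Grok pattern, so the regex assumes the Compute Engine full resource name form //compute.googleapis.com/projects/PROJECT/zones/ZONE/instances/ID and treats the trailing letter of the zone as zone_suffix; the three sample findings are constructed. The same four-capture extraction is what the VULNERABILITY and POSTURE_VIOLATION field-mapping tables later in this reference describe for resourceName.

```python
"""Added illustration (not the Google Security Operations parser) of the
conditional rows in the Event Threat Detection field-mapping table: the
resourceName Grok extraction for Virtual Machine Threat Detection findings,
the failedActions rows, and the placement of resource.resourcePathString."""
import re

# ASSUMPTION: the page does not show the Grok pattern. This regex assumes the
# Compute Engine full resource name that SCC places in resourceName, e.g.
# //compute.googleapis.com/projects/<project>/zones/<zone>/instances/<id>,
# and takes the trailing letter of the zone ("a" in "us-central1-a") as
# zone_suffix, with everything before it as region.
_RESOURCE_NAME_RE = re.compile(
    r"^//compute\.googleapis\.com/projects/(?P<project_name>[^/]+)"
    r"/zones/(?P<region>[a-z]+-[a-z]+\d+)-(?P<zone_suffix>[a-z])"
    r"/instances/(?P<asset_prod_obj_id>[^/]+)$"
)

VMTD = "Virtual Machine Threat Detection"
EXCESSIVE_DENIED = "Initial Access: Excessive Permission Denied Actions"

# The four categories whose resourcePathString lands on src.* rather than target.*.
SRC_RESOURCE_PATH_CATEGORIES = frozenset({
    "Exfiltration: BigQuery Data Extraction",
    "Exfiltration: BigQuery Data to Google Drive",
    "Exfiltration: BigQuery Data Exfiltration",
    "Exfiltration: CloudSQL Restore Backup to External Organization",
})
FAILED_ACTION_KEYS = ("methodName", "serviceName", "attemptTimes", "lastOccurredTime")


def parse_resource_name(resource_name):
    """Grok-style extraction: the four named captures, or None if the name does not match."""
    match = _RESOURCE_NAME_RE.match(resource_name or "")
    return match.groupdict() if match else None


def _get(obj, dotted):
    """Walk a dotted log-field path such as 'resource.resourcePathString' through nested dicts."""
    for key in dotted.split("."):
        if not isinstance(obj, dict) or key not in obj:
            return None
        obj = obj[key]
    return obj


def map_conditional_fields(finding):
    """Return {UDM path: value} for the conditional rows of the table, given a finding dict."""
    udm = {}
    category = finding.get("category")

    # resourceName rows apply only to VMTD findings. region is extracted as well,
    # but the row that places it is not among the three reproduced here.
    if finding.get("parentDisplayName") == VMTD:
        parts = parse_resource_name(finding.get("resourceName"))
        if parts:
            udm["principal.asset.product_object_id"] = parts["asset_prod_obj_id"]
            udm["principal.asset.attribute.cloud.availability_zone"] = parts["zone_suffix"]
            udm["principal.asset.attribute.labels[project_name]"] = parts["project_name"]

    # failedActions rows: every value is written to both target.labels and additional.fields.
    if category == EXCESSIVE_DENIED:
        for key in FAILED_ACTION_KEYS:
            value = _get(finding, f"sourceProperties.properties.failedActions.{key}")
            if value is not None:
                udm[f"target.labels[failedActions_{key}]"] = value
                udm[f"additional.fields[failedActions_{key}]"] = value

    # resourcePathString: src.* for the four exfiltration categories, target.* otherwise.
    path_string = _get(finding, "resource.resourcePathString")
    if path_string is not None:
        side = "src" if category in SRC_RESOURCE_PATH_CATEGORIES else "target"
        udm[f"{side}.resource.attribute.labels[resource_path_string]"] = path_string
    return udm


# Constructed sample findings (not real SCC output) that exercise each branch.
SAMPLE_VMTD = {
    "parentDisplayName": VMTD,
    "category": "Execution: Cryptocurrency Mining YARA Rule",
    "resourceName": "//compute.googleapis.com/projects/example-project"
                    "/zones/us-central1-a/instances/1234567890",
    "resource": {"resourcePathString": "organizations/1/folders/2/projects/3"},
}
SAMPLE_DENIED = {
    "parentDisplayName": "Event Threat Detection",
    "category": EXCESSIVE_DENIED,
    "sourceProperties": {"properties": {"failedActions": {
        "methodName": "example.v1.ExampleService.GetItem",
        "serviceName": "example.googleapis.com",
        "attemptTimes": 42,
        "lastOccurredTime": "2024-01-01T00:00:00Z"}}},
}
SAMPLE_EXFIL = {
    "category": "Exfiltration: BigQuery Data to Google Drive",
    "resource": {"resourcePathString": "organizations/1/projects/3"},
}

if __name__ == "__main__":
    for sample in (SAMPLE_VMTD, SAMPLE_DENIED, SAMPLE_EXFIL):
        print(map_conditional_fields(sample))
```

    Run the file directly to print the partial UDM dictionaries for the three samples. When validating a new feed, compare that output with the principal.asset, target.labels, additional.fields and src/target resource.attribute.labels values of an ingested event to confirm that the conditional rows fired the way this table states; a non-VMTD finding that carries a resourceName is the useful negative case, since it must produce no principal.asset rows.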

    Field mapping reference: event identifier to event type

    Event Identifier Event Type Security Category
    Active Scan: Log4j Vulnerable to RCE SCAN_UNCATEGORIZED
    Brute Force: SSH USER_LOGIN AUTH_VIOLATION
    Credential Access: External Member Added To Privileged Group GROUP_MODIFICATION
    Credential Access: Privileged Group Opened To Public GROUP_MODIFICATION
    Credential Access: Sensitive Role Granted To Hybrid Group GROUP_MODIFICATION
    Defense Evasion: Modify VPC Service Control SERVICE_MODIFICATION
    Discovery: Can get sensitive Kubernetes object check (Preview) SCAN_UNCATEGORIZED
    Discovery: Service Account Self-Investigation USER_UNCATEGORIZED
    Evasion: Access from Anonymizing Proxy SERVICE_MODIFICATION
    Exfiltration: BigQuery Data Exfiltration USER_RESOURCE_ACCESS DATA_EXFILTRATION
    Exfiltration: BigQuery Data Extraction USER_RESOURCE_ACCESS DATA_EXFILTRATION
    Exfiltration: BigQuery Data to Google Drive USER_RESOURCE_ACCESS DATA_EXFILTRATION
    Exfiltration: CloudSQL Data Exfiltration USER_RESOURCE_ACCESS DATA_EXFILTRATION
    Exfiltration: CloudSQL Over-Privileged Grant USER_RESOURCE_ACCESS DATA_EXFILTRATION
    Exfiltration: CloudSQL Restore Backup to External Organization USER_RESOURCE_ACCESS DATA_EXFILTRATION
    Impair Defenses: Strong Authentication Disabled USER_CHANGE_PERMISSIONS
    Impair Defenses: Two Step Verification Disabled USER_CHANGE_PERMISSIONS
    Initial Access: Account Disabled Hijacked SETTING_MODIFICATION
    Initial Access: Disabled Password Leak SETTING_MODIFICATION
    Initial Access: Government Based Attack USER_UNCATEGORIZED
    Initial Access: Log4j Compromise Attempt SCAN_UNCATEGORIZED EXPLOIT
    Initial Access: Suspicious Login Blocked USER_LOGIN ACL_VIOLATION
    Initial Access: Dormant Service Account Action SCAN_UNCATEGORIZED
    Log4j Malware: Bad Domain NETWORK_CONNECTION SOFTWARE_MALICIOUS
    Log4j Malware: Bad IP SCAN_UNCATEGORIZED SOFTWARE_MALICIOUS
    Malware: Bad Domain NETWORK_CONNECTION SOFTWARE_MALICIOUS
    Malware: Bad IP SCAN_UNCATEGORIZED SOFTWARE_MALICIOUS
    Malware: Cryptomining Bad Domain NETWORK_CONNECTION SOFTWARE_MALICIOUS
    Malware: Cryptomining Bad IP NETWORK_CONNECTION SOFTWARE_MALICIOUS
    Malware: Outgoing DoS NETWORK_CONNECTION NETWORK_DENIAL_OF_SERVICE
    Persistence: GCE Admin Added SSH Key SETTING_MODIFICATION
    Persistence: GCE Admin Added Startup Script SETTING_MODIFICATION
    Persistence: IAM Anomalous Grant USER_UNCATEGORIZED POLICY_VIOLATION
    Persistence: New API Method (Preview) SCAN_UNCATEGORIZED
    Persistence: New Geography USER_RESOURCE_ACCESS NETWORK_SUSPICIOUS
    Persistence: New User Agent USER_RESOURCE_ACCESS
    Persistence: SSO Enablement Toggle SETTING_MODIFICATION
    Persistence: SSO Settings Changed SETTING_MODIFICATION
    Privilege Escalation: Changes to sensitive Kubernetes RBAC objects (Preview) RESOURCE_PERMISSIONS_CHANGE
    Privilege Escalation: Create Kubernetes CSR for master cert (Preview) RESOURCE_CREATION
    Privilege Escalation: Creation of sensitive Kubernetes bindings (Preview) RESOURCE_CREATION
    Privilege Escalation: Get Kubernetes CSR with compromised bootstrap credentials (Preview) USER_RESOURCE_ACCESS
    Privilege Escalation: Launch of privileged Kubernetes container (Preview) RESOURCE_CREATION
    Added Binary Executed USER_RESOURCE_ACCESS
    Added Library Loaded USER_RESOURCE_ACCESS
    Allowed Traffic Spike USER_RESOURCE_ACCESS
    Increasing Deny Ratio USER_RESOURCE_UPDATE_CONTENT
    Configurable bad domain NETWORK_CONNECTION
    Execution: Cryptocurrency Mining Hash Match SCAN_UNCATEGORIZED
    Execution: Cryptocurrency Mining YARA Rule SCAN_UNCATEGORIZED
    Malicious Script Executed SCAN_UNCATEGORIZED SOFTWARE_MALICIOUS
    Malicious URL Observed SCAN_UNCATEGORIZED NETWORK_MALICIOUS
    Execution: Cryptocurrency Mining Combined Detection SCAN_UNCATEGORIZED
    Application DDoS Attack Attempt SCAN_NETWORK
    Defense Evasion: Unexpected ftrace handler SCAN_UNCATEGORIZED SOFTWARE_MALICIOUS
    Defense Evasion: Unexpected interrupt handler SCAN_UNCATEGORIZED SOFTWARE_MALICIOUS
    Defense Evasion: Unexpected kernel code modification USER_RESOURCE_UPDATE_CONTENT SOFTWARE_MALICIOUS
    Defense Evasion: Unexpected kernel modules SCAN_UNCATEGORIZED SOFTWARE_MALICIOUS
    Defense Evasion: Unexpected kernel read-only data modification USER_RESOURCE_UPDATE_CONTENT SOFTWARE_MALICIOUS
    Defense Evasion: Unexpected kprobe handler SCAN_UNCATEGORIZED SOFTWARE_MALICIOUS
    Defense Evasion: Unexpected processes in runqueue PROCESS_UNCATEGORIZED SOFTWARE_MALICIOUS
    Defense Evasion: Unexpected system call handler SCAN_UNCATEGORIZED SOFTWARE_MALICIOUS
    Reverse Shell SCAN_UNCATEGORIZED EXPLOIT
    account_has_leaked_credentials SCAN_UNCATEGORIZED DATA_AT_REST
    Initial Access: Dormant Service Account Key Created RESOURCE_CREATION
    Process Tree PROCESS_UNCATEGORIZED
    Unexpected Child Shell PROCESS_UNCATEGORIZED
    Execution: Added Malicious Binary Executed SCAN_UNCATEGORIZED SOFTWARE_MALICIOUS
    Execution: Modified Malicious Binary Executed SCAN_UNCATEGORIZED SOFTWARE_MALICIOUS
    Privilege Escalation: Anomalous Multistep Service Account Delegation for Admin Activity SCAN_UNCATEGORIZED
    Breakglass Account Used: break_glass_account SCAN_UNCATEGORIZED
    Configurable Bad Domain: APT29_Domains SCAN_UNCATEGORIZED
    Unexpected Role Grant: Forbidden roles SCAN_UNCATEGORIZED
    Configurable Bad IP SCAN_UNCATEGORIZED
    Unexpected Compute Engine instance type SCAN_UNCATEGORIZED
    Unexpected Compute Engine source image SCAN_UNCATEGORIZED
    Unexpected Compute Engine region SCAN_UNCATEGORIZED
    Custom role with prohibited permission SCAN_UNCATEGORIZED
    Unexpected Cloud API Call SCAN_UNCATEGORIZED



    The following tables contain the UDM event types and UDM field mappings for the Security Command Center VULNERABILITY, MISCONFIGURATION, OBSERVATION, ERROR, UNSPECIFIED, and POSTURE_VIOLATION finding classes.

    VULNERABILITY category to UDM event type

    The following table lists the event identifiers of the VULNERABILITY category with their corresponding UDM event types and, where one is assigned, security categories.

    Event Identifier Event Type Security Category
    DISK_CSEK_DISABLED SCAN_UNCATEGORIZED
    ALPHA_CLUSTER_ENABLED SCAN_UNCATEGORIZED
    AUTO_REPAIR_DISABLED SCAN_UNCATEGORIZED
    AUTO_UPGRADE_DISABLED SCAN_UNCATEGORIZED
    CLUSTER_SHIELDED_NODES_DISABLED SCAN_UNCATEGORIZED
    COS_NOT_USED SCAN_UNCATEGORIZED
    INTEGRITY_MONITORING_DISABLED SCAN_UNCATEGORIZED
    IP_ALIAS_DISABLED SCAN_UNCATEGORIZED
    LEGACY_METADATA_ENABLED SCAN_UNCATEGORIZED
    RELEASE_CHANNEL_DISABLED SCAN_UNCATEGORIZED
    DATAPROC_IMAGE_OUTDATED SCAN_VULN_NETWORK
    PUBLIC_DATASET SCAN_UNCATEGORIZED
    DNSSEC_DISABLED SCAN_UNCATEGORIZED
    RSASHA1_FOR_SIGNING SCAN_UNCATEGORIZED
    REDIS_ROLE_USED_ON_ORG SCAN_UNCATEGORIZED
    KMS_PUBLIC_KEY SCAN_UNCATEGORIZED
    SQL_CONTAINED_DATABASE_AUTHENTICATION SCAN_UNCATEGORIZED
    SQL_CROSS_DB_OWNERSHIP_CHAINING SCAN_UNCATEGORIZED
    SQL_EXTERNAL_SCRIPTS_ENABLED SCAN_UNCATEGORIZED
    SQL_LOCAL_INFILE SCAN_UNCATEGORIZED
    SQL_LOG_ERROR_VERBOSITY SCAN_UNCATEGORIZED
    SQL_LOG_MIN_DURATION_STATEMENT_ENABLED SCAN_UNCATEGORIZED
    SQL_LOG_MIN_ERROR_STATEMENT SCAN_UNCATEGORIZED
    SQL_LOG_MIN_ERROR_STATEMENT_SEVERITY SCAN_UNCATEGORIZED
    SQL_LOG_MIN_MESSAGES SCAN_UNCATEGORIZED
    SQL_LOG_EXECUTOR_STATS_ENABLED SCAN_UNCATEGORIZED
    SQL_LOG_HOSTNAME_ENABLED SCAN_UNCATEGORIZED
    SQL_LOG_PARSER_STATS_ENABLED SCAN_UNCATEGORIZED
    SQL_LOG_PLANNER_STATS_ENABLED SCAN_UNCATEGORIZED
    SQL_LOG_STATEMENT_STATS_ENABLED SCAN_UNCATEGORIZED
    SQL_LOG_TEMP_FILES SCAN_UNCATEGORIZED
    SQL_REMOTE_ACCESS_ENABLED SCAN_UNCATEGORIZED
    SQL_SKIP_SHOW_DATABASE_DISABLED SCAN_UNCATEGORIZED
    SQL_TRACE_FLAG_3625 SCAN_UNCATEGORIZED
    SQL_USER_CONNECTIONS_CONFIGURED SCAN_UNCATEGORIZED
    SQL_USER_OPTIONS_CONFIGURED SCAN_UNCATEGORIZED
    SQL_WEAK_ROOT_PASSWORD SCAN_UNCATEGORIZED
    PUBLIC_LOG_BUCKET SCAN_UNCATEGORIZED
    ACCESSIBLE_GIT_REPOSITORY SCAN_UNCATEGORIZED DATA_EXFILTRATION
    ACCESSIBLE_SVN_REPOSITORY SCAN_NETWORK DATA_EXFILTRATION
    CACHEABLE_PASSWORD_INPUT SCAN_NETWORK NETWORK_SUSPICIOUS
    CLEAR_TEXT_PASSWORD SCAN_NETWORK NETWORK_MALICIOUS
    INSECURE_ALLOW_ORIGIN_ENDS_WITH_VALIDATION SCAN_UNCATEGORIZED
    INSECURE_ALLOW_ORIGIN_STARTS_WITH_VALIDATION SCAN_UNCATEGORIZED
    INVALID_CONTENT_TYPE SCAN_UNCATEGORIZED
    INVALID_HEADER SCAN_UNCATEGORIZED
    MISMATCHING_SECURITY_HEADER_VALUES SCAN_UNCATEGORIZED
    MISSPELLED_SECURITY_HEADER_NAME SCAN_UNCATEGORIZED
    MIXED_CONTENT SCAN_UNCATEGORIZED
    OUTDATED_LIBRARY SCAN_VULN_HOST SOFTWARE_SUSPICIOUS
    SERVER_SIDE_REQUEST_FORGERY SCAN_NETWORK NETWORK_MALICIOUS
    SESSION_ID_LEAK SCAN_NETWORK DATA_EXFILTRATION
    SQL_INJECTION SCAN_NETWORK EXPLOIT
    STRUTS_INSECURE_DESERIALIZATION SCAN_VULN_HOST SOFTWARE_SUSPICIOUS
    XSS SCAN_NETWORK SOFTWARE_SUSPICIOUS
    XSS_ANGULAR_CALLBACK SCAN_NETWORK SOFTWARE_SUSPICIOUS
    XSS_ERROR SCAN_HOST SOFTWARE_SUSPICIOUS
    XXE_REFLECTED_FILE_LEAKAGE SCAN_HOST SOFTWARE_SUSPICIOUS
    BASIC_AUTHENTICATION_ENABLED SCAN_UNCATEGORIZED
    CLIENT_CERT_AUTHENTICATION_DISABLED SCAN_UNCATEGORIZED
    LABELS_NOT_USED SCAN_UNCATEGORIZED
    PUBLIC_STORAGE_OBJECT SCAN_UNCATEGORIZED
    SQL_BROAD_ROOT_LOGIN SCAN_UNCATEGORIZED
    WEAK_CREDENTIALS SCAN_VULN_NETWORK NETWORK_MALICIOUS
    ELASTICSEARCH_API_EXPOSED SCAN_VULN_NETWORK NETWORK_MALICIOUS
    EXPOSED_GRAFANA_ENDPOINT SCAN_VULN_NETWORK NETWORK_MALICIOUS
    EXPOSED_METABASE SCAN_VULN_NETWORK NETWORK_MALICIOUS
    EXPOSED_SPRING_BOOT_ACTUATOR_ENDPOINT SCAN_VULN_NETWORK
    HADOOP_YARN_UNAUTHENTICATED_RESOURCE_MANAGER_API SCAN_VULN_NETWORK NETWORK_SUSPICIOUS
    JAVA_JMX_RMI_EXPOSED SCAN_VULN_NETWORK NETWORK_SUSPICIOUS
    JUPYTER_NOTEBOOK_EXPOSED_UI SCAN_VULN_NETWORK
    KUBERNETES_API_EXPOSED SCAN_VULN_NETWORK NETWORK_SUSPICIOUS
    UNFINISHED_WORDPRESS_INSTALLATION SCAN_VULN_NETWORK NETWORK_SUSPICIOUS
    UNAUTHENTICATED_JENKINS_NEW_ITEM_CONSOLE SCAN_VULN_NETWORK NETWORK_SUSPICIOUS
    APACHE_HTTPD_RCE SCAN_VULN_NETWORK NETWORK_SUSPICIOUS
    APACHE_HTTPD_SSRF SCAN_VULN_NETWORK NETWORK_SUSPICIOUS
    CONSUL_RCE SCAN_VULN_NETWORK NETWORK_SUSPICIOUS
    DRUID_RCE SCAN_VULN_NETWORK
    DRUPAL_RCE SCAN_VULN_NETWORK NETWORK_SUSPICIOUS
    FLINK_FILE_DISCLOSURE SCAN_VULN_NETWORK NETWORK_SUSPICIOUS
    GITLAB_RCE SCAN_VULN_NETWORK SOFTWARE_SUSPICIOUS
    GoCD_RCE SCAN_VULN_NETWORK SOFTWARE_SUSPICIOUS
    JENKINS_RCE SCAN_VULN_NETWORK SOFTWARE_SUSPICIOUS
    JOOMLA_RCE SCAN_VULN_NETWORK SOFTWARE_SUSPICIOUS
    LOG4J_RCE SCAN_VULN_NETWORK SOFTWARE_SUSPICIOUS
    MANTISBT_PRIVILEGE_ESCALATION SCAN_VULN_NETWORK SOFTWARE_SUSPICIOUS
    OGNL_RCE SCAN_VULN_NETWORK SOFTWARE_SUSPICIOUS
    OPENAM_RCE SCAN_VULN_NETWORK SOFTWARE_SUSPICIOUS
    ORACLE_WEBLOGIC_RCE SCAN_VULN_NETWORK SOFTWARE_SUSPICIOUS
    PHPUNIT_RCE SCAN_VULN_NETWORK SOFTWARE_SUSPICIOUS
    PHP_CGI_RCE SCAN_VULN_NETWORK SOFTWARE_SUSPICIOUS
    PORTAL_RCE SCAN_VULN_NETWORK SOFTWARE_SUSPICIOUS
    REDIS_RCE SCAN_VULN_NETWORK SOFTWARE_SUSPICIOUS
    SOLR_FILE_EXPOSED SCAN_VULN_NETWORK SOFTWARE_SUSPICIOUS
    SOLR_RCE SCAN_VULN_NETWORK SOFTWARE_SUSPICIOUS
    STRUTS_RCE SCAN_VULN_NETWORK SOFTWARE_SUSPICIOUS
    TOMCAT_FILE_DISCLOSURE SCAN_VULN_NETWORK SOFTWARE_SUSPICIOUS
    VBULLETIN_RCE SCAN_VULN_NETWORK SOFTWARE_SUSPICIOUS
    VCENTER_RCE SCAN_VULN_NETWORK SOFTWARE_SUSPICIOUS
    WEBLOGIC_RCE SCAN_VULN_NETWORK SOFTWARE_SUSPICIOUS
    OS_VULNERABILITY SCAN_VULN_HOST
    IAM_ROLE_HAS_EXCESSIVE_PERMISSIONS SCAN_UNCATEGORIZED SOFTWARE_SUSPICIOUS
    SERVICE_AGENT_GRANTED_BASIC_ROLE SCAN_UNCATEGORIZED SOFTWARE_SUSPICIOUS
    UNUSED_IAM_ROLE SCAN_UNCATEGORIZED
    SERVICE_AGENT_ROLE_REPLACED_WITH_BASIC_ROLE SCAN_UNCATEGORIZED SOFTWARE_SUSPICIOUS

    MISCONFIGURATION category to UDM event type

    The following table lists the event identifiers of the MISCONFIGURATION category and their corresponding UDM event types.

    Event Identifier Event Type
    API_KEY_APIS_UNRESTRICTED SCAN_UNCATEGORIZED
    API_KEY_APPS_UNRESTRICTED SCAN_UNCATEGORIZED
    API_KEY_EXISTS SCAN_UNCATEGORIZED
    API_KEY_NOT_ROTATED SCAN_UNCATEGORIZED
    PUBLIC_COMPUTE_IMAGE SCAN_HOST
    CONFIDENTIAL_COMPUTING_DISABLED SCAN_HOST
    COMPUTE_PROJECT_WIDE_SSH_KEYS_ALLOWED SCAN_UNCATEGORIZED
    COMPUTE_SECURE_BOOT_DISABLED SCAN_HOST
    DEFAULT_SERVICE_ACCOUNT_USED SCAN_UNCATEGORIZED
    FULL_API_ACCESS SCAN_UNCATEGORIZED
    OS_LOGIN_DISABLED SCAN_UNCATEGORIZED
    PUBLIC_IP_ADDRESS SCAN_UNCATEGORIZED
    SHIELDED_VM_DISABLED SCAN_UNCATEGORIZED
    COMPUTE_SERIAL_PORTS_ENABLED SCAN_NETWORK
    DISK_CMEK_DISABLED SCAN_UNCATEGORIZED
    HTTP_LOAD_BALANCER SCAN_NETWORK
    IP_FORWARDING_ENABLED SCAN_UNCATEGORIZED
    WEAK_SSL_POLICY SCAN_NETWORK
    BINARY_AUTHORIZATION_DISABLED SCAN_UNCATEGORIZED
    CLUSTER_LOGGING_DISABLED SCAN_UNCATEGORIZED
    CLUSTER_MONITORING_DISABLED SCAN_UNCATEGORIZED
    CLUSTER_PRIVATE_GOOGLE_ACCESS_DISABLED SCAN_UNCATEGORIZED
    CLUSTER_SECRETS_ENCRYPTION_DISABLED SCAN_UNCATEGORIZED
    INTRANODE_VISIBILITY_DISABLED SCAN_UNCATEGORIZED
    MASTER_AUTHORIZED_NETWORKS_DISABLED SCAN_UNCATEGORIZED
    NETWORK_POLICY_DISABLED SCAN_UNCATEGORIZED
    NODEPOOL_SECURE_BOOT_DISABLED SCAN_UNCATEGORIZED
    OVER_PRIVILEGED_ACCOUNT SCAN_UNCATEGORIZED
    OVER_PRIVILEGED_SCOPES SCAN_UNCATEGORIZED
    POD_SECURITY_POLICY_DISABLED SCAN_UNCATEGORIZED
    PRIVATE_CLUSTER_DISABLED SCAN_UNCATEGORIZED
    WORKLOAD_IDENTITY_DISABLED SCAN_UNCATEGORIZED
    LEGACY_AUTHORIZATION_ENABLED SCAN_UNCATEGORIZED
    NODEPOOL_BOOT_CMEK_DISABLED SCAN_UNCATEGORIZED
    WEB_UI_ENABLED SCAN_UNCATEGORIZED
    AUTO_REPAIR_DISABLED SCAN_UNCATEGORIZED
    AUTO_UPGRADE_DISABLED SCAN_UNCATEGORIZED
    CLUSTER_SHIELDED_NODES_DISABLED SCAN_UNCATEGORIZED
    RELEASE_CHANNEL_DISABLED SCAN_UNCATEGORIZED
    BIGQUERY_TABLE_CMEK_DISABLED SCAN_UNCATEGORIZED
    DATASET_CMEK_DISABLED SCAN_UNCATEGORIZED
    EGRESS_DENY_RULE_NOT_SET SCAN_NETWORK
    FIREWALL_RULE_LOGGING_DISABLED SCAN_NETWORK
    OPEN_CASSANDRA_PORT SCAN_NETWORK
    OPEN_SMTP_PORT SCAN_NETWORK
    OPEN_REDIS_PORT SCAN_NETWORK
    OPEN_POSTGRESQL_PORT SCAN_NETWORK
    OPEN_POP3_PORT SCAN_NETWORK
    OPEN_ORACLEDB_PORT SCAN_NETWORK
    OPEN_NETBIOS_PORT SCAN_NETWORK
    OPEN_MYSQL_PORT SCAN_NETWORK
    OPEN_MONGODB_PORT SCAN_NETWORK
    OPEN_MEMCACHED_PORT SCAN_NETWORK
    OPEN_LDAP_PORT SCAN_NETWORK
    OPEN_FTP_PORT SCAN_NETWORK
    OPEN_ELASTICSEARCH_PORT SCAN_NETWORK
    OPEN_DNS_PORT SCAN_NETWORK
    OPEN_HTTP_PORT SCAN_NETWORK
    OPEN_DIRECTORY_SERVICES_PORT SCAN_NETWORK
    OPEN_CISCOSECURE_WEBSM_PORT SCAN_NETWORK
    OPEN_RDP_PORT SCAN_NETWORK
    OPEN_TELNET_PORT SCAN_NETWORK
    OPEN_FIREWALL SCAN_NETWORK
    OPEN_SSH_PORT SCAN_NETWORK
    SERVICE_ACCOUNT_ROLE_SEPARATION SCAN_UNCATEGORIZED
    NON_ORG_IAM_MEMBER SCAN_UNCATEGORIZED
    OVER_PRIVILEGED_SERVICE_ACCOUNT_USER SCAN_UNCATEGORIZED
    ADMIN_SERVICE_ACCOUNT SCAN_UNCATEGORIZED
    SERVICE_ACCOUNT_KEY_NOT_ROTATED SCAN_UNCATEGORIZED
    USER_MANAGED_SERVICE_ACCOUNT_KEY SCAN_UNCATEGORIZED
    PRIMITIVE_ROLES_USED SCAN_UNCATEGORIZED
    KMS_ROLE_SEPARATION SCAN_UNCATEGORIZED
    OPEN_GROUP_IAM_MEMBER SCAN_UNCATEGORIZED
    KMS_KEY_NOT_ROTATED SCAN_UNCATEGORIZED
    KMS_PROJECT_HAS_OWNER SCAN_UNCATEGORIZED
    TOO_MANY_KMS_USERS SCAN_UNCATEGORIZED
    OBJECT_VERSIONING_DISABLED SCAN_UNCATEGORIZED
    LOCKED_RETENTION_POLICY_NOT_SET SCAN_UNCATEGORIZED
    BUCKET_LOGGING_DISABLED SCAN_UNCATEGORIZED
    LOG_NOT_EXPORTED SCAN_UNCATEGORIZED
    AUDIT_LOGGING_DISABLED SCAN_UNCATEGORIZED
    MFA_NOT_ENFORCED SCAN_UNCATEGORIZED
    ROUTE_NOT_MONITORED SCAN_NETWORK
    OWNER_NOT_MONITORED SCAN_NETWORK
    AUDIT_CONFIG_NOT_MONITORED SCAN_UNCATEGORIZED
    BUCKET_IAM_NOT_MONITORED SCAN_UNCATEGORIZED
    CUSTOM_ROLE_NOT_MONITORED SCAN_UNCATEGORIZED
    FIREWALL_NOT_MONITORED SCAN_NETWORK
    NETWORK_NOT_MONITORED SCAN_NETWORK
    SQL_INSTANCE_NOT_MONITORED SCAN_UNCATEGORIZED
    DEFAULT_NETWORK SCAN_NETWORK
    DNS_LOGGING_DISABLED SCAN_NETWORK
    PUBSUB_CMEK_DISABLED SCAN_UNCATEGORIZED
    PUBLIC_SQL_INSTANCE SCAN_NETWORK
    SSL_NOT_ENFORCED SCAN_NETWORK
    AUTO_BACKUP_DISABLED SCAN_UNCATEGORIZED
    SQL_CMEK_DISABLED SCAN_UNCATEGORIZED
    SQL_LOG_CHECKPOINTS_DISABLED SCAN_UNCATEGORIZED
    SQL_LOG_CONNECTIONS_DISABLED SCAN_UNCATEGORIZED
    SQL_LOG_DISCONNECTIONS_DISABLED SCAN_UNCATEGORIZED
    SQL_LOG_DURATION_DISABLED SCAN_UNCATEGORIZED
    SQL_LOG_LOCK_WAITS_DISABLED SCAN_UNCATEGORIZED
    SQL_LOG_STATEMENT SCAN_UNCATEGORIZED
    SQL_NO_ROOT_PASSWORD SCAN_UNCATEGORIZED
    SQL_PUBLIC_IP SCAN_NETWORK
    SQL_CONTAINED_DATABASE_AUTHENTICATION SCAN_UNCATEGORIZED
    SQL_CROSS_DB_OWNERSHIP_CHAINING SCAN_UNCATEGORIZED
    SQL_LOCAL_INFILE SCAN_UNCATEGORIZED
    SQL_LOG_MIN_ERROR_STATEMENT SCAN_UNCATEGORIZED
    SQL_LOG_MIN_ERROR_STATEMENT_SEVERITY SCAN_UNCATEGORIZED
    SQL_LOG_TEMP_FILES SCAN_UNCATEGORIZED
    SQL_REMOTE_ACCESS_ENABLED SCAN_UNCATEGORIZED
    SQL_SKIP_SHOW_DATABASE_DISABLED SCAN_UNCATEGORIZED
    SQL_TRACE_FLAG_3625 SCAN_UNCATEGORIZED
    SQL_USER_CONNECTIONS_CONFIGURED SCAN_UNCATEGORIZED
    SQL_USER_OPTIONS_CONFIGURED SCAN_UNCATEGORIZED
    PUBLIC_BUCKET_ACL SCAN_UNCATEGORIZED
    BUCKET_POLICY_ONLY_DISABLED SCAN_UNCATEGORIZED
    BUCKET_CMEK_DISABLED SCAN_UNCATEGORIZED
    FLOW_LOGS_DISABLED SCAN_NETWORK
    PRIVATE_GOOGLE_ACCESS_DISABLED SCAN_NETWORK
    kms_key_region_europe SCAN_UNCATEGORIZED
    kms_non_euro_region SCAN_UNCATEGORIZED
    LEGACY_NETWORK SCAN_NETWORK
    LOAD_BALANCER_LOGGING_DISABLED SCAN_NETWORK
    INSTANCE_OS_LOGIN_DISABLED SCAN_UNCATEGORIZED
    GKE_PRIVILEGE_ESCALATION SCAN_UNCATEGORIZED
    GKE_RUN_AS_NONROOT SCAN_UNCATEGORIZED
    GKE_HOST_PATH_VOLUMES SCAN_UNCATEGORIZED
    GKE_HOST_NAMESPACES SCAN_UNCATEGORIZED
    GKE_PRIVILEGED_CONTAINERS SCAN_UNCATEGORIZED
    GKE_HOST_PORTS SCAN_UNCATEGORIZED
    GKE_CAPABILITIES SCAN_UNCATEGORIZED

    OBSERVATION category to UDM event type

    The following table lists the event identifiers of the OBSERVATION category and their corresponding UDM event types.

    Event Identifier Event Type
    Persistence: Project SSH Key Added SETTING_MODIFICATION
    Persistence: Add Sensitive Role RESOURCE_PERMISSIONS_CHANGE
    Impact: GPU Instance Created USER_RESOURCE_CREATION
    Impact: Many Instances Created USER_RESOURCE_CREATION

    ERROR category to UDM event type

    The following table lists the event identifiers of the ERROR category and their corresponding UDM event types.

    Event Identifier Event Type
    VPC_SC_RESTRICTION SCAN_UNCATEGORIZED
    MISCONFIGURED_CLOUD_LOGGING_EXPORT SCAN_UNCATEGORIZED
    API_DISABLED SCAN_UNCATEGORIZED
    KTD_IMAGE_PULL_FAILURE SCAN_UNCATEGORIZED
    KTD_BLOCKED_BY_ADMISSION_CONTROLLER SCAN_UNCATEGORIZED
    KTD_SERVICE_ACCOUNT_MISSING_PERMISSIONS SCAN_UNCATEGORIZED
    GKE_SERVICE_ACCOUNT_MISSING_PERMISSIONS SCAN_UNCATEGORIZED
    SCC_SERVICE_ACCOUNT_MISSING_PERMISSIONS SCAN_UNCATEGORIZED

    UNSPECIFIED category to UDM event type

    The following table lists the event identifiers of the UNSPECIFIED category with their corresponding UDM event types and security categories.

    Event Identifier Event Type Security Category
    OPEN_FIREWALL SCAN_VULN_HOST POLICY_VIOLATION

    POSTURE_VIOLATION category to UDM event type

    The following table lists the event identifiers of the POSTURE_VIOLATION category and their corresponding UDM event types.

    Event Identifier Event Type
    SECURITY_POSTURE_DRIFT SERVICE_MODIFICATION
    SECURITY_POSTURE_POLICY_DRIFT SCAN_UNCATEGORIZED
    SECURITY_POSTURE_POLICY_DELETE SCAN_UNCATEGORIZED
    SECURITY_POSTURE_DETECTOR_DRIFT SCAN_UNCATEGORIZED
    SECURITY_POSTURE_DETECTOR_DELETE SCAN_UNCATEGORIZED

    Field mapping reference: VULNERABILITY

    The following table lists the log fields of the VULNERABILITY category and their corresponding UDM fields.

    RawLog field UDM mapping Logic
    assetDisplayName target.asset.attribute.labels.key/value [assetDisplayName]
    assetId target.asset.asset_id
    findingProviderId target.resource.attribute.labels.key/value [findings_findingProviderId]
    sourceDisplayName target.resource.attribute.labels.key/value [sourceDisplayName]
    sourceProperties.description extensions.vuln.vulnerabilities.description
    sourceProperties.finalUrl network.http.referral_url
    sourceProperties.form.fields target.resource.attribute.labels.key/value [sourceProperties_form_fields]
    sourceProperties.httpMethod network.http.method
    sourceProperties.name target.resource.attribute.labels.key/value [sourceProperties_name]
    sourceProperties.outdatedLibrary.learnMoreUrls target.resource.attribute.labels.key/value[sourceProperties_outdatedLibrary_learnMoreUrls]
    sourceProperties.outdatedLibrary.libraryName target.resource.attribute.labels.key/value[outdatedLibrary.libraryName]
    sourceProperties.outdatedLibrary.version target.resource.attribute.labels.key/value[sourceProperties_outdatedLibrary_libraryName]
    sourceProperties.ResourcePath target.resource.attribute.labels.key/value[sourceProperties_ResourcePath]
    externalUri about.url
    category extensions.vuln.vulnerabilities.name
    resourceName principal.asset.location.name Extracted region from resourceName using a Grok pattern, and mapped to the principal.asset.location.name UDM field.
    resourceName principal.asset.product_object_id Extracted asset_prod_obj_id from resourceName using a Grok pattern, and mapped to the principal.asset.product_object_id UDM field.
    resourceName principal.asset.attribute.cloud.availability_zone Extracted zone_suffix from resourceName using a Grok pattern, and mapped to the principal.asset.attribute.cloud.availability_zone UDM field.
    sourceProperties.RevokedIamPermissionsCount security_result.detection_fields.key/value[revoked_Iam_permissions_count]
    sourceProperties.TotalRecommendationsCount security_result.detection_fields.key/value[total_recommendations_count]
    sourceProperties.DeactivationReason security_result.detection_fields.key/value[deactivation_reason]
    iamBindings.role about.user.attribute.roles.name
    iamBindings.member about.user.email_addresses
    iamBindings.action about.user.attribute.labels.key/value[action]

    Field mapping reference: MISCONFIGURATION

    The following table lists the log fields of the MISCONFIGURATION category and their corresponding UDM fields.

    RawLog field UDM mapping
    assetDisplayName target.asset.attribute.labels.key/value [assetDisplayName]
    assetId target.asset.asset_id
    externalUri about.url
    findingProviderId target.resource.attribute.labels[findingProviderId]
    sourceDisplayName target.resource.attribute.labels[sourceDisplayName]
    sourceProperties.Recommendation security_result.detection_fields.key/value[sourceProperties_Recommendation]
    sourceProperties.ExceptionInstructions security_result.detection_fields.key/value[sourceProperties_ExceptionInstructions]
    sourceProperties.ScannerName principal.labels.key/value[sourceProperties_ScannerName]
    sourceProperties.ResourcePath target.resource.attribute.labels.key/value[sourceProperties_ResourcePath]
    sourceProperties.ReactivationCount target.resource.attribute.labels.key/value [sourceProperties_ReactivationCount]
    sourceProperties.DeactivationReason target.resource.attribute.labels.key/value [DeactivationReason]
    sourceProperties.ActionRequiredOnProject target.resource.attribute.labels.key/value [sourceProperties_ActionRequiredOnProject]
    sourceProperties.VulnerableNetworkInterfaceNames target.resource.attribute.labels.key/value [sourceProperties_VulnerableNetworkInterfaceNames]
    sourceProperties.VulnerableNodePools target.resource.attribute.labels.key/value [sourceProperties_VulnerableNodePools]
    sourceProperties.VulnerableNodePoolsList target.resource.attribute.labels.key/value [sourceProperties_VulnerableNodePoolsList]
    sourceProperties.AllowedOauthScopes target.resource.attribute.permissions.name
    sourceProperties.ExposedService target.application
    sourceProperties.OpenPorts.TCP target.resource.attribute.labels.key/value[sourceProperties_OpenPorts_TCP]
    sourceProperties.OffendingIamRolesList.member about.user.email_addresses
    sourceProperties.OffendingIamRolesList.roles about.user.attribute.roles.name
    sourceProperties.ActivationTrigger target.resource.attribute.labels.key/value [sourceProperties_ActivationTrigger]
    sourceProperties.MfaDetails.users target.resource.attribute.labels.key/value [sourceProperties_MfaDetails_users]
    sourceProperties.MfaDetails.enrolled target.resource.attribute.labels.key/value [sourceProperties_MfaDetails_enrolled]
    sourceProperties.MfaDetails.enforced target.resource.attribute.labels.key/value [sourceProperties_MfaDetails_enforced]
    sourceProperties.MfaDetails.advancedProtection target.resource.attribute.labels.key/value [sourceProperties_MfaDetails_advancedProtection]
    sourceProperties.cli_remediation target.process.command_line_history
    sourceProperties.OpenPorts.UDP target.resource.attribute.labels.key/value[sourceProperties_OpenPorts_UDP]
    sourceProperties.HasAdminRoles target.resource.attribute.labels.key/value [sourceProperties_HasAdminRoles]
    sourceProperties.HasEditRoles target.resource.attribute.labels.key/value [sourceProperties_HasEditRoles]
    sourceProperties.AllowedIpRange target.resource.attribute.labels.key/value [sourceProperties_AllowedIpRange]
    sourceProperties.ExternalSourceRanges target.resource.attribute.labels.key/value [sourceProperties_ExternalSourceRanges]
    sourceProperties.ExternallyAccessibleProtocolsAndPorts.IPProtocol target.resource.attribute.labels.key/value [sourceProperties_ExternallyAccessibleProtocolsAndPorts_IPProtocol]
    sourceProperties.OpenPorts.SCTP target.resource.attribute.labels.key/value[sourceProperties_OpenPorts_SCTP]
    sourceProperties.RecommendedLogFilter target.resource.attribute.labels.key/value [sourceProperties_RecommendedLogFilter]
    sourceProperties.QualifiedLogMetricNames target.resource.attribute.labels.key/value [sourceProperties_QualifiedLogMetricNames]
    sourceProperties.HasDefaultPolicy target.resource.attribute.labels.key/value [sourceProperties_HasDefaultPolicy]
    sourceProperties.CompatibleFeatures target.resource.attribute.labels.key/value [sourceProperties_CompatibleFeatures]
    sourceProperties.TargetProxyUrl target.url
    sourceProperties.OffendingIamRolesList.description about.user.attribute.roles.description
    sourceProperties.DatabaseVersion target.resource.attribute.labels[sourceProperties_DatabaseVersion]

    Field mapping reference: OBSERVATION

    The following table lists the log fields of the OBSERVATION category and their corresponding UDM fields.

    RawLog field UDM mapping
    findingProviderId target.resource.attribute.labels[findingProviderId]
    sourceDisplayName target.resource.attribute.labels.key/value [sourceDisplayName]
    assetDisplayName target.asset.attribute.labels.key/value [asset_display_name]
    assetId target.asset.asset_id

    Field mapping reference: ERROR

    The following table lists the log fields of the ERROR category and their corresponding UDM fields.

    RawLog field UDM mapping
    externalUri about.url
    sourceProperties.ReactivationCount target.resource.attribute.labels.key/value [sourceProperties_ReactivationCount]
    findingProviderId target.resource.attribute.labels[findingProviderId]
    sourceDisplayName target.resource.attribute.labels.key/value [sourceDisplayName]

    Field mapping reference: UNSPECIFIED

    The following table lists the log fields of the UNSPECIFIED category and their corresponding UDM fields.

    RawLog field UDM mapping
    sourceProperties.ScannerName principal.labels.key/value [sourceProperties_ScannerName]
    sourceProperties.ResourcePath src.resource.attribute.labels.key/value [sourceProperties_ResourcePath]
    sourceProperties.ReactivationCount target.resource.attribute.labels.key/value [sourceProperties_ReactivationCount]
    sourceProperties.AllowedIpRange target.resource.attribute.labels.key/value [sourceProperties_AllowedIpRange]
    sourceProperties.ExternallyAccessibleProtocolsAndPorts.IPProtocol target.resource.attribute.labels.key/value [sourceProperties_ExternallyAccessibleProtocolsAndPorts_IPProtocol]
    sourceProperties.ExternallyAccessibleProtocolsAndPorts.ports target.resource.attribute.labels.key/value [sourceProperties_ExternallyAccessibleProtocolsAndPorts_ports]
    sourceDisplayName target.resource.attribute.labels.key/value [sourceDisplayName]

    Field mapping reference: POSTURE_VIOLATION

    The following table lists the log fields of the POSTURE_VIOLATION category and their corresponding UDM fields.

    Log field UDM mapping Logic
    finding.resourceName target.resource.name, target.resource_ancestors.name If the finding.resourceName log field value is not empty, then the finding.resourceName log field is mapped to the target.resource.name UDM field.

    The project_name field is extracted from the finding.resourceName log field using a Grok pattern.

    If the project_name field value is not empty, then the project_name field is mapped to the target.resource_ancestors.name UDM field.
    resourceName target.resource.name, target.resource_ancestors.name If the resourceName log field value is not empty, then the resourceName log field is mapped to the target.resource.name UDM field.

    The project_name field is extracted from the resourceName log field using a Grok pattern.

    If the project_name field value is not empty, then the project_name field is mapped to the target.resource_ancestors.name UDM field.
    finding.sourceProperties.posture_revision_id security_result.detection_fields[source_properties_posture_revision_id]
    sourceProperties.posture_revision_id security_result.detection_fields[source_properties_posture_revision_id]
    sourceProperties.revision_id security_result.detection_fields[source_properties_posture_revision_id]
    finding.sourceProperties.policy_drift_details.drift_details.expected_configuration security_result.rule_labels[policy_drift_details_expected_configuration]
    sourceProperties.policy_drift_details.drift_details.expected_configuration security_result.rule_labels[policy_drift_details_expected_configuration]
    finding.sourceProperties.policy_drift_details.drift_details.detected_configuration security_result.rule_labels[policy_drift_details_detected_configuration]
    sourceProperties.policy_drift_details.drift_details.detected_configuration security_result.rule_labels[policy_drift_details_detected_configuration]
    finding.sourceProperties.policy_drift_details.field_name security_result.rule_labels[policy_drift_details_field_name]
    sourceProperties.policy_drift_details.field_name security_result.rule_labels[policy_drift_details_field_name]
    finding.sourceProperties.changed_policy security_result.rule_name
    sourceProperties.changed_policy security_result.rule_name
    finding.sourceProperties.posture_deployment_resource security_result.detection_fields[source_properties_posture_deployment_resource]
    sourceProperties.posture_deployment_resource security_result.detection_fields[source_properties_posture_deployment_resource]
    finding.sourceProperties.posture_name target.application
    sourceProperties.posture_name target.application
    sourceProperties.name target.application
    finding.sourceProperties.posture_deployment_name security_result.detection_fields[source_properties_posture_deployment_name]
    sourceProperties.posture_deployment_name security_result.detection_fields[source_properties_posture_deployment_name]
    sourceProperties.posture_deployment security_result.detection_fields[source_properties_posture_deployment_name]
    finding.propertyDataTypes.policy_drift_details.listValues.propertyDataTypes.structValue.fields.drift_details.structValue.fields.expected_configuration.primitiveDataType security_result.rule_labels[expected_configuration_primitive_data_type]
    propertyDataTypes.policy_drift_details.listValues.propertyDataTypes.structValue.fields.drift_details.structValue.fields.expected_configuration.primitiveDataType security_result.rule_labels[expected_configuration_primitive_data_type]
    finding.propertyDataTypes.policy_drift_details.listValues.propertyDataTypes.structValue.fields.drift_details.structValue.fields.detected_configuration.primitiveDataType security_result.rule_labels[detected_configuration_primitive_data_type]
    propertyDataTypes.policy_drift_details.listValues.propertyDataTypes.structValue.fields.drift_details.structValue.fields.detected_configuration.primitiveDataType security_result.rule_labels[detected_configuration_primitive_data_type]
    finding.propertyDataTypes.policy_drift_details.listValues.propertyDataTypes.structValue.fields.field_name.primitiveDataType security_result.rule_labels[field_name_primitive_data_type]
    propertyDataTypes.policy_drift_details.listValues.propertyDataTypes.structValue.fields.field_name.primitiveDataType security_result.rule_labels[field_name_primitive_data_type]
    finding.propertyDataTypes.changed_policy.primitiveDataType security_result.rule_labels[changed_policy_primitive_data_type]
    propertyDataTypes.changed_policy.primitiveDataType security_result.rule_labels[changed_policy_primitive_data_type]
    finding.propertyDataTypes.posture_revision_id.primitiveDataType security_result.detection_fields[posture_revision_id_primitiveDataType]
    propertyDataTypes.posture_revision_id.primitiveDataType security_result.detection_fields[posture_revision_id_primitiveDataType]
    finding.propertyDataTypes.posture_name.primitiveDataType security_result.detection_fields[posture_name_primitiveDataType]
    propertyDataTypes.posture_name.primitiveDataType security_result.detection_fields[posture_name_primitiveDataType]
    finding.propertyDataTypes.posture_deployment_name.primitiveDataType security_result.detection_fields[posture_deployment_name_primitiveDataType]
    propertyDataTypes.posture_deployment_name.primitiveDataType security_result.detection_fields[posture_deployment_name_primitiveDataType]
    finding.propertyDataTypes.posture_deployment_resource.primitiveDataType security_result.detection_fields[posture_deployment_resource_primitiveDataType]
    propertyDataTypes.posture_deployment_resource.primitiveDataType security_result.detection_fields[posture_deployment_resource_primitiveDataType]
    finding.originalProviderId target.resource.attribute.labels[original_provider_id]
    originalProviderId target.resource.attribute.labels[original_provider_id]
    finding.securityPosture.name security_result.detection_fields[security_posture_name]
    securityPosture.name security_result.detection_fields[security_posture_name]
    finding.securityPosture.revisionId security_result.detection_fields[security_posture_revision_id]
    securityPosture.revisionId security_result.detection_fields[security_posture_revision_id]
    finding.securityPosture.postureDeploymentResource security_result.detection_fields[posture_deployment_resource]
    securityPosture.postureDeploymentResource security_result.detection_fields[posture_deployment_resource]
    finding.securityPosture.postureDeployment security_result.detection_fields[posture_deployment]
    securityPosture.postureDeployment security_result.detection_fields[posture_deployment]
    finding.securityPosture.changedPolicy security_result.rule_labels[changed_policy]
    securityPosture.changedPolicy security_result.rule_labels[changed_policy]
    finding.cloudProvider about.resource.attribute.cloud.environment If the finding.cloudProvider log field value is one of the following values, then the finding.cloudProvider log field is mapped to the about.resource.attribute.cloud.environment UDM field:
    • MICROSOFT_AZURE
    • GOOGLE_CLOUD_PLATFORM
    • AMAZON_WEB_SERVICES
    cloudProvider about.resource.attribute.cloud.environment If the cloudProvider log field value is one of the following values, then the cloudProvider log field is mapped to the about.resource.attribute.cloud.environment UDM field:
    • MICROSOFT_AZURE
    • GOOGLE_CLOUD_PLATFORM
    • AMAZON_WEB_SERVICES
    resource.cloudProvider target.resource.attribute.cloud.environment If the resource.cloudProvider log field value is one of the following values, then the resource.cloudProvider log field is mapped to the target.resource.attribute.cloud.environment UDM field:
    • MICROSOFT_AZURE
    • GOOGLE_CLOUD_PLATFORM
    • AMAZON_WEB_SERVICES
    resource.organization target.resource.attribute.labels[resource_organization]
    resource.gcpMetadata.organization target.resource.attribute.labels[resource_organization]
    resource.service target.resource_ancestors.name
    resource.resourcePath.nodes.nodeType target.resource_ancestors.resource_subtype
    resource.resourcePath.nodes.id target.resource_ancestors.product_object_id
    resource.resourcePath.nodes.displayName target.resource_ancestors.name
    resource.resourcePathString target.resource.attribute.labels[resource_path_string]
    finding.risks.riskCategory security_result.detection_fields[risk_category]
    finding.securityPosture.policyDriftDetails.field security_result.rule_labels[policy_drift_details_field]
    finding.securityPosture.policyDriftDetails.expectedValue security_result.rule_labels[policy_drift_details_expected_value]
    finding.securityPosture.policyDriftDetails.detectedValue security_result.rule_labels[policy_drift_details_detected_value]
    finding.securityPosture.policySet security_result.rule_set
    sourceProperties.categories security_result.detection_fields[source_properties_categories]
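    The conditional rules in these tables (a value copied only when it is in an allow-list, a field whose destination depends on the finding category, a regular expression that decides between two UDM fields) are easier to verify against a sample than to read. The following Python is added here as an illustration and is not Google's parser code: it applies a subset of the rules from the POSTURE_VIOLATION table above and from the common-fields table that follows to two constructed findings. The project-name regex stands in for the parser's Grok pattern, which this page does not show, and every finding value is made up.

```python
import re

# Values the parser accepts for *.cloud.environment (cloudProvider rows).
CLOUD_ENVIRONMENTS = {"MICROSOFT_AZURE", "GOOGLE_CLOUD_PLATFORM", "AMAZON_WEB_SERVICES"}
# sourceProperties.detectionPriority -> security_result.priority
PRIORITY = {"HIGH": "HIGH_PRIORITY", "MEDIUM": "MEDIUM_PRIORITY", "LOW": "LOW_PRIORITY"}
# The page's regular expression for routing access.principalEmail.
EMAIL_RE = re.compile(r"^.+@.+$")
# ASSUMPTION: the parser's Grok pattern for project_name is not published on
# this page; this regex pulls the project ID out of a full resource name.
PROJECT_RE = re.compile(r"/projects/([^/]+)")

OVER_PRIVILEGED = "Exfiltration: CloudSQL Over-Privileged Grant"


def get_path(obj, path):
    """Walk a dotted path through nested dicts; None if any hop is missing."""
    for key in path.split("."):
        if not isinstance(obj, dict) or key not in obj:
            return None
        obj = obj[key]
    return obj


def normalize(finding):
    """Return a flat {udm_field: value} dict for the rules modelled here."""
    udm = {}

    # POSTURE_VIOLATION: resourceName -> target.resource.name, and the
    # extracted project -> target.resource_ancestors.name.
    resource_name = finding.get("resourceName")
    if resource_name:
        udm["target.resource.name"] = resource_name
        match = PROJECT_RE.search(resource_name)
        if match:
            udm["target.resource_ancestors.name"] = match.group(1)

    # cloudProvider is copied only when it is one of the three known values.
    provider = finding.get("cloudProvider")
    if provider in CLOUD_ENVIRONMENTS:
        udm["about.resource.attribute.cloud.environment"] = provider

    # state ACTIVE -> ALERTING, anything else -> NOT_ALERTING.
    udm["security_result.alert_state"] = (
        "ALERTING" if finding.get("state") == "ACTIVE" else "NOT_ALERTING"
    )

    # account_type comes from a regex over access.principalSubject;
    # serviceAccount is tested before user.
    subject = get_path(finding, "access.principalSubject") or ""
    if re.search("serviceAccount", subject):
        udm["principal.user.account_type"] = "SERVICE_ACCOUNT_TYPE"
    elif re.search("user", subject):
        udm["principal.user.account_type"] = "CLOUD_ACCOUNT_TYPE"

    # access.principalEmail goes to email_addresses when it looks like an
    # address, otherwise to userid.
    email = get_path(finding, "access.principalEmail")
    if email:
        if EMAIL_RE.match(email):
            udm["principal.user.email_addresses"] = [email]
        else:
            udm["principal.user.userid"] = email

    priority = get_path(finding, "sourceProperties.detectionPriority")
    if priority in PRIORITY:
        udm["security_result.priority"] = PRIORITY[priority]

    # category_details is the concatenation "findingClass - category".
    finding_class, category = finding.get("findingClass"), finding.get("category")
    if finding_class and category:
        udm["security_result.category_details"] = f"{finding_class} - {category}"

    # database.query lands on src for the over-privileged-grant finding and
    # on target for every other category.
    query = get_path(finding, "database.query")
    if query:
        side = "src" if category == OVER_PRIVILEGED else "target"
        udm[f"{side}.process.command_line"] = query

    return udm


# Constructed findings (not real Security Command Center output), trimmed to
# the fields the rules above read.
THREAT_FINDING = {
    "findingClass": "THREAT",
    "category": OVER_PRIVILEGED,
    "state": "ACTIVE",
    "resourceName": "//sqladmin.googleapis.com/projects/example-project/instances/prod-db",
    "cloudProvider": "GOOGLE_CLOUD_PLATFORM",
    "access": {
        "principalEmail": "deployer@example-project.iam.gserviceaccount.com",
        "principalSubject": "serviceAccount:deployer@example-project.iam.gserviceaccount.com",
    },
    "database": {"query": "GRANT ALL PRIVILEGES ON *.* TO 'app'@'%'"},
    "sourceProperties": {"detectionPriority": "HIGH"},
}

POSTURE_FINDING = {
    "findingClass": "POSTURE_VIOLATION",
    "category": "SECURITY_POSTURE_DRIFT",  # constructed value
    "state": "INACTIVE",
    "resourceName": "//cloudresourcemanager.googleapis.com/projects/example-project",
    "cloudProvider": "UNKNOWN_PROVIDER",  # not in the allow-list, so dropped
    "access": {"principalEmail": "1234567890", "principalSubject": "user:alice@example.com"},
    "sourceProperties": {"detectionPriority": "LOW"},
}

if __name__ == "__main__":
    for sample in (THREAT_FINDING, POSTURE_FINDING):
        for field, value in sorted(normalize(sample).items()):
            print(f"{field} = {value}")
        print()
```

    Running it prints the UDM fields each constructed finding would populate; the second finding shows the negative branches (unknown provider dropped, INACTIVE becoming NOT_ALERTING, a numeric principalEmail routed to userid), which are the cases that most often surprise rule authors when a UDM search returns nothing.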

    Common Fields: SECURITY COMMAND CENTER - VULNERABILITY, MISCONFIGURATION, OBSERVATION, ERROR, UNSPECIFIED, POSTURE_VIOLATION, TOXIC_COMBINATION

    The following table lists common fields of the SECURITY COMMAND CENTER - VULNERABILITY, MISCONFIGURATION, OBSERVATION, ERROR, UNSPECIFIED, POSTURE_VIOLATION, TOXIC_COMBINATION categories and their corresponding UDM fields.

    RawLog field UDM mapping Logic
    compliances.ids about.labels [compliance_ids] (deprecated)
    compliances.ids additional.fields [compliance_ids]
    compliances.version about.labels [compliance_version] (deprecated)
    compliances.version additional.fields [compliance_version]
    compliances.standard about.labels [compliances_standard] (deprecated)
    compliances.standard additional.fields [compliances_standard]
    connections.destinationIp about.labels [connections_destination_ip] (deprecated) If the connections.destinationIp log field value is not equal to the sourceProperties.properties.ipConnection.destIp, then the connections.destinationIp log field is mapped to the about.labels.value UDM field.
    connections.destinationIp additional.fields [connections_destination_ip] If the connections.destinationIp log field value is not equal to the sourceProperties.properties.ipConnection.destIp, then the connections.destinationIp log field is mapped to the additional.fields.value UDM field.
    connections.destinationPort about.labels [connections_destination_port] (deprecated)
    connections.destinationPort additional.fields [connections_destination_port]
    connections.protocol about.labels [connections_protocol] (deprecated)
    connections.protocol additional.fields [connections_protocol]
    connections.sourceIp about.labels [connections_source_ip] (deprecated)
    connections.sourceIp additional.fields [connections_source_ip]
    connections.sourcePort about.labels [connections_source_port] (deprecated)
    connections.sourcePort additional.fields [connections_source_port]
    kubernetes.pods.ns target.resource_ancestors.attribute.labels.key/value [kubernetes_pods_ns]
    kubernetes.pods.name target.resource_ancestors.name
    kubernetes.nodes.name target.resource_ancestors.name
    kubernetes.nodePools.name target.resource_ancestors.name
    target.resource_ancestors.resource_type The target.resource_ancestors.resource_type UDM field is set to CLUSTER.
    about.resource.attribute.cloud.environment The about.resource.attribute.cloud.environment UDM field is set to GOOGLE_CLOUD_PLATFORM.
    externalSystems.assignees about.resource.attribute.labels.key/value [externalSystems_assignees]
    externalSystems.status about.resource.attribute.labels.key/value [externalSystems_status]
    kubernetes.nodePools.nodes.name target.resource.attribute.labels.key/value [kubernetes_nodePools_nodes_name]
    kubernetes.pods.containers.uri target.resource.attribute.labels.key/value [kubernetes_pods_containers_uri]
    kubernetes.roles.kind target.resource.attribute.labels.key/value [kubernetes_roles_kind]
    kubernetes.roles.name target.resource.attribute.labels.key/value [kubernetes_roles_name]
    kubernetes.roles.ns target.resource.attribute.labels.key/value [kubernetes_roles_ns]
    kubernetes.pods.containers.labels.name/value target.resource.attribute.labels.key/value [kubernetes.pods.containers.labels.name/value]
    kubernetes.pods.labels.name/value target.resource.attribute.labels.key/value [kubernetes.pods.labels.name/value]
    externalSystems.externalSystemUpdateTime about.resource.attribute.last_update_time
    externalSystems.name about.resource.name
    externalSystems.externalUid about.resource.product_object_id
    indicator.uris about.url
    vulnerability.cve.references.uri extensions.vulns.vulnerabilities.about.labels [vulnerability.cve.references.uri] (deprecated)
    vulnerability.cve.references.uri additional.fields [vulnerability.cve.references.uri]
    vulnerability.cve.cvssv3.attackComplexity extensions.vulns.vulnerabilities.about.labels [vulnerability_cve_cvssv3_attackComplexity] (deprecated)
    vulnerability.cve.cvssv3.attackComplexity additional.fields [vulnerability_cve_cvssv3_attackComplexity]
    vulnerability.cve.cvssv3.availabilityImpact extensions.vulns.vulnerabilities.about.labels [vulnerability_cve_cvssv3_availabilityImpact] (deprecated)
    vulnerability.cve.cvssv3.availabilityImpact additional.fields [vulnerability_cve_cvssv3_availabilityImpact]
    vulnerability.cve.cvssv3.confidentialityImpact extensions.vulns.vulnerabilities.about.labels [vulnerability_cve_cvssv3_confidentialityImpact] (deprecated)
    vulnerability.cve.cvssv3.confidentialityImpact additional.fields [vulnerability_cve_cvssv3_confidentialityImpact]
    vulnerability.cve.cvssv3.integrityImpact extensions.vulns.vulnerabilities.about.labels [vulnerability_cve_cvssv3_integrityImpact] (deprecated)
    vulnerability.cve.cvssv3.integrityImpact additional.fields [vulnerability_cve_cvssv3_integrityImpact]
    vulnerability.cve.cvssv3.privilegesRequired extensions.vulns.vulnerabilities.about.labels [vulnerability_cve_cvssv3_privilegesRequired] (deprecated)
    vulnerability.cve.cvssv3.privilegesRequired additional.fields [vulnerability_cve_cvssv3_privilegesRequired]
    vulnerability.cve.cvssv3.scope extensions.vulns.vulnerabilities.about.labels [vulnerability_cve_cvssv3_scope] (deprecated)
    vulnerability.cve.cvssv3.scope additional.fields [vulnerability_cve_cvssv3_scope]
    vulnerability.cve.cvssv3.userInteraction extensions.vulns.vulnerabilities.about.labels [vulnerability_cve_cvssv3_userInteraction] (deprecated)
    vulnerability.cve.cvssv3.userInteraction additional.fields [vulnerability_cve_cvssv3_userInteraction]
    vulnerability.cve.references.source extensions.vulns.vulnerabilities.about.labels [vulnerability_cve_references_source] (deprecated)
    vulnerability.cve.references.source additional.fields [vulnerability_cve_references_source]
    vulnerability.cve.upstreamFixAvailable extensions.vulns.vulnerabilities.about.labels [vulnerability_cve_upstreamFixAvailable] (deprecated)
    vulnerability.cve.upstreamFixAvailable additional.fields [vulnerability_cve_upstreamFixAvailable]
    vulnerability.cve.id extensions.vulns.vulnerabilities.cve_id
    vulnerability.cve.cvssv3.baseScore extensions.vulns.vulnerabilities.cvss_base_score
    vulnerability.cve.cvssv3.attackVector extensions.vulns.vulnerabilities.cvss_vector
    vulnerability.cve.impact extensions.vulns.vulnerabilities.about.security_result.detection_fields[vulnerability_cve_impact]
    vulnerability.cve.exploitationActivity extensions.vulns.vulnerabilities.about.security_result.detection_fields[vulnerability_cve_exploitation_activity]
    parentDisplayName metadata.description
    eventTime metadata.event_timestamp
    category metadata.product_event_type
    sourceProperties.evidence.sourceLogId.insertId metadata.product_log_id If the canonicalName log field value is not empty, then finding_id is extracted from the canonicalName log field using a Grok pattern.

    If the extracted finding_id value is empty, then the sourceProperties.evidence.sourceLogId.insertId log field is mapped to the metadata.product_log_id UDM field.

    If the canonicalName log field value is empty, then the sourceProperties.evidence.sourceLogId.insertId log field is mapped to the metadata.product_log_id UDM field.
    sourceProperties.contextUris.cloudLoggingQueryUri.url security_result.detection_fields.key/value[sourceProperties_contextUris_cloudLoggingQueryUri_url]
    sourceProperties.sourceId.customerOrganizationNumber principal.resource.attribute.labels.key/value [sourceProperties_sourceId_customerOrganizationNumber] If the message log field value matches the regular expression sourceProperties.sourceId.*?customerOrganizationNumber, then the sourceProperties.sourceId.customerOrganizationNumber log field is mapped to the principal.resource.attribute.labels.value UDM field.
    resource.projectName principal.resource.name
    resource.gcpMetadata.project principal.resource.name
    principal.user.account_type If the access.principalSubject log field value matches the regular expression serviceAccount, then the principal.user.account_type UDM field is set to SERVICE_ACCOUNT_TYPE.

    Else, if the access.principalSubject log field value matches the regular expression user, then the principal.user.account_type UDM field is set to CLOUD_ACCOUNT_TYPE.
    access.principalSubject principal.user.attribute.labels.key/value [access_principalSubject]
    access.serviceAccountDelegationInfo.principalSubject principal.user.attribute.labels.key/value [access_serviceAccountDelegationInfo_principalSubject]
    access.serviceAccountKeyName principal.user.attribute.labels.key/value [access_serviceAccountKeyName]
    access.principalEmail principal.user.email_addresses If the access.principalEmail log field value is not empty and the access.principalEmail log field value matches the regular expression ^.+@.+$, then the access.principalEmail log field is mapped to the principal.user.email_addresses UDM field.
    access.principalEmail principal.user.userid If the access.principalEmail log field value is not empty and the access.principalEmail log field value does not match the regular expression ^.+@.+$, then the access.principalEmail log field is mapped to the principal.user.userid UDM field.
    database.userName principal.user.userid
    workflowState security_result.about.investigation.status
    sourceProperties.findingId metadata.product_log_id
    kubernetes.accessReviews.group target.resource.attribute.labels.key/value [kubernetes_accessReviews_group]
    kubernetes.accessReviews.name target.resource.attribute.labels.key/value [kubernetes_accessReviews_name]
    kubernetes.accessReviews.ns target.resource.attribute.labels.key/value [kubernetes_accessReviews_ns]
    kubernetes.accessReviews.resource target.resource.attribute.labels.key/value [kubernetes_accessReviews_resource]
    kubernetes.accessReviews.subresource target.resource.attribute.labels.key/value [kubernetes_accessReviews_subresource]
    kubernetes.accessReviews.verb target.resource.attribute.labels.key/value [kubernetes_accessReviews_verb]
    kubernetes.accessReviews.version target.resource.attribute.labels.key/value [kubernetes_accessReviews_version]
    kubernetes.bindings.name security_result.about.resource.attribute.labels.key/value [kubernetes_bindings_name]
    kubernetes.bindings.ns target.resource.attribute.labels.key/value [kubernetes_bindings_ns]
    kubernetes.bindings.role.kind target.resource.attribute.labels.key/value [kubernetes_bindings_role_kind]
    kubernetes.bindings.role.ns target.resource.attribute.labels.key/value [kubernetes_bindings_role_ns]
    kubernetes.bindings.subjects.kind target.resource.attribute.labels.key/value [kubernetes_bindings_subjects_kind]
    kubernetes.bindings.subjects.name target.resource.attribute.labels.key/value [kubernetes_bindings_subjects_name]
    kubernetes.bindings.subjects.ns target.resource.attribute.labels.key/value [kubernetes_bindings_subjects_ns]
    kubernetes.bindings.role.name target.resource.attribute.roles.name
    security_result.about.user.attribute.roles.name If the message log field value matches the regular expression contacts.?security, then the security_result.about.user.attribute.roles.name UDM field is set to security.

    If the message log field value matches the regular expression contacts.?technical, then the security_result.about.user.attribute.roles.name UDM field is set to Technical.
    contacts.security.contacts.email security_result.about.user.email_addresses
    contacts.technical.contacts.email security_result.about.user.email_addresses
    security_result.alert_state If the state log field value is equal to ACTIVE, then the security_result.alert_state UDM field is set to ALERTING.

    Else, the security_result.alert_state UDM field is set to NOT_ALERTING.
    findingClass, category security_result.category_details The findingClass and category log field values, joined as findingClass - category, are mapped to the security_result.category_details UDM field.
    description security_result.description
    indicator.signatures.memoryHashSignature.binaryFamily security_result.detection_fields.key/value [indicator_signatures_memoryHashSignature_binaryFamily]
    indicator.signatures.memoryHashSignature.detections.binary security_result.detection_fields.key/value [indicator_signatures_memoryHashSignature_detections_binary]
    indicator.signatures.memoryHashSignature.detections.percentPagesMatched security_result.detection_fields.key/value [indicator_signatures_memoryHashSignature_detections_percentPagesMatched]
    indicator.signatures.yaraRuleSignature.yararule security_result.detection_fields.key/value [indicator_signatures_yaraRuleSignature_yararule]
    mitreAttack.additionalTactics security_result.detection_fields.key/value [mitreAttack_additionalTactics]
    mitreAttack.additionalTechniques security_result.detection_fields.key/value [mitreAttack_additionalTechniques]
    mitreAttack.primaryTactic security_result.detection_fields.key/value [mitreAttack_primaryTactic]
    mitreAttack.primaryTechniques.0 security_result.detection_fields.key/value [mitreAttack_primaryTechniques]
    mitreAttack.version security_result.detection_fields.key/value [mitreAttack_version]
    muteInitiator security_result.detection_fields.key/value [mute_initiator] If the mute log field value is equal to MUTED or UNMUTED, then the muteInitiator log field is mapped to the security_result.detection_fields.value UDM field.
    muteUpdateTime security_result.detection_fields.key/value [mute_update_time] If the mute log field value is equal to MUTED or UNMUTED, then the muteUpdateTime log field is mapped to the security_result.detection_fields.value UDM field.
    mute security_result.detection_fields.key/value [mute]
    securityMarks.canonicalName security_result.detection_fields.key/value [securityMarks_cannonicleName]
    securityMarks.marks security_result.detection_fields.key/value [securityMarks_marks]
    securityMarks.name security_result.detection_fields.key/value [securityMarks_name]
    sourceProperties.detectionCategory.indicator security_result.detection_fields.key/value [sourceProperties_detectionCategory_indicator]
    sourceProperties.detectionCategory.technique security_result.detection_fields.key/value [sourceProperties_detectionCategory_technique]
    sourceProperties.contextUris.mitreUri.url/displayName security_result.detection_fields.key/value [sourceProperties.contextUris.mitreUri.url/displayName]
    sourceProperties.contextUris.relatedFindingUri.url/displayName metadata.url_back_to_product If the category log field value is equal to Active Scan: Log4j Vulnerable to RCE or Exfiltration: BigQuery Data Extraction or Exfiltration: BigQuery Data to Google Drive or Exfiltration: CloudSQL Data Exfiltration or Exfiltration: CloudSQL Over-Privileged Grant or Exfiltration: CloudSQL Restore Backup to External Organization or Initial Access: Log4j Compromise Attempt or Malware: Cryptomining Bad Domain or Malware: Cryptomining Bad IP or Persistence: IAM Anomalous Grant, then the security_result.detection_fields.key UDM field is set to sourceProperties_contextUris_relatedFindingUri_url and the sourceProperties.contextUris.relatedFindingUri.url log field is mapped to the metadata.url_back_to_product UDM field.
    sourceProperties.contextUris.virustotalIndicatorQueryUri.url/displayName security_result.detection_fields.key/value [sourceProperties.contextUris.virustotalIndicatorQueryUri.url/displayName] If the category log field value is equal to Malware: Bad Domain or Malware: Bad IP or Malware: Cryptomining Bad Domain or Malware: Cryptomining Bad IP, then the sourceProperties.contextUris.virustotalIndicatorQueryUri.displayName log field is mapped to the security_result.detection_fields.key UDM field and the sourceProperties.contextUris.virustotalIndicatorQueryUri.url log field is mapped to the security_result.detection_fields.value UDM field.
    sourceProperties.contextUris.workspacesUri.url/displayName security_result.detection_fields.key/value [sourceProperties.contextUris.workspacesUri.url/displayName] If the category log field value is equal to Initial Access: Account Disabled Hijacked or Initial Access: Disabled Password Leak or Initial Access: Government Based Attack or Initial Access: Suspicious Login Blocked or Impair Defenses: Strong Authentication Disabled or Persistence: SSO Enablement Toggle or Persistence: SSO Settings Changed, then the sourceProperties.contextUris.workspacesUri.displayName log field is mapped to the security_result.detection_fields.key UDM field and the sourceProperties.contextUris.workspacesUri.url log field is mapped to the security_result.detection_fields.value UDM field.
    createTime security_result.detection_fields.key/value [create_time]
    nextSteps security_result.outcomes.key/value [next_steps]
    sourceProperties.detectionPriority security_result.priority If the sourceProperties.detectionPriority log field value is equal to HIGH, then the security_result.priority UDM field is set to HIGH_PRIORITY.

    Else, if the sourceProperties.detectionPriority log field value is equal to MEDIUM, then the security_result.priority UDM field is set to MEDIUM_PRIORITY.

    Else, if the sourceProperties.detectionPriority log field value is equal to LOW, then the security_result.priority UDM field is set to LOW_PRIORITY.
    sourceProperties.detectionCategory.subRuleName security_result.rule_labels.key/value [sourceProperties_detectionCategory_subRuleName]
    sourceProperties.detectionCategory.ruleName security_result.rule_name
    severity security_result.severity
    name security_result.url_back_to_product
    database.query src.process.command_line If the category log field value is equal to Exfiltration: CloudSQL Over-Privileged Grant, then the database.query log field is mapped to the src.process.command_line UDM field.

    Else, the database.query log field is mapped to the target.process.command_line UDM field.
    resource.folders.resourceFolderDisplayName src.resource_ancestors.attribute.labels.key/value [resource_folders_resourceFolderDisplayName] If the category log field value is equal to Exfiltration: BigQuery Data to Google Drive, then the resource.folders.resourceFolderDisplayName log field is mapped to the src.resource_ancestors.attribute.labels.value UDM field.

    Else, the resource.folders.resourceFolderDisplayName log field is mapped to the target.resource.attribute.labels.value UDM field.
    resource.gcpMetadata.folders.resourceFolderDisplay src.resource_ancestors.attribute.labels.key/value [resource_folders_resourceFolderDisplayName] If the category log field value is equal to Exfiltration: BigQuery Data to Google Drive, then the resource.gcpMetadata.folders.resourceFolderDisplay log field is mapped to the src.resource_ancestors.attribute.labels.value UDM field.

    Else, the resource.gcpMetadata.folders.resourceFolderDisplay log field is mapped to the target.resource.attribute.labels.value UDM field.
    resource.gcpMetadata.folders.resourceFolder src.resource_ancestors.name If the category log field value is equal to Exfiltration: BigQuery Data to Google Drive, then the resource.gcpMetadata.folders.resourceFolder log field is mapped to the src.resource_ancestors.name UDM field.

    Else, the resource.gcpMetadata.folders.resourceFolder log field is mapped to the target.resource_ancestors.name UDM field.
    resource.organization src.resource_ancestors.name If the category log field value is equal to Exfiltration: BigQuery Data to Google Drive, then the resource.organization log field is mapped to the src.resource_ancestors.name UDM field.

    Else, the resource.organization log field is mapped to the target.resource_ancestors.name UDM field.
    resource.gcpMetadata.organization src.resource_ancestors.name If the category log field value is equal to Exfiltration: BigQuery Data to Google Drive, then the resource.gcpMetadata.organization log field is mapped to the src.resource_ancestors.name UDM field.

    Else, the resource.gcpMetadata.organization log field is mapped to the target.resource_ancestors.name UDM field.
    resource.parentDisplayName src.resource_ancestors.attribute.labels.key/value [resource_parentDisplayName] If the category log field value is equal to Exfiltration: BigQuery Data to Google Drive, then the resource.parentDisplayName log field is mapped to the src.resource_ancestors.attribute.labels.value UDM field.

    Else, the resource.parentDisplayName log field is mapped to the target.resource.attribute.labels.value UDM field.
    resource.gcpMetadata.parentDisplayName src.resource_ancestors.attribute.labels.key/value [resource_parentDisplayName] If the category log field value is equal to Exfiltration: BigQuery Data to Google Drive, then the resource.gcpMetadata.parentDisplayName log field is mapped to the src.resource_ancestors.attribute.labels.value UDM field.

    Else, the resource.gcpMetadata.parentDisplayName log field is mapped to the target.resource.attribute.labels.value UDM field.
    resource.parentName src.resource_ancestors.attribute.labels.key/value [resource_parentName] If the category log field value is equal to Exfiltration: BigQuery Data to Google Drive, then the resource.parentName log field is mapped to the src.resource_ancestors.attribute.labels.value UDM field.

    Else, the resource.parentName log field is mapped to the target.resource.attribute.labels.value UDM field.
    resource.gcpMetadata.parent src.resource_ancestors.attribute.labels.key/value [resource_parentName] If the category log field value is equal to Exfiltration: BigQuery Data to Google Drive, then the resource.gcpMetadata.parent log field is mapped to the src.resource_ancestors.attribute.labels.value UDM field.

    Else, the resource.gcpMetadata.parent log field is mapped to the target.resource.attribute.labels.value UDM field.
    resource.projectDisplayName src.resource_ancestors.attribute.labels.key/value [resource_projectDisplayName] If the category log field value is equal to Exfiltration: BigQuery Data to Google Drive, then the resource.projectDisplayName log field is mapped to the src.resource_ancestors.attribute.labels.value UDM field.

    Else, the resource.projectDisplayName log field is mapped to the target.resource.attribute.labels.value UDM field.
    resource.gcpMetadata.projectDisplayName src.resource_ancestors.attribute.labels.key/value [resource_projectDisplayName] If the category log field value is equal to Exfiltration: BigQuery Data to Google Drive, then the resource.gcpMetadata.projectDisplayName log field is mapped to the src.resource_ancestors.attribute.labels.value UDM field.

    Else, the resource.gcpMetadata.projectDisplayName log field is mapped to the target.resource.attribute.labels.value UDM field.
    resource.type src.resource_ancestors.resource_subtype If the category log field value is equal to Exfiltration: BigQuery Data to Google Drive, then the resource.type log field is mapped to the src.resource_ancestors.resource_subtype UDM field.
    database.displayName src.resource.attribute.labels.key/value [database_displayName] If the category log field value is equal to Exfiltration: CloudSQL Over-Privileged Grant, then the database.displayName log field is mapped to the src.resource.attribute.labels.value UDM field.
    database.grantees src.resource.attribute.labels.key/value [database_grantees] If the category log field value is equal to Exfiltration: CloudSQL Over-Privileged Grant, then the src.resource.attribute.labels.key UDM field is set to grantees and the database.grantees log field is mapped to the src.resource.attribute.labels.value UDM field.
    resource.displayName src.resource.attribute.labels.key/value [resource_displayName] If the category log field value is equal to Exfiltration: BigQuery Data Exfiltration or Exfiltration: BigQuery Data to Google Drive, then the resource.displayName log field is mapped to the src.resource.attribute.labels.value UDM field.

    Else, the resource.displayName log field is mapped to the target.resource.attribute.labels.value UDM field.
    resource.display_name src.resource.attribute.labels.key/value [resource_display_name] If the category log field value is equal to Exfiltration: BigQuery Data Exfiltration or Exfiltration: BigQuery Data to Google Drive, then the resource.display_name log field is mapped to the src.resource.attribute.labels.value UDM field.

    Else, the resource.display_name log field is mapped to the target.resource.attribute.labels.value UDM field.
    database.displayName src.resource.attribute.labels.key/value [database_displayName]
    database.grantees src.resource.attribute.labels.key/value [database_grantees]
    resource.displayName target.resource.attribute.labels.key/value [resource_displayName] If the category log field value is equal to Exfiltration: BigQuery Data Exfiltration or Exfiltration: BigQuery Data to Google Drive, then the resource.displayName log field is mapped to the src.resource.attribute.labels.value UDM field.

    Else, the resource.displayName log field is mapped to the target.resource.attribute.labels.value UDM field.
    resource.display_name target.resource.attribute.labels.key/value [resource_display_name] If the category log field value is equal to Exfiltration: BigQuery Data Exfiltration or Exfiltration: BigQuery Data to Google Drive, then the resource.display_name log field is mapped to the src.resource.attribute.labels.value UDM field.

    Else, the resource.display_name log field is mapped to the target.resource.attribute.labels.value UDM field.
    exfiltration.sources.components src.resource.attribute.labels.key/value[exfiltration_sources_components] If the category log field value is equal to Exfiltration: CloudSQL Data Exfiltration or Exfiltration: BigQuery Data Extraction, then the exfiltration.sources.components log field is mapped to the src.resource.attribute.labels.value UDM field.
    resourceName src.resource.name If the category log field value is equal to Exfiltration: BigQuery Data Extraction or Exfiltration: BigQuery Data to Google Drive or Exfiltration: BigQuery Data Exfiltration, then the resourceName log field is mapped to the src.resource.name UDM field.
    database.name src.resource.name
    exfiltration.sources.name src.resource.name
    access.serviceName target.application If the category log field value is equal to Defense Evasion: Modify VPC Service Control or Exfiltration: BigQuery Data Extraction or Exfiltration: BigQuery Data to Google Drive or Exfiltration: CloudSQL Data Exfiltration or Exfiltration: CloudSQL Restore Backup to External Organization or Exfiltration: CloudSQL Over-Privileged Grant or Persistence: New Geography or Persistence: IAM Anomalous Grant, then the access.serviceName log field is mapped to the target.application UDM field.
    access.methodName target.labels [access_methodName] (deprecated)
    access.methodName additional.fields [access_methodName]
    processes.argumentsTruncated target.labels [processes_argumentsTruncated] (deprecated)
    processes.argumentsTruncated additional.fields [processes_argumentsTruncated]
    processes.binary.contents target.labels [processes_binary_contents] (deprecated)
    processes.binary.contents additional.fields [processes_binary_contents]
    processes.binary.hashedSize target.labels [processes_binary_hashedSize] (deprecated)
    processes.binary.hashedSize additional.fields [processes_binary_hashedSize]
    processes.binary.partiallyHashed target.labels [processes_binary_partiallyHashed] (deprecated)
    processes.binary.partiallyHashed additional.fields [processes_binary_partiallyHashed]
    processes.envVariables.name target.labels [processes_envVariables_name] (deprecated)
    processes.envVariables.name additional.fields [processes_envVariables_name]
    processes.envVariables.val target.labels [processes_envVariables_val] (deprecated)
    processes.envVariables.val additional.fields [processes_envVariables_val]
    processes.envVariablesTruncated target.labels [processes_envVariablesTruncated] (deprecated)
    processes.envVariablesTruncated additional.fields [processes_envVariablesTruncated]
    processes.libraries.contents target.labels [processes_libraries_contents] (deprecated)
    processes.libraries.contents additional.fields [processes_libraries_contents]
    processes.libraries.hashedSize target.labels [processes_libraries_hashedSize] (deprecated)
    processes.libraries.hashedSize additional.fields [processes_libraries_hashedSize]
    processes.libraries.partiallyHashed target.labels [processes_libraries_partiallyHashed] (deprecated)
    processes.libraries.partiallyHashed additional.fields [processes_libraries_partiallyHashed]
    processes.script.contents target.labels [processes_script_contents] (deprecated)
    processes.script.contents additional.fields [processes_script_contents]
    processes.script.hashedSize target.labels [processes_script_hashedSize] (deprecated)
    processes.script.hashedSize additional.fields [processes_script_hashedSize]
    processes.script.partiallyHashed target.labels [processes_script_partiallyHashed] (deprecated)
    processes.script.partiallyHashed additional.fields [processes_script_partiallyHashed]
    processes.parentPid target.parent_process.pid
    processes.args target.process.command_line_history [processes.args]
    processes.name target.process.file.full_path
    processes.binary.path target.process.file.full_path
    processes.libraries.path target.process.file.full_path
    processes.script.path target.process.file.full_path
    processes.binary.sha256 target.process.file.sha256
    processes.libraries.sha256 target.process.file.sha256
    processes.script.sha256 target.process.file.sha256
    processes.binary.size target.process.file.size
    processes.libraries.size target.process.file.size
    processes.script.size target.process.file.size
    processes.pid target.process.pid
    containers.uri target.resource_ancestors.attribute.labels.key/value [containers_uri]
    containers.labels.name/value target.resource_ancestors.attribute.labels.key/value [containers.labels.name/value]
    resourceName target.resource_ancestors.name If the category log field value is equal to Malware: Bad Domain or Malware: Bad IP or Malware: Cryptomining Bad IP, then the resourceName log field is mapped to the target.resource_ancestors.name UDM field.

    Else, if the category log field value is equal to Brute Force: SSH, then the resourceName log field is mapped to the target.resource_ancestors.name UDM field.

    Else, if the category log field value is equal to Persistence: GCE Admin Added SSH Key or Persistence: GCE Admin Added Startup Script, then the sourceProperties.properties.projectId log field is mapped to the target.resource_ancestors.name UDM field.
    parent target.resource_ancestors.name
    sourceProperties.affectedResources.gcpResourceName target.resource_ancestors.name
    containers.name target.resource_ancestors.name
    kubernetes.pods.containers.name target.resource_ancestors.name
    sourceProperties.sourceId.projectNumber target.resource_ancestors.product_object_id
    sourceProperties.sourceId.customerOrganizationNumber target.resource_ancestors.product_object_id
    sourceProperties.sourceId.organizationNumber target.resource_ancestors.product_object_id
    containers.imageId target.resource_ancestors.product_object_id
    sourceProperties.properties.zone target.resource.attribute.cloud.availability_zone If the category log field value is equal to Brute Force: SSH, then the sourceProperties.properties.zone log field is mapped to the target.resource.attribute.cloud.availability_zone UDM field.
    canonicalName metadata.product_log_id The finding_id is extracted from the canonicalName log field using a Grok pattern.

    If the finding_id log field value is not empty, then the finding_id log field is mapped to the metadata.product_log_id UDM field.
    canonicalName src.resource.attribute.labels.key/value [finding_id] If the finding_id log field value is not empty, then the finding_id log field is mapped to the src.resource.attribute.labels.key/value [finding_id] UDM field.

    If the category log field value is equal to one of the following values, then the finding_id is extracted from the canonicalName log field using a Grok pattern:
    • Exfiltration: BigQuery Data Extraction
    • Exfiltration: BigQuery Data to Google Drive
    • Exfiltration: BigQuery Data Exfiltration
    • Exfiltration: CloudSQL Restore Backup to External Organization
    canonicalName src.resource.product_object_id If the source_id log field value is not empty, then the source_id log field is mapped to the src.resource.product_object_id UDM field.

    If the category log field value is equal to one of the following values, then the source_id is extracted from the canonicalName log field using a Grok pattern:
    • Exfiltration: BigQuery Data Extraction
    • Exfiltration: BigQuery Data to Google Drive
    • Exfiltration: BigQuery Data Exfiltration
    • Exfiltration: CloudSQL Restore Backup to External Organization
    canonicalName src.resource.attribute.labels.key/value [source_id] If the source_id log field value is not empty, then the source_id log field is mapped to the src.resource.attribute.labels.key/value [source_id] UDM field.

    If the category log field value is equal to one of the following values, then the source_id is extracted from the canonicalName log field using a Grok pattern:
    • Exfiltration: BigQuery Data Extraction
    • Exfiltration: BigQuery Data to Google Drive
    • Exfiltration: BigQuery Data Exfiltration
    • Exfiltration: CloudSQL Restore Backup to External Organization
    canonicalName target.resource.attribute.labels.key/value [finding_id] If the finding_id log field value is not empty, then the finding_id log field is mapped to the target.resource.attribute.labels.key/value [finding_id] UDM field.

    If the category log field value is not equal to any of the following values, then the finding_id is extracted from the canonicalName log field using a Grok pattern:
    • Exfiltration: BigQuery Data Extraction
    • Exfiltration: BigQuery Data to Google Drive
    • Exfiltration: BigQuery Data Exfiltration
    • Exfiltration: CloudSQL Restore Backup to External Organization
    canonicalName target.resource.product_object_id If the source_id log field value is not empty, then the source_id log field is mapped to the target.resource.product_object_id UDM field.

    If the category log field value is not equal to any of the following values, then the source_id is extracted from the canonicalName log field using a Grok pattern:
    • Exfiltration: BigQuery Data Extraction
    • Exfiltration: BigQuery Data to Google Drive
    • Exfiltration: BigQuery Data Exfiltration
    • Exfiltration: CloudSQL Restore Backup to External Organization
    canonicalName target.resource.attribute.labels.key/value [source_id] If the source_id log field value is not empty, then the source_id log field is mapped to the target.resource.attribute.labels.key/value [source_id] UDM field.

    If the category log field value is not equal to any of the following values, then the source_id is extracted from the canonicalName log field using a Grok pattern:
    • Exfiltration: BigQuery Data Extraction
    • Exfiltration: BigQuery Data to Google Drive
    • Exfiltration: BigQuery Data Exfiltration
    • Exfiltration: CloudSQL Restore Backup to External Organization
    exfiltration.targets.components target.resource.attribute.labels.key/value[exfiltration_targets_components] If the category log field value is equal to Exfiltration: CloudSQL Data Exfiltration or Exfiltration: BigQuery Data Extraction, then the exfiltration.targets.components log field is mapped to the target.resource.attribute.labels.key/value UDM field.
    resourceName, exfiltration.targets.name target.resource.name If the category log field value is equal to Brute Force: SSH, then the resourceName log field is mapped to the target.resource_ancestors.name UDM field.

    Else, if the category log field value is equal to Malware: Bad Domain or Malware: Bad IP or Malware: Cryptomining Bad IP, then the resourceName log field is mapped to the target.resource_ancestors.name UDM field and the target.resource.resource_type UDM field is set to VIRTUAL_MACHINE.

    Else, if the category log field value is equal to Exfiltration: BigQuery Data Extraction or Exfiltration: BigQuery Data to Google Drive, then the exfiltration.target.name log field is mapped to the target.resource.name UDM field.

    Else, if the category log field value is equal to Exfiltration: BigQuery Data Exfiltration, then the exfiltration.target.name log field is mapped to the target.resource.name UDM field.

    Else, the resourceName log field is mapped to the target.resource.name UDM field.
    kubernetes.pods.containers.imageId target.resource_ancestors.product_object_id
    resource.project target.resource.attribute.labels.key/value [resource_project]
    resource.parent target.resource.attribute.labels.key/value [resource_parent]
    processes.name target.process.file.names
    sourceProperties.Header_Signature.significantValues.value principal.location.country_or_region If the sourceProperties.Header_Signature.name log field value is equal to RegionCode, then the sourceProperties.Header_Signature.significantValues.value log field is mapped to the principal.location.country_or_region UDM field.
    sourceProperties.Header_Signature.significantValues.value principal.ip If the sourceProperties.Header_Signature.name log field value is equal to RemoteHost, then the sourceProperties.Header_Signature.significantValues.value log field is mapped to the principal.ip UDM field.
    sourceProperties.Header_Signature.significantValues.value network.http.user_agent If the sourceProperties.Header_Signature.name log field value is equal to UserAgent, then the sourceProperties.Header_Signature.significantValues.value log field is mapped to the network.http.user_agent UDM field.
    sourceProperties.Header_Signature.significantValues.value principal.url If the sourceProperties.Header_Signature.name log field value is equal to RequestUriPath, then the sourceProperties.Header_Signature.significantValues.value log field is mapped to the principal.url UDM field.
    sourceProperties.Header_Signature.significantValues.proportionInAttack security_result.detection_fields [proportionInAttack]
    sourceProperties.Header_Signature.significantValues.attackLikelihood security_result.detection_fields [attackLikelihood]
    sourceProperties.Header_Signature.significantValues.matchType security_result.detection_fields [matchType]
    sourceProperties.Header_Signature.significantValues.proportionInBaseline security_result.detection_fields [proportionInBaseline]
    sourceProperties.compromised_account principal.user.userid If the category log field value is equal to account_has_leaked_credentials, then the sourceProperties.compromised_account log field is mapped to the principal.user.userid UDM field and the principal.user.account_type UDM field is set to SERVICE_ACCOUNT_TYPE.
    sourceProperties.project_identifier principal.resource.product_object_id If the category log field value is equal to account_has_leaked_credentials, then the sourceProperties.project_identifier log field is mapped to the principal.resource.product_object_id UDM field.
    sourceProperties.private_key_identifier principal.user.attribute.labels.key/value [private_key_identifier] If the category log field value is equal to account_has_leaked_credentials, then the sourceProperties.private_key_identifier log field is mapped to the principal.user.attribute.labels.value UDM field.
    sourceProperties.action_taken principal.labels [action_taken] (deprecated) If the category log field value is equal to account_has_leaked_credentials, then the sourceProperties.action_taken log field is mapped to the principal.labels.value UDM field.
    sourceProperties.action_taken additional.fields [action_taken] If the category log field value is equal to account_has_leaked_credentials, then the sourceProperties.action_taken log field is mapped to the additional.fields.value UDM field.
    sourceProperties.finding_type principal.labels [finding_type] (deprecated) If the category log field value is equal to account_has_leaked_credentials, then the sourceProperties.finding_type log field is mapped to the principal.labels.value UDM field.
    sourceProperties.finding_type additional.fields [finding_type] If the category log field value is equal to account_has_leaked_credentials, then the sourceProperties.finding_type log field is mapped to the additional.fields.value UDM field.
    sourceProperties.url principal.user.attribute.labels.key/value [key_file_path] If the category log field value is equal to account_has_leaked_credentials, then the sourceProperties.url log field is mapped to the principal.user.attribute.labels.value UDM field.
    sourceProperties.security_result.summary security_result.summary If the category log field value is equal to account_has_leaked_credentials, then the sourceProperties.security_result.summary log field is mapped to the security_result.summary UDM field.
    kubernetes.objects.kind target.resource.attribute.labels[kubernetes_objects_kind]
    kubernetes.objects.ns target.resource.attribute.labels[kubernetes_objects_ns]
    kubernetes.objects.name target.resource.attribute.labels[kubernetes_objects_name]
    vulnerability.offendingPackage.packageName extensions.vulns.vulnerabilities.about.security_result.detection_fields[vulnerability_offendingPackage_packageName]
    vulnerability.offendingPackage.cpeUri extensions.vulns.vulnerabilities.about.security_result.detection_fields[vulnerability_offendingPackage_cpeUri]
    vulnerability.offendingPackage.packageType extensions.vulns.vulnerabilities.about.security_result.detection_fields[vulnerability_offendingPackage_packageType]
    vulnerability.offendingPackage.packageVersion extensions.vulns.vulnerabilities.about.security_result.detection_fields[vulnerability_offendingPackage_packageVersion]
    vulnerability.fixedPackage.packageName extensions.vulns.vulnerabilities.about.security_result.detection_fields[vulnerability_fixedPackage_packageName]
    vulnerability.fixedPackage.cpeUri extensions.vulns.vulnerabilities.about.security_result.detection_fields[vulnerability_fixedPackage_cpeUri]
    vulnerability.fixedPackage.packageType extensions.vulns.vulnerabilities.about.security_result.detection_fields[vulnerability_fixedPackage_packageType]
    vulnerability.fixedPackage.packageVersion extensions.vulns.vulnerabilities.about.security_result.detection_fields[vulnerability_fixedPackage_packageVersion]
    vulnerability.securityBulletin.bulletinId extensions.vulns.vulnerabilities.about.security_result.detection_fields[vulnerability_securityBulletin_bulletinId]
    vulnerability.securityBulletin.submissionTime security_result.detection_fields[vulnerability_securityBulletin_submissionTime]
    vulnerability.securityBulletin.suggestedUpgradeVersion security_result.detection_fields[vulnerability_securityBulletin_suggestedUpgradeVersion]
    resource.location target.location.name
    resource.service additional.fields[resource_service]
    kubernetes.objects.kind target.resource_ancestors.attribute.labels[kubernetes_object_kind]
    kubernetes.objects.name target.resource_ancestors.name
    kubernetes.objects.ns kubernetes_res_ancestor.attribute.labels[kubernetes_objects_ns]
    kubernetes.objects.group kubernetes_res_ancestor.attribute.labels[kubernetes_objects_group]
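The canonicalName rows above describe a routing rule rather than a simple field copy: finding_id and source_id are cut out of canonicalName, and which side of the UDM event receives them (src.resource or target.resource) depends on the finding category. The target.resource.name row applies a similar category-driven selection. The following Python is an added example, not the Google Security Operations parser, that reproduces those two rules so that you can predict what a given finding will look like in UDM before writing a detection rule against it. It assumes the canonicalName layout `{organizations|folders|projects}/{id}/sources/{source_id}/findings/{finding_id}` (the page only says a Grok pattern is used, so the regular expression is a stand-in), and it assumes `exfiltration.targets` is a list whose first entry carries the name referred to by the table's exfiltration.targets.name row. The sample findings are constructed; none of the identifiers are real.

```python
import re

# Stand-in for the Grok pattern the mapping table refers to (assumption:
# Security Command Center finding names have the layout
# "{organizations|folders|projects}/{id}/sources/{source_id}/findings/{finding_id}").
CANONICAL_NAME_RE = re.compile(
    r"^(?:organizations|folders|projects)/[^/]+"
    r"/sources/(?P<source_id>[^/]+)/findings/(?P<finding_id>[^/]+)$"
)

# Categories whose finding_id and source_id are placed on src.resource; every
# other category places them on target.resource (per the mapping table).
SRC_SIDE_CATEGORIES = frozenset({
    "Exfiltration: BigQuery Data Extraction",
    "Exfiltration: BigQuery Data to Google Drive",
    "Exfiltration: BigQuery Data Exfiltration",
    "Exfiltration: CloudSQL Restore Backup to External Organization",
})

# Category groups used by the target.resource.name row of the table.
MALWARE_VM_CATEGORIES = frozenset({
    "Malware: Bad Domain", "Malware: Bad IP", "Malware: Cryptomining Bad IP",
})
EXFIL_TARGET_NAME_CATEGORIES = frozenset({
    "Exfiltration: BigQuery Data Extraction",
    "Exfiltration: BigQuery Data to Google Drive",
    "Exfiltration: BigQuery Data Exfiltration",
})


def extract_ids(canonical_name):
    """Return (source_id, finding_id); (None, None) when the name does not parse."""
    match = CANONICAL_NAME_RE.match(canonical_name or "")
    if match is None:
        return None, None
    return match.group("source_id"), match.group("finding_id")


def _add_label(udm, path, key, value):
    """Append one key/value pair to a repeated labels field."""
    udm.setdefault(path, []).append({"key": key, "value": value})


def map_finding(finding):
    """Apply the canonicalName and target.resource.name logic to one raw finding.

    Returns a flat dict keyed by UDM field path; repeated label fields are lists.
    """
    udm = {}
    category = finding.get("category", "")
    source_id, finding_id = extract_ids(finding.get("canonicalName"))

    # canonicalName rows: ids go to src.resource for the four exfiltration
    # categories and to target.resource for everything else.
    side = "src" if category in SRC_SIDE_CATEGORIES else "target"
    if finding_id:
        udm["metadata.product_log_id"] = finding_id
        _add_label(udm, f"{side}.resource.attribute.labels", "finding_id", finding_id)
    if source_id:
        udm[f"{side}.resource.product_object_id"] = source_id
        _add_label(udm, f"{side}.resource.attribute.labels", "source_id", source_id)

    # target.resource.name row.
    resource_name = finding.get("resourceName")
    if category == "Brute Force: SSH":
        if resource_name:
            udm["target.resource_ancestors.name"] = resource_name
    elif category in MALWARE_VM_CATEGORIES:
        if resource_name:
            udm["target.resource_ancestors.name"] = resource_name
        udm["target.resource.resource_type"] = "VIRTUAL_MACHINE"
    elif category in EXFIL_TARGET_NAME_CATEGORIES:
        # Assumption: exfiltration.targets is a list of objects with a "name".
        targets = finding.get("exfiltration", {}).get("targets", [])
        if targets and targets[0].get("name"):
            udm["target.resource.name"] = targets[0]["name"]
    elif resource_name:
        udm["target.resource.name"] = resource_name
    return udm


# Constructed sample findings; the identifiers are illustrative only.
SAMPLE_EXFIL = {
    "category": "Exfiltration: BigQuery Data Extraction",
    "canonicalName": "projects/123456789/sources/1111/findings/aaaa1111",
    "resourceName": "//bigquery.googleapis.com/projects/example-proj/datasets/sales/tables/orders",
    "exfiltration": {
        "sources": [{"name": "//bigquery.googleapis.com/projects/example-proj/datasets/sales/tables/orders"}],
        "targets": [{"name": "//storage.googleapis.com/projects/_/buckets/example-export-bucket"}],
    },
}
SAMPLE_MALWARE = {
    "category": "Malware: Bad IP",
    "canonicalName": "organizations/222/sources/3333/findings/bbbb2222",
    "resourceName": "//compute.googleapis.com/projects/example-proj/zones/us-central1-a/instances/vm-1",
}
SAMPLE_UNPARSEABLE = {
    "category": "Persistence: New Geography",
    "canonicalName": "not-a-finding-name",
    "resourceName": "//iam.googleapis.com/projects/example-proj/serviceAccounts/sa@example-proj.iam.gserviceaccount.com",
}

if __name__ == "__main__":
    for sample in (SAMPLE_EXFIL, SAMPLE_MALWARE, SAMPLE_UNPARSEABLE):
        print(sample["category"], "->", map_finding(sample))
```

Running the block prints the UDM fields for each sample. Note the third sample: when canonicalName does not parse, no finding_id or source_id is produced, so metadata.product_log_id is absent and a rule keyed on that field would silently miss the event; checking for its presence in normalized output is a cheap way to catch findings the Grok pattern did not handle.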

    What's next