Collect Security Command Center findings
This document describes how you can collect Security Command Center logs by configuring Security Command Center and ingesting findings to Google Security Operations. This document also lists the supported events.
For more information, see Data ingestion to Google Security Operations and Exporting Security Command Center findings to Google Security Operations. A typical deployment consists of Security Command Center and the Google Security Operations feed configured to send logs to Google Security Operations. Each customer deployment might differ and might be more complex.
The deployment contains the following components:
Google Cloud: The system to be monitored in which Security Command Center is installed.
Security Command Center Event Threat Detection Findings: Collects information from the data source and generates findings.
Google Security Operations: Retains and analyzes the logs from the Security Command Center.
An ingestion label identifies the parser which normalizes raw log data to structured UDM format. The information in this document applies to the Security Command Center parser with the following ingestion labels:
GCP_SECURITYCENTER_ERROR
GCP_SECURITYCENTER_MISCONFIGURATION
GCP_SECURITYCENTER_OBSERVATION
GCP_SECURITYCENTER_THREAT
GCP_SECURITYCENTER_UNSPECIFIED
GCP_SECURITYCENTER_VULNERABILITY
GCP_SECURITYCENTER_POSTURE_VIOLATION
GCP_SECURITYCENTER_TOXIC_COMBINATION
Configure Security Command Center and Google Cloud to send findings to Google Security Operations
Ensure that all systems in the deployment are configured in the UTC time zone.
Enable the ingestion of Security Command Center findings.
Supported Event Threat Detection findings
This section lists the supported Event Threat Detection findings. For information about the Security Command Center Event Threat Detection rules and findings, see Event Threat Detection rules.
Finding name | Description |
---|---|
Active Scan: Log4j Vulnerable to RCE | Detects active Log4j vulnerabilities by identifying DNS queries for unobfuscated domains that were initiated by supported Log4j vulnerability scanners. |
Brute Force: SSH | Detection of successful brute force of SSH on a host. |
Credential Access: External Member Added To Privileged Group | Detects when an external member is added to a privileged Google Group (a group granted sensitive roles or permissions). A finding is generated only if the group doesn't already contain other external members from the same organization as the newly added member. To learn more, see Unsafe Google Group changes. |
Credential Access: Privileged Group Opened To Public | Detects when a privileged Google Group (a group granted sensitive roles or permissions) is changed to be accessible to the general public. To learn more, see Unsafe Google Group changes. |
Credential Access: Sensitive Role Granted To Hybrid Group | Detects when sensitive roles are granted to a Google Group with external members. To learn more, see Unsafe Google Group changes. |
Defense Evasion: Modify VPC Service Control | Detects a change to an existing VPC Service Control perimeter that would lead to a reduction in the protection offered by that perimeter. |
Discovery: Can get sensitive Kubernetes object checkPreview | A malicious actor attempted to determine what sensitive objects in Google Kubernetes Engine (GKE) they can query for, by using the kubectl auth can-i get command. |
Discovery: Service Account Self-Investigation | Detection of an Identity and Access Management (IAM) service account credential that is used to investigate the roles and permissions associated with that same service account. |
Evasion: Access from Anonymizing Proxy | Detection of Google Cloud service modifications that originated from anonymous proxy IP addresses, like Tor IP addresses. |
Exfiltration: BigQuery Data Exfiltration | Detects the following scenarios:
|
Exfiltration: BigQuery Data Extraction | Detects the following scenarios:
|
Exfiltration: BigQuery Data to Google Drive | Detects the following scenarios:
A BigQuery resource owned by the protected organization is saved, through extraction operations, to a Google Drive folder. |
Exfiltration: Cloud SQL Data Exfiltration | Detects the following scenarios:
|
Exfiltration: Cloud SQL Restore Backup to External Organization | Detects when a Cloud SQL instance's backup is restored to an instance outside of the organization. |
Exfiltration: Cloud SQL SQL Over-Privileged Grant | Detects when a Cloud SQL Postgres user or role has been granted all privileges to a database or to all tables, procedures, or functions in a schema. |
Impair Defenses: Strong Authentication Disabled | 2-step verification was disabled for the organization. |
Impair Defenses: Two Step Verification Disabled | A user disabled 2-step verification. |
Initial Access: Account Disabled Hijacked | A user's account was suspended due to suspicious activity. |
Initial Access: Disabled Password Leak | A user's account is disabled because a password leak was detected. |
Initial Access: Government Based Attack | Government-backed attackers might have tried to compromise a user account or computer. |
Initial Access: Log4j Compromise Attempt | Detects Java Naming and Directory Interface (JNDI) lookups within headers or URL parameters. These lookups may indicate attempts at Log4Shell exploitation. These findings have low severity, because they only indicate a detection or exploit attempt, not a vulnerability or a compromise. |
Initial Access: Suspicious Login Blocked | A suspicious login to a user's account was detected and blocked. |
Log4j Malware: Bad Domain | Detection of Log4j exploit traffic based on a connection to, or a lookup of, a known domain used in Log4j attacks. |
Log4j Malware: Bad IP | Detection of Log4j exploit traffic based on a connection to a known IP address used in Log4j attacks. |
Malware: Bad Domain | Detection of malware based on a connection to, or a lookup of, a known bad domain. |
Malware: Bad IP | Detection of malware based on a connection to a known bad IP address. |
Malware: Cryptomining Bad Domain | Detection of cryptomining based on a connection to, or a lookup of, a known cryptocurrency mining domain. |
Malware: Cryptomining Bad IP | Detection of cryptocurrency mining based on a connection to a known mining IP address. |
Outgoing DoS | Detection of outgoing denial of service traffic. |
Persistence: Compute Engine Admin Added SSH Key | Detection of a modification to the Compute Engine instance metadata SSH key value on an established instance (older than 1 week). |
Persistence: Compute Engine Admin Added Startup Script | Detection of a modification to the Compute Engine instance metadata startup script value on an established instance (older than 1 week). |
Persistence: IAM Anomalous Grant | Detection of privileges granted to IAM users and service accounts that are not members of the organization. This detector uses an organization's existing IAM policies as context. If a sensitive IAM grant to an external member occurs, and there are less than three existing IAM policies that are similar to it, this detector generates a finding. |
Persistence: New API MethodPreview | Detection of anomalous usage of Google Cloud services by IAM service accounts. |
Persistence: New Geography | Detection of IAM user and service accounts accessing Google Cloud from anomalous locations, based on the geolocation of the requesting IP addresses. |
Persistence: New User Agent | Detection of IAM service accounts accessing Google Cloud from anomalous or suspicious user agents. |
Persistence: SSO Enablement Toggle | The Enable SSO (single sign-on) setting on the admin account was disabled. |
Persistence: SSO Settings Changed | The SSO settings for the admin account were changed. |
Privilege Escalation: Changes to sensitive Kubernetes RBAC objectsPreview | To escalate privilege, a malicious actor attempted to modify cluster-admin ClusterRole and ClusterRoleBinding objects by using a PUT or PATCH request. |
Privilege Escalation: Create Kubernetes CSR for master certPreview | A potentially malicious actor created a Kubernetes master certificate signing request (CSR), which gives them cluster-admin access. |
Privilege Escalation: Creation of sensitive Kubernetes bindingsPreview | A malicious actor attempted to create new cluster-admin RoleBinding or ClusterRoleBinding objects to escalate their privilege. |
Privilege Escalation: Get Kubernetes CSR with compromised bootstrap credentialsPreview | A malicious actor queried for a certificate signing request (CSR), with the kubectl command, using compromised bootstrap credentials. |
Privilege Escalation: Launch of privileged Kubernetes containerPreview | A malicious actor created Pods containing privileged containers or containers with privilege escalation capabilities.
A privileged container has the privileged field set to true. A container with privilege escalation capabilities has the allowPrivilegeEscalation field set to true. |
Initial Access: Dormant Service Account Key Created | Detects events where a key is created for a dormant user-managed service account. In this context, a service account is considered dormant if it has been inactive for more than 180 days. |
Process Tree | The detector checks the process tree of all running processes. If a process is a shell binary, the detector checks its parent process. If the parent process is a binary that should not spawn a shell process, the detector triggers a finding. |
Unexpected Child Shell | The detector checks the process tree of all running processes. If a process is a shell binary, the detector checks its parent process. If the parent process is a binary that should not spawn a shell process, the detector triggers a finding. |
Execution: Added Malicious Binary Executed | The detector looks for a binary being executed that was not part of the original container image, and was identified as malicious based on threat intelligence. |
Execution: Modified Malicious Binary Executed | The detector looks for a binary being executed that was originally included in the container image but modified during run time, and was identified as malicious based on threat intelligence. |
Privilege Escalation: Anomalous Multistep Service Account Delegation for Admin Activity | Detects when an anomalous multistep delegated request is found for an administrative activity. |
Breakglass Account Used: break_glass_account | Detects the usage of an emergency access (breakglass) account |
Configurable Bad Domain: APT29_Domains | Detects a connection to a specified domain name |
Unexpected Role Grant: Forbidden roles | Detects when a specified role is granted to a user |
Configurable Bad IP | Detects a connection to a specified IP address |
Unexpected Compute Engine instance type | Detects the creation of Compute Engine instances that do not match a specified instance type or configuration. |
Unexpected Compute Engine source image | Detects the creation of a Compute Engine instance with an image or image family that does not match a specified list |
Unexpected Compute Engine region | Detects the creation of a Compute Engine instance in a region that is not in a specified list. |
Custom role with prohibited permission | Detects when a custom role with any of the specified IAM permissions is granted to a principal. |
Unexpected Cloud API Call | Detects when a specified principal calls a specified method against a specified resource. A finding is generated only if all regular expressions are matched in a single log entry. |
Supported GCP_SECURITYCENTER_ERROR findings
You can find the UDM mapping in the Field mapping reference: ERROR table.
Finding name | Description |
---|---|
VPC_SC_RESTRICTION | Security Health Analytics can't produce certain findings for a project. The project is protected by a service perimeter, and the Security Command Center service account doesn't have access to the perimeter. |
MISCONFIGURED_CLOUD_LOGGING_EXPORT | The project configured for continuous export to Cloud Logging is unavailable. Security Command Center can't send findings to Logging. |
API_DISABLED | A required API is disabled for the project. The disabled service can't send findings to Security Command Center. |
KTD_IMAGE_PULL_FAILURE | Container Threat Detection can't be enabled on the cluster because a required container image can't be pulled (downloaded) from gcr.io, the Container Registry image host. The image is needed to deploy the Container Threat Detection DaemonSet that Container Threat Detection requires. |
KTD_BLOCKED_BY_ADMISSION_CONTROLLER | Container Threat Detection can't be enabled on a Kubernetes cluster. A third-party admission controller is preventing the deployment of a Kubernetes DaemonSet object that Container Threat Detection requires.
When viewed in the Google Cloud console, the finding details include the error message that was returned by Google Kubernetes Engine when Container Threat Detection attempted to deploy a Container Threat Detection DaemonSet Object. |
KTD_SERVICE_ACCOUNT_MISSING_PERMISSIONS | A service account is missing permissions that Container Threat Detection requires. Container Threat Detection could stop functioning properly because the detection instrumentation cannot be enabled, upgraded, or disabled. |
GKE_SERVICE_ACCOUNT_MISSING_PERMISSIONS | Container Threat Detection can't generate findings for a Google Kubernetes Engine cluster, because the GKE default service account on the cluster is missing permissions. This prevents Container Threat Detection from being successfully enabled on the cluster. |
SCC_SERVICE_ACCOUNT_MISSING_PERMISSIONS | The Security Command Center service account is missing permissions required to function properly. No findings are produced. |
Supported GCP_SECURITYCENTER_OBSERVATION findings
You can find the UDM mapping in the Field mapping reference: OBSERVATION table.
Finding name | Description |
---|---|
Persistence: Project SSH Key Added | A project-level SSH key was created in a project, for a project that is more than 10 days old. |
Persistence: Add Sensitive Role | A sensitive or highly-privileged organization-level IAM role was granted in an organization that is more than 10 days old. |
Supported GCP_SECURITYCENTER_UNSPECIFIED findings
You can find the UDM mapping in the Field mapping reference: UNSPECIFIED table.
Finding name | Description |
---|---|
OPEN_FIREWALL | A firewall is configured to be open to public access. |
Supported GCP_SECURITYCENTER_VULNERABILITY findings
You can find UDM mapping in the Field mapping reference: VULNERABILITY table.
Finding name | Description |
---|---|
DISK_CSEK_DISABLED | Disks on this VM are not encrypted with Customer Supplied Encryption Keys (CSEK). This detector requires additional configuration to enable. For instructions, see Special-case detector. |
ALPHA_CLUSTER_ENABLED | Alpha cluster features are enabled for a GKE cluster. |
AUTO_REPAIR_DISABLED | A GKE cluster's auto repair feature, which keeps nodes in a healthy, running state, is disabled. |
AUTO_UPGRADE_DISABLED | A GKE cluster's auto upgrade feature, which keeps clusters and node pools on the latest stable version of Kubernetes, is disabled. |
CLUSTER_SHIELDED_NODES_DISABLED | Shielded GKE nodes are not enabled for a cluster |
COS_NOT_USED | Compute Engine VMs aren't using the Container-Optimized OS that is designed for running Docker containers on Google Cloud securely. |
INTEGRITY_MONITORING_DISABLED | Integrity monitoring is disabled for a GKE cluster. |
IP_ALIAS_DISABLED | A GKE cluster was created with alias IP ranges disabled. |
LEGACY_METADATA_ENABLED | Legacy metadata is enabled on GKE clusters. |
RELEASE_CHANNEL_DISABLED | A GKE cluster is not subscribed to a release channel. |
DATAPROC_IMAGE_OUTDATED | A Dataproc cluster was created with a Dataproc image version that is impacted by security vulnerabilities in the Apache Log4j 2 utility (CVE-2021-44228 and CVE-2021-45046). |
PUBLIC_DATASET | A dataset is configured to be open to public access. |
DNSSEC_DISABLED | DNSSEC is disabled for Cloud DNS zones. |
RSASHA1_FOR_SIGNING | RSASHA1 is used for key signing in Cloud DNS zones. |
REDIS_ROLE_USED_ON_ORG | A Redis IAM role is assigned at the organization or folder level. |
KMS_PUBLIC_KEY | A Cloud KMS cryptographic key is publicly accessible. |
SQL_CONTAINED_DATABASE_AUTHENTICATION | The contained database authentication database flag for a Cloud SQL for SQL Server instance is not set to off. |
SQL_CROSS_DB_OWNERSHIP_CHAINING | The cross_db_ownership_chaining database flag for a Cloud SQL for SQL Server instance is not set to off. |
SQL_EXTERNAL_SCRIPTS_ENABLED | The external scripts enabled database flag for a Cloud SQL for SQL Server instance is not set to off. |
SQL_LOCAL_INFILE | The local_infile database flag for a Cloud SQL for MySQL instance is not set to off. |
SQL_LOG_ERROR_VERBOSITY | The log_error_verbosity database flag for a Cloud SQL for PostgreSQL instance is not set to default or stricter. |
SQL_LOG_MIN_DURATION_STATEMENT_ENABLED | The log_min_duration_statement database flag for a Cloud SQL for PostgreSQL instance is not set to "-1". |
SQL_LOG_MIN_ERROR_STATEMENT | The log_min_error_statement database flag for a Cloud SQL for PostgreSQL instance is not set appropriately. |
SQL_LOG_MIN_ERROR_STATEMENT_SEVERITY | The log_min_error_statement database flag for a Cloud SQL for PostgreSQL instance does not have an appropriate severity level. |
SQL_LOG_MIN_MESSAGES | The log_min_messages database flag for a Cloud SQL for PostgreSQL instance is not set to warning. |
SQL_LOG_EXECUTOR_STATS_ENABLED | The log_executor_status database flag for a Cloud SQL for PostgreSQL instance is not set to off. |
SQL_LOG_HOSTNAME_ENABLED | The log_hostname database flag for a Cloud SQL for PostgreSQL instance is not set to off. |
SQL_LOG_PARSER_STATS_ENABLED | The log_parser_stats database flag for a Cloud SQL for PostgreSQL instance is not set to off. |
SQL_LOG_PLANNER_STATS_ENABLED | The log_planner_stats database flag for a Cloud SQL for PostgreSQL instance is not set to off. |
SQL_LOG_STATEMENT_STATS_ENABLED | The log_statement_stats database flag for a Cloud SQL for PostgreSQL instance is not set to off. |
SQL_LOG_TEMP_FILES | The log_temp_files database flag for a Cloud SQL for PostgreSQL instance is not set to "0". |
SQL_REMOTE_ACCESS_ENABLED | The remote access database flag for a Cloud SQL for SQL Server instance is not set to off. |
SQL_SKIP_SHOW_DATABASE_DISABLED | The skip_show_database database flag for a Cloud SQL for MySQL instance is not set to on. |
SQL_TRACE_FLAG_3625 | The 3625 (trace flag) database flag for a Cloud SQL for SQL Server instance is not set to on. |
SQL_USER_CONNECTIONS_CONFIGURED | The user connections database flag for a Cloud SQL for SQL Server instance is configured. |
SQL_USER_OPTIONS_CONFIGURED | The user options database flag for a Cloud SQL for SQL Server instance is configured. |
SQL_WEAK_ROOT_PASSWORD | A Cloud SQL database has a weak password configured for the root account. This detector requires additional configuration to enable. For instructions, see Enable and disable detectors. |
PUBLIC_LOG_BUCKET | A storage bucket used as a log sink is publicly accessible. |
ACCESSIBLE_GIT_REPOSITORY | A Git repository is exposed publicly. To resolve this finding, remove unintentional public access to the GIT repository. |
ACCESSIBLE_SVN_REPOSITORY | An SVN repository is exposed publicly. To resolve this finding, remove public unintentional access to the SVN repository. |
ACCESSIBLE_ENV_FILE | An ENV file is exposed publicly. To resolve this finding, remove public unintentional access to the ENV file. |
CACHEABLE_PASSWORD_INPUT | Passwords entered on the web application can be cached in a regular browser cache instead of a secure password storage. |
CLEAR_TEXT_PASSWORD | Passwords are being transmitted in clear text and can be intercepted. To resolve this finding, encrypt the password transmitted over the network. |
INSECURE_ALLOW_ORIGIN_ENDS_WITH_VALIDATION | A cross-site HTTP or HTTPS endpoint validates only a suffix of the Origin request header before reflecting it inside the Access-Control-Allow-Origin response header. To resolve this finding, validate that the expected root domain is part of the Origin header value before reflecting it in the Access-Control-Allow-Origin response header. For subdomain wildcards, prepend the dot to the root domain—for example, .endsWith("".google.com""). |
INSECURE_ALLOW_ORIGIN_STARTS_WITH_VALIDATION | A cross-site HTTP or HTTPS endpoint validates only a prefix of the Origin request header before reflecting it inside the Access-Control-Allow-Origin response header. To resolve this finding, validate that the expected domain fully matches the Origin header value before reflecting it in the Access-Control-Allow-Origin response header—for example, .equals("".google.com""). |
INVALID_CONTENT_TYPE | A resource was loaded that doesn't match the response's Content-Type HTTP header. To resolve this finding, set X-Content-Type-Options HTTP header with the correct value. |
INVALID_HEADER | A security header has a syntax error and is ignored by browsers. To resolve this finding, set HTTP security headers correctly. |
MISMATCHING_SECURITY_HEADER_VALUES | A security header has duplicated, mismatching values, which result in undefined behavior. To resolve this finding, set HTTP security headers correctly. |
MISSPELLED_SECURITY_HEADER_NAME | A security header is misspelled and is ignored. To resolve this finding, set HTTP security headers correctly. |
MIXED_CONTENT | Resources are being served over HTTP on an HTTPS page. To resolve this finding, make sure that all resources are served over HTTPS. |
OUTDATED_LIBRARY | A library was detected that has known vulnerabilities. To resolve this finding, upgrade libraries to a newer version. |
SERVER_SIDE_REQUEST_FORGERY | A server-side request forgery (SSRF) vulnerability was detected. To resolve this finding, use an allowlist to limit the domains and IP addresses that the web application can make requests to. |
SESSION_ID_LEAK | When making a cross-domain request, the web application includes the user's session identifier in its Referer request header. This vulnerability gives the receiving domain access to the session identifier, which can be used to impersonate or uniquely identify the user. |
SQL_INJECTION | A potential SQL injection vulnerability was detected. To resolve this finding, use parameterized queries to prevent user inputs from influencing the structure of the SQL query. |
STRUTS_INSECURE_DESERIALIZATION | The use of a vulnerable version of Apache Struts was detected. To resolve this finding, upgrade Apache Struts to the latest version. |
XSS | A field in this web application is vulnerable to a cross-site scripting (XSS) attack. To resolve this finding, validate and escape untrusted user-supplied data. |
XSS_ANGULAR_CALLBACK | A user-provided string isn't escaped and AngularJS can interpolate it. To resolve this finding, validate and escape untrusted user-supplied data handled by Angular framework. |
XSS_ERROR | A field in this web application is vulnerable to a cross-site scripting attack. To resolve this finding, validate and escape untrusted user-supplied data. |
XXE_REFLECTED_FILE_LEAKAGE | An XML External Entity (XXE) vulnerability was detected. This vulnerability can cause the web application to leak a file on the host. To resolve this finding, configure your XML parsers to disallow external entities. |
BASIC_AUTHENTICATION_ENABLED | IAM or client certificate authentication should be enabled on Kubernetes Clusters. |
CLIENT_CERT_AUTHENTICATION_DISABLED | Kubernetes Clusters should be created with Client Certificate enabled. |
LABELS_NOT_USED | Labels can be used to break down billing information. |
PUBLIC_STORAGE_OBJECT | Storage object ACL should not grant access to allUsers. |
SQL_BROAD_ROOT_LOGIN | Root access to a SQL database should be limited to allowlisted trusted IPs. |
WEAK_CREDENTIALS | This detector checks for weak credentials using ncrack brute force methods.
Supported services: SSH, RDP, FTP, WordPress, TELNET, POP3, IMAP, VCS, SMB, SMB2, VNC, SIP, REDIS, PSQL, MYSQL, MSSQL, MQTT, MONGODB, WINRM, DICOM |
ELASTICSEARCH_API_EXPOSED | The Elasticsearch API lets callers perform arbitrary queries, write and execute scripts, and add additional documents to the service. |
EXPOSED_GRAFANA_ENDPOINT | In Grafana 8.0.0 to 8.3.0, users can access without authentication an endpoint that has a directory traversal vulnerability that allows any user to read any file on the server without authentication. For more information, see CVE-2021-43798. |
EXPOSED_METABASE | Versions x.40.0 to x.40.4 of Metabase, an open source data analytics platform, contain a vulnerability in the custom GeoJSON map support and potential local file inclusion, including environment variables. URLs were not validated prior to being loaded. For more information, see CVE-2021-41277. |
EXPOSED_SPRING_BOOT_ACTUATOR_ENDPOINT | This detector checks whether sensitive Actuator endpoints of Spring Boot applications are exposed. Some of the default endpoints, like /heapdump, might expose sensitive information. Other endpoints, like /env, might lead to remote code execution. Currently, only /heapdump is checked. |
HADOOP_YARN_UNAUTHENTICATED_RESOURCE_MANAGER_API | This detector checks whether the Hadoop Yarn ResourceManager API, which controls the computation and storage resources of a Hadoop cluster, is exposed and allows unauthenticated code execution. |
JAVA_JMX_RMI_EXPOSED | The Java Management Extension (JMX) allows remote monitoring and diagnostics for Java applications. Running JMX with unprotected Remote Method Invocation endpoint allows any remote users to create a javax.management.loading.MLet MBean and use it to create new MBeans from arbitrary URLs. |
JUPYTER_NOTEBOOK_EXPOSED_UI | This detector checks whether an unauthenticated Jupyter Notebook is exposed. Jupyter allows remote code execution by design on the host machine. An unauthenticated Jupyter Notebook puts the hosting VM at risk of remote code execution. |
KUBERNETES_API_EXPOSED | The Kubernetes API is exposed, and can be accessed by unauthenticated callers. This allows arbitrary code execution on the Kubernetes cluster. |
UNFINISHED_WORDPRESS_INSTALLATION | This detector checks whether a WordPress installation is unfinished. An unfinished WordPress installation exposes the /wp-admin/install.php page, which allows attacker to set the admin password and, possibly, compromise the system. |
UNAUTHENTICATED_JENKINS_NEW_ITEM_CONSOLE | This detector checks for an unauthenticated Jenkins instance by sending a probe ping to the /view/all/newJob endpoint as an anonymous visitor. An authenticated Jenkins instance shows the createItem form, which allows the creation of arbitrary jobs that could lead to remote code execution. |
APACHE_HTTPD_RCE | A flaw was found in Apache HTTP Server 2.4.49 that allows an attacker to use a path traversal attack to map URLs to files outside the expected document root and see the source of interpreted files, like CGI scripts. This issue is known to be exploited in the wild. This issue affects Apache 2.4.49 and 2.4.50 but not earlier versions. For more information about this vulnerability, see: |
APACHE_HTTPD_SSRF | Attackers can craft a URI to the Apache web server that causes mod_proxy to forward the request to an origin server that is chosen by the attacker. This issue affects Apache HTTP server 2.4.48 and earlier. For more information about this vulnerability, see: |
CONSUL_RCE | Attackers can execute arbitrary code on a Consul server because the Consul instance is configured with -enable-script-checks set to true and the Consul HTTP API is unsecured and accessible over the network. In Consul 0.9.0 and earlier, script checks are on by default. For more information, see Protecting Consul from RCE Risk in Specific Configurations. To check for this vulnerability, Rapid Vulnerability Detection registers a service on the Consul instance by using the /v1/health/service REST endpoint, which then executes one of the following: * A curl command to a remote server outside of the network. An attacker can use the curl command to exfiltrate data from the server. * A printf command. Rapid Vulnerability Detection then verifies the output of the command by using the /v1/health/service REST endpoint. * After the check, Rapid Vulnerability Detection cleans up and deregisters the service by using the /v1/agent/service/deregister/ REST endpoint. |
DRUID_RCE | Apache Druid includes the ability to execute user-provided JavaScript code embedded in various types of requests. This functionality is intended for use in high-trust environments, and is disabled by default. However, in Druid 0.20.0 and earlier, it is possible for an authenticated user to send a specially-crafted request that forces Druid to run user-provided JavaScript code for that request, regardless of server configuration. This can be leveraged to execute code on the target machine with the privileges of the Druid server process. For more information, see CVE-2021-25646 Detail. |
DRUPAL_RCE | Drupal versions before 7.58, 8.x before 8.3.9, 8.4.x before 8.4.6, and 8.5.x before 8.5.1 are vulnerable to remote code execution on Form API AJAX requests. Drupal versions 8.5.x before 8.5.11 and 8.6.x before 8.6.10 are vulnerable to remote code execution when either the RESTful Web Service module or the JSON:API is enabled. This vulnerability can be exploited by an unauthenticated attacker using a custom POST request. |
FLINK_FILE_DISCLOSURE | A vulnerability in Apache Flink versions 1.11.0, 1.11.1, and 1.11.2 lets attackers read any file on the local filesystem of the JobManager through the REST interface of the JobManager process. Access is restricted to files accessible by the JobManager process. |
GITLAB_RCE | In GitLab Community Edition (CE) and Enterprise Edition (EE) versions 11.9 and later, GitLab does not properly validate image files that are passed to a file parser. An attacker can exploit this vulnerability for remote command execution. |
GoCD_RCE | In GoCD 21.2.0 and earlier, there is an endpoint that can be accessed without authentication. This endpoint has a directory traversal vulnerability that allows a user to read any file on the server without authentication. |
JENKINS_RCE | Jenkins versions 2.56 and earlier, and 2.46.1 LTS and earlier are vulnerable to remote code execution. This vulnerability can be triggered by an unauthenticated attacker using a malicious serialized Java object. |
JOOMLA_RCE | Joomla versions 1.5.x, 2.x, and 3.x before 3.4.6 are vulnerable to remote code execution. This vulnerability can be triggered with a crafted header containing serialized PHP objects. Joomla versions 3.0.0 through 3.4.6 are vulnerable to remote code execution. This vulnerability can be triggered by sending a POST request that contains a crafted serialized PHP object. |
LOG4J_RCE | In Apache Log4j2 2.14.1 and earlier, JNDI features that are used in configurations, log messages, and parameters do not protect against attacker-controlled LDAP and other JNDI related endpoints. For more information, see CVE-2021-44228. |
MANTISBT_PRIVILEGE_ESCALATION | MantisBT through version 2.3.0 allows arbitrary password reset and unauthenticated admin access by supplying an empty confirm_hash value to verify.php. |
OGNL_RCE | Confluence Server and Data Center instances contain an OGNL injection vulnerability that allows an unauthenticated attacker to execute arbitrary code. For more information, see CVE-2021-26084. |
OPENAM_RCE | OpenAM server 14.6.2 and earlier and ForgeRock AM server 6.5.3 and earlier have a Java deserialization vulnerability in the jato.pageSession parameter on multiple pages. The exploitation does not require authentication, and remote code execution can be triggered by sending a single crafted /ccversion/* request to the server. The vulnerability exists due to the usage of Sun ONE Application. For more information, see CVE-2021-35464. |
ORACLE_WEBLOGIC_RCE | Certain versions of the Oracle WebLogic Server product of Oracle Fusion Middleware (component: Console) contain a vulnerability, including versions 10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0 and 14.1.1.0.0. This easily exploitable vulnerability allows an unauthenticated attacker with network access via HTTP to compromise an Oracle WebLogic Server. Successful attacks of this vulnerability can result in a takeover of Oracle WebLogic Server. For more information, see CVE-2020-14882. |
PHPUNIT_RCE | PHPUnitversions prior to 5.6.3 allow remote code execution with a single unauthenticated POST request. |
PHP_CGI_RCE | PHP versions before 5.3.12, and versions 5.4.x before 5.4.2, when configured as a CGI script, allow remote code execution. The vulnerable code does not properly handle query strings that lack an = (equals sign) character. This lets attackers add command line options that are executed on the server. |
PORTAL_RCE | Deserialization of untrusted data in Liferay Portal versions prior to 7.2.1 CE GA2 allows remote attackers to execute arbitrary code through JSON web services. |
REDIS_RCE | If a Redis instance does not require authentication to execute admin commands, attackers might be able to execute arbitrary code. |
SOLR_FILE_EXPOSED | Authentication is not enabled in Apache Solr, an open source search server. When Apache Solr does not require authentication, an attacker can directly craft a request to enable a specific configuration, and eventually implement a server-side request forgery (SSRF) or read arbitrary files. |
SOLR_RCE | Apache Solr versions 5.0.0 through Apache Solr 8.3.1 are vulnerable to remote code execution through the VelocityResponseWriter if params.resource.loader.enabled is set to true. This allows attackers to create a parameter that contains a malicious Velocity template. |
STRUTS_RCE |
|
TOMCAT_FILE_DISCLOSURE | Apache Tomcat versions 9.x before 9.0.31, 8.x before 8.5.51, 7.x before 7.0.100, and all 6.x are vulnerable to source code and configuration disclosure through an exposed Apache JServ Protocol connector. In some cases, this is leveraged to perform remote code execution if file uploading is allowed. |
VBULLETIN_RCE | vBulletin servers running versions 5.0.0 up to 5.5.4 are vulnerable to remote code execution. This vulnerability can be exploited by an unauthenticated attacker using a query parameter in a routestring request. |
VCENTER_RCE | VMware vCenter Server versions 7.x before 7.0 U1c, 6.7 before 6.7 U3l and 6.5 before 6.5 U3n are vulnerable to remote code execution. This vulnerability can be triggered by an attacker uploading a crafted Java Server Pages file to a web-accessible directory, then triggering execution of that file. |
WEBLOGIC_RCE | Certain versions of the Oracle WebLogic Server product of Oracle Fusion Middleware (component: Console) contain a remote code execution vulnerability, including versions 10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0, and 14.1.1.0.0. This vulnerability is related to CVE-2020-14750, CVE-2020-14882, CVE-2020-14883. For more information, see CVE-2020-14883. |
OS_VULNERABILITY | VM Manager detected a vulnerability in the installed operating system (OS) package for a Compute Engine VM. |
UNUSED_IAM_ROLE | IAM recommender detected a user account that has an IAM role that has not been used in the last 90 days. |
GKE_RUNTIME_OS_VULNERABILITY | |
GKE_SECURITY_BULLETIN | |
SERVICE_AGENT_ROLE_REPLACED_WITH_BASIC_ROLE | IAM recommender detected that the original default IAM role granted to a service agent was replaced with one of the basic IAM roles: Owner, Editor, or Viewer. Basic roles are excessively permissive legacy roles and should not be granted to service agents. |
Supported GCP_SECURITYCENTER_MISCONFIGURATION findings
You can find the UDM mapping in the Field mapping reference: MISCONFIGURATION table.
Finding name | Description |
---|---|
API_KEY_APIS_UNRESTRICTED | There are API keys being used too broadly. To resolve this, limit API key usage to allow only the APIs needed by the application. |
API_KEY_APPS_UNRESTRICTED | There are API keys being used in an unrestricted way, allowing use by any untrusted app |
API_KEY_EXISTS | A project is using API keys instead of standard authentication. |
API_KEY_NOT_ROTATED | The API key hasn't been rotated for more than 90 days |
PUBLIC_COMPUTE_IMAGE | A Compute Engine image is publicly accessible. |
CONFIDENTIAL_COMPUTING_DISABLED | Confidential Computing is disabled on a Compute Engine instance. |
COMPUTE_PROJECT_WIDE_SSH_KEYS_ALLOWED | Project-wide SSH keys are used, allowing login to all instances in the project. |
COMPUTE_SECURE_BOOT_DISABLED | This Shielded VM does not have Secure Boot enabled. Using Secure Boot helps protect virtual machine instances against advanced threats such as rootkits and bootkits. |
DEFAULT_SERVICE_ACCOUNT_USED | An instance is configured to use the default service account. |
FULL_API_ACCESS | An instance is configured to use the default service account with full access to all Google Cloud APIs. |
OS_LOGIN_DISABLED | OS Login is disabled on this instance. |
PUBLIC_IP_ADDRESS | An instance has a public IP address. |
SHIELDED_VM_DISABLED | Shielded VM is disabled on this instance. |
COMPUTE_SERIAL_PORTS_ENABLED | Serial ports are enabled for an instance, allowing connections to the instance's serial console. |
DISK_CMEK_DISABLED | Disks on this VM are not encrypted with customer- managed encryption keys (CMEK). This detector requires additional configuration to enable. For instructions, see Enable and disable detectors. |
HTTP_LOAD_BALANCER | An instance uses a load balancer that is configured to use a target HTTP proxy instead of a target HTTPS proxy. |
IP_FORWARDING_ENABLED | IP forwarding is enabled on instances. |
WEAK_SSL_POLICY | An instance has a weak SSL policy. |
BINARY_AUTHORIZATION_DISABLED | Binary Authorization is disabled on a GKE cluster. |
CLUSTER_LOGGING_DISABLED | Logging isn't enabled for a GKE cluster. |
CLUSTER_MONITORING_DISABLED | Monitoring is disabled on GKE clusters. |
CLUSTER_PRIVATE_GOOGLE_ACCESS_DISABLED | Cluster hosts are not configured to use only private, internal IP addresses to access Google APIs. |
CLUSTER_SECRETS_ENCRYPTION_DISABLED | Application-layer secrets encryption is disabled on a GKE cluster. |
INTRANODE_VISIBILITY_DISABLED | Intranode visibility is disabled for a GKE cluster. |
MASTER_AUTHORIZED_NETWORKS_DISABLED | Control Plane Authorized Networks is not enabled on GKE clusters. |
NETWORK_POLICY_DISABLED | Network policy is disabled on GKE clusters. |
NODEPOOL_SECURE_BOOT_DISABLED | Secure Boot is disabled for a GKE cluster. |
OVER_PRIVILEGED_ACCOUNT | A service account has overly broad project access in a cluster. |
OVER_PRIVILEGED_SCOPES | A node service account has broad access scopes. |
POD_SECURITY_POLICY_DISABLED | PodSecurityPolicy is disabled on a GKE cluster. |
PRIVATE_CLUSTER_DISABLED | A GKE cluster has a Private cluster disabled. |
WORKLOAD_IDENTITY_DISABLED | A GKE cluster is not subscribed to a release channel. |
LEGACY_AUTHORIZATION_ENABLED | Legacy Authorization is enabled on GKE clusters. |
NODEPOOL_BOOT_CMEK_DISABLED | Boot disks in this node pool are not encrypted with customer-managed encryption keys (CMEK). This detector requires additional configuration to enable. For instructions, see Enable and disable detectors. |
WEB_UI_ENABLED | The GKE web UI (dashboard) is enabled. |
AUTO_REPAIR_DISABLED | A GKE cluster's auto repair feature, which keeps nodes in a healthy, running state, is disabled. |
AUTO_UPGRADE_DISABLED | A GKE cluster's auto upgrade feature, which keeps clusters and node pools on the latest stable version of Kubernetes, is disabled. |
CLUSTER_SHIELDED_NODES_DISABLED | Shielded GKE nodes are not enabled for a cluster |
RELEASE_CHANNEL_DISABLED | A GKE cluster is not subscribed to a release channel. |
BIGQUERY_TABLE_CMEK_DISABLED | A BigQuery table is not configured to use a customer-managed encryption key (CMEK). This detector requires additional configuration to enable. |
DATASET_CMEK_DISABLED | A BigQuery dataset is not configured to use a default CMEK. This detector requires additional configuration to enable. |
EGRESS_DENY_RULE_NOT_SET | An egress deny rule is not set on a firewall. Egress deny rules should be set to block unwanted outbound traffic. |
FIREWALL_RULE_LOGGING_DISABLED | Firewall rule logging is disabled. Firewall rule logging should be enabled so you can audit network access. |
OPEN_CASSANDRA_PORT | A firewall is configured to have an open Cassandra port that allows generic access. |
OPEN_SMTP_PORT | A firewall is configured to have an open SMTP port that allows generic access. |
OPEN_REDIS_PORT | A firewall is configured to have an open REDIS port that allows generic access. |
OPEN_POSTGRESQL_PORT | A firewall is configured to have an open PostgreSQL port that allows generic access. |
OPEN_POP3_PORT | A firewall is configured to have an open POP3 port that allows generic access. |
OPEN_ORACLEDB_PORT | A firewall is configured to have an open NETBIOS port that allows generic access. |
OPEN_NETBIOS_PORT | A firewall is configured to have an open NETBIOS port that allows generic access. |
OPEN_MYSQL_PORT | A firewall is configured to have an open MYSQL port that allows generic access. |
OPEN_MONGODB_PORT | A firewall is configured to have an open MONGODB port that allows generic access. |
OPEN_MEMCACHED_PORT | A firewall is configured to have an open MEMCACHED port that allows generic access. |
OPEN_LDAP_PORT | A firewall is configured to have an open LDAP port that allows generic access. |
OPEN_FTP_PORT | A firewall is configured to have an open FTP port that allows generic access. |
OPEN_ELASTICSEARCH_PORT | A firewall is configured to have an open ELASTICSEARCH port that allows generic access. |
OPEN_DNS_PORT | A firewall is configured to have an open DNS port that allows generic access. |
OPEN_HTTP_PORT | A firewall is configured to have an open HTTP port that allows generic access. |
OPEN_DIRECTORY_SERVICES_PORT | A firewall is configured to have an open DIRECTORY_SERVICES port that allows generic access. |
OPEN_CISCOSECURE_WEBSM_PORT | A firewall is configured to have an open CISCOSECURE_WEBSM port that allows generic access. |
OPEN_RDP_PORT | A firewall is configured to have an open RDP port that allows generic access. |
OPEN_TELNET_PORT | A firewall is configured to have an open TELNET port that allows generic access. |
OPEN_FIREWALL | A firewall is configured to be open to public access. |
OPEN_SSH_PORT | A firewall is configured to have an open SSH port that allows generic access. |
SERVICE_ACCOUNT_ROLE_SEPARATION | A user has been assigned the Service Account Admin and Service Account User roles. This violates the "Separation of Duties" principle. |
NON_ORG_IAM_MEMBER | There is a user who isn't using organizational credentials. As per CIS Google Cloud Foundations 1.0, currently, only identities with @gmail.com email addresses trigger this detector. |
OVER_PRIVILEGED_SERVICE_ACCOUNT_USER | A user has the Service Account User or Service Account Token Creator role at the project level, instead of for a specific service account. |
ADMIN_SERVICE_ACCOUNT | A service account has Admin, Owner, or Editor privileges. These roles shouldn't be assigned to user-created service accounts. |
SERVICE_ACCOUNT_KEY_NOT_ROTATED | A service account key hasn't been rotated for more than 90 days. |
USER_MANAGED_SERVICE_ACCOUNT_KEY | A user manages a service account key. |
PRIMITIVE_ROLES_USED | A user has the basic role, Owner, Writer, or Reader. These roles are too permissive and shouldn't be used. |
KMS_ROLE_SEPARATION | Separation of duties is not enforced, and a user exists who has any of the following Cloud Key Management Service (Cloud KMS) roles at the same time: CryptoKey Encrypter/Decrypter, Encrypter, or Decrypter. |
OPEN_GROUP_IAM_MEMBER | A Google Groups account that can be joined without approval is used as an IAM allow policy principal. |
KMS_KEY_NOT_ROTATED | Rotation isn't configured on a Cloud KMS encryption key. Keys should be rotated within a period of 90 days. |
KMS_PROJECT_HAS_OWNER | A user has Owner permissions on a project that has cryptographic keys. |
TOO_MANY_KMS_USERS | There are more than three users of cryptographic keys. |
OBJECT_VERSIONING_DISABLED | Object versioning isn't enabled on a storage bucket where sinks are configured. |
LOCKED_RETENTION_POLICY_NOT_SET | A locked retention policy is not set for logs. |
BUCKET_LOGGING_DISABLED | There is a storage bucket without logging enabled. |
LOG_NOT_EXPORTED | There is a resource that doesn't have an appropriate log sink configured. |
AUDIT_LOGGING_DISABLED | Audit logging has been disabled for this resource. |
MFA_NOT_ENFORCED | There are users who aren't using 2-step verification. |
ROUTE_NOT_MONITORED | Log metrics and alerts aren't configured to monitor VPC network route changes. |
OWNER_NOT_MONITORED | Log metrics and alerts aren't configured to monitor Project Ownership assignments or changes. |
AUDIT_CONFIG_NOT_MONITORED | Log metrics and alerts aren't configured to monitor Audit Configuration changes. |
BUCKET_IAM_NOT_MONITORED | Log metrics and alerts aren't configured to monitor Cloud Storage IAM permission changes. |
CUSTOM_ROLE_NOT_MONITORED | Log metrics and alerts aren't configured to monitor Custom Role changes. |
FIREWALL_NOT_MONITORED | Log metrics and alerts aren't configured to monitor Virtual Private Cloud (VPC) Network Firewall rule changes. |
NETWORK_NOT_MONITORED | Log metrics and alerts aren't configured to monitor VPC network changes. |
SQL_INSTANCE_NOT_MONITORED | Log metrics and alerts aren't configured to monitor Cloud SQL instance configuration changes. |
DEFAULT_NETWORK | The default network exists in a project. |
DNS_LOGGING_DISABLED | DNS logging on a VPC network is not enabled. |
PUBSUB_CMEK_DISABLED | A Pub/Sub topic is not encrypted with customer-managed encryption keys (CMEK). This detector requires additional configuration to enable. For instructions, see Enable and disable detectors. |
PUBLIC_SQL_INSTANCE | A Cloud SQL database instance accepts connections from all IP addresses. |
SSL_NOT_ENFORCED | A Cloud SQL database instance doesn't require all incoming connections to use SSL. |
AUTO_BACKUP_DISABLED | A Cloud SQL database doesn't have automatic backups enabled. |
SQL_CMEK_DISABLED | A SQL database instance is not encrypted with customer-managed encryption keys (CMEK). This detector requires additional configuration to enable. For instructions, see Enable and disable detectors. |
SQL_LOG_CHECKPOINTS_DISABLED | The log_checkpoints database flag for a Cloud SQL for PostgreSQL instance is not set to on. |
SQL_LOG_CONNECTIONS_DISABLED | The log_connections database flag for a Cloud SQL for PostgreSQL instance is not set to on. |
SQL_LOG_DISCONNECTIONS_DISABLED | The log_disconnections database flag for a Cloud SQL for PostgreSQL instance is not set to on. |
SQL_LOG_DURATION_DISABLED | The log_duration database flag for a Cloud SQL for PostgreSQL instance is not set to on. |
SQL_LOG_LOCK_WAITS_DISABLED | The log_lock_waits database flag for a Cloud SQL for PostgreSQL instance is not set to on. |
SQL_LOG_STATEMENT | The log_statement database flag for a Cloud SQL for PostgreSQL instance is not set to Ddl (all data definition statements). |
SQL_NO_ROOT_PASSWORD | A Cloud SQL database doesn't have a password configured for the root account. This detector requires additional configuration to enable. For instructions, see Enable and disable detectors. |
SQL_PUBLIC_IP | A Cloud SQL database has a public IP address. |
SQL_CONTAINED_DATABASE_AUTHENTICATION | The contained database authentication database flag for a Cloud SQL for SQL Server instance is not set to off. |
SQL_CROSS_DB_OWNERSHIP_CHAINING | The cross_db_ownership_chaining database flag for a Cloud SQL for SQL Server instance is not set to off. |
SQL_LOCAL_INFILE | The local_infile database flag for a Cloud SQL for MySQL instance is not set to off. |
SQL_LOG_MIN_ERROR_STATEMENT | The log_min_error_statement database flag for a Cloud SQL for PostgreSQL instance is not set appropriately. |
SQL_LOG_MIN_ERROR_STATEMENT_SEVERITY | The log_min_error_statement database flag for a Cloud SQL for PostgreSQL instance does not have an appropriate severity level. |
SQL_LOG_TEMP_FILES | The log_temp_files database flag for a Cloud SQL for PostgreSQL instance is not set to "0". |
SQL_REMOTE_ACCESS_ENABLED | The remote access database flag for a Cloud SQL for SQL Server instance is not set to off. |
SQL_SKIP_SHOW_DATABASE_DISABLED | The skip_show_database database flag for a Cloud SQL for MySQL instance is not set to on. |
SQL_TRACE_FLAG_3625 | The 3625 (trace flag) database flag for a Cloud SQL for SQL Server instance is not set to on. |
SQL_USER_CONNECTIONS_CONFIGURED | The user connections database flag for a Cloud SQL for SQL Server instance is configured. |
SQL_USER_OPTIONS_CONFIGURED | The user options database flag for a Cloud SQL for SQL Server instance is configured. |
PUBLIC_BUCKET_ACL | A Cloud Storage bucket is publicly accessible. |
BUCKET_POLICY_ONLY_DISABLED | Uniform bucket-level access, previously called Bucket Policy Only, isn't configured. |
BUCKET_CMEK_DISABLED | A bucket is not encrypted with customer-managed encryption keys (CMEK). This detector requires additional configuration to enable. For instructions, see Enable and disable detectors. |
FLOW_LOGS_DISABLED | There is a VPC subnetwork that has flow logs disabled. |
PRIVATE_GOOGLE_ACCESS_DISABLED | There are private subnetworks without access to Google public APIs. |
kms_key_region_europe | Due to company policy, all encryption keys should remain stored in Europe. |
kms_non_euro_region | Due to company policy, all encryption keys should remain stored in Europe. |
LEGACY_NETWORK | A legacy network exists in a project. |
LOAD_BALANCER_LOGGING_DISABLED | Logging is disabled for the load balancer. |
Supported GCP_SECURITYCENTER_POSTURE_VIOLATION findings
You can find the UDM mapping in the Field mapping reference: POSTURE VIOLATION table.
Finding name | Description |
---|---|
SECURITY_POSTURE_DRIFT | Drift from the defined policies within security posture. This is detected by the security posture service. |
SECURITY_POSTURE_POLICY_DRIFT | The security posture service detected a change to an organization policy that occurred outside of a posture update. |
SECURITY_POSTURE_POLICY_DELETE | The security posture service detected that an organization policy was deleted. This deletion occurred outside of a posture update. |
SECURITY_POSTURE_DETECTOR_DRIFT | The security posture service detected a change to a Security Health Analytics detector that occurred outside of a posture update. |
SECURITY_POSTURE_DETECTOR_DELETE | The security posture service detected that a Security Health Analytics custom module was deleted. This deletion occurred outside of a posture update. |
Field mapping reference
This section explains how the Google Security Operations parser maps Security Command Center log fields to Google Security Operations Unified Data Model (UDM) fields for the data sets.
Field mapping reference: raw log fields to UDM fields
The following table lists the log fields and corresponding UDM mappings for the Security Command Center Event Threat Detection findings.
RawLog field | UDM mapping | Logic |
---|---|---|
compliances.ids |
about.labels [compliance_ids] (deprecated) |
|
compliances.ids |
additional.fields [compliance_ids] |
|
compliances.version |
about.labels [compliance_version] (deprecated) |
|
compliances.version |
additional.fields [compliance_version] |
|
compliances.standard |
about.labels [compliances_standard] (deprecated) |
|
compliances.standard |
additional.fields [compliances_standard] |
|
connections.destinationIp |
about.labels [connections_destination_ip] (deprecated) |
If the connections.destinationIp log field value is not equal to the sourceProperties.properties.ipConnection.destIp , then the connections.destinationIp log field is mapped to the about.labels.value UDM field. |
connections.destinationIp |
additional.fields [connections_destination_ip] |
If the connections.destinationIp log field value is not equal to the sourceProperties.properties.ipConnection.destIp , then the connections.destinationIp log field is mapped to the additional.fields.value.string_value UDM field. |
connections.destinationPort |
about.labels [connections_destination_port] (deprecated) |
|
connections.destinationPort |
additional.fields [connections_destination_port] |
|
connections.protocol |
about.labels [connections_protocol] (deprecated) |
|
connections.protocol |
additional.fields [connections_protocol] |
|
connections.sourceIp |
about.labels [connections_source_ip] (deprecated) |
|
connections.sourceIp |
additional.fields [connections_source_ip] |
|
connections.sourcePort |
about.labels [connections_source_port] (deprecated) |
|
connections.sourcePort |
additional.fields [connections_source_port] |
|
kubernetes.pods.ns |
target.resource_ancestors.attribute.labels.key/value [kubernetes_pods_ns] |
|
kubernetes.pods.name |
target.resource_ancestors.name |
|
kubernetes.nodes.name |
target.resource_ancestors.name |
|
kubernetes.nodePools.name |
target.resource_ancestors.name |
|
|
target.resource_ancestors.resource_type |
If the message log field value matches the regular expression pattern kubernetes , then the target.resource_ancestors.resource_type UDM field is set to CLUSTER.Else, If message log field value matches the regular expression kubernetes.*?pods , then the target.resource_ancestors.resource_type UDM field is set to POD. |
|
about.resource.attribute.cloud.environment |
The about.resource.attribute.cloud.environment UDM field is set to GOOGLE_CLOUD_PLATFORM . |
externalSystems.assignees |
about.resource.attribute.labels.key/value [externalSystems_assignees] |
|
externalSystems.status |
about.resource.attribute.labels.key/value [externalSystems_status] |
|
kubernetes.nodePools.nodes.name |
target.resource.attribute.labels.key/value [kubernetes_nodePools_nodes_name] |
|
kubernetes.pods.containers.uri |
target.resource_ancestors.attribute.labels.key/value [kubernetes_pods_containers_uri] |
|
kubernetes.pods.containers.createTime |
target.resource_ancestors.attribute.labels[kubernetes_pods_containers_createTime] |
|
kubernetes.roles.kind |
target.resource.attribute.labels.key/value [kubernetes_roles_kind] |
|
kubernetes.roles.name |
target.resource.attribute.labels.key/value [kubernetes_roles_name] |
|
kubernetes.roles.ns |
target.resource.attribute.labels.key/value [kubernetes_roles_ns] |
|
kubernetes.pods.containers.labels.name/value |
target.resource.attribute.labels.key/value [kubernetes.pods.containers.labels.name/value] |
|
kubernetes.pods.labels.name/value |
target.resource.attribute.labels.key/value [kubernetes.pods.labels.name/value] |
|
externalSystems.externalSystemUpdateTime |
about.resource.attribute.last_update_time |
|
externalSystems.name |
about.resource.name |
|
externalSystems.externalUid |
about.resource.product_object_id |
|
indicator.uris |
about.url |
|
|
extension.auth.type |
If the category log field value is equal to Initial Access: Account Disabled Hijacked or Initial Access: Disabled Password Leak or Initial Access: Government Based Attack or Initial Access: Suspicious Login Blocked or Impair Defenses: Two Step Verification Disabled or Persistence: SSO Enablement Toggle , then the extension.auth.type UDM field is set to SSO . |
|
extension.mechanism |
If the category log field value is equal to Brute Force: SSH , then the extension.mechanism UDM field is set to USERNAME_PASSWORD . |
|
extensions.auth.type |
If the principal.user.user_authentication_status log field value is equal to ACTIVE , then the extensions.auth.type UDM field is set to SSO . |
vulnerability.cve.references.uri |
extensions.vulns.vulnerabilities.about.labels [vulnerability.cve.references.uri] (deprecated) |
|
vulnerability.cve.references.uri |
additional.fields [vulnerability.cve.references.uri] |
|
vulnerability.cve.cvssv3.attackComplexity |
extensions.vulns.vulnerabilities.about.labels [vulnerability_cve_cvssv3_attackComplexity] (deprecated) |
|
vulnerability.cve.cvssv3.attackComplexity |
additional.fields [vulnerability_cve_cvssv3_attackComplexity] |
|
vulnerability.cve.cvssv3.availabilityImpact |
extensions.vulns.vulnerabilities.about.labels [vulnerability_cve_cvssv3_availabilityImpact] (deprecated) |
|
vulnerability.cve.cvssv3.availabilityImpact |
additional.fields [vulnerability_cve_cvssv3_availabilityImpact] |
|
vulnerability.cve.cvssv3.confidentialityImpact |
extensions.vulns.vulnerabilities.about.labels [vulnerability_cve_cvssv3_confidentialityImpact] (deprecated) |
|
vulnerability.cve.cvssv3.confidentialityImpact |
additional.fields [vulnerability_cve_cvssv3_confidentialityImpact] |
|
vulnerability.cve.cvssv3.integrityImpact |
extensions.vulns.vulnerabilities.about.labels [vulnerability_cve_cvssv3_integrityImpact] (deprecated) |
|
vulnerability.cve.cvssv3.integrityImpact |
additional.fields [vulnerability_cve_cvssv3_integrityImpact] |
|
vulnerability.cve.cvssv3.privilegesRequired |
extensions.vulns.vulnerabilities.about.labels [vulnerability_cve_cvssv3_privilegesRequired] (deprecated) |
|
vulnerability.cve.cvssv3.privilegesRequired |
additional.fields [vulnerability_cve_cvssv3_privilegesRequired] |
|
vulnerability.cve.cvssv3.scope |
extensions.vulns.vulnerabilities.about.labels [vulnerability_cve_cvssv3_scope] (deprecated) |
|
vulnerability.cve.cvssv3.scope |
additional.fields [vulnerability_cve_cvssv3_scope] |
|
vulnerability.cve.cvssv3.userInteraction |
extensions.vulns.vulnerabilities.about.labels [vulnerability_cve_cvssv3_userInteraction] (deprecated) |
|
vulnerability.cve.cvssv3.userInteraction |
additional.fields [vulnerability_cve_cvssv3_userInteraction] |
|
vulnerability.cve.references.source |
extensions.vulns.vulnerabilities.about.labels [vulnerability_cve_references_source] (deprecated) |
|
vulnerability.cve.references.source |
additional.fields [vulnerability_cve_references_source] |
|
vulnerability.cve.upstreamFixAvailable |
extensions.vulns.vulnerabilities.about.labels [vulnerability_cve_upstreamFixAvailable] (deprecated) |
|
vulnerability.cve.upstreamFixAvailable |
additional.fields [vulnerability_cve_upstreamFixAvailable] |
|
vulnerability.cve.id |
extensions.vulns.vulnerabilities.cve_id |
|
vulnerability.cve.cvssv3.baseScore |
extensions.vulns.vulnerabilities.cvss_base_score |
|
vulnerability.cve.cvssv3.attackVector |
extensions.vulns.vulnerabilities.cvss_vector |
|
sourceProperties.properties.loadBalancerName |
intermediary.resource.name |
If the category log field value is equal to Initial Access: Log4j Compromise Attempt , then the sourceProperties.properties.loadBalancerName log field is mapped to the intermediary.resource.name UDM field. |
|
intermediary.resource.resource_type |
If the category log field value is equal to Initial Access: Log4j Compromise Attempt , then the intermediary.resource.resource_type UDM field is set to BACKEND_SERVICE . |
parentDisplayName |
metadata.description |
|
eventTime |
metadata.event_timestamp |
|
category |
metadata.product_event_type |
|
sourceProperties.evidence.sourceLogId.insertId |
metadata.product_log_id |
If the canonicalName log field value is not empty, then the finding_id is extracted from the canonicalName log field using a Grok pattern.If the finding_id log field value is empty, then the sourceProperties.evidence.sourceLogId.insertId log field is mapped to the metadata.product_log_id UDM field.If the canonicalName log field value is empty, then the sourceProperties.evidence.sourceLogId.insertId log field is mapped to the metadata.product_log_id UDM field. |
|
metadata.product_name |
The metadata.product_name UDM field is set to Security Command Center . |
sourceProperties.contextUris.cloudLoggingQueryUri.url |
security_result.detection_fields.key/value[sourceProperties_contextUris_cloudLoggingQueryUri_url] |
|
|
metadata.vendor_name |
The metadata.vendor_name UDM field is set to Google . |
|
network.application_protocol |
If the category log field value is equal to Malware: Bad Domain or Malware: Cryptomining Bad Domain , then the network.application_protocol UDM field is set to DNS . |
sourceProperties.properties.indicatorContext.asn |
network.asn |
If the category log field value is equal to Malware: Cryptomining Bad IP , then the sourceProperties.properties.indicatorContext.asn log field is mapped to the network.asn UDM field. |
sourceProperties.properties.indicatorContext.carrierName |
network.carrier_name |
If the category log field value is equal to Malware: Cryptomining Bad IP , then the sourceProperties.properties.indicatorContext.carrierName log field is mapped to the network.carrier_name UDM field. |
sourceProperties.properties.indicatorContext.reverseDnsDomain |
network.dns_domain |
If the category log field value is equal to Malware: Cryptomining Bad IP or Malware: Bad IP , then the sourceProperties.properties.indicatorContext.reverseDnsDomain log field is mapped to the network.dns_domain UDM field. |
sourceProperties.properties.dnsContexts.responseData.responseClass |
network.dns.answers.class |
If the category log field value is equal to Malware: Bad Domain , then the sourceProperties.properties.dnsContexts.responseData.responseClass log field is mapped to the network.dns.answers.class UDM field. |
sourceProperties.properties.dnsContexts.responseData.responseValue |
network.dns.answers.data |
If the category log field value matches the regular expression Malware: Bad Domain , then the sourceProperties.properties.dnsContexts.responseData.responseValue log field is mapped to the network.dns.answers.data UDM field. |
sourceProperties.properties.dnsContexts.responseData.domainName |
network.dns.answers.name |
If the category log field value is equal to Malware: Bad Domain , then the sourceProperties.properties.dnsContexts.responseData.domainName log field is mapped to the network.dns.answers.name UDM field. |
sourceProperties.properties.dnsContexts.responseData.ttl |
network.dns.answers.ttl |
If the category log field value is equal to Malware: Bad Domain , then the sourceProperties.properties.dnsContexts.responseData.ttl log field is mapped to the network.dns.answers.ttl UDM field. |
sourceProperties.properties.dnsContexts.responseData.responseType |
network.dns.answers.type |
If the category log field value is equal to Malware: Bad Domain , then the sourceProperties.properties.dnsContexts.responseData.responseType log field is mapped to the network.dns.answers.type UDM field. |
sourceProperties.properties.dnsContexts.authAnswer |
network.dns.authoritative |
If the category log field value is equal to Malware: Bad Domain or Malware: Cryptomining Bad Domain , then the sourceProperties.properties.dnsContexts.authAnswer log field is mapped to the network.dns.authoritative UDM field. |
sourceProperties.properties.dnsContexts.queryName |
network.dns.questions.name |
If the category log field value is equal to Malware: Bad Domain or Malware: Cryptomining Bad Domain , then the sourceProperties.properties.dnsContexts.queryName log field is mapped to the network.dns.questions.name UDM field. |
sourceProperties.properties.dnsContexts.queryType |
network.dns.questions.type |
If the category log field value is equal to Malware: Bad Domain or Malware: Cryptomining Bad Domain , then the sourceProperties.properties.dnsContexts.queryType log field is mapped to the network.dns.questions.type UDM field. |
sourceProperties.properties.dnsContexts.responseCode |
network.dns.response_code |
If the category log field value is equal to Malware: Bad Domain or Malware: Cryptomining Bad Domain , then the sourceProperties.properties.dnsContexts.responseCode log field is mapped to the network.dns.response_code UDM field. |
sourceProperties.properties.anomalousSoftware.callerUserAgent |
network.http.user_agent |
If the category log field value is equal to Persistence: New User Agent , then the sourceProperties.properties.anomalousSoftware.callerUserAgent log field is mapped to the network.http.user_agent UDM field. |
sourceProperties.properties.callerUserAgent |
network.http.user_agent |
If the category log field value is equal to Persistence: GCE Admin Added SSH Key or Persistence: GCE Admin Added Startup Script , then the sourceProperties.properties.callerUserAgent log field is mapped to the network.http.user_agent UDM field. |
access.userAgentFamily |
network.http.user_agent |
|
finding.access.userAgent |
network.http.user_agent |
|
sourceProperties.properties.serviceAccountGetsOwnIamPolicy.rawUserAgent |
network.http.user_agent |
If the category log field value is equal to Discovery: Service Account Self-Investigation , then the sourceProperties.properties.serviceAccountGetsOwnIamPolicy.rawUserAgent log field is mapped to the network.http.user_agent UDM field. |
sourceProperties.properties.ipConnection.protocol | network.ip_protocol | If the category log field value is equal to Malware: Bad IP or Malware: Cryptomining Bad IP or Malware: Outgoing DoS , then the network.ip_protocol UDM field is set to one of the following values:
|
sourceProperties.properties.indicatorContext.organizationName |
network.organization_name |
If the category log field value is equal to Malware: Cryptomining Bad IP or Malware: Bad IP , then the sourceProperties.properties.indicatorContext.organizationName log field is mapped to the network.organization_name UDM field. |
sourceProperties.properties.anomalousSoftware.behaviorPeriod |
network.session_duration |
If the category log field value is equal to Persistence: New User Agent , then the sourceProperties.properties.anomalousSoftware.behaviorPeriod log field is mapped to the network.session_duration UDM field. |
sourceProperties.properties.sourceIp |
principal.ip |
If the category log field value matches the regular expression Active Scan: Log4j Vulnerable to RCE , then the sourceProperties.properties.sourceIp log field is mapped to the principal.ip UDM field. |
sourceProperties.properties.attempts.sourceIp |
principal.ip |
If the category log field value is equal to Brute Force: SSH , then the sourceProperties.properties.attempts.sourceIp log field is mapped to the principal.ip UDM field. |
access.callerIp |
principal.ip |
If the category log field value is equal to Defense Evasion: Modify VPC Service Control or access.callerIp or Exfiltration: BigQuery Data Extraction or Exfiltration: BigQuery Data to Google Drive or Exfiltration: CloudSQL Data Exfiltration or Exfiltration: CloudSQL Restore Backup to External Organization or Persistence: New Geography or Persistence: IAM Anomalous Grant , then the access.callerIp log field is mapped to the principal.ip UDM field. |
sourceProperties.properties.serviceAccountGetsOwnIamPolicy.callerIp |
principal.ip |
If the category log field value is equal to Discovery: Service Account Self-Investigation , then the sourceProperties.properties.serviceAccountGetsOwnIamPolicy.callerIp log field is mapped to the principal.ip UDM field. |
sourceProperties.properties.changeFromBadIp.ip |
principal.ip |
If the category log field value is equal to Evasion: Access from Anonymizing Proxy , then the sourceProperties.properties.changeFromBadIp.ip log field is mapped to the principal.ip UDM field. |
sourceProperties.properties.dnsContexts.sourceIp |
principal.ip |
If the category log field value is equal to Malware: Bad Domain or Malware: Cryptomining Bad Domain , then the sourceProperties.properties.dnsContexts.sourceIp log field is mapped to the principal.ip UDM field. |
sourceProperties.properties.ipConnection.srcIp |
principal.ip |
If the category log field value is equal to Malware: Bad IP or Malware: Cryptomining Bad IP or Malware: Outgoing DoS , then the sourceProperties.properties.ipConnection.srcIp log field is mapped to the principal.ip UDM field. |
sourceProperties.properties.callerIp sourceProperties.properties.indicatorContext.ipAddress |
principal.ip |
If the category log field value is equal to Malware: Cryptomining Bad IP or Malware: Bad IP , then if the sourceProperties.properties.ipConnection.srcIp log field value is not equal to the sourceProperties.properties.indicatorContext.ipAddress , then the sourceProperties.properties.indicatorContext.ipAddress log field is mapped to the principal.ip UDM field. |
sourceProperties.properties.anomalousLocation.callerIp |
principal.ip |
If the category log field value is equal to Persistence: New Geography , then the sourceProperties.properties.anomalousLocation.callerIp log field is mapped to the principal.ip UDM field. |
sourceProperties.properties.scannerDomain |
principal.labels [sourceProperties_properties_scannerDomain] (deprecated) |
If the category log field value matches the regular expression Active Scan: Log4j Vulnerable to RCE , then the sourceProperties.properties.scannerDomain log field is mapped to the principal.labels.key/value UDM field. |
sourceProperties.properties.scannerDomain |
additional.fields [sourceProperties_properties_scannerDomain] |
If the category log field value matches the regular expression Active Scan: Log4j Vulnerable to RCE , then the sourceProperties.properties.scannerDomain log field is mapped to the additional.fields.value.string_value UDM field. |
sourceProperties.properties.dataExfiltrationAttempt.jobState |
principal.labels [sourceProperties.properties.dataExfiltrationAttempt.jobState] (deprecated) |
If the category log field value is equal to Exfiltration: BigQuery Data Exfiltration , then the sourceProperties.properties.dataExfiltrationAttempt.jobState log field is mapped to the principal.labels.key/value and UDM field. |
sourceProperties.properties.dataExfiltrationAttempt.jobState |
additional.fields [sourceProperties.properties.dataExfiltrationAttempt.jobState] |
If the category log field value is equal to Exfiltration: BigQuery Data Exfiltration , then the sourceProperties.properties.dataExfiltrationAttempt.jobState log field is mapped to the additional.fields.value.string_value UDM field. |
access.callerIpGeo.regionCode |
principal.location.country_or_region |
|
sourceProperties.properties.indicatorContext.countryCode |
principal.location.country_or_region |
If the category log field value is equal to Malware: Cryptomining Bad IP or Malware: Bad IP , then the sourceProperties.properties.indicatorContext.countryCode log field is mapped to the principal.location.country_or_region UDM field. |
sourceProperties.properties.dataExfiltrationAttempt.job.location |
principal.location.country_or_region |
If the category log field value is equal to Exfiltration: BigQuery Data Exfiltration , then the sourceProperties.properties.dataExfiltrationAttempt.job.location log field is mapped to the principal.location.country_or_region UDM field. |
sourceProperties.properties.extractionAttempt.job.location |
principal.location.country_or_region |
If the category log field value is equal to Exfiltration: BigQuery Data Extraction or Exfiltration: BigQuery Data to Google Drive , then the sourceProperties.properties.extractionAttempt.job.location log field is mapped to the principal.location.country_or_region UDM field. |
sourceProperties.properties.anomalousLocation.typicalGeolocations.country.identifier |
principal.location.country_or_region |
If the category log field value is equal to Persistence: New Geography or Persistence: IAM Anomalous Grant , then the sourceProperties.properties.anomalousLocation.typicalGeolocations.country.identifier log field is mapped to the principal.location.country_or_region UDM field. |
sourceProperties.properties.anomalousLocation.anomalousLocation |
principal.location.name |
If the category log field value is equal to Persistence: IAM Anomalous Grant , then the sourceProperties.properties.anomalousLocation.anomalousLocation log field is mapped to the principal.location.name UDM field. |
sourceProperties.properties.ipConnection.srcPort |
principal.port |
If the category log field value is equal to Malware: Bad IP or Malware: Outgoing DoS , then the sourceProperties.properties.ipConnection.srcPort log field is mapped to the principal.port UDM field. |
sourceProperties.properties.extractionAttempt.jobLink |
principal.process.file.full_path |
If the category log field value is equal to Exfiltration: BigQuery Data Extraction or Exfiltration: BigQuery Data to Google Drive , then the sourceProperties.properties.extractionAttempt.jobLink log field is mapped to the principal.process.file.full_path UDM field. |
sourceProperties.properties.dataExfiltrationAttempt.jobLink |
principal.process.file.full_path |
If the category log field value is equal to Exfiltration: BigQuery Data Exfiltration , then the sourceProperties.properties.dataExfiltrationAttempt.jobLink log field is mapped to the principal.process.file.full_path UDM field. |
sourceProperties.properties.dataExfiltrationAttempt.job.jobId |
principal.process.pid |
If the category log field value is equal to Exfiltration: BigQuery Data Exfiltration , then the sourceProperties.properties.dataExfiltrationAttempt.job.jobId log field is mapped to the principal.process.pid UDM field. |
sourceProperties.properties.extractionAttempt.job.jobId |
principal.process.pid |
If the category log field value is equal to Exfiltration: BigQuery Data Extraction or Exfiltration: BigQuery Data to Google Drive , then the sourceProperties.properties.extractionAttempt.job.jobId log field is mapped to the principal.process.pid UDM field. |
sourceProperties.properties.srcVpc.subnetworkName |
principal.resource_ancestors.attribute.labels.key/value [sourceProperties_properties_destVpc_subnetworkName] |
If the category log field value is equal to Malware: Cryptomining Bad IP or Malware: Bad IP , then the sourceProperties.properties.srcVpc.subnetworkName log field is mapped to the principal.resource_ancestors.attribute.labels.value UDM field. |
principal.resource_ancestors.attribute.labels.key/value [sourceProperties_properties_srcVpc_projectId] |
principal.resource_ancestors.attribute.labels.key/value [sourceProperties_properties_srcVpc_projectId] |
If the category log field value is equal to Malware: Cryptomining Bad IP or Malware: Bad IP , then the sourceProperties.properties.srcVpc.projectId log field is mapped to the principal.resource_ancestors.attribute.labels.value UDM field. |
sourceProperties.properties.srcVpc.vpcName |
principal.resource_ancestors.name |
If the category log field value is equal to Malware: Cryptomining Bad IP or Malware: Bad IP , then the sourceProperties.properties.destVpc.vpcName log field is mapped to the principal.resource_ancestors.name UDM field and the principal.resource_ancestors.resource_type UDM field is set to VIRTUAL_MACHINE . |
sourceProperties.sourceId.customerOrganizationNumber |
principal.resource.attribute.labels.key/value [sourceProperties_sourceId_customerOrganizationNumber] |
If the message log field value matches the regular expression sourceProperties.sourceId.*?customerOrganizationNumber , then the sourceProperties.sourceId.customerOrganizationNumber log field is mapped to the principal.resource.attribute.labels.key/value UDM field. |
resource.projectName |
principal.resource.name |
|
sourceProperties.properties.projectId |
principal.resource.name |
If the sourceProperties.properties.projectId log field value is not empty, then the sourceProperties.properties.projectId log field is mapped to the principal.resource.name UDM field. |
sourceProperties.properties.serviceAccountGetsOwnIamPolicy.projectId |
principal.resource.name |
If the category log field value is equal to Discovery: Service Account Self-Investigation , then the sourceProperties.properties.serviceAccountGetsOwnIamPolicy.projectId log field is mapped to the principal.resource.name UDM field. |
sourceProperties.properties.sourceInstanceDetails |
principal.resource.name |
If the category log field value is equal to Malware: Outgoing DoS , then the sourceProperties.properties.sourceInstanceDetails log field is mapped to the principal.resource.name UDM field. |
|
principal.user.account_type |
If the access.principalSubject log field value matches the regular expression serviceAccount , then the principal.user.account_type UDM field is set to SERVICE_ACCOUNT_TYPE .Else if, the access.principalSubject log field value matches the regular expression user , then the principal.user.account_type UDM field is set to CLOUD_ACCOUNT_TYPE . |
access.principalSubject |
principal.user.attribute.labels.key/value [access_principalSubject] |
|
access.serviceAccountDelegationInfo.principalSubject |
principal.user.attribute.labels.key/value [access_serviceAccountDelegationInfo_principalSubject] |
|
access.serviceAccountKeyName |
principal.user.attribute.labels.key/value [access_serviceAccountKeyName] |
|
sourceProperties.properties.serviceAccountGetsOwnIamPolicy.callerUserAgent |
principal.user.attribute.labels.key/value [sourceProperties_properties_serviceAccountGetsOwnIamPolicy_callerUserAgent] |
If the category log field value is equal to Discovery: Service Account Self-Investigation , then the principal.user.attribute.labels.key UDM field is set to rawUserAgent and the sourceProperties.properties.serviceAccountGetsOwnIamPolicy.callerUserAgent log field is mapped to the principal.user.attribute.labels.value UDM field. |
sourceProperties.properties.serviceAccountGetsOwnIamPolicy.principalEmail |
principal.user.email_addresses |
If the category log field value is equal to Discovery: Service Account Self-Investigation , then the sourceProperties.properties.serviceAccountGetsOwnIamPolicy.principalEmail log field is mapped to the principal.user.email_addresses UDM field. |
sourceProperties.properties.changeFromBadIp.principalEmail |
principal.user.email_addresses |
If the category log field value is equal to Evasion: Access from Anonymizing Proxy , then the sourceProperties.properties.changeFromBadIp.principalEmail log field is mapped to the principal.user.email_addresses UDM field. |
sourceProperties.properties.dataExfiltrationAttempt.userEmail |
principal.user.email_addresses |
If the category log field value is equal to Exfiltration: BigQuery Data Exfiltration , then the sourceProperties.properties.dataExfiltrationAttempt.userEmail log field is mapped to the principal.user.email_addresses UDM field. |
sourceProperties.properties.principalEmail |
principal.user.email_addresses |
If the category log field value is equal to Exfiltration: BigQuery Data to Google Drive or Initial Access: Account Disabled Hijacked or Initial Access: Disabled Password Leak or Initial Access: Government Based Attack or Impair Defenses: Strong Authentication Disabled or Impair Defenses: Two Step Verification Disabled or Persistence: GCE Admin Added Startup Script or Persistence: GCE Admin Added SSH Key , then the sourceProperties.properties.principalEmail log field is mapped to the principal.user.email_addresses UDM field.If the category log field value is equal to Initial Access: Suspicious Login Blocked , then the sourceProperties.properties.principalEmail log field is mapped to the principal.user.email_addresses UDM field. |
access.principalEmail |
principal.user.email_addresses |
If the category log field value is equal to Defense Evasion: Modify VPC Service Control or Exfiltration: CloudSQL Data Exfiltration or Exfiltration: CloudSQL Restore Backup to External Organization or Persistence: New Geography , then the access.principalEmail log field is mapped to the principal.user.email_addresses UDM field. |
sourceProperties.properties.sensitiveRoleGrant.principalEmail |
principal.user.email_addresses |
If the category log field value is equal to Persistence: IAM Anomalous Grant , then the sourceProperties.properties.sensitiveRoleGrant.principalEmail log field is mapped to the principal.user.email_addresses UDM field. |
sourceProperties.properties.anomalousSoftware.principalEmail |
principal.user.email_addresses |
If the category log field value is equal to Persistence: New User Agent , then the sourceProperties.properties.anomalousSoftware.principalEmail log field is mapped to the principal.user.email_addresses UDM field. |
sourceProperties.properties.exportToGcs.principalEmail |
principal.user.email_addresses |
|
sourceProperties.properties.restoreToExternalInstance.principalEmail |
principal.user.email_addresses |
If the category log field value is equal to Exfiltration: CloudSQL Restore Backup to External Organization , then the sourceProperties.properties.restoreToExternalInstance.principalEmail log field is mapped to the principal.user.email_addresses UDM field. |
access.serviceAccountDelegationInfo.principalEmail |
principal.user.email_addresses |
|
sourceProperties.properties.customRoleSensitivePermissions.principalEmail |
principal.user.email_addresses |
If the category log field value is equal to Persistence: IAM Anomalous Grant , then the sourceProperties.properties.customRoleSensitivePermissions.principalEmail log field is mapped to the principal.user.email_addresses UDM field. |
sourceProperties.properties.anomalousLocation.principalEmail |
principal.user.email_addresses |
If the category log field value is equal to Persistence: New Geography , then the sourceProperties.properties.anomalousLocation.principalEmail log field is mapped to the principal.user.email_addresses UDM field. |
sourceProperties.properties.externalMemberAddedToPrivilegedGroup.principalEmail |
principal.user.email_addresses |
If the category log field value is equal to Credential Access: External Member Added To Privileged Group , then the sourceProperties.properties.externalMemberAddedToPrivilegedGroup.principalEmail log field is mapped to the principal.user.email_addresses UDM field. |
sourceProperties.properties.privilegedGroupOpenedToPublic.principalEmail |
principal.user.email_addresses |
If the category log field value is equal to Credential Access: Privileged Group Opened To Public , then the sourceProperties.properties.privilegedGroupOpenedToPublic.principalEmail log field is mapped to the principal.user.email_addresses UDM field. |
sourceProperties.properties.sensitiveRoleToHybridGroup.principalEmail |
principal.user.email_addresses |
If the category log field value is equal to Credential Access: Sensitive Role Granted To Hybrid Group , then the sourceProperties.properties.sensitiveRoleToHybridGroup.principalEmail log field is mapped to the principal.user.email_addresses UDM field. |
sourceProperties.properties.vpcViolation.userEmail |
principal.user.email_addresses |
If the category log field value is equal to Exfiltration: BigQuery Data Exfiltration , then the sourceProperties.properties.vpcViolation.userEmail log field is mapped to the principal.user.email_addresses UDM field. |
sourceProperties.properties.ssoState |
principal.user.user_authentication_status |
If the category log field value is equal to Initial Access: Account Disabled Hijacked or Initial Access: Disabled Password Leak or Initial Access: Government Based Attack or Initial Access: Suspicious Login Blocked or Impair Defenses: Two Step Verification Disabled or Persistence: SSO Enablement Toggle , then the sourceProperties.properties.ssoState log field is mapped to the principal.user.user_authentication_status UDM field. |
database.userName |
principal.user.userid |
If the category log field value is equal to Exfiltration: CloudSQL Over-Privileged Grant , then the database.userName log field is mapped to the principal.user.userid UDM field. |
sourceProperties.properties.threatIntelligenceSource |
security_result.about.application |
If the category log field value is equal to Malware: Bad IP , then the sourceProperties.properties.threatIntelligenceSource log field is mapped to the security_result.about.application UDM field. |
workflowState |
security_result.about.investigation.status |
|
sourceProperties.properties.attempts.sourceIp |
security_result.about.ip |
If the category log field value is equal to Brute Force: SSH , then the sourceProperties.properties.attempts.sourceIp log field is mapped to the security_result.about.ip UDM field. |
sourceProperties.findingId |
metadata.product_log_id |
|
kubernetes.accessReviews.group |
target.resource.attribute.labels.key/value [kubernetes_accessReviews_group] |
|
kubernetes.accessReviews.name |
target.resource.attribute.labels.key/value [kubernetes_accessReviews_name] |
|
kubernetes.accessReviews.ns |
target.resource.attribute.labels.key/value [kubernetes_accessReviews_ns] |
|
kubernetes.accessReviews.resource |
target.resource.attribute.labels.key/value [kubernetes_accessReviews_resource] |
|
kubernetes.accessReviews.subresource |
target.resource.attribute.labels.key/value [kubernetes_accessReviews_subresource] |
|
kubernetes.accessReviews.verb |
target.resource.attribute.labels.key/value [kubernetes_accessReviews_verb] |
|
kubernetes.accessReviews.version |
target.resource.attribute.labels.key/value [kubernetes_accessReviews_version] |
|
kubernetes.bindings.name |
target.resource.attribute.labels.key/value [kubernetes_bindings_name] |
|
kubernetes.bindings.ns |
target.resource.attribute.labels.key/value [kubernetes_bindings_ns] |
|
kubernetes.bindings.role.kind |
target.resource.attribute.labels.key/value [kubernetes_bindings_role_kind] |
|
kubernetes.bindings.role.ns |
target.resource.attribute.labels.key/value [kubernetes_bindings_role_ns] |
|
kubernetes.bindings.subjects.kind |
target.resource.attribute.labels.key/value [kubernetes_bindings_subjects_kind] |
|
kubernetes.bindings.subjects.name |
target.resource.attribute.labels.key/value [kubernetes_bindings_subjects_name] |
|
kubernetes.bindings.subjects.ns |
target.resource.attribute.labels.key/value [kubernetes_bindings_subjects_ns] |
|
kubernetes.bindings.role.name |
target.resource.attribute.roles.name |
|
sourceProperties.properties.delta.restrictedResources.resourceName |
security_result.about.resource.name |
If the category log field value is equal to Defense Evasion: Modify VPC Service Control , then the Restricted Resource: sourceProperties.properties.delta.restrictedResources.resourceName log field is mapped to the security_result.about.resource.name UDM field.If the category log field value is equal to Exfiltration: BigQuery Data Exfiltration , then the sourceProperties.properties.delta.restrictedResources.resourceName log field is mapped to the security_result.about.resource.name UDM field and the security_result.about.resource_type UDM field is set to CLOUD_PROJECT . |
sourceProperties.properties.delta.allowedServices.serviceName |
security_result.about.resource.name |
If the category log field value is equal to Exfiltration: BigQuery Data Exfiltration , then the sourceProperties.properties.delta.allowedServices.serviceName log field is mapped to the security_result.about.resource.name UDM field and the security_result.about.resource_type UDM field is set to BACKEND_SERVICE . |
sourceProperties.properties.delta.restrictedServices.serviceName |
security_result.about.resource.name |
If the category log field value is equal to Exfiltration: BigQuery Data Exfiltration , then the sourceProperties.properties.delta.restrictedServices.serviceName log field is mapped to the security_result.about.resource.name UDM field and the security_result.about.resource_type UDM field is set to BACKEND_SERVICE . |
sourceProperties.properties.delta.accessLevels.policyName |
security_result.about.resource.name |
If the category log field value is equal to Exfiltration: BigQuery Data Exfiltration , then the sourceProperties.properties.delta.accessLevels.policyName log field is mapped to the security_result.about.resource.name UDM field and the security_result.about.resource_type UDM field is set to ACCESS_POLICY . |
|
security_result.about.user.attribute.roles.name |
If the message log field value matches the regular expression contacts.?security , then the security_result.about.user.attribute.roles.name UDM field is set to security .If the message log field value matches the regular expression contacts.?technical , then the security_result.about.user.attribute.roles.name UDM field is set to Technical . |
contacts.security.contacts.email |
security_result.about.user.email_addresses |
|
contacts.technical.contacts.email |
security_result.about.user.email_addresses |
|
|
security_result.action |
If the category log field value is equal to Initial Access: Suspicious Login Blocked , then the security_result.action UDM field is set to BLOCK .If the category log field value is equal to Brute Force: SSH , then if the sourceProperties.properties.attempts.authResult log field value is equal to SUCCESS , then the security_result.action UDM field is set to BLOCK .Else, the security_result.action UDM field is set to BLOCK . |
sourceProperties.properties.delta.restrictedResources.action |
security_result.action_details |
If the category log field value is equal to Defense Evasion: Modify VPC Service Control , then the sourceProperties.properties.delta.restrictedResources.action log field is mapped to the security_result.action_details UDM field. |
sourceProperties.properties.delta.restrictedServices.action |
security_result.action_details |
If the category log field value is equal to Defense Evasion: Modify VPC Service Control , then the sourceProperties.properties.delta.restrictedServices.action log field is mapped to the security_result.action_details UDM field. |
sourceProperties.properties.delta.allowedServices.action |
security_result.action_details |
If the category log field value is equal to Defense Evasion: Modify VPC Service Control , then the sourceProperties.properties.delta.allowedServices.action log field is mapped to the security_result.action_details UDM field. |
sourceProperties.properties.delta.accessLevels.action |
security_result.action_details |
If the category log field value is equal to Defense Evasion: Modify VPC Service Control , then the sourceProperties.properties.delta.accessLevels.action log field is mapped to the security_result.action_details UDM field. |
|
security_result.alert_state |
If the state log field value is equal to ACTIVE , then the security_result.alert_state UDM field is set to ALERTING .Else, the security_result.alert_state UDM field is set to NOT_ALERTING . |
findingClass |
security_result.catgory_details |
The findingClass - category log field is mapped to the security_result.catgory_details UDM field. |
category |
security_result.catgory_details |
The findingClass - category log field is mapped to the security_result.catgory_details UDM field. |
description |
security_result.description |
|
indicator.signatures.memoryHashSignature.binaryFamily |
security_result.detection_fields.key/value [indicator_signatures_memoryHashSignature_binaryFamily] |
|
indicator.signatures.memoryHashSignature.detections.binary |
security_result.detection_fields.key/value [indicator_signatures_memoryHashSignature_detections_binary] |
|
indicator.signatures.memoryHashSignature.detections.percentPagesMatched |
security_result.detection_fields.key/value [indicator_signatures_memoryHashSignature_detections_percentPagesMatched] |
|
indicator.signatures.yaraRuleSignature.yararule |
security_result.detection_fields.key/value [indicator_signatures_yaraRuleSignature_yararule] |
|
mitreAttack.additionalTactics |
security_result.detection_fields.key/value [mitreAttack_additionalTactics] |
|
mitreAttack.additionalTechniques |
security_result.detection_fields.key/value [mitreAttack_additionalTechniques] |
|
mitreAttack.primaryTactic |
security_result.detection_fields.key/value [mitreAttack_primaryTactic] |
|
mitreAttack.primaryTechniques.0 |
security_result.detection_fields.key/value [mitreAttack_primaryTechniques] |
|
mitreAttack.version |
security_result.detection_fields.key/value [mitreAttack_version] |
|
muteInitiator |
security_result.detection_fields.key/value [mute_initiator] |
If the mute log field value is equal to MUTED or UNMUTED , then the muteInitiator log field is mapped to the security_result.detection_fields.value UDM field. |
muteUpdateTime |
security_result.detection_fields.key/value [mute_update_time] |
If the mute log field value is equal to MUTED or UNMUTED , then the muteUpdateTimer log field is mapped to the security_result.detection_fields.value UDM field. |
mute |
security_result.detection_fields.key/value [mute] |
|
securityMarks.canonicalName |
security_result.detection_fields.key/value [securityMarks_cannonicleName] |
|
securityMarks.marks |
security_result.detection_fields.key/value [securityMarks_marks] |
|
securityMarks.name |
security_result.detection_fields.key/value [securityMarks_name] |
|
sourceProperties.detectionCategory.indicator |
security_result.detection_fields.key/value [sourceProperties_detectionCategory_indicator] |
|
sourceProperties.detectionCategory.technique |
security_result.detection_fields.key/value [sourceProperties_detectionCategory_technique] |
|
sourceProperties.properties.anomalousSoftware.anomalousSoftwareClassification |
security_result.detection_fields.key/value [sourceProperties_properties_anomalousSoftware_anomalousSoftwareClassification] |
If the category log field value is equal to Persistence: New User Agent , then the sourceProperties.properties.anomalousSoftware.anomalousSoftwareClassification log field is mapped to the security_result.detection_fields.value UDM field. |
sourceProperties.properties.attempts.authResult |
security_result.detection_fields.key/value [sourceProperties_properties_attempts_authResult] |
If the category log field value is equal to Brute Force: SSH , then the sourceProperties.properties.attempts.authResult log field is mapped to the security_result.detection_fields.value UDM field. |
sourceProperties.properties.autofocusContextCards.indicator.indicatorType |
security_result.detection_fields.key/value [sourceProperties_properties_autofocusContextCards_indicator_indicatorType] |
If the category log field value is equal to Malware: Bad IP , then the sourceProperties.properties.autofocusContextCards.indicator.indicatorType log field is mapped to the security_result.detection_fields.value UDM field. |
sourceProperties.properties.autofocusContextCards.indicator.lastSeenTsGlobal |
security_result.detection_fields.key/value [sourceProperties_properties_autofocusContextCards_indicator_lastSeenTsGlobal] |
If the category log field value is equal to Malware: Bad IP , then the sourceProperties.properties.autofocusContextCards.indicator.lastSeenTsGlobal log field is mapped to the security_result.detection_fields.value UDM field. |
sourceProperties.properties.autofocusContextCards.indicator.summaryGenerationTs |
security_result.detection_fields.key/value [sourceProperties_properties_autofocusContextCards_indicator_summaryGenerationTs] |
If the category log field value is equal to Malware: Bad IP , then the sourceProperties.properties.autofocusContextCards.indicator.summaryGenerationTs log field is mapped to the security_result.detection_fields.value UDM field. |
sourceProperties.properties.autofocusContextCards.tags.customer_industry |
security_result.detection_fields.key/value [sourceProperties_properties_autofocusContextCards_tags_customer_industry] |
If the category log field value is equal to Malware: Bad IP , then the sourceProperties.properties.autofocusContextCards.tags.customer_industry log field is mapped to the security_result.detection_fields.value UDM field. |
sourceProperties.properties.autofocusContextCards.tags.customer_name |
security_result.detection_fields.key/value [sourceProperties_properties_autofocusContextCards_tags_customer_name] |
If the category log field value is equal to Malware: Bad IP , then the sourceProperties.properties.autofocusContextCards.tags.customer_name log field is mapped to the security_result.detection_fields.value UDM field. |
sourceProperties.properties.autofocusContextCards.tags.lasthit |
security_result.detection_fields.key/value [sourceProperties_properties_autofocusContextCards_tags_lasthit] |
If the category log field value is equal to Malware: Bad IP , then the sourceProperties.properties.autofocusContextCards.tags.lasthit log field is mapped to the security_result.detection_fields.value UDM field. |
sourceProperties.properties.autofocusContextCards.tags.myVote |
security_result.detection_fields.key/value [sourceProperties_properties_autofocusContextCards_tags_myVote] |
If the category log field value is equal to Malware: Bad IP , then the sourceProperties.properties.autofocusContextCards.tags.tag_definition_scope_id log field is mapped to the security_result.detection_fields.value UDM field. |
sourceProperties.properties.autofocusContextCards.tags.source |
security_result.detection_fields.key/value [sourceProperties_properties_autofocusContextCards_tags_source] |
If the category log field value is equal to Malware: Bad IP , then the sourceProperties.properties.autofocusContextCards.tags.myVote log field is mapped to the security_result.detection_fields.value UDM field. |
sourceProperties.properties.autofocusContextCards.tags.support_id |
security_result.detection_fields.key/value [sourceProperties_properties_autofocusContextCards_tags_support_id] |
If the category log field value is equal to Malware: Bad IP , then the sourceProperties.properties.autofocusContextCards.tags.support_id log field is mapped to the security_result.detection_fields.value UDM field. |
sourceProperties.properties.autofocusContextCards.tags.tag_class_id |
security_result.detection_fields.key/value [sourceProperties_properties_autofocusContextCards_tags_tag_class_id] |
If the category log field value is equal to Malware: Bad IP , then the sourceProperties.properties.autofocusContextCards.tags.tag_class_id log field is mapped to the security_result.detection_fields.value UDM field. |
sourceProperties.properties.autofocusContextCards.tags.tag_definition_id |
security_result.detection_fields.key/value [sourceProperties_properties_autofocusContextCards_tags_tag_definition_id] |
If the category log field value is equal to Malware: Bad IP , then the sourceProperties.properties.autofocusContextCards.tags.tag_definition_id log field is mapped to the security_result.detection_fields.value UDM field. |
sourceProperties.properties.autofocusContextCards.tags.tag_definition_scope_id |
security_result.detection_fields.key/value [sourceProperties_properties_autofocusContextCards_tags_tag_definition_scope_id] |
If the category log field value is equal to Malware: Bad IP , then the sourceProperties.properties.autofocusContextCards.tags.tag_definition_scope_id log field is mapped to the security_result.detection_fields.value UDM field. |
sourceProperties.properties.autofocusContextCards.tags.tag_definition_status_id |
security_result.detection_fields.key/value [sourceProperties_properties_autofocusContextCards_tags_tag_definition_status_id] |
If the category log field value is equal to Malware: Bad IP , then the sourceProperties.properties.autofocusContextCards.tags.tag_definition_status_id log field is mapped to the security_result.detection_fields.value UDM field. |
sourceProperties.properties.autofocusContextCards.tags.tag_name |
security_result.detection_fields.key/value [sourceProperties_properties_autofocusContextCards_tags_tag_name] |
If the category log field value is equal to Malware: Bad IP , then the sourceProperties.properties.autofocusContextCards.tags.tag_name log field is mapped to the security_result.detection_fields.value UDM field. |
sourceProperties.properties.autofocusContextCards.tags.upVotes |
security_result.detection_fields.key/value [sourceProperties_properties_autofocusContextCards_tags_upVotes] |
If the category log field value is equal to Malware: Bad IP , then the sourceProperties.properties.autofocusContextCards.tags.upVotes log field is mapped to the security_result.detection_fields.value UDM field. |
sourceProperties.properties.autofocusContextCards.tags.downVotes |
security_result.detection_fields.key/value [sourceProperties_properties_autofocusContextCards_tagsdownVotes] |
If the category log field value is equal to Malware: Bad IP , then the sourceProperties.properties.autofocusContextCards.tags.downVotes log field is mapped to the security_result.detection_fields.value UDM field. |
sourceProperties.contextUris.mitreUri.url/displayName |
security_result.detection_fields.key/value [sourceProperties.contextUris.mitreUri.url/displayName] |
|
sourceProperties.contextUris.relatedFindingUri.url/displayName |
metadata.url_back_to_product |
If the category log field value is equal to Active Scan: Log4j Vulnerable to RCE or Exfiltration: BigQuery Data Extraction or Exfiltration: BigQuery Data to Google Drive or Exfiltration: CloudSQL Data Exfiltration or Exfiltration: CloudSQL Over-Privileged Grant or Exfiltration: CloudSQL Restore Backup to External Organization or Initial Access: Log4j Compromise Attempt or Malware: Cryptomining Bad Domain or Malware: Cryptomining Bad IP or Persistence: IAM Anomalous Grant , then the security_result.detection_fields.key UDM field is set to sourceProperties_contextUris_relatedFindingUri_url and the sourceProperties.contextUris.relatedFindingUri.url log field is mapped to the metadata.url_back_to_product UDM field. |
sourceProperties.contextUris.virustotalIndicatorQueryUri.url/displayName |
security_result.detection_fields.key/value [sourceProperties.contextUris.virustotalIndicatorQueryUri.url/displayName] |
If the category log field value is equal to Malware: Bad Domain or Malware: Bad IP or Malware: Cryptomining Bad Domain or Malware: Cryptomining Bad IP , then the sourceProperties.contextUris.virustotalIndicatorQueryUri.displayName log field is mapped to the security_result.detection_fields.key UDM field and the sourceProperties.contextUris.virustotalIndicatorQueryUri.url log field is mapped to the security_result.detection_fields.value UDM field. |
sourceProperties.contextUris.workspacesUri.url/displayName |
security_result.detection_fields.key/value [sourceProperties.contextUris.workspacesUri.url/displayName] |
If the category log field value is equal to Initial Access: Account Disabled Hijacked or Initial Access: Disabled Password Leak or Initial Access: Government Based Attack or Initial Access: Suspicious Login Blocked or Impair Defenses: Strong Authentication Disabled or Persistence: SSO Enablement Toggle or Persistence: SSO Settings Changed , then the sourceProperties.contextUris.workspacesUri.displayName log field is mapped to the security_result.detection_fields.key UDM field and the sourceProperties.contextUris.workspacesUri.url log field is mapped to the security_result.detection_fields.key/value UDM field. |
sourceProperties.properties.autofocusContextCards.tags.public_tag_name |
security_result.detection_fields.key/value [sourceProperties.properties.autofocusContextCards.tags.public_tag_name/description] |
If the category log field value is equal to Malware: Bad IP , then the sourceProperties.properties.autofocusContextCards.tags.public_tag_name log field is mapped to the intermediary.labels.key UDM field. |
sourceProperties.properties.autofocusContextCards.tags.description |
security_result.detection_fields.key/value [sourceProperties.properties.autofocusContextCards.tags.public_tag_name/description] |
If the category log field value is equal to Malware: Bad IP , then the sourceProperties.properties.autofocusContextCards.tags.description log field is mapped to the intermediary.labels.value UDM field. |
sourceProperties.properties.autofocusContextCards.indicator.firstSeenTsGlobal |
security_result.detection_fields.key/value [sourcePropertiesproperties_autofocusContextCards_indicator_firstSeenTsGlobal] |
If the category log field value is equal to Malware: Bad IP , then the sourceProperties.properties.autofocusContextCards.indicator.firstSeenTsGlobal log field is mapped to the security_result.detection_fields.value UDM field. |
createTime |
security_result.detection_fields.key/value[create_time] |
|
nextSteps |
security_result.outcomes.key/value [next_steps] |
|
sourceProperties.detectionPriority |
security_result.priority |
If the sourceProperties.detectionPriority log field value is equal to HIGH , then the security_result.priority UDM field is set to HIGH_PRIORITY .Else if, the sourceProperties.detectionPriority log field value is equal to MEDIUM , then the security_result.priority UDM field is set to MEDIUM_PRIORITY .Else if, the sourceProperties.detectionPriority log field value is equal to LOW , then the security_result.priority UDM field is set to LOW_PRIORITY . |
sourceProperties.detectionPriority |
security_result.priority_details |
|
sourceProperties.detectionCategory.subRuleName |
security_result.rule_labels.key/value [sourceProperties_detectionCategory_subRuleName] |
|
sourceProperties.detectionCategory.ruleName |
security_result.rule_name |
|
severity |
security_result.severity |
|
sourceProperties.properties.vpcViolation.violationReason |
security_result.summary |
If the category log field value is equal to Exfiltration: BigQuery Exfiltration , then the sourceProperties.properties.vpcViolation.violationReason log field is mapped to the security_result.summary UDM field. |
name |
security_result.url_back_to_product |
|
database.query |
src.process.command_line |
If the category log field value is equal to Exfiltration: CloudSQL Over-Privileged Grant , then the database.query log field is mapped to the src.process.command_line UDM field. |
resource.folders.resourceFolderDisplayName |
src.resource_ancestors.attribute.labels.key/value [resource_folders_resourceFolderDisplayName] |
If the category log field value is equal to Exfiltration: BigQuery Data to Google Drive , then the resource.folders.resourceFolderDisplayName log field is mapped to the src.resource_ancestors.attribute.labels.value UDM field. |
resource.parentDisplayName |
src.resource_ancestors.attribute.labels.key/value [resource_parentDisplayName] |
If the category log field value is equal to Exfiltration: BigQuery Data to Google Drive , then the resource.parentDisplayName log field is mapped to the src.resource_ancestors.attribute.labels.value UDM field. |
resource.parentName |
src.resource_ancestors.attribute.labels.key/value [resource_parentName] |
If the category log field value is equal to Exfiltration: BigQuery Data to Google Drive , then the resource.parentName log field is mapped to the src.resource_ancestors.attribute.labels.value UDM field. |
resource.projectDisplayName |
src.resource_ancestors.attribute.labels.key/value [resource_projectDisplayName] |
If the category log field value is equal to Exfiltration: BigQuery Data to Google Drive , then the resource.projectDisplayName log field is mapped to the src.resource_ancestors.attribute.labels.value UDM field. |
sourceProperties.properties.dataExfiltrationAttempt.sourceTables.datasetId |
src.resource_ancestors.attribute.labels.key/value [sourceProperties_properties_dataExfiltrationAttempt_sourceTables_datasetId] |
If the category log field value is equal to Exfiltration: BigQuery Data Exfiltration , then the sourceProperties.properties.dataExfiltrationAttempt.sourceTables.datasetId log field is mapped to the src.resource_ancestors.attribute.labels.value UDM field. |
sourceProperties.properties.dataExfiltrationAttempt.sourceTables.projectId |
src.resource_ancestors.attribute.labels.key/value [sourceProperties_properties_dataExfiltrationAttempt_sourceTables_projectId] |
If the category log field value is equal to Exfiltration: BigQuery Data Exfiltration , then the sourceProperties.properties.dataExfiltrationAttempt.sourceTables.projectId log field is mapped to the src.resource_ancestors.attribute.labels.value UDM field. |
sourceProperties.properties.dataExfiltrationAttempt.sourceTables.resourceUri |
src.resource_ancestors.attribute.labels.key/value [sourceProperties_properties_dataExfiltrationAttempt_sourceTables_resourceUri] |
If the category log field value is equal to Exfiltration: BigQuery Data Exfiltration , then the sourceProperties.properties.dataExfiltrationAttempt.sourceTables.resourceUri log field is mapped to the src.resource_ancestors.attribute.labels.value UDM field. |
parent |
src.resource_ancestors.name |
If the category log field value is equal to Exfiltration: BigQuery Data Extraction or Exfiltration: BigQuery Data to Google Drive or Exfiltration: BigQuery Data Exfiltration , then the parent log field is mapped to the src.resource_ancestors.name UDM field. |
sourceProperties.properties.dataExfiltrationAttempt.sourceTables.tableId |
src.resource_ancestors.name |
If the category log field value is equal to Exfiltration: BigQuery Data Exfiltration , then the sourceProperties.properties.dataExfiltrationAttempt.sourceTables.tableId log field is mapped to the src.resource_ancestors.name UDM field and the src.resource_ancestors.resource_type UDM field is set to TABLE . |
resourceName |
src.resource_ancestors.name |
If the category log field value is equal to Exfiltration: CloudSQL Restore Backup to External Organization , then the resourceName log field is mapped to the src.resource_ancestors.name UDM field. |
resource.folders.resourceFolder |
src.resource_ancestors.name |
If the category log field value is equal to Exfiltration: BigQuery Data to Google Drive , then the resource.folders.resourceFolder log field is mapped to the src.resource_ancestors.name UDM field. |
sourceProperties.sourceId.customerOrganizationNumber |
src.resource_ancestors.product_object_id |
If the category log field value is equal to Exfiltration: BigQuery Data Extraction or Exfiltration: BigQuery Data to Google Drive or Exfiltration: BigQuery Data Exfiltration , then the sourceProperties.sourceId.customerOrganizationNumber log field is mapped to the src.resource_ancestors.product_object_id UDM field. |
sourceProperties.sourceId.projectNumber |
src.resource_ancestors.product_object_id |
If the category log field value is equal to Exfiltration: BigQuery Data Extraction or Exfiltration: BigQuery Data to Google Drive or Exfiltration: BigQuery Data Exfiltration , then the sourceProperties.sourceId.projectNumber log field is mapped to the src.resource_ancestors.product_object_id UDM field. |
sourceProperties.sourceId.organizationNumber |
src.resource_ancestors.product_object_id |
If the category log field value is equal to Exfiltration: BigQuery Data Extraction or Exfiltration: BigQuery Data to Google Drive or Exfiltration: BigQuery Data Exfiltration , then the sourceProperties.sourceId.organizationNumber log field is mapped to the src.resource_ancestors.product_object_id UDM field. |
resource.type |
src.resource_ancestors.resource_subtype |
If the category log field value is equal to Exfiltration: BigQuery Data to Google Drive , then the resource.type log field is mapped to the src.resource_ancestors.resource_subtype UDM field. |
database.displayName |
src.resource.attribute.labels.key/value [database_displayName] |
If the category log field value is equal to Exfiltration: CloudSQL Over-Privileged Grant , then the database.displayName log field is mapped to the src.resource.attribute.labels.value UDM field. |
database.grantees |
src.resource.attribute.labels.key/value [database_grantees] |
If the category log field value is equal to Exfiltration: CloudSQL Over-Privileged Grant , then the src.resource.attribute.labels.key UDM field is set to grantees and the database.grantees log field is mapped to the src.resource.attribute.labels.value UDM field. |
resource.displayName |
src.resource.attribute.labels.key/value [resource_displayName] |
If the category log field value is equal to Exfiltration: BigQuery Data Exfiltration or Exfiltration: BigQuery Data to Google Drive , then the resource.displayName log field is mapped to the src.resource.attribute.labels.value UDM field. |
resource.displayName |
principal.hostname |
If the resource.type log field value matches the regular expression pattern (?i)google.compute.Instance or google.container.Cluster , then the resource.displayName log field is mapped to the principal.hostname UDM field. |
resource.display_name |
src.resource.attribute.labels.key/value [resource_display_name] |
If the category log field value is equal to Exfiltration: BigQuery Data Exfiltration or Exfiltration: BigQuery Data to Google Drive , then the resource.display_name log field is mapped to the src.resource.attribute.labels.value UDM field. |
sourceProperties.properties.extractionAttempt.sourceTable.datasetId |
src.resource.attribute.labels.key/value [sourceProperties_properties_extractionAttempt_sourceTable_datasetId] |
If the category log field value is equal to Exfiltration: BigQuery Data Extraction or Exfiltration: BigQuery Data to Google Drive , then the sourceProperties.properties.extractionAttempt.sourceTable.datasetId log field is mapped to the src.resource.attribute.labels.value UDM field. |
sourceProperties.properties.extractionAttempt.sourceTable.projectId |
src.resource.attribute.labels.key/value [sourceProperties_properties_extractionAttempt_sourceTable_projectId] |
If the category log field value is equal to Exfiltration: BigQuery Data Extraction or Exfiltration: BigQuery Data to Google Drive , then the sourceProperties.properties.extractionAttempt.sourceTable.projectId log field is mapped to the src.resource.attribute.labels.value UDM field. |
sourceProperties.properties.extractionAttempt.sourceTable.resourceUri |
src.resource.attribute.labels.key/value [sourceProperties_properties_extractionAttempt_sourceTable_resourceUri] |
If the category log field value is equal to Exfiltration: BigQuery Data Extraction or Exfiltration: BigQuery Data to Google Drive , then the sourceProperties.properties.extractionAttempt.sourceTable.resourceUri log field is mapped to the src.resource.attribute.labels.value UDM field. |
sourceProperties.properties.restoreToExternalInstance.backupId |
src.resource.attribute.labels.key/value [sourceProperties_properties_restoreToExternalInstance_backupId] |
If the category log field value is equal to Exfiltration: CloudSQL Restore Backup to External Organization , then the sourceProperties.properties.restoreToExternalInstance.backupId log field is mapped to the src.resource.attribute.labels.value UDM field. |
exfiltration.sources.components |
src.resource.attribute.labels.key/value[exfiltration_sources_components] |
If the category log field value is equal to Exfiltration: CloudSQL Data Exfiltration or Exfiltration: BigQuery Data Extraction , then the src.resource.attribute.labels.key/value log field is mapped to the src.resource.attribute.labels.value UDM field. |
resourceName |
src.resource.name |
If the category log field value is equal to Exfiltration: BigQuery Data Extraction or Exfiltration: BigQuery Data to Google Drive or Exfiltration: BigQuery Data Exfiltration , then the exfiltration.sources.name log field is mapped to the src.resource.name UDM field and the resourceName log field is mapped to the src.resource_ancestors.name UDM field. |
sourceProperties.properties.restoreToExternalInstance.sourceCloudsqlInstanceResource |
src.resource.name |
If the category log field value is equal to Exfiltration: CloudSQL Restore Backup to External Organization , then the sourceProperties.properties.restoreToExternalInstance.sourceCloudsqlInstanceResource log field is mapped to the src.resource.name UDM field and the src.resource.resource_subtype UDM field is set to CloudSQL . |
sourceProperties.properties.exportToGcs.cloudsqlInstanceResource |
src.resource.name |
If the category log field value is equal to Exfiltration: CloudSQL Restore Backup to External Organization , then the sourceProperties.properties.restoreToExternalInstance.sourceCloudsqlInstanceResource log field is mapped to the src.resource.name UDM field and the src.resource.resource_subtype UDM field is set to CloudSQL .Else if, the category log field value is equal to Exfiltration: CloudSQL Data Exfiltration , then the sourceProperties.properties.exportToGcs.cloudsqlInstanceResource log field is mapped to the src.resource.name UDM field and the src.resource.resource_subtype UDM field is set to CloudSQL . |
database.name |
src.resource.name |
|
exfiltration.sources.name |
src.resource.name |
If the category log field value is equal to Exfiltration: BigQuery Data Extraction or Exfiltration: BigQuery Data to Google Drive or Exfiltration: BigQuery Data Exfiltration , then the exfiltration.sources.name log field is mapped to the src.resource.name UDM field and the resourceName log field is mapped to the src.resource_ancestors.name UDM field. |
sourceProperties.properties.extractionAttempt.sourceTable.tableId |
src.resource.product_object_id |
If the category log field value is equal to Exfiltration: BigQuery Data Extraction or Exfiltration: BigQuery Data to Google Drive , then the sourceProperties.properties.extractionAttempt.sourceTable.tableId log field is mapped to the src.resource.product_object_id UDM field. |
access.serviceName |
target.application |
If the category log field value is equal to Defense Evasion: Modify VPC Service Control or Exfiltration: BigQuery Data Extraction or Exfiltration: BigQuery Data to Google Drive or Exfiltration: CloudSQL Data Exfiltration or Exfiltration: CloudSQL Restore Backup to External Organization or Exfiltration: CloudSQL Over-Privileged Grant or Persistence: New Geography or Persistence: IAM Anomalous Grant , then the access.serviceName log field is mapped to the target.application UDM field. |
sourceProperties.properties.serviceName |
target.application |
If the category log field value is equal to Initial Access: Account Disabled Hijacked or Initial Access: Disabled Password Leak or Initial Access: Government Based Attack or Initial Access: Suspicious Login Blocked or Impair Defenses: Strong Authentication Disabled or Impair Defenses: Two Step Verification Disabled or Persistence: SSO Enablement Toggle or Persistence: SSO Settings Changed , then the sourceProperties.properties.serviceName log field is mapped to the target.application UDM field. |
sourceProperties.properties.domainName |
target.domain.name |
If the category log field value is equal to Persistence: SSO Enablement Toggle or Persistence: SSO Settings Changed , then the sourceProperties.properties.domainName log field is mapped to the target.domain.name UDM field. |
sourceProperties.properties.domains.0 |
target.domain.name |
If the category log field value is equal to Malware: Bad Domain or Malware: Cryptomining Bad Domain or Configurable Bad Domain , then the sourceProperties.properties.domains.0 log field is mapped to the target.domain.name UDM field. |
sourceProperties.properties.sensitiveRoleGrant.bindingDeltas.action |
target.group.attribute.labels.key/value [sourceProperties_properties_sensitiveRoleGrant_bindingDeltas_action] |
If the category log field value is equal to Persistence: IAM Anomalous Grant , then the sourceProperties.properties.sensitiveRoleGrant.bindingDeltas.action log field is mapped to the target.group.attribute.labels.key/value UDM field. |
sourceProperties.properties.sensitiveRoleToHybridGroup.bindingDeltas.action |
target.group.attribute.labels.key/value [sourceProperties_properties_sensitiveRoleToHybridGroup_bindingDeltas_action] |
If the category log field value is equal to Credential Access: Sensitive Role Granted To Hybrid Group , then the sourceProperties.properties.sensitiveRoleToHybridGroup.bindingDeltas.action log field is mapped to the target.group.attribute.labels.key/value UDM field. |
sourceProperties.properties.sensitiveRoleGrant.bindingDeltas.member |
target.group.attribute.labels.key/value[sourceProperties_properties_sensitiveRoleGrant_bindingDeltas_member] |
If the category log field value is equal to Persistence: IAM Anomalous Grant , then the sourceProperties.properties.sensitiveRoleGrant.bindingDeltas.member log field is mapped to the target.group.attribute.labels.key/value UDM field. |
sourceProperties.properties.sensitiveRoleToHybridGroup.bindingDeltas.member |
target.group.attribute.labels.key/value[sourceProperties_properties_sensitiveRoleToHybridGroup] |
If the category log field value is equal to Credential Access: Sensitive Role Granted To Hybrid Group , then the sourceProperties.properties.sensitiveRoleToHybridGroup.bindingDeltas.member log field is mapped to the target.group.attribute.labels.key/value UDM field. |
sourceProperties.properties.privilegedGroupOpenedToPublic.whoCanJoin |
target.group.attribute.permissions.name |
If the category log field value is equal to Credential Access: Privileged Group Opened To Public , then the sourceProperties.properties.privilegedGroupOpenedToPublic.whoCanJoin log field is mapped to the target.group.attribute.permissions.name UDM field. |
sourceProperties.properties.customRoleSensitivePermissions.permissions |
target.group.attribute.permissions.name |
If the category log field value is equal to Persistence: IAM Anomalous Grant , then the sourceProperties.properties.customRoleSensitivePermissions.permissions log field is mapped to the target.group.attribute.permissions.name UDM field. |
sourceProperties.properties.externalMemberAddedToPrivilegedGroup.sensitiveRoles.roleName |
target.group.attribute.roles.name |
If the category log field value is equal to Credential Access: External Member Added To Privileged Group , then the sourceProperties.properties.externalMemberAddedToPrivilegedGroup.sensitiveRoles.roleName log field is mapped to the target.group.attribute.roles.name UDM field. |
sourceProperties.properties.sensitiveRoleToHybridGroup.bindingDeltas.role |
target.group.attribute.roles.name |
If the category log field value is equal to Credential Access: Sensitive Role Granted To Hybrid Group , then the sourceProperties.properties.sensitiveRoleToHybridGroup.bindingDeltas.role log field is mapped to the target.group.attribute.roles.name UDM field. |
sourceProperties.properties.sensitiveRoleGrant.bindingDeltas.role |
target.group.attribute.roles.name |
If the category log field value is equal to Persistence: IAM Anomalous Grant , then the sourceProperties.properties.sensitiveRoleGrant.bindingDeltas.role log field is mapped to the target.group.attribute.roles.name UDM field. |
sourceProperties.properties.privilegedGroupOpenedToPublic.sensitiveRoles.roleName |
target.group.attribute.roles.name |
If the category log field value is equal to Credential Access: Privileged Group Opened To Public , then the sourceProperties.properties.privilegedGroupOpenedToPublic.sensitiveRoles.roleName log field is mapped to the target.group.attribute.roles.name UDM field. |
sourceProperties.properties.customRoleSensitivePermissions.roleName |
target.group.attribute.roles.name |
If the category log field value is equal to Persistence: IAM Anomalous Grant , then the sourceProperties.properties.customRoleSensitivePermissions.roleName log field is mapped to the target.group.attribute.roles.name UDM field. |
sourceProperties.properties.externalMemberAddedToPrivilegedGroup.groupName |
target.group.group_display_name |
If the category log field value is equal to Credential Access: External Member Added To Privileged Group , then the sourceProperties.properties.externalMemberAddedToPrivilegedGroup.groupName log field is mapped to the target.group.group_display_name UDM field. |
sourceProperties.properties.privilegedGroupOpenedToPublic.groupName |
target.group.group_display_name |
If the category log field value is equal to Credential Access: Privileged Group Opened To Public , then the sourceProperties.properties.privilegedGroupOpenedToPublic.groupName log field is mapped to the target.group.group_display_name UDM field. |
sourceProperties.properties.sensitiveRoleToHybridGroup.groupName |
target.group.group_display_name |
If the category log field value is equal to Credential Access: Sensitive Role Granted To Hybrid Group , then the sourceProperties.properties.sensitiveRoleToHybridGroup.groupName log field is mapped to the target.group.group_display_name UDM field. |
sourceProperties.properties.ipConnection.destIp |
target.ip |
If the category log field value is equal to Malware: Bad IP or Malware: Cryptomining Bad IP or Malware: Outgoing DoS , then the sourceProperties.properties.ipConnection.destIp log field is mapped to the target.ip UDM field. |
access.methodName |
target.labels [access_methodName] (deprecated) |
|
access.methodName |
additional.fields [access_methodName] |
|
processes.argumentsTruncated |
target.labels [processes_argumentsTruncated] (deprecated) |
|
processes.argumentsTruncated |
additional.fields [processes_argumentsTruncated] |
|
processes.binary.contents |
target.labels [processes_binary_contents] (deprecated) |
|
processes.binary.contents |
additional.fields [processes_binary_contents] |
|
processes.binary.hashedSize |
target.labels [processes_binary_hashedSize] (deprecated) |
|
processes.binary.hashedSize |
additional.fields [processes_binary_hashedSize] |
|
processes.binary.partiallyHashed |
target.labels [processes_binary_partiallyHashed] (deprecated) |
|
processes.binary.partiallyHashed |
additional.fields [processes_binary_partiallyHashed] |
|
processes.envVariables.name |
target.labels [processes_envVariables_name] (deprecated) |
|
processes.envVariables.name |
additional.fields [processes_envVariables_name] |
|
processes.envVariables.val |
target.labels [processes_envVariables_val] (deprecated) |
|
processes.envVariables.val |
additional.fields [processes_envVariables_val] |
|
processes.envVariablesTruncated |
target.labels [processes_envVariablesTruncated] (deprecated) |
|
processes.envVariablesTruncated |
additional.fields [processes_envVariablesTruncated] |
|
processes.libraries.contents |
target.labels [processes_libraries_contents] (deprecated) |
|
processes.libraries.contents |
additional.fields [processes_libraries_contents] |
|
processes.libraries.hashedSize |
target.labels [processes_libraries_hashedSize] (deprecated) |
|
processes.libraries.hashedSize |
additional.fields [processes_libraries_hashedSize] |
|
processes.libraries.partiallyHashed |
target.labels [processes_libraries_partiallyHashed] (deprecated) |
|
processes.libraries.partiallyHashed |
additional.fields [processes_libraries_partiallyHashed] |
|
processes.script.contents |
target.labels [processes_script_contents] (deprecated) |
|
processes.script.contents |
additional.fields [processes_script_contents] |
|
processes.script.hashedSize |
target.labels [processes_script_hashedSize] (deprecated) |
|
processes.script.hashedSize |
additional.fields [processes_script_hashedSize] |
|
processes.script.partiallyHashed |
target.labels [processes_script_partiallyHashed] (deprecated) |
|
processes.script.partiallyHashed |
additional.fields [processes_script_partiallyHashed] |
|
sourceProperties.properties.methodName |
target.labels [sourceProperties_properties_methodName] (deprecated) |
If the category log field value is equal to Impair Defenses: Strong Authentication Disabled or Initial Access: Government Based Attack or Initial Access: Suspicious Login Blocked or Persistence: SSO Enablement Toggle or Persistence: SSO Settings Changed , then the sourceProperties.properties.methodName log field is mapped to the target.labels.value UDM field. |
sourceProperties.properties.methodName |
additional.fields [sourceProperties_properties_methodName] |
If the category log field value is equal to Impair Defenses: Strong Authentication Disabled or Initial Access: Government Based Attack or Initial Access: Suspicious Login Blocked or Persistence: SSO Enablement Toggle or Persistence: SSO Settings Changed , then the sourceProperties.properties.methodName log field is mapped to the additional.fields.value.string_value UDM field. |
sourceProperties.properties.network.location |
target.location.name |
If the category log field value is equal to Malware: Bad Domain or Malware: Bad IP or Malware: Cryptomining Bad IP or Malware: Cryptomining Bad Domain or Configurable Bad Domain , then the sourceProperties.properties.network.location log field is mapped to the target.location.name UDM field. |
processes.parentPid |
target.parent_process.pid |
|
sourceProperties.properties.ipConnection.destPort |
target.port |
If the category log field value is equal to Malware: Bad IP or Malware: Outgoing DoS , then the sourceProperties.properties.ipConnection.destPort log field is mapped to the target.port UDM field. |
sourceProperties.properties.dataExfiltrationAttempt.query |
target.process.command_line |
If the category log field value is equal to Exfiltration: BigQuery Data Exfiltration , then the sourceProperties.properties.dataExfiltrationAttempt.query log field is mapped to the target.process.command_line UDM field. |
processes.args |
target.process.command_line_history [processes.args] |
|
processes.name |
target.process.file.full_path |
|
processes.binary.path |
target.process.file.full_path |
|
processes.libraries.path |
target.process.file.full_path |
|
processes.script.path |
target.process.file.full_path |
|
processes.binary.sha256 |
target.process.file.sha256 |
|
processes.libraries.sha256 |
target.process.file.sha256 |
|
processes.script.sha256 |
target.process.file.sha256 |
|
processes.binary.size |
target.process.file.size |
|
processes.libraries.size |
target.process.file.size |
|
processes.script.size |
target.process.file.size |
|
processes.pid |
target.process.pid |
|
containers.uri |
target.resource_ancestors.attribute.labels.key/value [containers_uri] |
|
containers.labels.name/value |
target.resource_ancestors.attribute.labels.key/value [containers.labels.name/value] |
The containers.labels.name log field is mapped to the target.resource_ancestors.attribute.labels.key UDM field and the containers.labels.value log field is mapped to the target.resource_ancestors.attribute.labels.value UDM field. |
sourceProperties.properties.destVpc.projectId |
target.resource_ancestors.attribute.labels.key/value [sourceProperties_properties_destVpc_projectId] |
If the category log field value is equal to Malware: Cryptomining Bad IP or Malware: Bad IP , then the sourceProperties.properties.destVpc.projectId log field is mapped to the target.resource_ancestors.attribute.labels.value UDM field. |
sourceProperties.properties.destVpc.subnetworkName |
target.resource_ancestors.attribute.labels.key/value [sourceProperties_properties_destVpc_subnetworkName] |
If the category log field value is equal to Malware: Cryptomining Bad IP or Malware: Bad IP , then the sourceProperties.properties.destVpc.subnetworkName log field is mapped to the target.resource_ancestors.attribute.labels.value UDM field. |
sourceProperties.properties.network.subnetworkName |
target.resource_ancestors.key/value [sourceProperties_properties_network_subnetworkName] |
If the category log field value is equal to Malware: Bad IP or Malware: Cryptomining Bad IP , then the sourceProperties.properties.network.subnetworkName log field is mapped to the target.resource_ancestors.value UDM field. |
sourceProperties.properties.network.subnetworkId |
target.resource_ancestors.labels.key/value [sourceProperties_properties_network_subnetworkId] |
If the category log field value is equal to Malware: Bad IP or Malware: Cryptomining Bad IP , then the sourceProperties.properties.network.subnetworkId log field is mapped to the target.resource_ancestors.value UDM field. |
sourceProperties.affectedResources.gcpResourceName |
target.resource_ancestors.name |
If the category log field value is equal to Malware: Cryptomining Bad IP or Malware: Bad IP or Malware: Cryptomining Bad Domain or Malware: Bad Domain or Configurable Bad Domain , then the sourceProperties.properties.destVpc.vpcName log field is mapped to the target.resource_ancestors.name UDM field and the sourceProperties.properties.vpc.vpcName log field is mapped to the target.resource_ancestors.name UDM field and the target.resource_ancestors.resource_type UDM field is set to VPC_NETWORK .Else if, the category log field value is equal to Active Scan: Log4j Vulnerable to RCE , then the sourceProperties.properties.vpcName log field is mapped to the target.resource_ancestors.name UDM field and the target.resource_ancestors.resource_type UDM field is set to VIRTUAL_MACHINE .Else if, the category log field value is equal to Malware: Bad Domain or Malware: Bad IP or Malware: Cryptomining Bad IP , then the resourceName log field is mapped to the target.resource_ancestors.name UDM field.Else if, the category log field value is equal to Brute Force: SSH , then the resourceName log field is mapped to the target.resource_ancestors.name UDM field.Else if, the category log field value is equal to Persistence: GCE Admin Added SSH Key or Persistence: GCE Admin Added Startup Script , then the sourceProperties.properties.projectId log field is mapped to the target.resource_ancestors.name UDM field.Else if, the category log field value is equal to Increasing Deny Ratio or Allowed Traffic Spike , then the resourceName log field is mapped to the target.resource_ancestors.name UDM field. |
sourceProperties.properties.destVpc.vpcName |
target.resource_ancestors.name |
If the category log field value is equal to Malware: Cryptomining Bad IP or Malware: Bad IP or Malware: Cryptomining Bad Domain or Malware: Bad Domain or Configurable Bad Domain , then the sourceProperties.properties.destVpc.vpcName log field is mapped to the target.resource_ancestors.name UDM field and the sourceProperties.properties.vpc.vpcName log field is mapped to the target.resource_ancestors.name UDM field and the target.resource_ancestors.resource_type UDM field is set to VPC_NETWORK .Else if, the category log field value is equal to Active Scan: Log4j Vulnerable to RCE , then the sourceProperties.properties.vpcName log field is mapped to the target.resource_ancestors.name UDM field and the target.resource_ancestors.resource_type UDM field is set to VIRTUAL_MACHINE .Else if, the category log field value is equal to Malware: Bad Domain or Malware: Bad IP or Malware: Cryptomining Bad IP , then the resourceName log field is mapped to the target.resource_ancestors.name UDM field.Else if, the category log field value is equal to Brute Force: SSH , then the resourceName log field is mapped to the target.resource_ancestors.name UDM field.Else if, the category log field value is equal to Persistence: GCE Admin Added SSH Key or Persistence: GCE Admin Added Startup Script , then the sourceProperties.properties.projectId log field is mapped to the target.resource_ancestors.name UDM field.Else if, the category log field value is equal to Increasing Deny Ratio or Allowed Traffic Spike , then the resourceName log field is mapped to the target.resource_ancestors.name UDM field. |
sourceProperties.properties.vpcName |
target.resource_ancestors.name |
If the category log field value is equal to Malware: Cryptomining Bad IP or Malware: Bad IP or Malware: Cryptomining Bad Domain or Malware: Bad Domain or Configurable Bad Domain , then the sourceProperties.properties.destVpc.vpcName log field is mapped to the target.resource_ancestors.name UDM field and the sourceProperties.properties.vpc.vpcName log field is mapped to the target.resource_ancestors.name UDM field and the target.resource_ancestors.resource_type UDM field is set to VPC_NETWORK .Else if, the category log field value is equal to Active Scan: Log4j Vulnerable to RCE , then the sourceProperties.properties.vpcName log field is mapped to the target.resource_ancestors.name UDM field and the target.resource_ancestors.resource_type UDM field is set to VIRTUAL_MACHINE .Else if, the category log field value is equal to Malware: Bad Domain or Malware: Bad IP or Malware: Cryptomining Bad IP , then the resourceName log field is mapped to the target.resource_ancestors.name UDM field.Else if, the category log field value is equal to Brute Force: SSH , then the resourceName log field is mapped to the target.resource_ancestors.name UDM field.Else if, the category log field value is equal to Persistence: GCE Admin Added SSH Key or Persistence: GCE Admin Added Startup Script , then the sourceProperties.properties.projectId log field is mapped to the target.resource_ancestors.name UDM field.Else if, the category log field value is equal to Increasing Deny Ratio or Allowed Traffic Spike , then the resourceName log field is mapped to the target.resource_ancestors.name UDM field. |
resourceName |
target.resource_ancestors.name |
If the category log field value is equal to Malware: Cryptomining Bad IP or Malware: Bad IP or Malware: Cryptomining Bad Domain or Malware: Bad Domain or Configurable Bad Domain , then the sourceProperties.properties.destVpc.vpcName log field is mapped to the target.resource_ancestors.name UDM field and the sourceProperties.properties.vpc.vpcName log field is mapped to the target.resource_ancestors.name UDM field and the target.resource_ancestors.resource_type UDM field is set to VPC_NETWORK .Else if, the category log field value is equal to Active Scan: Log4j Vulnerable to RCE , then the sourceProperties.properties.vpcName log field is mapped to the target.resource_ancestors.name UDM field and the target.resource_ancestors.resource_type UDM field is set to VIRTUAL_MACHINE .Else if, the category log field value is equal to Malware: Bad Domain or Malware: Bad IP or Malware: Cryptomining Bad IP , then the resourceName log field is mapped to the target.resource_ancestors.name UDM field.Else if, the category log field value is equal to Brute Force: SSH , then the resourceName log field is mapped to the target.resource_ancestors.name UDM field.Else if, the category log field value is equal to Persistence: GCE Admin Added SSH Key or Persistence: GCE Admin Added Startup Script , then the sourceProperties.properties.projectId log field is mapped to the target.resource_ancestors.name UDM field.Else if, the category log field value is equal to Increasing Deny Ratio or Allowed Traffic Spike , then the resourceName log field is mapped to the target.resource_ancestors.name UDM field. |
sourceProperties.properties.projectId |
target.resource_ancestors.name |
If the category log field value is equal to Malware: Cryptomining Bad IP or Malware: Bad IP or Malware: Cryptomining Bad Domain or Malware: Bad Domain or Configurable Bad Domain , then the sourceProperties.properties.destVpc.vpcName log field is mapped to the target.resource_ancestors.name UDM field and the sourceProperties.properties.vpc.vpcName log field is mapped to the target.resource_ancestors.name UDM field and the target.resource_ancestors.resource_type UDM field is set to VPC_NETWORK .Else if, the category log field value is equal to Active Scan: Log4j Vulnerable to RCE , then the sourceProperties.properties.vpcName log field is mapped to the target.resource_ancestors.name UDM field and the target.resource_ancestors.resource_type UDM field is set to VIRTUAL_MACHINE .Else if, the category log field value is equal to Malware: Bad Domain or Malware: Bad IP or Malware: Cryptomining Bad IP , then the resourceName log field is mapped to the target.resource_ancestors.name UDM field.Else if, the category log field value is equal to Brute Force: SSH , then the resourceName log field is mapped to the target.resource_ancestors.name UDM field.Else if, the category log field value is equal to Persistence: GCE Admin Added SSH Key or Persistence: GCE Admin Added Startup Script , then the sourceProperties.properties.projectId log field is mapped to the target.resource_ancestors.name UDM field.Else if, the category log field value is equal to Increasing Deny Ratio or Allowed Traffic Spike , then the resourceName log field is mapped to the target.resource_ancestors.name UDM field. |
sourceProperties.properties.vpc.vpcName |
target.resource_ancestors.name |
If the category log field value is equal to Malware: Cryptomining Bad IP or Malware: Bad IP or Malware: Cryptomining Bad Domain or Malware: Bad Domain or Configurable Bad Domain , then the sourceProperties.properties.destVpc.vpcName log field is mapped to the target.resource_ancestors.name UDM field and the sourceProperties.properties.vpc.vpcName log field is mapped to the target.resource_ancestors.name UDM field and the target.resource_ancestors.resource_type UDM field is set to VPC_NETWORK .Else if, the category log field value is equal to Active Scan: Log4j Vulnerable to RCE , then the sourceProperties.properties.vpcName log field is mapped to the target.resource_ancestors.name UDM field and the target.resource_ancestors.resource_type UDM field is set to VIRTUAL_MACHINE .Else if, the category log field value is equal to Malware: Bad Domain or Malware: Bad IP or Malware: Cryptomining Bad IP , then the resourceName log field is mapped to the target.resource_ancestors.name UDM field.Else if, the category log field value is equal to Brute Force: SSH , then the resourceName log field is mapped to the target.resource_ancestors.name UDM field.Else if, the category log field value is equal to Persistence: GCE Admin Added SSH Key or Persistence: GCE Admin Added Startup Script , then the sourceProperties.properties.projectId log field is mapped to the target.resource_ancestors.name UDM field.Else if, the category log field value is equal to Increasing Deny Ratio or Allowed Traffic Spike , then the resourceName log field is mapped to the target.resource_ancestors.name UDM field. |
parent |
target.resource_ancestors.name |
If the category log field value is equal to Malware: Cryptomining Bad IP or Malware: Bad IP or Malware: Cryptomining Bad Domain or Malware: Bad Domain or Configurable Bad Domain , then the sourceProperties.properties.destVpc.vpcName log field is mapped to the target.resource_ancestors.name UDM field and the sourceProperties.properties.vpc.vpcName log field is mapped to the target.resource_ancestors.name UDM field and the target.resource_ancestors.resource_type UDM field is set to VPC_NETWORK .Else if, the category log field value is equal to Active Scan: Log4j Vulnerable to RCE , then the sourceProperties.properties.vpcName log field is mapped to the target.resource_ancestors.name UDM field and the target.resource_ancestors.resource_type UDM field is set to VIRTUAL_MACHINE .Else if, the category log field value is equal to Malware: Bad Domain or Malware: Bad IP or Malware: Cryptomining Bad IP , then the resourceName log field is mapped to the target.resource_ancestors.name UDM field.Else if, the category log field value is equal to Brute Force: SSH , then the resourceName log field is mapped to the target.resource_ancestors.name UDM field.Else if, the category log field value is equal to Persistence: GCE Admin Added SSH Key or Persistence: GCE Admin Added Startup Script , then the sourceProperties.properties.projectId log field is mapped to the target.resource_ancestors.name UDM field.Else if, the category log field value is equal to Increasing Deny Ratio or Allowed Traffic Spike , then the resourceName log field is mapped to the target.resource_ancestors.name UDM field. |
sourceProperties.affectedResources.gcpResourceName |
target.resource_ancestors.name |
If the category log field value is equal to Malware: Cryptomining Bad IP or Malware: Bad IP or Malware: Cryptomining Bad Domain or Malware: Bad Domain or Configurable Bad Domain , then the sourceProperties.properties.destVpc.vpcName log field is mapped to the target.resource_ancestors.name UDM field and the sourceProperties.properties.vpc.vpcName log field is mapped to the target.resource_ancestors.name UDM field and the target.resource_ancestors.resource_type UDM field is set to VPC_NETWORK .Else if, the category log field value is equal to Active Scan: Log4j Vulnerable to RCE , then the sourceProperties.properties.vpcName log field is mapped to the target.resource_ancestors.name UDM field and the target.resource_ancestors.resource_type UDM field is set to VIRTUAL_MACHINE .Else if, the category log field value is equal to Malware: Bad Domain or Malware: Bad IP or Malware: Cryptomining Bad IP , then the resourceName log field is mapped to the target.resource_ancestors.name UDM field.Else if, the category log field value is equal to Brute Force: SSH , then the resourceName log field is mapped to the target.resource_ancestors.name UDM field.Else if, the category log field value is equal to Persistence: GCE Admin Added SSH Key or Persistence: GCE Admin Added Startup Script , then the sourceProperties.properties.projectId log field is mapped to the target.resource_ancestors.name UDM field.Else if, the category log field value is equal to Increasing Deny Ratio or Allowed Traffic Spike , then the resourceName log field is mapped to the target.resource_ancestors.name UDM field. |
containers.name |
target.resource_ancestors.name |
If the category log field value is equal to Malware: Cryptomining Bad IP or Malware: Bad IP or Malware: Cryptomining Bad Domain or Malware: Bad Domain or Configurable Bad Domain , then the sourceProperties.properties.destVpc.vpcName log field is mapped to the target.resource_ancestors.name UDM field and the sourceProperties.properties.vpc.vpcName log field is mapped to the target.resource_ancestors.name UDM field and the target.resource_ancestors.resource_type UDM field is set to VPC_NETWORK .Else if, the category log field value is equal to Active Scan: Log4j Vulnerable to RCE , then the sourceProperties.properties.vpcName log field is mapped to the target.resource_ancestors.name UDM field and the target.resource_ancestors.resource_type UDM field is set to VIRTUAL_MACHINE .Else if, the category log field value is equal to Malware: Bad Domain or Malware: Bad IP or Malware: Cryptomining Bad IP , then the resourceName log field is mapped to the target.resource_ancestors.name UDM field.Else if, the category log field value is equal to Brute Force: SSH , then the resourceName log field is mapped to the target.resource_ancestors.name UDM field.Else if, the category log field value is equal to Persistence: GCE Admin Added SSH Key or Persistence: GCE Admin Added Startup Script , then the sourceProperties.properties.projectId log field is mapped to the target.resource_ancestors.name UDM field.Else if, the category log field value is equal to Increasing Deny Ratio or Allowed Traffic Spike , then the resourceName log field is mapped to the target.resource_ancestors.name UDM field. |
sourceProperties.properties.externalMemberAddedToPrivilegedGroup.sensitiveRoles.resource |
target.resource_ancestors.name |
If the category log field value is equal to Credential Access: External Member Added To Privileged Group , then the sourceProperties.properties.externalMemberAddedToPrivilegedGroup.sensitiveRoles.resource log field is mapped to the target.resource_ancestors.name UDM field. |
sourceProperties.properties.privilegedGroupOpenedToPublic.sensitiveRoles.resource |
target.resource_ancestors.name |
If the category log field value is equal to Credential Access: Privileged Group Opened To Public , then the sourceProperties.properties.privilegedGroupOpenedToPublic.sensitiveRoles.resource log field is mapped to the target.resource_ancestors.name UDM field. |
kubernetes.pods.containers.name |
target.resource_ancestors.name |
If the category log field value is equal to Malware: Cryptomining Bad IP or Malware: Bad IP or Malware: Cryptomining Bad Domain or Malware: Bad Domain or Configurable Bad Domain , then the sourceProperties.properties.destVpc.vpcName log field is mapped to the target.resource_ancestors.name UDM field and the sourceProperties.properties.vpc.vpcName log field is mapped to the target.resource_ancestors.name UDM field and the target.resource_ancestors.resource_type UDM field is set to VPC_NETWORK .Else if, the category log field value is equal to Active Scan: Log4j Vulnerable to RCE , then the sourceProperties.properties.vpcName log field is mapped to the target.resource_ancestors.name UDM field and the target.resource_ancestors.resource_type UDM field is set to VIRTUAL_MACHINE .Else if, the category log field value is equal to Malware: Bad Domain or Malware: Bad IP or Malware: Cryptomining Bad IP , then the resourceName log field is mapped to the target.resource_ancestors.name UDM field.Else if, the category log field value is equal to Brute Force: SSH , then the resourceName log field is mapped to the target.resource_ancestors.name UDM field.Else if, the category log field value is equal to Persistence: GCE Admin Added SSH Key or Persistence: GCE Admin Added Startup Script , then the sourceProperties.properties.projectId log field is mapped to the target.resource_ancestors.name UDM field.Else if, the category log field value is equal to Increasing Deny Ratio or Allowed Traffic Spike , then the resourceName log field is mapped to the target.resource_ancestors.name UDM field. |
sourceProperties.properties.gceInstanceId |
target.resource_ancestors.product_object_id |
If the category log field value is equal to Persistence: GCE Admin Added Startup Script or Persistence: GCE Admin Added SSH Key , then the sourceProperties.properties.gceInstanceId log field is mapped to the target.resource_ancestors.product_object_id UDM field and the target.resource_ancestors.resource_type UDM field is set to VIRTUAL_MACHINE . |
sourceProperties.sourceId.projectNumber |
target.resource_ancestors.product_object_id |
If the category log field value is equal to Persistence: GCE Admin Added Startup Script or Persistence: GCE Admin Added SSH Key , then the target.resource_ancestors.resource_type UDM field is set to VIRTUAL_MACHINE . |
sourceProperties.sourceId.customerOrganizationNumber |
target.resource_ancestors.product_object_id |
If the category log field value is equal to Persistence: GCE Admin Added Startup Script or Persistence: GCE Admin Added SSH Key , then the target.resource_ancestors.resource_type UDM field is set to VIRTUAL_MACHINE . |
sourceProperties.sourceId.organizationNumber |
target.resource_ancestors.product_object_id |
If the category log field value is equal to Persistence: GCE Admin Added Startup Script or Persistence: GCE Admin Added SSH Key , then the target.resource_ancestors.resource_type UDM field is set to VIRTUAL_MACHINE . |
containers.imageId |
target.resource_ancestors.product_object_id |
If the category log field value is equal to Persistence: GCE Admin Added Startup Script or Persistence: GCE Admin Added SSH Key , then the target.resource_ancestors.resource_type UDM field is set to VIRTUAL_MACHINE . |
sourceProperties.properties.zone |
target.resource.attribute.cloud.availability_zone |
If the category log field value is equal to Brute Force: SSH , then the sourceProperties.properties.zone log field is mapped to the target.resource.attribute.cloud.availability_zone UDM field. |
canonicalName |
metadata.product_log_id |
The finding_id is extracted from the canonicalName log field using a Grok pattern.If the finding_id log field value is not empty, then the finding_id log field is mapped to the metadata.product_log_id UDM field. |
canonicalName |
src.resource.attribute.labels.key/value [finding_id] |
If the finding_id log field value is not empty, then the finding_id log field is mapped to the src.resource.attribute.labels.key/value [finding_id] UDM field. If the category log field value is equal to one of the following values, then the finding_id is extracted from the canonicalName log field using a Grok pattern:
|
canonicalName |
src.resource.product_object_id |
If the source_id log field value is not empty, then the source_id log field is mapped to the src.resource.product_object_id UDM field. If the category log field value is equal to one of the following values, then the source_id is extracted from the canonicalName log field using a Grok pattern:
|
canonicalName |
src.resource.attribute.labels.key/value [source_id] |
If the source_id log field value is not empty, then the source_id log field is mapped to the src.resource.attribute.labels.key/value [source_id] UDM field. If the category log field value is equal to one of the following values, then the source_id is extracted from the canonicalName log field using a Grok pattern:
|
canonicalName |
target.resource.attribute.labels.key/value [finding_id] |
If the finding_id log field value is not empty, then the finding_id log field is mapped to the target.resource.attribute.labels.key/value [finding_id] UDM field. If the category log field value is not equal to any of the following values, then the finding_id is extracted from the canonicalName log field using a Grok pattern:
|
canonicalName |
target.resource.product_object_id |
If the source_id log field value is not empty, then the source_id log field is mapped to the target.resource.product_object_id UDM field. If the category log field value is not equal to any of the following values, then the source_id is extracted from the canonicalName log field using a Grok pattern:
|
canonicalName |
target.resource.attribute.labels.key/value [source_id] |
If the source_id log field value is not empty, then the source_id log field is mapped to the target.resource.attribute.labels.key/value [source_id] UDM field. If the category log field value is not equal to any of the following values, then the source_id is extracted from the canonicalName log field using a Grok pattern:
|
sourceProperties.properties.dataExfiltrationAttempt.destinationTables.datasetId |
target.resource.attribute.labels.key/value [sourceProperties_properties_dataExfiltrationAttempt_destinationTables_datasetId] |
If the category log field value is equal to Exfiltration: BigQuery Data Exfiltration , then the sourceProperties.properties.dataExfiltrationAttempt.destinationTables.datasetId log field is mapped to the target.resource.attribute.labels.value UDM field. |
sourceProperties.properties.dataExfiltrationAttempt.destinationTables.projectId |
target.resource.attribute.labels.key/value [sourceProperties_properties_dataExfiltrationAttempt_destinationTables_projectId] |
If the category log field value is equal to Exfiltration: BigQuery Data Exfiltration , then the sourceProperties.properties.dataExfiltrationAttempt.destinationTables.projectId log field is mapped to the target.resource.attribute.labels.value UDM field. |
sourceProperties.properties.dataExfiltrationAttempt.destinationTables.resourceUri |
target.resource.attribute.labels.key/value [sourceProperties_properties_dataExfiltrationAttempt_destinationTables_resourceUri] |
If the category log field value is equal to Exfiltration: BigQuery Data Exfiltration , then the sourceProperties.properties.dataExfiltrationAttempt.destinationTables.resourceUri log field is mapped to the target.resource.attribute.labels.value UDM field. |
sourceProperties.properties.exportToGcs.exportScope |
target.resource.attribute.labels.key/value [sourceProperties_properties_exportToGcs_exportScope] |
If the category log field value is equal to Exfiltration: CloudSQL Data Exfiltration , then the target.resource.attribute.labels.key UDM field is set to exportScope and the sourceProperties.properties.exportToGcs.exportScope log field is mapped to the target.resource.attribute.labels.value UDM field. |
sourceProperties.properties.extractionAttempt.destinations.objectName |
target.resource.attribute.labels.key/value [sourceProperties_properties_extractionAttempt_destinations_objectName] |
If the category log field value is equal to Exfiltration: BigQuery Data Extraction or Exfiltration: BigQuery Data to Google Drive , then the sourceProperties.properties.extractionAttempt.destinations.objectName log field is mapped to the target.resource.attribute.labels.value UDM field. |
sourceProperties.properties.extractionAttempt.destinations.originalUri |
target.resource.attribute.labels.key/value [sourceProperties_properties_extractionAttempt_destinations_originalUri] |
If the category log field value is equal to Exfiltration: BigQuery Data Extraction or Exfiltration: BigQuery Data to Google Drive , then the sourceProperties.properties.extractionAttempt.destinations.originalUri log field is mapped to the target.resource.attribute.labels.value UDM field. |
sourceProperties.properties.metadataKeyOperation |
target.resource.attribute.labels.key/value [sourceProperties_properties_metadataKeyOperation] |
If the category log field value is equal to Persistence: GCE Admin Added SSH Key or Persistence: GCE Admin Added Startup Script , then the sourceProperties.properties.metadataKeyOperation log field is mapped to the target.resource.attribute.labels.key/value UDM field. |
exfiltration.targets.components |
target.resource.attribute.labels.key/value[exfiltration_targets_components] |
If the category log field value is equal to Exfiltration: CloudSQL Data Exfiltration or Exfiltration: BigQuery Data Extraction , then the exfiltration.targets.components log field is mapped to the target.resource.attribute.labels.key/value UDM field. |
sourceProperties.properties.exportToGcs.bucketAccess |
target.resource.attribute.permissions.name |
If the category log field value is equal to Exfiltration: CloudSQL Data Exfiltration , then the sourceProperties.properties.exportToGcs.bucketAccess log field is mapped to the target.resource.attribute.permissions.name UDM field. |
sourceProperties.properties.name |
target.resource.name |
If the category log field value is equal to Defense Evasion: Modify VPC Service Control , then the sourceProperties.properties.name log field is mapped to the target.resource.name UDM field.Else if, the category log field value is equal to Exfiltration: CloudSQL Data Exfiltration , then the sourceProperties.properties.exportToGcs.bucketResource log field is mapped to the target.resource.name UDM field.Else if, the category log field value is equal to Exfiltration: CloudSQL Restore Backup to External Organization , then the sourceProperties.properties.restoreToExternalInstance.targetCloudsqlInstanceResource log field is mapped to the target.resource.name UDM field.Else if, the category log field value is equal to Brute Force: SSH , then the sourceProperties.properties.attempts.vmName log field is mapped to the target.resource.name UDM field and the resourceName log field is mapped to the target.resource_ancestors.name UDM field.Else if, the category log field value is equal to Malware: Bad Domain or Malware: Bad IP or Malware: Cryptomining Bad IP or Malware: Cryptomining Bad Domain or Configurable Bad Domain , then the sourceProperties.properties.instanceDetails log field is mapped to the target.resource.name UDM field and the resourceName log field is mapped to the target.resource_ancestors.name UDM field and the target.resource.resource_type UDM field is set to VIRTUAL_MACHINE .Else if, the category log field value is equal to Exfiltration: BigQuery Data Extraction or Exfiltration: BigQuery Data to Google Drive , then the sourceProperties.properties.extractionAttempt.destinations.collectionName log field is mapped to the target.resource.attribute.name UDM field and the exfiltration.target.name log field is mapped to the target.resource.name UDM field.Else if, the category log field value is equal to Exfiltration: BigQuery Data Exfiltration , then the exfiltration.target.name log field is mapped to the target.resource.name UDM field and the sourceProperties.properties.dataExfiltrationAttempt.destinationTables.tableId log field is mapped to the target.resource.attribute.labels UDM field and the target.resource.resource_type UDM field is set to TABLE .Else, the resourceName log field is mapped to the target.resource.name UDM field. |
sourceProperties.properties.exportToGcs.bucketResource |
target.resource.name |
If the category log field value is equal to Defense Evasion: Modify VPC Service Control , then the sourceProperties.properties.name log field is mapped to the target.resource.name UDM field.Else if, the category log field value is equal to Exfiltration: CloudSQL Data Exfiltration , then the sourceProperties.properties.exportToGcs.bucketResource log field is mapped to the target.resource.name UDM field.Else if, the category log field value is equal to Exfiltration: CloudSQL Restore Backup to External Organization , then the sourceProperties.properties.restoreToExternalInstance.targetCloudsqlInstanceResource log field is mapped to the target.resource.name UDM field.Else if, the category log field value is equal to Brute Force: SSH , then the sourceProperties.properties.attempts.vmName log field is mapped to the target.resource.name UDM field and the resourceName log field is mapped to the target.resource_ancestors.name UDM field.Else if, the category log field value is equal to Malware: Bad Domain or Malware: Bad IP or Malware: Cryptomining Bad IP or Malware: Cryptomining Bad Domain or Configurable Bad Domain , then the sourceProperties.properties.instanceDetails log field is mapped to the target.resource.name UDM field and the resourceName log field is mapped to the target.resource_ancestors.name UDM field and the target.resource.resource_type UDM field is set to VIRTUAL_MACHINE .Else if, the category log field value is equal to Exfiltration: BigQuery Data Extraction or Exfiltration: BigQuery Data to Google Drive , then the sourceProperties.properties.extractionAttempt.destinations.collectionName log field is mapped to the target.resource.attribute.name UDM field and the exfiltration.target.name log field is mapped to the target.resource.name UDM field.Else if, the category log field value is equal to Exfiltration: BigQuery Data Exfiltration , then the exfiltration.target.name log field is mapped to the target.resource.name UDM field and the sourceProperties.properties.dataExfiltrationAttempt.destinationTables.tableId log field is mapped to the target.resource.attribute.labels UDM field and the target.resource.resource_type UDM field is set to TABLE .Else, the resourceName log field is mapped to the target.resource.name UDM field. |
sourceProperties.properties.restoreToExternalInstance.targetCloudsqlInstanceResource |
target.resource.name |
If the category log field value is equal to Defense Evasion: Modify VPC Service Control , then the sourceProperties.properties.name log field is mapped to the target.resource.name UDM field.Else if, the category log field value is equal to Exfiltration: CloudSQL Data Exfiltration , then the sourceProperties.properties.exportToGcs.bucketResource log field is mapped to the target.resource.name UDM field.Else if, the category log field value is equal to Exfiltration: CloudSQL Restore Backup to External Organization , then the sourceProperties.properties.restoreToExternalInstance.targetCloudsqlInstanceResource log field is mapped to the target.resource.name UDM field.Else if, the category log field value is equal to Brute Force: SSH , then the sourceProperties.properties.attempts.vmName log field is mapped to the target.resource.name UDM field and the resourceName log field is mapped to the target.resource_ancestors.name UDM field.Else if, the category log field value is equal to Malware: Bad Domain or Malware: Bad IP or Malware: Cryptomining Bad IP or Malware: Cryptomining Bad Domain or Configurable Bad Domain , then the sourceProperties.properties.instanceDetails log field is mapped to the target.resource.name UDM field and the resourceName log field is mapped to the target.resource_ancestors.name UDM field and the target.resource.resource_type UDM field is set to VIRTUAL_MACHINE .Else if, the category log field value is equal to Exfiltration: BigQuery Data Extraction or Exfiltration: BigQuery Data to Google Drive , then the sourceProperties.properties.extractionAttempt.destinations.collectionName log field is mapped to the target.resource.attribute.name UDM field and the exfiltration.target.name log field is mapped to the target.resource.name UDM field.Else if, the category log field value is equal to Exfiltration: BigQuery Data Exfiltration , then the exfiltration.target.name log field is mapped to the target.resource.name UDM field and the sourceProperties.properties.dataExfiltrationAttempt.destinationTables.tableId log field is mapped to the target.resource.attribute.labels UDM field and the target.resource.resource_type UDM field is set to TABLE .Else, the resourceName log field is mapped to the target.resource.name UDM field. |
resourceName |
target.resource.name |
If the category log field value is equal to Defense Evasion: Modify VPC Service Control , then the sourceProperties.properties.name log field is mapped to the target.resource.name UDM field.Else if, the category log field value is equal to Exfiltration: CloudSQL Data Exfiltration , then the sourceProperties.properties.exportToGcs.bucketResource log field is mapped to the target.resource.name UDM field.Else if, the category log field value is equal to Exfiltration: CloudSQL Restore Backup to External Organization , then the sourceProperties.properties.restoreToExternalInstance.targetCloudsqlInstanceResource log field is mapped to the target.resource.name UDM field.Else if, the category log field value is equal to Brute Force: SSH , then the sourceProperties.properties.attempts.vmName log field is mapped to the target.resource.name UDM field and the resourceName log field is mapped to the target.resource_ancestors.name UDM field.Else if, the category log field value is equal to Malware: Bad Domain or Malware: Bad IP or Malware: Cryptomining Bad IP or Malware: Cryptomining Bad Domain or Configurable Bad Domain , then the sourceProperties.properties.instanceDetails log field is mapped to the target.resource.name UDM field and the resourceName log field is mapped to the target.resource_ancestors.name UDM field and the target.resource.resource_type UDM field is set to VIRTUAL_MACHINE .Else if, the category log field value is equal to Exfiltration: BigQuery Data Extraction or Exfiltration: BigQuery Data to Google Drive , then the sourceProperties.properties.extractionAttempt.destinations.collectionName log field is mapped to the target.resource.attribute.name UDM field and the exfiltration.target.name log field is mapped to the target.resource.name UDM field.Else if, the category log field value is equal to Exfiltration: BigQuery Data Exfiltration , then the exfiltration.target.name log field is mapped to the target.resource.name UDM field and the sourceProperties.properties.dataExfiltrationAttempt.destinationTables.tableId log field is mapped to the target.resource.attribute.labels UDM field and the target.resource.resource_type UDM field is set to TABLE .Else, the resourceName log field is mapped to the target.resource.name UDM field. |
sourceProperties.properties.attempts.vmName |
target.resource.name |
If the category log field value is equal to Defense Evasion: Modify VPC Service Control , then the sourceProperties.properties.name log field is mapped to the target.resource.name UDM field.Else if, the category log field value is equal to Exfiltration: CloudSQL Data Exfiltration , then the sourceProperties.properties.exportToGcs.bucketResource log field is mapped to the target.resource.name UDM field.Else if, the category log field value is equal to Exfiltration: CloudSQL Restore Backup to External Organization , then the sourceProperties.properties.restoreToExternalInstance.targetCloudsqlInstanceResource log field is mapped to the target.resource.name UDM field.Else if, the category log field value is equal to Brute Force: SSH , then the sourceProperties.properties.attempts.vmName log field is mapped to the target.resource.name UDM field and the resourceName log field is mapped to the target.resource_ancestors.name UDM field.Else if, the category log field value is equal to Malware: Bad Domain or Malware: Bad IP or Malware: Cryptomining Bad IP or Malware: Cryptomining Bad Domain or Configurable Bad Domain , then the sourceProperties.properties.instanceDetails log field is mapped to the target.resource.name UDM field and the resourceName log field is mapped to the target.resource_ancestors.name UDM field and the target.resource.resource_type UDM field is set to VIRTUAL_MACHINE .Else if, the category log field value is equal to Exfiltration: BigQuery Data Extraction or Exfiltration: BigQuery Data to Google Drive , then the sourceProperties.properties.extractionAttempt.destinations.collectionName log field is mapped to the target.resource.attribute.name UDM field and the exfiltration.target.name log field is mapped to the target.resource.name UDM field.Else if, the category log field value is equal to Exfiltration: BigQuery Data Exfiltration , then the exfiltration.target.name log field is mapped to the target.resource.name UDM field and the sourceProperties.properties.dataExfiltrationAttempt.destinationTables.tableId log field is mapped to the target.resource.attribute.labels UDM field and the target.resource.resource_type UDM field is set to TABLE .Else, the resourceName log field is mapped to the target.resource.name UDM field. |
sourceProperties.properties.instanceDetails |
target.resource.name |
If the category log field value is equal to Defense Evasion: Modify VPC Service Control , then the sourceProperties.properties.name log field is mapped to the target.resource.name UDM field.Else if, the category log field value is equal to Exfiltration: CloudSQL Data Exfiltration , then the sourceProperties.properties.exportToGcs.bucketResource log field is mapped to the target.resource.name UDM field.Else if, the category log field value is equal to Exfiltration: CloudSQL Restore Backup to External Organization , then the sourceProperties.properties.restoreToExternalInstance.targetCloudsqlInstanceResource log field is mapped to the target.resource.name UDM field.Else if, the category log field value is equal to Brute Force: SSH , then the sourceProperties.properties.attempts.vmName log field is mapped to the target.resource.name UDM field and the resourceName log field is mapped to the target.resource_ancestors.name UDM field.Else if, the category log field value is equal to Malware: Bad Domain or Malware: Bad IP or Malware: Cryptomining Bad IP or Malware: Cryptomining Bad Domain or Configurable Bad Domain , then the sourceProperties.properties.instanceDetails log field is mapped to the target.resource.name UDM field and the resourceName log field is mapped to the target.resource_ancestors.name UDM field and the target.resource.resource_type UDM field is set to VIRTUAL_MACHINE .Else if, the category log field value is equal to Exfiltration: BigQuery Data Extraction or Exfiltration: BigQuery Data to Google Drive , then the sourceProperties.properties.extractionAttempt.destinations.collectionName log field is mapped to the target.resource.attribute.name UDM field and the exfiltration.target.name log field is mapped to the target.resource.name UDM field.Else if, the category log field value is equal to Exfiltration: BigQuery Data Exfiltration , then the exfiltration.target.name log field is mapped to the target.resource.name UDM field and the sourceProperties.properties.dataExfiltrationAttempt.destinationTables.tableId log field is mapped to the target.resource.attribute.labels UDM field and the target.resource.resource_type UDM field is set to TABLE .Else, the resourceName log field is mapped to the target.resource.name UDM field. |
sourceProperties.properties.extractionAttempt.destinations.collectionName |
target.resource.name |
If the category log field value is equal to Defense Evasion: Modify VPC Service Control , then the sourceProperties.properties.name log field is mapped to the target.resource.name UDM field.Else if, the category log field value is equal to Exfiltration: CloudSQL Data Exfiltration , then the sourceProperties.properties.exportToGcs.bucketResource log field is mapped to the target.resource.name UDM field.Else if, the category log field value is equal to Exfiltration: CloudSQL Restore Backup to External Organization , then the sourceProperties.properties.restoreToExternalInstance.targetCloudsqlInstanceResource log field is mapped to the target.resource.name UDM field.Else if, the category log field value is equal to Brute Force: SSH , then the sourceProperties.properties.attempts.vmName log field is mapped to the target.resource.name UDM field and the resourceName log field is mapped to the target.resource_ancestors.name UDM field.Else if, the category log field value is equal to Malware: Bad Domain or Malware: Bad IP or Malware: Cryptomining Bad IP or Malware: Cryptomining Bad Domain or Configurable Bad Domain , then the sourceProperties.properties.instanceDetails log field is mapped to the target.resource.name UDM field and the resourceName log field is mapped to the target.resource_ancestors.name UDM field and the target.resource.resource_type UDM field is set to VIRTUAL_MACHINE .Else if, the category log field value is equal to Exfiltration: BigQuery Data Extraction or Exfiltration: BigQuery Data to Google Drive , then the sourceProperties.properties.extractionAttempt.destinations.collectionName log field is mapped to the target.resource.attribute.name UDM field and the exfiltration.target.name log field is mapped to the target.resource.name UDM field.Else if, the category log field value is equal to Exfiltration: BigQuery Data Exfiltration , then the exfiltration.target.name log field is mapped to the target.resource.name UDM field and the sourceProperties.properties.dataExfiltrationAttempt.destinationTables.tableId log field is mapped to the target.resource.attribute.labels UDM field and the target.resource.resource_type UDM field is set to TABLE .Else, the resourceName log field is mapped to the target.resource.name UDM field. |
sourceProperties.properties.dataExfiltrationAttempt.destinationTables.tableId |
target.resource.name |
If the category log field value is equal to Defense Evasion: Modify VPC Service Control , then the sourceProperties.properties.name log field is mapped to the target.resource.name UDM field.Else if, the category log field value is equal to Exfiltration: CloudSQL Data Exfiltration , then the sourceProperties.properties.exportToGcs.bucketResource log field is mapped to the target.resource.name UDM field.Else if, the category log field value is equal to Exfiltration: CloudSQL Restore Backup to External Organization , then the sourceProperties.properties.restoreToExternalInstance.targetCloudsqlInstanceResource log field is mapped to the target.resource.name UDM field.Else if, the category log field value is equal to Brute Force: SSH , then the sourceProperties.properties.attempts.vmName log field is mapped to the target.resource.name UDM field and the resourceName log field is mapped to the target.resource_ancestors.name UDM field.Else if, the category log field value is equal to Malware: Bad Domain or Malware: Bad IP or Malware: Cryptomining Bad IP or Malware: Cryptomining Bad Domain or Configurable Bad Domain , then the sourceProperties.properties.instanceDetails log field is mapped to the target.resource.name UDM field and the resourceName log field is mapped to the target.resource_ancestors.name UDM field and the target.resource.resource_type UDM field is set to VIRTUAL_MACHINE .Else if, the category log field value is equal to Exfiltration: BigQuery Data Extraction or Exfiltration: BigQuery Data to Google Drive , then the sourceProperties.properties.extractionAttempt.destinations.collectionName log field is mapped to the target.resource.attribute.name UDM field and the exfiltration.target.name log field is mapped to the target.resource.name UDM field.Else if, the category log field value is equal to Exfiltration: BigQuery Data Exfiltration , then the exfiltration.target.name log field is mapped to the target.resource.name UDM field and the sourceProperties.properties.dataExfiltrationAttempt.destinationTables.tableId log field is mapped to the target.resource.attribute.labels UDM field and the target.resource.resource_type UDM field is set to TABLE .Else, the resourceName log field is mapped to the target.resource.name UDM field. |
exfiltration.targets.name |
target.resource.name |
If the category log field value is equal to Defense Evasion: Modify VPC Service Control , then the sourceProperties.properties.name log field is mapped to the target.resource.name UDM field.Else if, the category log field value is equal to Exfiltration: CloudSQL Data Exfiltration , then the sourceProperties.properties.exportToGcs.bucketResource log field is mapped to the target.resource.name UDM field.Else if, the category log field value is equal to Exfiltration: CloudSQL Restore Backup to External Organization , then the sourceProperties.properties.restoreToExternalInstance.targetCloudsqlInstanceResource log field is mapped to the target.resource.name UDM field.Else if, the category log field value is equal to Brute Force: SSH , then the sourceProperties.properties.attempts.vmName log field is mapped to the target.resource.name UDM field and the resourceName log field is mapped to the target.resource_ancestors.name UDM field.Else if, the category log field value is equal to Malware: Bad Domain or Malware: Bad IP or Malware: Cryptomining Bad IP or Malware: Cryptomining Bad Domain or Configurable Bad Domain , then the sourceProperties.properties.instanceDetails log field is mapped to the target.resource.name UDM field and the resourceName log field is mapped to the target.resource_ancestors.name UDM field and the target.resource.resource_type UDM field is set to VIRTUAL_MACHINE .Else if, the category log field value is equal to Exfiltration: BigQuery Data Extraction or Exfiltration: BigQuery Data to Google Drive , then the sourceProperties.properties.extractionAttempt.destinations.collectionName log field is mapped to the target.resource.attribute.name UDM field and the exfiltration.target.name log field is mapped to the target.resource.name UDM field.Else if, the category log field value is equal to Exfiltration: BigQuery Data Exfiltration , then the exfiltration.target.name log field is mapped to the target.resource.name UDM field and the sourceProperties.properties.dataExfiltrationAttempt.destinationTables.tableId log field is mapped to the target.resource.attribute.labels UDM field and the target.resource.resource_type UDM field is set to TABLE .Else, the resourceName log field is mapped to the target.resource.name UDM field. |
sourceProperties.properties.instanceId |
target.resource.product_object_id |
If the category log field value is equal to Brute Force: SSH , then the sourceProperties.properties.instanceId log field is mapped to the target.resource.product_object_id UDM field. |
kubernetes.pods.containers.imageId |
target.resource_ancestors.attribute.labels[kubernetes_pods_containers_imageId] |
|
sourceProperties.properties.extractionAttempt.destinations.collectionType |
target.resource.resource_subtype |
If the category log field value is equal to Exfiltration: BigQuery Data Extraction or Exfiltration: BigQuery Data to Google Drive , then the sourceProperties.properties.extractionAttempt.destinations.collectionName log field is mapped to the target.resource.resource_subtype UDM field.Else if, the category log field value is equal to Credential Access: External Member Added To Privileged Group , then the target.resource.resource_subtype UDM field is set to Privileged Group .Else if, the category log field value is equal to Exfiltration: BigQuery Data Exfiltration , then the target.resource.resource_subtype UDM field is set to BigQuery . |
|
target.resource.resource_type |
If the sourceProperties.properties.extractionAttempt.destinations.collectionType log field value matches the regular expression BUCKET , then the target.resource.resource_type UDM field is set to STORAGE_BUCKET .Else if, the category log field value is equal to Brute Force: SSH , then the target.resource.resource_type UDM field is set to VIRTUAL_MACHINE .Else if, the category log field value is equal to Malware: Bad Domain or Malware: Bad IP or Malware: Cryptomining Bad IP , then the target.resource.resource_type UDM field is set to VIRTUAL_MACHINE .Else if, the category log field value is equal to Exfiltration: BigQuery Data Exfiltration , then the target.resource.resource_type UDM field is set to TABLE . |
sourceProperties.properties.extractionAttempt.jobLink |
target.url |
If the category log field value is equal to Exfiltration: BigQuery Data to Google Drive , then the sourceProperties.properties.extractionAttempt.jobLink log field is mapped to the target.url UDM field.If the category log field value is equal to Exfiltration: BigQuery Data Extraction , then the sourceProperties.properties.extractionAttempt.jobLink log field is mapped to the target.url UDM field. |
sourceProperties.properties.exportToGcs.gcsUri |
target.url |
If the category log field value is equal to Exfiltration: CloudSQL Data Exfiltration , then the sourceProperties.properties.exportToGcs.gcsUri log field is mapped to the target.url UDM field. |
sourceProperties.properties.requestUrl |
target.url |
If the category log field value is equal to Initial Access: Log4j Compromise Attempt , then the sourceProperties.properties.requestUrl log field is mapped to the target.url UDM field. |
sourceProperties.properties.policyLink |
target.url |
If the category log field value is equal to Defense Evasion: Modify VPC Service Control , then the sourceProperties.properties.policyLink log field is mapped to the target.url UDM field. |
sourceProperties.properties.anomalousLocation.notSeenInLast |
target.user.attribute.labels.key/value [sourceProperties_properties_anomalousLocation_notSeenInLast] |
If the category log field value is equal to Persistence: New Geography , then the sourceProperties.properties.anomalousLocation.notSeenInLast log field is mapped to the target.user.attribute.labels.value UDM field. |
sourceProperties.properties.attempts.username |
target.user.userid |
If the category log field value is equal to Brute Force: SSH , then the sourceProperties.properties.attempts.username log field is mapped to the target.user.userid UDM field.If the category log field value is equal to Initial Access: Suspicious Login Blocked , then the userid log field is mapped to the target.user.userid UDM field. |
sourceProperties.properties.principalEmail |
target.user.userid |
If the category log field value is equal to Initial Access: Suspicious Login Blocked , then the userid log field is mapped to the target.user.userid UDM field. |
sourceProperties.Added_Binary_Kind |
target.resource.attribute.labels[sourceProperties_Added_Binary_Kind] |
|
sourceProperties.Container_Creation_Timestamp.nanos |
target.resource.attribute.labels[sourceProperties_Container_Creation_Timestamp_nanos] |
|
sourceProperties.Container_Creation_Timestamp.seconds |
target.resource.attribute.labels[sourceProperties_Container_Creation_Timestamp_seconds] |
|
sourceProperties.Container_Image_Id |
target.resource_ancestors.product_object_id |
|
sourceProperties.Container_Image_Uri |
target.resource.attribute.labels[sourceProperties_Container_Image_Uri] |
|
sourceProperties.Container_Name |
target.resource_ancestors.name |
|
sourceProperties.Environment_Variables |
target.labels [Environment_Variables_name] (deprecated) |
|
sourceProperties.Environment_Variables |
additional.fields [Environment_Variables_name] |
|
|
target.labels [Environment_Variables_val] (deprecated) |
|
|
additional.fields [Environment_Variables_val] |
|
sourceProperties.Kubernetes_Labels |
target.resource.attribute.labels.key/value [sourceProperties_Kubernetes_Labels.name/value] |
|
sourceProperties.Parent_Pid |
target.process.parent_process.pid |
|
sourceProperties.Pid |
target.process.pid |
|
sourceProperties.Pod_Name |
target.resource_ancestors.name |
|
sourceProperties.Pod_Namespace |
target.resource_ancestors.attribute.labels.key/value [sourceProperties_Pod_Namespace] |
|
sourceProperties.Process_Arguments |
target.process.command_line |
|
sourceProperties.Process_Binary_Fullpath |
target.process.file.full_path |
|
sourceProperties.Process_Creation_Timestamp.nanos |
target.labels [sourceProperties_Process_Creation_Timestamp_nanos] (deprecated) |
|
sourceProperties.Process_Creation_Timestamp.nanos |
additional.fields [sourceProperties_Process_Creation_Timestamp_nanos] |
|
sourceProperties.Process_Creation_Timestamp.seconds |
target.labels [sourceProperties_Process_Creation_Timestamp_seconds] (deprecated) |
|
sourceProperties.Process_Creation_Timestamp.seconds |
additional.fields [sourceProperties_Process_Creation_Timestamp_seconds] |
|
sourceProperties.VM_Instance_Name |
target.resource_ancestors.name |
If the category log field value is equal to Added Binary Executed or Added Library Loaded , then the sourceProperties.VM_Instance_Name log field is mapped to the target.resource_ancestors.name UDM field and the target.resource_ancestors.resource_type UDM field is set to VIRTUAL_MACHINE . |
|
target.resource_ancestors.resource_type |
|
resource.parent |
target.resource_ancestors.attribute.labels.key/value [resource_project] |
|
resource.project |
target.resource_ancestors.attribute.labels.key/value [resource_parent] |
|
sourceProperties.Added_Library_Fullpath |
target.process.file.full_path |
|
sourceProperties.Added_Library_Kind |
target.resource.attribute.labels[sourceProperties_Added_Library_Kind |
|
sourceProperties.affectedResources.gcpResourceName |
target.resource_ancestors.name |
|
sourceProperties.Backend_Service |
target.resource.name |
If the category log field value is equal to Increasing Deny Ratio or Allowed Traffic Spike or Application DDoS Attack Attempt , then the sourceProperties.Backend_Service log field is mapped to the target.resource.name UDM field and the resourceName log field is mapped to the target.resource_ancestors.name UDM field. |
sourceProperties.Long_Term_Allowed_RPS |
target.resource.attribute.labels[sourceProperties_Long_Term_Allowed_RPS] |
|
sourceProperties.Long_Term_Denied_RPS |
target.resource.attribute.labels[sourceProperties_Long_Term_Denied_RPS] |
|
sourceProperties.Long_Term_Incoming_RPS |
target.resource.attribute.labels[sourceProperties_Long_Term_Incoming_RPS] |
|
sourceProperties.properties.customProperties.domain_category |
target.resource.attribute.labels[sourceProperties_properties_customProperties_domain_category] |
|
sourceProperties.Security_Policy |
target.resource.attribute.labels[sourceProperties_Security_Policy] |
|
sourceProperties.Short_Term_Allowed_RPS |
target.resource.attribute.labels[sourceProperties_Short_Term_Allowed_RPS] |
|
|
target.resource.resource_type |
If the category log field value is equal to Increasing Deny Ratio or Allowed Traffic Spike or Application DDoS Attack Attempt , then the target.resource.resource_type UDM field is set to BACKEND_SERVICE .If the category log field value is equal to Configurable Bad Domain , then the target.resource.resource_type UDM field is set to VIRTUAL_MACHINE . |
|
is_alert |
If the state log field value is equal to ACTIVE , then if the mute_is_not_present field value is not equal to true and (the mute log field value is equal to UNMUTED or the mute log field value is equal to UNDEFINED ), then the is_alert UDM field is set to true else, the is_alert UDM field is set to false . |
|
is_significant |
If the state log field value is equal to ACTIVE , then if the mute_is_not_present field value is not equal to true and (the mute log field value is equal to UNMUTED or the mute log field value is equal to UNDEFINED ), then the is_significant UDM field is set to true else, the is_significant UDM field is set to false . |
sourceProperties.properties.sensitiveRoleGrant.principalEmail |
principal.user.userid |
Grok : Extracted user_id from sourceProperties.properties.sensitiveRoleGrant.principalEmail log field, then the user_id field is mapped to the principal.user.userid UDM field. |
sourceProperties.properties.customRoleSensitivePermissions.principalEmail |
principal.user.userid |
Grok : Extracted user_id from sourceProperties.properties.customRoleSensitivePermissions.principalEmail log field, then the user_id field is mapped to the principal.user.userid UDM field. |
resourceName |
principal.asset.location.name |
If the parentDisplayName log field value is equal to Virtual Machine Threat Detection , then Grok : Extracted project_name , region , zone_suffix , asset_prod_obj_id from resourceName log field, then the region log field is mapped to the principal.asset.location.name UDM field. |
resourceName |
principal.asset.product_object_id |
If the parentDisplayName log field value is equal to Virtual Machine Threat Detection , then Grok : Extracted project_name , region , zone_suffix , asset_prod_obj_id from resourceName log field, then the asset_prod_obj_id log field is mapped to the principal.asset.product_object_id UDM field. |
resourceName |
principal.asset.attribute.cloud.availability_zone |
If the parentDisplayName log field value is equal to Virtual Machine Threat Detection , then Grok : Extracted project_name , region , zone_suffix , asset_prod_obj_id from resourceName log field, then the zone_suffix log field is mapped to the principal.asset.attribute.cloud.availability_zone UDM field. |
resourceName |
principal.asset.attribute.labels[project_name] |
If the parentDisplayName log field value is equal to Virtual Machine Threat Detection , then Grok : Extracted project_name , region , zone_suffix , asset_prod_obj_id from resourceName log field, then the project_name log field is mapped to the principal.asset.attribute.labels.value UDM field. |
sourceProperties.threats.memory_hash_detector.detections.binary_name |
security_result.detection_fields[binary_name] |
|
sourceProperties.threats.memory_hash_detector.detections.percent_pages_matched |
security_result.detection_fields[percent_pages_matched] |
|
sourceProperties.threats.memory_hash_detector.binary |
security_result.detection_fields[memory_hash_detector_binary] |
|
sourceProperties.threats.yara_rule_detector.yara_rule_name |
security_result.detection_fields[yara_rule_name] |
|
sourceProperties.Script_SHA256 |
target.resource.attribute.labels[script_sha256] |
|
sourceProperties.Script_Content |
target.resource.attribute.labels[script_content] |
|
state |
security_result.detection_fields[state] |
|
assetDisplayName |
target.asset.attribute.labels[asset_display_name] |
|
assetId |
target.asset.asset_id |
|
findingProviderId |
target.resource.attribute.labels[finding_provider_id] |
|
sourceDisplayName |
target.resource.attribute.labels[source_display_name] |
|
processes.name |
target.process.file.names |
|
target.labels[failedActions_methodName] | sourceProperties.properties.failedActions.methodName | If the category log field value is equal to
Initial Access: Excessive Permission Denied Actions , then the
sourceProperties.properties.failedActions.methodName log field is
mapped to the target.labels UDM field. |
additional.fields[failedActions_methodName] | sourceProperties.properties.failedActions.methodName | If the category log field value is equal to
Initial Access: Excessive Permission Denied Actions , then the
sourceProperties.properties.failedActions.methodName log field is
mapped to the additional.fields UDM field. |
target.labels[failedActions_serviceName] | sourceProperties.properties.failedActions.serviceName | If the category log field value is equal to
Initial Access: Excessive Permission Denied Actions , then the
sourceProperties.properties.failedActions.serviceName log field is
mapped to the target.labels UDM field. |
additional.fields[failedActions_serviceName] | sourceProperties.properties.failedActions.serviceName | If the category log field value is equal to
Initial Access: Excessive Permission Denied Actions , then the
sourceProperties.properties.failedActions.serviceName log field is
mapped to the additional.fields UDM field. |
target.labels[failedActions_attemptTimes] | sourceProperties.properties.failedActions.attemptTimes | If the category log field value is equal to
Initial Access: Excessive Permission Denied Actions , then the
sourceProperties.properties.failedActions.attemptTimes log field is
mapped to the target.labels UDM field. |
additional.fields[failedActions_attemptTimes] | sourceProperties.properties.failedActions.attemptTimes | If the category log field value is equal to
Initial Access: Excessive Permission Denied Actions , then the
sourceProperties.properties.failedActions.attemptTimes log field is
mapped to the additional.fields UDM field. |
target.labels[failedActions_lastOccurredTime] | sourceProperties.properties.failedActions.lastOccurredTime | If the category log field value is equal to
Initial Access: Excessive Permission Denied Actions , then the
sourceProperties.properties.failedActions.lastOccurredTime log field
is mapped to the target.labels UDM field. |
additional.fields[failedActions_lastOccurredTime] | sourceProperties.properties.failedActions.lastOccurredTime | If the category log field value is equal to
Initial Access: Excessive Permission Denied Actions , then the
sourceProperties.properties.failedActions.lastOccurredTime log field.
is mapped to the additional.fields UDM field. |
resource.resourcePathString |
src.resource.attribute.labels[resource_path_string] |
If the category log field value contain one of the following values, then the resource.resourcePathString log field is mapped to the src.resource.attribute.labels[resource_path_string] UDM field.
resource.resourcePathString log field is mapped to the target.resource.attribute.labels[resource_path_string] UDM field. |
Field mapping reference: event identifier to event type
Event Identifier | Event Type | Security Category |
---|---|---|
Active Scan: Log4j Vulnerable to RCE |
SCAN_UNCATEGORIZED |
|
Brute Force: SSH |
USER_LOGIN |
AUTH_VIOLATION |
Credential Access: External Member Added To Privileged Group |
GROUP_MODIFICATION |
|
Credential Access: Privileged Group Opened To Public |
GROUP_MODIFICATION |
|
Credential Access: Sensitive Role Granted To Hybrid Group |
GROUP_MODIFICATION |
|
Defense Evasion: Modify VPC Service Control |
SERVICE_MODIFICATION |
|
Discovery: Can get sensitive Kubernetes object checkPreview |
SCAN_UNCATEGORIZED |
|
Discovery: Service Account Self-Investigation |
USER_UNCATEGORIZED |
|
Evasion: Access from Anonymizing Proxy |
SERVICE_MODIFICATION |
|
Exfiltration: BigQuery Data Exfiltration |
USER_RESOURCE_ACCESS |
DATA_EXFILTRATION |
Exfiltration: BigQuery Data Extraction |
USER_RESOURCE_ACCESS |
DATA_EXFILTRATION |
Exfiltration: BigQuery Data to Google Drive |
USER_RESOURCE_ACCESS |
DATA_EXFILTRATION |
Exfiltration: CloudSQL Data Exfiltration |
USER_RESOURCE_ACCESS |
DATA_EXFILTRATION |
Exfiltration: CloudSQL Over-Privileged Grant |
USER_RESOURCE_ACCESS |
DATA_EXFILTRATION |
Exfiltration: CloudSQL Restore Backup to External Organization |
USER_RESOURCE_ACCESS |
DATA_EXFILTRATION |
Impair Defenses: Strong Authentication Disabled |
USER_CHANGE_PERMISSIONS |
|
Impair Defenses: Two Step Verification Disabled |
USER_CHANGE_PERMISSIONS |
|
Initial Access: Account Disabled Hijacked |
SETTING_MODIFICATION |
|
Initial Access: Disabled Password Leak |
SETTING_MODIFICATION |
|
Initial Access: Government Based Attack |
USER_UNCATEGORIZED |
|
Initial Access: Log4j Compromise Attempt |
SCAN_UNCATEGORIZED |
EXPLOIT |
Initial Access: Suspicious Login Blocked |
USER_LOGIN |
ACL_VIOLATION |
Initial Access: Dormant Service Account Action |
SCAN_UNCATEGORIZED |
|
Log4j Malware: Bad Domain |
NETWORK_CONNECTION |
SOFTWARE_MALICIOUS |
Log4j Malware: Bad IP |
SCAN_UNCATEGORIZED |
SOFTWARE_MALICIOUS |
Malware: Bad Domain |
NETWORK_CONNECTION |
SOFTWARE_MALICIOUS |
Malware: Bad IP |
SCAN_UNCATEGORIZED |
SOFTWARE_MALICIOUS |
Malware: Cryptomining Bad Domain |
NETWORK_CONNECTION |
SOFTWARE_MALICIOUS |
Malware: Cryptomining Bad IP |
NETWORK_CONNECTION |
SOFTWARE_MALICIOUS |
Malware: Outgoing DoS |
NETWORK_CONNECTION |
NETWORK_DENIAL_OF_SERVICE |
Persistence: GCE Admin Added SSH Key |
SETTING_MODIFICATION |
|
Persistence: GCE Admin Added Startup Script |
SETTING_MODIFICATION |
|
Persistence: IAM Anomalous Grant |
USER_UNCATEGORIZED |
POLICY_VIOLATION |
Persistence: New API MethodPreview |
SCAN_UNCATEGORIZED |
|
Persistence: New Geography |
USER_RESOURCE_ACCESS |
NETWORK_SUSPICIOUS |
Persistence: New User Agent |
USER_RESOURCE_ACCESS |
|
Persistence: SSO Enablement Toggle |
SETTING_MODIFICATION |
|
Persistence: SSO Settings Changed |
SETTING_MODIFICATION |
|
Privilege Escalation: Changes to sensitive Kubernetes RBAC objectsPreview |
RESOURCE_PERMISSIONS_CHANGE |
|
Privilege Escalation: Create Kubernetes CSR for master certPreview |
RESOURCE_CREATION |
|
Privilege Escalation: Creation of sensitive Kubernetes bindingsPreview |
RESOURCE_CREATION |
|
Privilege Escalation: Get Kubernetes CSR with compromised bootstrap credentialsPreview |
USER_RESOURCE_ACCESS |
|
Privilege Escalation: Launch of privileged Kubernetes containerPreview |
RESOURCE_CREATION |
|
Added Binary Executed |
USER_RESOURCE_ACCESS |
|
Added Library Loaded |
USER_RESOURCE_ACCESS |
|
Allowed Traffic Spike |
USER_RESOURCE_ACCESS |
|
Increasing Deny Ratio |
USER_RESOURCE_UPDATE_CONTENT |
|
Configurable bad domain |
NETWORK_CONNECTION |
|
Execution: Cryptocurrency Mining Hash Match |
SCAN_UNCATEGORIZED |
|
Execution: Cryptocurrency Mining YARA Rule |
SCAN_UNCATEGORIZED |
|
Malicious Script Executed |
SCAN_UNCATEGORIZED |
SOFTWARE_MALICIOUS |
Malicious URL Observed |
SCAN_UNCATEGORIZED |
NETWORK_MALICIOUS |
Execution: Cryptocurrency Mining Combined Detection |
SCAN_UNCATEGORIZED |
|
Application DDoS Attack Attempt |
SCAN_NETWORK |
|
Defense Evasion: Unexpected ftrace handler |
SCAN_UNCATEGORIZED |
SOFTWARE_MALICIOUS |
Defense Evasion: Unexpected interrupt handler |
SCAN_UNCATEGORIZED |
SOFTWARE_MALICIOUS |
Defense Evasion: Unexpected kernel code modification |
USER_RESOURCE_UPDATE_CONTENT |
SOFTWARE_MALICIOUS |
Defense Evasion: Unexpected kernel modules |
SCAN_UNCATEGORIZED |
SOFTWARE_MALICIOUS |
Defense Evasion: Unexpected kernel read-only data modification |
USER_RESOURCE_UPDATE_CONTENT |
SOFTWARE_MALICIOUS |
Defense Evasion: Unexpected kprobe handler |
SCAN_UNCATEGORIZED |
SOFTWARE_MALICIOUS |
Defense Evasion: Unexpected processes in runqueue |
PROCESS_UNCATEGORIZED |
SOFTWARE_MALICIOUS |
Defense Evasion: Unexpected system call handler |
SCAN_UNCATEGORIZED |
SOFTWARE_MALICIOUS |
Reverse Shell |
SCAN_UNCATEGORIZED |
EXPLOIT |
account_has_leaked_credentials |
SCAN_UNCATEGORIZED |
DATA_AT_REST |
Initial Access: Dormant Service Account Key Created |
RESOURCE_CREATION |
|
Process Tree |
PROCESS_UNCATEGORIZED |
|
Unexpected Child Shell |
PROCESS_UNCATEGORIZED |
|
Execution: Added Malicious Binary Executed |
SCAN_UNCATEGORIZED |
SOFTWARE_MALICIOUS |
Execution: Modified Malicious Binary Executed |
SCAN_UNCATEGORIZED |
SOFTWARE_MALICIOUS |
Privilege Escalation: Anomalous Multistep Service Account Delegation for Admin Activity |
SCAN_UNCATEGORIZED |
|
Breakglass Account Used: break_glass_account |
SCAN_UNCATEGORIZED |
|
Configurable Bad Domain: APT29_Domains |
SCAN_UNCATEGORIZED |
|
Unexpected Role Grant: Forbidden roles |
SCAN_UNCATEGORIZED |
|
Configurable Bad IP |
SCAN_UNCATEGORIZED |
|
Unexpected Compute Engine instance type |
SCAN_UNCATEGORIZED |
|
Unexpected Compute Engine source image |
SCAN_UNCATEGORIZED |
|
Unexpected Compute Engine region |
SCAN_UNCATEGORIZED |
|
Custom role with prohibited permission |
SCAN_UNCATEGORIZED |
|
Unexpected Cloud API Call |
SCAN_UNCATEGORIZED |
The following tables contain UDM event types and UDM fields mapping for Security Command Center - VULNERABILITY
, MISCONFIGURATION
, OBSERVATION
, ERROR
, UNSPECIFIED
, POSTURE_VIOLATION
finding classes.
VULNERABILITY category to UDM event type
The following table lists the VULNERABILITY category and their corresponding UDM event types.
Event Identifier | Event Type | Security Category |
---|---|---|
DISK_CSEK_DISABLED |
SCAN_UNCATEGORIZED |
|
ALPHA_CLUSTER_ENABLED |
SCAN_UNCATEGORIZED |
|
AUTO_REPAIR_DISABLED |
SCAN_UNCATEGORIZED |
|
AUTO_UPGRADE_DISABLED |
SCAN_UNCATEGORIZED |
|
CLUSTER_SHIELDED_NODES_DISABLED |
SCAN_UNCATEGORIZED |
|
COS_NOT_USED |
SCAN_UNCATEGORIZED |
|
INTEGRITY_MONITORING_DISABLED |
SCAN_UNCATEGORIZED |
|
IP_ALIAS_DISABLED |
SCAN_UNCATEGORIZED |
|
LEGACY_METADATA_ENABLED |
SCAN_UNCATEGORIZED |
|
RELEASE_CHANNEL_DISABLED |
SCAN_UNCATEGORIZED |
|
DATAPROC_IMAGE_OUTDATED |
SCAN_VULN_NETWORK |
|
PUBLIC_DATASET |
SCAN_UNCATEGORIZED |
|
DNSSEC_DISABLED |
SCAN_UNCATEGORIZED |
|
RSASHA1_FOR_SIGNING |
SCAN_UNCATEGORIZED |
|
REDIS_ROLE_USED_ON_ORG |
SCAN_UNCATEGORIZED |
|
KMS_PUBLIC_KEY |
SCAN_UNCATEGORIZED |
|
SQL_CONTAINED_DATABASE_AUTHENTICATION |
SCAN_UNCATEGORIZED |
|
SQL_CROSS_DB_OWNERSHIP_CHAINING |
SCAN_UNCATEGORIZED |
|
SQL_EXTERNAL_SCRIPTS_ENABLED |
SCAN_UNCATEGORIZED |
|
SQL_LOCAL_INFILE |
SCAN_UNCATEGORIZED |
|
SQL_LOG_ERROR_VERBOSITY |
SCAN_UNCATEGORIZED |
|
SQL_LOG_MIN_DURATION_STATEMENT_ENABLED |
SCAN_UNCATEGORIZED |
|
SQL_LOG_MIN_ERROR_STATEMENT |
SCAN_UNCATEGORIZED |
|
SQL_LOG_MIN_ERROR_STATEMENT_SEVERITY |
SCAN_UNCATEGORIZED |
|
SQL_LOG_MIN_MESSAGES |
SCAN_UNCATEGORIZED |
|
SQL_LOG_EXECUTOR_STATS_ENABLED |
SCAN_UNCATEGORIZED |
|
SQL_LOG_HOSTNAME_ENABLED |
SCAN_UNCATEGORIZED |
|
SQL_LOG_PARSER_STATS_ENABLED |
SCAN_UNCATEGORIZED |
|
SQL_LOG_PLANNER_STATS_ENABLED |
SCAN_UNCATEGORIZED |
|
SQL_LOG_STATEMENT_STATS_ENABLED |
SCAN_UNCATEGORIZED |
|
SQL_LOG_TEMP_FILES |
SCAN_UNCATEGORIZED |
|
SQL_REMOTE_ACCESS_ENABLED |
SCAN_UNCATEGORIZED |
|
SQL_SKIP_SHOW_DATABASE_DISABLED |
SCAN_UNCATEGORIZED |
|
SQL_TRACE_FLAG_3625 |
SCAN_UNCATEGORIZED |
|
SQL_USER_CONNECTIONS_CONFIGURED |
SCAN_UNCATEGORIZED |
|
SQL_USER_OPTIONS_CONFIGURED |
SCAN_UNCATEGORIZED |
|
SQL_WEAK_ROOT_PASSWORD |
SCAN_UNCATEGORIZED |
|
PUBLIC_LOG_BUCKET |
SCAN_UNCATEGORIZED |
|
ACCESSIBLE_GIT_REPOSITORY |
SCAN_UNCATEGORIZED |
DATA_EXFILTRATION |
ACCESSIBLE_SVN_REPOSITORY |
SCAN_NETWORK |
DATA_EXFILTRATION |
CACHEABLE_PASSWORD_INPUT |
SCAN_NETWORK |
NETWORK_SUSPICIOUS |
CLEAR_TEXT_PASSWORD |
SCAN_NETWORK |
NETWORK_MALICIOUS |
INSECURE_ALLOW_ORIGIN_ENDS_WITH_VALIDATION |
SCAN_UNCATEGORIZED |
|
INSECURE_ALLOW_ORIGIN_STARTS_WITH_VALIDATION |
SCAN_UNCATEGORIZED |
|
INVALID_CONTENT_TYPE |
SCAN_UNCATEGORIZED |
|
INVALID_HEADER |
SCAN_UNCATEGORIZED |
|
MISMATCHING_SECURITY_HEADER_VALUES |
SCAN_UNCATEGORIZED |
|
MISSPELLED_SECURITY_HEADER_NAME |
SCAN_UNCATEGORIZED |
|
MIXED_CONTENT |
SCAN_UNCATEGORIZED |
|
OUTDATED_LIBRARY |
SCAN_VULN_HOST |
SOFTWARE_SUSPICIOUS |
SERVER_SIDE_REQUEST_FORGERY |
SCAN_NETWORK |
NETWORK_MALICIOUS |
SESSION_ID_LEAK |
SCAN_NETWORK |
DATA_EXFILTRATION |
SQL_INJECTION |
SCAN_NETWORK |
EXPLOIT |
STRUTS_INSECURE_DESERIALIZATION |
SCAN_VULN_HOST |
SOFTWARE_SUSPICIOUS |
XSS |
SCAN_NETWORK |
SOFTWARE_SUSPICIOUS |
XSS_ANGULAR_CALLBACK |
SCAN_NETWORK |
SOFTWARE_SUSPICIOUS |
XSS_ERROR |
SCAN_HOST |
SOFTWARE_SUSPICIOUS |
XXE_REFLECTED_FILE_LEAKAGE |
SCAN_HOST |
SOFTWARE_SUSPICIOUS |
BASIC_AUTHENTICATION_ENABLED |
SCAN_UNCATEGORIZED |
|
CLIENT_CERT_AUTHENTICATION_DISABLED |
SCAN_UNCATEGORIZED |
|
LABELS_NOT_USED |
SCAN_UNCATEGORIZED |
|
PUBLIC_STORAGE_OBJECT |
SCAN_UNCATEGORIZED |
|
SQL_BROAD_ROOT_LOGIN |
SCAN_UNCATEGORIZED |
|
WEAK_CREDENTIALS |
SCAN_VULN_NETWORK |
NETWORK_MALICIOUS |
ELASTICSEARCH_API_EXPOSED |
SCAN_VULN_NETWORK |
NETWORK_MALICIOUS |
EXPOSED_GRAFANA_ENDPOINT |
SCAN_VULN_NETWORK |
NETWORK_MALICIOUS |
EXPOSED_METABASE |
SCAN_VULN_NETWORK |
NETWORK_MALICIOUS |
EXPOSED_SPRING_BOOT_ACTUATOR_ENDPOINT |
SCAN_VULN_NETWORK |
|
HADOOP_YARN_UNAUTHENTICATED_RESOURCE_MANAGER_API |
SCAN_VULN_NETWORK |
NETWORK_SUSPICIOUS |
JAVA_JMX_RMI_EXPOSED |
SCAN_VULN_NETWORK |
NETWORK_SUSPICIOUS |
JUPYTER_NOTEBOOK_EXPOSED_UI |
SCAN_VULN_NETWORK |
|
KUBERNETES_API_EXPOSED |
SCAN_VULN_NETWORK |
NETWORK_SUSPICIOUS |
UNFINISHED_WORDPRESS_INSTALLATION |
SCAN_VULN_NETWORK |
NETWORK_SUSPICIOUS |
UNAUTHENTICATED_JENKINS_NEW_ITEM_CONSOLE |
SCAN_VULN_NETWORK |
NETWORK_SUSPICIOUS |
APACHE_HTTPD_RCE |
SCAN_VULN_NETWORK |
NETWORK_SUSPICIOUS |
APACHE_HTTPD_SSRF |
SCAN_VULN_NETWORK |
NETWORK_SUSPICIOUS |
CONSUL_RCE |
SCAN_VULN_NETWORK |
NETWORK_SUSPICIOUS |
DRUID_RCE |
SCAN_VULN_NETWORK |
|
DRUPAL_RCE |
SCAN_VULN_NETWORK |
NETWORK_SUSPICIOUS |
FLINK_FILE_DISCLOSURE |
SCAN_VULN_NETWORK |
NETWORK_SUSPICIOUS |
GITLAB_RCE |
SCAN_VULN_NETWORK |
SOFTWARE_SUSPICIOUS |
GoCD_RCE |
SCAN_VULN_NETWORK |
SOFTWARE_SUSPICIOUS |
JENKINS_RCE |
SCAN_VULN_NETWORK |
SOFTWARE_SUSPICIOUS |
JOOMLA_RCE |
SCAN_VULN_NETWORK |
SOFTWARE_SUSPICIOUS |
LOG4J_RCE |
SCAN_VULN_NETWORK |
SOFTWARE_SUSPICIOUS |
MANTISBT_PRIVILEGE_ESCALATION |
SCAN_VULN_NETWORK |
SOFTWARE_SUSPICIOUS |
OGNL_RCE |
SCAN_VULN_NETWORK |
SOFTWARE_SUSPICIOUS |
OPENAM_RCE |
SCAN_VULN_NETWORK |
SOFTWARE_SUSPICIOUS |
ORACLE_WEBLOGIC_RCE |
SCAN_VULN_NETWORK |
SOFTWARE_SUSPICIOUS |
PHPUNIT_RCE |
SCAN_VULN_NETWORK |
SOFTWARE_SUSPICIOUS |
PHP_CGI_RCE |
SCAN_VULN_NETWORK |
SOFTWARE_SUSPICIOUS |
PORTAL_RCE |
SCAN_VULN_NETWORK |
SOFTWARE_SUSPICIOUS |
REDIS_RCE |
SCAN_VULN_NETWORK |
SOFTWARE_SUSPICIOUS |
SOLR_FILE_EXPOSED |
SCAN_VULN_NETWORK |
SOFTWARE_SUSPICIOUS |
SOLR_RCE |
SCAN_VULN_NETWORK |
SOFTWARE_SUSPICIOUS |
STRUTS_RCE |
SCAN_VULN_NETWORK |
SOFTWARE_SUSPICIOUS |
TOMCAT_FILE_DISCLOSURE |
SCAN_VULN_NETWORK |
SOFTWARE_SUSPICIOUS |
VBULLETIN_RCE |
SCAN_VULN_NETWORK |
SOFTWARE_SUSPICIOUS |
VCENTER_RCE |
SCAN_VULN_NETWORK |
SOFTWARE_SUSPICIOUS |
WEBLOGIC_RCE |
SCAN_VULN_NETWORK |
SOFTWARE_SUSPICIOUS |
OS_VULNERABILITY |
SCAN_VULN_HOST |
|
IAM_ROLE_HAS_EXCESSIVE_PERMISSIONS |
SCAN_UNCATEGORIZED |
SOFTWARE_SUSPICIOUS |
SERVICE_AGENT_GRANTED_BASIC_ROLE |
SCAN_UNCATEGORIZED |
SOFTWARE_SUSPICIOUS |
UNUSED_IAM_ROLE |
SCAN_UNCATEGORIZED |
|
SERVICE_AGENT_ROLE_REPLACED_WITH_BASIC_ROLE |
SCAN_UNCATEGORIZED |
SOFTWARE_SUSPICIOUS |
MISCONFIGURATION category to UDM event type
The following table lists the MISCONFIGURATION category and their corresponding UDM event types.
Event Identifier | Event Type |
---|---|
API_KEY_APIS_UNRESTRICTED | SCAN_UNCATEGORIZED |
API_KEY_APPS_UNRESTRICTED | SCAN_UNCATEGORIZED |
API_KEY_EXISTS | SCAN_UNCATEGORIZED |
API_KEY_NOT_ROTATED | SCAN_UNCATEGORIZED |
PUBLIC_COMPUTE_IMAGE | SCAN_HOST |
CONFIDENTIAL_COMPUTING_DISABLED | SCAN_HOST |
COMPUTE_PROJECT_WIDE_SSH_KEYS_ALLOWED | SCAN_UNCATEGORIZED |
COMPUTE_SECURE_BOOT_DISABLED | SCAN_HOST |
DEFAULT_SERVICE_ACCOUNT_USED | SCAN_UNCATEGORIZED |
FULL_API_ACCESS | SCAN_UNCATEGORIZED |
OS_LOGIN_DISABLED | SCAN_UNCATEGORIZED |
PUBLIC_IP_ADDRESS | SCAN_UNCATEGORIZED |
SHIELDED_VM_DISABLED | SCAN_UNCATEGORIZED |
COMPUTE_SERIAL_PORTS_ENABLED | SCAN_NETWORK |
DISK_CMEK_DISABLED | SCAN_UNCATEGORIZED |
HTTP_LOAD_BALANCER | SCAN_NETWORK |
IP_FORWARDING_ENABLED | SCAN_UNCATEGORIZED |
WEAK_SSL_POLICY | SCAN_NETWORK |
BINARY_AUTHORIZATION_DISABLED | SCAN_UNCATEGORIZED |
CLUSTER_LOGGING_DISABLED | SCAN_UNCATEGORIZED |
CLUSTER_MONITORING_DISABLED | SCAN_UNCATEGORIZED |
CLUSTER_PRIVATE_GOOGLE_ACCESS_DISABLED | SCAN_UNCATEGORIZED |
CLUSTER_SECRETS_ENCRYPTION_DISABLED | SCAN_UNCATEGORIZED |
INTRANODE_VISIBILITY_DISABLED | SCAN_UNCATEGORIZED |
MASTER_AUTHORIZED_NETWORKS_DISABLED | SCAN_UNCATEGORIZED |
NETWORK_POLICY_DISABLED | SCAN_UNCATEGORIZED |
NODEPOOL_SECURE_BOOT_DISABLED | SCAN_UNCATEGORIZED |
OVER_PRIVILEGED_ACCOUNT | SCAN_UNCATEGORIZED |
OVER_PRIVILEGED_SCOPES | SCAN_UNCATEGORIZED |
POD_SECURITY_POLICY_DISABLED | SCAN_UNCATEGORIZED |
PRIVATE_CLUSTER_DISABLED | SCAN_UNCATEGORIZED |
WORKLOAD_IDENTITY_DISABLED | SCAN_UNCATEGORIZED |
LEGACY_AUTHORIZATION_ENABLED | SCAN_UNCATEGORIZED |
NODEPOOL_BOOT_CMEK_DISABLED | SCAN_UNCATEGORIZED |
WEB_UI_ENABLED | SCAN_UNCATEGORIZED |
AUTO_REPAIR_DISABLED | SCAN_UNCATEGORIZED |
AUTO_UPGRADE_DISABLED | SCAN_UNCATEGORIZED |
CLUSTER_SHIELDED_NODES_DISABLED | SCAN_UNCATEGORIZED |
RELEASE_CHANNEL_DISABLED | SCAN_UNCATEGORIZED |
BIGQUERY_TABLE_CMEK_DISABLED | SCAN_UNCATEGORIZED |
DATASET_CMEK_DISABLED | SCAN_UNCATEGORIZED |
EGRESS_DENY_RULE_NOT_SET | SCAN_NETWORK |
FIREWALL_RULE_LOGGING_DISABLED | SCAN_NETWORK |
OPEN_CASSANDRA_PORT | SCAN_NETWORK |
OPEN_SMTP_PORT | SCAN_NETWORK |
OPEN_REDIS_PORT | SCAN_NETWORK |
OPEN_POSTGRESQL_PORT | SCAN_NETWORK |
OPEN_POP3_PORT | SCAN_NETWORK |
OPEN_ORACLEDB_PORT | SCAN_NETWORK |
OPEN_NETBIOS_PORT | SCAN_NETWORK |
OPEN_MYSQL_PORT | SCAN_NETWORK |
OPEN_MONGODB_PORT | SCAN_NETWORK |
OPEN_MEMCACHED_PORT | SCAN_NETWORK |
OPEN_LDAP_PORT | SCAN_NETWORK |
OPEN_FTP_PORT | SCAN_NETWORK |
OPEN_ELASTICSEARCH_PORT | SCAN_NETWORK |
OPEN_DNS_PORT | SCAN_NETWORK |
OPEN_HTTP_PORT | SCAN_NETWORK |
OPEN_DIRECTORY_SERVICES_PORT | SCAN_NETWORK |
OPEN_CISCOSECURE_WEBSM_PORT | SCAN_NETWORK |
OPEN_RDP_PORT | SCAN_NETWORK |
OPEN_TELNET_PORT | SCAN_NETWORK |
OPEN_FIREWALL | SCAN_NETWORK |
OPEN_SSH_PORT | SCAN_NETWORK |
SERVICE_ACCOUNT_ROLE_SEPARATION | SCAN_UNCATEGORIZED |
NON_ORG_IAM_MEMBER | SCAN_UNCATEGORIZED |
OVER_PRIVILEGED_SERVICE_ACCOUNT_USER | SCAN_UNCATEGORIZED |
ADMIN_SERVICE_ACCOUNT | SCAN_UNCATEGORIZED |
SERVICE_ACCOUNT_KEY_NOT_ROTATED | SCAN_UNCATEGORIZED |
USER_MANAGED_SERVICE_ACCOUNT_KEY | SCAN_UNCATEGORIZED |
PRIMITIVE_ROLES_USED | SCAN_UNCATEGORIZED |
KMS_ROLE_SEPARATION | SCAN_UNCATEGORIZED |
OPEN_GROUP_IAM_MEMBER | SCAN_UNCATEGORIZED |
KMS_KEY_NOT_ROTATED | SCAN_UNCATEGORIZED |
KMS_PROJECT_HAS_OWNER | SCAN_UNCATEGORIZED |
TOO_MANY_KMS_USERS | SCAN_UNCATEGORIZED |
OBJECT_VERSIONING_DISABLED | SCAN_UNCATEGORIZED |
LOCKED_RETENTION_POLICY_NOT_SET | SCAN_UNCATEGORIZED |
BUCKET_LOGGING_DISABLED | SCAN_UNCATEGORIZED |
LOG_NOT_EXPORTED | SCAN_UNCATEGORIZED |
AUDIT_LOGGING_DISABLED | SCAN_UNCATEGORIZED |
MFA_NOT_ENFORCED | SCAN_UNCATEGORIZED |
ROUTE_NOT_MONITORED | SCAN_NETWORK |
OWNER_NOT_MONITORED | SCAN_NETWORK |
AUDIT_CONFIG_NOT_MONITORED | SCAN_UNCATEGORIZED |
BUCKET_IAM_NOT_MONITORED | SCAN_UNCATEGORIZED |
CUSTOM_ROLE_NOT_MONITORED | SCAN_UNCATEGORIZED |
FIREWALL_NOT_MONITORED | SCAN_NETWORK |
NETWORK_NOT_MONITORED | SCAN_NETWORK |
SQL_INSTANCE_NOT_MONITORED | SCAN_UNCATEGORIZED |
DEFAULT_NETWORK | SCAN_NETWORK |
DNS_LOGGING_DISABLED | SCAN_NETWORK |
PUBSUB_CMEK_DISABLED | SCAN_UNCATEGORIZED |
PUBLIC_SQL_INSTANCE | SCAN_NETWORK |
SSL_NOT_ENFORCED | SCAN_NETWORK |
AUTO_BACKUP_DISABLED | SCAN_UNCATEGORIZED |
SQL_CMEK_DISABLED | SCAN_UNCATEGORIZED |
SQL_LOG_CHECKPOINTS_DISABLED | SCAN_UNCATEGORIZED |
SQL_LOG_CONNECTIONS_DISABLED | SCAN_UNCATEGORIZED |
SQL_LOG_DISCONNECTIONS_DISABLED | SCAN_UNCATEGORIZED |
SQL_LOG_DURATION_DISABLED | SCAN_UNCATEGORIZED |
SQL_LOG_LOCK_WAITS_DISABLED | SCAN_UNCATEGORIZED |
SQL_LOG_STATEMENT | SCAN_UNCATEGORIZED |
SQL_NO_ROOT_PASSWORD | SCAN_UNCATEGORIZED |
SQL_PUBLIC_IP | SCAN_NETWORK |
SQL_CONTAINED_DATABASE_AUTHENTICATION | SCAN_UNCATEGORIZED |
SQL_CROSS_DB_OWNERSHIP_CHAINING | SCAN_UNCATEGORIZED |
SQL_LOCAL_INFILE | SCAN_UNCATEGORIZED |
SQL_LOG_MIN_ERROR_STATEMENT | SCAN_UNCATEGORIZED |
SQL_LOG_MIN_ERROR_STATEMENT_SEVERITY | SCAN_UNCATEGORIZED |
SQL_LOG_TEMP_FILES | SCAN_UNCATEGORIZED |
SQL_REMOTE_ACCESS_ENABLED | SCAN_UNCATEGORIZED |
SQL_SKIP_SHOW_DATABASE_DISABLED | SCAN_UNCATEGORIZED |
SQL_TRACE_FLAG_3625 | SCAN_UNCATEGORIZED |
SQL_USER_CONNECTIONS_CONFIGURED | SCAN_UNCATEGORIZED |
SQL_USER_OPTIONS_CONFIGURED | SCAN_UNCATEGORIZED |
PUBLIC_BUCKET_ACL | SCAN_UNCATEGORIZED |
BUCKET_POLICY_ONLY_DISABLED | SCAN_UNCATEGORIZED |
BUCKET_CMEK_DISABLED | SCAN_UNCATEGORIZED |
FLOW_LOGS_DISABLED | SCAN_NETWORK |
PRIVATE_GOOGLE_ACCESS_DISABLED | SCAN_NETWORK |
kms_key_region_europe | SCAN_UNCATEGORIZED |
kms_non_euro_region | SCAN_UNCATEGORIZED |
LEGACY_NETWORK | SCAN_NETWORK |
LOAD_BALANCER_LOGGING_DISABLED | SCAN_NETWORK |
INSTANCE_OS_LOGIN_DISABLED | SCAN_UNCATEGORIZED |
GKE_PRIVILEGE_ESCALATION | SCAN_UNCATEGORIZED |
GKE_RUN_AS_NONROOT | SCAN_UNCATEGORIZED |
GKE_HOST_PATH_VOLUMES | SCAN_UNCATEGORIZED |
GKE_HOST_NAMESPACES | SCAN_UNCATEGORIZED |
GKE_PRIVILEGED_CONTAINERS | SCAN_UNCATEGORIZED |
GKE_HOST_PORTS | SCAN_UNCATEGORIZED |
GKE_CAPABILITIES | SCAN_UNCATEGORIZED |
OBSERVATION category to UDM event type
The following table lists the OBSERVATION category and their corresponding UDM event types.
Event Identifier | Event Type |
---|---|
Persistence: Project SSH Key Added | SETTING_MODIFICATION |
Persistence: Add Sensitive Role | RESOURCE_PERMISSIONS_CHANGE |
Impact: GPU Instance Created | USER_RESOURCE_CREATION |
Impact: Many Instances Created | USER_RESOURCE_CREATION |
ERROR category to UDM event type
The following table lists the ERROR category and their corresponding UDM event types.
Event Identifier | Event Type |
---|---|
VPC_SC_RESTRICTION | SCAN_UNCATEGORIZED |
MISCONFIGURED_CLOUD_LOGGING_EXPORT | SCAN_UNCATEGORIZED |
API_DISABLED | SCAN_UNCATEGORIZED |
KTD_IMAGE_PULL_FAILURE | SCAN_UNCATEGORIZED |
KTD_BLOCKED_BY_ADMISSION_CONTROLLER | SCAN_UNCATEGORIZED |
KTD_SERVICE_ACCOUNT_MISSING_PERMISSIONS | SCAN_UNCATEGORIZED |
GKE_SERVICE_ACCOUNT_MISSING_PERMISSIONS | SCAN_UNCATEGORIZED |
SCC_SERVICE_ACCOUNT_MISSING_PERMISSIONS | SCAN_UNCATEGORIZED |
UNSPECIFIED category to UDM event type
The following table lists the UNSPECIFIED category and their corresponding UDM event types.
Event Identifier | Event Type | Security Category |
---|---|---|
OPEN_FIREWALL |
SCAN_VULN_HOST |
POLICY_VIOLATION |
POSTURE_VIOLATION category to UDM event type
The following table lists the POSTURE_VIOLATION category and their corresponding UDM event types.
Event Identifier | Event Type |
---|---|
SECURITY_POSTURE_DRIFT |
SERVICE_MODIFICATION |
SECURITY_POSTURE_POLICY_DRIFT |
SCAN_UNCATEGORIZED |
SECURITY_POSTURE_POLICY_DELETE |
SCAN_UNCATEGORIZED |
SECURITY_POSTURE_DETECTOR_DRIFT |
SCAN_UNCATEGORIZED |
SECURITY_POSTURE_DETECTOR_DELETE |
SCAN_UNCATEGORIZED |
Field mapping reference: VULNERABILITY
The following table lists the log fields of the VULNERABILITY category and their corresponding UDM fields.
RawLog field | UDM mapping | Logic |
---|---|---|
assetDisplayName | target.asset.attribute.labels.key/value [assetDisplayName] | |
assetId | target.asset.asset_id | |
findingProviderId | target.resource.attribute.labels.key/value [findings_findingProviderId] | |
sourceDisplayName | target.resource.attribute.labels.key/value [sourceDisplayName] | |
sourceProperties.description | extensions.vuln.vulnerabilities.description | |
sourceProperties.finalUrl | network.http.referral_url | |
sourceProperties.form.fields | target.resource.attribute.labels.key/value [sourceProperties_form_fields] | |
sourceProperties.httpMethod | network.http.method | |
sourceProperties.name | target.resource.attribute.labels.key/value [sourceProperties_name] | |
sourceProperties.outdatedLibrary.learnMoreUrls | target.resource.attribute.labels.key/value[sourceProperties_outdatedLibrary_learnMoreUrls] | |
sourceProperties.outdatedLibrary.libraryName | target.resource.attribute.labels.key/value[outdatedLibrary.libraryName] | |
sourceProperties.outdatedLibrary.version | target.resource.attribute.labels.key/value[sourceProperties_outdatedLibrary_libraryName] | |
sourceProperties.ResourcePath | target.resource.attribute.labels.key/value[sourceProperties_ResourcePath] | |
externalUri | about.url | |
category | extensions.vuln.vulnerabilities.name | |
resourceName | principal.asset.location.name | Extracted region from resourceName using a Grok pattern, and mapped to the principal.asset.location.name UDM field. |
resourceName | principal.asset.product_object_id | Extracted asset_prod_obj_id from resourceName using a Grok pattern, and mapped to the principal.asset.product_object_id UDM field. |
resourceName | principal.asset.attribute.cloud.availability_zone | Extracted zone_suffix from resourceName using a Grok pattern, and mapped to the principal.asset.attribute.cloud.availability_zone UDM field. |
sourceProperties.RevokedIamPermissionsCount | security_result.detection_fields.key/value[revoked_Iam_permissions_count] | |
sourceProperties.TotalRecommendationsCount | security_result.detection_fields.key/value[total_recommendations_count] | |
sourceProperties.DeactivationReason | security_result.detection_fields.key/value[deactivation_reason] | |
iamBindings.role | about.user.attribute.roles.name | |
iamBindings.member | about.user.email_addresses | |
iamBindings.action | about.user.attribute.labels.key/value[action] |
Field mapping reference: MISCONFIGURATION
The following table lists the log fields of the MISCONFIGURATION category and their corresponding UDM fields.
RawLog field | UDM mapping |
---|---|
assetDisplayName | target.asset.attribute.labels.key/value [assetDisplayName] |
assetId | target.asset.asset_id |
externalUri | about.url |
findingProviderId | target.resource.attribute.labels[findingProviderId] |
sourceDisplayName | target.resource.attribute.labels[sourceDisplayName] |
sourceProperties.Recommendation | security_result.detection_fields.key/value[sourceProperties_Recommendation] |
sourceProperties.ExceptionInstructions | security_result.detection_fields.key/value[sourceProperties_ExceptionInstructions] |
sourceProperties.ScannerName | principal.labels.key/value[sourceProperties_ScannerName] |
sourceProperties.ResourcePath | target.resource.attribute.labels.key/value[sourceProperties_ResourcePath] |
sourceProperties.ReactivationCount | target.resource.attribute.labels.key/value [sourceProperties_ReactivationCount] |
sourceProperties.DeactivationReason | target.resource.attribute.labels.key/value [DeactivationReason] |
sourceProperties.ActionRequiredOnProject | target.resource.attribute.labels.key/value [sourceProperties_ActionRequiredOnProject] |
sourceProperties.VulnerableNetworkInterfaceNames | target.resource.attribute.labels.key/value [sourceProperties_VulnerableNetworkInterfaceNames] |
sourceProperties.VulnerableNodePools | target.resource.attribute.labels.key/value [sourceProperties_VulnerableNodePools] |
sourceProperties.VulnerableNodePoolsList | target.resource.attribute.labels.key/value [sourceProperties_VulnerableNodePoolsList] |
sourceProperties.AllowedOauthScopes | target.resource.attribute.permissions.name |
sourceProperties.ExposedService | target.application |
sourceProperties.OpenPorts.TCP | target.resource.attribute.labels.key/value[sourceProperties_OpenPorts_TCP] |
sourceProperties.OffendingIamRolesList.member | about.user.email_addresses |
sourceProperties.OffendingIamRolesList.roles | about.user.attribute.roles.name |
sourceProperties.ActivationTrigger | target.resource.attribute.labels.key/value [sourceProperties_ActivationTrigger] |
sourceProperties.MfaDetails.users | target.resource.attribute.labels.key/value [sourceProperties_MfaDetails_users] |
sourceProperties.MfaDetails.enrolled | target.resource.attribute.labels.key/value [sourceProperties_MfaDetails_enrolled] |
sourceProperties.MfaDetails.enforced | target.resource.attribute.labels.key/value [sourceProperties_MfaDetails_enforced] |
sourceProperties.MfaDetails.advancedProtection | target.resource.attribute.labels.key/value [sourceProperties_MfaDetails_advancedProtection] |
sourceProperties.cli_remediation | target.process.command_line_history |
sourceProperties.OpenPorts.UDP | target.resource.attribute.labels.key/value[sourceProperties_OpenPorts_UDP] |
sourceProperties.HasAdminRoles | target.resource.attribute.labels.key/value [sourceProperties_HasAdminRoles] |
sourceProperties.HasEditRoles | target.resource.attribute.labels.key/value [sourceProperties_HasEditRoles] |
sourceProperties.AllowedIpRange | target.resource.attribute.labels.key/value [sourceProperties_AllowedIpRange] |
sourceProperties.ExternalSourceRanges | target.resource.attribute.labels.key/value [sourceProperties_ExternalSourceRanges] |
sourceProperties.ExternallyAccessibleProtocolsAndPorts.IPProtocol | target.resource.attribute.labels.key/value [sourceProperties_ExternallyAccessibleProtocolsAndPorts_IPProtocol] |
sourceProperties.OpenPorts.SCTP | target.resource.attribute.labels.key/value[sourceProperties_OpenPorts_SCTP] |
sourceProperties.RecommendedLogFilter | target.resource.attribute.labels.key/value [sourceProperties_RecommendedLogFilter] |
sourceProperties.QualifiedLogMetricNames | target.resource.attribute.labels.key/value [sourceProperties_QualifiedLogMetricNames] |
sourceProperties.HasDefaultPolicy | target.resource.attribute.labels.key/value [sourceProperties_HasDefaultPolicy] |
sourceProperties.CompatibleFeatures | target.resource.attribute.labels.key/value [sourceProperties_CompatibleFeatures] |
sourceProperties.TargetProxyUrl | target.url |
sourceProperties.OffendingIamRolesList.description | about.user.attribute.roles.description |
sourceProperties.DatabaseVersion | target.resource.attribute.label[sourceProperties_DatabaseVersion] |
Field mapping reference: OBSERVATION
The following table lists the log fields of the OBSERVATION category and their corresponding UDM fields.
RawLog field | UDM mapping |
---|---|
findingProviderId | target.resource.attribute.labels[findingProviderId] |
sourceDisplayName | target.resource.attribute.labels.key/value [sourceDisplayName] |
assetDisplayName | target.asset.attribute.labels.key/value [asset_display_name] |
assetId | target.asset.asset_id |
Field mapping reference: ERROR
The following table lists the log fields of the ERROR category and their corresponding UDM fields.
RawLog field | UDM mapping |
---|---|
externalURI | about.url |
sourceProperties.ReactivationCount | target.resource.attribute.labels.key/value [sourceProperties_ReactivationCount] |
findingProviderId | target.resource.attribute.labels[findingProviderId] |
sourceDisplayName | target.resource.attribute.labels.key/value [sourceDisplayName] |
Field mapping reference: UNSPECIFIED
The following table lists the log fields of the UNSPECIFIED category and their corresponding UDM fields.
RawLog field | UDM mapping |
---|---|
sourceProperties.ScannerName | principal.labels.key/value [sourceProperties_ScannerName] |
sourceProperties.ResourcePath | src.resource.attribute.labels.key/value [sourceProperties_ResourcePath] |
sourceProperties.ReactivationCount | target.resource.attribute.labels.key/value [sourceProperties_ReactivationCount] |
sourceProperties.AllowedIpRange | target.resource.attribute.labels.key/value [sourceProperties_AllowedIpRange] |
sourceProperties.ExternallyAccessibleProtocolsAndPorts.IPProtocol | target.resource.attribute.labels.key/value [sourceProperties_ExternallyAccessibleProtocolsAndPorts_IPProtocol] |
sourceProperties.ExternallyAccessibleProtocolsAndPorts.ports | target.resource.attribute.labels.key/value [sourceProperties_ExternallyAccessibleProtocolsAndPorts_ports |
sourceDisplayName | target.resource.attribute.labels.key/value [sourceDisplayName] |
Field mapping reference: POSTURE_VIOLATION
The following table lists the log fields of the POSTURE_VIOLATION category and their corresponding UDM fields.
Log field | UDM mapping | Logic |
---|---|---|
finding.resourceName |
target.resource_ancestors.name |
If the finding.resourceName log field value is not empty, then the finding.resourceName log field is mapped to the target.resource.name UDM field.The project_name field is extracted from the finding.resourceName log field using the Grok pattern.If the project_name field value is not empty, then the project_name field is mapped to the target.resource_ancestors.name UDM field. |
resourceName |
target.resource_ancestors.name |
If the resourceName log field value is not empty, then the resourceName log field is mapped to the target.resource.name UDM field.The project_name field is extracted from the resourceName log field using the Grok pattern.If the project_name field value is not empty, then the project_name field is mapped to the target.resource_ancestors.name UDM field. |
finding.sourceProperties.posture_revision_id |
security_result.detection_fields[source_properties_posture_revision_id] |
|
sourceProperties.posture_revision_id |
security_result.detection_fields[source_properties_posture_revision_id] |
|
sourceProperties.revision_id |
security_result.detection_fields[source_properties_posture_revision_id] |
|
finding.sourceProperties.policy_drift_details.drift_details.expected_configuration |
security_result.rule_labels[policy_drift_details_expected_configuration] |
|
sourceProperties.policy_drift_details.drift_details.expected_configuration |
security_result.rule_labels[policy_drift_details_expected_configuration] |
|
finding.sourceProperties.policy_drift_details.drift_details.detected_configuration |
security_result.rule_labels[policy_drift_details_detected_configuration] |
|
sourceProperties.policy_drift_details.drift_details.detected_configuration |
security_result.rule_labels[policy_drift_details_detected_configuration] |
|
finding.sourceProperties.policy_drift_details.field_name |
security_result.rule_labels[policy_drift_details_field_name] |
|
sourceProperties.policy_drift_details.field_name |
security_result.rule_labels[policy_drift_details_field_name] |
|
finding.sourceProperties.changed_policy |
security_result.rule_name |
|
sourceProperties.changed_policy |
security_result.rule_name |
|
finding.sourceProperties.posture_deployment_resource |
security_result.detection_fields[source_properties_posture_deployment_resource] |
|
sourceProperties.posture_deployment_resource |
security_result.detection_fields[source_properties_posture_deployment_resource] |
|
finding.sourceProperties.posture_name |
target.application |
|
sourceProperties.posture_name |
target.application |
|
sourceProperties.name |
target.application |
|
finding.sourceProperties.posture_deployment_name |
security_result.detection_fields[source_properties_posture_deployment_name] |
|
sourceProperties.posture_deployment_name |
security_result.detection_fields[source_properties_posture_deployment_name] |
|
sourceProperties.posture_deployment |
security_result.detection_fields[source_properties_posture_deployment_name] |
|
finding.propertyDataTypes.policy_drift_details.listValues.propertyDataTypes.structValue.fields.drift_details.structValue.fields.expected_configuration.primitiveDataType |
security_result.rule_labels[expected_configuration_primitive_data_type] |
|
propertyDataTypes.policy_drift_details.listValues.propertyDataTypes.structValue.fields.drift_details.structValue.fields.expected_configuration.primitiveDataType |
security_result.rule_labels[expected_configuration_primitive_data_type] |
|
finding.propertyDataTypes.policy_drift_details.listValues.propertyDataTypes.structValue.fields.drift_details.structValue.fields.detected_configuration.primitiveDataType |
security_result.rule_labels[detected_configuration_primitive_data_type] |
|
propertyDataTypes.policy_drift_details.listValues.propertyDataTypes.structValue.fields.drift_details.structValue.fields.detected_configuration.primitiveDataType |
security_result.rule_labels[detected_configuration_primitive_data_type] |
|
finding.propertyDataTypes.policy_drift_details.listValues.propertyDataTypes.structValue.fields.field_name.primitiveDataType |
security_result.rule_labels[field_name_primitive_data_type] |
|
propertyDataTypes.policy_drift_details.listValues.propertyDataTypes.structValue.fields.field_name.primitiveDataType |
security_result.rule_labels[field_name_primitive_data_type] |
|
finding.propertyDataTypes.changed_policy.primitiveDataType |
security_result.rule_labels[changed_policy_primitive_data_type] |
|
propertyDataTypes.changed_policy.primitiveDataType |
security_result.rule_labels[changed_policy_primitive_data_type] |
|
finding.propertyDataTypes.posture_revision_id.primitiveDataType |
security_result.detection_fields[posture_revision_id_primitiveDataType] |
|
propertyDataTypes.posture_revision_id.primitiveDataType |
security_result.detection_fields[posture_revision_id_primitiveDataType] |
|
finding.propertyDataTypes.posture_name.primitiveDataType |
security_result.detection_fields[posture_name_primitiveDataType] |
|
propertyDataTypes.posture_name.primitiveDataType |
security_result.detection_fields[posture_name_primitiveDataType] |
|
finding.propertyDataTypes.posture_deployment_name.primitiveDataType |
security_result.detection_fields[posture_deployment_name_primitiveDataType] |
|
propertyDataTypes.posture_deployment_name.primitiveDataType |
security_result.detection_fields[posture_deployment_name_primitiveDataType] |
|
finding.propertyDataTypes.posture_deployment_resource.primitiveDataType |
security_result.detection_fields[posture_deployment_resource_primitiveDataType] |
|
propertyDataTypes.posture_deployment_resource.primitiveDataType |
security_result.detection_fields[posture_deployment_resource_primitiveDataType] |
|
finding.originalProviderId |
target.resource.attribute.labels[original_provider_id] |
|
originalProviderId |
target.resource.attribute.labels[original_provider_id] |
|
finding.securityPosture.name |
security_result.detection_fields[security_posture_name] |
|
securityPosture.name |
security_result.detection_fields[security_posture_name] |
|
finding.securityPosture.revisionId |
security_result.detection_fields[security_posture_revision_id] |
|
securityPosture.revisionId |
security_result.detection_fields[security_posture_revision_id] |
|
finding.securityPosture.postureDeploymentResource |
security_result.detection_fields[posture_deployment_resource] |
|
securityPosture.postureDeploymentResource |
security_result.detection_fields[posture_deployment_resource] |
|
finding.securityPosture.postureDeployment |
security_result.detection_fields[posture_deployment] |
|
securityPosture.postureDeployment |
security_result.detection_fields[posture_deployment] |
|
finding.securityPosture.changedPolicy |
security_result.rule_labels[changed_policy] |
|
securityPosture.changedPolicy |
security_result.rule_labels[changed_policy] |
|
finding.cloudProvider |
about.resource.attribute.cloud.environment |
If the finding.cloudProvider log field value contains one of the following values, then the finding.cloudProvider log field is mapped to the about.resource.attribute.cloud.environment UDM field.
|
cloudProvider |
about.resource.attribute.cloud.environment |
If the cloudProvider log field value contains one of the following values, then the cloudProvider log field is mapped to the about.resource.attribute.cloud.environment UDM field.
|
resource.cloudProvider |
target.resource.attribute.cloud.environment |
If the resource.cloudProvider log field value contains one of the following values, then the resource.cloudProvider log field is mapped to the target.resource.attribute.cloud.environment UDM field.
|
resource.organization |
target.resource.attribute.labels[resource_organization] |
|
resource.gcpMetadata.organization |
target.resource.attribute.labels[resource_organization] |
|
resource.service |
target.resource_ancestors.name |
|
resource.resourcePath.nodes.nodeType |
target.resource_ancestors.resource_subtype |
|
resource.resourcePath.nodes.id |
target.resource_ancestors.product_object_id |
|
resource.resourcePath.nodes.displayName |
target.resource_ancestors.name |
|
resource.resourcePathString |
target.resource.attribute.labels[resource_path_string] |
|
finding.risks.riskCategory |
security_result.detection_fields[risk_category] |
|
finding.securityPosture.policyDriftDetails.field |
security_result.rule_labels[policy_drift_details_field] |
|
finding.securityPosture.policyDriftDetails.expectedValue |
security_result.rule_labels[policy_drift_details_expected_value] |
|
finding.securityPosture.policyDriftDetails.detectedValue |
security_result.rule_labels[policy_drift_details_detected_value] |
|
finding.securityPosture.policySet |
security_result.rule_set |
|
sourceProperties.categories |
security_result.detection_fields[source_properties_categories] |
Common Fields: SECURITY COMMAND CENTER - VULNERABILITY, MISCONFIGURATION, OBSERVATION, ERROR, UNSPECIFIED, POSTURE_VIOLATION, TOXIC_COMBINATION
The following table lists common fields of the SECURITY COMMAND CENTER - VULNERABILITY
, MISCONFIGURATION
, OBSERVATION
, ERROR
, UNSPECIFIED
, POSTURE_VIOLATION
, TOXIC_COMBINATION
categories and their corresponding UDM fields.
RawLog field | UDM mapping | Logic |
---|---|---|
compliances.ids |
about.labels [compliance_ids] (deprecated) |
|
compliances.ids |
additional.fields [compliance_ids] |
|
compliances.version |
about.labels [compliance_version] (deprecated) |
|
compliances.version |
additional.fields [compliance_version] |
|
compliances.standard |
about.labels [compliances_standard] (deprecated) |
|
compliances.standard |
additional.fields [compliances_standard] |
|
connections.destinationIp |
about.labels [connections_destination_ip] (deprecated) |
If the connections.destinationIp log field value is not equal to the sourceProperties.properties.ipConnection.destIp , then the connections.destinationIp log field is mapped to the about.labels.value UDM field. |
connections.destinationIp |
additional.fields [connections_destination_ip] |
If the connections.destinationIp log field value is not equal to the sourceProperties.properties.ipConnection.destIp , then the connections.destinationIp log field is mapped to the additional.fields.value UDM field. |
connections.destinationPort |
about.labels [connections_destination_port] (deprecated) |
|
connections.destinationPort |
additional.fields [connections_destination_port] |
|
connections.protocol |
about.labels [connections_protocol] (deprecated) |
|
connections.protocol |
additional.fields [connections_protocol] |
|
connections.sourceIp |
about.labels [connections_source_ip] (deprecated) |
|
connections.sourceIp |
additional.fields [connections_source_ip] |
|
connections.sourcePort |
about.labels [connections_source_port] (deprecated) |
|
connections.sourcePort |
additional.fields [connections_source_port] |
|
kubernetes.pods.ns |
target.resource_ancestors.attribute.labels.key/value [kubernetes_pods_ns] |
|
kubernetes.pods.name |
target.resource_ancestors.name |
|
kubernetes.nodes.name |
target.resource_ancestors.name |
|
kubernetes.nodePools.name |
target.resource_ancestors.name |
|
|
target.resource_ancestors.resource_type |
The target.resource_ancestors.resource_type UDM field is set to CLUSTER . |
|
about.resource.attribute.cloud.environment |
The about.resource.attribute.cloud.environment UDM field is set to GOOGLE_CLOUD_PLATFORM . |
externalSystems.assignees |
about.resource.attribute.labels.key/value [externalSystems_assignees] |
|
externalSystems.status |
about.resource.attribute.labels.key/value [externalSystems_status] |
|
kubernetes.nodePools.nodes.name |
target.resource.attribute.labels.key/value [kubernetes_nodePools_nodes_name] |
|
kubernetes.pods.containers.uri |
target.resource.attribute.labels.key/value [kubernetes_pods_containers_uri] |
|
kubernetes.roles.kind |
target.resource.attribute.labels.key/value [kubernetes_roles_kind] |
|
kubernetes.roles.name |
target.resource.attribute.labels.key/value [kubernetes_roles_name] |
|
kubernetes.roles.ns |
target.resource.attribute.labels.key/value [kubernetes_roles_ns] |
|
kubernetes.pods.containers.labels.name/value |
target.resource.attribute.labels.key/value [kubernetes.pods.containers.labels.name/value] |
|
kubernetes.pods.labels.name/value |
target.resource.attribute.labels.key/value [kubernetes.pods.labels.name/value] |
|
externalSystems.externalSystemUpdateTime |
about.resource.attribute.last_update_time |
|
externalSystems.name |
about.resource.name |
|
externalSystems.externalUid |
about.resource.product_object_id |
|
indicator.uris |
about.url |
|
vulnerability.cve.references.uri |
extensions.vulns.vulnerabilities.about.labels [vulnerability.cve.references.uri] (deprecated) |
|
vulnerability.cve.references.uri |
additional.fields [vulnerability.cve.references.uri] |
|
vulnerability.cve.cvssv3.attackComplexity |
extensions.vulns.vulnerabilities.about.labels [vulnerability_cve_cvssv3_attackComplexity] (deprecated) |
|
vulnerability.cve.cvssv3.attackComplexity |
additional.fields [vulnerability_cve_cvssv3_attackComplexity] |
|
vulnerability.cve.cvssv3.availabilityImpact |
extensions.vulns.vulnerabilities.about.labels [vulnerability_cve_cvssv3_availabilityImpact] (deprecated) |
|
vulnerability.cve.cvssv3.availabilityImpact |
additional.fields [vulnerability_cve_cvssv3_availabilityImpact] |
|
vulnerability.cve.cvssv3.confidentialityImpact |
extensions.vulns.vulnerabilities.about.labels [vulnerability_cve_cvssv3_confidentialityImpact] (deprecated) |
|
vulnerability.cve.cvssv3.confidentialityImpact |
additional.fields [vulnerability_cve_cvssv3_confidentialityImpact] |
|
vulnerability.cve.cvssv3.integrityImpact |
extensions.vulns.vulnerabilities.about.labels [vulnerability_cve_cvssv3_integrityImpact] (deprecated) |
|
vulnerability.cve.cvssv3.integrityImpact |
additional.fields [vulnerability_cve_cvssv3_integrityImpact] |
|
vulnerability.cve.cvssv3.privilegesRequired |
extensions.vulns.vulnerabilities.about.labels [vulnerability_cve_cvssv3_privilegesRequired] (deprecated) |
|
vulnerability.cve.cvssv3.privilegesRequired |
additional.fields [vulnerability_cve_cvssv3_privilegesRequired] |
|
vulnerability.cve.cvssv3.scope |
extensions.vulns.vulnerabilities.about.labels [vulnerability_cve_cvssv3_scope] (deprecated) |
|
vulnerability.cve.cvssv3.scope |
additional.fields [vulnerability_cve_cvssv3_scope] |
|
vulnerability.cve.cvssv3.userInteraction |
extensions.vulns.vulnerabilities.about.labels [vulnerability_cve_cvssv3_userInteraction] (deprecated) |
|
vulnerability.cve.cvssv3.userInteraction |
additional.fields [vulnerability_cve_cvssv3_userInteraction] |
|
vulnerability.cve.references.source |
extensions.vulns.vulnerabilities.about.labels [vulnerability_cve_references_source] (deprecated) |
|
vulnerability.cve.references.source |
additional.fields [vulnerability_cve_references_source] |
|
vulnerability.cve.upstreamFixAvailable |
extensions.vulns.vulnerabilities.about.labels [vulnerability_cve_upstreamFixAvailable] (deprecated) |
|
vulnerability.cve.upstreamFixAvailable |
additional.fields [vulnerability_cve_upstreamFixAvailable] |
|
vulnerability.cve.id |
extensions.vulns.vulnerabilities.cve_id |
|
vulnerability.cve.cvssv3.baseScore |
extensions.vulns.vulnerabilities.cvss_base_score |
|
vulnerability.cve.cvssv3.attackVector |
extensions.vulns.vulnerabilities.cvss_vector |
|
vulnerability.cve.impact |
extensions.vulns.vulnerabilities.about.security_result.detection_fields[vulnerability_cve_impact] |
|
vulnerability.cve.exploitationActivity |
extensions.vulns.vulnerabilities.about.security_result.detection_fields[vulnerability_cve_exploitation_activity] |
|
parentDisplayName |
metadata.description |
|
eventTime |
metadata.event_timestamp |
|
category |
metadata.product_event_type |
|
sourceProperties.evidence.sourceLogId.insertId |
metadata.product_log_id |
If the canonicalName log field value is not empty, then the finding_id is extracted from the canonicalName log field using a Grok pattern.If the finding_id log field value is empty, then the sourceProperties.evidence.sourceLogId.insertId log field is mapped to the metadata.product_log_id UDM field.If the canonicalName log field value is empty, then the sourceProperties.evidence.sourceLogId.insertId log field is mapped to the metadata.product_log_id UDM field. |
sourceProperties.contextUris.cloudLoggingQueryUri.url |
security_result.detection_fields.key/value[sourceProperties_contextUris_cloudLoggingQueryUri_url] |
|
sourceProperties.sourceId.customerOrganizationNumber |
principal.resource.attribute.labels.key/value [sourceProperties_sourceId_customerOrganizationNumber] |
If the message log field value matches the regular expression sourceProperties.sourceId.*?customerOrganizationNumber , then the sourceProperties.sourceId.customerOrganizationNumber log field is mapped to the principal.resource.attribute.labels.value UDM field. |
resource.projectName |
principal.resource.name |
|
resource.gcpMetadata.project |
principal.resource.name |
|
|
principal.user.account_type |
If the access.principalSubject log field value matches the regular expression serviceAccount , then the principal.user.account_type UDM field is set to SERVICE_ACCOUNT_TYPE .Else if, the access.principalSubject log field value matches the regular expression user , then the principal.user.account_type UDM field is set to CLOUD_ACCOUNT_TYPE . |
access.principalSubject |
principal.user.attribute.labels.key/value [access_principalSubject] |
|
access.serviceAccountDelegationInfo.principalSubject |
principal.user.attribute.labels.key/value [access_serviceAccountDelegationInfo_principalSubject] |
|
access.serviceAccountKeyName |
principal.user.attribute.labels.key/value [access_serviceAccountKeyName] |
|
access.principalEmail |
principal.user.email_addresses |
If the access.principalEmail log field value is not empty and the access.principalEmail log field value matches the regular expression ^.+@.+$ , then the access.principalEmail log field is mapped to the principal.user.email_addresses UDM field. |
access.principalEmail |
principal.user.userid |
If the access.principalEmail log field value is not empty and the access.principalEmail log field value does not match the regular expression ^.+@.+$ , then the access.principalEmail log field is mapped to the principal.user.userid UDM field. |
database.userName |
principal.user.userid |
|
workflowState |
security_result.about.investigation.status |
|
sourceProperties.findingId |
metadata.product_log_id |
|
kubernetes.accessReviews.group |
target.resource.attribute.labels.key/value [kubernetes_accessReviews_group] |
|
kubernetes.accessReviews.name |
target.resource.attribute.labels.key/value [kubernetes_accessReviews_name] |
|
kubernetes.accessReviews.ns |
target.resource.attribute.labels.key/value [kubernetes_accessReviews_ns] |
|
kubernetes.accessReviews.resource |
target.resource.attribute.labels.key/value [kubernetes_accessReviews_resource] |
|
kubernetes.accessReviews.subresource |
target.resource.attribute.labels.key/value [kubernetes_accessReviews_subresource] |
|
kubernetes.accessReviews.verb |
target.resource.attribute.labels.key/value [kubernetes_accessReviews_verb] |
|
kubernetes.accessReviews.version |
target.resource.attribute.labels.key/value [kubernetes_accessReviews_version] |
|
kubernetes.bindings.name |
security_result.about.resource.attribute.labels.key/value [kubernetes_bindings_name] |
|
kubernetes.bindings.ns |
target.resource.attribute.labels.key/value [kubernetes_bindings_ns] |
|
kubernetes.bindings.role.kind |
target.resource.attribute.labels.key/value [kubernetes_bindings_role_kind] |
|
kubernetes.bindings.role.ns |
target.resource.attribute.labels.key/value [kubernetes_bindings_role_ns] |
|
kubernetes.bindings.subjects.kind |
target.resource.attribute.labels.key/value [kubernetes_bindings_subjects_kind] |
|
kubernetes.bindings.subjects.name |
target.resource.attribute.labels.key/value [kubernetes_bindings_subjects_name] |
|
kubernetes.bindings.subjects.ns |
target.resource.attribute.labels.key/value [kubernetes_bindings_subjects_ns] |
|
kubernetes.bindings.role.name |
target.resource.attribute.roles.name |
|
|
security_result.about.user.attribute.roles.name |
If the message log field value matches the regular expression contacts.?security , then the security_result.about.user.attribute.roles.name UDM field is set to security .If the message log field value matches the regular expression contacts.?technical , then the security_result.about.user.attribute.roles.name UDM field is set to Technical . |
contacts.security.contacts.email |
security_result.about.user.email_addresses |
|
contacts.technical.contacts.email |
security_result.about.user.email_addresses |
|
|
security_result.alert_state |
If the state log field value is equal to ACTIVE , then the security_result.alert_state UDM field is set to ALERTING .Else, the security_result.alert_state UDM field is set to NOT_ALERTING . |
findingClass, category |
security_result.catgory_details |
The findingClass - category log field is mapped to the security_result.catgory_details UDM field. |
description |
security_result.description |
|
indicator.signatures.memoryHashSignature.binaryFamily |
security_result.detection_fields.key/value [indicator_signatures_memoryHashSignature_binaryFamily] |
|
indicator.signatures.memoryHashSignature.detections.binary |
security_result.detection_fields.key/value [indicator_signatures_memoryHashSignature_detections_binary] |
|
indicator.signatures.memoryHashSignature.detections.percentPagesMatched |
security_result.detection_fields.key/value [indicator_signatures_memoryHashSignature_detections_percentPagesMatched] |
|
indicator.signatures.yaraRuleSignature.yararule |
security_result.detection_fields.key/value [indicator_signatures_yaraRuleSignature_yararule] |
|
mitreAttack.additionalTactics |
security_result.detection_fields.key/value [mitreAttack_additionalTactics] |
|
mitreAttack.additionalTechniques |
security_result.detection_fields.key/value [mitreAttack_additionalTechniques] |
|
mitreAttack.primaryTactic |
security_result.detection_fields.key/value [mitreAttack_primaryTactic] |
|
mitreAttack.primaryTechniques.0 |
security_result.detection_fields.key/value [mitreAttack_primaryTechniques] |
|
mitreAttack.version |
security_result.detection_fields.key/value [mitreAttack_version] |
|
muteInitiator |
security_result.detection_fields.key/value [mute_initiator] |
If the mute log field value is equal to MUTED or UNMUTED , then the muteInitiator log field is mapped to the security_result.detection_fields.value UDM field. |
muteUpdateTime |
security_result.detection_fields.key/value [mute_update_time] |
If the mute log field value is equal to MUTED or UNMUTED , then the muteUpdateTimer log field is mapped to the security_result.detection_fields.value UDM field. |
mute |
security_result.detection_fields.key/value [mute] |
|
securityMarks.canonicalName |
security_result.detection_fields.key/value [securityMarks_cannonicleName] |
|
securityMarks.marks |
security_result.detection_fields.key/value [securityMarks_marks] |
|
securityMarks.name |
security_result.detection_fields.key/value [securityMarks_name] |
|
sourceProperties.detectionCategory.indicator |
security_result.detection_fields.key/value [sourceProperties_detectionCategory_indicator] |
|
sourceProperties.detectionCategory.technique |
security_result.detection_fields.key/value [sourceProperties_detectionCategory_technique] |
|
sourceProperties.contextUris.mitreUri.url/displayName |
security_result.detection_fields.key/value [sourceProperties.contextUris.mitreUri.url/displayName] |
|
sourceProperties.contextUris.relatedFindingUri.url/displayName |
metadata.url_back_to_product |
If the category log field value is equal to Active Scan: Log4j Vulnerable to RCE or Exfiltration: BigQuery Data Extraction or Exfiltration: BigQuery Data to Google Drive or Exfiltration: CloudSQL Data Exfiltration or Exfiltration: CloudSQL Over-Privileged Grant or Exfiltration: CloudSQL Restore Backup to External Organization or Initial Access: Log4j Compromise Attempt or Malware: Cryptomining Bad Domain or Malware: Cryptomining Bad IP or Persistence: IAM Anomalous Grant , then the security_result.detection_fields.key UDM field is set to sourceProperties_contextUris_relatedFindingUri_url and the sourceProperties.contextUris.relatedFindingUri.url log field is mapped to the metadata.url_back_to_product UDM field. |
sourceProperties.contextUris.virustotalIndicatorQueryUri.url/displayName |
security_result.detection_fields.key/value [sourceProperties.contextUris.virustotalIndicatorQueryUri.url/displayName] |
If the category log field value is equal to Malware: Bad Domain or Malware: Bad IP or Malware: Cryptomining Bad Domain or Malware: Cryptomining Bad IP , then the sourceProperties.contextUris.virustotalIndicatorQueryUri.displayName log field is mapped to the security_result.detection_fields.key UDM field and the sourceProperties.contextUris.virustotalIndicatorQueryUri.url log field is mapped to the security_result.detection_fields.value UDM field. |
sourceProperties.contextUris.workspacesUri.url/displayName |
security_result.detection_fields.key/value [sourceProperties.contextUris.workspacesUri.url/displayName] |
If the category log field value is equal to Initial Access: Account Disabled Hijacked or Initial Access: Disabled Password Leak or Initial Access: Government Based Attack or Initial Access: Suspicious Login Blocked or Impair Defenses: Strong Authentication Disabled or Persistence: SSO Enablement Toggle or Persistence: SSO Settings Changed , then the sourceProperties.contextUris.workspacesUri.displayName log field is mapped to the security_result.detection_fields.key UDM field and the sourceProperties.contextUris.workspacesUri.url log field is mapped to the security_result.detection_fields.value UDM field. |
createTime |
security_result.detection_fields.key/value [create_time] |
|
nextSteps |
security_result.outcomes.key/value [next_steps] |
|
sourceProperties.detectionPriority |
security_result.priority |
If the sourceProperties.detectionPriority log field value is equal to HIGH , then the security_result.priority UDM field is set to HIGH_PRIORITY .Else if, the sourceProperties.detectionPriority log field value is equal to MEDIUM , then the security_result.priority UDM field is set to MEDIUM_PRIORITY .Else if, the sourceProperties.detectionPriority log field value is equal to LOW , then the security_result.priority UDM field is set to LOW_PRIORITY . |
sourceProperties.detectionCategory.subRuleName |
security_result.rule_labels.key/value [sourceProperties_detectionCategory_subRuleName] |
|
sourceProperties.detectionCategory.ruleName |
security_result.rule_name |
|
severity |
security_result.severity |
|
name |
security_result.url_back_to_product |
|
database.query |
src.process.command_line |
If the category log field value is equal to Exfiltration: CloudSQL Over-Privileged Grant , then the database.query log field is mapped to the src.process.command_line UDM field.Else, the database.query log field is mapped to the target.process.command_line UDM field. |
resource.folders.resourceFolderDisplayName |
src.resource_ancestors.attribute.labels.key/value [resource_folders_resourceFolderDisplayName] |
If the category log field value is equal to Exfiltration: BigQuery Data to Google Drive , then the resource.folders.resourceFolderDisplayName log field is mapped to the src.resource_ancestors.attribute.labels.value UDM field.Else, the resource.folders.resourceFolderDisplayName log field is mapped to the target.resource.attribute.labels.value UDM field. |
resource.gcpMetadata.folders.resourceFolderDisplay |
src.resource_ancestors.attribute.labels.key/value [resource_folders_resourceFolderDisplayName] |
If the category log field value is equal to Exfiltration: BigQuery Data to Google Drive , then the resource.gcpMetadata.folders.resourceFolderDisplay log field is mapped to the src.resource_ancestors.attribute.labels.value UDM field.Else, the resource.gcpMetadata.folders.resourceFolderDisplay log field is mapped to the target.resource.attribute.labels.value UDM field. |
resource.gcpMetadata.folders.resourceFolder |
src.resource_ancestors.name |
If the category log field value is equal to Exfiltration: BigQuery Data to Google Drive , then the resource.gcpMetadata.folders.resourceFolder log field is mapped to the src.resource_ancestors.name UDM field.Else, the resource.gcpMetadata.folders.resourceFolder log field is mapped to the target.resource_ancestors.name UDM field. |
resource.organization |
src.resource_ancestors.name |
If the category log field value is equal to Exfiltration: BigQuery Data to Google Drive , then the resource.organization log field is mapped to the src.resource_ancestors.name UDM field.Else, the resource.organization log field is mapped to the target.resource_ancestors.name UDM field. |
resource.gcpMetadata.organization |
src.resource_ancestors.name |
If the category log field value is equal to Exfiltration: BigQuery Data to Google Drive , then the resource.gcpMetadata.organization log field is mapped to the src.resource_ancestors.name UDM field.Else, the resource.gcpMetadata.organization log field is mapped to the target.resource_ancestors.name UDM field. |
resource.parentDisplayName |
src.resource_ancestors.attribute.labels.key/value [resource_parentDisplayName] |
If the category log field value is equal to Exfiltration: BigQuery Data to Google Drive , then the resource.parentDisplayName log field is mapped to the src.resource_ancestors.attribute.labels.key/value UDM field.Else, the resource.parentDisplayName log field is mapped to the target.resource.attribute.labels.value UDM field. |
resource.gcpMetadata.parentDisplayName |
src.resource_ancestors.attribute.labels.key/value [resource_parentDisplayName] |
If the category log field value is equal to Exfiltration: BigQuery Data to Google Drive , then the resource.gcpMetadata.parentDisplayName log field is mapped to the src.resource_ancestors.attribute.labels.key/value UDM field.Else, the resource.gcpMetadata.parentDisplayName log field is mapped to the target.resource.attribute.labels.value UDM field. |
resource.parentName |
src.resource_ancestors.attribute.labels.key/value [resource_parentName] |
If the category log field value is equal to Exfiltration: BigQuery Data to Google Drive , then the resource.parentName log field is mapped to the src.resource_ancestors.attribute.labels.key/value UDM field.Else, the resource.parentName log field is mapped to the target.resource.attribute.labels.value UDM field. |
resource.gcpMetadata.parent |
src.resource_ancestors.attribute.labels.key/value [resource_parentName] |
If the category log field value is equal to Exfiltration: BigQuery Data to Google Drive , then the resource.gcpMetadata.parent log field is mapped to the src.resource_ancestors.attribute.labels.key/value UDM field.Else, the resource.gcpMetadata.parent log field is mapped to the target.resource.attribute.labels.value UDM field. |
resource.projectDisplayName |
src.resource_ancestors.attribute.labels.key/value [resource_projectDisplayName] |
If the category log field value is equal to Exfiltration: BigQuery Data to Google Drive , then the resource.projectDisplayName log field is mapped to the src.resource_ancestors.attribute.labels.key/value UDM field.Else, the resource.projectDisplayName log field is mapped to the target.resource.attribute.labels.value UDM field. |
resource.gcpMetadata.projectDisplayName |
src.resource_ancestors.attribute.labels.key/value [resource_projectDisplayName] |
If the category log field value is equal to Exfiltration: BigQuery Data to Google Drive , then the resource.gcpMetadata.projectDisplayName log field is mapped to the src.resource_ancestors.attribute.labels.key/value UDM field.Else, the resource.gcpMetadata.projectDisplayName log field is mapped to the target.resource.attribute.labels.value UDM field. |
resource.type |
src.resource_ancestors.resource_subtype |
If the category log field value is equal to Exfiltration: BigQuery Data to Google Drive , then the resource.type log field is mapped to the src.resource_ancestors.resource_subtype UDM field. |
database.displayName |
src.resource.attribute.labels.key/value [database_displayName] |
If the category log field value is equal to Exfiltration: CloudSQL Over-Privileged Grant , then the database.displayName log field is mapped to the src.resource.attribute.labels.value UDM field. |
database.grantees |
src.resource.attribute.labels.key/value [database_grantees] |
If the category log field value is equal to Exfiltration: CloudSQL Over-Privileged Grant , then the src.resource.attribute.labels.key UDM field is set to grantees and the database.grantees log field is mapped to the src.resource.attribute.labels.value UDM field. |
resource.displayName |
src.resource.attribute.labels.key/value [resource_displayName] |
If the category log field value is equal to Exfiltration: BigQuery Data Exfiltration or Exfiltration: BigQuery Data to Google Drive , then the resource.displayName log field is mapped to the src.resource.attribute.labels.value UDM field.Else, the resource.displayName log field is mapped to the target.resource.attribute.labels.value UDM field. |
resource.display_name |
src.resource.attribute.labels.key/value [resource_display_name] |
If the category log field value is equal to Exfiltration: BigQuery Data Exfiltration or Exfiltration: BigQuery Data to Google Drive , then the resource.display_name log field is mapped to the src.resource.attribute.labels.value UDM field.Else, the resource.display_name log field is mapped to the target.resource.attribute.labels.value UDM field. |
resource.type |
src.resource_ancestors.resource_subtype |
If the category log field value is equal to Exfiltration: BigQuery Data to Google Drive , then the resource.type log field is mapped to the src.resource_ancestors.resource_subtype UDM field. |
database.displayName |
src.resource.attribute.labels.key/value [database_displayName] |
|
database.grantees |
src.resource.attribute.labels.key/value [database_grantees] |
|
resource.displayName |
target.resource.attribute.labels.key/value [resource_displayName] |
If the category log field value is equal to Exfiltration: BigQuery Data Exfiltration or Exfiltration: BigQuery Data to Google Drive , then the resource.displayName log field is mapped to the src.resource.attribute.labels.value UDM field.Else, the resource.displayName log field is mapped to the target.resource.attribute.labels.value UDM field. |
resource.display_name |
target.resource.attribute.labels.key/value [resource_display_name] |
If the category log field value is equal to Exfiltration: BigQuery Data Exfiltration or Exfiltration: BigQuery Data to Google Drive , then the resource.display_name log field is mapped to the src.resource.attribute.labels.value UDM field.Else, the resource.display_name log field is mapped to the target.resource.attribute.labels.value UDM field. |
exfiltration.sources.components |
src.resource.attribute.labels.key/value[exfiltration_sources_components] |
If the category log field value is equal to Exfiltration: CloudSQL Data Exfiltration or Exfiltration: BigQuery Data Extraction , then the exfiltration.sources.components log field is mapped to the src.resource.attribute.labels.value UDM field. |
resourceName |
src.resource.name |
If the category log field value is equal to Exfiltration: BigQuery Data Extraction or Exfiltration: BigQuery Data to Google Drive or Exfiltration: BigQuery Data Exfiltration , then the resourceName log field is mapped to the src.resource.name UDM field. |
database.name |
src.resource.name |
|
exfiltration.sources.name |
src.resource.name |
|
access.serviceName |
target.application |
If the category log field value is equal to Defense Evasion: Modify VPC Service Control or Exfiltration: BigQuery Data Extraction or Exfiltration: BigQuery Data to Google Drive or Exfiltration: CloudSQL Data Exfiltration or Exfiltration: CloudSQL Restore Backup to External Organization or Exfiltration: CloudSQL Over-Privileged Grant or Persistence: New Geography or Persistence: IAM Anomalous Grant , then the access.serviceName log field is mapped to the target.application UDM field. |
access.methodName |
target.labels [access_methodName] (deprecated) |
|
access.methodName |
additional.fields [access_methodName] |
|
processes.argumentsTruncated |
target.labels [processes_argumentsTruncated] (deprecated) |
|
processes.argumentsTruncated |
additional.fields [processes_argumentsTruncated] |
|
processes.binary.contents |
target.labels [processes_binary_contents] (deprecated) |
|
processes.binary.contents |
additional.fields [processes_binary_contents] |
|
processes.binary.hashedSize |
target.labels [processes_binary_hashedSize] (deprecated) |
|
processes.binary.hashedSize |
additional.fields [processes_binary_hashedSize] |
|
processes.binary.partiallyHashed |
target.labels [processes_binary_partiallyHashed] (deprecated) |
|
processes.binary.partiallyHashed |
additional.fields [processes_binary_partiallyHashed] |
|
processes.envVariables.name |
target.labels [processes_envVariables_name] (deprecated) |
|
processes.envVariables.name |
additional.fields [processes_envVariables_name] |
|
processes.envVariables.val |
target.labels [processes_envVariables_val] (deprecated) |
|
processes.envVariables.val |
additional.fields [processes_envVariables_val] |
|
processes.envVariablesTruncated |
target.labels [processes_envVariablesTruncated] (deprecated) |
|
processes.envVariablesTruncated |
additional.fields [processes_envVariablesTruncated] |
|
processes.libraries.contents |
target.labels [processes_libraries_contents] (deprecated) |
|
processes.libraries.contents |
additional.fields [processes_libraries_contents] |
|
processes.libraries.hashedSize |
target.labels [processes_libraries_hashedSize] (deprecated) |
|
processes.libraries.hashedSize |
additional.fields [processes_libraries_hashedSize] |
|
processes.libraries.partiallyHashed |
target.labels [processes_libraries_partiallyHashed] (deprecated) |
|
processes.libraries.partiallyHashed |
additional.fields [processes_libraries_partiallyHashed] |
|
processes.script.contents |
target.labels [processes_script_contents] (deprecated) |
|
processes.script.contents |
additional.fields [processes_script_contents] |
|
processes.script.hashedSize |
target.labels [processes_script_hashedSize] (deprecated) |
|
processes.script.hashedSize |
additional.fields [processes_script_hashedSize] |
|
processes.script.partiallyHashed |
target.labels [processes_script_partiallyHashed] (deprecated) |
|
processes.script.partiallyHashed |
additional.fields [processes_script_partiallyHashed] |
|
processes.parentPid |
target.parent_process.pid |
|
processes.args |
target.process.command_line_history [processes.args] |
|
processes.name |
target.process.file.full_path |
|
processes.binary.path |
target.process.file.full_path |
|
processes.libraries.path |
target.process.file.full_path |
|
processes.script.path |
target.process.file.full_path |
|
processes.binary.sha256 |
target.process.file.sha256 |
|
processes.libraries.sha256 |
target.process.file.sha256 |
|
processes.script.sha256 |
target.process.file.sha256 |
|
processes.binary.size |
target.process.file.size |
|
processes.libraries.size |
target.process.file.size |
|
processes.script.size |
target.process.file.size |
|
processes.pid |
target.process.pid |
|
containers.uri |
target.resource_ancestors.attribute.labels.key/value [containers_uri] |
|
containers.labels.name/value |
target.resource_ancestors.attribute.labels.key/value [containers.labels.name/value] |
|
resourceName |
target.resource_ancestors.name |
If the category log field value is equal to Malware: Bad Domain or Malware: Bad IP or Malware: Cryptomining Bad IP , then the resourceName log field is mapped to the target.resource_ancestors.name UDM field.Else if, the category log field value is equal to Brute Force: SSH , then the resourceName log field is mapped to the target.resource_ancestors.name UDM field.Else if, the category log field value is equal to Persistence: GCE Admin Added SSH Key or Persistence: GCE Admin Added Startup Script , then the sourceProperties.properties.projectId log field is mapped to the target.resource_ancestors.name UDM field. |
parent |
target.resource_ancestors.name |
|
sourceProperties.affectedResources.gcpResourceName |
target.resource_ancestors.name |
|
containers.name |
target.resource_ancestors.name |
|
kubernetes.pods.containers.name |
target.resource_ancestors.name |
|
sourceProperties.sourceId.projectNumber |
target.resource_ancestors.product_object_id |
|
sourceProperties.sourceId.customerOrganizationNumber |
target.resource_ancestors.product_object_id |
|
sourceProperties.sourceId.organizationNumber |
target.resource_ancestors.product_object_id |
|
containers.imageId |
target.resource_ancestors.product_object_id |
|
sourceProperties.properties.zone |
target.resource.attribute.cloud.availability_zone |
If the category log field value is equal to Brute Force: SSH , then the sourceProperties.properties.zone log field is mapped to the target.resource.attribute.cloud.availability_zone UDM field. |
canonicalName |
metadata.product_log_id |
The finding_id is extracted from the canonicalName log field using a Grok pattern.If the finding_id log field value is not empty, then the finding_id log field is mapped to the metadata.product_log_id UDM field. |
canonicalName |
src.resource.attribute.labels.key/value [finding_id] |
If the finding_id log field value is not empty, then the finding_id log field is mapped to the src.resource.attribute.labels.key/value [finding_id] UDM field. If the category log field value is equal to one of the following values, then the finding_id is extracted from the canonicalName log field using a Grok pattern:
|
canonicalName |
src.resource.product_object_id |
If the source_id log field value is not empty, then the source_id log field is mapped to the src.resource.product_object_id UDM field. If the category log field value is equal to one of the following values, then the source_id is extracted from the canonicalName log field using a Grok pattern:
|
canonicalName |
src.resource.attribute.labels.key/value [source_id] |
If the source_id log field value is not empty, then the source_id log field is mapped to the src.resource.attribute.labels.key/value [source_id] UDM field. If the category log field value is equal to one of the following values, then the source_id is extracted from the canonicalName log field using a Grok pattern:
|
canonicalName |
target.resource.attribute.labels.key/value [finding_id] |
If the finding_id log field value is not empty, then the finding_id log field is mapped to the target.resource.attribute.labels.key/value [finding_id] UDM field. If the category log field value is not equal to any of the following values, then the finding_id is extracted from the canonicalName log field using a Grok pattern:
|
canonicalName |
target.resource.product_object_id |
If the source_id log field value is not empty, then the source_id log field is mapped to the target.resource.product_object_id UDM field. If the category log field value is not equal to any of the following values, then the source_id is extracted from the canonicalName log field using a Grok pattern:
|
canonicalName |
target.resource.attribute.labels.key/value [source_id] |
If the source_id log field value is not empty, then the source_id log field is mapped to the target.resource.attribute.labels.key/value [source_id] UDM field. If the category log field value is not equal to any of the following values, then the source_id is extracted from the canonicalName log field using a Grok pattern:
|
exfiltration.targets.components |
target.resource.attribute.labels.key/value[exfiltration_targets_components] |
If the category log field value is equal to Exfiltration: CloudSQL Data Exfiltration or Exfiltration: BigQuery Data Extraction , then the exfiltration.targets.components log field is mapped to the target.resource.attribute.labels.key/value UDM field. |
resourceName |
target.resource.name |
If the category log field value is equal to Brute Force: SSH , then the resourceName log field is mapped to the target.resource_ancestors.name UDM field.Else if, the category log field value is equal to Malware: Bad Domain or Malware: Bad IP or Malware: Cryptomining Bad IP , then the resourceName log field is mapped to the target.resource_ancestors.name UDM field and the target.resource.resource_type UDM field is set to VIRTUAL_MACHINE .Else if, the category log field value is equal to Exfiltration: BigQuery Data Extraction or Exfiltration: BigQuery Data to Google Drive , then the exfiltration.target.name log field is mapped to the target.resource.name UDM field.Else if, the category log field value is equal to Exfiltration: BigQuery Data Exfiltration , then the exfiltration.target.name log field is mapped to the target.resource.name UDM field.Else, the resourceName log field is mapped to the target.resource.name UDM field. |
kubernetes.pods.containers.imageId |
target.resource_ancestors.product_object_id |
|
resource.project |
target.resource.attribute.labels.key/value [resource_project] |
|
resource.parent |
target.resource.attribute.labels.key/value [resource_parent] |
|
|
|
|
sourceProperties.Header_Signature.significantValues.value |
principal.location.country_or_region |
If the sourceProperties.Header_Signature.name log field value is equal to RegionCode , then the sourceProperties.Header_Signature.significantValues.value log field is mapped to principal.location.country_or_region UDM field.
|
sourceProperties.Header_Signature.significantValues.value |
principal.ip |
If the sourceProperties.Header_Signature.name log field value is equal to RemoteHost , then the sourceProperties.Header_Signature.significantValues.value log field is mapped to principal.ip UDM field.
|
sourceProperties.Header_Signature.significantValues.value |
network.http.user_agent |
If the sourceProperties.Header_Signature.name log field value is equal to UserAgent , then the sourceProperties.Header_Signature.significantValues.value log field is mapped to network.http.user_agent UDM field.
|
sourceProperties.Header_Signature.significantValues.value |
principal.url |
If the sourceProperties.Header_Signature.name log field value is equal to RequestUriPath , then the sourceProperties.Header_Signature.significantValues.value log field is mapped to principal.url UDM field.
|
sourceProperties.Header_Signature.significantValues.proportionInAttack |
security_result.detection_fields [proportionInAttack] |
|
sourceProperties.Header_Signature.significantValues.attackLikelihood |
security_result.detection_fields [attackLikelihood] |
|
sourceProperties.Header_Signature.significantValues.matchType |
security_result.detection_fields [matchType] |
|
sourceProperties.Header_Signature.significantValues.proportionInBaseline |
security_result.detection_fields [proportionInBaseline] |
|
sourceProperties.compromised_account |
principal.user.userid |
If the category log field value is equal to account_has_leaked_credentials , then the sourceProperties.compromised_account log field is mapped to principal.user.userid UDM field and the principal.user.account_type UDM field is set to SERVICE_ACCOUNT_TYPE .
|
sourceProperties.project_identifier |
principal.resource.product_object_id |
If the category log field value is equal to account_has_leaked_credentials , then the sourceProperties.project_identifier log field is mapped to principal.resource.product_object_id UDM field.
|
sourceProperties.private_key_identifier |
principal.user.attribute.labels.key/value [private_key_identifier] |
If the category log field value is equal to account_has_leaked_credentials , then the sourceProperties.private_key_identifier log field is mapped to principal.user.attribute.labels.value UDM field.
|
sourceProperties.action_taken |
principal.labels [action_taken] (deprecated) |
If the category log field value is equal to account_has_leaked_credentials , then the sourceProperties.action_taken log field is mapped to principal.labels.value UDM field.
|
sourceProperties.action_taken |
additional.fields [action_taken] |
If the category log field value is equal to account_has_leaked_credentials , then the sourceProperties.action_taken log field is mapped to additional.fields.value UDM field.
|
sourceProperties.finding_type |
principal.labels [finding_type] (deprecated) |
If the category log field value is equal to account_has_leaked_credentials , then the sourceProperties.finding_type log field is mapped to principal.labels.value UDM field.
|
sourceProperties.finding_type |
additional.fields [finding_type] |
If the category log field value is equal to account_has_leaked_credentials , then the sourceProperties.finding_type log field is mapped to additional.fields.value UDM field.
|
sourceProperties.url |
principal.user.attribute.labels.key/value [key_file_path] |
If the category log field value is equal to account_has_leaked_credentials , then the sourceProperties.url log field is mapped to principal.user.attribute.labels.value UDM field.
|
sourceProperties.security_result.summary |
security_result.summary |
If the category log field value is equal to account_has_leaked_credentials , then the sourceProperties.security_result.summary log field is mapped to security_result.summary UDM field.
|
kubernetes.objects.kind |
target.resource.attribute.labels[kubernetes_objects_kind] |
|
kubernetes.objects.ns |
target.resource.attribute.labels[kubernetes_objects_ns] |
|
kubernetes.objects.name |
target.resource.attribute.labels[kubernetes_objects_name] |
|
extensions.vulns.vulnerabilities.about.security_result.detection_fields[vulnerability_offendingPackage_packageName] |
vulnerability.offendingPackage.packageName |
|
extensions.vulns.vulnerabilities.about.security_result.detection_fields[vulnerability_offendingPackage_cpeUri] |
vulnerability.offendingPackage.cpeUri |
|
extensions.vulns.vulnerabilities.about.security_result.detection_fields[vulnerability_offendingPackage_packageType] |
vulnerability.offendingPackage.packageType |
|
extensions.vulns.vulnerabilities.about.security_result.detection_fields[vulnerability_offendingPackage_packageVersion] |
vulnerability.offendingPackage.packageVersion |
|
extensions.vulns.vulnerabilities.about.security_result.detection_fields[vulnerability_fixedPackage_packageName] |
vulnerability.fixedPackage.packageName |
|
extensions.vulns.vulnerabilities.about.security_result.detection_fields[vulnerability_fixedPackage_cpeUri] |
vulnerability.fixedPackage.cpeUri |
|
extensions.vulns.vulnerabilities.about.security_result.detection_fields[vulnerability_fixedPackage_packageType] |
vulnerability.fixedPackage.packageType |
|
extensions.vulns.vulnerabilities.about.security_result.detection_fields[vulnerability_fixedPackage_packageVersion] |
vulnerability.fixedPackage.packageVersion |
|
extensions.vulns.vulnerabilities.about.security_result.detection_fields[vulnerability_securityBulletin_bulletinId] |
vulnerability.securityBulletin.bulletinId |
|
security_result.detection_fields[vulnerability_securityBulletin_submissionTime] |
vulnerability.securityBulletin.submissionTime |
|
security_result.detection_fields[vulnerability_securityBulletin_suggestedUpgradeVersion] |
vulnerability.securityBulletin.suggestedUpgradeVersion |
|
target.location.name |
resource.location |
|
additional.fields[resource_service] |
resource.service |
|
target.resource_ancestors.attribute.labels[kubernetes_object_kind] |
kubernetes.objects.kind |
|
target.resource_ancestors.name |
kubernetes.objects.name |
|
kubernetes_res_ancestor.attribute.labels[kubernetes_objects_ns] |
kubernetes.objects.ns |
|
kubernetes_res_ancestor.attribute.labels[kubernetes_objects_group] |
kubernetes.objects.group |