Collect Google Workspace logs
This document explains how to collect Google Workspace logs by setting up a Google Security Operations feed, and how log fields map to Google Security Operations Unified Data Model (UDM) fields. It also lists the log types and event types supported for Google Workspace.
For more information, see Data ingestion to Google Security Operations.
A typical deployment consists of Google Workspace and a Google Security Operations feed configured to send logs to Google Security Operations. Each customer deployment can differ and might be more complex.
The deployment contains the following components:
Google Workspace: The Google Workspace platform from which you collect logs.
Google Security Operations feed: The Google Security Operations feed that fetches logs from Google Workspace and writes them to Google Security Operations.
Google Security Operations: Retains and analyzes the logs from Google Workspace.
An ingestion label identifies the parser that normalizes raw log data to structured UDM format. The information in this document applies to the Google Workspace parsers with the following ingestion labels:
WORKSPACE_ACTIVITY
WORKSPACE_ALERTS
WORKSPACE_CHROMEOS
WORKSPACE_GROUPS
WORKSPACE_MOBILE
WORKSPACE_PRIVILEGES
WORKSPACE_USERS
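Before you begin
Make sure that you are using the Google Workspace Business Standard or Business Plus edition, because the Google Workspace parser supports both editions.
Make sure that you have a Google Workspace administrator account.
Enable the following APIs in your Google Cloud project.
To authenticate to the Google Workspace APIs, create a service account in your Google Cloud project and note the service account's unique numeric ID and email address. For more information about creating a service account, see Create and manage service accounts.
Create a user for the service account to impersonate, and then grant permissions to the user:
- Sign in to the Google Admin console.
- Select Directory > Users, and then click Add new user.
- Enter the user details.
- Click Add new user.
- Click the link for the newly created user, and then click Admin roles and privileges.
- Click Collapse.
- Click Create custom role.
- Click Create new role, and then give the role a name.
- Grant the following privileges to the role:
  - Privileges > Reports
  - Privileges > Services > Alert Center > Full access > View access
  - Privileges > Services > Mobile Device Management > Manage Devices and Settings
  - Privileges > Services > Chrome Management > Settings
  - Admin API > Privileges > Users > Read
  - Admin API > Privileges > Groups > Read
- Click Continue, and then click Create role.
- Click Assign users.
- Select the user to assign the role to.
- Click Assign role.
Create access credentials. For more information about creating access credentials, see Create a service account key.
To access the data, authorize domain-wide delegation for the service account with the following scopes:
https://www.googleapis.com/auth/admin.reports.audit.readonly
https://www.googleapis.com/auth/apps.alerts
https://www.googleapis.com/auth/admin.directory.device.chromeos.readonly
https://www.googleapis.com/auth/admin.directory.group.readonly
https://www.googleapis.com/auth/admin.directory.device.mobile.readonly
https://www.googleapis.com/auth/admin.directory.rolemanagement.readonly
https://www.googleapis.com/auth/admin.directory.user.readonly
To find your Google Workspace customer ID, in the Google Admin console, select Account > Account settings > Profile.
Make sure that all systems in the deployment architecture are configured in the UTC time zone.
Check the log types that the Google Security Operations parser supports. For more information about the supported Google Workspace logs, see Supported Google Workspace log types.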
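Configure a feed in Google Security Operations to ingest Google Workspace logs
- From the navigation menu, select Settings > SIEM settings > Feeds.
- Click Add new.
- Select Third party API as the Source type.
- To create a feed for Workspace activities, select Workspace Activities as the Log type.
- Click Next.
Specify values for the following fields based on the Google Workspace configuration that you created:
- OAuth JWT endpoint. The endpoint for the OAuth JSON Web Token. Specify the token_uri value from the service account JSON key.
- JWT claims issuer. The client ID. Specify the client_email value from the service account JSON key. For example, InsertServiceAccount@project.iam.gserviceaccount.com.
- JWT claims subject. Specify the email address of the user that you created in the Google Workspace Admin console.
- JWT claims audience. Specify the token_uri value from the service account JSON key.
- RSA private key. The RSA private key in PEM format. The PEM key is provided in the service account key file. When you enter the private key, include the BEGIN PRIVATE KEY header and the END PRIVATE KEY footer, and replace every instance of the \n token with an actual Enter keystroke in the text box.
- Customer ID. For all log types except the alerts log type, the Customer ID field requires a leading 'C' character. If the Customer ID value does not include the leading 'C', add a 'C' in front of the value.
- Applications. The Applications field is required only when you create a feed for Workspace activities.
Click Next, and then click Submit.
After you complete the steps to create the feed for Workspace activities, repeat the preceding steps to create a separate feed for each of the following log types:
Workspace Alerts
Workspace ChromeOS Devices
Workspace Groups
Workspace Mobile Devices
Workspace Privileges
Workspace Users
For more information about Google Security Operations feeds, see the Google Security Operations feeds documentation. For the requirements of each feed type, see Feed configuration by type.
If you encounter issues when you create feeds, contact Google Security Operations support.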
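The feed field values described above can be derived from the service account JSON key and checked before they are pasted into the feed form. The following is an added example, not code from Google's documentation: the sample key, the function names, the `feed-reader@example.com` user and the customer ID are constructed, and leaving the alerts customer ID unchanged is an assumption, since the page only states that the leading 'C' requirement does not apply to alerts.

```python
import json

PEM_HEADER = "-----BEGIN PRIVATE KEY-----"
PEM_FOOTER = "-----END PRIVATE KEY-----"

# Scopes this page lists for domain-wide delegation.
REQUIRED_SCOPES = (
    "https://www.googleapis.com/auth/admin.reports.audit.readonly",
    "https://www.googleapis.com/auth/apps.alerts",
    "https://www.googleapis.com/auth/admin.directory.device.chromeos.readonly",
    "https://www.googleapis.com/auth/admin.directory.group.readonly",
    "https://www.googleapis.com/auth/admin.directory.device.mobile.readonly",
    "https://www.googleapis.com/auth/admin.directory.rolemanagement.readonly",
    "https://www.googleapis.com/auth/admin.directory.user.readonly",
)

# Constructed sample with the shape of a service account JSON key; not a real key.
SAMPLE_KEY_JSON = r'''{
  "type": "service_account",
  "client_email": "InsertServiceAccount@project.iam.gserviceaccount.com",
  "token_uri": "https://oauth2.googleapis.com/token",
  "private_key": "-----BEGIN PRIVATE KEY-----\nCONSTRUCTED+PLACEHOLDER\nNOT+A+REAL+KEY\n-----END PRIVATE KEY-----\n"
}'''


def pem_for_text_box(private_key):
    """Return the PEM with real line breaks and verified header/footer lines."""
    # Text copied straight out of the key file still holds literal backslash-n
    # tokens; a value that went through json.loads() already has real newlines.
    pem = private_key.replace("\\n", "\n")
    lines = [line.strip() for line in pem.splitlines() if line.strip()]
    if len(lines) < 3 or lines[0] != PEM_HEADER or lines[-1] != PEM_FOOTER:
        raise ValueError("key must keep its BEGIN/END PRIVATE KEY lines and a body")
    return "\n".join(lines)


def normalize_customer_id(customer_id, log_type):
    """Add the leading 'C' for every log type except alerts."""
    cid = customer_id.strip()
    if log_type == "WORKSPACE_ALERTS":
        return cid  # assumption: the alerts value is left exactly as entered
    return cid if cid.startswith("C") else "C" + cid


def missing_scopes(granted):
    """List the page's required scopes that a delegation entry lacks."""
    granted_set = {scope.strip() for scope in granted}
    return [scope for scope in REQUIRED_SCOPES if scope not in granted_set]


def feed_fields(key_json, admin_user_email, customer_id, log_type, applications=None):
    """Build the feed form values from a service account JSON key."""
    key = json.loads(key_json)
    absent = [name for name in ("token_uri", "client_email", "private_key")
              if not key.get(name)]
    if absent:
        raise ValueError("service account key lacks: " + ", ".join(absent))
    fields = {
        "OAuth JWT endpoint": key["token_uri"],
        "JWT claims issuer": key["client_email"],
        "JWT claims subject": admin_user_email,
        "JWT claims audience": key["token_uri"],
        "RSA private key": pem_for_text_box(key["private_key"]),
        "Customer ID": normalize_customer_id(customer_id, log_type),
    }
    if log_type == "WORKSPACE_ACTIVITY":
        if not applications:
            raise ValueError("Applications is required for Workspace activities")
        fields["Applications"] = list(applications)
    return fields


if __name__ == "__main__":
    values = feed_fields(SAMPLE_KEY_JSON, "feed-reader@example.com", "01abc2de3",
                         "WORKSPACE_ACTIVITY", applications=["login", "drive"])
    for name, value in values.items():
        if name == "RSA private key":
            # Never echo key material to a terminal or log.
            value = f"<{len(value.splitlines())} PEM lines, not printed>"
        print(f"{name}: {value}")
    print("Missing scopes:", missing_scopes(REQUIRED_SCOPES[:3]))
```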
Supported Google Workspace log types
The following sections list the log types that the Google Workspace parser supports.
WORKSPACE_ACTIVITY
The following table lists the application names and event types supported for the WORKSPACE_ACTIVITY log type.
Application name | Event type |
---|---|
access_transparency | GSUITE_RESOURCE |
chrome | CHROME_OS_ADD_REMOVE_USER_TYPE |
chrome | DEVICE_BOOT_STATE_CHANGE_TYPE |
chrome | CHROME_OS_LOGIN_LOGOUT_TYPE |
chrome | CHROME_OS_REPORTING_DATA_LOST_TYPE |
chrome | SAFE_BROWSING_PASSWORD_ALERT |
chrome | DLP_EVENTS_TYPE |
chrome | CONTENT_TRANSFER_TYPE |
chrome | CONTENT_UNSCANNED_TYPE |
chrome | EXTENSION_REQUEST_TYPE |
chrome | LOGIN_EVENT_TYPE |
chrome | MALWARE_TRANSFER_TYPE |
chrome | PASSWORD_BREACH_TYPE |
chrome | SENSITIVE_DATA_TRANSFER_TYPE |
chrome | UNSAFE_SITE_VISIT_TYPE |
context_aware_access | CONTEXT_AWARE_ACCESS_USER_EVENT |
gplus | comment_change |
gplus | plusone_change |
gplus | poll_vote_change |
gplus | post_change |
data_studio | ACCESS |
data_studio | ACL_CHANGE |
mobile | device_applications |
mobile | device_updates |
mobile | suspicious_activity |
groups_enterprise | moderator_action |
calendar | calendar_change |
calendar | notification |
calendar | subscription_change |
calendar | event_change |
calendar | interop |
chat | user_action |
gcp | CLOUD_OSLOGIN |
drive | access |
drive | acl_change |
drive | pooled_quota_metadata |
groups | acl_change |
groups | moderator_action |
keep | user_action |
meet | call |
token | auth |
rules | action_complete_type |
rules | rule_match_type |
rules | rule_trigger_type |
saml | login |
user_accounts | 2sv_change |
user_accounts | password_change |
user_accounts | recovery_info_change |
user_accounts | titanium_change |
user_accounts | email_forwarding_change |
login | 2sv_change |
login | password_change |
login | recovery_info_change |
login | account_warning |
login | titanium_change |
login | email_forwarding_change |
jamboard | administrative_action |
jamboard | setting_change |
jamboard | status_change |
admin | USER_SETTINGS |
For more information about the Google Workspace applications that Google Security Operations supports, see Google Workspace applications.
WORKSPACE_ALERTS
The following is the list of supported alert types:
Customer takeout initiated
Malware reclassification
Misconfigured whitelist
Phishing reclassification
Suspicious message reported
User reported phishing
User reported spam spike
Leaked password
Suspicious login
Suspicious login (less secure app)
Suspicious programmatic login
User suspended
User suspended (spam)
User suspended (spam through relay)
User suspended (suspicious activity)
Google Operations
Configuration problem
Government attack warning
Device compromised
Suspicious activity
AppMaker Default Cloud SQL setup
Activity Rule
Data Loss Prevention
Apps outage
Primary admin changed
SSO profile added
SSO profile updated
SSO profile deleted
Super admin password reset
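WORKSPACE_CHROMEOS
For more information about the supported ChromeOS log schema, see ChromeOS devices.
WORKSPACE_GROUPS
For more information about the supported groups log schema, see Groups.
WORKSPACE_MOBILE
For more information about the supported mobile log schema, see Mobile.
WORKSPACE_PRIVILEGES
For more information about the supported privileges log schema, see Privileges.
WORKSPACE_USERS
For more information about the supported users log schema, see Users.
Field mapping reference
The following sections explain how the Google Security Operations parser maps Google Workspace log fields to Google Security Operations Unified Data Model (UDM) fields. The field mappings for this parser stay the same for feed-based ingestion and native ingestion.
Field mapping reference: WORKSPACE_ACTIVITY log type to UDM event type
The following table lists the WORKSPACE_ACTIVITY log types and their corresponding UDM event types.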
Workspace application | Event identifier | Event type |
---|---|---|
access_transparency |
ACCESS |
USER_RESOURCE_ACCESS |
chrome |
CHROME_OS_ADD_USER |
USER_CREATION |
chrome |
CHROME_OS_REMOVE_USER |
USER_DELETION |
chrome |
DEVICE_BOOT_STATE_CHANGE |
SETTING_MODIFICATION |
chrome |
CHROME_OS_LOGIN_FAILURE_EVENT |
USER_LOGIN |
chrome |
CHROME_OS_LOGIN_LOGOUT_EVENT |
USER_LOGIN |
chrome |
CHROME_OS_LOGIN_EVENT |
USER_LOGIN |
chrome |
CHROME_OS_LOGOUT_EVENT |
USER_LOGOUT |
chrome |
CHROME_OS_REPORTING_DATA_LOST |
STATUS_UPDATE |
chrome |
PASSWORD_CHANGED |
USER_CHANGE_PASSWORD |
chrome |
PASSWORD_REUSE |
USER_UNCATEGORIZED |
chrome |
DLP_EVENT |
USER_UNCATEGORIZED |
chrome |
CONTENT_TRANSFER |
STATUS_UNCATEGORIZED |
chrome |
CONTENT_UNSCANNED |
SCAN_UNCATEGORIZED |
chrome |
EXTENSION_REQUEST |
USER_UNCATEGORIZED |
chrome |
LOGIN_EVENT |
USER_LOGIN |
chrome |
MALWARE_TRANSFER |
SCAN_UNCATEGORIZED . The security category is |
chrome |
PASSWORD_BREACH |
USER_RESOURCE_ACCESS . The security category is |
chrome |
SENSITIVE_DATA_TRANSFER |
SCAN_UNCATEGORIZED |
chrome |
UNSAFE_SITE_VISIT |
NETWORK_UNCATEGORIZED . The security category is |
chrome |
BROWSER_CRASH |
STATUS_UNCATEGORIZED |
chrome |
BROWSER_EXTENSION_INSTALL |
USER_RESOURCE_UPDATE_CONTENT |
chrome |
CHROMEOS_AFFILIATED_LOCK_SUCCESS |
USER_LOGOUT |
chrome |
CHROMEOS_AFFILIATED_UNLOCK_FAILURE |
USER_LOGIN |
chrome |
CHROMEOS_AFFILIATED_UNLOCK_SUCCESS |
USER_LOGIN |
chrome |
CHROMEOS_PERIPHERAL_ADDED |
USER_RESOURCE_ACCESS |
chrome |
CHROMEOS_PERIPHERAL_REMOVED |
USER_RESOURCE_DELETION |
chrome |
CHROMEOS_PERIPHERAL_STATUS_UPDATED |
USER_RESOURCE_UPDATE_CONTENT |
chrome |
CHROMEOS_UPDATE_FAILURE |
STATUS_UNCATEGORIZED |
chrome |
CHROMEOS_UPDATE_SUCCESS |
STATUS_UNCATEGORIZED |
chrome |
CHROME_OS_CRD_CLIENT_CONNECTED |
USER_LOGIN |
chrome |
CHROME_OS_CRD_HOST_ENDED |
STATUS_STARTUP |
chrome |
CHROME_OS_CRD_HOST_STARTED |
STATUS_STARTUP |
chrome |
URL_FILTERING_INTERSTITIAL |
STATUS_UNCATEGORIZED |
context_aware_access |
ACCESS_DENY_EVENT |
USER_RESOURCE_ACCESS |
context_aware_access |
ACCESS_DENY_INTERNAL_ERROR_EVENT |
USER_RESOURCE_ACCESS |
context_aware_access |
MONITOR_MODE_ACCESS_DENY_EVENT |
USER_RESOURCE_ACCESS |
gplus |
create_comment |
USER_RESOURCE_CREATION |
gplus |
delete_comment |
USER_RESOURCE_DELETION |
gplus |
edit_comment |
USER_RESOURCE_UPDATE_CONTENT |
gplus |
add_plusone |
STATUS_UPDATE |
gplus |
remove_plusone |
STATUS_UPDATE |
gplus |
add_poll_vote |
STATUS_UPDATE |
gplus |
remove_poll_vote |
STATUS_UPDATE |
gplus |
create_post |
USER_RESOURCE_CREATION |
gplus |
delete_post |
USER_RESOURCE_DELETION |
gplus |
content_manager_delete_post |
USER_RESOURCE_DELETION |
gplus |
edit_post |
USER_RESOURCE_UPDATE_CONTENT |
data_studio |
ADD_REPORT_EMAIL_DELIVERY |
USER_UNCATEGORIZED |
data_studio |
CREATE |
USER_RESOURCE_CREATION |
data_studio |
DATA_EXPORT |
USER_RESOURCE_ACCESS |
data_studio |
DELETE |
USER_RESOURCE_DELETION |
data_studio |
DOWNLOAD_REPORT |
USER_UNCATEGORIZED |
data_studio |
EDIT |
USER_RESOURCE_UPDATE_CONTENT |
data_studio |
RESTORE |
USER_RESOURCE_CREATION |
data_studio |
STOP_REPORT_EMAIL_DELIVERY |
USER_UNCATEGORIZED |
data_studio |
TRASH |
USER_RESOURCE_DELETION |
data_studio |
UPDATE_REPORT_EMAIL_DELIVERY |
USER_UNCATEGORIZED |
data_studio |
VIEW |
USER_RESOURCE_ACCESS |
data_studio |
CHANGE_DATA_SOURCE_ACCESS_TYPE |
USER_RESOURCE_UPDATE_PERMISSIONS |
data_studio |
CHANGE_ASSET_LINK_SHARING_ACCESS_TYPE |
USER_RESOURCE_UPDATE_PERMISSIONS |
data_studio |
CHANGE_ASSET_LINK_SHARING_VISIBILITY |
USER_RESOURCE_UPDATE_PERMISSIONS |
data_studio |
CHANGE_USER_ACCESS |
USER_CHANGE_PERMISSIONS |
mobile |
APPLICATION_EVENT |
USER_RESOURCE_UPDATE_CONTENT |
mobile |
APPLICATION_REPORT_EVENT |
STATUS_UPDATE |
mobile |
DEVICE_REGISTER_UNREGISTER_EVENT |
USER_RESOURCE_UPDATE_PERMISSIONS |
mobile |
ADVANCED_POLICY_SYNC_EVENT |
STATUS_UPDATE |
mobile |
DEVICE_ACTION_EVENT |
USER_RESOURCE_UPDATE_CONTENT |
mobile |
DEVICE_COMPLIANCE_CHANGED_EVENT |
STATUS_UPDATE |
mobile |
OS_UPDATED_EVENT |
USER_RESOURCE_UPDATE_CONTENT |
mobile |
DEVICE_OWNERSHIP_CHANGE_EVENT |
STATUS_UPDATE |
mobile |
DEVICE_SETTINGS_UPDATED_EVENT |
SETTING_MODIFICATION |
mobile |
APPLE_DEP_DEVICE_UPDATE_ON_APPLE_PORTAL_EVENT |
STATUS_UPDATE |
mobile |
DEVICE_SYNC_EVENT |
USER_RESOURCE_UPDATE_CONTENT |
mobile |
RISK_SIGNAL_UPDATED_EVENT |
STATUS_UPDATE |
mobile |
ANDROID_WORK_PROFILE_SUPPORT_ENABLED_EVENT |
STATUS_UPDATE |
mobile |
DEVICE_COMPROMISED_EVENT |
STATUS_UPDATE |
mobile |
FAILED_PASSWORD_ATTEMPTS_EVENT |
STATUS_UPDATE |
mobile |
SUSPICIOUS_ACTIVITY_EVENT |
STATUS_UPDATE |
groups_enterprise |
accept_invitation |
USER_UNCATEGORIZED |
groups_enterprise |
add_info_setting |
GROUP_MODIFICATION |
groups_enterprise |
add_member |
GROUP_MODIFICATION |
groups_enterprise |
add_member_role |
USER_CHANGE_PERMISSIONS |
groups_enterprise |
add_security_setting |
GROUP_MODIFICATION |
groups_enterprise |
add_service_account_permission |
USER_CHANGE_PERMISSIONS |
groups_enterprise |
approve_join_request |
USER_UNCATEGORIZED |
groups_enterprise |
ban_member_with_moderation |
GROUP_MODIFICATION |
groups_enterprise |
change_info_setting |
GROUP_MODIFICATION |
groups_enterprise |
change_security_setting |
GROUP_MODIFICATION |
groups_enterprise |
create_group |
GROUP_CREATION |
groups_enterprise |
create_namespace |
GROUP_UNCATEGORIZED |
groups_enterprise |
delete_group |
GROUP_DELETION |
groups_enterprise |
delete_namespace |
GROUP_UNCATEGORIZED |
groups_enterprise |
add_dynamic_group_query |
GROUP_UNCATEGORIZED |
groups_enterprise |
change_dynamic_group_query |
GROUP_MODIFICATION |
groups_enterprise |
invite_member |
GROUP_UNCATEGORIZED |
groups_enterprise |
join |
GROUP_MODIFICATION |
groups_enterprise |
add_membership_expiry |
GROUP_MODIFICATION |
groups_enterprise |
remove_membership_expiry |
GROUP_MODIFICATION |
groups_enterprise |
update_membership_expiry |
GROUP_MODIFICATION |
groups_enterprise |
reject_invitation |
USER_UNCATEGORIZED |
groups_enterprise |
reject_join_request |
USER_UNCATEGORIZED |
groups_enterprise |
remove_info_setting |
GROUP_MODIFICATION |
groups_enterprise |
remove_member |
GROUP_MODIFICATION |
groups_enterprise |
remove_member_role |
GROUP_MODIFICATION |
groups_enterprise |
remove_security_setting |
GROUP_MODIFICATION |
groups_enterprise |
remove_service_account_permission |
GROUP_MODIFICATION |
groups_enterprise |
request_to_join |
USER_UNCATEGORIZED |
groups_enterprise |
revoke_invitation |
USER_UNCATEGORIZED |
groups_enterprise |
unban_member |
GROUP_MODIFICATION |
calendar |
change_calendar_acls |
USER_CHANGE_PERMISSIONS |
calendar |
change_calendar_country |
USER_RESOURCE_UPDATE_CONTENT |
calendar |
create_calendar |
USER_RESOURCE_CREATION |
calendar |
delete_calendar |
USER_RESOURCE_DELETION |
calendar |
change_calendar_description |
USER_RESOURCE_UPDATE_CONTENT |
calendar |
change_calendar_location |
USER_RESOURCE_UPDATE_CONTENT |
calendar |
change_calendar_timezone |
USER_RESOURCE_UPDATE_CONTENT |
calendar |
change_calendar_title |
USER_RESOURCE_UPDATE_CONTENT |
calendar |
notification_triggered |
USER_UNCATEGORIZED |
calendar |
add_subscription |
USER_UNCATEGORIZED |
calendar |
delete_subscription |
STATUS_UPDATE |
calendar |
create_event |
USER_RESOURCE_UPDATE_CONTENT |
calendar |
delete_event |
USER_RESOURCE_UPDATE_CONTENT |
calendar |
add_event_guest |
USER_RESOURCE_UPDATE_CONTENT |
calendar |
change_event_guest_response_auto |
USER_UNCATEGORIZED |
calendar |
remove_event_guest |
USER_RESOURCE_UPDATE_CONTENT |
calendar |
change_event_guest_response |
USER_RESOURCE_UPDATE_CONTENT |
calendar |
change_event |
USER_RESOURCE_UPDATE_CONTENT |
calendar |
remove_event_from_trash |
USER_RESOURCE_UPDATE_CONTENT |
calendar |
restore_event |
USER_RESOURCE_UPDATE_CONTENT |
calendar |
change_event_start_time |
USER_RESOURCE_UPDATE_CONTENT |
calendar |
change_event_title |
USER_RESOURCE_UPDATE_CONTENT |
calendar |
transfer_event_requested |
USER_UNCATEGORIZED |
calendar |
transfer_event_completed |
USER_UNCATEGORIZED |
calendar |
interop_freebusy_lookup_outbound_successful |
USER_RESOURCE_ACCESS |
calendar |
interop_freebusy_lookup_inbound_successful |
USER_RESOURCE_ACCESS |
calendar |
interop_exchange_resource_availability_lookup_successful |
USER_RESOURCE_ACCESS |
calendar |
interop_exchange_resource_list_lookup_successful |
USER_RESOURCE_ACCESS |
calendar |
interop_freebusy_lookup_outbound_unsuccessful |
USER_RESOURCE_ACCESS |
calendar |
interop_freebusy_lookup_inbound_unsuccessful |
USER_RESOURCE_ACCESS |
calendar |
interop_exchange_resource_availability_lookup_unsuccessful |
USER_RESOURCE_ACCESS |
calendar |
interop_exchange_resource_list_lookup_unsuccessful |
USER_RESOURCE_ACCESS |
chat |
add_room_member |
GROUP_MODIFICATION |
chat |
attachment_download |
FILE_UNCATEGORIZED |
chat |
attachment_upload |
FILE_UNCATEGORIZED |
chat |
block_room |
GROUP_UNCATEGORIZED |
chat |
block_user |
USER_UNCATEGORIZED |
chat |
direct_message_started |
USER_UNCATEGORIZED |
chat |
invite_accept |
USER_UNCATEGORIZED |
chat |
invite_decline |
USER_UNCATEGORIZED |
chat |
invite_send |
USER_UNCATEGORIZED |
chat |
message_edited |
USER_RESOURCE_UPDATE_CONTENT |
chat |
message_posted |
USER_RESOURCE_CREATION |
chat |
message_reported |
USER_UNCATEGORIZED |
chat |
message_deleted |
USER_RESOURCE_DELETION |
chat |
remove_room_member |
GROUP_MODIFICATION |
chat |
room_created |
GROUP_CREATED |
chat |
reaction_added |
USER_UNCATEGORIZED |
chat |
call_ended |
USER_UNCATEGORIZED |
chat |
presentation_started |
STATUS_UNCATEGORIZED |
chat |
invitation_sent |
STATUS_UNCATEGORIZED |
chat |
presentation_stopped |
STATUS_UNCATEGORIZED |
gcp |
IMPORT_SSH_PUBLIC_KEY |
USER_UNCATEGORIZED |
gcp |
DELETE_POSIX_ACCOUNT |
USER_UNCATEGORIZED |
gcp |
DELETE_SSH_PUBLIC_KEY |
USER_UNCATEGORIZED |
gcp |
GET_SSH_PUBLIC_KEY |
USER_UNCATEGORIZED |
gcp |
GET_LOGIN_PROFILE |
USER_UNCATEGORIZED |
gcp |
UPDATE_SSH_PUBLIC_KEY |
USER_UNCATEGORIZED |
drive |
add_to_folder |
USER_RESOURCE_CREATION |
drive |
approval_canceled |
USER_UNCATEGORIZED |
drive |
approval_comment_added |
USER_UNCATEGORIZED |
drive |
approval_completed |
USER_UNCATEGORIZED |
drive |
approval_decisions_reset |
USER_UNCATEGORIZED |
drive |
approval_due_time_change |
USER_UNCATEGORIZED |
drive |
approval_requested |
USER_UNCATEGORIZED |
drive |
approval_reviewer_change |
USER_UNCATEGORIZED |
drive |
approval_reviewer_responded |
USER_UNCATEGORIZED |
drive |
copy |
USER_RESOURCE_CREATION |
drive |
create |
USER_RESOURCE_CREATION |
drive |
delete |
USER_RESOURCE_DELETION |
drive |
download |
USER_RESOURCE_ACCESS |
drive |
email_as_attachment |
EMAIL_TRANSACTION |
drive |
edit |
USER_RESOURCE_UPDATE_CONTENT |
drive |
label_added |
USER_UNCATEGORIZED |
drive |
label_added_by_item_create |
USER_UNCATEGORIZED |
drive |
label_field_changed |
USER_UNCATEGORIZED |
drive |
label_removed |
USER_UNCATEGORIZED |
drive |
add_lock |
USER_UNCATEGORIZED |
drive |
move |
USER_UNCATEGORIZED |
drive |
preview |
USER_RESOURCE_ACCESS |
drive |
print |
USER_UNCATEGORIZED |
drive |
remove_from_folder |
USER_RESOURCE_DELETION |
drive |
rename |
USER_RESOURCE_UPDATE_CONTENT |
drive |
untrash |
USER_RESOURCE_CREATION |
drive |
sheets_import_range |
USER_RESOURCE_ACCESS |
drive |
source_copy |
USER_RESOURCE_UPDATE_CONTENT |
drive |
trash |
USER_RESOURCE_DELETION |
drive |
remove_lock |
USER_UNCATEGORIZED |
drive |
unmovable_item_reparented |
USER_UNCATEGORIZED |
drive |
upload |
USER_RESOURCE_CREATION |
drive |
view |
USER_RESOURCE_ACCESS |
drive |
connected_sheets_query |
USER_RESOURCE_ACCESS |
drive |
accept_suggestion |
USER_RESOURCE_UPDATE_CONTENT |
drive |
create_comment |
USER_RESOURCE_CREATION |
drive |
create_suggestion |
USER_RESOURCE_CREATION |
drive |
delete_comment |
USER_RESOURCE_DELETION |
drive |
delete_suggestion |
USER_RESOURCE_DELETION |
drive |
edit_comment |
USER_RESOURCE_UPDATE_CONTENT |
drive |
expire_access_request |
USER_RESOURCE_UPDATE_PERMISSIONS |
drive |
reassign_comment |
USER_RESOURCE_UPDATE_CONTENT |
drive |
reject_suggestion |
USER_RESOURCE_UPDATE_CONTENT |
drive |
reopen_comment |
USER_RESOURCE_UPDATE_CONTENT |
drive |
request_access |
USER_RESOURCE_UPDATE_PERMISSIONS |
drive |
resolve_comment |
USER_RESOURCE_UPDATE_CONTENT |
drive |
deny_access_request |
USER_UNCATEGORIZED |
drive |
download_forms_response |
USER_RESOURCE_ACCESS |
drive |
email_collaborators |
EMAIL_UNCATEGORIZED |
drive |
access_url |
USER_RESOURCE_ACCESS |
drive |
access_item_content |
USER_RESOURCE_ACCESS |
drive |
sheets_import_url |
USER_UNCATEGORIZED |
drive |
apply_security_update |
USER_RESOURCE_UPDATE_PERMISSIONS |
drive |
shared_drive_apply_security_update |
USER_RESOURCE_UPDATE_PERMISSIONS |
drive |
shared_drive_remove_security_update |
USER_RESOURCE_UPDATE_PERMISSIONS |
drive |
publish_change |
USER_RESOURCE_UPDATE_PERMISSIONS |
drive |
change_acl_editors |
USER_RESOURCE_UPDATE_PERMISSIONS |
drive |
change_document_access_scope |
USER_RESOURCE_UPDATE_PERMISSIONS |
drive |
change_document_access_scope_hierarchy_reconciled |
USER_RESOURCE_UPDATE_PERMISSIONS |
drive |
change_document_visibility |
USER_RESOURCE_UPDATE_PERMISSIONS |
drive |
change_document_visibility_hierarchy_reconciled |
USER_RESOURCE_UPDATE_PERMISSIONS |
drive |
remove_security_update |
USER_RESOURCE_UPDATE_PERMISSIONS |
drive |
shared_drive_membership_change |
USER_RESOURCE_UPDATE_PERMISSIONS |
drive |
shared_drive_settings_change |
USER_RESOURCE_UPDATE_PERMISSIONS |
drive |
sheets_import_range_access_change |
USER_RESOURCE_UPDATE_PERMISSIONS |
drive |
change_user_access |
USER_CHANGE_PERMISSIONS |
drive |
change_user_access_hierarchy_reconciled |
USER_CHANGE_PERMISSIONS |
drive |
change_owner |
USER_CHANGE_PERMISSIONS |
drive |
publish_new_version |
USER_UNCATEGORIZED |
drive |
change_owner_hierarchy_reconciled |
USER_CHANGE_PERMISSIONS |
drive |
team_drive_membership_change |
USER_CHANGE_PERMISSIONS |
drive |
team_drive_settings_change |
USER_CHANGE_PERMISSIONS |
drive |
storage_usage_update |
USER_RESOURCE_ACCESS |
groups |
change_acl_permission |
GROUP_MODIFICATION |
groups |
accept_invitation |
USER_UNCATEGORIZED |
groups |
approve_join_request |
USER_UNCATEGORIZED |
groups |
join |
GROUP_MODIFICATION |
groups |
request_to_join |
USER_UNCATEGORIZED |
groups |
change_basic_setting |
GROUP_MODIFICATION |
groups |
create_group |
GROUP_CREATION |
groups |
delete_group |
GROUP_DELETION |
groups |
change_identity_setting |
GROUP_MODIFICATION |
groups |
add_info_setting |
GROUP_MODIFICATION |
groups |
change_info_setting |
GROUP_MODIFICATION |
groups |
remove_info_setting |
GROUP_MODIFICATION |
groups |
change_new_members_restrictions_setting |
GROUP_UNCATEGORIZED |
groups |
change_post_replies_setting |
GROUP_MODIFICATION |
groups |
change_spam_moderation_setting |
GROUP_MODIFICATION |
groups |
change_topic_setting |
GROUP_MODIFICATION |
groups |
moderate_message |
GROUP_MODIFICATION |
groups |
always_post_from_user |
USER_UNCATEGORIZED |
groups |
add_user |
GROUP_MODIFICATION |
groups |
ban_user_with_moderation |
GROUP_MODIFICATION |
groups |
revoke_invitation |
USER_UNCATEGORIZED |
groups |
invite_user |
USER_UNCATEGORIZED |
groups |
reject_join_request |
USER_UNCATEGORIZED |
groups |
reinvite_user |
USER_UNCATEGORIZED |
groups |
remove_user |
GROUP_MODIFICATION |
groups |
change_email_subscription_type |
GROUP_MODIFICATION |
groups |
unsubscribe_via_mail |
USER_UNCATEGORIZED |
keep |
deleted_attachment |
USER_UNCATEGORIZED |
keep |
uploaded_attachment |
USER_UNCATEGORIZED |
keep |
edited_note_content |
USER_RESOURCE_UPDATE_CONTENT |
keep |
created_note |
USER_RESOURCE_CREATION |
keep |
deleted_note |
USER_RESOURCE_DELETION |
keep |
modified_acl |
USER_RESOURCE_UPDATE_PERMISSIONS |
meet |
abuse_report_submitted |
USER_UNCATEGORIZED |
meet |
call_ended |
USER_UNCATEGORIZED |
meet |
livestream_watched |
USER_COMMUNICATION |
meet |
invitation_sent |
STATUS_UNCATEGORIZED |
meet |
presentation_started |
STATUS_UNCATEGORIZED |
meet |
presentation_stopped |
STATUS_UNCATEGORIZED |
meet |
knocking_denied |
STATUS_UNCATEGORIZED |
meet |
knocking_accepted |
STATUS_UNCATEGORIZED |
meet |
recording_activity |
STATUS_UNCATEGORIZED |
meet |
dialed_out |
STATUS_UNCATEGORIZED |
token |
activity |
USER_RESOURCE_ACCESS |
token |
authorize |
USER_RESOURCE_ACCESS |
token |
revoke |
USER_RESOURCE_UPDATE_PERMISSIONS |
rules |
action_complete |
USER_RESOURCE_ACCESS |
rules |
rule_match |
USER_RESOURCE_ACCESS |
rules |
rule_trigger |
USER_RESOURCE_ACCESS |
rules |
label_field_value_changed |
USER_RESOURCE_UPDATE_CONTENT |
rules |
label_applied |
USER_RESOURCE_UPDATE_CONTENT |
rules |
sharing_blocked |
USER_RESOURCE_UPDATE_CONTENT |
rules |
content_matched |
USER_RESOURCE_ACCESS |
rules |
content_unmatched |
USER_RESOURCE_ACCESS |
saml |
login_failure |
USER_LOGIN |
saml |
login_success |
USER_LOGIN |
user_accounts |
2sv_disable |
USER_UNCATEGORIZED |
user_accounts |
2sv_enroll |
USER_UNCATEGORIZED |
user_accounts |
password_edit |
USER_UNCATEGORIZED |
user_accounts |
recovery_email_edit |
USER_UNCATEGORIZED |
user_accounts |
recovery_phone_edit |
USER_UNCATEGORIZED |
user_accounts |
recovery_secret_qa_edit |
USER_UNCATEGORIZED |
user_accounts |
titanium_enroll |
USER_UNCATEGORIZED |
user_accounts |
titanium_unenroll |
USER_UNCATEGORIZED |
user_accounts |
email_forwarding_out_of_domain |
USER_UNCATEGORIZED |
jamboard |
DEVICE_LICENSE_ENROLLMENT_CHANGE |
SETTING_MODIFICATION |
jamboard |
DEVICE_OTA_UPDATE_REQUESTED |
SETTING_MODIFICATION |
jamboard |
DEVICE_PROVISIONING_CHANGE |
SETTING_MODIFICATION |
jamboard |
DEVICE_REBOOT_REQUESTED |
USER_UNCATEGORIZED |
jamboard |
EXPORT_JAMBOARD_FLEET |
USER_UNCATEGORIZED |
jamboard |
ADB_ENABLED_STATE_CHANGE |
SETTING_MODIFICATION |
jamboard |
DEVICE_ADDITIONAL_IMES_CHANGE |
SETTING_MODIFICATION |
jamboard |
DEVICE_LOGGING_CHANGE |
SETTING_MODIFICATION |
jamboard |
DEMO_MODE_AVAILABILITY_CHANGE |
SETTING_MODIFICATION |
jamboard |
DEMO_MODE_CHANGE |
SETTING_MODIFICATION |
jamboard |
FINGER_ERASING_CHANGE |
SETTING_MODIFICATION |
jamboard |
DEVICE_LANGUAGE_CHANGE |
SETTING_MODIFICATION |
jamboard |
DEVICE_LOCATION_CHANGE |
STATUS_UPDATE |
jamboard |
DEVICE_NAME_CHANGE |
STATUS_UPDATE |
jamboard |
DEVICE_NOTE_CHANGE |
STATUS_UPDATE |
jamboard |
DEVICE_PAIRING_CHANGE |
SETTING_MODIFICATION |
jamboard |
SCREENSAVER_TIMEOUT_CHANGE |
SETTING_MODIFICATION |
jamboard |
DEVICE_SETTING_LOCKED |
SETTING_MODIFICATION |
jamboard |
DEVICE_SETTING_UNLOCKED |
SETTING_MODIFICATION |
jamboard |
VIDEOCONF_ENABLED_CHANGE |
SETTING_MODIFICATION |
jamboard |
DEVICE_UPDATE |
STATUS_UPDATE |
login |
2sv_disable |
SERVICE_STOP |
login |
2sv_enroll |
SERVICE_START |
login |
password_edit |
USER_CHANGE_PASSWORD |
login |
recovery_email_edit |
USER_UNCATEGORIZED |
login |
recovery_phone_edit |
USER_UNCATEGORIZED |
login |
recovery_secret_qa_edit |
USER_UNCATEGORIZED |
login |
account_disabled_password_leak |
USER_UNCATEGORIZED |
login |
suspicious_login |
USER_LOGIN |
login |
suspicious_login_less_secure_app |
USER_LOGIN |
login |
suspicious_programmatic_login |
USER_LOGIN |
login |
account_disabled_generic |
USER_UNCATEGORIZED |
login |
account_disabled_spamming_through_relay |
USER_UNCATEGORIZED |
login |
account_disabled_spamming |
USER_UNCATEGORIZED |
login |
account_disabled_hijacked |
USER_UNCATEGORIZED |
login |
titanium_enroll |
USER_UNCATEGORIZED |
login |
titanium_unenroll |
USER_UNCATEGORIZED |
login |
gov_attack_warning |
STATUS_UNCATEGORIZED |
login |
email_forwarding_out_of_domain |
USER_UNCATEGORIZED |
login |
login_failure |
USER_LOGIN . The security category is |
login |
login_challenge |
USER_LOGIN |
login |
login_verification |
USER_LOGIN |
login |
logout |
USER_LOGOUT |
login |
login_success |
USER_LOGIN |
login |
risky_sensitive_action_allowed |
USER_LOGIN |
login |
risky_sensitive_action_blocked |
USER_LOGIN |
login |
blocked_sender |
STATUS_UNCATEGORIZED |
admin |
DELETE_2SV_SCRATCH_CODES |
USER_RESOURCE_DELETION |
admin |
GENERATE_2SV_SCRATCH_CODES |
USER_RESOURCE_CREATION |
admin |
REVOKE_3LO_DEVICE_TOKENS |
USER_RESOURCE_ACCESS |
admin |
REVOKE_3LO_TOKEN |
USER_RESOURCE_ACCESS |
admin |
ADD_RECOVERY_EMAIL |
USER_RESOURCE_CREATION |
admin |
ADD_RECOVERY_PHONE |
USER_RESOURCE_CREATION |
admin |
GRANT_ADMIN_PRIVILEGE |
USER_CHANGE_PERMISSIONS |
admin |
REVOKE_ADMIN_PRIVILEGE |
USER_CHANGE_PERMISSIONS |
admin |
REVOKE_ASP |
USER_CHANGE_PERMISSIONS |
admin |
TOGGLE_AUTOMATIC_CONTACT_SHARING |
SETTING_MODIFICATION |
admin |
BULK_UPLOAD |
USER_RESOURCE_CREATION |
admin |
BULK_UPLOAD_NOTIFICATION_SENT |
USER_UNCATEGORIZED |
admin |
CANCEL_USER_INVITE |
USER_UNCATEGORIZED |
admin |
CHANGE_USER_CUSTOM_FIELD |
USER_UNCATEGORIZED |
admin |
CHANGE_USER_EXTERNAL_ID |
USER_UNCATEGORIZED |
admin |
CHANGE_USER_GENDER |
USER_UNCATEGORIZED |
admin |
CHANGE_USER_IM |
USER_UNCATEGORIZED |
admin |
ENABLE_USER_IP_WHITELIST |
USER_UNCATEGORIZED |
admin |
CHANGE_USER_KEYWORD |
USER_UNCATEGORIZED |
admin |
CHANGE_USER_LANGUAGE |
USER_UNCATEGORIZED |
admin |
CHANGE_USER_LOCATION |
USER_UNCATEGORIZED |
admin |
CHANGE_USER_ORGANIZATION |
USER_UNCATEGORIZED |
admin |
CHANGE_USER_PHONE_NUMBER |
USER_UNCATEGORIZED |
admin |
CHANGE_RECOVERY_EMAIL |
USER_UNCATEGORIZED |
admin |
CHANGE_RECOVERY_PHONE |
USER_UNCATEGORIZED |
admin |
CHANGE_USER_RELATION |
USER_UNCATEGORIZED |
admin |
CHANGE_USER_ADDRESS |
USER_UNCATEGORIZED |
admin |
CREATE_EMAIL_MONITOR |
SERVICE_CREATION |
admin |
CREATE_DATA_TRANSFER_REQUEST |
USER_UNCATEGORIZED |
admin |
GRANT_DELEGATED_ADMIN_PRIVILEGES |
USER_CHANGE_PERMISSIONS |
admin |
DELETE_ACCOUNT_INFO_DUMP |
USER_RESOURCE_DELETION |
admin |
DELETE_EMAIL_MONITOR |
SERVICE_DELETION |
admin |
DELETE_MAILBOX_DUMP |
USER_RESOURCE_DELETION |
admin |
DELETE_PROFILE_PHOTO |
USER_RESOURCE_DELETION |
admin |
CHANGE_DISPLAY_NAME |
USER_UNCATEGORIZED |
admin |
CHANGE_FIRST_NAME |
USER_UNCATEGORIZED |
admin |
GMAIL_RESET_USER |
USER_UNCATEGORIZED |
admin |
CHANGE_LAST_NAME |
USER_UNCATEGORIZED |
admin |
MAIL_ROUTING_DESTINATION_ADDED |
USER_RESOURCE_CREATION |
admin |
MAIL_ROUTING_DESTINATION_REMOVED |
USER_RESOURCE_DELETION |
admin |
ADD_NICKNAME |
USER_UNCATEGORIZED |
admin |
REMOVE_NICKNAME |
USER_UNCATEGORIZED |
admin |
CHANGE_PASSWORD |
USER_CHANGE_PASSWORD |
admin |
CHANGE_PASSWORD_ON_NEXT_LOGIN |
USER_CHANGE_PASSWORD |
admin |
DOWNLOAD_PENDING_INVITES_LIST |
STATUS_UNCATEGORIZED |
admin |
REMOVE_RECOVERY_EMAIL |
USER_RESOURCE_DELETION |
admin |
REMOVE_RECOVERY_PHONE |
USER_RESOURCE_DELETION |
admin |
REQUEST_ACCOUNT_INFO |
USER_UNCATEGORIZED |
admin |
REQUEST_MAILBOX_DUMP |
USER_UNCATEGORIZED |
admin |
RESEND_USER_INVITE |
USER_UNCATEGORIZED |
admin |
RESET_SIGNIN_COOKIES |
USER_RESOURCE_UPDATE_CONTENT |
admin |
SECURITY_KEY_REGISTERED_FOR_USER |
USER_RESOURCE_CREATION |
admin |
REVOKE_SECURITY_KEY |
USER_RESOURCE_UPDATE_PERMISSIONS |
admin |
USER_INVITE |
USER_UNCATEGORIZED |
admin |
VIEW_TEMP_PASSWORD |
USER_UNCATEGORIZED |
admin |
TURN_OFF_2_STEP_VERIFICATION |
USER_RESOURCE_UPDATE_PERMISSIONS |
admin |
UNBLOCK_USER_SESSION |
USER_UNCATEGORIZED |
admin | UNMANAGED_USERS_BULK_UPLOAD | USER_RESOURCE_CREATION |
admin | DOWNLOAD_UNMANAGED_USERS_LIST | USER_UNCATEGORIZED |
admin | UPDATE_PROFILE_PHOTO | USER_RESOURCE_UPDATE_CONTENT |
admin | UNENROLL_USER_FROM_TITANIUM | USER_UNCATEGORIZED |
admin | ARCHIVE_USER | USER_UNCATEGORIZED |
admin | UPDATE_BIRTHDATE | USER_UNCATEGORIZED |
admin | CREATE_USER | USER_CREATION |
admin | DELETE_USER | USER_DELETION |
admin | DOWNGRADE_USER_FROM_GPLUS | USER_CHANGE_PERMISSIONS |
admin | USER_ENROLLED_IN_TWO_STEP_VERIFICATION | USER_UNCATEGORIZED |
admin | DOWNLOAD_USERLIST_CSV | STATUS_UNCATEGORIZED |
admin | MOVE_USER_TO_ORG_UNIT | USER_UNCATEGORIZED |
admin | USER_PUT_IN_TWO_STEP_VERIFICATION_GRACE_PERIOD | USER_UNCATEGORIZED |
admin | RENAME_USER | USER_RESOURCE_UPDATE_CONTENT |
admin | UNENROLL_USER_FROM_STRONG_AUTH | USER_UNCATEGORIZED |
admin | SUSPEND_USER | USER_UNCATEGORIZED |
admin | UNARCHIVE_USER | USER_UNCATEGORIZED |
admin | UNDELETE_USER | USER_UNCATEGORIZED |
admin | UNSUSPEND_USER | USER_UNCATEGORIZED |
admin | UPGRADE_USER_TO_GPLUS | USER_CHANGE_PERMISSIONS |
admin | USERS_BULK_UPLOAD | USER_RESOURCE_CREATION |
admin | USERS_BULK_UPLOAD_NOTIFICATION_SENT | USER_UNCATEGORIZED |
admin | ASSIGN_ROLE | USER_RESOURCE_UPDATE_PERMISSIONS |
admin | CREATE_ROLE | USER_RESOURCE_CREATION |
admin | UNASSIGN_ROLE | USER_RESOURCE_UPDATE_PERMISSIONS |
admin | AUTHORIZE_API_CLIENT_ACCESS | USER_RESOURCE_ACCESS |
admin | ADD_TRUSTED_DOMAINS | USER_RESOURCE_UPDATE_CONTENT |
admin | CHANGE_DOMAIN_DEFAULT_TIMEZONE | USER_RESOURCE_UPDATE_CONTENT |
admin | CHANGE_DOMAIN_DEFAULT_LOCALE | USER_RESOURCE_UPDATE_CONTENT |
admin | CREATE_ALERT | USER_RESOURCE_CREATION |
admin | REMOVE_APPLICATION | USER_RESOURCE_DELETION |
admin | ADD_APPLICATION | USER_RESOURCE_CREATION |
admin | REMOVE_API_CLIENT_ACCESS | USER_RESOURCE_DELETION |
admin | CHANGE_SSO_SETTINGS | SETTING_MODIFICATION |
admin | ALERT_CENTER_VIEW | STATUS_UNCATEGORIZED |
admin | ALERT_CENTER_LIST_FEEDBACK | STATUS_UNCATEGORIZED |
admin | ALERT_CENTER_GET_SIT_LINK | STATUS_UNCATEGORIZED |
admin | ALERT_CENTER_LIST_CHANGE | STATUS_UNCATEGORIZED |
admin | ALERT_CENTER_LIST_RELATED_ALERTS | STATUS_UNCATEGORIZED |
admin | EMAIL_LOG_SEARCH | EMAIL_UNCATEGORIZED |
admin | CHANGE_EMAIL_SETTING | SETTING_MODIFICATION |
admin | CREATE_GMAIL_SETTING | SETTING_MODIFICATION |
admin | CHANGE_GMAIL_SETTING | SETTING_MODIFICATION |
admin | DELETE_GMAIL_SETTING | SETTING_MODIFICATION |
admin | RELEASE_FROM_QUARANTINE | EMAIL_UNCATEGORIZED |
admin | SECURITY_INVESTIGATION_QUERY | STATUS_UNCATEGORIZED |
admin | SECURITY_INVESTIGATION_ACTION | STATUS_UNCATEGORIZED |
admin | SECURITY_INVESTIGATION_OBJECT_CREATE_DRAFT_INVESTIGATION | STATUS_UNCATEGORIZED |
admin | SECURITY_INVESTIGATION_ACTION_COMPLETION | STATUS_UNCATEGORIZED |
admin | SECURITY_INVESTIGATION_EXPORT_QUERY | STATUS_UNCATEGORIZED |
admin | SECURITY_INVESTIGATION_ACTION_CANCELLATION | STATUS_UNCATEGORIZED |
admin | CHANGE_GROUP_SETTING | GROUP_MODIFICATION |
admin | ADD_GROUP_MEMBER | GROUP_MODIFICATION |
admin | CREATE_GROUP | GROUP_CREATION |
admin | REMOVE_GROUP_MEMBER | GROUP_MODIFICATION |
admin | UPDATE_GROUP_MEMBER_DELIVERY_SETTINGS | GROUP_MODIFICATION |
admin | UPDATE_GROUP_MEMBER | GROUP_MODIFICATION |
admin | DELETE_GROUP | GROUP_DELETION |
admin | USER_LICENSE_ASSIGNMENT | USER_RESOURCE_UPDATE_PERMISSIONS |
admin | USER_LICENSE_REVOKE | USER_RESOURCE_UPDATE_PERMISSIONS |
admin | SECURITY_CHART_DRILLDOWN | STATUS_UNCATEGORIZED |
admin | SYSTEM_DEFINED_RULE_UPDATED | SETTING_MODIFICATION |
admin | CUSTOMER_USER_DEVICE_DELETION_EVENT | USER_RESOURCE_DELETION |
admin | ADD_MOBILE_APPLICATION_TO_WHITELIST | USER_RESOURCE_UPDATE_CONTENT |
admin | REMOVE_MOBILE_APPLICATION_FROM_WHITELIST | USER_RESOURCE_UPDATE_CONTENT |
admin | CHANGE_MOBILE_APPLICATION_SETTINGS | SETTING_MODIFICATION |
admin | ACTION_REQUESTED | USER_UNCATEGORIZED |
admin | CREATE_APPLICATION_SETTING | SETTING_CREATION |
admin | CHANGE_APPLICATION_SETTING | SETTING_MODIFICATION |
admin | CREATE_SAML2_SERVICE_PROVIDER_CONFIG | SETTING_CREATION |
admin | DELETE_SAML2_SERVICE_PROVIDER_CONFIG | SETTING_DELETION |
admin | TOGGLE_SERVICE_ENABLED | SETTING_MODIFICATION |
admin | CREATE_ORG_UNIT | USER_RESOURCE_CREATION |
admin | MOVE_ORG_UNIT | USER_RESOURCE_UPDATE_CONTENT |
admin | EDIT_ORG_UNIT_NAME | USER_RESOURCE_UPDATE_CONTENT |
admin | REMOVE_ORG_UNIT | USER_RESOURCE_DELETION |
admin | UNASSIGN_CUSTOM_LOGO | USER_RESOURCE_UPDATE_CONTENT |
admin | ASSIGN_CUSTOM_LOGO | USER_RESOURCE_UPDATE_CONTENT |
admin | EDIT_ORG_UNIT_DESCRIPTION | USER_RESOURCE_UPDATE_CONTENT |
admin | CHANGE_DOCS_SETTING | SETTING_MODIFICATION |
admin | CHANGE_CALENDAR_SETTING | SETTING_MODIFICATION |
admin | SESSION_CONTROL_SETTINGS_CHANGE | SETTING_MODIFICATION |
admin | DISALLOW_SERVICE_FOR_OAUTH2_ACCESS | SETTING_MODIFICATION |
admin | ALLOW_STRONG_AUTHENTICATION | SETTING_MODIFICATION |
admin | ENFORCE_STRONG_AUTHENTICATION | SETTING_MODIFICATION |
admin | CHANGE_TWO_STEP_VERIFICATION_FREQUENCY | SETTING_MODIFICATION |
admin | CHANGE_TWO_STEP_VERIFICATION_ENROLLMENT_PERIOD_DURATION | SETTING_MODIFICATION |
admin | CHANGE_TWO_STEP_VERIFICATION_GRACE_PERIOD_DURATION | SETTING_MODIFICATION |
admin | CHANGE_ALLOWED_TWO_STEP_VERIFICATION_METHODS | SETTING_MODIFICATION |
admin | CHANGE_TWO_STEP_VERIFICATION_START_DATE | SETTING_MODIFICATION |
admin | WEAK_PROGRAMMATIC_LOGIN_SETTINGS_CHANGED | SETTING_MODIFICATION |
admin | ADD_TO_BLOCKED_OAUTH2_APPS | STATUS_UPDATE |
admin | ADD_TO_TRUSTED_OAUTH2_APPS | STATUS_UPDATE |
admin | GENERATE_CERTIFICATE | USER_RESOURCE_CREATION |
admin | ENABLE_DIRECTORY_SYNC | SETTING_MODIFICATION |
admin | CHANGE_DEVICE_STATE | STATUS_UPDATE |
admin | UPDATE_ACCESS_LEVEL_V2 | USER_RESOURCE_UPDATE_PERMISSIONS |
admin | UPDATE_AUTO_PROVISIONED_USER | STATUS_UPDATE |
admin | SECURITY_CENTER_RULE_THRESHOLD_TRIGGER | STATUS_UPDATE |
gmail |
EMAIL_TRANSACTION |
Field mapping reference: WORKSPACE_ACTIVITY - Common fields
The following table lists the common fields of the WORKSPACE_ACTIVITY log type and their corresponding UDM fields.
Log field | UDM mapping | Logic |
---|---|---|
actor.callerType | target.user.attribute.labels[caller_type] | If the event.name log field value is equal to one of the following values, then the actor.callerType log field is mapped to the target.user.attribute.labels UDM field: |
actor.callerType | principal.user.attribute.labels[caller_type] | If the event.name log field value is not equal to one of the following values, then the actor.callerType log field is mapped to the principal.user.attribute.labels UDM field: If the id.applicationName log field value is equal to gmail, then principal.user.attribute.labels.key UDM field is set to actor_caller_type and actor.callerType log field is mapped to principal.user.attribute.labels.value UDM field. |
actor.email | target.user.email_addresses | If the event.name log field value is equal to one of the following values, then the actor.email log field is mapped to the target.user.email_addresses UDM field: If the id.applicationName log field value is equal to gmail, then actor.email log field is mapped to principal.user.email_addresses UDM field. |
actor.email | principal.user.email_addresses | If the event.name log field value is not equal to one of the following values, then the actor.email log field is mapped to the principal.user.email_addresses UDM field: |
actor.email | security_result.about.email | |
actor.key | target.user.attribute.labels[actor_key] | If the event.name log field value is equal to one of the following values, then the actor.key log field is mapped to the target.user.attribute.labels[actor_key] UDM field: |
actor.key | principal.user.attribute.labels[actor_key] | If the event.name log field value is not equal to one of the following values, then the actor.key log field is mapped to the principal.user.attribute.labels[actor_key] UDM field: |
actor.key | target.user.userid | The actor.key log field is mapped to the target.user.userid UDM field if the following conditions are met: |
actor.key | principal.user.userid | The actor.key log field is mapped to the principal.user.userid UDM field if the following conditions are met: |
actor.profileId | target.user.product_object_id | If the event.name log field value is equal to one of the following values, then the actor.profileId log field is mapped to the target.user.product_object_id UDM field: |
actor.profileId | principal.user.product_object_id | If the event.name log field value is not equal to one of the following values, then the actor.profileId log field is mapped to the principal.user.product_object_id UDM field: |
etag | metadata.product_log_id | |
events.name | metadata.product_event_type | |
events.type | security_result.category_details | |
id.applicationName | metadata.product_name | |
id.customerId | about.resource.product_object_id | |
id.time | metadata.event_timestamp | |
id.uniqueQualifier | metadata.product_log_id | |
ipAddress | principal.ip | |
kind | about.labels[kind] (deprecated) | |
kind | additional.fields[kind] | |
ownerDomain | target.administrative_domain | If the target.resource log field value is not empty, then the ownerDomain log field is mapped to the target.administrative_domain UDM field. If the principal.resource log field value is not empty, then the ownerDomain log field is mapped to the principal.administrative_domain. If the id.applicationName log field value is equal to gmail, then ownerDomain log field is mapped to principal.administrative_domain UDM field. |
| | about.resource.resource_type | The about.resource.resource_type UDM field is set to CLOUD_ORGANIZATION. |
| | metadata.vendor_name | The metadata.vendor_name UDM field is set to GOOGLE. |
actor.gaiaId | principal.user.product_object_id | If the event.name log field value is not equal to one of the following values, then the actor.gaiaId log field is mapped to the principal.user.product_object_id UDM field: |
actor.gaiaId | target.user.product_object_id | If the event.name log field value is equal to one of the following values, then the actor.gaiaId log field is mapped to the target.user.product_object_id UDM field: |
actor.orgunitPath | principal.user.attribute.labels[org_unit_path] | If the event.name log field value is not equal to one of the following values, then the actor.orgunitPath log field is mapped to the principal.user.attribute.labels[org_unit_path] UDM field: |
actor.orgunitPath | target.user.attribute.labels[org_unit_path] | If the event.name log field value is equal to one of the following values, then the actor.orgunitPath log field is mapped to the target.user.attribute.labels[org_unit_path] UDM field: |
actor.groupId | principal.user.group_identifiers | If the event.name log field value is not equal to one of the following values, then the actor.groupId log field is mapped to the principal.user.group_identifiers UDM field: |
actor.groupId | target.user.group_identifiers | If the event.name log field value is equal to one of the following values, then the actor.groupId log field is mapped to the target.user.group_identifiers UDM field: |
Field mapping reference: WORKSPACE_ACTIVITY
The following table lists the log fields of the WORKSPACE_ACTIVITY log type and their corresponding UDM fields.
Workspace application | Log field | UDM mapping | Logic |
---|---|---|---|
access_transparency | ACCESS_APPROVAL_REQUEST_IDS | about.labels [access_approval_request_ids] (deprecated) | |
access_transparency | ACCESS_APPROVAL_REQUEST_IDS | additional.fields [access_approval_request_ids] | |
access_transparency | ACCESS_MANAGEMENT_POLICY | about.labels [access_management_policy] (deprecated) | |
access_transparency | ACCESS_MANAGEMENT_POLICY | additional.fields [access_management_policy] | |
access_transparency | ACTOR_HOME_OFFICE | principal.user.office_address.country_or_region | If the event.name log field value is equal to ACCESS, then the ACTOR_HOME_OFFICE log field is mapped to the principal.user.office_address.country_or_region UDM field. |
access_transparency | GSUITE_PRODUCT_NAME | target.application | If the event.name log field value is equal to ACCESS, then the GSUITE_PRODUCT_NAME log field is mapped to the target.application UDM field. |
access_transparency | JUSTIFICATIONS | about.labels [justifications] (deprecated) | If the event.name log field value is equal to ACCESS, then the JUSTIFICATIONS log field is mapped to the about.labels UDM field. |
access_transparency | JUSTIFICATIONS | additional.fields [justifications] | If the event.name log field value is equal to ACCESS, then the JUSTIFICATIONS log field is mapped to the additional.fields UDM field. |
access_transparency | LOG_ID | about.labels [logid] (deprecated) | If the event.name log field value is equal to ACCESS, then the LOG_ID log field is mapped to the about.labels UDM field. |
access_transparency | LOG_ID | additional.fields [logid] | If the event.name log field value is equal to ACCESS, then the LOG_ID log field is mapped to the additional.fields UDM field. |
access_transparency | ON_BEHALF_OF | about.labels [on_behalf_of] (deprecated) | If the event.name log field value is equal to ACCESS, then the ON_BEHALF_OF log field is mapped to the about.labels UDM field. |
access_transparency | ON_BEHALF_OF | additional.fields [on_behalf_of] | If the event.name log field value is equal to ACCESS, then the ON_BEHALF_OF log field is mapped to the additional.fields UDM field. |
access_transparency | OWNER_EMAIL | target.user.email_addresses | If the event.name log field value is equal to ACCESS, then the OWNER_EMAIL log field is mapped to the target.user.email_addresses UDM field. |
access_transparency | RESOURCE_NAME | target.resource.name | If the event.name log field value is equal to ACCESS, then the RESOURCE_NAME log field is mapped to the target.resource.name UDM field. |
access_transparency | TICKETS | about.labels [tickets] (deprecated) | |
access_transparency | TICKETS | additional.fields [tickets] | |
chrome | DEVICE_NAME | target.asset.attribute.labels [device_name] | If the event.name log field value is equal to one of the following values, then the DEVICE_NAME log field is mapped to the target.asset.attribute.labels UDM field: |
chrome | DEVICE_PLATFORM | target.asset.platform_software.platform | If the DEVICE_PLATFORM log field value matches windows, then the target.asset.platform_software.platform UDM field is set to WINDOWS. If the DEVICE_PLATFORM log field value matches mac, then the target.asset.platform_software.platform UDM field is set to MAC. If the DEVICE_PLATFORM log field value matches linux, then the target.asset.platform_software.platform UDM field is set to LINUX. Else, the target.asset.platform_software.platform UDM field is set to UNKNOWN_PLATFORM. |
chrome | DEVICE_USER | principal.user.user_display_name | If the event.name log field value is equal to LOGIN_EVENT, then the DEVICE_USER log field is mapped to the principal.user.user_display_name UDM field. |
chrome | LOGIN_USER_NAME | target.user.user_display_name | If the event.name log field value is equal to LOGIN_EVENT, then the LOGIN_USER_NAME log field is mapped to the target.user.user_display_name UDM field. |
chrome | DEVICE_USER | target.user.user_display_name | If the event.name log field value is equal to one of the following values, then the DEVICE_USER log field is mapped to the target.user.user_display_name UDM field: If the event.name log field value is equal to LOGIN_EVENT, then the LOGIN_USER_NAME log field is mapped to the target.user.user_display_name UDM field. |
chrome | PROFILE_USER_NAME | target.user.attribute.labels [profile_user_name] | If the event.name log field value is equal to one of the following values, then the PROFILE_USER_NAME log field is mapped to the target.user.attribute.labels UDM field: |
chrome | DIRECTORY_DEVICE_ID | about.labels [directory_device_id] (deprecated) | If the event.name log field value is equal to one of the following values, then the DIRECTORY_DEVICE_ID log field is mapped to the about.labels UDM field: |
chrome | DIRECTORY_DEVICE_ID | additional.fields [directory_device_id] | If the event.name log field value is equal to one of the following values, then the DIRECTORY_DEVICE_ID log field is mapped to the additional.fields UDM field: |
chrome | DEVICE_ID | target.asset.asset_id | If the event.name log field value is equal to one of the following values, then the DEVICE_ID log field is mapped to the target.asset.asset_id UDM field: |
chrome | VIRTUAL_DEVICE_ID | about.labels [virtual_device_id] (deprecated) | If the event.name log field value is equal to one of the following values, then the VIRTUAL_DEVICE_ID log field is mapped to the about.labels UDM field: |
chrome | VIRTUAL_DEVICE_ID | additional.fields [virtual_device_id] | If the event.name log field value is equal to one of the following values, then the VIRTUAL_DEVICE_ID log field is mapped to the additional.fields UDM field: |
chrome | EVENT_REASON | security_result.summary | If the event.name log field value is equal to one of the following values, then the EVENT_REASON log field is mapped to the security_result.summary UDM field: |
chrome | EVENT_RESULT | security_result.action_details | If the event.name log field value is equal to one of the following values, then the EVENT_RESULT log field is mapped to the security_result.action_details UDM field: |
chrome | | security_result.action | The security_result.action UDM field is set to ALLOW. |
chrome | TIMESTAMP | about.labels [timestamp] (deprecated) | If the event.name log field value is equal to one of the following values, then the TIMESTAMP log field is mapped to the about.labels UDM field: |
chrome | TIMESTAMP | additional.fields [timestamp] | If the event.name log field value is equal to one of the following values, then the TIMESTAMP log field is mapped to the additional.fields UDM field: |
chrome | BROWSER_VERSION | target.resource.attribute.labels [browser_version] | If the event.name log field value is equal to one of the following values, then the BROWSER_VERSION log field is mapped to the target.resource.attribute.labels UDM field: |
chrome | LOGIN_FAILURE_REASON | security_result.description | |
chrome | USER_AGENT | network.http.user_agent | If the event.name log field value is equal to one of the following values, then the USER_AGENT log field is mapped to the network.http.user_agent UDM field: |
chrome | URL | target.url | If the event.name log field value is equal to one of the following values, then the URL log field is mapped to the about.url UDM field: |
chrome | SCAN_ID | about.labels [scan_id] (deprecated) | If the event.name log field value is equal to one of the following values, then the SCAN_ID log field is mapped to the about.labels UDM field: |
chrome | SCAN_ID | additional.fields [scan_id] | If the event.name log field value is equal to one of the following values, then the SCAN_ID log field is mapped to the additional.fields UDM field: |
chrome | REMOVE_USER_REASON | security_result.detection_fields [remove_user_reason] | If the event.name log field value is equal to CHROME_OS_REMOVE_USER, then the REMOVE_USER_REASON log field is mapped to the security_result.detection_fields UDM field. |
chrome | NEW_BOOT_MODE | target.asset.attribute.labels [new_boot_mode] | |
chrome | PREVIOUS_BOOT_MODE | target.asset.attribute.labels [previous_boot_mode] | |
chrome | CLIENT_TYPE | target.resource.attribute.labels [client_type] | |
chrome | TRIGGER_USER | security_result.about.labels [trigger_user] (deprecated) | |
chrome | TRIGGER_USER | additional.fields [trigger_user] | |
chrome | TRIGGER_DESTINATION | security_result.about.labels [trigger_destination] (deprecated) | |
chrome | TRIGGER_DESTINATION | additional.fields [trigger_destination] | |
chrome | TRIGGER_SOURCE | security_result.about.labels [trigger_source] (deprecated) | |
chrome | TRIGGER_SOURCE | additional.fields [trigger_source] | |
chrome | TRIGGER_TYPE | security_result.about.labels [trigger_type] (deprecated) | |
chrome | TRIGGER_TYPE | additional.fields [trigger_type] | |
chrome | TRIGGERED_RULES_REASON | security_result.about.labels [triggered_rules_reason] (deprecated) | |
chrome | TRIGGERED_RULES_REASON | additional.fields [triggered_rules_reason] | |
chrome | CONTENT_HASH | about.labels [content_hash] (deprecated) | |
chrome | CONTENT_HASH | additional.fields [content_hash] | |
chrome | CONTENT_NAME | about.labels [content_name] (deprecated) | |
chrome | CONTENT_NAME | additional.fields [content_name] | |
chrome | CONTENT_SIZE | about.labels [content_size] (deprecated) | |
chrome | CONTENT_SIZE | additional.fields [content_size] | |
chrome | CONTENT_TYPE | about.labels [content_type] (deprecated) | |
chrome | CONTENT_TYPE | additional.fields [content_type] | |
chrome | APP_NAME | target.application | If the event.name log field value is equal to one of the following values, then the APP_NAME log field is mapped to the target.application UDM field: |
chrome | PRODUCT_NAME | target.application | If the event.name log field value is equal to one of the following values, then the PRODUCT_NAME log field is mapped to the target.application UDM field: Else, the PRODUCT_NAME log field is mapped to the target.labels UDM field. |
chrome | PRODUCT_NAME | target.labels [product_name] (deprecated) | If the event.name log field value is equal to one of the following values, then the PRODUCT_NAME log field is mapped to the target.application UDM field: Else, the PRODUCT_NAME log field is mapped to the target.labels UDM field. |
chrome | PRODUCT_NAME | additional.fields [product_name] | If the event.name log field value is equal to one of the following values, then the PRODUCT_NAME log field is mapped to the target.application UDM field: Else, the PRODUCT_NAME log field is mapped to the additional.fields UDM field. |
chrome | ORG_UNIT_NAME | about.labels [org_unit_name] (deprecated) | If the event.name log field value is equal to EXTENSION_REQUEST, then the ORG_UNIT_NAME log field is mapped to the about.labels UDM field. |
chrome | ORG_UNIT_NAME | additional.fields [org_unit_name] | If the event.name log field value is equal to EXTENSION_REQUEST, then the ORG_UNIT_NAME log field is mapped to the additional.fields UDM field. |
chrome | USER_JUSTIFICATION | principal.user.attribute.labels [user_justification] | |
chrome | FEDERATED_ORIGIN | security_result.about.labels [federated_origin] (deprecated) | |
chrome | FEDERATED_ORIGIN | additional.fields [federated_origin] | |
chrome | IS_FEDERATED | security_result.about.labels [is_federated] (deprecated) | |
chrome | IS_FEDERATED | additional.fields [is_federated] | |
chrome | EVIDENCE_LOCKER_FILEPATH | security_result.about.labels [evidence_locker_filepath] (deprecated) | |
chrome | EVIDENCE_LOCKER_FILEPATH | additional.fields [evidence_locker_filepath] | |
Google Chrome | CONNECTION_TYPE | about.labels[connection_type] (deprecated) | |
Google Chrome | CONNECTION_TYPE | additional.fields[connection_type] | |
Google Chrome | PREVIOUS_OS_VERSION | target.asset.attribute.labels[previous_os_version] | |
Google Chrome | VENDOR_ID | src.labels[vendor_id] (deprecated) | |
Google Chrome | VENDOR_ID | additional.fields[vendor_id] | |
Google Chrome | LOCALIZED_URL_CATEGORY | about.labels[localized_url_category] (deprecated) | |
Google Chrome | LOCALIZED_URL_CATEGORY | additional.fields[localized_url_category] | |
Google Chrome | VENDOR_NAME | src.labels[vendor_name] (deprecated) | |
Google Chrome | VENDOR_NAME | additional.fields[vendor_name] | |
Google Chrome | SESSION_ID | network.session_id | |
Google Chrome | APP_ID | target.resource.product_object_id | If the event.name log field value is equal to BROWSER_EXTENSION_INSTALL, then the APP_ID log field is mapped to the target.resource.product_object_id UDM field. |
Google Chrome | CURRENT_OS_VERSION | target.asset.platform_software.platform_version | |
Google Chrome | PRODUCT_ID | target.resource.product_object_id | If the events.name log field value contains one of the following values, then the PRODUCT_ID log field is mapped to the target.resource.product_object_id UDM field. Else, the PRODUCT_ID log field is mapped to the target.labels UDM field. |
Google Chrome | PRODUCT_ID | target.labels[product_id] (deprecated) | If the events.name log field value contains one of the following values, then the PRODUCT_ID log field is mapped to the target.resource.product_object_id UDM field. Else, the PRODUCT_ID log field is mapped to the target.labels UDM field. |
Google Chrome | PRODUCT_ID | additional.fields[product_id] | If the events.name log field value contains one of the following values, then the PRODUCT_ID log field is mapped to the target.resource.product_object_id UDM field. Else, the PRODUCT_ID log field is mapped to the additional.fields UDM field. |
Google Chrome | UNLOCK_TYPE | target.labels[unlock_type] (deprecated) | |
Google Chrome | UNLOCK_TYPE | additional.fields[unlock_type] | |
Google Chrome | REPORT_ID | target.labels[report_id] (deprecated) | |
Google Chrome | REPORT_ID | additional.fields[report_id] | |
Google Chrome | CHANNEL | target.labels[channel] (deprecated) | |
Google Chrome | CHANNEL | additional.fields[channel] | |
Google Chrome | TAB_URL | additional.fields[tab_url] | |
context_aware_access | CAA_ACCESS_LEVEL_APPLIED | security_result.about.labels [caa_access_level_applied] (deprecated) | If the event.name log field value is equal to ACCESS_DENY_EVENT, then the CAA_ACCESS_LEVEL_APPLIED log field is mapped to the security_result.about.labels UDM field. |
context_aware_access | CAA_ACCESS_LEVEL_APPLIED | additional.fields [caa_access_level_applied] | If the event.name log field value is equal to ACCESS_DENY_EVENT, then the CAA_ACCESS_LEVEL_APPLIED log field is mapped to the additional.fields UDM field. |
context_aware_access | CAA_ACCESS_LEVEL_SATISFIED | security_result.about.labels [caa_access_level_satisfied] (deprecated) | If the event.name log field value is equal to ACCESS_DENY_EVENT, then the CAA_ACCESS_LEVEL_SATISFIED log field is mapped to the security_result.about.labels UDM field. |
context_aware_access | CAA_ACCESS_LEVEL_SATISFIED | additional.fields [caa_access_level_satisfied] | If the event.name log field value is equal to ACCESS_DENY_EVENT, then the CAA_ACCESS_LEVEL_SATISFIED log field is mapped to the additional.fields UDM field. |
context_aware_access | CAA_ACCESS_LEVEL_UNSATISFIED | security_result.about.labels [caa_access_level_unsatisfied] (deprecated) | If the event.name log field value is equal to ACCESS_DENY_EVENT, then the CAA_ACCESS_LEVEL_UNSATISFIED log field is mapped to the security_result.about.labels UDM field. |
context_aware_access | CAA_ACCESS_LEVEL_UNSATISFIED | additional.fields [caa_access_level_unsatisfied] | If the event.name log field value is equal to ACCESS_DENY_EVENT, then the CAA_ACCESS_LEVEL_UNSATISFIED log field is mapped to the additional.fields UDM field. |
context_aware_access | CAA_APPLICATION | target.resource.name | If the event.name log field value is equal to ACCESS_DENY_EVENT, then the CAA_APPLICATION log field is mapped to the target.resource.name UDM field. |
context_aware_access | | target.resource.resource_type | If the event.name log field value is equal to DEVICE_SETTINGS_UPDATED_EVENT, then the target.resource.resource_type UDM field is set to SETTING. Else, the target.resource.resource_type UDM field is set to DEVICE. |
context_aware_access | CAA_DEVICE_ID | principal.asset.asset_id | If the event.name log field value is equal to ACCESS_DENY_EVENT, then the CAA_DEVICE_ID log field is mapped to the principal.asset.asset_id UDM field. |
context_aware_access | CAA_DEVICE_STATE | principal.labels [caa_device_state] (deprecated) | If the event.name log field value is equal to ACCESS_DENY_EVENT, then the CAA_DEVICE_STATE log field is mapped to the principal.labels UDM field. |
context_aware_access | CAA_DEVICE_STATE | additional.fields [caa_device_state] | If the event.name log field value is equal to ACCESS_DENY_EVENT, then the CAA_DEVICE_STATE log field is mapped to the additional.fields UDM field. |
context_aware_access | BLOCKED_API_ACCESS | additional.fields [blocked_api_access] | |
gplus | attachment_type | target.resource.attribute.labels [attachment_type] | If the event.name log field value is equal to one of the following values, then the attachment_type log field is mapped to the target.resource.attribute.labels UDM field: |
gplus | comment_resource_name | target.resource.product_object_id | If the event.name log field value is equal to one of the following values, then the comment_resource_name log field is mapped to the target.resource.product_object_id UDM field: |
gplus | post_resource_name | target.resource_ancestors.product_object_id | If the event.name log field value is equal to one of the following values, then the post_resource_name log field is mapped to the target.resource_ancestors.product_object_id UDM field: |
gplus | post_permalink | target.resource_ancestors.attribute.labels [post_permalink] | |
gplus | post_visibility | target.resource_ancestors.attribute.labels [post_visibility] | |
gplus | plusone_context | target.resource_ancestors.attribute.labels [plusone_context] | |
gplus | post_author_name | target.user.user_display_name | If the event.name log field value is equal to content_manager_delete_post, then the post_resource_name log field is mapped to the target.user.user_display_name UDM field. |
data_studio | ASSET_ID | principal.resource.product_object_id | If the ASSET_TYPE log field value is equal to DATA_SOURCE, then the ASSET_ID log field is mapped to the principal.resource.product_object_id UDM field. Else, the ASSET_ID log field is mapped to the target.resource.product_object_id UDM field. |
data_studio | ASSET_NAME | principal.resource.name | If the ASSET_TYPE log field value is equal to DATA_SOURCE, then the ASSET_NAME log field is mapped to the principal.resource.name UDM field. Else, the ASSET_NAME log field is mapped to the target.resource.name UDM field. |
data_studio | ASSET_TYPE | principal.resource.resource_subtype | If the ASSET_TYPE log field value is equal to DATA_SOURCE, then the ASSET_TYPE log field is mapped to the principal.resource.resource_subtype UDM field. Else, the ASSET_TYPE log field is mapped to the target.resource.resource_subtype UDM field. |
data_studio | ASSET_ID | target.resource.product_object_id | If the ASSET_TYPE log field value is equal to DATA_SOURCE, then the ASSET_ID log field is mapped to the principal.resource.product_object_id UDM field. Else, the ASSET_ID log field is mapped to the target.resource.product_object_id UDM field. |
data_studio | ASSET_NAME | target.resource.name | If the ASSET_TYPE log field value is equal to DATA_SOURCE, then the ASSET_NAME log field is mapped to the principal.resource.name UDM field. Else, the ASSET_NAME log field is mapped to the target.resource.name UDM field. |
data_studio | ASSET_TYPE | target.resource.resource_subtype | If the ASSET_TYPE log field value is equal to DATA_SOURCE, then the ASSET_TYPE log field is mapped to the principal.resource.resource_subtype UDM field. Else, the ASSET_TYPE log field is mapped to the target.resource.resource_subtype UDM field. |
data_studio | CONNECTOR_TYPE | target.resource.attribute.labels[connector_type] | |
data_studio | EMBEDDED_IN_REPORT_ID | target.resource.attribute.labels[embedded_in_report_id] | |
data_studio | OWNER_EMAIL | principal.user.email_addresses | If the actor.email log field value is not equal to the OWNER_EMAIL, then the OWNER_EMAIL log field is mapped to the principal.user.email_addresses UDM field. |
data_studio | TARGET_USER_EMAIL | target.user.email_addresses | |
data_studio | PRIOR_VISIBILITY | target.resource.attribute.labels [prior_visibility] | |
data_studio | VISIBILITY | target.resource.attribute.labels [visibility] | |
data_studio | NEW_VALUE | target.resource.attribute.labels [new_value] | |
data_studio | OLD_VALUE | target.resource.attribute.labels [old_value] | |
data_studio | TARGET_DOMAIN | target.domain.name [target_domain] | |
data_studio | DATA_EXPORT_TYPE | target.resource.attribute.labels [data_export_type] | |
mobile | | target.resource.resource_type | The target.resource.resource_type UDM field is set to DEVICE. |
mobile | ACCOUNT_STATE | target.resource.attribute.labels [account_state] | |
mobile | ACTION_EXECUTION_STATUS | target.resource.attribute.labels [account_execution_status] | |
mobile | ACTION_ID | target.resource.attribute.labels [action_id] | |
mobile | ACTION_TYPE | target.resource.attribute.labels [action_type] | |
mobile | APK_SHA256_HASH | target.resource.attribute.labels [apk_sha256_hash] | |
mobile | APPLICATION_ID | target.resource.attribute.labels [application_id] | |
mobile | APPLICATION_MESSAGE | target.resource.attribute.labels [application_message] | |
mobile | APPLICATION_REPORT_KEY | target.resource.attribute.labels [application_report_key] | |
mobile | APPLICATION_REPORT_SEVERITY | target.resource.attribute.labels [application_report_severity] | |
mobile | APPLICATION_STATE | target.resource.attribute.labels [application_state] | |
mobile | APPLICATION_REPORT_TIMESTAMP | target.resource.attribute.labels [application_report_timestamp] | |
mobile | BASIC_INTEGRITY | target.resource.attribute.labels [basic_integrity] | |
mobile | CTS_PROFILE_MATCH | target.resource.attribute.labels [cts_profile_match] | |
mobile | DEVICE_COMPLIANCE | target.resource.attribute.labels [device_compliance] | |
mobile | DEVICE_COMPROMISED_STATE | about.target.resource.attribute.labels [device_compromised_state] | |
mobile | DEVICE_DEACTIVATION_REASON | target.resource.attribute.labels [device_deactivation_reason] | |
mobile | DEVICE_ID | target.resource.product_object_id | If the event.name log field value is equal to one of the following values, then the DEVICE_ID log field is mapped to the target.resource.product_object_id UDM field: |
mobile | NEW_DEVICE_ID | target.resource.attribute.labels [new_device_id] | If the NEW_DEVICE_ID log field value is not empty, then the NEW_DEVICE_ID log field is mapped to the target.resource.product_object_id UDM field. |
mobile | DEVICE_MODEL | target.resource.attribute.labels [device_model] | |
mobile | DEVICE_OWNERSHIP | target.resource.attribute.labels [device_ownership] | |
mobile | DEVICE_PROPERTY | target.resource.attribute.labels [device_property] | |
mobile | DEVICE_SETTING | target.resource.attribute.labels [device_setting] | |
mobile | DEVICE_STATUS_ON_APPLE_PORTAL | target.resource.attribute.labels [device_status_on_apple_portal] | |
mobile | DEVICE_TYPE | target.resource.resource_subtype | If the event.name log field value is equal to one of the following values, then the DEVICE_TYPE log field is mapped to the target.resource.resource_subtype UDM field: |
mobile | FAILED_PASSWD_ATTEMPTS | target.resource.attribute.labels [failed_passwd_attempts] | |
mobile | IOS_VENDOR_ID | target.resource.attribute.labels [ios_vendor_id] | |
mobile | NEW_VALUE | target.resource.attribute.labels [new_value] | |
mobile | OLD_VALUE | target.resource.attribute.labels [old_value] | |
mobile | OS_EDITION | target.resource.attribute.labels [os_edition] | |
mobile | OS_PROPERTY | target.resource.attribute.labels [os_property] | |
mobile | OS_VERSION | target.resource.attribute.labels [os_version] | |
mobile | PHA_CATEGORY | security_results.detection_fields | |
mobile | POLICY_NAME | security_result.about.labels [policy_name] (deprecated) | |
mobile | POLICY_NAME | additional.fields [policy_name] | |
mobile | POLICY_SYNC_RESULT | security_result.about.labels [policy_sync_result] (deprecated) | |
mobile | POLICY_SYNC_RESULT | additional.fields [policy_sync_result] | |
mobile | POLICY_SYNC_TYPE | security_result.about.labels [policy_sync_type] (deprecated) | |
mobile | POLICY_SYNC_TYPE | additional.fields [policy_sync_type] | |
mobile |
RESOURCE_ID |
target.resource.attribute.labels |
If the event.name log field value is equal to one of the following values, then the RESOURCE_ID log field is mapped to the target.resource.attribute.labels UDM field:
|
mobile |
REGISTER_PRIVILEGE |
security_result.about.labels [register_privilege] (deprecated) |
|
mobile |
REGISTER_PRIVILEGE |
additional.fields |
|
mobile |
RISK_SIGNAL |
security_result.about.labels [risk_signal] (deprecated) |
|
mobile |
RISK_SIGNAL |
additional.fields [risk_signal] |
|
mobile |
SECURITY_EVENT_ID |
security_result.about.labels [security_event_id] (deprecated) |
If the event.name log field value is equal to APPLICATION_EVENT, then the SECURITY_EVENT_ID log field is mapped to the security_result.about.labels UDM field. |
mobile |
SECURITY_EVENT_ID |
additional.fields |
If the event.name log field value is equal to APPLICATION_EVENT, then the SECURITY_EVENT_ID log field is mapped to the additional.fields UDM field. |
mobile |
SECURITY_PATCH_LEVEL |
security_result.about.labels [security_patch_level] (deprecated) |
If the event.name log field value is equal to one of the following values, then the SECURITY_PATCH_LEVEL log field is mapped to the security_result.about.labels UDM field:
|
mobile |
SECURITY_PATCH_LEVEL |
additional.fields [security_patch_level] |
If the event.name log field value is equal to one of the following values, then the SECURITY_PATCH_LEVEL log field is mapped to the additional.fields UDM field:
|
mobile |
SERIAL_NUMBER |
target.resource.attribute.labels [serial_number] |
|
mobile |
USER_EMAIL |
target.user.email_addresses |
If the event.name log field value is equal to one of the following values, then the USER_EMAIL log field is mapped to the target.user.email_addresses UDM field:
|
mobile |
VALUE |
security_result.about.labels [value] (deprecated) |
|
mobile |
VALUE |
additional.fields [value] |
|
mobile |
WINDOWS_SYNCML_POLICY_STATUS_CODE |
security_result.about.labels [windows_syncml_policy_status_code] (deprecated) |
|
mobile |
WINDOWS_SYNCML_POLICY_STATUS_CODE |
additional.fields [windows_syncml_policy_status_code] |
|
mobile |
LAST_SYNC_AUDIT_DATE |
target.resource.attribute.labels[LAST_SYNC_AUDIT_DATE] |
|
groups_enterprise |
dynamic_group_query |
target.group.attribute.labels [dynamic_group_query] |
|
groups_enterprise |
group_id |
target.user.group_identifiers |
If the event.name log field value is equal to one of the following values, then the group_id log field is mapped to the target.user.group_identifiers UDM field:
|
groups_enterprise |
info_setting |
target.group.attribute.labels [info_setting] |
|
groups_enterprise |
member_id |
target.user.email_addresses |
If the event.name log field value is equal to one of the following values, then the member_id log field is mapped to the target.user.email_addresses UDM field:
|
groups_enterprise |
member_role |
target.user.attribute.roles.name |
If the event.name log field value is equal to one of the following values, then the member_role log field is mapped to the target.user.attribute.roles.name UDM field:
|
groups_enterprise |
member_type |
target.user.attribute.labels[member_type] |
|
groups_enterprise |
membership_expiry |
target.group.attribute.labels [membership_query] |
|
groups_enterprise |
namespace |
target.group.group_display_name |
|
groups_enterprise |
new_value |
target.group.attribute.labels [new_value] |
|
groups_enterprise |
old_value |
target.group.attribute.labels [old_value] |
|
groups_enterprise |
value |
target.group.attribute.labels [value] |
|
groups_enterprise |
security_setting |
target.group.attribute.labels [security_setting] |
|
calendar |
access_level |
security_result.about.labels [access_level] (deprecated) |
|
calendar |
access_level |
additional.fields [access_level] |
|
calendar |
api_kind |
target.resource.attribute.labels [api_kind] |
|
calendar |
calendar_country |
target.resource.attribute.labels [calendar_country] |
If the event.name log field value is equal to change_calendar_country, then the calendar_country log field is mapped to the target.resource.attribute.labels UDM field. |
calendar |
calendar_description |
target.resource.attribute.labels [calendar_description] |
|
calendar |
calendar_id |
target.resource.product_object_id |
If the event.name log field value is equal to one of the following values, then the calendar_id log field is mapped to the target.resource.product_object_id UDM field:
- transfer_event_requested
- transfer_event_completed |
calendar |
calendar_location |
target.resource.attribute.labels [calendar_location] |
|
calendar |
calendar_timezone |
target.resource.attribute.labels [calendar_timezone] |
|
calendar |
calendar_title |
target.resource.name |
If the event.name log field value is equal to change_calendar_title, then the calendar_title log field is mapped to the target.resource.name UDM field. |
calendar |
end_time |
target.resource.attribute.labels [end_time] |
|
calendar |
start_time |
target.resource.attribute.labels [start_time] |
|
calendar |
event_guest |
target.labels [event_guest] (deprecated) |
|
calendar |
event_guest |
additional.fields [event_guest] |
|
calendar |
event_id |
target.resource.attribute.labels [event_id] |
If the event.name log field value is equal to one of the following values, then the event_id log field is mapped to the target.resource.attribute.labels UDM field:
|
calendar |
event_response_status |
target.resource.attribute.labels [event_response_status] |
|
calendar |
event_title |
target.resource.attribute.labels [event_title] |
If the event.name log field value is equal to one of the following values, then the event_title log field is mapped to the target.resource.attribute.labels UDM field:
|
calendar |
old_event_title |
target.resource.attribute.labels [old_event_title] |
|
calendar |
grantee_email |
target.user.email_addresses |
If the event.name log field value is equal to one of the following values, then the grantee_email log field is mapped to the target.user.email_addresses UDM field:
|
calendar |
interop_error_code |
security_result.action_details |
If the event.name log field value is equal to one of the following values, then the interop_error_code log field is mapped to the security_result.action_details UDM field:
|
calendar |
notification_message_id |
target.resource.attribute.labels [notification_message_id] |
If the event.name log field value is equal to one of the following values, then the notification_message_id log field is mapped to the target.resource.attribute.labels UDM field:
|
calendar |
notification_method |
target.resource.attribute.labels [notification_method] |
If the event.name log field value is equal to one of the following values, then the notification_method log field is mapped to the target.resource.attribute.labels UDM field:
|
calendar |
notification_type |
target.resource.resource_subtype |
If the event.name log field value is equal to one of the following values, then the notification_type log field is mapped to the target.resource.resource_subtype UDM field:
|
calendar |
organizer_calendar_id |
principal.user.attribute.labels[organizer_calendar_id] |
If the event.name log field value is equal to one of the following values, then the organizer_calendar_id log field is mapped to the principal.user.attribute.labels[organizer_calendar_id] UDM field:
|
calendar |
recipient_email |
principal.user.email_addresses |
If the event.name log field value is equal to one of the following values, then the recipient_email log field is mapped to the principal.user.email_addresses UDM field:
|
calendar |
remote_ews_url |
security_result.about.labels [remote_ews_url] (deprecated) |
|
calendar |
remote_ews_url |
additional.fields [remote_ews_url] |
|
calendar |
requested_period_end |
security_result.about.labels [requested_period_end] (deprecated) |
|
calendar |
requested_period_end |
additional.fields [requested_period_end] |
|
calendar |
requested_period_start |
security_result.about.labels [requested_period_start] (deprecated) |
|
calendar |
requested_period_start |
additional.fields [requested_period_start] |
|
calendar |
subscriber_calendar_id |
principal.user.attribute.labels[subscriber_calendar_id] |
|
calendar |
user_agent |
network.http.user_agent |
|
calendar |
target_calendar_id |
target.resource.attribute.labels [target_calendar_id] |
|
calendar |
client_side_encrypted |
target.resource.attribute.labels [client_side_encrypted] |
|
calendar |
is_recurring |
target.resource.attribute.labels [is_recurring] |
|
calendar |
recurring |
target.resource.attribute.labels [recurring] |
|
chat |
actor |
principal.user.email_addresses |
The event.name log field is mapped to the principal.user.email_addresses UDM field if the following conditions are met:
|
chat |
attachment_hash |
target.file.sha256 |
If the event.name log field value is equal to one of the following values, then the attachment_hash log field is mapped to the target.file.sha256 UDM field:
|
chat |
attachment_name |
target.file.names |
If the event.name log field value is equal to one of the following values, then the attachment_name log field is mapped to the target.file.names UDM field:
|
chat |
attachment_url |
target.file.full_path |
If the event.name log field value is equal to attachment_download, then the attachment_url log field is mapped to the target.file.full_path UDM field. |
chat |
dlp_scan_status |
security_result.action_details |
If the event.name log field value is equal to one of the following values, then the dlp_scan_status log field is mapped to the security_result.action_details UDM field:
|
chat |
message_id |
target.resource.product_object_id |
If the event.name log field value is equal to one of the following values, then the message_id log field is mapped to the target.resource.product_object_id UDM field:
|
chat |
conference_id |
target.resource.product_object_id |
If the event.name log field value is equal to one of the following values, then the message_id log field is mapped to the target.resource.product_object_id UDM field:
|
chat |
target.resource.resource_subtype |
If the event.name log field value is equal to one of the following values, then the target.resource.resource_subtype UDM field is set to Google Chat - Message:
| |
chat |
report_type |
target.resource.attribute.labels [report_type] |
|
chat |
room_id |
target.group.product_object_id |
If the event.name log field value is equal to one of the following values, then the room_id log field is mapped to the target.group.product_object_id UDM field:
|
chat |
dm_id |
about.labels [dm_id] (deprecated) |
If the event.name log field value is equal to direct_message_started, then the about.labels UDM field is set to dm_id. |
chat |
dm_id |
additional.fields [dm_id] |
If the event.name log field value is equal to direct_message_started, then the additional.fields UDM field is set to dm_id. |
chat |
target_users |
target.user.email_addresses |
If the event.name log field value is equal to one of the following values, then the target_users log field is mapped to the target.user.email_addresses UDM field:
|
chat |
retention_state |
target.user.attribute.labels[retention_state] |
|
chat |
room_name |
target.group.group_display_name |
|
chat |
timestamp_ms |
target.resource.attribute.labels [timestamp_ms] |
|
chat |
external_room |
about.labels[external_room] (deprecated) |
|
chat |
external_room |
additional.fields[external_room] |
|
chat |
device_type |
principal.asset.attribute.labels [device_type] |
|
chat |
identifier_type |
principal.user.attribute.labels [identifier_type] |
|
chat |
location_region |
principal.user.attribute.labels [location_region] |
|
chat |
identifier |
principal.user.userid |
|
chat |
display_name |
principal.user.user_display_name |
|
chat |
location_country |
principal.location.country_or_region |
|
chat |
product_type |
principal.resource.resource_subtype |
|
chat |
ip_address |
target.ip |
|
chat |
target_user_count |
target.user.attribute.labels[target_user_count] |
|
chat |
duration_seconds |
target.resource.attribute.labels [duration_seconds] |
|
chat |
meeting_code |
target.resource.attribute.labels[meeting_code] |
|
chat |
organizer_email |
about.user.email_addresses |
|
chat |
network_estimated_upload_kbps_mean |
additional.fields [network_estimated_upload_kbps_mean] |
|
chat |
video_recv_fps_mean |
additional.fields [video_recv_fps_mean] |
|
chat |
screencast_send_fps_mean |
additional.fields [screencast_send_fps_mean] |
|
chat |
audio_recv_packet_loss_max |
additional.fields [audio_recv_packet_loss_max] |
|
chat |
video_send_long_side_median_pixels |
additional.fields [video_send_long_side_median_pixels] |
|
chat |
screencast_recv_packet_loss_mean |
additional.fields [screencast_recv_packet_loss_mean] |
|
chat |
video_recv_packet_loss_mean |
additional.fields [video_recv_packet_loss_mean] |
|
chat |
video_recv_long_side_median_pixels |
additional.fields [video_recv_long_side_median_pixels] |
|
chat |
video_send_packet_loss_mean |
additional.fields [video_send_packet_loss_mean] |
|
chat |
audio_send_packet_loss_max |
additional.fields [audio_send_packet_loss_max] |
|
chat |
video_recv_short_side_median_pixels |
additional.fields [video_recv_short_side_median_pixels] |
|
chat |
screencast_recv_bitrate_kbps_mean |
additional.fields [screencast_recv_bitrate_kbps_mean] |
|
chat |
calendar_event_id |
additional.fields [calendar_event_id] |
|
chat |
video_send_fps_mean |
additional.fields [video_send_fps_mean] |
|
chat |
audio_recv_packet_loss_mean |
additional.fields [audio_recv_packet_loss_mean] |
|
chat |
video_recv_seconds |
additional.fields [video_recv_seconds] |
|
chat |
video_send_packet_loss_max |
additional.fields [video_send_packet_loss_max] |
|
chat |
network_recv_jitter_msec_max |
additional.fields [network_recv_jitter_msec_max] |
|
chat |
network_recv_jitter_msec_mean |
additional.fields [network_recv_jitter_msec_mean] |
|
chat |
audio_send_seconds |
additional.fields [audio_send_seconds] |
|
chat |
screencast_send_long_side_median_pixels |
additional.fields [screencast_send_long_side_median_pixels] |
|
chat |
screencast_recv_seconds |
additional.fields [screencast_recv_seconds] |
|
chat |
screencast_recv_long_side_median_pixels |
additional.fields [screencast_recv_long_side_median_pixels] |
|
chat |
screencast_send_bitrate_kbps_mean |
additional.fields [screencast_send_bitrate_kbps_mean] |
|
chat |
screencast_send_packet_loss_max |
additional.fields [screencast_send_packet_loss_max] |
|
chat |
video_send_bitrate_kbps_mean |
additional.fields [video_send_bitrate_kbps_mean] |
|
chat |
screencast_send_seconds |
additional.fields [screencast_send_seconds] |
|
chat |
audio_send_bitrate_kbps_mean |
additional.fields [audio_send_bitrate_kbps_mean] |
|
chat |
screencast_recv_fps_mean |
additional.fields [screencast_recv_fps_mean] |
|
chat |
audio_recv_seconds |
additional.fields [audio_recv_seconds] |
|
chat |
video_recv_packet_loss_max |
additional.fields [video_recv_packet_loss_max] |
|
chat |
screencast_send_packet_loss_mean |
additional.fields [screencast_send_packet_loss_mean] |
|
chat |
network_transport_protocol |
additional.fields [network_transport_protocol] |
|
chat |
screencast_recv_short_side_median_pixels |
additional.fields [screencast_recv_short_side_median_pixels] |
|
chat |
screencast_send_short_side_median_pixels |
additional.fields [screencast_send_short_side_median_pixels] |
|
chat |
screencast_recv_packet_loss_max |
additional.fields [screencast_recv_packet_loss_max] |
|
chat |
is_external |
additional.fields [is_external] |
|
chat |
video_send_short_side_median_pixels |
additional.fields [video_send_short_side_median_pixels] |
|
chat |
endpoint_id |
additional.fields [endpoint_id] |
|
chat |
network_estimated_download_kbps_mean |
additional.fields [network_estimated_download_kbps_mean] |
|
chat |
network_send_jitter_msec_mean |
additional.fields [network_send_jitter_msec_mean] |
|
chat |
video_send_seconds |
additional.fields [video_send_seconds] |
|
chat |
network_rtt_msec_mean |
additional.fields [network_rtt_msec_mean] |
|
chat |
network_congestion |
additional.fields [network_congestion] |
|
chat |
audio_send_packet_loss_mean |
additional.fields [audio_send_packet_loss_mean] |
|
chat |
action_time |
additional.fields [action_time] |
|
gcp |
USER_EMAIL |
principal.user.email_addresses |
If the actor.email log field value is empty, then the USER_EMAIL log field is mapped to the principal.user.email_addresses UDM field. |
drive |
actor_is_collaborator_account |
about.labels [actor_is_collaborator_account] (deprecated) |
|
drive |
actor_is_collaborator_account |
additional.fields [actor_is_collaborator_account] |
|
drive |
added_role |
target.user.attribute.roles.name |
If the event.name log field value is equal to shared_drive_membership_change, then the added_role log field is mapped to the target.user.attribute.roles.name UDM field. |
drive |
requested_role |
target.user.attribute.roles.name |
If the event.name log field value is equal to request_access, then the requested_role log field is mapped to the target.user.attribute.roles.name UDM field. |
drive |
billable |
about.labels [billable] (deprecated) |
|
drive |
billable |
additional.fields [billable] |
|
drive |
copy_type |
about.labels [copy_type] (deprecated) |
|
drive |
copy_type |
additional.fields [copy_type] |
|
drive |
destination_folder_id |
target.resource.product_object_id |
If the event.name log field value is equal to one of the following values, then the destination_folder_id log field is mapped to the target.resource.product_object_id UDM field:
|
drive |
doc_id |
target.resource.product_object_id |
If the event.name log field value is equal to one of the following values, then the doc_id log field is mapped to the target.resource.product_object_id UDM field:
|
drive |
destination_folder_title |
target.resource.name |
If the event.name log field value is equal to one of the following values, then the destination_folder_title log field is mapped to the target.resource.name UDM field:
|
drive |
doc_title |
target.resource.name |
If the event.name log field value is equal to one of the following values, then the doc_title log field is mapped to the target.resource.name UDM field:
|
drive |
doc_id |
src.resource.product_object_id |
If the event.name log field value is equal to one of the following values, then the doc_id log field is mapped to the src.resource.product_object_id UDM field:
|
drive |
doc_title |
src.resource.name |
If the event.name log field value is equal to one of the following values, then the doc_title log field is mapped to the src.resource.name UDM field:
|
drive |
doc_type |
target.resource.attribute.labels[doc_type] |
If the event.name log field value is equal to one of the following values, then the doc_type log field is mapped to the target.resource.attribute.labels[doc_type] UDM field:
|
drive |
doc_type |
src.resource.attribute.labels [doc_type] |
If the event.name log field value is equal to one of the following values, then the doc_type log field is mapped to the src.resource.attribute.labels [doc_type] UDM field:
|
drive |
field |
target.resource.attribute.labels [field] |
|
drive |
field_id |
target.resource.attribute.labels [field_id] |
|
drive |
is_encrypted |
target.labels [is_encrypted] (deprecated) |
|
drive |
is_encrypted |
additional.fields [is_encrypted] |
|
drive |
label |
target.resource.attribute.labels [label] |
|
drive |
label_title |
target.resource.attribute.labels [label_title] |
|
drive |
membership_change_type |
about.labels [membership_change_type] (deprecated) |
|
drive |
membership_change_type |
additional.fields [membership_change_type] |
|
drive |
new_publish_visibility |
target.resource.attribute.labels [new_publish_visibility] |
|
drive |
new_value |
target.resource.attribute.labels [new_value] |
|
drive |
new_value_id |
target.resource.attribute.labels [new_value_id] |
|
drive |
new_settings_state |
about.labels [new_settings_state] (deprecated) |
|
drive |
new_settings_state |
additional.fields [new_settings_state] |
|
drive |
old_settings_state |
about.labels [old_settings_state] (deprecated) |
|
drive |
old_settings_state |
additional.fields [old_settings_state] |
|
drive |
old_publish_visibility |
target.resource.attribute.labels [old_publish_visibility] |
|
drive |
old_value |
target.resource.attribute.labels [old_value] |
|
drive |
old_value_id |
target.resource.attribute.labels [old_value_id] |
|
drive |
old_visibility |
target.resource.attribute.labels [old_visibility] |
|
drive |
originating_app_id |
about.labels [originating_app_id] (deprecated) |
|
drive |
originating_app_id |
additional.fields [originating_app_id] |
|
drive |
owner |
target.resource.attribute.labels[owner] |
|
drive |
owner_is_shared_drive |
target.resource.attribute.labels [owner_is_shared_drive] |
|
drive |
primary_event |
about.labels [primary_event] (deprecated) |
|
drive |
primary_event |
additional.fields [primary_event] |
|
drive |
reason |
security_result.summary |
If the event.name log field value is equal to one of the following values, then the reason log field is mapped to the security_result.summary UDM field:
|
drive |
removed_role |
target.user.attribute.labels [removed_role] and target.user.roles.description |
If the removed_role log field value is equal to commenter, then the target.user.roles.description UDM field is set to Team Drive role Commenter.
If the removed_role log field value is equal to content_manager, then the target.user.roles.description UDM field is set to Team Drive role Content manager.
If the removed_role log field value is equal to editor, then the target.user.roles.description UDM field is set to Team Drive role Contributor.
If the removed_role log field value is equal to none, then the target.user.roles.description UDM field is set to No role in Team Drive.
If the removed_role log field value is equal to organizer, then the target.user.roles.description UDM field is set to Team Drive role Manager.
If the removed_role log field value is equal to viewer, then the target.user.roles.description UDM field is set to Team Drive role Viewer. |
drive |
target_domain |
target.domain.name |
If the event.name log field value is equal to one of the following values, then the target_domain log field is mapped to the target.domain.name UDM field:
|
drive |
target_user |
target.user.email_addresses |
If the event.name log field value is equal to one of the following values, then the target_user log field is mapped to the target.user.email_addresses UDM field:
|
drive |
target_user |
additional.fields[target_user] |
|
drive |
new_owner |
target.user.email_addresses |
The new_owner log field is mapped to the target.user.email_addresses UDM field if the following conditions are met:
Else, the new_owner log field is mapped to the target.user.attribute.labels UDM field. |
drive |
target |
target.user.email_addresses |
If the event.name log field value matches the regular expression pattern ^.+@.+$ , then the target log field is mapped to the target.user.email_addresses UDM field. |
drive |
target |
target.user.attribute.labels[target] |
If the event.name log field value does not match the regular expression pattern ^.+@.+$ , then the target log field is mapped to the target.user.attribute.labels[target] UDM field. |
drive |
recipients |
target.user.email_addresses |
If the event.name log field value is equal to email_collaborators, then the recipients log field is mapped to the target.user.email_addresses UDM field. |
drive |
shared_drive_id |
target.resource_ancestors.product_object_id |
|
drive |
shared_drive_settings_change_type |
about.labels [shared_drive_settings_change_type] (deprecated) |
|
drive |
shared_drive_settings_change_type |
additional.fields [shared_drive_settings_change_type] |
|
drive |
sheets_import_range_recipient_doc |
target.resource.attribute.labels [sheets_import_range_recipient_doc] |
|
drive |
source_folder_id |
principal.resource.id |
If the event.name log field value is equal to one of the following values, then the source_folder_id log field is mapped to the principal.resource.id UDM field:
|
drive |
source_folder_title |
principal.resource.name |
If the event.name log field value is equal to one of the following values, then the source_folder_title log field is mapped to the principal.resource.name UDM field:
|
drive |
storage_entity_id |
about.labels [storage_entity_id] (deprecated) |
|
drive |
storage_entity_id |
additional.fields [storage_entity_id] |
|
drive |
storage_usage_in_bytes |
about.labels [storage_usage_in_bytes] (deprecated) |
|
drive |
storage_usage_in_bytes |
additional.fields [storage_usage_in_bytes] |
|
drive |
visibility |
target.resource.attribute.labels [visibility] |
|
drive |
visibility_change |
target.resource.attribute.labels [visibility_change] |
|
drive |
team_drive_id |
target.group.product_object_id |
|
drive |
owner_is_team_drive |
target.resource.attribute.labels [owner_is_team_drive] |
|
drive |
data_connection_id |
about.labels[data_connection_id] (deprecated) |
|
drive |
data_connection_id |
additional.fields[data_connection_id] |
|
drive |
delegating_principal |
about.user.email_addresses |
If the actor.email log field value is not equal to delegating_principal, then the delegating_principal log field is mapped to the about.user.email_addresses UDM field. |
drive |
execution_id |
about.labels[execution_id] (deprecated) |
|
drive |
execution_id |
additional.fields[execution_id] |
|
drive |
execution_trigger |
about.labels[execution_trigger] (deprecated) |
|
drive |
execution_trigger |
additional.fields[execution_trigger] |
|
drive |
query_type |
about.labels[query_type] (deprecated) |
|
drive |
query_type |
additional.fields[query_type] |
|
drive |
owner_team_drive_id |
target.resource.attribute.labels[owner_team_drive_id] |
|
drive |
new_owner_is_team_drive |
target.resource.attribute.labels [new_owner_is_team_drive] |
|
drive |
new_owner_team_drive_id |
target.resource.attribute.labels[new_owner_team_drive_id] |
|
drive |
owner_shared_drive_id |
target.resource.attribute.labels[owner_shared_drive_id] |
|
drive |
dlp_info |
target.resource.attribute.labels[dlp_info] |
|
drive |
team_drive_settings_change_type |
target.resource.attribute.labels[team_drive_settings_change_type] |
|
drive |
accessed_url |
target.url |
|
drive |
script_id |
additional.fields[script_id] |
|
drive |
additional.fields[script_id] |
additional.fields[api_method] |
|
keep |
attachment_name |
target.resource.attribute.labels [attachment_name] |
If the event.name log field value is equal to one of the following values, then the attachment_name log field is mapped to the target.resource.attribute.labels UDM field:
|
keep |
note_name |
target.url |
If the event.name log field value is equal to one of the following values, then the note_name log field is mapped to the target.url UDM field:
|
keep |
owner_email |
principal.user.email_addresses |
If the actor.email log field value is empty, then the owner_email log field is mapped to the principal.user.email_addresses UDM field. |
keep |
target.resource_subtype |
The target.resource_subtype UDM field is set to keep. | |
meet |
action_description |
security_result.action_details |
If the event.name log field value is equal to abuse_report_submitted, then the action_description log field is mapped to the security_result.action_details UDM field. |
meet |
action_reason |
security_result.summary |
|
meet |
conference_id |
target.resource.product_object_id |
If the event.name log field value is equal to one of the following values, then the conference_id log field is mapped to the target.resource.product_object_id UDM field:
|
meet |
calendar_event_id |
target.labels [calendar_event_id] (deprecated) |
|
meet |
calendar_event_id |
additional.fields [calendar_event_id] |
|
meet |
device_type |
principal.asset.attribute.labels [device_type] |
|
meet |
display_name |
principal.user.user_display_name |
If the event.name log field value is equal to one of the following values, then the display_name log field is mapped to the principal.user.user_display_name UDM field:
|
meet |
target_display_names |
target.user.user_display_name |
If the event.name log field value is equal to abuse_report_submitted, then the target_display_name log field is mapped to the target.user.user_display_name UDM field. |
meet |
duration_seconds |
target.resource.attribute.labels [duration_seconds] |
|
meet |
end_of_call_rating |
target.resource.attribute.labels [end_of_call_rating] |
|
meet |
endpoint_id |
security_result.about.labels [endpoint_id] (deprecated) |
|
meet |
endpoint_id |
additional.fields [endpoint_id] |
|
meet |
identifier |
principal.user.userid |
If the event.name log field value is equal to one of the following values, then the identifier log field is mapped to the principal.user.userid UDM field:
|
meet |
identifier_type |
principal.user.attribute.labels [identifier_type] |
|
meet |
ip_address |
target.ip |
If the ipAddress log field value is empty, then the ip_address log field is mapped to the target.ip UDM field. |
meet |
is_external |
principal.labels [is_external] (deprecated) |
|
meet |
is_external |
additional.fields [is_external] |
|
meet |
livestream_view_page_id |
target.resource.attribute.labels [livestream_view_page_id] |
|
meet |
location_country |
principal.location.country_or_region |
If the event.name log field value is equal to call_ended, then the location_country log field is mapped to the principal.location.country_or_region UDM field. |
meet |
location_region |
principal.user.attribute.labels [location_region] |
If the event.name log field value is equal to call_ended, then the location_region log field is mapped to the principal.location.country_or_region UDM field. |
meet |
meeting_code |
target.resource.product_object_id |
If the event.name log field value is equal to one of the following values, then the meeting_code log field is mapped to the target.resource.product_object_id UDM field:
|
meet |
organizer_email |
about.user.email_addresses |
If the event.name log field value is equal to one of the following values, then the organizer_email log field is mapped to the about.user.email_addresses UDM field:
|
meet |
product_type |
principal.resource.resource_subtype |
If the event.name log field value is equal to one of the following values, then the product_type log field is mapped to the principal.resource.resource_subtype UDM field:
|
meet |
target_email |
target.user.email_addresses |
If the event.name log field value is equal to abuse_report_submitted , then the target_email log field is mapped to the target.user.email_addresses UDM field. |
meet |
target_phone_number |
target.user.phone_numbers |
If the event.name log field value is equal to abuse_report_submitted , then the target_phone_number log field is mapped to the target.user.phone_numbers UDM field. |
meet |
audio_recv_packet_loss_max |
about.labels [audio_recv_packet_loss_max] (deprecated) |
|
meet |
audio_recv_packet_loss_max |
additional.fields [audio_recv_packet_loss_max] |
|
meet |
audio_recv_packet_loss_mean |
about.labels [audio_recv_packet_loss_mean] (deprecated) |
|
meet |
audio_recv_packet_loss_mean |
additional.fields [audio_recv_packet_loss_mean] |
|
meet |
audio_recv_seconds |
about.labels [audio_recv_seconds] (deprecated) |
|
meet |
audio_recv_seconds |
additional.fields [audio_recv_seconds] |
|
meet |
audio_send_bitrate_kbps_mean |
about.labels [audio_send_bitrate_kbps_mean] (deprecated) |
|
meet |
audio_send_bitrate_kbps_mean |
additional.fields [audio_send_bitrate_kbps_mean] |
|
meet |
audio_send_packet_loss_max |
about.labels [audio_send_packet_loss_max] (deprecated) |
|
meet |
audio_send_packet_loss_max |
additional.fields [audio_send_packet_loss_max] |
|
meet |
audio_send_packet_loss_mean |
about.labels [audio_send_packet_loss_mean] (deprecated) |
|
meet |
audio_send_packet_loss_mean |
additional.fields [audio_send_packet_loss_mean] |
|
meet |
audio_send_seconds |
about.labels [audio_send_seconds] (deprecated) |
|
meet |
audio_send_seconds |
additional.fields [audio_send_seconds] |
|
meet |
network_congestion |
about.labels [network_congestion] (deprecated) |
|
meet |
network_congestion |
additional.fields [network_congestion] |
|
meet |
network_estimated_download_kbps_mean |
about.labels [network_estimated_download_kbps_mean] (deprecated) |
|
meet |
network_estimated_download_kbps_mean |
additional.fields [network_estimated_download_kbps_mean] |
|
meet |
network_estimated_upload_kbps_mean |
about.labels [network_estimated_upload_kbps_mean] (deprecated) |
|
meet |
network_estimated_upload_kbps_mean |
additional.fields [network_estimated_upload_kbps_mean] |
|
meet |
network_recv_jitter_msec_max |
about.labels [network_recv_jitter_msec_max] (deprecated) |
|
meet |
network_recv_jitter_msec_max |
additional.fields [network_recv_jitter_msec_max] |
|
meet |
network_recv_jitter_msec_mean |
about.labels [network_recv_jitter_msec_mean] (deprecated) |
|
meet |
network_recv_jitter_msec_mean |
additional.fields [network_recv_jitter_msec_mean] |
|
meet |
network_rtt_msec_mean |
about.labels [network_rtt_msec_mean] (deprecated) |
|
meet |
network_rtt_msec_mean |
additional.fields [network_rtt_msec_mean] |
|
meet |
network_send_jitter_msec_mean |
about.labels [network_send_jitter_msec_mean] (deprecated) |
|
meet |
network_send_jitter_msec_mean |
additional.fields [network_send_jitter_msec_mean] |
|
meet |
network_transport_protocol |
about.labels [network_transport_protocol] (deprecated) |
|
meet |
network_transport_protocol |
additional.fields [network_transport_protocol] |
|
meet |
screencast_recv_bitrate_kbps_mean |
about.labels [screencast_recv_bitrate_kbps_mean] (deprecated) |
|
meet |
screencast_recv_bitrate_kbps_mean |
additional.fields [screencast_recv_bitrate_kbps_mean] |
|
meet |
screencast_recv_fps_mean |
about.labels [screencast_recv_fps_mean] (deprecated) |
|
meet |
screencast_recv_fps_mean |
additional.fields [screencast_recv_fps_mean] |
|
meet |
screencast_recv_long_side_median_pixels |
about.labels [screencast_recv_long_side_median_pixels] (deprecated) |
|
meet |
screencast_recv_long_side_median_pixels |
additional.fields [screencast_recv_long_side_median_pixels] |
|
meet |
screencast_recv_packet_loss_max |
about.labels [screencast_recv_packet_loss_max] (deprecated) |
|
meet |
screencast_recv_packet_loss_max |
additional.fields [screencast_recv_packet_loss_max] |
|
meet |
screencast_recv_packet_loss_mean |
about.labels [screencast_recv_packet_loss_mean] (deprecated) |
|
meet |
screencast_recv_packet_loss_mean |
additional.fields [screencast_recv_packet_loss_mean] |
|
meet |
screencast_recv_seconds |
about.labels [screencast_recv_seconds] (deprecated) |
|
meet |
screencast_recv_seconds |
additional.fields [screencast_recv_seconds] |
|
meet |
screencast_recv_short_side_median_pixels |
about.labels [screencast_recv_short_side_median_pixels] (deprecated) |
|
meet |
screencast_recv_short_side_median_pixels |
additional.fields [screencast_recv_short_side_median_pixels] |
|
meet |
screencast_send_bitrate_kbps_mean |
about.labels [screencast_send_bitrate_kbps_mean] (deprecated) |
|
meet |
screencast_send_bitrate_kbps_mean |
additional.fields [screencast_send_bitrate_kbps_mean] |
|
meet |
screencast_send_fps_mean |
about.labels [screencast_send_fps_mean] (deprecated) |
|
meet |
screencast_send_fps_mean |
additional.fields [screencast_send_fps_mean] |
|
meet |
screencast_send_long_side_median_pixels |
about.labels [screencast_send_long_side_median_pixels] (deprecated) |
|
meet |
screencast_send_long_side_median_pixels |
additional.fields [screencast_send_long_side_median_pixels] |
|
meet |
screencast_send_packet_loss_max |
about.labels [screencast_send_packet_loss_max] (deprecated) |
|
meet |
screencast_send_packet_loss_max |
additional.fields [screencast_send_packet_loss_max] |
|
meet |
screencast_send_packet_loss_mean |
about.labels [screencast_send_packet_loss_mean] (deprecated) |
|
meet |
screencast_send_packet_loss_mean |
additional.fields [screencast_send_packet_loss_mean] |
|
meet |
screencast_send_seconds |
about.labels [screencast_send_seconds] (deprecated) |
|
meet |
screencast_send_seconds |
additional.fields [screencast_send_seconds] |
|
meet |
screencast_send_short_side_median_pixels |
about.labels [screencast_send_short_side_median_pixels] (deprecated) |
|
meet |
screencast_send_short_side_median_pixels |
additional.fields [screencast_send_short_side_median_pixels] |
|
meet |
video_recv_fps_mean |
about.labels [video_recv_fps_mean] (deprecated) |
|
meet |
video_recv_fps_mean |
additional.fields [video_recv_fps_mean] |
|
meet |
video_recv_long_side_median_pixels |
about.labels [video_recv_long_side_median_pixels] (deprecated) |
|
meet |
video_recv_long_side_median_pixels |
additional.fields [video_recv_long_side_median_pixels] |
|
meet |
video_recv_packet_loss_max |
about.labels [video_recv_packet_loss_max] (deprecated) |
|
meet |
video_recv_packet_loss_max |
additional.fields [video_recv_packet_loss_max] |
|
meet |
video_recv_packet_loss_mean |
about.labels [video_recv_packet_loss_mean] (deprecated) |
|
meet |
video_recv_packet_loss_mean |
additional.fields [video_recv_packet_loss_mean] |
|
meet |
video_recv_seconds |
about.labels [video_recv_seconds] (deprecated) |
|
meet |
video_recv_seconds |
additional.fields [video_recv_seconds] |
|
meet |
video_recv_short_side_median_pixels |
about.labels [video_recv_short_side_median_pixels] (deprecated) |
|
meet |
video_recv_short_side_median_pixels |
additional.fields [video_recv_short_side_median_pixels] |
|
meet |
video_send_bitrate_kbps_mean |
about.labels [video_send_bitrate_kbps_mean] (deprecated) |
|
meet |
video_send_bitrate_kbps_mean |
additional.fields [video_send_bitrate_kbps_mean] |
|
meet |
video_send_fps_mean |
about.labels [video_send_fps_mean] (deprecated) |
|
meet |
video_send_fps_mean |
additional.fields [video_send_fps_mean] |
|
meet |
video_send_long_side_median_pixels |
about.labels [video_send_long_side_median_pixels] (deprecated) |
|
meet |
video_send_long_side_median_pixels |
additional.fields [video_send_long_side_median_pixels] |
|
meet |
video_send_packet_loss_max |
about.labels [video_send_packet_loss_max] (deprecated) |
|
meet |
video_send_packet_loss_max |
additional.fields [video_send_packet_loss_max] |
|
meet |
video_send_packet_loss_mean |
about.labels [video_send_packet_loss_mean] (deprecated) |
|
meet |
video_send_packet_loss_mean |
additional.fields [video_send_packet_loss_mean] |
|
meet |
video_send_seconds |
about.labels [video_send_seconds] (deprecated) |
|
meet |
video_send_seconds |
additional.fields [video_send_seconds] |
|
meet |
video_send_short_side_median_pixels |
about.labels [video_send_short_side_median_pixels] (deprecated) |
|
meet |
video_send_short_side_median_pixels |
additional.fields [video_send_short_side_median_pixels] |
|
meet |
action_time |
about.labels[action_time] (deprecated) |
|
meet |
action_time |
additional.fields[action_time] |
|
meet |
target_user_count |
target.user.attribute.labels[target_user_count] |
|
meet |
streaming_session_state |
about.labels[streaming_session_state] (deprecated) |
|
meet |
streaming_session_state |
additional.fields[streaming_session_state] |
|
login |
affected_email_address |
target.user.email_addresses |
If the event.name log field value is equal to one of the following values, then the affected_email_address log field is mapped to the target.user.email_addresses UDM field:
|
login |
login_timestamp |
security_result.detection_fields [login_timestamp] |
|
login |
is_second_factor |
about.labels[is_2sv] (deprecated) |
|
login |
is_second_factor |
additional.fields[is_2sv] |
|
login |
is_suspicious |
about.labels[is_suspicious] (deprecated) |
|
login |
is_suspicious |
additional.fields[is_suspicious] |
|
login |
login_failure_type |
security_result.summary |
|
login |
login_challenge_status |
about.labels[login_challenge_status] (deprecated) |
|
login |
login_challenge_status |
additional.fields[login_challenge_status] |
|
login |
login_challenge_method |
security_result.detection_fields [login_challenge_method] |
|
login |
login_challenge_method |
security_result.detection_fields [login_challenge_method_attempts_count] |
|
login |
login_type |
security_result.detection_fields [login_type] |
|
login |
sensitive_action_name |
security_result.action_details [sensitive_action_name] |
|
login |
extensions.auth.mechanism |
If the param.value log field value is equal to google_password , then the extensions.auth.mechanism UDM field is set to USERNAME_PASSWORD . Else, the extensions.auth.mechanism UDM field is set to MECHANISM_UNSPECIFIED . | |
login |
extensions.auth.type |
If the param.value log field value is equal to google_password , then the extensions.auth.type UDM field is set to SSO . | |
login |
security_result.action |
If the event.name log field value is equal to one of the following values, then the security_result.action UDM field is set to BLOCK :
| |
token |
api_name |
about.resource.attribute.labels [api_name] |
|
token |
app_name |
target.resource.name |
If the event.name log field value is equal to one of the following values, then the app_name log field is mapped to the target.resource.name UDM field:
|
token |
client_id |
principal.asset.attribute.labels [client_id] |
If the event.name log field value is equal to one of the following values, then the client_id log field is mapped to the principal.asset.attribute.labels UDM field:
|
token |
client_type |
principal.asset.attribute.labels [client_type] |
|
token |
method_name |
target.resource.attribute.labels [method_name] |
|
token |
num_response_bytes |
target.resource.attribute.labels [num_response_bytes] |
|
token |
product_bucket |
target.resource.attribute.labels [product_bucket] |
|
token |
scope |
target.resource.attribute.labels [scope] |
|
token |
scope_data |
target.resource.attribute.labels [scope_data] |
|
token |
rejection_type |
target.resource.attribute.labels [rejection_type] |
|
rules |
actions |
security_result.action_details [actions] |
|
rules |
triggered_actions |
security_result.action_details [actions] |
|
rules |
actor_ip_address |
principal.ip |
If the ipAddress log field value is empty, then the actor_ip_address log field is mapped to the principal.ip UDM field. |
rules |
application |
target.resource.attribute.labels[application] |
|
rules |
conference_id |
target.resource.attribute.labels [conference_id] |
|
rules |
data_source |
security_result.detection_fields [data_source] |
|
rules |
device_id |
target.asset.asset_id |
If the event.name log field value is equal to one of the following values, then the device_id log field is mapped to the target.asset.asset_id UDM field:
|
rules |
device_type |
target.asset.attribute.labels[device_type] |
|
rules |
drive_shared_drive_id |
target.resource.attribute.labels[drive_shared_drive_id] |
|
rules |
evaluation_context |
about.labels [evaluation_context] (deprecated) |
|
rules |
evaluation_context |
additional.fields [evaluation_context] |
|
rules |
has_alert |
security_result.about.labels [has_alert] (deprecated) |
|
rules |
has_alert |
additional.fields [has_alert] |
|
rules |
has_content_match |
security_result.about.labels [has_content_match] (deprecated) |
|
rules |
has_content_match |
additional.fields [has_content_match] |
|
rules |
matched_detectors |
security_result.detection_fields [matched_detectors] |
|
rules |
matched_templates |
security_result.detection_fields [matched_templates] |
|
rules |
matched_threshold |
security_result.detection_fields [matched_threshold] |
|
rules |
matched_trigger |
security_result.detection_fields [matched_trigger] |
|
rules |
mobile_device_type |
target.asset.category |
If the event.name log field value is equal to rule_match , then the mobile_device_type log field is mapped to the target.asset.category UDM field. |
rules |
mobile_ios_vendor_id |
target.asset.attribute.labels [mobile_ios_vendor_id] |
|
rules |
resource_id |
target.resource.product_object_id |
If the event.name log field value is equal to one of the following values, then the resource_id log field is mapped to the target.resource.product_object_id UDM field:
|
rules |
resource_name |
target.resource.name |
If the event.name log field value is equal to rule_match , then the resource_name log field is mapped to the target.resource.name UDM field. |
rules |
resource_title |
target.labels [resource_title] (deprecated) |
|
rules |
resource_title |
additional.fields [resource_title] |
|
rules |
resource_owner_email |
principal.user.email_addresses |
If the actor.email log field value is not equal to resource_owner_email , then the principal.user.email_addresses UDM field is set to resource_owner_email . |
rules |
resource_recipients |
principal.user.email_addresses |
If the actor.email log field value is not equal to resource_recipients , then the principal.user.email_addresses UDM field is set to resource_recipients . |
rules |
resource_recipients_omitted_count |
target.labels [resource_recipients_omitted_count] (deprecated) |
|
rules |
resource_recipients_omitted_count |
additional.fields [resource_recipients_omitted_count] |
|
rules |
resource_type |
target.resource.resource_subtype |
If the event.name log field value is equal to one of the following values, then the resource_type log field is mapped to the target.resource.resource_subtype UDM field:
|
rules |
rule_name |
security_result.rule_name |
If the event.name log field value is equal to one of the following values, then the rule_name log field is mapped to the security_result.rule_name UDM field:
|
rules |
rule_id |
security_result.rule_id |
If the event.name log field value is equal to rule_match , then the rule_id log field is mapped to the security_result.rule_id UDM field. |
rules |
rule_resource_name |
security_result.rule_labels [rule_resource_name] |
|
rules |
rule_type |
security_result.rule_type |
If the event.name log field value is equal to one of the following values, then the rule_type log field is mapped to the security_result.rule_type UDM field:
|
rules |
rule_update_time_usec |
security_result.rule_labels [rule_update_time_usec] |
|
rules |
scan_type |
security_result.about.labels [scan_type] (deprecated) |
|
rules |
scan_type |
additional.fields [scan_type] |
|
rules |
severity |
security_result.severity |
If the event.name log field value is equal to one of the following values, then the severity log field is mapped to the security_result.severity UDM field:
|
rules |
space_id |
target.resource.attribute.labels [space_id] |
|
rules |
space_type |
target.resource.attribute.labels [space_type] |
|
rules |
suppressed_actions |
security_result.about.labels [suppressed_actions] (deprecated) |
|
rules |
suppressed_actions |
additional.fields [suppressed_actions] |
|
rules |
label_field |
target.resource.attribute.labels [label_field] |
|
rules |
label_title |
target.resource.attribute.labels [label_title] |
|
rules |
new_value |
target.resource.attribute.labels [new_value] |
|
rules |
old_value |
target.resource.attribute.labels [old_value] |
|
rules |
blocked_recipients |
target.user.email_addresses |
|
rules |
snippets |
target.resource.attribute.labels [snippets] |
|
saml |
application_name |
target.application |
If the event.name log field value is equal to one of the following values, then the application_name log field is mapped to the target.application UDM field:
|
saml |
device_id |
principal.asset.asset_id |
If the event.name log field value is equal to one of the following values, then the device_id log field is mapped to the principal.asset.asset_id UDM field:
|
saml |
failure_type |
security_result.summary |
If the event.name log field value is equal to login_failure , then the failure_type log field is mapped to the security_result.summary UDM field. |
saml |
initiated_by |
security_result.detection_fields[initiated_by] |
If the event.name log field value is equal to one of the following values, then the initiated_by log field is mapped to the security_result.detection_fields UDM field:
|
saml |
orgunit_path |
target.user.attribute.labels [orgunit_path] |
If the event.name log field value is equal to one of the following values, then the orgunit_path log field is mapped to the target.user.attribute.labels UDM field:
|
saml |
saml_second_level_status_code |
security_result.about.labels [saml_second_level_status_code] (deprecated) |
|
saml |
saml_second_level_status_code |
additional.fields [saml_second_level_status_code] |
|
saml |
saml_status_code |
security_result.about.labels [saml_status_code] (deprecated) |
|
saml |
saml_status_code |
additional.fields [saml_status_code] |
|
saml |
security_result.action |
If the event.name log field value is equal to login_failure , then the security_result.action UDM field is set to BLOCK . | |
user_accounts |
email_forwarding_destination_address |
target.user.email_addresses |
|
groups |
acl_permission |
target.group.attribute.roles.name |
If the event.name log field value is equal to change_acl_permission , then the acl_permission log field is mapped to the target.group.attribute.roles.name UDM field. |
groups |
basic_setting |
target.group.attribute.labels [basic_setting] |
|
groups |
group_email |
target.group.email_addresses |
If the event.name log field value is equal to one of the following values, then the group_email log field is mapped to the target.group.email_addresses UDM field:
|
groups |
identity_setting |
target.group.attribute.labels [identity_setting] |
|
groups |
info_setting |
target.group.attribute.labels [info_setting] |
|
groups |
message_id |
network.email.mail_id |
If the event.name log field value is equal to moderate_message , then the message_id log field is mapped to the network.email.mail_id UDM field. |
groups |
message_moderation_action |
target.group.attribute.labels [message_moderation_action] |
|
groups |
member_role |
target.user.attribute.roles.name |
If the event.name log field value is equal to add_user , then the member_role log field is mapped to the target.user.attribute.roles.name UDM field. |
groups |
new_members_restrictions_setting |
target.group.attribute.labels [new_members_restrictions_setting] |
|
groups |
new_value |
target.group.attribute.labels [new_value] |
|
groups |
new_value_repeated |
target.group.attribute.labels [new_value_repeated] |
|
groups |
old_value |
target.group.attribute.labels [old_value] |
|
groups |
old_value_repeated |
target.group.attribute.labels [old_value_repeated] |
|
groups |
post_replies_setting |
target.group.attribute.labels [post_replies_setting] |
|
groups |
spam_moderation_setting |
target.group.attribute.labels [spam_moderation_setting] |
|
groups |
status |
target.group.attribute.labels[status] |
|
groups |
topic_setting |
target.group.attribute.labels [topic_setting] |
|
groups |
user_email |
target.user.email_addresses |
If the event.name log field value is equal to one of the following values, then the user_email log field is mapped to the target.user.email_addresses UDM field:
|
groups |
user_email |
principal.user.email_addresses |
If the event.name log field value is equal to unsubscribe_via_mail and the actor.email log field value is not equal to the user_email , then the user_email log field is mapped to the principal.user.email_addresses UDM field. |
groups |
value |
target.group.attribute.labels [value_of_info_setting] |
|
admin |
USER_EMAIL |
src.user.email_addresses |
If the event.name log field value is equal to CREATE_DATA_TRANSFER_REQUEST , then the USER_EMAIL log field is mapped to the src.user.email_addresses UDM field. |
admin |
USER_EMAIL |
target.user.email_addresses |
If the event.name log field value is equal to one of the following values, then the USER_EMAIL log field is mapped to the target.user.email_addresses UDM field:
|
admin |
DESTINATION_USER_EMAIL |
target.user.email_addresses |
|
admin |
DEVICE_ID |
target.asset.asset_id |
If the event.name log field value is equal to one of the following values, then the DEVICE_ID log field is mapped to the target.asset.asset_id UDM field:
|
admin |
DEVICE_TYPE |
target.platform |
If the DEVICE_TYPE log field value matches the regular expression pattern (?i)windows , then the target.platform UDM field is set to WINDOWS .
Else, if the DEVICE_TYPE log field value matches the regular expression pattern (?i)mac , then the target.platform UDM field is set to MAC .
Else, if the DEVICE_TYPE log field value matches the regular expression pattern (?i)linux , then the target.platform UDM field is set to LINUX .
Else, if the DEVICE_TYPE log field value matches the regular expression pattern (?i)ios , then the target.platform UDM field is set to IOS .
Else, if the DEVICE_TYPE log field value matches the regular expression pattern (?i)android , then the target.platform UDM field is set to ANDROID .
Else, if the DEVICE_TYPE log field value matches the regular expression pattern (?i)chrome , then the target.platform UDM field is set to CHROME_OS . |
admin |
APP_ID |
target.resource.name |
If the event.name log field value is equal to one of the following values, then the APP_ID log field is mapped to the target.resource.name UDM field:
|
admin |
NEW_VALUE |
target.resource.name |
If the event.name log field value is equal to MAIL_ROUTING_DESTINATION_ADDED , then the NEW_VALUE log field is mapped to the target.resource.name UDM field. |
admin |
SETTING_NAME |
target.resource.name |
If the event.name log field value is equal to one of the following values, then the SETTING_NAME log field is mapped to the target.resource.name UDM field:
|
admin |
CERTIFICATE_NAME |
target.resource.name |
If the event.name log field value is equal to GENERATE_CERTIFICATE , then the CERTIFICATE_NAME log field is mapped to the target.resource.name UDM field. |
admin |
ACCESS_LEVEL_NAME |
target.resource.name |
If the event.name log field value is equal to UPDATE_ACCESS_LEVEL_V2 , then the ACCESS_LEVEL_NAME log field is mapped to the target.resource.name UDM field. |
admin |
ASP_ID |
target.labels [asp_id] (deprecated) |
|
admin |
ASP_ID |
additional.fields [asp_id] |
|
admin |
NEW_VALUE |
target.resource.attribute.labels [new_value] |
If the event.name log field value is equal to one of the following values, then the NEW_VALUE log field is mapped to the target.resource.attribute.labels UDM field:
|
admin |
NEW_VALUE |
target.labels [new_value] (deprecated) |
If the event.name log field value is equal to one of the following values, then the NEW_VALUE log field is mapped to the target.labels UDM field:
|
admin |
NEW_VALUE |
additional.fields [new_value] |
If the event.name log field value is equal to one of the following values, then the NEW_VALUE log field is mapped to the additional.fields UDM field:
|
admin |
NEW_VALUE |
target.user.attribute.labels [new_value] |
|
admin |
NEW_VALUE |
target.user.user_display_name |
If the event.name log field value is equal to one of the following values, then the NEW_VALUE log field is mapped to the target.user.user_display_name UDM field:
|
admin |
NEW_VALUE |
target.user.first_name |
If the event.name log field value is equal to CHANGE_FIRST_NAME , then the NEW_VALUE log field is mapped to the target.user.first_name UDM field. |
admin |
NEW_VALUE |
target.user.last_name |
If the event.name log field value is equal to CHANGE_LAST_NAME , then the NEW_VALUE log field is mapped to the target.user.last_name UDM field. |
admin |
OLD_VALUE |
target.resource.attribute.labels [old_value] |
If the event.name log field value is equal to one of the following values, then the OLD_VALUE log field is mapped to the target.resource.attribute.labels UDM field:
|
admin |
OLD_VALUE |
target.labels [old_value] (deprecated) |
If the event.name log field value is equal to one of the following values, then the OLD_VALUE log field is mapped to the target.labels UDM field:
|
admin |
OLD_VALUE |
additional.fields [old_value] |
If the event.name log field value is equal to one of the following values, then the OLD_VALUE log field is mapped to the additional.fields UDM field:
|
admin |
OLD_VALUE |
target.user.attribute.labels [old_value] |
|
admin |
BULK_UPLOAD_FAIL_USERS_NUMBER |
target.user.attribute.labels [bulk_upload_fail_users_number] |
|
admin |
BULK_UPLOAD_TOTAL_USERS_NUMBER |
target.user.attribute.labels [bulk_upload_total_users_number] |
|
admin |
SYSTEM_DEFINED_RULE_NAME |
security_result.rule_name |
If the event.name log field value is equal to SYSTEM_DEFINED_RULE_UPDATED , then the SYSTEM_DEFINED_RULE_NAME log field is mapped to the security_result.rule_name UDM field. |
admin |
ALERT_NAME |
security_result.rule_name |
|
admin |
SECURITY_CENTER_RULE_NAME |
security_result.rule_name |
|
admin |
DOMAIN_NAME |
target.domain.name |
|
admin |
USER_CUSTOM_FIELD |
target.user.attribute.labels [user_custom_field] |
|
admin |
BEGIN_DATE_TIME |
target.resource.attribute.labels [begin_date_time] |
|
admin |
EMAIL_MONITOR_DEST_EMAIL |
target.resource.attribute.labels [email_monitor_dest_email] |
|
admin |
EMAIL_MONITOR_LEVEL_CHAT |
target.resource.attribute.labels [email_monitor_level_chat] |
|
admin |
EMAIL_MONITOR_LEVEL_DRAFT_EMAIL |
target.resource.attribute.labels [email_monitor_level_draft_email] |
|
admin |
EMAIL_MONITOR_LEVEL_INCOMING_EMAIL |
target.resource.attribute.labels [email_monitor_level_incoming_email] |
|
admin |
EMAIL_MONITOR_LEVEL_OUTGOING_EMAIL |
target.resource.attribute.labels [email_monitor_level_outgoing_email] |
|
admin |
END_DATE_TIME |
target.resource.attribute.labels [end_date_time] |
|
admin |
APPLICATION_NAME |
target.application |
If the event.name log field value is equal to one of the following values, then the APPLICATION_NAME log field is mapped to the target.application UDM field:
|
admin |
SERVICE_NAME |
target.application |
If the event.name log field value is equal to TOGGLE_SERVICE_ENABLED , then the SERVICE_NAME log field is mapped to the target.application UDM field. |
admin |
REAUTH_APPLICATION |
target.application |
If the event.name log field value is equal to SESSION_CONTROL_SETTINGS_CHANGE , then the REAUTH_APPLICATION log field is mapped to the target.application UDM field. |
admin |
OAUTH2_SERVICE_NAME |
target.application |
If the event.name log field value is equal to DISALLOW_SERVICE_FOR_OAUTH2_ACCESS , then the OAUTH2_SERVICE_NAME log field is mapped to the target.application UDM field. |
admin |
OAUTH2_APP_NAME |
target.application |
If the event.name log field value is equal to one of the following values, then the OAUTH2_APP_NAME log field is mapped to the target.application UDM field:
|
admin |
REQUEST_ID |
target.labels [request_id] (deprecated) |
|
admin |
REQUEST_ID |
additional.fields [request_id] |
|
admin |
GMAIL_RESET_REASON |
security_result.summary |
|
admin |
USER_NICKNAME |
target.user.attribute.labels[nickname] |
|
admin |
EMAIL_EXPORT_INCLUDE_DELETED |
target.resource.attribute.labels [email_export_include_deleted] |
|
admin |
EMAIL_EXPORT_PACKAGE_CONTENT |
target.resource.attribute.labels [email_export_package_content] |
|
admin |
SEARCH_QUERY_FOR_DUMP |
target.resource.attribute.labels [search_query_for_dump] |
|
admin |
BIRTHDATE |
target.user.attribute.labels [birthdate] |
|
admin |
ORG_UNIT_NAME |
target.labels[org_unit_name] (deprecated) |
If the event.name log field value is equal to one of the following values, then the ORG_UNIT_NAME log field is mapped to the target.labels UDM field:
|
admin |
ORG_UNIT_NAME |
additional.fields[org_unit_name] |
If the event.name log field value is equal to one of the following values, then the ORG_UNIT_NAME log field is mapped to the additional.fields UDM field:
|
admin |
ORG_UNIT_NAME |
about.labels[org_unit_name] (deprecated) |
|
admin |
ORG_UNIT_NAME |
additional.fields[org_unit_name] |
|
admin |
ROLE_ID |
target.resource.attribute.labels[role_id] |
|
admin |
ROLE_NAME |
target.resource.attribute.roles.name |
|
admin |
API_SCOPES |
target.user.attribute.labels[api_scopes] |
|
admin |
API_CLIENT_NAME |
target.user.userid |
If the API_CLIENT_NAME log field value matches the regular expression ^(.){1,256}$ , then the API_CLIENT_NAME log field is mapped to the target.user.userid UDM field. |
admin |
API_CLIENT_NAME |
target.user.attribute.labels[api_client_name] |
If the API_CLIENT_NAME log field value doesn't match the regular expression ^(.){1,256}$ , then the API_CLIENT_NAME log field is mapped to the target.user.attribute.labels[api_client_name] UDM field. |
admin |
EMAIL_LOG_SEARCH_END_DATE |
about.labels[email_log_search_end_date] (deprecated) |
|
admin |
EMAIL_LOG_SEARCH_END_DATE |
additional.fields[email_log_search_end_date] |
|
admin |
EMAIL_LOG_SEARCH_MSG_ID |
network.email.mail_id |
|
admin |
EMAIL_LOG_SEARCH_RECIPIENT |
network.email.to |
|
admin |
EMAIL_LOG_SEARCH_SENDER |
network.email.from |
|
admin |
EMAIL_LOG_SEARCH_SMTP_RECIPIENT_IP |
about.labels[email_log_search_smtp_recipient_ip] (deprecated) |
|
admin |
EMAIL_LOG_SEARCH_SMTP_RECIPIENT_IP |
additional.fields[email_log_search_smtp_recipient_ip] |
|
admin |
EMAIL_LOG_SEARCH_SMTP_SENDER_IP |
about.labels[email_log_search_smtp_sender_ip] (deprecated) |
|
admin |
EMAIL_LOG_SEARCH_SMTP_SENDER_IP |
additional.fields[email_log_search_smtp_sender_ip] |
|
admin |
EMAIL_LOG_SEARCH_START_DATE |
about.labels[email_log_search_start_date] (deprecated) |
|
admin |
EMAIL_LOG_SEARCH_START_DATE |
additional.fields[email_log_search_start_date] |
|
admin |
ALERT_ID |
security_result.detection_fields[alert_id] |
|
admin |
INVESTIGATION_DATA_SOURCE |
security_result.detection_fields[investigation_data_source] |
|
admin |
INVESTIGATION_QUERY |
security_result.detection_fields[investigation_query] |
|
admin |
GROUP_EMAIL |
target.group.email_addresses |
|
admin |
PRODUCT_NAME |
target.resource.attribute.labels[product_name] |
|
admin |
INVESTIGATION_ACTION |
security_result.detection_fields[investigation_action] |
|
admin |
INVESTIGATION_ENTITY_IDS |
security_result.detection_fields[investigation_entity_ids] |
|
admin |
INVESTIGATION_OBJECT_IDENTIFIER |
security_result.detection_fields[investigation_object_identifier] |
|
admin |
INVESTIGATION_URL_DISPLAY_TEXT |
security_result.detection_fields[investigation_display_text] |
|
admin |
CHART_NAME |
about.labels [chart_name] (deprecated) |
|
admin |
CHART_NAME |
additional.fields [chart_name] |
|
admin |
CHART_FILTERS |
about.labels [chart_filters] (deprecated) |
|
admin |
CHART_FILTERS |
additional.fields [chart_filters] |
|
admin |
START_DATE |
about.labels [start_date] (deprecated) |
|
admin |
START_DATE |
additional.fields [start_date] |
|
admin |
END_DATE |
about.labels [end_date] (deprecated) |
|
admin |
END_DATE |
additional.fields [end_date] |
|
admin |
target.resource.resource_type |
If the event.name log field value is not equal to one of the following values, then the target.resource.resource_type UDM field is set to SETTING:
If the event.name log field value is equal to GENERATE_CERTIFICATE, then the target.resource.resource_type UDM field is set to CREDENTIAL. | |
admin |
SYSTEM_DEFINED_RULE_ACTION_STATUS_CHANGE |
security_result.rule_labels[system_defined_rule_action_status_change] |
|
admin |
SYSTEM_DEFINED_RULE_ACTION_SEVERITY_CHANGE |
security_result.rule_labels[system_defined_rule_action_severity_change] |
|
admin |
SYSTEM_DEFINED_RULE_ACTION_RECEIVERS_CHANGE |
security_result.rule_labels[system_defined_rule_action_receivers_change] |
|
admin |
COMPANY_DEVICE_ID |
target.asset_id |
|
admin |
APPLICATION_ENABLED |
target.labels[application_enabled] (deprecated) |
|
admin |
APPLICATION_ENABLED |
additional.fields[application_enabled] |
|
admin |
DISTRIBUTION_ENTITY_NAME |
target.labels[distribution_entity_name] (deprecated) |
|
admin |
DISTRIBUTION_ENTITY_NAME |
additional.fields[distribution_entity_name] |
|
admin |
DISTRIBUTION_ENTITY_TYPE |
target.labels[distribution_entity_type] (deprecated) |
|
admin |
DISTRIBUTION_ENTITY_TYPE |
additional.fields[distribution_entity_type] |
|
admin |
MOBILE_APP_PACKAGE_ID |
target.labels[mobile_app_package_id] (deprecated) |
|
admin |
MOBILE_APP_PACKAGE_ID |
additional.fields[mobile_app_package_id] |
|
admin |
APPLICATION_EDITION |
target.labels[application_edition] (deprecated) |
|
admin |
APPLICATION_EDITION |
additional.fields[application_edition] |
|
admin |
REAUTH_SETTING_NEW |
target.labels[reauth_setting_new] (deprecated) |
|
admin |
REAUTH_SETTING_NEW |
additional.fields[reauth_setting_new] |
|
admin |
REAUTH_SETTING_OLD |
target.labels[reauth_setting_old] (deprecated) |
|
admin |
REAUTH_SETTING_OLD |
additional.fields[reauth_setting_old] |
|
admin |
ALLOWED_TWO_STEP_VERIFICATION_METHOD |
target.labels[allowed_2sv_method] (deprecated) |
|
admin |
ALLOWED_TWO_STEP_VERIFICATION_METHOD |
additional.fields[allowed_2sv_method] |
|
admin |
CERTIFICATE_TYPE |
target.resource.resource_subtype |
|
admin |
SAML2_SERVICE_PROVIDER_ENTITY_ID |
about.labels[saml2_service_provider_entity_id] (deprecated) |
|
admin |
SAML2_SERVICE_PROVIDER_ENTITY_ID |
additional.fields[saml2_service_provider_entity_id] |
|
admin |
SAML2_SERVICE_PROVIDER_NAME |
about.labels[saml2_service_provider_name] (deprecated) |
|
admin |
SAML2_SERVICE_PROVIDER_NAME |
additional.fields[saml2_service_provider_name] |
|
admin |
SERVICE_ACCOUNT_EMAIL |
about.user.email_addresses |
|
admin |
about.user.account_type |
If the event.name log field value is equal to ENABLE_DIRECTORY_SYNC and the SERVICE_ACCOUNT_EMAIL log field value is not empty, then the about.user.account_type UDM field is set to SERVICE_ACCOUNT_TYPE. |
|
admin |
DEVICE_NEW_STATE |
target.asset.attribute.labels[device_new_state] |
|
admin |
DEVICE_PREVIOUS_STATE |
target.asset.attribute.labels[device_previous_state] |
|
admin |
DEVICE_SERIAL_NUMBER |
target.asset.hardware.serial_number |
|
admin |
INVESTIGATION_ACTION_NUM_ATTEMPTED |
security_result.detection_fields[investigation_action_num_attempt] |
|
admin |
INVESTIGATION_ACTION_NUM_SUCCESS |
security_result.detection_fields[investigation_action_num_success] |
|
admin |
INVESTIGATION_ACTION_NUM_FAILED |
security_result.detection_fields[investigation_action_num_failed] |
|
admin |
INVESTIGATION_ACTION_IDENTIFIER |
security_result.detection_fields[investigation_action_identifier] |
|
admin |
INVESTIGATION_ACTION_ID |
security_result.detection_fields[investigation_action_id] |
|
admin |
SETTING_DESCRIPTION |
target.resource.attribute.labels[setting_description] |
|
admin |
USER_DEFINED_SETTING_NAME |
target.resource.attribute.labels[user_defined_setting_name] |
|
admin |
ACTION_TYPE |
security_result.action_details |
|
admin |
security_result.action |
If the ACTION_TYPE log field value is equal to BLOCK, then the security_result.action UDM field is set to BLOCK. Else, the security_result.action UDM field is set to ALLOW. |
|
admin |
ACTION_ID |
security_result.detection_fields[action_id] |
|
admin |
OAUTH2_APP_ID |
additional.fields [oauth2_app_id] |
|
admin |
OAUTH2_APP_TYPE |
additional.fields [oauth2_app_type] |
|
admin |
ACCESS_LEVEL_TITLE |
target.resource.attribute.labels [access_level_title] |
|
admin |
ACCESS_LEVEL_CURR_STATE |
target.resource.attribute.labels [access_level_curr_state] |
|
admin |
ACCESS_LEVEL_PREV_STATE |
target.resource.attribute.labels [access_level_prev_state] |
|
admin |
AUTH_PRINCIPLE_EMAIL |
principal.user.email_addresses |
If the actor.email log field value is not equal to the AUTH_PRINCIPLE_EMAIL log field value, then the AUTH_PRINCIPLE_EMAIL log field is mapped to the principal.user.email_addresses UDM field. |
admin |
INVESTIGATION_ADMIN_EMAIL |
principal.user.email_addresses |
If the actor.email log field value is not equal to the INVESTIGATION_ADMIN_EMAIL log field value, then the INVESTIGATION_ADMIN_EMAIL log field is mapped to the principal.user.email_addresses UDM field. |
admin |
target.resource.resource_type |
If the event.name log field value is equal to UPDATE_ACCESS_LEVEL_V2, then the target.resource.resource_type UDM field is set to ACCESS_POLICY. |
|
admin |
APP_RESOURCE_ID |
additional.fields [app_resource_id] |
|
admin |
SECURITY_CENTER_RULE_TRIGGER_WINDOW |
security_result.rule_labels[security_center_rule_trigger_window] |
|
admin |
SECURITY_CENTER_RULE_CONDITION |
security_result.rule_labels[security_center_rule_condition] |
|
admin |
SECURITY_CENTER_RULE_THRESHOLD |
security_result.rule_labels[security_center_rule_threshold] |
|
admin |
SECURITY_CENTER_RULE_TIME_FRAME |
security_result.rule_labels[security_center_rule_time_frame] |
|
admin |
SECURITY_CENTER_RULE_ACTION |
security_result.rule_labels[security_center_rule_action] |
|
admin |
QUARANTINE_NAME |
additional.fields[quarantine_name] |
|
jamboard |
CURRENT_JAMBOARD_NAME |
target.asset.attribute.labels [current_jamboard_name] |
If the event.name log field value is equal to one of the following values, then the CURRENT_JAMBOARD_NAME log field is mapped to the target.asset.attribute.labels UDM field:
|
jamboard |
JAMBOARD_ID |
target.asset.asset_id |
|
jamboard |
LICENSE_ENROLLMENT_STATE |
target.asset.attribute.labels [license_enrollment_state] |
|
jamboard |
PROVISION_STATE |
target.asset.attribute.labels [provision_state] |
|
jamboard |
ON_OFF |
target.asset.attribute.labels [on_off] |
|
jamboard |
NEW_ADDITIONAL_IMES |
target.asset.attribute.labels [new_additional_imes] |
|
jamboard |
OLD_ADDITIONAL_IMES |
target.asset.attribute.labels [old_additional_imes] |
|
jamboard |
NEW_DEMO_MODE_AVAILABILITY |
target.asset.attribute.labels [new_demo_mode_availability] |
|
jamboard |
OLD_DEMO_MODE_AVAILABILITY |
target.asset.attribute.labels [old_demo_mode_availability] |
|
jamboard |
NEW_LANGUAGE |
target.asset.attribute.labels [new_language] |
|
jamboard |
OLD_LANGUAGE |
target.asset.attribute.labels [old_language] |
|
jamboard |
NEW_LOCATION |
target.asset.location.name |
If the event.name log field value is equal to DEVICE_LOCATION_CHANGE, then the NEW_LOCATION log field is mapped to the target.asset.location.name UDM field. |
jamboard |
OLD_LOCATION |
target.asset.attribute.labels [old_location] |
|
jamboard |
OLD_JAMBOARD_NAME |
target.asset.attribute.labels [old_jamboard_name] |
|
jamboard |
NEW_NOTE |
target.resource.attribute.labels [new_note] |
|
jamboard |
OLD_NOTE |
target.resource.attribute.labels [old_note] |
|
jamboard |
DEVICE_TYPE |
target.asset.attribute.labels [device_type] |
|
jamboard |
NEW_DEVICE |
target.asset.attribute.labels [new_device] |
|
jamboard |
OLD_DEVICE |
target.asset.attribute.labels [old_device] |
|
jamboard |
NEW_TIMEOUT_VALUE |
target.asset.attribute.labels [new_timeout_value] |
|
jamboard |
OLD_TIMEOUT_VALUE |
target.asset.attribute.labels [old_timeout_value] |
|
jamboard |
JAMBOARD_SETTING |
target.asset.attribute.labels [jamboard_setting] |
|
jamboard |
COMPONENT |
target.asset.attribute.labels [component] |
|
jamboard |
NEW_VERSION |
target.asset.software.version |
If the event.name log field value is equal to DEVICE_UPDATE, then the NEW_VERSION log field is mapped to the target.asset.software.version UDM field. |
jamboard |
OLD_VERSION |
target.asset.attribute.labels [old_version] |
|
gmail |
events.parameters[delivery].msgValue[message_info].parameter.value[description] |
metadata.description |
|
gmail |
events.parameters[delivery].msgValue[event_info].parameter.intValue[timestamp_usec] |
metadata.event_timestamp |
|
gmail |
events.parameters[delivery].msgValue[event_info].parameter.intValue[mail_event_type] |
metadata.product_event_type |
|
gmail |
id.applicationName |
metadata.product_name |
|
gmail |
metadata.vendor_name |
The metadata.vendor_name UDM field is set to Google Workspace. | |
gmail |
events.parameters[delivery].msgValue[message_info].parameter.value[rfc2822_message_id] |
network.email.mail_id |
|
gmail |
events.parameters[delivery].msgValue[message_info].parameter.value[subject] |
network.email.subject |
|
gmail |
events.parameters[delivery].msgValue[message_info].parameter.intValue[payload_size] |
network.sent_bytes |
|
gmail |
events.parameters[delivery].msgValue[event_info].parameter.intValue[elapsed_time_usec] |
network.session_duration |
|
gmail |
events.parameters[delivery].msgValue[message_info].parameter.msgValue[connection_info].parameter.intValue[smtp_tls_state] |
network.smtp.is_tls |
If this log field value is equal to 0, then the network.smtp.is_tls UDM field is set to false. Else, if this log field value is equal to 1, then the network.smtp.is_tls UDM field is set to true. |
gmail |
events.parameters[delivery].msgValue[message_info].parameter.multiMsgValue[destination].parameter.value[address] |
network.smtp.rcpt_to |
|
gmail |
events.parameters[delivery].msgValue[message_info].parameter.msgValue[connection_info].parameter.intValue[smtp_response_reason] |
network.smtp.server_response |
The network.smtp.server_response UDM field is set to <smtp_reply_code> - <reason>, where <smtp_reply_code> is events.parameters[delivery].msgValue[message_info].parameter.msgValue[connection_info].parameter.intValue[smtp_reply_code] and <reason> depends on this log field value:
- 1: Default reason messages are rejected or accepted
- 3: Malware
- 4: DMARC policy
- 5: Unsupported attachment (by Gmail)
- 6: Receive limit exceeded
- 7: Account over quota
- 8: Bad PTR record
- 9: Recipient doesn't exist
- 10: Customer policy
- 12: RFC violation
- 13: Blatant spam
- 14: Denial of service
- 15: Malicious or spammy links
- 16: Low IP reputation
- 17: Low domain reputation
- 18: IP listed in public Real-time Blackhole List (RBL)
- 19: Temporarily rejected due to DoS limits
- 20: Permanently rejected due to DoS limits |
gmail |
events.parameters[delivery].msgValue[message_info].parameter.msgValue[connection_info].parameter.value[smtp_tls_cipher] |
network.tls.cipher |
|
gmail |
events.parameters[delivery].msgValue[message_info].parameter.msgValue[connection_info].parameter.value[smtp_tls_version] |
network.tls.version |
|
gmail |
events.parameters[delivery].msgValue[message_info].parameter.msgValue[connection_info].parameter.value[client_host_zone] |
principal.administrative_domain |
|
gmail |
events.parameters[delivery].msgValue[message_info].parameter.msgValue[source].parameter.value[service] |
principal.application |
|
gmail |
events.parameters[delivery].msgValue[message_owner].parameter.value[customer_domain] |
principal.domain.name |
|
gmail |
events.parameters[delivery].msgValue[message_info].parameter.msgValue[connection_info].parameter.value[client_ip] |
principal.ip |
|
gmail |
actor.gaiaId |
principal.labels[actor_gaiaid] (deprecated) |
|
gmail |
actor.gaiaId |
additional.fields[actor_gaiaid] |
|
gmail |
actor.orgunitPath |
principal.labels[actor_orgunitpath] (deprecated) |
|
gmail |
actor.orgunitPath |
additional.fields[actor_orgunitpath] |
|
gmail |
events.parameters[delivery].msgValue[message_owner].parameter.multiIntValue[gaia_ids] |
principal.labels[message_owner_gaia_id] (deprecated) |
|
gmail |
events.parameters[delivery].msgValue[message_owner].parameter.multiIntValue[gaia_ids] |
additional.fields[message_owner_gaia_id] |
|
gmail |
events.parameters[delivery].msgValue[message_info].parameter.msgValue[source].parameter.value[selector] |
principal.labels[source_selector] (deprecated) |
|
gmail |
events.parameters[delivery].msgValue[message_info].parameter.msgValue[source].parameter.value[selector] |
additional.fields[source_selector] |
|
gmail |
events.parameters[delivery].msgValue[message_info].parameter.msgValue[source].parameter.value[from_header_address],events.parameters[delivery].msgValue[message_owner].parameter.multiStrValue[addresses] |
principal.user.email_addresses |
|
gmail |
events.parameters[delivery].msgValue[message_info].parameter.msgValue[source].parameter.value[address] |
principal.user.email_addresses |
|
gmail |
events.parameters[delivery].msgValue[message_owner].parameter.multiStrValue[addresses] |
principal.user.email_addresses |
|
gmail |
events.parameters[delivery].msgValue[message_info].parameter.msgValue[source].parameter.value[from_header_displayname] |
principal.user.user_display_name |
|
gmail |
events.parameters[delivery].msgValue[message_info].parameter.msgValue[source].parameter.intValue[user_id] |
principal.user.userid |
|
gmail |
events.parameters[delivery].msgValue[message_info].parameter.value[flattened_destinations] |
target.labels[flattened_destinations] (deprecated) |
|
gmail |
events.parameters[delivery].msgValue[message_info].parameter.value[flattened_destinations] |
additional.fields[flattened_destinations] |
|
gmail |
events.parameters[delivery].msgValue[message_info].parameter.multiMsgValue[destination].parameter.value[service] |
target.application |
This log field is mapped to the target.application UDM field when the index value in events.parameters[delivery].msgValue[message_info].parameter.multiMsgValue[destination] is equal to 0. For every other index value, this log field is mapped to the about.application UDM field. |
gmail |
events.parameters[delivery].msgValue[message_info].parameter.multiMsgValue[destination].parameter.intValue[rcpt_response] |
target.labels[destination_rcpt_response] (deprecated) |
This log field is mapped to the target.labels.value UDM field, and target.labels.key is set to destination_rcpt_response, when the index value in events.parameters[delivery].msgValue[message_info].parameter.multiMsgValue[destination] is equal to 0. For every other index value, this log field is mapped to the about.labels.value UDM field and about.labels.key is set to destination_rcpt_response. |
gmail |
events.parameters[delivery].msgValue[message_info].parameter.multiMsgValue[destination].parameter.intValue[rcpt_response] |
additional.fields[destination_rcpt_response] |
|
gmail |
events.parameters[delivery].msgValue[message_info].parameter.multiMsgValue[destination].parameter.value[selector] |
target.labels[destination_selector] (deprecated) |
This log field is mapped to the target.labels.value UDM field, and target.labels.key is set to destination_selector, when the index value in events.parameters[delivery].msgValue[message_info].parameter.multiMsgValue[destination] is equal to 0. For every other index value, this log field is mapped to the about.labels.value UDM field and about.labels.key is set to destination_selector. |
gmail |
events.parameters[delivery].msgValue[message_info].parameter.multiMsgValue[destination].parameter.value[selector] |
additional.fields[destination_selector] |
|
gmail |
events.parameters[delivery].msgValue[message_info].parameter.multiMsgValue[destination].parameter.boolValue[smime_decryption_success] |
target.labels[destination_smime_decryption_success] (deprecated) |
This log field is mapped to the target.labels.value UDM field, and target.labels.key is set to destination_smime_decryption_success, when the index value in events.parameters[delivery].msgValue[message_info].parameter.multiMsgValue[destination] is equal to 0. For every other index value, this log field is mapped to the about.labels.value UDM field and about.labels.key is set to destination_smime_decryption_success. |
gmail |
events.parameters[delivery].msgValue[message_info].parameter.multiMsgValue[destination].parameter.boolValue[smime_decryption_success] |
additional.fields[destination_smime_decryption_success] |
|
gmail |
events.parameters[delivery].msgValue[message_info].parameter.multiMsgValue[destination].parameter.boolValue[smime_extraction_success] |
target.labels[destination_smime_extraction_success] (deprecated) |
This log field is mapped to the target.labels.value UDM field, and target.labels.key is set to destination_smime_extraction_success, when the index value in events.parameters[delivery].msgValue[message_info].parameter.multiMsgValue[destination] is equal to 0. For every other index value, this log field is mapped to the about.labels.value UDM field and about.labels.key is set to destination_smime_extraction_success. |
gmail |
events.parameters[delivery].msgValue[message_info].parameter.multiMsgValue[destination].parameter.boolValue[smime_extraction_success] |
additional.fields[destination_smime_extraction_success] |
|
gmail |
events.parameters[delivery].msgValue[message_info].parameter.multiMsgValue[destination].parameter.boolValue[smime_parsing_success] |
target.labels[destination_smime_parsing_success] (deprecated) |
This log field is mapped to the target.labels.value UDM field, and target.labels.key is set to destination_smime_parsing_success, when the index value in events.parameters[delivery].msgValue[message_info].parameter.multiMsgValue[destination] is equal to 0. For every other index value, this log field is mapped to the about.labels.value UDM field and about.labels.key is set to destination_smime_parsing_success. |
gmail |
events.parameters[delivery].msgValue[message_info].parameter.multiMsgValue[destination].parameter.boolValue[smime_parsing_success] |
additional.fields[destination_smime_parsing_success] |
|
gmail |
events.parameters[delivery].msgValue[message_info].parameter.multiMsgValue[destination].parameter.boolValue[smime_signature_verification_success] |
target.labels[destination_smime_signature_verification_success] (deprecated) |
This log field is mapped to the target.labels.value UDM field, and target.labels.key is set to destination_smime_signature_verification_success, when the index value in events.parameters[delivery].msgValue[message_info].parameter.multiMsgValue[destination] is equal to 0. For every other index value, this log field is mapped to the about.labels.value UDM field and about.labels.key is set to destination_smime_signature_verification_success. |
gmail |
events.parameters[delivery].msgValue[message_info].parameter.multiMsgValue[destination].parameter.boolValue[smime_signature_verification_success] |
additional.fields[destination_smime_signature_verification_success] |
|
gmail |
events.parameters[delivery].msgValue[message_info].parameter.multiMsgValue[destination].parameter.value[address] |
target.user.email_addresses |
This log field is mapped to the target.user.email_addresses UDM field when the index value in events.parameters[delivery].msgValue[message_info].parameter.multiMsgValue[destination] is equal to 0. For every other index value, this log field is mapped to the about.user.email_addresses UDM field. |
gmail |
events.parameters[delivery].msgValue[message_info].parameter.multiMsgValue[destination].parameter.intValue[user_id] |
target.user.userid |
This log field is mapped to the target.user.userid UDM field when the index value in events.parameters[delivery].msgValue[message_info].parameter.multiMsgValue[destination] is equal to 0. For every other index value, this log field is mapped to the about.user.userid UDM field. |
gmail |
events.parameters[delivery].msgValue[message_info].parameter.msgValue[connection_info].parameter.value[smtp_out_remote_host] |
intermediary.hostname |
|
gmail |
events.parameters[delivery].msgValue[server_info].parameter.value[host_name] |
intermediary.hostname |
|
gmail |
events.parameters[delivery].msgValue[message_info].parameter.msgValue[connection_info].parameter.value[failed_smtp_out_connect_ip] |
intermediary.ip |
|
gmail |
events.parameters[delivery].msgValue[message_info].parameter.msgValue[connection_info].parameter.value[smtp_in_connect_ip] |
intermediary.ip |
|
gmail |
events.parameters[delivery].msgValue[message_info].parameter.msgValue[connection_info].parameter.value[smtp_out_connect_ip] |
intermediary.ip |
|
gmail |
events.parameters[delivery].msgValue[message_info].parameter.msgValue[connection_info].parameter.value[smtp_user_agent_ip] |
intermediary.ip |
|
gmail |
events.parameters[delivery].msgValue[server_info].parameter.value[job_name] |
intermediary.labels[job_name] (deprecated) |
|
gmail |
events.parameters[delivery].msgValue[server_info].parameter.value[job_name] |
additional.fields[job_name] |
|
gmail |
events.parameters[delivery].msgValue[server_info].parameter.intValue[server_type] |
intermediary.labels[server_type] (deprecated) |
|
gmail |
events.parameters[delivery].msgValue[server_info].parameter.intValue[server_type] |
additional.fields[server_type] |
|
gmail |
events.parameters[delivery].msgValue[server_info].parameter.value[service_pool] |
intermediary.labels[service_pool] (deprecated) |
|
gmail |
events.parameters[delivery].msgValue[server_info].parameter.value[service_pool] |
additional.fields[service_pool] |
|
gmail |
events.parameters[delivery].msgValue[server_info].parameter.intValue[task_number] |
intermediary.labels[task_number] (deprecated) |
|
gmail |
events.parameters[delivery].msgValue[server_info].parameter.intValue[task_number] |
additional.fields[task_number] |
|
gmail |
events.parameters[delivery].msgValue[message_info].parameter.multiMsgValue[triggered_rule_info].parameter.value[policy_holder_address] |
security_result.about.user.email_addresses |
If this log field value doesn't match the regular expression ^.+@.+$, then it is mapped to the security_result.about.administrative_domain UDM field. Else, it is mapped to the security_result.about.administrative_domain UDM field. |
gmail |
events.parameters[delivery].msgValue[message_info].parameter.multiMsgValue[triggered_rule_info].parameter.multiMsgValue[consequence].parameter.value[policy_holder_email] |
security_result.about.user.email_addresses |
|
gmail |
events.parameters[delivery].msgValue[message_info].parameter.multiMsgValue[triggered_rule_info].parameter.multiMsgValue[consequence].parameter.intValue[policy_holder_user_id] |
security_result.about.user.userid |
|
gmail |
security_result.action |
If the events.parameters[delivery].msgValue[event_info].parameter.boolValue[success] log field value is equal to true, then the security_result.action UDM field is set to ALLOW. Else, the security_result.action UDM field is set to BLOCK. | |
gmail |
events.parameters[delivery].msgValue[event_info].parameter.boolValue[success] |
security_result.action_details |
|
gmail |
security_result.category |
If the events.parameters[delivery].msgValue[message_info].parameter.multiMsgValue[attachment].parameter.intValue[malware_family] log field value is not empty, then the security_result.category UDM field is set to SOFTWARE_MALICIOUS. If the events.parameters[delivery].msgValue[message_info].parameter.boolValue[is_spam] log field value is equal to true, then the security_result.category UDM field is set to MAIL_SPAM. | |
gmail |
events.parameters[delivery].msgValue[message_info].parameter.multiMsgValue[attachment].parameter.intValue[malware_family] |
security_result.category_details |
The security_result.category_details UDM field is set according to this log field value:
- 1: set to 1 - A known malicious program type of malware
- 2: set to 2 - A virus or worm type of malware
- 3: set to 3 - Possible harmful email content
- 4: set to 4 - Possible unwanted email content
- 5: set to 5 - Other type of malware |
gmail |
events.parameters[delivery].msgValue[message_info].parameter.value[flattened_triggered_rule_info] |
security_result.detection_fields[flattened_triggered_rule_info] |
|
gmail |
events.parameters[delivery].msgValue[message_info].parameter.msgValue[connection_info].parameter.boolValue[is_internal] |
security_result.detection_fields[is_internal] |
|
gmail |
events.parameters[delivery].msgValue[message_info].parameter.msgValue[connection_info].parameter.boolValue[is_intra_domain] |
security_result.detection_fields[is_intra_domain] |
|
gmail |
events.parameters[delivery].msgValue[message_info].parameter.boolValue[is_policy_check_for_sender] |
security_result.detection_fields[is_policy_check_for_sender] |
|
gmail |
events.parameters[delivery].msgValue[message_info].parameter.boolValue[is_spam] |
security_result.detection_fields[is_spam] |
|
gmail |
events.parameters[delivery].msgValue[message_info].parameter.intValue[smtp_replay_error] |
security_result.detection_fields[smtp_replay_error] |
The security_result.detection_fields.key UDM field is set to smtp_replay_error, and the security_result.detection_fields.value UDM field is set according to this log field value:
- 1: set to 1 - Authentication error
- 2: set to 2 - Daily rate limit was exceeded.
- 3: set to 3 - Peak rate limit was exceeded.
- 4: set to 4 - SMTP relay was abused.
- 5: set to 5 - Per-user rate limit was exceeded. |
gmail |
events.parameters[delivery].msgValue[message_info].parameter.msgValue[spam_info].parameter.intValue[classification_reason] |
security_result.detection_fields[spam_info_classification_reason] |
The security_result.detection_fields.key UDM field is set to spam_info_classification_reason, and the security_result.detection_fields.value UDM field is set according to this log field value:
- 1: set to 1 - Default spam classification reason
- 2: set to 2 - Message classified because of sender's past actions
- 3: set to 3 - Suspicious content
- 4: set to 4 - Suspicious link
- 5: set to 5 - Suspicious attachment
- 6: set to 6 - Custom policy defined in Google Workspace Admin Console > Gmail settings
- 7: set to 7 - DMARC
- 8: set to 8 - Domain in public RBLs
- 9: set to 9 - RFC standards violation
- 10: set to 10 - Gmail policy violation
- 11: set to 11 - Machine learning verdict
- 12: set to 12 - Sender reputation
- 13: set to 13 - Blatant spam
- 14: set to 14 - Advanced phishing and malware protection |
gmail |
events.parameters[delivery].msgValue[message_info].parameter.msgValue[spam_info].parameter.intValue[classification_timestamp_usec] |
security_result.detection_fields[spam_info_classification_timestamp_usec] |
|
gmail |
events.parameters[delivery].msgValue[message_info].parameter.msgValue[spam_info].parameter.boolValue[delayed_for_deepscan] |
security_result.detection_fields[spam_info_delayed_for_deepscan] |
|
gmail |
events.parameters[delivery].msgValue[message_info].parameter.msgValue[spam_info].parameter.intValue[disposition] |
security_result.detection_fields[spam_info_disposition] |
If this log field value is equal to one of the following, then the security_result.detection_fields.key UDM field is set to spam_info_disposition and the security_result.detection_fields.value UDM field is set to the corresponding value (log field value: UDM field value):
- 1: 1 - Message considered clean (not spam or malware)
- 2: 2 - Spam
- 3: 3 - Phishing
- 4: 4 - Suspicious
- 5: 5 - Malware |
gmail |
events.parameters[delivery].msgValue[message_info].parameter.msgValue[spam_info].parameter.value[ip_whitelist_entry] |
security_result.detection_fields[spam_info_ip_whitelist_entry] |
|
gmail |
events.parameters[delivery].msgValue[message_info].parameter.msgValue[spam_info].parameter.multiMsgValue[safety_settings_info].parameter.intValue[safety_settings_action] |
security_result.detection_fields[spam_info_safety_setting_action] |
|
gmail |
events.parameters[delivery].msgValue[message_info].parameter.msgValue[spam_info].parameter.multiMsgValue[safety_settings_info].parameter.intValue[safety_settings_condition] |
security_result.detection_fields[spam_info_safety_settings_condition] |
|
gmail |
events.parameters[delivery].msgValue[message_info].parameter.multiMsgValue[triggered_rule_info].parameter.multiMsgValue[string_match].parameter.value[attachment_name] |
security_result.detection_fields[triggered_rule_info_string_match_attachment_name] |
|
gmail |
events.parameters[delivery].msgValue[message_info].parameter.multiMsgValue[triggered_rule_info].parameter.multiMsgValue[string_match].parameter.value[matched_string] |
security_result.detection_fields[triggered_rule_info_string_match_matched_string] |
|
gmail |
events.parameters[delivery].msgValue[message_info].parameter.multiMsgValue[triggered_rule_info].parameter.multiMsgValue[string_match].parameter.intValue[source] |
security_result.detection_fields[triggered_rule_info_string_match_source] |
If this log field value is equal to one of the following, then the security_result.detection_fields.key UDM field is set to triggered_rule_info_string_match_source and the security_result.detection_fields.value UDM field is set to the corresponding value (log field value: UDM field value):
- 0: 0 - Unknown
- 1: 1 - Message body or including text format attachments
- 2: 2 - Binary format attachments
- 3: 3 - Message headers
- 4: 4 - Subject
- 5: 5 - Sender header
- 6: 6 - Recipient header
- 7: 7 - Raw message |
gmail |
events.parameters[delivery].msgValue[message_info].parameter.intValue[upload_error_category] |
security_result.detection_fields[upload_error_category] |
If this log field value is equal to one of the following, then the security_result.detection_fields.key UDM field is set to upload_error_category and the security_result.detection_fields.value UDM field is set to the corresponding value (log field value: UDM field value):
- 0: 0 - Uncategorized transient error
- 1: 1 - Recipient account is too busy
- 2: 2 - DNS error resolving recipient domain
- 3: 3 - Recipient's server refused connection
- 4: 4 - Recipient is out of storage |
gmail |
events.parameters[delivery].msgValue[message_info].parameter.multiMsgValue[triggered_rule_info].parameter.intValue[rule_id] |
security_result.rule_id |
|
gmail |
events.parameters[delivery].msgValue[message_info].parameter.multiMsgValue[triggered_rule_info].parameter.multiMsgValue[consequence].parameter.intValue[action] |
security_result.rule_labels[triggered_rule_info_consequence_action] |
If this log field value is equal to one of the following, then the security_result.rule_labels.key UDM field is set to triggered_rule_info_consequence_action and the security_result.rule_labels.value UDM field is set to the corresponding value (log field value: UDM field value):
- 0: 0 - Consequence is a no-op
- 3: 3 - Put message in Admin Quarantine
- 4: 4 - Modify the primary delivery target
- 5: 5 - Add a delivery target
- 6: 6 - Added a message header
- 7: 7 - Overwrite the envelope recipient
- 9: 9 - Add message to specified message set
- 10: 10 - Modify the message labels
- 11: 11 - Prefix text to message subject
- 12: 12 - Add a footer to the message
- 13: 13 - Strip the message body
- 14: 14 - Store a copy of the message in the user's mailbox or according to comprehensive mail storage setting.
- 15: 15 - Replace attachment with canned text
- 16: 16 - Require secure message delivery
- 17: 17 - Message can't be delivered and bounced
- 18: 18 - Archive to Google Vault for recipients
- 20: 20 - Encrypt outbound message using S/MIME
- 21: 21 - Change the recipient user when message is received at SMTP. |
gmail |
events.parameters[delivery].msgValue[message_info].parameter.multiMsgValue[triggered_rule_info].parameter.multiMsgValue[consequence].parameter.value[reason] |
security_result.rule_labels[triggered_rule_info_consequence_reason] |
|
gmail |
events.parameters[delivery].msgValue[message_info].parameter.multiMsgValue[triggered_rule_info].parameter.multiMsgValue[consequence].parameter.multiMsgValue[subconsequence].parameter.value[action] |
security_result.rule_labels[triggered_rule_info_consequence_subconsequence_action] |
If this log field value is equal to one of the following, then the security_result.rule_labels.key UDM field is set to triggered_rule_info_consequence_subconsequence_action and the security_result.rule_labels.value UDM field is set to the corresponding value (log field value: UDM field value):
- 0: 0 - Consequence is a no-op
- 3: 3 - Put message in Admin Quarantine
- 4: 4 - Modify the primary delivery target
- 5: 5 - Add a delivery target
- 6: 6 - Added a message header
- 7: 7 - Overwrite the envelope recipient
- 9: 9 - Add message to specified message set
- 10: 10 - Modify the message labels
- 11: 11 - Prefix text to message subject
- 12: 12 - Add a footer to the message
- 13: 13 - Strip the message body
- 14: 14 - Store a copy of the message in the user's mailbox or according to comprehensive mail storage setting.
- 15: 15 - Replace attachment with canned text
- 16: 16 - Require secure message delivery
- 17: 17 - Message can't be delivered and bounced
- 18: 18 - Archive to Google Vault for recipients
- 20: 20 - Encrypt outbound message using S/MIME
- 21: 21 - Change the recipient user when message is received at SMTP. |
gmail |
events.parameters[delivery].msgValue[message_info].parameter.multiMsgValue[triggered_rule_info].parameter.multiMsgValue[consequence].parameter.multiMsgValue[subconsequence].parameter.value[reason] |
security_result.rule_labels[triggered_rule_info_consequence_subconsequence_reason] |
|
gmail |
events.parameters[delivery].msgValue[message_info].parameter.multiMsgValue[triggered_rule_info].parameter.intValue[policy_id] |
security_result.rule_labels[triggered_rule_info_policy_id] |
|
gmail |
events.parameters[delivery].msgValue[message_info].parameter.multiMsgValue[triggered_rule_info].parameter.value[spam_label_modifier] |
security_result.rule_labels[triggered_rule_info_spam_label_modifier] |
If this log field value is equal to one of the following, then the security_result.rule_labels.key UDM field is set to triggered_rule_info_spam_label_modifier and the security_result.rule_labels.value UDM field is set to the corresponding value (log field value: UDM field value):
- 0: 0 - No action—the rule honored the Gmail spam classification verdict.
- 1: 1 - Spam—the rule classified the message as spam.
- 2: 2 - Not spam—the rule classified the message as not spam. |
gmail |
events.parameters[delivery].msgValue[message_info].parameter.multiMsgValue[triggered_rule_info].parameter.multiMsgValue[string_match].parameter.value[match_expression] |
security_result.rule_labels[triggered_rule_info_string_match_match_expression] |
|
gmail |
events.parameters[delivery].msgValue[message_info].parameter.multiMsgValue[triggered_rule_info].parameter.multiMsgValue[string_match].parameter.value[predefined_detector_name] |
security_result.rule_labels[triggered_rule_info_string_match_predefined_detector_name] |
|
gmail |
events.parameters[delivery].msgValue[message_info].parameter.multiMsgValue[triggered_rule_info].parameter.multiMsgValue[string_match].parameter.intValue[type] |
security_result.rule_labels[triggered_rule_info_string_match_type] |
If this log field value is equal to one of the following, then the security_result.rule_labels.key UDM field is set to triggered_rule_info_string_match_type and the security_result.rule_labels.value UDM field is set to the corresponding value (log field value: UDM field value):
- 0: 0 - Undefined
- 1: 1 - Regular expression match
- 2: 2 - Predefined detector match
- 3: 3 - Simple content match
- 4: 4 - Non-ASCII match |
gmail |
events.parameters[delivery].msgValue[message_info].parameter.multiMsgValue[triggered_rule_info].parameter.value[rule_name] |
security_result.rule_name |
|
gmail |
events.parameters[delivery].msgValue[message_info].parameter.multiMsgValue[triggered_rule_info].parameter.intValue[rule_type] |
security_result.rule_type |
If this log field value is equal to one of the following, then the security_result.rule_type UDM field is set to the corresponding value (log field value: UDM field value):
- 0: 0 - Walled garden
- 7: 7 - Objectionable content
- 8: 8 - Content compliance
- 10: 10 - Received mail routing
- 11: 11 - Sent mail routing
- 12: 12 - Spam override
- 14: 14 - Blocked senders
- 15: 15 - Append footer
- 16: 16 - Attachment compliance
- 17: 17 - TLS compliance
- 18: 18 - Domain default routing
- 19: 19 - Inbound email journal acceptance in Vault
- 20: 20 - Outbound relay
- 21: 21 - Quarantine summary
- 22: 22 - Alternate secure route
- 23: 23 - Alias table
- 24: 24 - Comprehensive mail storage
- 25: 25 - Routing rule
- 26: 26 - Inbound gateway
- 27: 27 - S/MIME
- 28: 28 - Third-party email archiving
- 31: 31 - S/MIME restrict delivery |
gmail |
events.parameters[delivery].msgValue[message_info].parameter.msgValue[connection_info].parameter.multiMsgValue[authenticated_domain].parameter.value[name] |
about.domain.name |
|
gmail |
events.parameters[delivery].msgValue[message_info].parameter.multiMsgValue[attachment].parameter.value[file_extension_type] |
about.file.file_type |
about.file.file_type UDM field. |
gmail |
events.parameters[delivery].msgValue[message_info].parameter.multiMsgValue[attachment].parameter.value[file_extension_type] |
about.file.mime_type |
|
gmail |
events.parameters[delivery].msgValue[message_info].parameter.msgValue[structured_policy_log_info].parameter.multiMsgValue[detected_file_types].parameter.value[mime_type] |
about.file.mime_type |
|
gmail |
events.parameters[delivery].msgValue[message_info].parameter.multiMsgValue[attachment].parameter.value[sha256] |
about.file.sha256 |
|
gmail |
events.parameters[delivery].msgValue[message_info].parameter.msgValue[connection_info].parameter.value[ip_geo_city] |
about.ip_geo_artifact.location.city |
|
gmail |
events.parameters[delivery].msgValue[message_info].parameter.msgValue[connection_info].parameter.value[ip_geo_country] |
about.ip_geo_artifact.location.country_or_region |
|
gmail |
events.parameters[delivery].msgValue[message_info].parameter.intValue[action_type] |
about.labels[action_type] (deprecated) |
If this log field value is equal to one of the following, then the about.labels UDM field is set to the corresponding value (log field value: UDM field value):
- 1: 1 - Message received by inbound SMTP server.
- 2: 2 - Message accepted by Gmail and prepared for delivery.
- 3: 3 - Message was handled by Gmail.
- 10: 10 - Message sent out by outbound SMTP server.
- 14: 14 - A temporary error occurred when Gmail tried to deliver the message or and the message has been scheduled for retry.
- 18: 18 - Message could not be delivered and bounced.
- 19: 19 - Message was dropped by Gmail.
- 45: 45 - Message was accepted for delivery by the Google Groups subsystem.
- 46: 46 - Message's recipient address was a Google Group or and the recipient was expanded to each member of the Google Group that has message delivery enabled.
- 48: 48 - Message received by inbound SMTP server for relay.
- 49: 49 - Message sent through relay by outbound SMTP server.
- 51: 51 - Message was written to Google Groups storage.
- 54: 54 - Message was rejected by the Google Groups storage system.
- 55: 55 - Message was re-inserted into Gmail by policies that modify the primary delivery route or envelope recipient.
- 68: 68 - Message accepted by Gmail and prepared for delivery.
- 69: 69 - A user changed the message's spam classification in Gmail.
- 70: 70 - The message was reclassified as spam or phishing after it was delivered to Gmail.
- 71: 71 - A user took an action in the inbox after receiving the message. Post-delivery actions include opening a message or clicking a link in a message or and downloading an attachment. BigQuery export doesn't provide details about the action. |
gmail |
events.parameters[delivery].msgValue[message_info].parameter.intValue[action_type] |
additional.fields[action_type] |
If this log field value is equal to one of the following, then the additional.fields UDM field is set to the corresponding value (log field value: UDM field value):
- 1: 1 - Message received by inbound SMTP server.
- 2: 2 - Message accepted by Gmail and prepared for delivery.
- 3: 3 - Message was handled by Gmail.
- 10: 10 - Message sent out by outbound SMTP server.
- 14: 14 - A temporary error occurred when Gmail tried to deliver the message or and the message has been scheduled for retry.
- 18: 18 - Message could not be delivered and bounced.
- 19: 19 - Message was dropped by Gmail.
- 45: 45 - Message was accepted for delivery by the Google Groups subsystem.
- 46: 46 - Message's recipient address was a Google Group or and the recipient was expanded to each member of the Google Group that has message delivery enabled.
- 48: 48 - Message received by inbound SMTP server for relay.
- 49: 49 - Message sent through relay by outbound SMTP server.
- 51: 51 - Message was written to Google Groups storage.
- 54: 54 - Message was rejected by the Google Groups storage system.
- 55: 55 - Message was re-inserted into Gmail by policies that modify the primary delivery route or envelope recipient.
- 68: 68 - Message accepted by Gmail and prepared for delivery.
- 69: 69 - A user changed the message's spam classification in Gmail.
- 70: 70 - The message was reclassified as spam or phishing after it was delivered to Gmail.
- 71: 71 - A user took an action in the inbox after receiving the message. Post-delivery actions include opening a message or clicking a link in a message or and downloading an attachment. BigQuery export doesn't provide details about the action. |
gmail |
events.parameters[delivery].msgValue[message_info].parameter.msgValue[connection_info].parameter.multiMsgValue[authenticated_domain].parameter.intValue[type] |
about.labels[authenticated_domain_type] (deprecated) |
If this log field value is equal to 1, then the about.labels UDM field is set to 1 - SPF. Else, if this log field value is equal to 2, then the about.labels UDM field is set to 2 - DKIM. Else, if this log field value is equal to 3, then the about.labels UDM field is set to 3 - DKIM_PROXY. Else, if this log field value is equal to 4, then the about.labels UDM field is set to 4 - XOAR_SPF. Else, if this log field value is equal to 5, then the about.labels UDM field is set to 5 - XOAR_DKIM. Else, if this log field value is equal to 6, then the about.labels UDM field is set to 6 - ARC_SPF. Else, if this log field value is equal to 7, then the about.labels UDM field is set to 7 - ARC_DKIM. |
gmail |
events.parameters[delivery].msgValue[message_info].parameter.msgValue[connection_info].parameter.multiMsgValue[authenticated_domain].parameter.intValue[type] |
additional.fields[authenticated_domain_type] |
If this log field value is equal to 1, then the additional.fields UDM field is set to 1 - SPF. Else, if this log field value is equal to 2, then the additional.fields UDM field is set to 2 - DKIM. Else, if this log field value is equal to 3, then the additional.fields UDM field is set to 3 - DKIM_PROXY. Else, if this log field value is equal to 4, then the additional.fields UDM field is set to 4 - XOAR_SPF. Else, if this log field value is equal to 5, then the additional.fields UDM field is set to 5 - XOAR_DKIM. Else, if this log field value is equal to 6, then the additional.fields UDM field is set to 6 - ARC_SPF. Else, if this log field value is equal to 7, then the additional.fields UDM field is set to 7 - ARC_DKIM. |
gmail |
events.parameters[delivery].msgValue[message_info].parameter.intValue[delivery_timestamp_usec] |
about.labels[delivery_timestamp_usec] (deprecated) |
|
gmail |
events.parameters[delivery].msgValue[message_info].parameter.intValue[delivery_timestamp_usec] |
additional.fields[delivery_timestamp_usec] |
|
gmail |
events.parameters[delivery].msgValue[message_info].parameter.msgValue[structured_policy_log_info].parameter.multiMsgValue[detected_file_types].parameter.intValue[category] |
about.labels[detected_file_types_category] (deprecated) |
If this log field value is equal to 1, then the about.labels UDM field is set to 1 - Unrecognized file type. Else, if this log field value is equal to 2, then the about.labels UDM field is set to 2 - Microsoft Office documents, including word processing, spreadsheet, presentation, and database documents. Includes PDF files. The file might or might not be encrypted. Else, if this log field value is equal to 3, then the about.labels UDM field is set to 3 - Video and multimedia, for example, MPEG, Quicktime, WMV. Else, if this log field value is equal to 4, then the about.labels UDM field is set to 4 - Music and audio, for example, MP3, AAC, WAV. Else, if this log field value is equal to 5, then the about.labels UDM field is set to 5 - Images, for example, JPEG, BMP, GIF. Else, if this log field value is equal to 6, then the about.labels UDM field is set to 6 - Archives, for example, ZIP, TAR, TGZ. Else, if this log field value is equal to 7, then the about.labels UDM field is set to 7 - Executables, for example EXE, COM, JS. Else, if this log field value is equal to 8, then the about.labels UDM field is set to 8 - Office documents that are encrypted. Else, if this log field value is equal to 9, then the about.labels UDM field is set to 9 - Office documents that are not encrypted. |
gmail |
events.parameters[delivery].msgValue[message_info].parameter.msgValue[structured_policy_log_info].parameter.multiMsgValue[detected_file_types].parameter.intValue[category] |
additional.fields[detected_file_types_category] |
If this log field value is equal to 1, then the additional.fields UDM field is set to 1 - Unrecognized file type. Else, if this log field value is equal to 2, then the additional.fields UDM field is set to 2 - Microsoft Office documents, including word processing, spreadsheet, presentation, and database documents. Includes PDF files. The file might or might not be encrypted. Else, if this log field value is equal to 3, then the additional.fields UDM field is set to 3 - Video and multimedia, for example, MPEG, Quicktime, WMV. Else, if this log field value is equal to 4, then the additional.fields UDM field is set to 4 - Music and audio, for example, MP3, AAC, WAV. Else, if this log field value is equal to 5, then the additional.fields UDM field is set to 5 - Images, for example, JPEG, BMP, GIF. Else, if this log field value is equal to 6, then the additional.fields UDM field is set to 6 - Archives, for example, ZIP, TAR, TGZ. Else, if this log field value is equal to 7, then the additional.fields UDM field is set to 7 - Executables, for example EXE, COM, JS. Else, if this log field value is equal to 8, then the additional.fields UDM field is set to 8 - Office documents that are encrypted. Else, if this log field value is equal to 9, then the additional.fields UDM field is set to 9 - Office documents that are not encrypted. |
gmail |
events.parameters[delivery].msgValue[message_info].parameter.msgValue[connection_info].parameter.boolValue[dkim_pass] |
about.labels[dkim_pass] (deprecated) |
|
gmail |
events.parameters[delivery].msgValue[message_info].parameter.msgValue[connection_info].parameter.boolValue[dkim_pass] |
additional.fields[dkim_pass] |
|
gmail |
events.parameters[delivery].msgValue[message_info].parameter.msgValue[connection_info].parameter.boolValue[dmarc_pass] |
about.labels[dmarc_pass] (deprecated) |
|
gmail |
events.parameters[delivery].msgValue[message_info].parameter.msgValue[connection_info].parameter.boolValue[dmarc_pass] |
additional.fields[dmarc_pass] |
|
gmail |
events.parameters[delivery].msgValue[message_info].parameter.msgValue[connection_info].parameter.value[dmarc_published_domain] |
about.labels[dmarc_published_domain] (deprecated) |
|
gmail |
events.parameters[delivery].msgValue[message_info].parameter.msgValue[connection_info].parameter.value[dmarc_published_domain] |
additional.fields[dmarc_published_domain] |
|
gmail |
events.parameters[delivery].msgValue[message_info].parameter.msgValue[structured_policy_log_info].parameter.msgValue[exchange_journal_info].parameter.multiStrValue[recipients] |
about.labels[exchange_journal_info_recipients] (deprecated) |
|
gmail |
events.parameters[delivery].msgValue[message_info].parameter.msgValue[structured_policy_log_info].parameter.msgValue[exchange_journal_info].parameter.multiStrValue[recipients] |
additional.fields[exchange_journal_info_recipients] |
|
gmail |
events.parameters[delivery].msgValue[message_info].parameter.msgValue[structured_policy_log_info].parameter.msgValue[exchange_journal_info].parameter.value[rfc822_message_id] |
about.labels[exchange_journal_info_rfc822_message_id] (deprecated) |
|
gmail |
events.parameters[delivery].msgValue[message_info].parameter.msgValue[structured_policy_log_info].parameter.msgValue[exchange_journal_info].parameter.value[rfc822_message_id] |
additional.fields[exchange_journal_info_rfc822_message_id] |
|
gmail |
events.parameters[delivery].msgValue[message_info].parameter.msgValue[structured_policy_log_info].parameter.msgValue[exchange_journal_info].parameter.intValue[timestamp] |
about.labels[exchange_journal_info_timestamp] (deprecated) |
|
gmail |
events.parameters[delivery].msgValue[message_info].parameter.msgValue[structured_policy_log_info].parameter.msgValue[exchange_journal_info].parameter.intValue[timestamp] |
additional.fields[exchange_journal_info_timestamp] |
|
gmail |
events.parameters[delivery].msgValue[message_info].parameter.msgValue[structured_policy_log_info].parameter.msgValue[exchange_journal_info].parameter.multiStrValue[unknown_recipients] |
about.labels[exchange_journal_info_unknown_recipients] (deprecated) |
|
gmail |
events.parameters[delivery].msgValue[message_info].parameter.msgValue[structured_policy_log_info].parameter.msgValue[exchange_journal_info].parameter.multiStrValue[unknown_recipients] |
additional.fields[exchange_journal_info_unknown_recipients] |
|
gmail |
events.parameters[delivery].msgValue[message_info].parameter.intValue[internal_message_id] |
about.labels[internal_message_id] (deprecated) |
|
gmail |
events.parameters[delivery].msgValue[message_info].parameter.intValue[internal_message_id] |
additional.fields[internal_message_id] |
|
gmail |
events.parameters[delivery].msgValue[message_info].parameter.multiStrValue[link_domain] |
about.labels[link_domain] (deprecated) |
|
gmail |
events.parameters[delivery].msgValue[message_info].parameter.multiStrValue[link_domain] |
additional.fields[link_domain] |
|
gmail |
events.parameters[delivery].msgValue[message_info].parameter.multiMsgValue[message_set].parameter.intValue[type] |
about.labels[message_set_type] (deprecated) |
If this log field value is equal to 1, then the about.labels UDM field is set to 1 - Message is inbound (received from outside your domains). This message set doesn't appear with message set 10. Else, if this log field value is equal to 2, then the about.labels UDM field is set to 2 - Message is outbound (sent to a recipient outside your domains). This message set doesn't appear with message set 10. Else, if this log field value is equal to 4, then the about.labels UDM field is set to 4 - Message contains objectionable content, as defined by one of your policies. Else, if this log field value is equal to 6, then the about.labels UDM field is set to 6 - Message triggered the walled garden rule you configured that restricts messages to authorized addresses or domains. Else, if this log field value is equal to 7, then the about.labels UDM field is set to 7 - Gmail classified the message as spam. Else, if this log field value is equal to 8, then the about.labels UDM field is set to 8 - Message being sent (outgoing message). Else, if this log field value is equal to 9, then the about.labels UDM field is set to 9 - Message being received (incoming message). Else, if this log field value is equal to 10, then the about.labels UDM field is set to 10 - Message that is internal to your domains. Else, if this log field value is equal to 11, then the about.labels UDM field is set to 11 - Message has a sender or recipients outside your domains. Else, if this log field value is equal to 12, then the about.labels UDM field is set to 12 - Message has some recipients inside your domain and some recipients outside your domain. This message set might appear when: Else, if this log field value is equal to 13, then the about.labels UDM field is set to 13 - The type of the message set is unknown. Else, if this log field value is equal to 15, then the about.labels UDM field is set to 15 - The policy being checked against is tied to a Gmail user.
Else, if this log field value is equal to 18, then the about.labels UDM field is set to 18 - Message doesn't have a default route. Else, if this log field value is equal to 19, then the about.labels UDM field is set to 19 - The address list you configured for domain default routing matches the correspondent of the message. Else, if this log field value is equal to 20, then the about.labels UDM field is set to 20 - Message is from an address in your blocked senders list. Else, if this log field value is equal to 21, then the about.labels UDM field is set to 21 - Message was sent over TLS and the SSL certificate is valid. Else, if this log field value is equal to 22, then the about.labels UDM field is set to 22 - Message was sent over TLS. Else, if this log field value is equal to 24, then the about.labels UDM field is set to 24 - The recipient of this message is unknown. Else, if this log field value is equal to 25, then the about.labels UDM field is set to 25 - Message is a non-delivery report responding to a message that was not delivered. Else, if this log field value is equal to 26, then the about.labels UDM field is set to 26 - Message triggered a rerouting rule, which you configured in domain default routing. Else, if this log field value is equal to 27, then the about.labels UDM field is set to 27 - Sender successfully passed SPF/DKIM/DMARC authentication. If the sender isn't authenticated, the sender domain is untrusted and the message is not considered internal. Else, if this log field value is equal to 28, then the about.labels UDM field is set to 28 - Exchange journal is archiving the message to Google Vault. Else, if this log field value is equal to 29, then the about.labels UDM field is set to 29 - Message was routed through SMTP relay.
Else, if this log field value is equal to 30, then the about.labels UDM field is set to 30 - A recipient of the message matched one of the enumerated recipients (instead of a regular expression pattern) you configured for domain routing, or domain default routing. Else, if this log field value is equal to 31, then the about.labels UDM field is set to 31 - Message matched a domain default routing condition you configured. Else, if this log field value is equal to 32, then the about.labels UDM field is set to 32 - Message was created from an Exchange journal message for archiving to Google Vault. Else, if this log field value is equal to 33, then the about.labels UDM field is set to 33 - Message has to be transmitted through a secure connection, such as TLS. Else, if this log field value is equal to 34, then the about.labels UDM field is set to 34 - The policy being checked against is tied to a group instead of an individual Gmail user. Else, if this log field value is equal to 35, then the about.labels UDM field is set to 35 - Message could not be authenticated in SMTP relay because it has an empty SMTP envelope-from address or is possibly an Exchange Journal message. It will be checked later at SMTP RCPT command time. Else, if this log field value is equal to 36, then the about.labels UDM field is set to 36 - Message has aggressive spam filtering enabled. Else, if this log field value is equal to 37, then the about.labels UDM field is set to 37 - Message is authenticated for SMTP relay. Else, if this log field value is equal to 39, then the about.labels UDM field is set to 39 - Sender is from an authenticated domain for relay. Else, if this log field value is equal to 40, then the about.labels UDM field is set to 40 - Message is from a Google Workspace user in the domain being authenticated for relay.
Else, if this log field value is equal to 41, then the about.labels UDM field is set to 41 - Sender has successfully authenticated with SMTP AUTH, and Gmail is trying to authenticate SMTP relay for the sender's domain. Else, if this log field value is equal to 42, then the about.labels UDM field is set to 42 - Message was sent from an address that isn't authenticated. Else, if this log field value is equal to 43, then the about.labels UDM field is set to 43 - Message was rerouted through an alias table. Else, if this log field value is equal to 44, then the about.labels UDM field is set to 44 - Message triggered a rule that changes the route of the mail flow. Else, if this log field value is equal to 45, then the about.labels UDM field is set to 45 - Message is to a catch-all account and is being relayed to an on-premise server. System-of-record policies won't be applied to it. Else, if this log field value is equal to 46, then the about.labels UDM field is set to 46 - Message bypassed the spam filter. Else, if this log field value is equal to 47, then the about.labels UDM field is set to 47 - Message was detected to be spam by tag-and-deliver information in the inbound gateway settings. Else, if this log field value is equal to 48, then the about.labels UDM field is set to 48 - Message was not checked for spam (by SMTP) due to a spam-override policy. Else, if this log field value is equal to 49, then the about.labels UDM field is set to 49 - Always override spam rejection for the message. Else, if this log field value is equal to 50, then the about.labels UDM field is set to 50 - Message matches a domain routing condition you configured. Else, if this log field value is equal to 51, then the about.labels UDM field is set to 51 - Message triggered a rerouting rule that you configured for domain routing.
Else, if this log field value is equal to 55, then the about.labels UDM field is set to 55 - Message was created by the Exchange Journal generation setting. Else, if this log field value is equal to 57, then the about.labels UDM field is set to 57 - Message was received from an inbound gateway rule that you configured. Else, if this log field value is equal to 60, then the about.labels UDM field is set to 60 - Message is protected with Gmail confidential mode. Else, if this log field value is equal to 61, then the about.labels UDM field is set to 61 - Message was caught by Security sandbox. Else, if this log field value is equal to 62, then the about.labels UDM field is set to 62 - The address list you configured for domain default routing matches the SMTP envelope recipient instead of the correspondent of the message. Else, if this log field value is equal to 63, then the about.labels UDM field is set to 63 - Message triggered a domain-level rerouting rule, which you configured for domain routing, or domain default routing. |
gmail |
events.parameters[delivery].msgValue[message_info].parameter.multiMsgValue[message_set].parameter.intValue[type] |
additional.fields[message_set_type] |
If this log field value is equal to 1, then the additional.fields UDM field is set to 1 - Message is inbound (received from outside your domains). This message set doesn't appear with message set 10. Else, if this log field value is equal to 2, then the additional.fields UDM field is set to 2 - Message is outbound (sent to a recipient outside your domains). This message set doesn't appear with message set 10. Else, if this log field value is equal to 4, then the additional.fields UDM field is set to 4 - Message contains objectionable content, as defined by one of your policies. Else, if this log field value is equal to 6, then the additional.fields UDM field is set to 6 - Message triggered the walled garden rule you configured that restricts messages to authorized addresses or domains. Else, if this log field value is equal to 7, then the additional.fields UDM field is set to 7 - Gmail classified the message as spam. Else, if this log field value is equal to 8, then the additional.fields UDM field is set to 8 - Message being sent (outgoing message). Else, if this log field value is equal to 9, then the additional.fields UDM field is set to 9 - Message being received (incoming message). Else, if this log field value is equal to 10, then the additional.fields UDM field is set to 10 - Message that is internal to your domains. Else, if this log field value is equal to 11, then the additional.fields UDM field is set to 11 - Message has a sender or recipients outside your domains. Else, if this log field value is equal to 12, then the additional.fields UDM field is set to 12 - Message has some recipients inside your domain and some recipients outside your domain. This message set might appear when: Else, if this log field value is equal to 13, then the additional.fields UDM field is set to 13 - The type of the message set is unknown.
Else, if this log field value is equal to 15, then the additional.fields UDM field is set to 15 - The policy being checked against is tied to a Gmail user. Else, if this log field value is equal to 18, then the additional.fields UDM field is set to 18 - Message doesn't have a default route. Else, if this log field value is equal to 19, then the additional.fields UDM field is set to 19 - The address list you configured for domain default routing matches the correspondent of the message. Else, if this log field value is equal to 20, then the additional.fields UDM field is set to 20 - Message is from an address in your blocked senders list. Else, if this log field value is equal to 21, then the additional.fields UDM field is set to 21 - Message was sent over TLS and the SSL certificate is valid. Else, if this log field value is equal to 22, then the additional.fields UDM field is set to 22 - Message was sent over TLS. Else, if this log field value is equal to 24, then the additional.fields UDM field is set to 24 - The recipient of this message is unknown. Else, if this log field value is equal to 25, then the additional.fields UDM field is set to 25 - Message is a non-delivery report responding to a message that was not delivered. Else, if this log field value is equal to 26, then the additional.fields UDM field is set to 26 - Message triggered a rerouting rule, which you configured in domain default routing. Else, if this log field value is equal to 27, then the additional.fields UDM field is set to 27 - Sender successfully passed SPF/DKIM/DMARC authentication. If the sender isn't authenticated, the sender domain is untrusted and the message is not considered internal. Else, if this log field value is equal to 28, then the additional.fields UDM field is set to 28 - Exchange journal is archiving the message to Google Vault.
Else, if this log field value is equal to 29, then the additional.fields UDM field is set to 29 - Message was routed through SMTP relay. Else, if this log field value is equal to 30, then the additional.fields UDM field is set to 30 - A recipient of the message matched one of the enumerated recipients (instead of a regular expression pattern) you configured for domain routing, or domain default routing. Else, if this log field value is equal to 31, then the additional.fields UDM field is set to 31 - Message matched a domain default routing condition you configured. Else, if this log field value is equal to 32, then the additional.fields UDM field is set to 32 - Message was created from an Exchange journal message for archiving to Google Vault. Else, if this log field value is equal to 33, then the additional.fields UDM field is set to 33 - Message has to be transmitted through a secure connection, such as TLS. Else, if this log field value is equal to 34, then the additional.fields UDM field is set to 34 - The policy being checked against is tied to a group instead of an individual Gmail user. Else, if this log field value is equal to 35, then the additional.fields UDM field is set to 35 - Message could not be authenticated in SMTP relay because it has an empty SMTP envelope-from address or is possibly an Exchange Journal message. It will be checked later at SMTP RCPT command time. Else, if this log field value is equal to 36, then the additional.fields UDM field is set to 36 - Message has aggressive spam filtering enabled. Else, if this log field value is equal to 37, then the additional.fields UDM field is set to 37 - Message is authenticated for SMTP relay. Else, if this log field value is equal to 39, then the additional.fields UDM field is set to 39 - Sender is from an authenticated domain for relay.
Else, if this log field value is equal to 40, then the additional.fields UDM field is set to 40 - Message is from a Google Workspace user in the domain being authenticated for relay. Else, if this log field value is equal to 41, then the additional.fields UDM field is set to 41 - Sender has successfully authenticated with SMTP AUTH, and Gmail is trying to authenticate SMTP relay for the sender's domain. Else, if this log field value is equal to 42, then the additional.fields UDM field is set to 42 - Message was sent from an address that isn't authenticated. Else, if this log field value is equal to 43, then the additional.fields UDM field is set to 43 - Message was rerouted through an alias table. Else, if this log field value is equal to 44, then the additional.fields UDM field is set to 44 - Message triggered a rule that changes the route of the mail flow. Else, if this log field value is equal to 45, then the additional.fields UDM field is set to 45 - Message is to a catch-all account and is being relayed to an on-premise server. System-of-record policies won't be applied to it. Else, if this log field value is equal to 46, then the additional.fields UDM field is set to 46 - Message bypassed the spam filter. Else, if this log field value is equal to 47, then the additional.fields UDM field is set to 47 - Message was detected to be spam by tag-and-deliver information in the inbound gateway settings. Else, if this log field value is equal to 48, then the additional.fields UDM field is set to 48 - Message was not checked for spam (by SMTP) due to a spam-override policy. Else, if this log field value is equal to 49, then the additional.fields UDM field is set to 49 - Always override spam rejection for the message. Else, if this log field value is equal to 50, then the additional.fields UDM field is set to 50 - Message matches a domain routing condition you configured.
Else, if this log field value is equal to 51, then the additional.fields UDM field is set to 51 - Message triggered a rerouting rule that you configured for domain routing. Else, if this log field value is equal to 55, then the additional.fields UDM field is set to 55 - Message was created by the Exchange Journal generation setting. Else, if this log field value is equal to 57, then the additional.fields UDM field is set to 57 - Message was received from an inbound gateway rule that you configured. Else, if this log field value is equal to 60, then the additional.fields UDM field is set to 60 - Message is protected with Gmail confidential mode. Else, if this log field value is equal to 61, then the additional.fields UDM field is set to 61 - Message was caught by Security sandbox. Else, if this log field value is equal to 62, then the additional.fields UDM field is set to 62 - The address list you configured for domain default routing matches the SMTP envelope recipient instead of the correspondent of the message. Else, if this log field value is equal to 63, then the additional.fields UDM field is set to 63 - Message triggered a domain-level rerouting rule, which you configured for domain routing, or domain default routing. |
gmail |
events.parameters[delivery].msgValue[message_info].parameter.intValue[moderation_reason] |
about.labels[moderation_reason] (deprecated) |
|
gmail |
events.parameters[delivery].msgValue[message_info].parameter.intValue[moderation_reason] |
additional.fields[moderation_reason] |
|
gmail |
events.parameters[delivery].msgValue[message_info].parameter.intValue[moderation_status] |
about.labels[moderation_status] (deprecated) |
|
gmail |
events.parameters[delivery].msgValue[message_info].parameter.intValue[moderation_status] |
additional.fields[moderation_status] |
|
gmail |
events.parameters[delivery].msgValue[message_info].parameter.intValue[num_message_attachments] |
about.labels[num_message_attachments] (deprecated) |
|
gmail |
events.parameters[delivery].msgValue[message_info].parameter.intValue[num_message_attachments] |
additional.fields[num_message_attachments] |
|
gmail |
events.parameters[delivery].msgValue[message_info].parameter.intValue[sequence_number] |
about.labels[sequence_number] (deprecated) |
|
gmail |
events.parameters[delivery].msgValue[message_info].parameter.intValue[sequence_number] |
additional.fields[sequence_number] |
|
gmail |
events.parameters[delivery].msgValue[message_info].parameter.intValue[smime_content_type] |
about.labels[smime_content_type] (deprecated) |
If this log field value is equal to 0, then the about.labels UDM field is set to 0 - Message does not have a recognized S/MIME Content-Type. Else, if this log field value is equal to 1, then the about.labels UDM field is set to 1 - An S/MIME message with a detached signature Indicated by content type multipart/signed with parameter protocol=application/pkcs7-signature. Else, if this log field value is equal to 2, then the about.labels UDM field is set to 2 - An S/MIME message with an opaque signature Indicated by content type application/pkcs7-mime or application/x-pkcs7-mime with parameter smime-type=signed-data. Else, if this log field value is equal to 3, then the about.labels UDM field is set to 3 - An S/MIME message that is encrypted Indicated by content type application/pkcs7-mime or application/x-pkcs7-mime with parameter smime-type=enveloped-data. Else, if this log field value is equal to 4, then the about.labels UDM field is set to 4 - An S/MIME message that is compressed Indicated by content type application/pkcs7-mime or application/x-pkcs7-mime with parameter smime-type=compressed-data. |
gmail |
events.parameters[delivery].msgValue[message_info].parameter.intValue[smime_content_type] |
additional.fields[smime_content_type] |
If this log field value is equal to 0, then the additional.fields UDM field is set to 0 - Message does not have a recognized S/MIME Content-Type. Else, if this log field value is equal to 1, then the additional.fields UDM field is set to 1 - An S/MIME message with a detached signature Indicated by content type multipart/signed with parameter protocol=application/pkcs7-signature. Else, if this log field value is equal to 2, then the additional.fields UDM field is set to 2 - An S/MIME message with an opaque signature Indicated by content type application/pkcs7-mime or application/x-pkcs7-mime with parameter smime-type=signed-data. Else, if this log field value is equal to 3, then the additional.fields UDM field is set to 3 - An S/MIME message that is encrypted Indicated by content type application/pkcs7-mime or application/x-pkcs7-mime with parameter smime-type=enveloped-data. Else, if this log field value is equal to 4, then the additional.fields UDM field is set to 4 - An S/MIME message that is compressed Indicated by content type application/pkcs7-mime or application/x-pkcs7-mime with parameter smime-type=compressed-data. |
gmail |
events.parameters[delivery].msgValue[message_info].parameter.boolValue[smime_encrypt_message] |
about.labels[smime_encrypt_message] (deprecated) |
|
gmail |
events.parameters[delivery].msgValue[message_info].parameter.boolValue[smime_encrypt_message] |
additional.fields[smime_encrypt_message] |
|
gmail |
events.parameters[delivery].msgValue[message_info].parameter.boolValue[smime_extraction_success] |
about.labels[smime_extraction_success] (deprecated) |
|
gmail |
events.parameters[delivery].msgValue[message_info].parameter.boolValue[smime_extraction_success] |
additional.fields[smime_extraction_success] |
|
gmail |
events.parameters[delivery].msgValue[message_info].parameter.boolValue[smime_packaging_success] |
about.labels[smime_packaging_success] (deprecated) |
|
gmail |
events.parameters[delivery].msgValue[message_info].parameter.boolValue[smime_packaging_success] |
additional.fields[smime_packaging_success] |
|
gmail |
events.parameters[delivery].msgValue[message_info].parameter.boolValue[smime_sign_message] |
about.labels[smime_sign_message] (deprecated) |
|
gmail |
events.parameters[delivery].msgValue[message_info].parameter.boolValue[smime_sign_message] |
additional.fields[smime_sign_message] |
|
gmail |
events.parameters[delivery].msgValue[message_info].parameter.msgValue[connection_info].parameter.boolValue[spf_pass] |
about.labels[spf_pass] (deprecated) |
|
gmail |
events.parameters[delivery].msgValue[message_info].parameter.msgValue[connection_info].parameter.boolValue[spf_pass] |
additional.fields[spf_pass] |
|
gmail |
events.parameters[delivery].msgValue[message_info].parameter.msgValue[connection_info].parameter.boolValue[tls_required_but_unavailable] |
about.labels[tls_required_but_unavailable] (deprecated) |
|
gmail |
events.parameters[delivery].msgValue[message_info].parameter.msgValue[connection_info].parameter.boolValue[tls_required_but_unavailable] |
additional.fields[tls_required_but_unavailable] |
Field mapping reference: WORKSPACE_ALERTS log types to UDM event types
The following table lists the WORKSPACE_ALERTS log types and their corresponding UDM event types.
Event Identifier | Event Type | Security Category |
---|---|---|
Customer takeout initiated |
STATUS_UPDATE |
|
Malware reclassification |
EMAIL_TRANSACTION |
MAIL_PHISHING |
Misconfigured whitelist |
EMAIL_TRANSACTION |
MAIL_PHISHING |
Phishing reclassification |
EMAIL_TRANSACTION |
MAIL_PHISHING |
Suspicious message reported |
EMAIL_TRANSACTION |
MAIL_PHISHING |
User reported phishing |
EMAIL_TRANSACTION |
MAIL_PHISHING |
User reported spam spike |
EMAIL_TRANSACTION |
MAIL_PHISHING |
Leaked password |
USER_LOGIN |
ACL_VIOLATION |
Suspicious login |
USER_LOGIN |
ACL_VIOLATION |
Suspicious login (less secure app) |
USER_LOGIN |
ACL_VIOLATION |
Suspicious programmatic login |
USER_LOGIN |
ACL_VIOLATION |
User suspended |
USER_UNCATEGORIZED |
ACL_VIOLATION |
User suspended (spam) |
USER_UNCATEGORIZED |
ACL_VIOLATION |
User suspended (spam through relay) |
USER_UNCATEGORIZED |
ACL_VIOLATION |
User suspended (suspicious activity) |
USER_UNCATEGORIZED |
ACL_VIOLATION |
Google Operations |
STATUS_UPDATE |
|
Configuration problem |
STATUS_UNCATEGORIZED |
|
Government attack warning |
STATUS_UNCATEGORIZED |
|
Device compromised |
GENERIC_EVENT |
|
Suspicious activity |
USER_UNCATEGORIZED |
|
AppMaker Default Cloud SQL setup |
USER_RESOURCE_ACCESS |
|
Activity Rule |
STATUS_UNCATEGORIZED / USER_UNCATEGORIZED / EMAIL_UNCATEGORIZED |
POLICY_VIOLATION |
Data Loss Prevention |
USER_UNCATEGORIZED |
POLICY_VIOLATION |
Apps outage |
STATUS_UPDATE |
|
Primary admin changed |
USER_UNCATEGORIZED |
|
SSO profile added |
USER_RESOURCE_CREATION |
|
SSO profile updated |
USER_RESOURCE_UPDATE_CONTENT |
|
SSO profile deleted |
USER_RESOURCE_DELETION |
|
Super admin password reset |
USER_CHANGE_PASSWORD |
|
User deleted |
USER_DELETION |
|
New user added |
USER_CREATION |
|
User password changed |
USER_CHANGE_PASSWORD |
|
Users Admin privilege revoked |
USER_CHANGE_PERMISSIONS |
|
Suspended user made active |
USER_UNCATEGORIZED |
|
User granted Admin privilege |
USER_CHANGE_PERMISSIONS |
|
User suspended (Administrator email alert) |
USER_UNCATEGORIZED |
|
Drive settings changed |
USER_RESOURCE_ACCESS |
|
Calendar settings changed |
USER_RESOURCE_ACCESS |
|
Reporting Rule |
STATUS_UPDATE |
Field mapping reference: WORKSPACE_ALERTS
The following table lists the log fields of the WORKSPACE_ALERTS log type and their corresponding UDM fields.
Log field | UDM mapping | Logic |
---|---|---|
data.domainId.customerPrimaryDomain |
about.administrative_domain |
|
data.messages.attachmentsSha256Hash |
about.file.sha256 |
|
data.mergeInfo.newAlertId |
about.labels[new_alert_id] (deprecated) |
|
data.mergeInfo.newAlertId |
additional.fields[new_alert_id] |
|
data.mergeInfo.newIncidentTrackingId |
about.labels[new_incident_tracking_id] (deprecated) |
|
data.mergeInfo.newIncidentTrackingId |
additional.fields[new_incident_tracking_id] |
|
data.nextUpdateTime |
about.labels[next_update_time] (deprecated) |
|
data.nextUpdateTime |
additional.fields[next_update_time] |
|
data.resolutionTime |
about.labels[resolution_time] (deprecated) |
|
data.resolutionTime |
additional.fields[resolution_time] |
|
data.status |
about.labels[status] (deprecated) |
|
data.status |
additional.fields[status] |
|
data.incidentTrackingId |
about.labels[tracking_id] (deprecated) |
|
data.incidentTrackingId |
additional.fields[tracking_id] |
|
customerId |
about.resource.product_object_id |
If the customerId log field value is not empty, then the customerId log field is mapped to the about.resource.product_object_id UDM field. Else, the metadata.customerId log field is mapped to the about.resource.product_object_id UDM field. |
metadata.customerId |
about.resource.product_object_id |
If the customerId log field value is not empty, then the customerId log field is mapped to the about.resource.product_object_id UDM field. Else, the metadata.customerId log field is mapped to the about.resource.product_object_id UDM field. |
about.resource.resource_type |
The about.resource.resource_type UDM field is set to CLOUD_ORGANIZATION. | |
data.dashboardUri |
about.url |
|
data.attachmentData.csv.dataRows.entries |
additional.fields.entries |
|
data.attachmentData.csv.headers |
additional.fields.header |
|
event.idm.is_alert |
The event.idm.is_alert UDM field is set to TRUE. | |
event.idm.is_significant |
If the data.@type log field value is equal to ActivityRule and the metadata.severity log field value is equal to HIGH, then the event.idm.is_significant UDM field is set to true. | |
extensions.auth.mechanism |
If the data.@type log field value is equal to AccountWarning, then the extensions.auth.mechanism UDM field is set to USERNAME_PASSWORD. | |
extensions.auth.type |
If the data.@type log field value is equal to AccountWarning, then the extensions.auth.type UDM field is set to SSO. | |
data.description |
metadata.description |
|
createTime |
metadata.event_timestamp |
|
data.@type |
metadata.product_event_type |
|
etag |
metadata.product_log_id |
If the etag log field value is not empty, then the etag log field is mapped to the metadata.product_log_id UDM field. Else, the alertId log field is mapped to the metadata.product_log_id UDM field. |
metadata.etag |
metadata.product_log_id |
If the metadata.etag log field value is not empty, then the metadata.etag log field is mapped to the metadata.product_log_id UDM field. Else, the alertId log field is mapped to the metadata.product_log_id UDM field. |
metadata.product_name |
The metadata.product_name UDM field is set to WORKSPACE_ALERTS. | |
metadata.vendor_name |
The metadata.vendor_name UDM field is set to GOOGLE. | |
data.maliciousEntity.fromHeader |
network.email.from |
|
data.messages.messageId |
network.email.mail_id |
|
data.messages.subjectText |
network.email.subject |
|
data.messages.recipient |
network.email.to |
|
data.ruleViolationInfo.recipients |
network.email.to |
If the data.ruleViolationInfo.recipients log field value matches the regular expression pattern ^.+@.+$, then the data.ruleViolationInfo.recipients log field is mapped to the network.email.to UDM field. |
data.ruleViolationInfo.recipients |
additional.fields[recipients] |
If the data.ruleViolationInfo.recipients log field value is equal to anyone, then the data.ruleViolationInfo.recipients log field is mapped to the additional.fields UDM field. |
data.ruleViolationInfo.recipients |
target.domain.name |
If the data.ruleViolationInfo.recipients log field value matches the regular expression pattern ^[a-zA-Z0-9][a-zA-Z0-9-]{1,61}[a-zA-Z0-9](?:\.[a-zA-Z]{2,})+$, then the first occurrence of the matching value in the data.ruleViolationInfo.recipients log field is mapped to the target.domain.name UDM field and the other occurrences are mapped to the additional.fields[domain_recipients] UDM field. |
data.sourceIp |
principal.ip |
|
data.loginDetails.ipAddress |
principal.ip |
|
data.maliciousEntity.displayName |
principal.labels[malicious_entity_display_name] (deprecated) |
|
data.maliciousEntity.displayName |
additional.fields[malicious_entity_display_name] |
|
data.requestInfo.appDeveloperEmail |
principal.user.email_addresses |
|
data.actorEmail |
principal.user.email_addresses |
|
data.ruleViolationInfo.triggeringUserEmail |
principal.user.email_addresses |
|
data.email |
principal.user.email_addresses |
|
data.domain |
security_result.about.administrative_domain |
|
metadata.assignee |
security_result.about.labels[assignee] (deprecated) |
|
metadata.assignee |
additional.fields[assignee] |
|
data.header |
security_result.about.labels[header] (deprecated) |
|
data.header |
additional.fields[header] |
|
data.ruleViolationInfo.suppressedActionTypes |
security_result.about.labels[suppressed_action_types] (deprecated) |
|
data.ruleViolationInfo.suppressedActionTypes |
additional.fields[suppressed_action_types] |
|
data.title |
security_result.about.labels[title] (deprecated) |
|
data.title |
additional.fields[title] |
|
alertId |
security_result.about.object_reference |
|
data.affectedUserEmails |
security_result.about.user.email_addresses |
|
data.ruleViolationInfo.triggeredActionTypes |
security_result.action_details |
|
security_result.action_type |
If the data.ruleViolationInfo.triggeredActionTypes log field value is equal to ACTION_TYPE_UNSPECIFIED, then the security_result.action_type UDM field is set to UNKNOWN_ACTION. If the data.ruleViolationInfo.triggeredActionTypes log field value is equal to DRIVE_BLOCK_EXTERNAL_SHARING, then the security_result.action_type UDM field is set to BLOCK. If the data.ruleViolationInfo.triggeredActionTypes log field value is equal to DRIVE_WARN_ON_EXTERNAL_SHARING or ALERT or RULE_ACTIVATE or RULE_DEACTIVATE, then the security_result.action_type UDM field is set to ALLOW. | |
security_result.category |
If the source log field value is equal to Gmail Phishing, then the security_result.category UDM field is set to MAIL_PHISHING. If the source log field value is equal to Google Identity, then the security_result.category UDM field is set to ACL_VIOLATION. If the source log field value is equal to Security Center rules or Data Loss Prevention, then the security_result.category UDM field is set to POLICY_VIOLATION. | |
source |
security_result.category_details |
|
data.actionNames |
security_result.detection_fields[action_names] |
|
data.alertDetails |
security_result.detection_fields[alert_details] |
|
data.createTime |
security_result.detection_fields[create_time] |
|
data.messages.date |
security_result.detection_fields[date] |
If the source log field value is equal to Gmail phishing, then the data.messages.date log field is mapped to the security_result.detection_fields UDM field. |
data.events.deviceCompromisedState |
security_result.detection_fields[device_compromised_state] |
|
data.displayName |
security_result.detection_fields[display_name] |
|
data.eventTime |
security_result.detection_fields[event_time] |
|
data.isInternal |
security_result.detection_fields[is_internal] |
|
data.loginDetails.loginTime |
security_result.detection_fields[login_time] |
|
data.messages.md5HashMessageBody |
security_result.detection_fields[md5_hash_message_body] |
If the source log field value is equal to Gmail phishing, then the data.messages.md5HashMessageBody log field is mapped to the security_result.detection_fields UDM field. |
data.messages.md5hashsubject |
security_result.detection_fields[md5_hash_subject] |
If the source log field value is equal to Gmail phishing, then the data.messages.md5hashsubject log field is mapped to the security_result.detection_fields UDM field. |
data.messages.messageBodySnippet |
security_result.detection_fields[message_body_snippet] |
|
metadata.status |
security_result.detection_fields[metadata_status] |
|
data.query |
security_result.detection_fields[query] |
|
securityInvestigationToolLink |
security_result.detection_fields[security_investigation_tool_link] |
|
startTime |
security_result.detection_fields[start_time] |
|
data.supersededAlerts |
security_result.detection_fields[superseded_alerts] |
|
data.supersedingAlert |
security_result.detection_fields[superseding_alert] |
|
data.systemActionType |
security_result.detection_fields[system_action_type] |
|
data.threshold |
security_result.detection_fields[threshold] |
|
data.triggerSource |
security_result.detection_fields[trigger_source] |
|
data.ruleViolationInfo.trigger |
security_result.detection_fields[trigger] |
|
data.updateTime |
security_result.detection_fields[update_time] |
|
data.windowSize |
security_result.detection_fields[windows_size] |
|
data.ruleViolationInfo.ruleInfo.resourceName |
security_result.rule_id |
|
data.ruleViolationInfo.matchInfo.userDefinedDetector.displayName |
security_result.rule_labels[detector_display_name] |
|
data.ruleViolationInfo.matchInfo.predefinedDetector.detectorName |
security_result.rule_labels[detector_name] |
|
data.ruleViolationInfo.matchInfo.userDefinedDetector.resourceName |
security_result.rule_labels[detector_resource_name] |
|
data.name |
security_result.rule_name |
|
data.ruleViolationInfo.ruleInfo.displayName |
security_result.rule_name |
|
metadata.severity |
security_result.severity |
|
type |
security_result.summary |
|
data.type |
security_result.summary |
If the type log field value is empty, then the data.type log field is mapped to the security_result.summary UDM field. |
security_result.alert_state |
The security_result.alert_state UDM field is set to ALERTING. | |
data.requestInfo.appKey |
target.application |
|
data.events.deviceId |
target.asset.asset_id |
|
data.events.deviceProperty |
target.asset.attribute.labels[device_property] |
|
data.events.iosVendorId |
target.asset.attribute.labels[ios_vendor_id] |
|
data.events.newValue |
target.asset.attribute.labels[new_value] |
|
data.events.oldValue |
target.asset.attribute.labels[old_value] |
|
data.events.resourceId |
target.asset.attribute.labels[resource_id] |
|
data.events.deviceModel |
target.asset.hardware.model |
|
data.events.serialNumber |
target.asset.hardware.serial_number |
|
data.events.deviceType |
target.asset.type |
|
data.primaryAdminChangedEvent.domain |
target.domain.name |
|
data.ssoProfileUpdatedEvent.inboundSsoProfileChanges |
target.labels[inbound_sso_profile_changes] (deprecated) |
|
data.ssoProfileUpdatedEvent.inboundSsoProfileChanges |
additional.fields[inbound_sso_profile_changes] |
|
data.requestInfo.numberOfRequests |
target.labels[number_of_requests] (deprecated) |
|
data.requestInfo.numberOfRequests |
additional.fields[number_of_requests] |
|
data.primaryAdminChangedEvent.previousAdminEmail |
target.labels[previous_admin_email] (deprecated) |
|
data.primaryAdminChangedEvent.previousAdminEmail |
additional.fields[previous_admin_email] |
|
data.products |
target.labels[product] (deprecated) |
|
data.products |
additional.fields[product] |
|
data.ruleViolationInfo.resourceInfo.resourceTitle |
target.labels[resource_title] (deprecated) |
|
data.ruleViolationInfo.resourceInfo.resourceTitle |
additional.fields[resource_title] |
|
data.takeoutRequestId |
target.labels[takeout_request_id] (deprecated) |
|
data.takeoutRequestId |
additional.fields[takeout_request_id] |
|
data.ruleViolationInfo.dataSource |
target.resource.name |
|
data.ssoProfileCreatedEvent.inboundSsoProfileName |
target.resource.name |
|
data.ssoProfileUpdatedEvent.inboundSsoProfileName |
target.resource.name |
|
data.ssoProfileDeletedEvent.inboundSsoProfileName |
target.resource.name |
|
data.ruleViolationInfo.resourceInfo.documentId |
target.resource.product_object_id |
|
target.resource.resource_type |
If the data.@type log field value is equal to DlpRuleViolation, then the target.resource.resource_type UDM field is set to STORAGE_OBJECT. If the data.@type log field value is equal to AppMakerSqlSetupNotification, then the target.resource.resource_type UDM field is set to DATABASE. If the data.type log field value is equal to SSO profile added or SSO profile updated or SSO profile deleted, then the target.resource.resource_type UDM field is set to SETTING. | |
data.maliciousEntity.entity.emailAddress |
target.user.email_addresses |
|
data.email |
target.user.email_addresses |
If the data.@type log field value is equal to StateSponsoredAttack, DeviceCompromised, or AccountWarning, then the data.email log field is mapped to the target.user.email_addresses UDM field. Else, the data.email log field is mapped to the principal.user.email_addresses UDM field. |
data.primaryAdminChangedEvent.updatedAdminEmail |
target.user.email_addresses |
|
data.superAdminPasswordResetEvent.userEmail |
target.user.email_addresses |
|
data.maliciousEntity.entity.displayName |
target.user.user_display_name |
|
data.ruleViolationInfo.triggeredActionInfo |
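The conditional rows of the WORKSPACE_ALERTS table, written out as a reference implementation you can use to check what a parsed alert should look like. This is an added example, not the Google Security Operations parser: the flat dotted-key dictionary, the function names, the per-element handling of list values, the reduction of a fully qualified data.@type to its short name, and both sample alerts are assumptions or constructed values.

```python
import re

# Patterns and constants copied from the WORKSPACE_ALERTS mapping table.
EMAIL_RE = re.compile(r"^.+@.+$")
DOMAIN_RE = re.compile(
    r"^[a-zA-Z0-9][a-zA-Z0-9-]{1,61}[a-zA-Z0-9](?:\.[a-zA-Z]{2,})+$")
CATEGORY_BY_SOURCE = {
    "Gmail Phishing": "MAIL_PHISHING",
    "Google Identity": "ACL_VIOLATION",
    "Security Center rules": "POLICY_VIOLATION",
    "Data Loss Prevention": "POLICY_VIOLATION",
}
ACTION_TYPE = {
    "ACTION_TYPE_UNSPECIFIED": "UNKNOWN_ACTION",
    "DRIVE_BLOCK_EXTERNAL_SHARING": "BLOCK",
    "DRIVE_WARN_ON_EXTERNAL_SHARING": "ALLOW",
    "ALERT": "ALLOW",
    "RULE_ACTIVATE": "ALLOW",
    "RULE_DEACTIVATE": "ALLOW",
}
EMAIL_IS_TARGET = {"StateSponsoredAttack", "DeviceCompromised", "AccountWarning"}
RESOURCE_TYPE = {"DlpRuleViolation": "STORAGE_OBJECT",
                 "AppMakerSqlSetupNotification": "DATABASE"}
SSO_TYPES = {"SSO profile added", "SSO profile updated", "SSO profile deleted"}


def route_recipients(recipients):
    """Split data.ruleViolationInfo.recipients across the three UDM targets."""
    out = {"network.email.to": [], "additional.fields[recipients]": [],
           "target.domain.name": None, "additional.fields[domain_recipients]": []}
    for value in recipients:
        if EMAIL_RE.match(value):
            out["network.email.to"].append(value)
        elif value == "anyone":
            out["additional.fields[recipients]"].append(value)
        elif DOMAIN_RE.match(value):
            # First matching domain is the target, the rest are kept as fields.
            if out["target.domain.name"] is None:
                out["target.domain.name"] = value
            else:
                out["additional.fields[domain_recipients]"].append(value)
        # Anything else (for example a two-character first label such as
        # "ab.example") matches none of the three rows and is not mapped.
    return out


def normalize_alert(alert):
    data = alert.get("data", {})
    meta = alert.get("metadata", {})
    rvi = data.get("ruleViolationInfo", {})
    # Assumption: compare on the short type name the table uses, so a fully
    # qualified "@type" is reduced to the part after the last dot.
    dtype = data.get("@type", "").rsplit(".", 1)[-1]
    triggered = rvi.get("triggeredActionTypes", [])
    principals = (data.get("actorEmail"), rvi.get("triggeringUserEmail"))
    ips = (data.get("sourceIp"), data.get("loginDetails", {}).get("ipAddress"))
    udm = {
        "event.idm.is_alert": True,
        "metadata.product_event_type": data.get("@type"),
        "about.resource.product_object_id":
            alert.get("customerId") or meta.get("customerId"),
        "security_result.category": CATEGORY_BY_SOURCE.get(alert.get("source")),
        "security_result.category_details": alert.get("source"),
        "security_result.severity": meta.get("severity"),
        "security_result.summary": alert.get("type") or data.get("type"),
        "security_result.action_details": triggered,
        "security_result.action_type":
            [ACTION_TYPE[a] for a in triggered if a in ACTION_TYPE],
        "principal.user.email_addresses": [e for e in principals if e],
        "target.user.email_addresses": [],
        "principal.ip": [ip for ip in ips if ip],
    }
    if dtype == "ActivityRule" and meta.get("severity") == "HIGH":
        udm["event.idm.is_significant"] = True
    if dtype == "AccountWarning":
        udm["extensions.auth.mechanism"] = "USERNAME_PASSWORD"
        udm["extensions.auth.type"] = "SSO"
    if data.get("email"):
        side = "target" if dtype in EMAIL_IS_TARGET else "principal"
        udm[side + ".user.email_addresses"].append(data["email"])
    if dtype in RESOURCE_TYPE:
        udm["target.resource.resource_type"] = RESOURCE_TYPE[dtype]
    elif data.get("type") in SSO_TYPES:
        udm["target.resource.resource_type"] = "SETTING"
    udm.update(route_recipients(rvi.get("recipients", [])))
    return udm


# Constructed sample alerts (not real Alert Center output).
SAMPLE_DLP = {
    "alertId": "constructed-alert-1", "customerId": "", "type": "",
    "source": "Data Loss Prevention",
    "metadata": {"customerId": "C0constructed", "severity": "HIGH"},
    "data": {
        "@type": "type.googleapis.com/google.apps.alertcenter.type.DlpRuleViolation",
        "type": "Data Loss Prevention",
        "ruleViolationInfo": {
            "triggeringUserEmail": "alice@corp.example",
            "recipients": ["bob@partner.example", "anyone", "partner.example",
                           "vendor.example.org", "ab.example"],
            "triggeredActionTypes": ["DRIVE_BLOCK_EXTERNAL_SHARING", "ALERT"]}},
}
SAMPLE_LOGIN = {
    "alertId": "constructed-alert-2", "customerId": "C0constructed",
    "source": "Google Identity", "type": "Suspicious login",
    "metadata": {"severity": "MEDIUM"},
    "data": {"@type": "type.googleapis.com/google.apps.alertcenter.type.AccountWarning",
             "email": "carol@corp.example",
             "loginDetails": {"ipAddress": "203.0.113.7"}},
}
```

Note that the domain pattern requires at least three characters in the first label and letters only in every later label, so recipients such as "ab.example" fall through all three rows and never reach target.domain.name.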
Field mapping reference: WORKSPACE_GROUPS
The following table lists the log fields of the WORKSPACE_GROUPS log type and their corresponding UDM fields.
Log field | UDM mapping | Logic |
---|---|---|
adminCreated |
entity.group.attribute.labels[admin_created] |
If the adminCreated log field value is equal to true, then the admin_created.value UDM field is set to true. Else, the admin_created.value UDM field is set to false. |
description |
metadata.description |
|
directMembersCount |
entity.group.attribute.labels[direct_members_count] |
|
email |
entity.group.email_addresses |
|
nonEditableAliases |
entity.group.email_addresses |
|
aliases |
entity.group.email_addresses |
|
etag |
entity.labels[etag] (deprecated) |
|
etag |
additional.fields[etag] |
|
id |
entity.group.product_object_id |
|
kind |
entity.labels[kind] (deprecated) |
|
kind |
additional.fields[kind] |
|
name |
entity.group.group_display_name |
|
metadata.vendor_name |
The metadata.vendor_name UDM field is set to GOOGLE. | |
metadata.product_name |
The metadata.product_name UDM field is set to WORKSPACE GROUPS. | |
metadata.entity_type |
The metadata.entity_type UDM field is set to GROUP. |
Field mapping reference: WORKSPACE_USERS
The following table lists the log fields of the WORKSPACE_USERS log type and their corresponding UDM fields.
Log field | UDM mapping | Logic |
---|---|---|
addresses.country |
entity.user.personal_address.country_or_region |
|
addresses.countryCode |
entity.user.attribute.labels[addresses_country_code] |
|
addresses.customType |
entity.user.attribute.labels[addresses_custom_type] |
|
addresses.extendedAddress |
entity.user.attribute.labels[addresses_extended_address] |
|
addresses.formatted |
entity.user.office_address.name |
The addresses.formatted log field is mapped to the user.office_address.name UDM field if the following conditions are met:
|
addresses.locality |
entity.user.attribute.labels[addresses_locality] |
|
addresses.poBox |
entity.user.attribute.labels[addresses_pobox] |
|
addresses.postalCode |
entity.user.attribute.labels[addresses_postal_code] |
|
addresses.primary |
entity.user.attribute.labels[addresses_primary] |
|
addresses.region |
entity.user.attribute.labels[addresses_region] |
|
addresses.sourceIsStructured |
entity.user.attribute.labels[addresses_source_is_structured] |
|
addresses.streetAddress |
entity.user.attribute.labels[addresses_street_address] |
|
addresses.type |
entity.user.attribute.labels[addresses_type] |
|
agreedToTerms |
entity.user.attribute.labels[agreed_to_terms] |
|
aliases |
entity.user.attribute.labels[aliases_email] |
|
changePasswordAtNextLogin |
entity.user.attribute.labels[change_password_at_next_login] |
If the changePasswordAtNextLogin log field value is equal to true, then the change_password_at_next_login.value UDM field is set to true. Else, the change_password_at_next_login.value UDM field is set to false. |
creationTime |
entity.user.attribute.creation_time |
|
customerId |
entity.user.attribute.labels[customer_id] |
|
deletionTime |
entity.user.attribute.labels[deletion_time] |
|
emails.customType |
entity.user.attribute.labels[email_acustom_type] |
|
emails.primary |
entity.user.attribute.labels[email_primary] |
|
emails.type |
entity.user.attribute.labels[email_type] |
|
etag |
entity.labels[etag] (deprecated) |
|
etag |
additional.fields[etag] |
|
externalIds.customType |
entity.user.attribute.labels[external_id_custom_type] |
|
externalIds.type |
entity.user.attribute.labels[external_id_type] |
|
externalIds.value |
entity.user.employee_id |
If the externalIds.type log field value is equal to organization, then the externalIds.value log field is mapped to the user.employee_id UDM field. |
gender.addressMeAs |
entity.user.attribute.labels[gender_address_me_as] |
|
gender.customGender |
entity.user.attribute.labels[custom_gender] |
|
gender.type |
entity.user.attribute.labels[gender] |
|
hashFunction |
entity.user.attribute.labels[hash_function] |
|
id |
entity.user.product_object_id |
|
ims.customProtocol |
entity.user.attribute.labels[ims_custom_protocol] |
|
ims.customType |
entity.user.attribute.labels[ims_custom_type] |
|
ims.im |
entity.user.attribute.labels[ims_im] |
|
ims.primary |
entity.user.attribute.labels[ims_primary] |
|
ims.protocol |
entity.user.attribute.labels[ims_protocol] |
|
ims.type |
entity.user.attribute.labels[ims_type] |
|
includeInGlobalAddressList |
entity.user.attribute.labels[included_in_global_address_list] |
If the includeInGlobalAddressList log field value is equal to true, then the included_in_global_address_list.value UDM field is set to true. Else, the included_in_global_address_list.value UDM field is set to false. |
ipWhitelisted |
entity.user.attribute.labels[ip_whitelisted] |
|
isAdmin |
entity.user.attribute.labels[is_admin] |
|
isDelegatedAdmin |
entity.user.attribute.labels[is_delegated_admin] |
|
user.attribute.roles.type |
If the isAdmin log field value or the isDelegatedAdmin log field value is equal to true, then the user.attribute.roles.type UDM field is set to ADMINISTRATOR. | |
isEnforcedIn2Sv |
entity.user.attribute.labels[is_enforced_in_2sv] |
If the isEnforcedIn2Sv log field value is equal to true, then the is_enforced_in_2sv.value UDM field is set to true. Else, the is_enforced_in_2sv.value UDM field is set to false. |
isEnrolledIn2Sv |
entity.user.attribute.labels[is_enrolled_in_2sv] |
If the isEnrolledIn2Sv log field value is equal to true, then the is_enrolled_in_2sv.value UDM field is set to true. Else, the is_enrolled_in_2sv.value UDM field is set to false. |
isMailboxSetup |
entity.user.attribute.labels[is_mailbox_setup] |
If the isMailboxSetup log field value is equal to true, then the is_mail_box_setup.value UDM field is set to true. Else, the is_mail_box_setup.value UDM field is set to false. |
keywords.customType |
entity.user.attribute.labels[keywords_custom_type] |
|
keywords.type |
entity.user.attribute.labels[keywords_type] |
|
keywords.value |
entity.user.attribute.labels[keywords_value] |
|
kind |
entity.labels[kind] (deprecated) |
|
kind |
additional.fields[kind] |
|
languages.customLanguage |
entity.user.attribute.labels[language_custom_language] |
|
languages.languageCode |
entity.user.attribute.labels[language_code] |
|
languages.preference |
entity.user.attribute.labels[preferred_language] |
|
lastLoginTime |
entity.user.last_login_time |
|
locations.area |
entity.user.office_address.country_or_region |
|
locations.buildingId |
entity.user.attribute.labels[locations_buildingId] |
|
locations.customType |
entity.user.attribute.labels[locations_customType] |
|
locations.deskCode |
entity.user.office_address.desk_name |
|
locations.floorName |
entity.user.office_address.floor_name |
|
locations.floorSection |
entity.user.attribute.labels[locations_floorSection] |
|
locations.type |
entity.user.attribute.labels[locations_type] |
|
name.familyName |
entity.user.last_name |
|
name.fullName |
entity.user.user_display_name |
|
name.givenName |
entity.user.first_name |
|
notes.contentType |
entity.user.attribute.labels[notes_content_type] |
|
notes.value |
entity.user.attribute.labels[notes_value] |
|
organizations.costCenter |
entity.user.attribute.labels[organization_cost_center] |
|
organizations.customType |
entity.user.attribute.labels[organization_custom_type] |
|
organizations.department |
entity.user.department |
The organizations.department log field is mapped to the user.department UDM field if the following conditions are met:
|
organizations.description |
entity.user.attribute.labels[organizations_description] |
|
organizations.domain |
entity.user.attribute.labels[organization_domain] |
|
organizations.fullTimeEquivalent |
entity.user.attribute.labels[organization_full_time_equivalent] |
|
organizations.location |
entity.user.attribute.labels[organization_location] |
|
organizations.name |
entity.user.attribute.labels[organization_name] |
|
organizations.primary |
entity.user.attribute.labels[organization_primary] |
|
organizations.symbol |
entity.user.attribute.labels[organization_symbol] |
|
organizations.title |
entity.user.title |
|
organizations.type |
entity.user.attribute.labels[organization_type] |
|
orgUnitPath |
entity.user.attribute.labels[org_unit_path] |
|
password |
entity.user.attribute.labels[password] |
|
phones.customType |
entity.user.attribute.labels[phone_custom_type] |
|
phones.primary |
entity.user.attribute.labels[phone_primary] |
|
phones.type |
entity.user.attribute.labels[phone_type] |
|
phones.value |
entity.user.phone_numbers |
If the phones.value log field value matches the regular expression pattern (^the , then the phones.value log field is mapped to the user.phone_numbers UDM field. |
recoveryPhone |
entity.user.phone_numbers |
|
posixAccounts.accountId |
entity.user.attribute.labels[posix_account_id] |
|
posixAccounts.gecos |
entity.user.attribute.labels[posix_account_gecos] |
|
posixAccounts.gid |
entity.user.group_identifiers |
|
posixAccounts.homeDirectory |
entity.user.attribute.labels[posix_account_home_directory] |
|
posixAccounts.operatingSystemType |
entity.platform |
If the posixAccounts.operatingSystemType log field value is equal to linux, then the entity.platform UDM field is set to LINUX. If the posixAccounts.operatingSystemType log field value is equal to windows, then the entity.platform UDM field is set to WINDOWS. Else, the entity.platform UDM field is set to UNKNOWN_PLATFORM. |
posixAccounts.primary |
entity.user.attribute.labels[posix_account_primary] |
|
posixAccounts.shell |
entity.user.attribute.labels[posix_account_shell] |
|
posixAccounts.systemId |
entity.asset.asset_id |
|
posixAccounts.uid |
entity.user.attribute.labels[posix_account_uid] |
|
posixAccounts.username |
entity.user.userid |
If the posixAccounts.username log field value is not empty, then the posixAccounts.username log field is mapped to the entity.user.userid UDM field. |
primaryEmail |
entity.user.email_addresses |
|
recoveryEmail |
entity.user.email_addresses |
|
nonEditableAliases |
entity.user.email_addresses |
|
emails.address |
entity.user.email_addresses |
If the emails.address log field value is not equal to primaryEmail, then the emails.address log field is mapped to the entity.user.email_addresses UDM field. |
relations.customType |
entity.user.attribute.labels[relations_custom_type] |
|
relations.type |
entity.user.attribute.labels[relation_type] |
|
relations.value |
entity.user.managers.email_addresses |
If the relation.type log field value is equal to manager, then the relations.value log field is mapped to the user.managers.email_addresses UDM field. Else, the relations.value log field is mapped to the user.attribute.labels UDM field. |
relations.value |
entity.user.attribute.labels[relations_type] |
If the relation.type log field value is equal to manager, then the relations.value log field is mapped to the user.managers.email_addresses UDM field. Else, the relations.value log field is mapped to the user.attribute.labels UDM field. |
sshPublicKeys.expirationTimeUsec |
entity.user.attribute.labels[ssh_key_expiration_timec] |
|
sshPublicKeys.fingerprint |
entity.user.attribute.labels[ssh_key_fingerprint] |
|
sshPublicKeys.key |
entity.user.attribute.labels[ssh_key] |
|
suspended |
entity.user.user_authentication_status |
If the suspended log field value is equal to true and the archived log field value is not equal to true, then the entity.user.user_authentication_status UDM field is set to SUSPENDED. If the archived log field value is equal to true, then the entity.user.user_authentication_status UDM field is set to DELETED. Else, the entity.user.user_authentication_status UDM field is set to ACTIVE. |
archived |
entity.user.user_authentication_status |
If the suspended log field value is equal to true and the archived log field value is not equal to true, then the entity.user.user_authentication_status UDM field is set to SUSPENDED. If the archived log field value is equal to true, then the entity.user.user_authentication_status UDM field is set to DELETED. Else, the entity.user.user_authentication_status UDM field is set to ACTIVE. |
suspensionReason |
entity.user.attribute.labels[suspension_reason] |
|
thumbnailPhotoEtag |
entity.user.attribute.labels[thumbnail_photo_etag] |
|
thumbnailPhotoUrl |
entity.url |
|
websites.customType |
entity.user.attribute.labels[websites_custom_type] |
|
websites.primary |
entity.user.attribute.labels[websites_primary] |
|
websites.type |
entity.user.attribute.labels[websites_type] |
|
websites.value |
entity.user.attribute.labels[websites_value] |
|
metadata.vendor_name |
The metadata.vendor_name UDM field is set to GOOGLE. | |
metadata.product_name |
The metadata.product_name UDM field is set to Cloud Identity. | |
metadata.entity_type |
The metadata.entity_type UDM field is set to USER. |
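The WORKSPACE_USERS rows that carry logic (account status from suspended and archived, the ADMINISTRATOR role, e-mail de-duplication against primaryEmail, employee ID and manager selection), followed by a check that uses the resulting entity to list active administrators not enrolled in 2-step verification. This is an added example, not the Google Security Operations parser: the dictionary layout, the function names, the acceptance of string or boolean flags, and the sample user records are assumptions or constructed values.

```python
def is_true(value):
    # Assumption: a flag may arrive as a JSON boolean or as the string "true".
    return str(value).lower() == "true"


def auth_status(user):
    """suspended / archived -> entity.user.user_authentication_status."""
    if is_true(user.get("archived")):
        return "DELETED"          # archived wins even if suspended is also true
    if is_true(user.get("suspended")):
        return "SUSPENDED"
    return "ACTIVE"


def normalize_user(user):
    primary = user.get("primaryEmail")
    emails = [primary, user.get("recoveryEmail"),
              *user.get("nonEditableAliases", [])]
    # emails.address is mapped only when it differs from primaryEmail.
    emails += [e.get("address") for e in user.get("emails", [])
               if e.get("address") != primary]
    employee_ids = [x.get("value") for x in user.get("externalIds", [])
                    if x.get("type") == "organization"]
    managers = [r.get("value") for r in user.get("relations", [])
                if r.get("type") == "manager"]
    entity = {
        "metadata.entity_type": "USER",
        "entity.user.product_object_id": user.get("id"),
        "entity.user.email_addresses": [e for e in emails if e],
        "entity.user.user_authentication_status": auth_status(user),
        "entity.user.employee_id": employee_ids[0] if employee_ids else None,
        "entity.user.managers.email_addresses": managers,
        "labels": {
            "is_enrolled_in_2sv":
                "true" if is_true(user.get("isEnrolledIn2Sv")) else "false",
            "is_enforced_in_2sv":
                "true" if is_true(user.get("isEnforcedIn2Sv")) else "false",
        },
    }
    if is_true(user.get("isAdmin")) or is_true(user.get("isDelegatedAdmin")):
        entity["user.attribute.roles.type"] = "ADMINISTRATOR"
    return entity


def admins_without_2sv(users):
    """Primary e-mail of every ACTIVE administrator not enrolled in 2SV."""
    flagged = []
    for user in users:
        entity = normalize_user(user)
        if (entity.get("user.attribute.roles.type") == "ADMINISTRATOR"
                and entity["entity.user.user_authentication_status"] == "ACTIVE"
                and entity["labels"]["is_enrolled_in_2sv"] == "false"):
            flagged.append(user.get("primaryEmail"))
    return flagged


# Constructed sample directory records (not real Directory API output).
SAMPLE_USERS = [
    {"id": "1001", "primaryEmail": "root@corp.example",
     "recoveryEmail": "root.recovery@mail.example",
     "emails": [{"address": "root@corp.example", "primary": True},
                {"address": "root.alias@corp.example"}],
     "isAdmin": True, "isEnrolledIn2Sv": False,
     "externalIds": [{"type": "organization", "value": "E-0042"},
                     {"type": "custom", "value": "x"}],
     "relations": [{"type": "manager", "value": "cto@corp.example"},
                   {"type": "assistant", "value": "pa@corp.example"}]},
    {"id": "1002", "primaryEmail": "ops@corp.example",
     "isDelegatedAdmin": True, "isEnrolledIn2Sv": True},
    {"id": "1003", "primaryEmail": "old.admin@corp.example",
     "isAdmin": True, "isEnrolledIn2Sv": False, "suspended": True},
    {"id": "1004", "primaryEmail": "left@corp.example",
     "suspended": True, "archived": True},
]
```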
Field mapping reference: WORKSPACE_MOBILE_DEVICES
The following table lists the log fields of the WORKSPACE_MOBILE_DEVICES log type and their corresponding UDM fields.
Log field | UDM mapping | Logic |
---|---|---|
adbStatus |
entity.asset.attribute.labels[abd status] |
|
applications.displayName |
entity.asset.software.name |
|
applications.packageName |
entity.asset.attribute.labels[application_package_name] |
|
applications.permission |
entity.asset.software.permissions.name |
|
applications.versionCode |
entity.asset.attribute.labels[application_version_code] |
|
applications.versionName |
entity.asset.software.version |
|
basebandVersion |
entity.asset.attribute.labels[baseband_version] |
|
bootloaderVersion |
entity.asset.attribute.labels[bootloader_version] |
|
brand |
entity.asset.attribute.labels[brand] |
|
buildNumber |
entity.asset.attribute.labels[build_number] |
|
defaultLanguage |
entity.asset.attribute.labels[default_language] |
|
developerOptionsStatus |
entity.asset.attribute.labels[developer_options_status] |
|
deviceCompromisedStatus |
entity.asset.attribute.labels[device_compromised_status] |
|
deviceId |
entity.asset.asset_id |
|
devicePasswordStatus |
entity.asset.attribute.labels[device_password_status] |
|
email |
entity.user.email_addresses |
|
encryptionStatus |
entity.asset.attribute.labels[encryption_status] |
|
etag |
entity.labels[etag] (deprecated) |
|
etag |
additional.fields[etag] |
|
firstSync |
entity.asset.attribute.labels[first_sync] |
|
hardware |
entity.asset.attribute.labels[hardware] |
|
hardwareId |
entity.asset.attribute.labels[hardware_id] |
|
imei |
entity.asset.asset_id |
|
deviceId |
entity.asset.asset_id |
If the imei log field value is empty, then the deviceId log field is mapped to the entity.asset.asset_id UDM field. |
kernelVersion |
entity.asset.attribute.labels[kernel_version] |
|
kind |
entity.labels[kind] (deprecated) |
|
kind |
additional.fields[kind] |
|
lastSync |
entity.asset.attribute.labels[last_sync] |
|
managedAccountIsOnOwnerProfile |
entity.asset.attribute.labels[managed_account_is_on_owner_profile] |
|
manufacturer |
entity.asset.hardware.manufacturer |
|
meid |
entity.asset.attribute.labels[meid] |
|
model |
entity.asset.hardware.model |
|
name |
entity.user.user_display_name |
|
networkOperator |
entity.asset.attribute.labels[network_operator] |
|
os |
entity.asset.platform_software.platform |
If the os log field value matches iOS, then the entity.asset.platform_software.platform UDM field is set to IOS. If the os log field value matches Android, then the entity.asset.platform_software.platform UDM field is set to ANDROID. Else, the entity.asset.platform_software.platform UDM field is set to UNKNOWN_PLATFORM. |
otherAccountsInfo[] |
entity.asset.attribute.labels[other_accounts_info] |
|
privilege |
entity.asset.attribute.labels[privilege] |
|
releaseVersion |
entity.asset.attribute.labels[release_version] |
|
resourceId |
entity.asset.product_object_id |
|
securityPatchLevel |
entity.asset.platform_software.platform_patch_level |
|
serialNumber |
entity.asset.hardware.serial_number |
|
status |
entity.user.user_authentication_status |
If the status log field value is equal to approved, then the entity.user.user_authentication_status UDM field is set to ACTIVE. If the status log field value is equal to unprovisined, then the entity.user.user_authentication_status UDM field is set to SUSPENDED. |
supportsWorkProfile |
entity.asset.attribute.labels[supports_work_profile] |
|
type |
entity.asset.attribute.labels[type] |
|
unknownSourcesStatus |
entity.asset.attribute.labels[unknown_sources_status] |
|
userAgent |
entity.asset.attribute.labels[user_agent] |
|
wifiMacAddress |
entity.asset.mac |
|
metadata.entity_type |
The metadata.entity_type UDM field is set to ASSET. | |
metadata.product_name |
The metadata.product_name UDM field is set to WORKSPACE_MOBILE. | |
metadata.vendor_name |
The metadata.vendor_name UDM field is set to GOOGLE. | |
relations.entity_type |
The relations.entity_type UDM field is set to USER. | |
relations.relationship |
The relations.relationship UDM field is set to MEMBER. |
Field mapping reference: WORKSPACE_CHROMEOS
The following table lists the log fields of the WORKSPACE_CHROMEOS log type and their corresponding UDM fields.
Log field | UDM mapping | Logic |
---|---|---|
activeTimeRanges.activeTime | entity.asset.attribute.labels[active_time] | |
activeTimeRanges.date | entity.asset.attribute.labels[active_time_range_date] | |
annotatedAssetId | entity.asset.asset_id | If the annotatedAssetId log field value is not empty, then the ASSET ID: annotatedAssetId log field is mapped to the entity.asset.asset_id UDM field. |
deviceId | entity.asset.asset_id | If the annotatedAssetId log field value is empty, then the CHROMEOS:deviceId log field is mapped to the entity.asset.asset_id UDM field. |
annotatedLocation | entity.asset.location.name | |
annotatedUser | relations.entity.user.user_display_name | If the annotatedUser log field value is not empty and the annotatedUser log field value does not match the regular expression @, then the annotatedUser log field is mapped to the relations.entity.user.user_display_name UDM field. |
autoUpdateExpiration | entity.asset.attribute.labels[auto_update_expiration] | |
bootMode | entity.asset.attribute.labels[boot_mode] | |
cpuInfo.architecture | entity.asset.attribute.labels[cpu_architecture] | |
cpuInfo.logicalCpus.cStates.displayName | entity.asset.attribute.labels[cpu_logical_cups_cstates_display_name] | |
cpuInfo.logicalCpus.cStates.sessionDuration | entity.asset.attribute.labels[cpu_logical_cups_cstates_session_duration] | |
cpuInfo.logicalCpus.currentScalingFrequencyKhz | entity.asset.attribute.labels[cpu_current_scaling_frequency] | |
cpuInfo.logicalCpus.idleDuration | entity.asset.attribute.labels[cpu_ideal_duration] | |
cpuInfo.logicalCpus.maxScalingFrequencyKhz | entity.asset.attribute.labels[cpu_max_scaling_frequency] | |
cpuInfo.maxClockSpeedKhz | entity.asset.attribute.labels[cpu_max_clock_speed] | |
cpuInfo.model | entity.asset.hardware.cpu_model | |
cpuStatusReports.cpuTemperatureInfo.label | entity.asset.attribute.labels[cpu_temperature_label] | |
cpuStatusReports.cpuTemperatureInfo.temperature | entity.asset.attribute.labels[cpu_temperature] | |
cpuStatusReports.cpuUtilizationPercentageInfo | entity.asset.attribute.labels[cpu_utilization_percentage_info] | |
cpuStatusReports.reportTime | entity.asset.attribute.labels[cpu_report_time] | |
deviceFiles.createTime | relations.entity.file.first_seen_time | |
deviceFiles.downloadUrl | relations.entity.file.full_path | |
deviceFiles.name | relations.entity.file.names | |
deviceFiles.type | relations.entity.file.mime_type | |
| | relations.entity_type | The relations.entity_type UDM field is set to FILE. |
| | relations.relationship | The relations.relationship UDM field is set to MEMBER. |
deviceId | entity.asset.product_object_id | |
diskVolumeReports.volumeInfo.storageFree | entity.asset.attribute.labels[volume_info_storage_free] | |
diskVolumeReports.volumeInfo.storageTotal | entity.asset.attribute.labels[volume_info_storage_total] | |
diskVolumeReports.volumeInfo.volumeId | entity.asset.attribute.labels[volume_id] | |
dockMacAddress | entity.asset.attribute.labels[dock_mac_address] | |
etag | entity.labels[etag] (deprecated) | |
etag | additional.fields[etag] | |
ethernetMacAddress0 | entity.asset.attribute.labels[ethernet_mac_address] | |
firmwareVersion | entity.asset.attribute.labels[firmware_version] | |
kind | entity.labels[kind] (deprecated) | |
kind | additional.fields[kind] | |
lastEnrollmentTime | entity.asset.last_discover_time | |
lastKnownNetwork.ipAddress | entity.asset.ip | |
lastKnownNetwork.wanIpAddress | entity.asset.nat_ip | |
lastSync | entity.asset.system_last_update_time | |
macAddress | entity.asset.mac | |
ethernetMacAddress | entity.asset.mac | |
manufactureDate | entity.asset.attribute.labels[manufacture_date] | |
meid | entity.asset.attribute.labels[meid] | |
model | entity.asset.hardware.model | |
notes | entity.asset.attribute.labels[notes] | |
orderNumber | entity.asset.attribute.labels[order_number] | |
orgUnitId | entity.asset.attribute.labels[org_unit_id] | |
orgUnitPath | entity.user.attribute.labels[org_unit_path] | |
osVersion | entity.asset.attribute.labels[os_version] | |
platformVersion | entity.asset.platform_software.platform_version | |
annotatedUser | entity.user.email_addresses | If the annotatedUser log field value is not empty and the annotatedUser log field value matches the regular expression @, then the annotatedUser log field is mapped to the entity.user.email_addresses UDM field. |
recentUsers.email | entity.user.email_addresses | |
recentUsers.type | relations.entity.user.attribute.roles.name | |
| | relations.entity.user.attribute.roles.description | If the recentUsers.type log field value is equal to USER_TYPE_MANAGED, then the relations.entity.user.attribute.roles.description UDM field is set to The user is managed by the domain. Else, if the recentUsers.type log field value is equal to USER_TYPE_UNMANAGED, then the relations.entity.user.attribute.roles.description UDM field is set to The user is not managed by the domain. |
screenshotFiles.createTime | relations.entity.file.first_seen_time | |
screenshotFiles.downloadUrl | relations.entity.file.full_path | |
screenshotFiles.name | relations.entity.file.names | |
screenshotFiles.type | relations.entity.file.mime_type | |
serialNumber | entity.asset.hardware.serial_number | |
status | entity.asset.deployment_status | If the status log field value is equal to DEPROVISIONED, then the entity.asset.deployment_status UDM field is set to DECOMMISSIONED. Else, the entity.asset.deployment_status UDM field is set to ACTIVE. |
supportEndDate | entity.asset.attribute.labels[support_end_date] | |
systemRamFreeReports.reportTime | entity.asset.attribute.labels[system_ram_report_time] | |
systemRamFreeReports.systemRamFreeInfo | entity.asset.attribute.labels[system_ram_free_info] | |
systemRamTotal | entity.asset.hardware.ram | |
tpmVersionInfo.family | entity.asset.attribute.labels[tpm_ver_info_family] | |
tpmVersionInfo.firmwareVersion | entity.asset.attribute.labels[tpm_ver_info_firmware_version] | |
tpmVersionInfo.manufacturer | entity.asset.attribute.labels[tpm_ver_info_manufacturer] | |
tpmVersionInfo.specLevel | entity.asset.attribute.labels[tpm_ver_info_spec_level] | |
tpmVersionInfo.tpmModel | entity.asset.attribute.labels[tpm_ver_info_tpm_model] | |
tpmVersionInfo.vendorSpecific | entity.asset.attribute.labels[tpm_ver_info_vendor_specific] | |
willAutoRenew | entity.asset.attribute.labels[will_auto_renew] | |
| | entity.asset.type | The entity.asset.type UDM field is set to WORKSTATION. |
| | metadata.entity_type | The metadata.entity_type UDM field is set to ASSET. |
| | metadata.product_name | The metadata.product_name UDM field is set to ChromeOS. |
| | metadata.vendor_name | The metadata.vendor_name UDM field is set to GOOGLE. |
| | relations.entity_type | The relations.entity_type UDM field is set to USER. |
| | relations.relationship | The relations.relationship UDM field is set to MEMBER. |
Field mapping reference: WORKSPACE_PRIVILEGES
The following table lists the log fields of the WORKSPACE_PRIVILEGES log type and their corresponding UDM fields.
Log field | UDM mapping |
---|---|
roleAssignments.assignedTo | metadata.product_entity_id |
roleAssignments.roleAssignmentId | entity.user.attribute.labels[role_assignment_id] |
roleAssignments.roleDetails.roleDescription | entity.user.attribute.roles.description |
roleAssignments.roleDetails.roleId | entity.user.attribute.labels[role_details_role_id] |
roleAssignments.roleDetails.roleName | entity.user.attribute.roles.name |
roleAssignments.roleDetails.rolePrivileges.details.childPrivileges.etag | |
roleAssignments.roleDetails.rolePrivileges.details.childPrivileges.isOuScopable | |
roleAssignments.roleDetails.rolePrivileges.details.childPrivileges.kind | |
roleAssignments.roleDetails.rolePrivileges.details.childPrivileges.privilegeName | entity.user.attribute.labels[%{rolePrivilege.privilegeName}_CHILD_PRIVILEGES] |
roleAssignments.roleDetails.rolePrivileges.details.childPrivileges.serviceId | |
roleAssignments.roleDetails.rolePrivileges.details.childPrivileges.serviceName | |
roleAssignments.roleDetails.rolePrivileges.details.etag | entity.labels[etag] (deprecated) |
roleAssignments.roleDetails.rolePrivileges.details.etag | additional.fields[etag] |
roleAssignments.roleDetails.rolePrivileges.details.isOuScopable | entity.user.attribute.labels[is_ou_scopable] |
roleAssignments.roleDetails.rolePrivileges.details.kind | entity.labels[kind] (deprecated) |
roleAssignments.roleDetails.rolePrivileges.details.kind | additional.fields[kind] |
roleAssignments.roleDetails.rolePrivileges.details.privilegeName | |
roleAssignments.roleDetails.rolePrivileges.details.serviceId | |
roleAssignments.roleDetails.rolePrivileges.details.serviceName | entity.user.attribute.labels[service_name] |
roleAssignments.roleDetails.rolePrivileges.privilegeName | entity.user.attribute.permissions.name |
roleAssignments.roleDetails.rolePrivileges.serviceId | entity.user.attribute.permissions.description |
roleAssignments.roleId | entity.user.attribute.labels[role_id] |
roleAssignments.scopeType | entity.user.attribute.labels[scope_type] |
userId | entity.user.userid |
| | metadata.vendor_name |
| | metadata.product_name |
| | metadata.entity_type |