Collecter les journaux Google Workspace
Compatible avec:
Google SecOps
SIEM
Ce document explique comment collecter des journaux Google Workspace en configurant un flux Google Security Operations et comment les champs de journal sont mis en correspondance avec Google Security Operations Unified Modèle de données (UDM). Ce document liste également les types de journaux et d'événements compatibles avec Google Workspace.
Pour en savoir plus, consultez Ingestion de données dans Google Security Operations.
Un déploiement typique se compose de Google Workspace et du flux Google Security Operations configuré pour envoyer des journaux à Google Security Operations. Chaque déploiement client peut être différent et plus complexe.
Le déploiement contient les composants suivants:
Google Workspace Plate-forme Google Workspace à partir de laquelle vous collectez les journaux.
Flux Google Security Operations Le flux Google Security Operations qui récupère les journaux depuis Google Workspace et écrit des journaux sur Google Security Operations.
Opérations de sécurité Google Google Security Operations conserve et analyse les journaux de Google Workspace.
Un libellé d'ingestion identifie l'analyseur qui normalise les données de journal brutes au format UDM structuré. Les informations contenues dans ce document s'appliquent aux analyseurs Google Workspace. avec les étiquettes d'ingestion suivantes:
WORKSPACE_ACTIVITYWORKSPACE_ALERTSWORKSPACE_CHROMEOSWORKSPACE_GROUPSWORKSPACE_MOBILEWORKSPACE_PRIVILEGESWORKSPACE_USERS
Avant de commencer
Assurez-vous d'utiliser l'édition Google Workspace Business Standard ou Business Plus, car l'analyseur Google Workspace est compatible avec ces deux éditions.
Vérifiez que vous disposez d'un compte administrateur Google Workspace.
Activez les API suivantes dans votre projet Google Cloud :
Pour authentifier les API Google Workspace, créez un compte de service dans votre et notez l'ID numérique unique et l'adresse e-mail du compte de service. Pour en savoir plus sur la création d'un compte de service, consultez la section Créer et gérer des comptes de service.
Créez un utilisateur qui usurpe l'identité du compte de service, puis accordez-lui des droits :
- Connectez-vous à la console d'administration Google.
- Sélectionnez Directory > Users (Annuaire > Utilisateurs), puis cliquez sur Add new user (Ajouter un utilisateur).
- Saisissez les informations sur l'utilisateur.
- Cliquez sur Ajouter un utilisateur.
- Cliquez sur le lien de l'utilisateur que vous venez de créer, puis sur Rôles et droits d'administrateur.
- Cliquez sur Réduire.
- Cliquez sur Créer un rôle personnalisé.
- Cliquez sur Créer un rôle, puis donnez un nom à ce rôle.
- Accordez les droits suivants au rôle:
- Droits d'accès > Rapports
- Privilèges > Services > Centre d'alerte > Accès complet > Accès en lecture
- Droits > Services > Gestion des appareils mobiles > Gérer les appareils et les paramètres
- Droits > Services > Gestion de Chrome > Paramètres
- API Admin > Droits > Utilisateurs > Lire
- API Admin > Droits > Groupes > Lire
- Cliquez sur Continuer, puis sur Créer un rôle.
- Cliquez sur Attribuer aux utilisateurs.
- Sélectionnez l'utilisateur auquel attribuer le rôle.
- Cliquez sur Attribuer un rôle.
Créez des identifiants d'accès. Pour en savoir plus sur la création d'identifiants d'accès, consultez la section Créer une clé de compte de service.
Pour accéder aux données, autorisez la délégation au niveau du domaine pour le compte de service avec les champs d'application d'accès suivants :
https://www.googleapis.com/auth/admin.reports.audit.readonlyhttps://www.googleapis.com/auth/apps.alertshttps://www.googleapis.com/auth/admin.directory.device.chromeos.readonlyhttps://www.googleapis.com/auth/admin.directory.group.readonlyhttps://www.googleapis.com/auth/admin.directory.device.mobile.readonlyhttps://www.googleapis.com/auth/admin.directory.rolemanagement.readonlyhttps://www.googleapis.com/auth/admin.directory.user.readonly
Pour trouver l'ID client Google Workspace, dans la console d'administration Google, sélectionnez Compte > Paramètres du compte > Profil.
S'assurer que tous les systèmes de l'architecture de déploiement sont configurés dans le fuseau horaire UTC.
Vérifiez les types de journaux compatibles avec l'analyseur Google Security Operations. Pour plus d'informations sur les journaux Google Workspace compatibles, consultez Types de journaux Google Workspace compatibles.
Configurer un flux dans Google Security Operations pour ingérer des journaux Google Workspace
- Dans la barre de navigation, sélectionnez Settings (Paramètres) > SIEM Settings (Paramètres du SIEM) > Feeds (Flux).
- Cliquez sur Add New (Ajouter nouveau).
- Sélectionnez API tierce pour Type de source.
- Pour créer un flux pour les activités Workspace, sélectionnez Activités Workspace comme Type de journal.
- Cliquez sur Suivant.
Spécifiez les valeurs en fonction de la configuration Google Workspace que vous avez créée pour les champs suivants:
- Point de terminaison JWT OAuth. Point de terminaison contenant le jeton Web JSON OAuth.
Spécifiez la valeur
token_uride la clé JSON du compte de service. - Émetteur de revendications JWT. Il s'agit de l'ID client. Spécifiez la valeur
client_emailà partir de la clé JSON du compte de service. Par exemple,InsertServiceAccount@project.iam.gserviceaccount.com. - Objet des revendications JWT Indiquez l'adresse e-mail de l'utilisateur que vous avez créé dans la console d'administration Google Workspace.
- Audience des revendications JWT. Spécifiez la valeur
token_urià partir de la clé JSON du compte de service. Clé privée RSA Clé privée RSA au format PEM. La clé PEM est disponible dans le fichier de clé du compte de service. Lorsque vous saisissez la clé privée, incluez l'en-tête
BEGIN PRIVATE KEYet le pied de pageEND PRIVATE KEY, puis remplacez toutes les instances du jeton\npar une frappeEnterréelle dans la zone de texte.Numéro client Pour tous les types de journaux, à l'exception du type de journal "Alertes", le numéro client doit être précédé d'un "C" . Si le champ du numéro client ne contient pas un "C" de début puis ajoutez un "C" au début de la valeur .
Applications. Le champ Applications n'est obligatoire que lorsque vous créez un flux pour les activités Workspace.
- Point de terminaison JWT OAuth. Point de terminaison contenant le jeton Web JSON OAuth.
Spécifiez la valeur
Cliquez sur Next (Suivant), puis sur Submit (Envoyer).
Après avoir suivi la procédure de création d'un flux pour les activités Workspace, répétez les étapes de création d'un flux distinct pour chacun des types de journaux suivants.
Workspace AlertsWorkspace ChromeOS DevicesWorkspace GroupsWorkspace Mobile DevicesWorkspace PrivilegesWorkspace Users
Pour en savoir plus sur les flux Google Security Operations, consultez la documentation sur les flux Google Security Operations. Pour en savoir plus sur les exigences de chaque consultez la section Configuration du flux par type.
Si vous rencontrez des problèmes lors de la création de flux, contactez l'assistance Google Security Operations.
Types de journaux Google Workspace compatibles
Les sections suivantes répertorient les types de journaux compatibles avec l'analyseur Google Workspace :
WORKSPACE_ACTIVITY
Le tableau suivant répertorie le nom de l'application et les types d'événements compatibles pour le type de journal WORKSPACE_ACTIVITY.
| Nom de l'application | Type d'événement |
|---|---|
access_transparency
|
GSUITE_RESOURCE
|
chrome
|
CHROME_OS_ADD_REMOVE_USER_TYPE
|
DEVICE_BOOT_STATE_CHANGE_TYPE
|
|
CHROME_OS_LOGIN_LOGOUT_TYPE
|
|
CHROME_OS_REPORTING_DATA_LOST_TYPE
|
|
SAFE_BROWSING_PASSWORD_ALERT
|
|
DLP_EVENTS_TYPE
|
|
CONTENT_TRANSFER_TYPE
|
|
CONTENT_UNSCANNED_TYPE
|
|
EXTENSION_REQUEST_TYPE
|
|
LOGIN_EVENT_TYPE
|
|
MALWARE_TRANSFER_TYPE
|
|
PASSWORD_BREACH_TYPE
|
|
SENSITIVE_DATA_TRANSFER_TYPE
|
|
UNSAFE_SITE_VISIT_TYPE
|
|
context_aware_access
|
CONTEXT_AWARE_ACCESS_USER_EVENT
|
gplus
|
comment_change
|
plusone_change
|
|
poll_vote_change
|
|
post_change
|
|
data_studio
|
ACCESS
|
ACL_CHANGE
|
|
mobile
|
device_applications
|
device_updates
|
|
suspicious_activity
|
|
groups_enterprise
|
moderator_action
|
calendar
|
calendar_change
|
notification
|
|
subscription_change
|
|
event_change
|
|
interop
|
|
chat
|
user_action
|
gcp
|
CLOUD_OSLOGIN
|
drive
|
access
|
acl_change
|
|
pooled_quota_metadata
|
|
groups
|
acl_change
|
moderator_action
|
|
keep
|
user_action
|
meet
|
call
|
token
|
auth
|
rules
|
action_complete_type
|
rule_match_type
|
|
rule_trigger_type
|
|
saml
|
login
|
user_accounts
|
2sv_change
|
password_change
|
|
recovery_info_change
|
|
titanium_change
|
|
email_forwarding_change
|
|
login
|
2sv_change
|
password_change
|
|
recovery_info_change
|
|
account_warning
|
|
titanium_change
|
|
email_forwarding_change
|
|
jamboard
|
administrative_action
|
setting_change
|
|
status_change
|
|
admin
|
USER_SETTINGS
|
Pour en savoir plus sur les applications Google Workspace compatibles avec Google Security Operations, consultez la page Applications Google Workspace.
WORKSPACE_ALERTS
Voici la liste des types d'alerte pris en charge:
Customer takeout initiatedMalware reclassificationMisconfigured whitelistPhishing reclassificationSuspicious message reportedUser reported phishingUser reported spam spikeLeaked passwordSuspicious loginSuspicious login (less secure app)Suspicious programmatic loginUser suspendedUser suspended (spam)User suspended (spam through relay)User suspended (suspicious activity)Google OperationsConfiguration problemGovernment attack warningDevice compromisedSuspicious activityAppMaker Default Cloud SQL setupActivity RuleData Loss PreventionApps outagePrimary admin changedSSO profile addedSSO profile updatedSSO profile deletedSuper admin password reset
WORKSPACE_CHROMEOS
Pour en savoir plus sur le schéma de journal ChromeOS compatible, consultez Appareils ChromeOS.
WORKSPACE_GROUPS
Pour en savoir plus sur le schéma de journal des groupes compatibles, consultez group.
WORKSPACE_MOBILE
Pour en savoir plus sur les schémas de journaux mobiles compatibles, consultez mobile.
WORKSPACE_PRIVILEGES
Pour en savoir plus sur le schéma de journal des droits compatible, consultez la section Privilège.
WORKSPACE_USERS
Pour en savoir plus sur le schéma de journal des utilisateurs compatible, consultez users.
Documentation de référence sur le mappage de champs
Les sections suivantes expliquent comment l'analyseur Google Security Operations mappe les champs de journal Google Workspace aux champs du modèle de données unifié (UDM) de Google Security Operations. Les mappages de champs de cet analyseur restent les mêmes pour l'ingestion basée sur un flux et l'ingestion native.
Référence de mappage de champs : types de journaux WORKSPACE_ACTIVITY et type d'événement UDM
Le tableau suivant répertorie les types de journaux WORKSPACE_ACTIVITY et les types d'événements UDM correspondants.
| Workspace application | Event identifier | Event type |
|---|---|---|
access_transparency |
ACCESS |
USER_RESOURCE_ACCESS |
chrome |
CHROME_OS_ADD_USER |
USER_CREATION |
chrome |
CHROME_OS_REMOVE_USER |
USER_DELETION |
chrome |
DEVICE_BOOT_STATE_CHANGE |
SETTING_MODIFICATION |
chrome |
CHROME_OS_LOGIN_FAILURE_EVENT |
USER_LOGIN |
chrome |
CHROME_OS_LOGIN_LOGOUT_EVENT |
USER_LOGIN |
chrome |
CHROME_OS_LOGIN_EVENT |
USER_LOGIN |
chrome |
CHROME_OS_LOGOUT_EVENT |
USER_LOGOUT |
chrome |
CHROME_OS_REPORTING_DATA_LOST |
STATUS_UPDATE |
chrome |
PASSWORD_CHANGED |
USER_CHANGE_PASSWORD |
chrome |
PASSWORD_REUSE |
USER_UNCATEGORIZED |
chrome |
DLP_EVENT |
USER_UNCATEGORIZED |
chrome |
CONTENT_TRANSFER |
STATUS_UNCATEGORIZED |
chrome |
CONTENT_UNSCANNED |
SCAN_UNCATEGORIZED |
chrome |
EXTENSION_REQUEST |
USER_UNCATEGORIZED |
chrome |
LOGIN_EVENT |
USER_LOGIN |
chrome |
MALWARE_TRANSFER |
SCAN_UNCATEGORIZED. The security category is |
chrome |
PASSWORD_BREACH |
USER_RESOURCE_ACCESS. The security category is |
chrome |
SENSITIVE_DATA_TRANSFER |
SCAN_UNCATEGORIZED |
chrome |
UNSAFE_SITE_VISIT |
NETWORK_UNCATEGORIZED. The security category is |
chrome |
BROWSER_CRASH |
STATUS_UNCATEGORIZED |
chrome |
BROWSER_EXTENSION_INSTALL |
USER_RESOURCE_UPDATE_CONTENT |
chrome |
CHROMEOS_AFFILIATED_LOCK_SUCCESS |
USER_LOGOUT |
chrome |
CHROMEOS_AFFILIATED_UNLOCK_FAILURE |
USER_LOGIN |
chrome |
CHROMEOS_AFFILIATED_UNLOCK_SUCCESS |
USER_LOGIN |
chrome |
CHROMEOS_PERIPHERAL_ADDED |
USER_RESOURCE_ACCESS |
chrome |
CHROMEOS_PERIPHERAL_REMOVED |
USER_RESOURCE_DELETION |
chrome |
CHROMEOS_PERIPHERAL_STATUS_UPDATED |
USER_RESOURCE_UPDATE_CONTENT |
chrome |
CHROMEOS_UPDATE_FAILURE |
STATUS_UNCATEGORIZED |
chrome |
CHROMEOS_UPDATE_SUCCESS |
STATUS_UNCATEGORIZED |
chrome |
CHROME_OS_CRD_CLIENT_CONNECTED |
USER_LOGIN |
chrome |
CHROME_OS_CRD_HOST_ENDED |
STATUS_STARTUP |
chrome |
CHROME_OS_CRD_HOST_STARTED |
STATUS_STARTUP |
chrome |
URL_FILTERING_INTERSTITIAL |
STATUS_UNCATEGORIZED |
context_aware_access |
ACCESS_DENY_EVENT |
USER_RESOURCE_ACCESS |
context_aware_access |
ACCESS_DENY_INTERNAL_ERROR_EVENT |
USER_RESOURCE_ACCESS |
context_aware_access |
MONITOR_MODE_ACCESS_DENY_EVENT |
USER_RESOURCE_ACCESS |
gplus |
create_comment |
USER_RESOURCE_CREATION |
gplus |
delete_comment |
USER_RESOURCE_DELETION |
gplus |
edit_comment |
USER_RESOURCE_UPDATE_CONTENT |
gplus |
add_plusone |
STATUS_UPDATE |
gplus |
remove_plusone |
STATUS_UPDATE |
gplus |
add_poll_vote |
STATUS_UPDATE |
gplus |
remove_poll_vote |
STATUS_UPDATE |
gplus |
create_post |
USER_RESOURCE_CREATION |
gplus |
delete_post |
USER_RESOURCE_DELETION |
gplus |
content_manager_delete_post |
USER_RESOURCE_DELETION |
gplus |
edit_post |
USER_RESOURCE_UPDATE_CONTENT |
data_studio |
ADD_REPORT_EMAIL_DELIVERY |
USER_UNCATEGORIZED |
data_studio |
CREATE |
USER_RESOURCE_CREATION |
data_studio |
DATA_EXPORT |
USER_RESOURCE_ACCESS |
data_studio |
DELETE |
USER_RESOURCE_DELETION |
data_studio |
DOWNLOAD_REPORT |
USER_UNCATEGORIZED |
data_studio |
EDIT |
USER_RESOURCE_UPDATE_CONTENT |
data_studio |
RESTORE |
USER_RESOURCE_CREATION |
data_studio |
STOP_REPORT_EMAIL_DELIVERY |
USER_UNCATEGORIZED |
data_studio |
TRASH |
USER_RESOURCE_DELETION |
data_studio |
UPDATE_REPORT_EMAIL_DELIVERY |
USER_UNCATEGORIZED |
data_studio |
VIEW |
USER_RESOURCE_ACCESS |
data_studio |
CHANGE_DATA_SOURCE_ACCESS_TYPE |
USER_RESOURCE_UPDATE_PERMISSIONS |
data_studio |
CHANGE_ASSET_LINK_SHARING_ACCESS_TYPE |
USER_RESOURCE_UPDATE_PERMISSIONS |
data_studio |
CHANGE_ASSET_LINK_SHARING_VISIBILITY |
USER_RESOURCE_UPDATE_PERMISSIONS |
data_studio |
CHANGE_USER_ACCESS |
USER_CHANGE_PERMISSIONS |
mobile |
APPLICATION_EVENT |
USER_RESOURCE_UPDATE_CONTENT |
mobile |
APPLICATION_REPORT_EVENT |
STATUS_UPDATE |
mobile |
DEVICE_REGISTER_UNREGISTER_EVENT |
USER_RESOURCE_UPDATE_PERMISSIONS |
mobile |
ADVANCED_POLICY_SYNC_EVENT |
STATUS_UPDATE |
mobile |
DEVICE_ACTION_EVENT |
USER_RESOURCE_UPDATE_CONTENT |
mobile |
DEVICE_COMPLIANCE_CHANGED_EVENT |
STATUS_UPDATE |
mobile |
OS_UPDATED_EVENT |
USER_RESOURCE_UPDATE_CONTENT |
mobile |
DEVICE_OWNERSHIP_CHANGE_EVENT |
STATUS_UPDATE |
mobile |
DEVICE_SETTINGS_UPDATED_EVENT |
SETTING_MODIFICATION |
mobile |
APPLE_DEP_DEVICE_UPDATE_ON_APPLE_PORTAL_EVENT |
STATUS_UPDATE |
mobile |
DEVICE_SYNC_EVENT |
USER_RESOURCE_UPDATE_CONTENT |
mobile |
RISK_SIGNAL_UPDATED_EVENT |
STATUS_UPDATE |
mobile |
ANDROID_WORK_PROFILE_SUPPORT_ENABLED_EVENT |
STATUS_UPDATE |
mobile |
DEVICE_COMPROMISED_EVENT |
STATUS_UPDATE |
mobile |
FAILED_PASSWORD_ATTEMPTS_EVENT |
STATUS_UPDATE |
mobile |
SUSPICIOUS_ACTIVITY_EVENT |
STATUS_UPDATE |
groups_enterprise |
accept_invitation |
USER_UNCATEGORIZED |
groups_enterprise |
add_info_setting |
GROUP_MODIFICATION |
groups_enterprise |
add_member |
GROUP_MODIFICATION |
groups_enterprise |
add_member_role |
USER_CHANGE_PERMISSIONS |
groups_enterprise |
add_security_setting |
GROUP_MODIFICATION |
groups_enterprise |
add_service_account_permission |
USER_CHANGE_PERMISSIONS |
groups_enterprise |
approve_join_request |
USER_UNCATEGORIZED |
groups_enterprise |
ban_member_with_moderation |
GROUP_MODIFICATION |
groups_enterprise |
change_info_setting |
GROUP_MODIFICATION |
groups_enterprise |
change_security_setting |
GROUP_MODIFICATION |
groups_enterprise |
create_group |
GROUP_CREATION |
groups_enterprise |
create_namespace |
GROUP_UNCATEGORIZED |
groups_enterprise |
delete_group |
GROUP_DELETION |
groups_enterprise |
delete_namespace |
GROUP_UNCATEGORIZED |
groups_enterprise |
add_dynamic_group_query |
GROUP_UNCATEGORIZED |
groups_enterprise |
change_dynamic_group_query |
GROUP_MODIFICATION |
groups_enterprise |
invite_member |
GROUP_UNCATEGORIZED |
groups_enterprise |
join |
GROUP_MODIFICATION |
groups_enterprise |
add_membership_expiry |
GROUP_MODIFICATION |
groups_enterprise |
remove_membership_expiry |
GROUP_MODIFICATION |
groups_enterprise |
update_membership_expiry |
GROUP_MODIFICATION |
groups_enterprise |
reject_invitation |
USER_UNCATEGORIZED |
groups_enterprise |
reject_join_request |
USER_UNCATEGORIZED |
groups_enterprise |
remove_info_setting |
GROUP_MODIFICATION |
groups_enterprise |
remove_member |
GROUP_MODIFICATION |
groups_enterprise |
remove_member_role |
GROUP_MODIFICATION |
groups_enterprise |
remove_security_setting |
GROUP_MODIFICATION |
groups_enterprise |
remove_service_account_permission |
GROUP_MODIFICATION |
groups_enterprise |
request_to_join |
USER_UNCATEGORIZED |
groups_enterprise |
revoke_invitation |
USER_UNCATEGORIZED |
groups_enterprise |
unban_member |
GROUP_MODIFICATION |
calendar |
change_calendar_acls |
USER_CHANGE_PERMISSIONS |
calendar |
change_calendar_country |
USER_RESOURCE_UPDATE_CONTENT |
calendar |
create_calendar |
USER_RESOURCE_CREATION |
calendar |
delete_calendar |
USER_RESOURCE_DELETION |
calendar |
change_calendar_description |
USER_RESOURCE_UPDATE_CONTENT |
calendar |
change_calendar_location |
USER_RESOURCE_UPDATE_CONTENT |
calendar |
change_calendar_timezone |
USER_RESOURCE_UPDATE_CONTENT |
calendar |
change_calendar_title |
USER_RESOURCE_UPDATE_CONTENT |
calendar |
notification_triggered |
USER_UNCATEGORIZED |
calendar |
add_subscription |
USER_UNCATEGORIZED |
calendar |
delete_subscription |
STATUS_UPDATE |
calendar |
create_event |
USER_RESOURCE_UPDATE_CONTENT |
calendar |
delete_event |
USER_RESOURCE_UPDATE_CONTENT |
calendar |
add_event_guest |
USER_RESOURCE_UPDATE_CONTENT |
calendar |
change_event_guest_response_auto |
USER_UNCATEGORIZED |
calendar |
remove_event_guest |
USER_RESOURCE_UPDATE_CONTENT |
calendar |
change_event_guest_response |
USER_RESOURCE_UPDATE_CONTENT |
calendar |
change_event |
USER_RESOURCE_UPDATE_CONTENT |
calendar |
remove_event_from_trash |
USER_RESOURCE_UPDATE_CONTENT |
calendar |
restore_event |
USER_RESOURCE_UPDATE_CONTENT |
calendar |
change_event_start_time |
USER_RESOURCE_UPDATE_CONTENT |
calendar |
change_event_title |
USER_RESOURCE_UPDATE_CONTENT |
calendar |
transfer_event_requested |
USER_UNCATEGORIZED |
calendar |
transfer_event_completed |
USER_UNCATEGORIZED |
calendar |
interop_freebusy_lookup_outbound_successful |
USER_RESOURCE_ACCESS |
calendar |
interop_freebusy_lookup_inbound_successful |
USER_RESOURCE_ACCESS |
calendar |
interop_exchange_resource_availability_lookup_successful |
USER_RESOURCE_ACCESS |
calendar |
interop_exchange_resource_list_lookup_successful |
USER_RESOURCE_ACCESS |
calendar |
interop_freebusy_lookup_outbound_unsuccessful |
USER_RESOURCE_ACCESS |
calendar |
interop_freebusy_lookup_inbound_unsuccessful |
USER_RESOURCE_ACCESS |
calendar |
interop_exchange_resource_availability_lookup_unsuccessful |
USER_RESOURCE_ACCESS |
calendar |
interop_exchange_resource_list_lookup_unsuccessful |
USER_RESOURCE_ACCESS |
chat |
add_room_member |
GROUP_MODIFICATION |
chat |
attachment_download |
FILE_UNCATEGORIZED |
chat |
attachment_upload |
FILE_UNCATEGORIZED |
chat |
block_room |
GROUP_UNCATEGORIZED |
chat |
block_user |
USER_UNCATEGORIZED |
chat |
direct_message_started |
USER_UNCATEGORIZED |
chat |
invite_accept |
USER_UNCATEGORIZED |
chat |
invite_decline |
USER_UNCATEGORIZED |
chat |
invite_send |
USER_UNCATEGORIZED |
chat |
message_edited |
USER_RESOURCE_UPDATE_CONTENT |
chat |
message_posted |
USER_RESOURCE_CREATION |
chat |
message_reported |
USER_UNCATEGORIZED |
chat |
message_deleted |
USER_RESOURCE_DELETION |
chat |
remove_room_member |
GROUP_MODIFICATION |
chat |
room_created |
GROUP_CREATED |
chat |
reaction_added |
USER_UNCATEGORIZED |
chat |
call_ended |
USER_UNCATEGORIZED |
chat |
presentation_started |
STATUS_UNCATEGORIZED |
chat |
invitation_sent |
STATUS_UNCATEGORIZED |
chat |
presentation_stopped |
STATUS_UNCATEGORIZED |
gcp |
IMPORT_SSH_PUBLIC_KEY |
USER_UNCATEGORIZED |
gcp |
DELETE_POSIX_ACCOUNT |
USER_UNCATEGORIZED |
gcp |
DELETE_SSH_PUBLIC_KEY |
USER_UNCATEGORIZED |
gcp |
GET_SSH_PUBLIC_KEY |
USER_UNCATEGORIZED |
gcp |
GET_LOGIN_PROFILE |
USER_UNCATEGORIZED |
gcp |
UPDATE_SSH_PUBLIC_KEY |
USER_UNCATEGORIZED |
drive |
add_to_folder |
USER_RESOURCE_CREATION |
drive |
approval_canceled |
USER_UNCATEGORIZED |
drive |
approval_comment_added |
USER_UNCATEGORIZED |
drive |
approval_completed |
USER_UNCATEGORIZED |
drive |
approval_decisions_reset |
USER_UNCATEGORIZED |
drive |
approval_due_time_change |
USER_UNCATEGORIZED |
drive |
approval_requested |
USER_UNCATEGORIZED |
drive |
approval_reviewer_change |
USER_UNCATEGORIZED |
drive |
approval_reviewer_responded |
USER_UNCATEGORIZED |
drive |
copy |
USER_RESOURCE_CREATION |
drive |
create |
USER_RESOURCE_CREATION |
drive |
delete |
USER_RESOURCE_DELETION |
drive |
download |
USER_RESOURCE_ACCESS |
drive |
email_as_attachment |
EMAIL_TRANSACTION |
drive |
edit |
USER_RESOURCE_UPDATE_CONTENT |
drive |
label_added |
USER_UNCATEGORIZED |
drive |
label_added_by_item_create |
USER_UNCATEGORIZED |
drive |
label_field_changed |
USER_UNCATEGORIZED |
drive |
label_removed |
USER_UNCATEGORIZED |
drive |
add_lock |
USER_UNCATEGORIZED |
drive |
move |
USER_UNCATEGORIZED |
drive |
preview |
USER_RESOURCE_ACCESS |
drive |
print |
USER_UNCATEGORIZED |
drive |
remove_from_folder |
USER_RESOURCE_DELETION |
drive |
rename |
USER_RESOURCE_UPDATE_CONTENT |
drive |
untrash |
USER_RESOURCE_CREATION |
drive |
sheets_import_range |
USER_RESOURCE_ACCESS |
drive |
source_copy |
USER_RESOURCE_UPDATE_CONTENT |
drive |
trash |
USER_RESOURCE_DELETION |
drive |
remove_lock |
USER_UNCATEGORIZED |
drive |
unmovable_item_reparented |
USER_UNCATEGORIZED |
drive |
upload |
USER_RESOURCE_CREATION |
drive |
view |
USER_RESOURCE_ACCESS |
drive |
connected_sheets_query |
USER_RESOURCE_ACCESS |
drive |
accept_suggestion |
USER_RESOURCE_UPDATE_CONTENT |
drive |
create_comment |
USER_RESOURCE_CREATION |
drive |
create_suggestion |
USER_RESOURCE_CREATION |
drive |
delete_comment |
USER_RESOURCE_DELETION |
drive |
delete_suggestion |
USER_RESOURCE_DELETION |
drive |
edit_comment |
USER_RESOURCE_UPDATE_CONTENT |
drive |
expire_access_request |
USER_RESOURCE_UPDATE_PERMISSIONS |
drive |
reassign_comment |
USER_RESOURCE_UPDATE_CONTENT |
drive |
reject_suggestion |
USER_RESOURCE_UPDATE_CONTENT |
drive |
reopen_comment |
USER_RESOURCE_UPDATE_CONTENT |
drive |
request_access |
USER_RESOURCE_UPDATE_PERMISSIONS |
drive |
resolve_comment |
USER_RESOURCE_UPDATE_CONTENT |
drive |
deny_access_request |
USER_UNCATEGORIZED |
drive |
download_forms_response |
USER_RESOURCE_ACCESS |
drive |
email_collaborators |
EMAIL_UNCATEGORIZED |
drive |
access_url |
USER_RESOURCE_ACCESS |
drive |
access_item_content |
USER_RESOURCE_ACCESS |
drive |
sheets_import_url |
USER_UNCATEGORIZED |
drive |
apply_security_update |
USER_RESOURCE_UPDATE_PERMISSIONS |
drive |
shared_drive_apply_security_update |
USER_RESOURCE_UPDATE_PERMISSIONS |
drive |
shared_drive_remove_security_update |
USER_RESOURCE_UPDATE_PERMISSIONS |
drive |
publish_change |
USER_RESOURCE_UPDATE_PERMISSIONS |
drive |
change_acl_editors |
USER_RESOURCE_UPDATE_PERMISSIONS |
drive |
change_document_access_scope |
USER_RESOURCE_UPDATE_PERMISSIONS |
drive |
change_document_access_scope_hierarchy_reconciled |
USER_RESOURCE_UPDATE_PERMISSIONS |
drive |
change_document_visibility |
USER_RESOURCE_UPDATE_PERMISSIONS |
drive |
change_document_visibility_hierarchy_reconciled |
USER_RESOURCE_UPDATE_PERMISSIONS |
drive |
remove_security_update |
USER_RESOURCE_UPDATE_PERMISSIONS |
drive |
shared_drive_membership_change |
USER_RESOURCE_UPDATE_PERMISSIONS |
drive |
shared_drive_settings_change |
USER_RESOURCE_UPDATE_PERMISSIONS |
drive |
sheets_import_range_access_change |
USER_RESOURCE_UPDATE_PERMISSIONS |
drive |
change_user_access |
USER_CHANGE_PERMISSIONS |
drive |
change_user_access_hierarchy_reconciled |
USER_CHANGE_PERMISSIONS |
drive |
change_owner |
USER_CHANGE_PERMISSIONS |
drive |
publish_new_version |
USER_UNCATEGORIZED |
drive |
change_owner_hierarchy_reconciled |
USER_CHANGE_PERMISSIONS |
drive |
team_drive_membership_change |
USER_CHANGE_PERMISSIONS |
drive |
team_drive_settings_change |
USER_CHANGE_PERMISSIONS |
drive |
storage_usage_update |
USER_RESOURCE_ACCESS |
groups |
change_acl_permission |
GROUP_MODIFICATION |
groups |
accept_invitation |
USER_UNCATEGORIZED |
groups |
approve_join_request |
USER_UNCATEGORIZED |
groups |
join |
GROUP_MODIFICATION |
groups |
request_to_join |
USER_UNCATEGORIZED |
groups |
change_basic_setting |
GROUP_MODIFICATION |
groups |
create_group |
GROUP_CREATION |
groups |
delete_group |
GROUP_DELETION |
groups |
change_identity_setting |
GROUP_MODIFICATION |
groups |
add_info_setting |
GROUP_MODIFICATION |
groups |
change_info_setting |
GROUP_MODIFICATION |
groups |
remove_info_setting |
GROUP_MODIFICATION |
groups |
change_new_members_restrictions_setting |
GROUP_UNCATEGORIZED |
groups |
change_post_replies_setting |
GROUP_MODIFICATION |
groups |
change_spam_moderation_setting |
GROUP_MODIFICATION |
groups |
change_topic_setting |
GROUP_MODIFICATION |
groups |
moderate_message |
GROUP_MODIFICATION |
groups |
always_post_from_user |
USER_UNCATEGORIZED |
groups |
add_user |
GROUP_MODIFICATION |
groups |
ban_user_with_moderation |
GROUP_MODIFICATION |
groups |
revoke_invitation |
USER_UNCATEGORIZED |
groups |
invite_user |
USER_UNCATEGORIZED |
groups |
reject_join_request |
USER_UNCATEGORIZED |
groups |
reinvite_user |
USER_UNCATEGORIZED |
groups |
remove_user |
GROUP_MODIFICATION |
groups |
change_email_subscription_type |
GROUP_MODIFICATION |
groups |
unsubscribe_via_mail |
USER_UNCATEGORIZED |
keep |
deleted_attachment |
USER_UNCATEGORIZED |
keep |
uploaded_attachment |
USER_UNCATEGORIZED |
keep |
edited_note_content |
USER_RESOURCE_UPDATE_CONTENT |
keep |
created_note |
USER_RESOURCE_CREATION |
keep |
deleted_note |
USER_RESOURCE_DELETION |
keep |
modified_acl |
USER_RESOURCE_UPDATE_PERMISSIONS |
meet |
abuse_report_submitted |
USER_UNCATEGORIZED |
meet |
call_ended |
USER_UNCATEGORIZED |
meet |
livestream_watched |
USER_COMMUNICATION |
meet |
invitation_sent |
STATUS_UNCATEGORIZED |
meet |
presentation_started |
STATUS_UNCATEGORIZED |
meet |
presentation_stopped |
STATUS_UNCATEGORIZED |
meet |
knocking_denied |
STATUS_UNCATEGORIZED |
meet |
knocking_accepted |
STATUS_UNCATEGORIZED |
meet |
recording_activity |
STATUS_UNCATEGORIZED |
meet |
dialed_out |
STATUS_UNCATEGORIZED |
token |
activity |
USER_RESOURCE_ACCESS |
token |
authorize |
USER_RESOURCE_ACCESS |
token |
revoke |
USER_RESOURCE_UPDATE_PERMISSIONS |
rules |
action_complete |
USER_RESOURCE_ACCESS |
rules |
rule_match |
USER_RESOURCE_ACCESS |
rules |
rule_trigger |
USER_RESOURCE_ACCESS |
rules |
label_field_value_changed |
USER_RESOURCE_UPDATE_CONTENT |
rules |
label_applied |
USER_RESOURCE_UPDATE_CONTENT |
rules |
sharing_blocked |
USER_RESOURCE_UPDATE_CONTENT |
rules |
content_matched |
USER_RESOURCE_ACCESS |
rules |
content_unmatched |
USER_RESOURCE_ACCESS |
saml |
login_failure |
USER_LOGIN |
saml |
login_success |
USER_LOGIN |
user_accounts |
2sv_disable |
USER_UNCATEGORIZED |
user_accounts |
2sv_enroll |
USER_UNCATEGORIZED |
user_accounts |
password_edit |
USER_UNCATEGORIZED |
user_accounts |
recovery_email_edit |
USER_UNCATEGORIZED |
user_accounts |
recovery_phone_edit |
USER_UNCATEGORIZED |
user_accounts |
recovery_secret_qa_edit |
USER_UNCATEGORIZED |
user_accounts |
titanium_enroll |
USER_UNCATEGORIZED |
user_accounts |
titanium_unenroll |
USER_UNCATEGORIZED |
user_accounts |
email_forwarding_out_of_domain |
USER_UNCATEGORIZED |
jamboard |
DEVICE_LICENSE_ENROLLMENT_CHANGE |
SETTING_MODIFICATION |
jamboard |
DEVICE_OTA_UPDATE_REQUESTED |
SETTING_MODIFICATION |
jamboard |
DEVICE_PROVISIONING_CHANGE |
SETTING_MODIFICATION |
jamboard |
DEVICE_REBOOT_REQUESTED |
USER_UNCATEGORIZED |
jamboard |
EXPORT_JAMBOARD_FLEET |
USER_UNCATEGORIZED |
jamboard |
ADB_ENABLED_STATE_CHANGE |
SETTING_MODIFICATION |
jamboard |
DEVICE_ADDITIONAL_IMES_CHANGE |
SETTING_MODIFICATION |
jamboard |
DEVICE_LOGGING_CHANGE |
SETTING_MODIFICATION |
jamboard |
DEMO_MODE_AVAILABILITY_CHANGE |
SETTING_MODIFICATION |
jamboard |
DEMO_MODE_CHANGE |
SETTING_MODIFICATION |
jamboard |
FINGER_ERASING_CHANGE |
SETTING_MODIFICATION |
jamboard |
DEVICE_LANGUAGE_CHANGE |
SETTING_MODIFICATION |
jamboard |
DEVICE_LOCATION_CHANGE |
STATUS_UPDATE |
jamboard |
DEVICE_NAME_CHANGE |
STATUS_UPDATE |
jamboard |
DEVICE_NOTE_CHANGE |
STATUS_UPDATE |
jamboard |
DEVICE_PAIRING_CHANGE |
SETTING_MODIFICATION |
jamboard |
SCREENSAVER_TIMEOUT_CHANGE |
SETTING_MODIFICATION |
jamboard |
DEVICE_SETTING_LOCKED |
SETTING_MODIFICATION |
jamboard |
DEVICE_SETTING_UNLOCKED |
SETTING_MODIFICATION |
jamboard |
VIDEOCONF_ENABLED_CHANGE |
SETTING_MODIFICATION |
jamboard |
DEVICE_UPDATE |
STATUS_UPDATE |
login |
2sv_disable |
SERVICE_STOP |
login |
2sv_enroll |
SERVICE_START |
login |
password_edit |
USER_CHANGE_PASSWORD |
login |
recovery_email_edit |
USER_UNCATEGORIZED |
login |
recovery_phone_edit |
USER_UNCATEGORIZED |
login |
recovery_secret_qa_edit |
USER_UNCATEGORIZED |
login |
account_disabled_password_leak |
USER_UNCATEGORIZED |
login |
suspicious_login |
USER_LOGIN |
login |
suspicious_login_less_secure_app |
USER_LOGIN |
login |
suspicious_programmatic_login |
USER_LOGIN |
login |
account_disabled_generic |
USER_UNCATEGORIZED |
login |
account_disabled_spamming_through_relay |
USER_UNCATEGORIZED |
login |
account_disabled_spamming |
USER_UNCATEGORIZED |
login |
account_disabled_hijacked |
USER_UNCATEGORIZED |
login |
titanium_enroll |
USER_UNCATEGORIZED |
login |
titanium_unenroll |
USER_UNCATEGORIZED |
login |
gov_attack_warning |
STATUS_UNCATEGORIZED |
login |
email_forwarding_out_of_domain |
USER_UNCATEGORIZED |
login |
login_failure |
USER_LOGIN. The security category is |
login |
login_challenge |
USER_LOGIN |
login |
login_verification |
USER_LOGIN |
login |
logout |
USER_LOGOUT |
login |
login_success |
USER_LOGIN |
login |
risky_sensitive_action_allowed |
USER_LOGIN |
login |
risky_sensitive_action_blocked |
USER_LOGIN |
login |
blocked_sender |
STATUS_UNCATEGORIZED |
admin |
DELETE_2SV_SCRATCH_CODES |
USER_RESOURCE_DELETION |
admin |
GENERATE_2SV_SCRATCH_CODES |
USER_RESOURCE_CREATION |
admin |
REVOKE_3LO_DEVICE_TOKENS |
USER_RESOURCE_ACCESS |
admin |
REVOKE_3LO_TOKEN |
USER_RESOURCE_ACCESS |
admin |
ADD_RECOVERY_EMAIL |
USER_RESOURCE_CREATION |
admin |
ADD_RECOVERY_PHONE |
USER_RESOURCE_CREATION |
admin |
GRANT_ADMIN_PRIVILEGE |
USER_CHANGE_PERMISSIONS |
admin |
REVOKE_ADMIN_PRIVILEGE |
USER_CHANGE_PERMISSIONS |
admin |
REVOKE_ASP |
USER_CHANGE_PERMISSIONS |
admin |
TOGGLE_AUTOMATIC_CONTACT_SHARING |
SETTING_MODIFICATION |
admin |
BULK_UPLOAD |
USER_RESOURCE_CREATION |
admin |
BULK_UPLOAD_NOTIFICATION_SENT |
USER_UNCATEGORIZED |
admin |
CANCEL_USER_INVITE |
USER_UNCATEGORIZED |
admin |
CHANGE_USER_CUSTOM_FIELD |
USER_UNCATEGORIZED |
admin |
CHANGE_USER_EXTERNAL_ID |
USER_UNCATEGORIZED |
admin |
CHANGE_USER_GENDER |
USER_UNCATEGORIZED |
admin |
CHANGE_USER_IM |
USER_UNCATEGORIZED |
admin |
ENABLE_USER_IP_WHITELIST |
USER_UNCATEGORIZED |
admin |
CHANGE_USER_KEYWORD |
USER_UNCATEGORIZED |
admin |
CHANGE_USER_LANGUAGE |
USER_UNCATEGORIZED |
admin |
CHANGE_USER_LOCATION |
USER_UNCATEGORIZED |
admin |
CHANGE_USER_ORGANIZATION |
USER_UNCATEGORIZED |
admin |
CHANGE_USER_PHONE_NUMBER |
USER_UNCATEGORIZED |
admin |
CHANGE_RECOVERY_EMAIL |
USER_UNCATEGORIZED |
admin |
CHANGE_RECOVERY_PHONE |
USER_UNCATEGORIZED |
admin |
CHANGE_USER_RELATION |
USER_UNCATEGORIZED |
admin |
CHANGE_USER_ADDRESS |
USER_UNCATEGORIZED |
admin |
CREATE_EMAIL_MONITOR |
SERVICE_CREATION |
admin |
CREATE_DATA_TRANSFER_REQUEST |
USER_UNCATEGORIZED |
admin |
GRANT_DELEGATED_ADMIN_PRIVILEGES |
USER_CHANGE_PERMISSIONS |
admin |
DELETE_ACCOUNT_INFO_DUMP |
USER_RESOURCE_DELETION |
admin |
DELETE_EMAIL_MONITOR |
SERVICE_DELETION |
admin |
DELETE_MAILBOX_DUMP |
USER_RESOURCE_DELETION |
admin |
DELETE_PROFILE_PHOTO |
USER_RESOURCE_DELETION |
admin |
CHANGE_DISPLAY_NAME |
USER_UNCATEGORIZED |
admin |
CHANGE_FIRST_NAME |
USER_UNCATEGORIZED |
admin |
GMAIL_RESET_USER |
USER_UNCATEGORIZED |
admin |
CHANGE_LAST_NAME |
USER_UNCATEGORIZED |
admin |
MAIL_ROUTING_DESTINATION_ADDED |
USER_RESOURCE_CREATION |
admin |
MAIL_ROUTING_DESTINATION_REMOVED |
USER_RESOURCE_DELETION |
admin |
ADD_NICKNAME |
USER_UNCATEGORIZED |
admin |
REMOVE_NICKNAME |
USER_UNCATEGORIZED |
admin |
CHANGE_PASSWORD |
USER_CHANGE_PASSWORD |
admin |
CHANGE_PASSWORD_ON_NEXT_LOGIN |
USER_CHANGE_PASSWORD |
admin |
DOWNLOAD_PENDING_INVITES_LIST |
STATUS_UNCATEGORIZED |
admin |
REMOVE_RECOVERY_EMAIL |
USER_RESOURCE_DELETION |
admin |
REMOVE_RECOVERY_PHONE |
USER_RESOURCE_DELETION |
admin |
REQUEST_ACCOUNT_INFO |
USER_UNCATEGORIZED |
admin |
REQUEST_MAILBOX_DUMP |
USER_UNCATEGORIZED |
admin |
RESEND_USER_INVITE |
USER_UNCATEGORIZED |
admin |
RESET_SIGNIN_COOKIES |
USER_RESOURCE_UPDATE_CONTENT |
admin |
SECURITY_KEY_REGISTERED_FOR_USER |
USER_RESOURCE_CREATION |
admin |
REVOKE_SECURITY_KEY |
USER_RESOURCE_UPDATE_PERMISSIONS |
admin |
USER_INVITE |
USER_UNCATEGORIZED |
admin |
VIEW_TEMP_PASSWORD |
USER_UNCATEGORIZED |
admin |
TURN_OFF_2_STEP_VERIFICATION |
USER_RESOURCE_UPDATE_PERMISSIONS |
admin |
UNBLOCK_USER_SESSION |
USER_UNCATEGORIZED |
admin |
UNMANAGED_USERS_BULK_UPLOAD |
USER_RESOURCE_CREATION |
admin |
DOWNLOAD_UNMANAGED_USERS_LIST |
USER_UNCATEGORIZED |
admin |
UPDATE_PROFILE_PHOTO |
USER_RESOURCE_UPDATE_CONTENT |
admin |
UNENROLL_USER_FROM_TITANIUM |
USER_UNCATEGORIZED |
admin |
ARCHIVE_USER |
USER_UNCATEGORIZED |
admin |
UPDATE_BIRTHDATE |
USER_UNCATEGORIZED |
admin |
CREATE_USER |
USER_CREATION |
admin |
DELETE_USER |
USER_DELETION |
admin |
DOWNGRADE_USER_FROM_GPLUS |
USER_CHANGE_PERMISSIONS |
admin |
USER_ENROLLED_IN_TWO_STEP_VERIFICATION |
USER_UNCATEGORIZED |
admin |
DOWNLOAD_USERLIST_CSV |
STATUS_UNCATEGORIZED |
admin |
MOVE_USER_TO_ORG_UNIT |
USER_UNCATEGORIZED |
admin |
USER_PUT_IN_TWO_STEP_VERIFICATION_GRACE_PERIOD |
USER_UNCATEGORIZED |
admin |
RENAME_USER |
USER_RESOURCE_UPDATE_CONTENT |
admin |
UNENROLL_USER_FROM_STRONG_AUTH |
USER_UNCATEGORIZED |
admin |
SUSPEND_USER |
USER_UNCATEGORIZED |
admin |
UNARCHIVE_USER |
USER_UNCATEGORIZED |
admin |
UNDELETE_USER |
USER_UNCATEGORIZED |
admin |
UNSUSPEND_USER |
USER_UNCATEGORIZED |
admin |
UPGRADE_USER_TO_GPLUS |
USER_CHANGE_PERMISSIONS |
admin |
USERS_BULK_UPLOAD |
USER_RESOURCE_CREATION |
admin |
USERS_BULK_UPLOAD_NOTIFICATION_SENT |
USER_UNCATEGORIZED |
admin |
ASSIGN_ROLE |
USER_RESOURCE_UPDATE_PERMISSIONS |
admin |
CREATE_ROLE |
USER_RESOURCE_CREATION |
admin |
UNASSIGN_ROLE |
USER_RESOURCE_UPDATE_PERMISSIONS |
admin |
AUTHORIZE_API_CLIENT_ACCESS |
USER_RESOURCE_ACCESS |
admin |
ADD_TRUSTED_DOMAINS |
USER_RESOURCE_UPDATE_CONTENT |
admin |
CHANGE_DOMAIN_DEFAULT_TIMEZONE |
USER_RESOURCE_UPDATE_CONTENT |
admin |
CHANGE_DOMAIN_DEFAULT_LOCALE |
USER_RESOURCE_UPDATE_CONTENT |
admin |
CREATE_ALERT |
USER_RESOURCE_CREATION |
admin |
REMOVE_APPLICATION |
USER_RESOURCE_DELETION |
admin |
ADD_APPLICATION |
USER_RESOURCE_CREATION |
admin |
REMOVE_API_CLIENT_ACCESS |
USER_RESOURCE_DELETION |
admin |
CHANGE_SSO_SETTINGS |
SETTING_MODIFICATION |
admin |
ALERT_CENTER_VIEW |
STATUS_UNCATEGORIZED |
admin |
ALERT_CENTER_LIST_FEEDBACK |
STATUS_UNCATEGORIZED |
admin |
ALERT_CENTER_GET_SIT_LINK |
STATUS_UNCATEGORIZED |
admin |
ALERT_CENTER_LIST_CHANGE |
STATUS_UNCATEGORIZED |
admin |
ALERT_CENTER_LIST_RELATED_ALERTS |
STATUS_UNCATEGORIZED |
admin |
EMAIL_LOG_SEARCH |
EMAIL_UNCATEGORIZED |
admin |
CHANGE_EMAIL_SETTING |
SETTING_MODIFICATION |
admin |
CREATE_GMAIL_SETTING |
SETTING_MODIFICATION |
admin |
CHANGE_GMAIL_SETTING |
SETTING_MODIFICATION |
admin |
DELETE_GMAIL_SETTING |
SETTING_MODIFICATION |
admin |
RELEASE_FROM_QUARANTINE |
EMAIL_UNCATEGORIZED |
admin |
SECURITY_INVESTIGATION_QUERY |
STATUS_UNCATEGORIZED |
admin |
SECURITY_INVESTIGATION_ACTION |
STATUS_UNCATEGORIZED |
admin |
SECURITY_INVESTIGATION_OBJECT_CREATE_DRAFT_INVESTIGATION |
STATUS_UNCATEGORIZED |
admin |
SECURITY_INVESTIGATION_ACTION_COMPLETION |
STATUS_UNCATEGORIZED |
admin |
SECURITY_INVESTIGATION_EXPORT_QUERY |
STATUS_UNCATEGORIZED |
admin |
SECURITY_INVESTIGATION_ACTION_CANCELLATION |
STATUS_UNCATEGORIZED |
admin |
CHANGE_GROUP_SETTING |
GROUP_MODIFICATION |
admin |
ADD_GROUP_MEMBER |
GROUP_MODIFICATION |
admin |
CREATE_GROUP |
GROUP_CREATION |
admin |
REMOVE_GROUP_MEMBER |
GROUP_MODIFICATION |
admin |
UPDATE_GROUP_MEMBER_DELIVERY_SETTINGS |
GROUP_MODIFICATION |
admin |
UPDATE_GROUP_MEMBER |
GROUP_MODIFICATION |
admin |
DELETE_GROUP |
GROUP_DELETION |
admin |
USER_LICENSE_ASSIGNMENT |
USER_RESOURCE_UPDATE_PERMISSIONS |
admin |
USER_LICENSE_REVOKE |
USER_RESOURCE_UPDATE_PERMISSIONS |
admin |
SECURITY_CHART_DRILLDOWN |
STATUS_UNCATEGORIZED |
admin |
SYSTEM_DEFINED_RULE_UPDATED |
SETTING_MODIFICATION |
admin |
CUSTOMER_USER_DEVICE_DELETION_EVENT |
USER_RESOURCE_DELETION |
admin |
ADD_MOBILE_APPLICATION_TO_WHITELIST |
USER_RESOURCE_UPDATE_CONTENT |
admin |
REMOVE_MOBILE_APPLICATION_FROM_WHITELIST |
USER_RESOURCE_UPDATE_CONTENT |
admin |
CHANGE_MOBILE_APPLICATION_SETTINGS |
SETTING_MODIFICATION |
admin |
ACTION_REQUESTED |
USER_UNCATEGORIZED |
admin |
CREATE_APPLICATION_SETTING |
SETTING_CREATION |
admin |
CHANGE_APPLICATION_SETTING |
SETTING_MODIFICATION |
admin |
CREATE_SAML2_SERVICE_PROVIDER_CONFIG |
SETTING_CREATION |
admin |
DELETE_SAML2_SERVICE_PROVIDER_CONFIG |
SETTING_DELETION |
admin |
TOGGLE_SERVICE_ENABLED |
SETTING_MODIFICATION |
admin |
CREATE_ORG_UNIT |
USER_RESOURCE_CREATION |
admin |
MOVE_ORG_UNIT |
USER_RESOURCE_UPDATE_CONTENT |
admin |
EDIT_ORG_UNIT_NAME |
USER_RESOURCE_UPDATE_CONTENT |
admin |
REMOVE_ORG_UNIT |
USER_RESOURCE_DELETION |
admin |
UNASSIGN_CUSTOM_LOGO |
USER_RESOURCE_UPDATE_CONTENT |
admin |
ASSIGN_CUSTOM_LOGO |
USER_RESOURCE_UPDATE_CONTENT |
admin |
EDIT_ORG_UNIT_DESCRIPTION |
USER_RESOURCE_UPDATE_CONTENT |
admin |
CHANGE_DOCS_SETTING |
SETTING_MODIFICATION |
admin |
CHANGE_CALENDAR_SETTING |
SETTING_MODIFICATION |
admin |
SESSION_CONTROL_SETTINGS_CHANGE |
SETTING_MODIFICATION |
admin |
DISALLOW_SERVICE_FOR_OAUTH2_ACCESS |
SETTING_MODIFICATION |
admin |
ALLOW_STRONG_AUTHENTICATION |
SETTING_MODIFICATION |
admin |
ENFORCE_STRONG_AUTHENTICATION |
SETTING_MODIFICATION |
admin |
CHANGE_TWO_STEP_VERIFICATION_FREQUENCY |
SETTING_MODIFICATION |
admin |
CHANGE_TWO_STEP_VERIFICATION_ENROLLMENT_PERIOD_DURATION |
SETTING_MODIFICATION |
admin |
CHANGE_TWO_STEP_VERIFICATION_GRACE_PERIOD_DURATION |
SETTING_MODIFICATION |
admin |
CHANGE_ALLOWED_TWO_STEP_VERIFICATION_METHODS |
SETTING_MODIFICATION |
admin |
CHANGE_TWO_STEP_VERIFICATION_START_DATE |
SETTING_MODIFICATION |
admin |
WEAK_PROGRAMMATIC_LOGIN_SETTINGS_CHANGED |
SETTING_MODIFICATION |
admin |
ADD_TO_BLOCKED_OAUTH2_APPS |
STATUS_UPDATE |
admin |
ADD_TO_TRUSTED_OAUTH2_APPS |
STATUS_UPDATE |
admin |
GENERATE_CERTIFICATE |
USER_RESOURCE_CREATION |
admin |
ENABLE_DIRECTORY_SYNC |
SETTING_MODIFICATION |
admin |
CHANGE_DEVICE_STATE |
STATUS_UPDATE |
admin |
UPDATE_ACCESS_LEVEL_V2 |
USER_RESOURCE_UPDATE_PERMISSIONS |
admin |
UPDATE_AUTO_PROVISIONED_USER |
STATUS_UPDATE |
admin |
SECURITY_CENTER_RULE_THRESHOLD_TRIGGER |
STATUS_UPDATE |
gmail |
EMAIL_TRANSACTION |
Documentation de référence sur le mappage de champs: WORKSPACE_ACTIVITY-Champs communs
Le tableau suivant répertorie les champs courants du type de journal WORKSPACE_ACTIVITY et les champs UDM correspondants.
| Log field | UDM mapping | Logic |
|---|---|---|
actor.callerType |
target.user.attribute.labels[caller_type] |
If the event.name log field value is equal to one of the following values, then the actor.callerType log field is mapped to the target.user.attribute.labels UDM field:
|
actor.callerType |
principal.user.attribute.labels[caller_type] |
If the event.name log field value is not equal to one of the following values, then the actor.callerType log field is mapped to the principal.user.attribute.labels UDM field:
If the id.applicationName log field value is equal to gmail, then principal.user.attribute.labels.key UDM field is set to actor_caller_type and actor.callerType log field is mapped to principal.user.attribute.labels.value UDM field. |
actor.email |
target.user.email_addresses |
If the event.name log field value is equal to one of the following values, then the actor.email log field is mapped to the target.user.email_addresses UDM field:
If the id.applicationName log field value is equal to gmail, then actor.email log field is mapped to principal.user.email_addresses UDM field. |
actor.email |
principal.user.email_addresses |
If the event.name log field value is not equal to one of the following values, then the actor.email log field is mapped to the principal.user.email_addresses UDM field:
|
actor.email |
security_result.about.email |
|
actor.key |
target.user.attribute.labels[actor_key] |
If the event.name log field value is equal to one of the following values, then the actor.key log field is mapped to the target.user.attribute.labels[actor_key] UDM field:
|
actor.key |
principal.user.attribute.labels[actor_key] |
If the event.name log field value is not equal to one of the following values, then the actor.key log field is mapped to the principal.user.attribute.labels[actor_key] UDM field:
|
actor.key |
target.user.userid |
The actor.key log field is mapped to the target.user.userid UDM field if the following conditions are met:
|
actor.key |
principal.user.userid |
The actor.key log field is mapped to the principal.user.userid UDM field if the following conditions are met:
|
actor.profileId |
target.user.product_object_id |
If the event.name log field value is equal to one of the following values, then the actor.profileId log field is mapped to the target.user.product_object_id UDM field:
|
actor.profileId |
principal.user.product_object_id |
If the event.name log field value is not equal to one of the following values, then the actor.profileId log field is mapped to the principal.user.product_object_id UDM field:
|
etag |
metadata.product_log_id |
|
events.name |
metadata.product_event_type |
|
events.type |
security_result.category_details |
|
id.applicationName |
metadata.product_name |
|
id.customerId |
about.resource.product_object_id |
|
id.time |
metadata.event_timestamp |
|
id.uniqueQualifier |
metadata.product_log_id |
|
ipAddress |
principal.ip |
|
kind |
about.labels[kind] (deprecated) |
|
kind |
additional.fields[kind] |
|
ownerDomain |
target.administrative_domain |
If the target.resource log field value is not empty, then the ownerDomain log field is mapped to the target.administrative_domain UDM field.If the principal.resource log field value is not empty, then the ownerDomain log field is mapped to the principal.administrative_domainIf the id.applicationName log field value is equal to gmail, then ownerDomain log field is mapped to principal.administrative_domain UDM field. |
about.resource.resource_type |
The about.resource.resource_type UDM field is set to CLOUD_ORGANIZATION. | |
metadata.vendor_name |
The metadata.vendor_name UDM field is set to GOOGLE. |
|
actor.gaiaId |
principal.user.product_object_id |
If the event.name log field value is not equal to one of the following values, then the actor.gaiaId log field is mapped to the principal.user.product_object_id UDM field:
|
actor.gaiaId |
target.user.product_object_id |
If the event.name log field value is equal to one of the following values, then the actor.gaiaId log field is mapped to the target.user.product_object_id UDM field:
|
actor.orgunitPath |
principal.user.attribute.labels[org_unit_path] |
If the event.name log field value is not equal to one of the following values, then the actor.orgunitPath log field is mapped to the principal.user.attribute.labels[org_unit_path] UDM field:
|
actor.orgunitPath |
target.user.attribute.labels[org_unit_path] |
If the event.name log field value is equal to one of the following values, then the actor.orgunitPath log field is mapped to the target.user.attribute.labels[org_unit_path] UDM field:
|
actor.groupId |
principal.user.group_identifiers |
If the event.name log field value is not equal to one of the following values, then the actor.groupId log field is mapped to the principal.user.group_identifiers UDM field:
|
actor.groupId |
target.user.group_identifiers |
If the event.name log field value is equal to one of the following values, then the actor.groupId log field is mapped to the target.user.group_identifiers UDM field:
|
Documentation de référence sur le mappage de champs: WORKSPACE_Activity
Le tableau suivant répertorie les champs de journal du type de journal WORKSPACE_ACTIVITY et
les champs UDM correspondants.
| Workspace application | Log field | UDM mapping | Logic |
|---|---|---|---|
access_transparency |
ACCESS_APPROVAL_REQUEST_IDS |
about.labels [access_approval_request_ids] (deprecated) |
|
access_transparency |
ACCESS_APPROVAL_REQUEST_IDS |
additional.fields [access_approval_request_ids] |
|
access_transparency |
ACCESS_MANAGEMENT_POLICY |
about.labels [access_management_policy] (deprecated) |
|
access_transparency |
ACCESS_MANAGEMENT_POLICY |
additional.fields [access_management_policy] |
|
access_transparency |
ACTOR_HOME_OFFICE |
principal.user.office_address.country_or_region |
If the event.name log field value is equal to ACCESS, then the ACTOR_HOME_OFFICE log field is mapped to the principal.user.office_address.country_or_region UDM field. |
access_transparency |
GSUITE_PRODUCT_NAME |
target.application |
If the event.name log field value is equal to ACCESS, then the GSUITE_PRODUCT_NAME log field is mapped to the target.application UDM field. |
access_transparency |
JUSTIFICATIONS |
about.labels [justifications] (deprecated) |
If the event.name log field value is equal to ACCESS, then the JUSTIFICATIONS log field is mapped to the about.labels UDM field. |
access_transparency |
JUSTIFICATIONS |
additional.fields [justifications] |
If the event.name log field value is equal to ACCESS, then the JUSTIFICATIONS log field is mapped to the additional.fields UDM field. |
access_transparency |
LOG_ID |
about.labels [logid] (deprecated) |
If the event.name log field value is equal to ACCESS, then the LOG_ID log field is mapped to the about.labels UDM field. |
access_transparency |
LOG_ID |
additional.fields [logid] |
If the event.name log field value is equal to ACCESS, then the LOG_ID log field is mapped to the additional.fields UDM field. |
access_transparency |
ON_BEHALF_OF |
about.labels [on_behalf_of] (deprecated) |
If the event.name log field value is equal to ACCESS, then the ON_BEHALF_OF log field is mapped to the about.labels UDM field. |
access_transparency |
ON_BEHALF_OF |
additional.fields [on_behalf_of] |
If the event.name log field value is equal to ACCESS, then the ON_BEHALF_OF log field is mapped to the additional.fields UDM field. |
access_transparency |
OWNER_EMAIL |
target.user.email_addresses |
If the event.name log field value is equal to ACCESS, then the OWNER_EMAIL log field is mapped to the target.user.email_addresses UDM field. |
access_transparency |
RESOURCE_NAME |
target.resource.name |
If the event.name log field value is equal to ACCESS, then the RESOURCE_NAME log field is mapped to the target.resource.name UDM field. |
access_transparency |
TICKETS |
about.labels [tickets] (deprecated) |
|
access_transparency |
TICKETS |
additional.fields [tickets] |
|
chrome |
DEVICE_NAME |
target.asset.attribute.labels [device_name] |
If the event.name log field value is equal to one of the following values, then the DEVICE_NAME log field is mapped to the target.asset.attribute.labels UDM field:
|
chrome |
DEVICE_PLATFORM |
target.asset.platform_software.platform |
If the DEVICE_PLATFORM log field value matches windows, then the target.asset.platform_software.platform UDM field is set to WINDOWS.If the DEVICE_PLATFORM log field value matches mac, then the target.asset.platform_software.platform UDM field is set to MAC.If the DEVICE_PLATFORM log field value matches linux, then the target.asset.platform_software.platform UDM field is set to LINUX.Else, the target.asset.platform_software.platform UDM field is set to UNKNOWN_PLATFORM. |
chrome |
DEVICE_USER |
principal.user.user_display_name |
If the event.name log field value is equal to LOGIN_EVENT, then the DEVICE_USER log field is mapped to the principal.user.user_display_name UDM field. |
chrome |
LOGIN_USER_NAME |
target.user.user_display_name |
If the event.name log field value is equal to LOGIN_EVENT, then the LOGIN_USER_NAME log field is mapped to the target.user.user_display_name UDM field. |
chrome |
DEVICE_USER |
target.user.user_display_name |
If the event.name log field value is equal to one of the following values, then the DEVICE_USER log field is mapped to the target.user.user_display_name UDM field:
If the event.name log field value is equal to LOGIN_EVENT, then the LOGIN_USER_NAME log field is mapped to the target.user.user_display_name UDM field. |
chrome |
PROFILE_USER_NAME |
target.user.attribute.labels [profile_user_name] |
If the event.name log field value is equal to one of the following values, then the PROFILE_USER_NAME log field is mapped to the target.user.attribute.labels UDM field:
|
chrome |
DIRECTORY_DEVICE_ID |
about.labels [directory_device_id] (deprecated) |
If the event.name log field value is equal to one of the following values, then the DIRECTORY_DEVICE_ID log field is mapped to the about.labels UDM field:
|
chrome |
DIRECTORY_DEVICE_ID |
additional.fields [directory_device_id] |
If the event.name log field value is equal to one of the following values, then the DIRECTORY_DEVICE_ID log field is mapped to the additional.fields UDM field:
|
chrome |
DEVICE_ID |
target.asset.asset_id |
If the event.name log field value is equal to one of the following values, then the DEVICE_ID log field is mapped to the target.asset.asset_id UDM field:
|
chrome |
VIRTUAL_DEVICE_ID |
about.labels [virtual_device_id] (deprecated) |
If the event.name log field value is equal to one of the following values, then the VIRTUAL_DEVICE_ID log field is mapped to the about.labels UDM field:
|
chrome |
VIRTUAL_DEVICE_ID |
additional.fields [virtual_device_id] |
If the event.name log field value is equal to one of the following values, then the VIRTUAL_DEVICE_ID log field is mapped to the additional.fields UDM field:
|
chrome |
EVENT_REASON |
security_result.summary |
If the event.name log field value is equal to one of the following values, then the EVENT_REASON log field is mapped to the security_result.summary UDM field:
|
chrome |
EVENT_RESULT |
security_result.action_details |
If the event.name log field value is equal to one of the following values, then the EVENT_RESULT log field is mapped to the security_result.action_details UDM field:
|
chrome |
security_result.action |
The security_result.action UDM field is set to ALLOW. | |
chrome |
TIMESTAMP |
about.labels [timestamp] (deprecated) |
If the event.name log field value is equal to one of the following values, then the TIMESTAMP log field is mapped to the about.labels UDM field:
|
chrome |
TIMESTAMP |
additional.fields [timestamp] |
If the event.name log field value is equal to one of the following values, then the TIMESTAMP log field is mapped to the additional.fields UDM field:
|
chrome |
BROWSER_VERSION |
target.resource.attribute.labels [browser_version] |
If the event.name log field value is equal to one of the following values, then the BROWSER_VERSION log field is mapped to the target.resource.attribute.labels UDM field:
|
chrome |
LOGIN_FAILURE_REASON |
security_result.description |
|
chrome |
USER_AGENT |
network.http.user_agent |
If the event.name log field value is equal to one of the following values, then the USER_AGENT log field is mapped to the network.http.user_agent UDM field:
|
chrome |
URL |
target.url |
If the event.name log field value is equal to one of the following values, then the URL log field is mapped to the about.url UDM field:
|
chrome |
SCAN_ID |
about.labels [scan_id] (deprecated) |
If the event.name log field value is equal to one of the following values, then the SCAN_ID log field is mapped to the about.labels UDM field:
|
chrome |
SCAN_ID |
additional.fields [scan_id] |
If the event.name log field value is equal to one of the following values, then the SCAN_ID log field is mapped to the additional.fields UDM field:
|
chrome |
REMOVE_USER_REASON |
security_result.detection_fields [remove_user_reason] |
If the event.name log field value is equal to CHROME_OS_REMOVE_USER, then the REMOVE_USER_REASON log field is mapped to the security_result.detection_fields UDM field. |
chrome |
NEW_BOOT_MODE |
target.asset.attribute.labels [new_boot_mode] |
|
chrome |
PREVIOUS_BOOT_MODE |
target.asset.attribute.labels [previous_boot_mode] |
|
chrome |
CLIENT_TYPE |
target.resource.attribute.labels [client_type] |
|
chrome |
TRIGGER_USER |
security_result.about.labels [trigger_user] (deprecated) |
|
chrome |
TRIGGER_USER |
additional.fields [trigger_user] |
|
chrome |
TRIGGER_DESTINATION |
security_result.about.labels [trigger_destination] (deprecated) |
|
chrome |
TRIGGER_DESTINATION |
additional.fields [trigger_destination] |
|
chrome |
TRIGGER_SOURCE |
security_result.about.labels [trigger_source] (deprecated) |
|
chrome |
TRIGGER_SOURCE |
additional.fields [trigger_source] |
|
chrome |
TRIGGER_TYPE |
security_result.about.labels [trigger_type] (deprecated) |
|
chrome |
TRIGGER_TYPE |
additional.fields [trigger_type] |
|
chrome |
TRIGGERED_RULES_REASON |
security_result.about.labels [triggered_rules_reason] (deprecated) |
|
chrome |
TRIGGERED_RULES_REASON |
additional.fields [triggered_rules_reason] |
|
chrome |
CONTENT_HASH |
about.labels [content_hash] (deprecated) |
|
chrome |
CONTENT_HASH |
additional.fields [content_hash] |
|
chrome |
CONTENT_NAME |
about.labels [content_name] (deprecated) |
|
chrome |
CONTENT_NAME |
additional.fields [content_name] |
|
chrome |
CONTENT_SIZE |
about.labels [content_size] (deprecated) |
|
chrome |
CONTENT_SIZE |
additional.fields [content_size] |
|
chrome |
CONTENT_TYPE |
about.labels [content_type] (deprecated) |
|
chrome |
CONTENT_TYPE |
additional.fields [content_type] |
|
chrome |
APP_NAME |
target.application |
If the event.name log field value is equal to one of the following values, then the APP_NAME log field is mapped to the target.application UDM field:
|
chrome |
PRODUCT_NAME |
target.application |
If the event.name log field value is equal to one of the following values, then the PRODUCT_NAME log field is mapped to the target.application UDM field:
Else, the PRODUCT_NAME log field is mapped to the target.labels UDM field. |
chrome |
PRODUCT_NAME |
target.labels [product_name] (deprecated) |
If the event.name log field value is equal to one of the following values, then the PRODUCT_NAME log field is mapped to the target.application UDM field:
Else, the PRODUCT_NAME log field is mapped to the target.labels UDM field. |
chrome |
PRODUCT_NAME |
additional.fields [product_name] |
If the event.name log field value is equal to one of the following values, then the PRODUCT_NAME log field is mapped to the target.application UDM field:
Else, the PRODUCT_NAME log field is mapped to the additional.fields UDM field. |
chrome |
ORG_UNIT_NAME |
about.labels [org_unit_name] (deprecated) |
If the event.name log field value is equal to EXTENSION_REQUEST, then the ORG_UNIT_NAME log field is mapped to the about.labels UDM field. |
chrome |
ORG_UNIT_NAME |
additional.fields [org_unit_name] |
If the event.name log field value is equal to EXTENSION_REQUEST, then the ORG_UNIT_NAME log field is mapped to the additional.fields UDM field. |
chrome |
USER_JUSTIFICATION |
principal.user.attribute.labels [user_justification] |
|
chrome |
FEDERATED_ORIGIN |
security_result.about.labels [federated_origin] (deprecated) |
|
chrome |
FEDERATED_ORIGIN |
additional.fields [federated_origin] |
|
chrome |
IS_FEDERATED |
security_result.about.labels [is_federated] (deprecated) |
|
chrome |
IS_FEDERATED |
additional.fields [is_federated] |
|
chrome |
EVIDENCE_LOCKER_FILEPATH |
security_result.about.labels [evidence_locker_filepath] (deprecated) |
|
chrome |
EVIDENCE_LOCKER_FILEPATH |
additional.fields [evidence_locker_filepath] |
|
| Google Chrome | CONNECTION_TYPE |
about.labels[connection_type] (deprecated) |
|
| Google Chrome | CONNECTION_TYPE |
additional.fields[connection_type] |
|
| Google Chrome | PREVIOUS_OS_VERSION |
target.asset.attribute.labels[previous_os_version] |
|
| Google Chrome | VENDOR_ID |
src.labels[vendor_id] (deprecated) |
|
| Google Chrome | VENDOR_ID |
additional.fields[vendor_id] |
|
| Google Chrome | LOCALIZED_URL_CATEGORY |
about.labels[localized_url_category] (deprecated) |
|
| Google Chrome | LOCALIZED_URL_CATEGORY |
additional.fields[localized_url_category] |
|
| Google Chrome | VENDOR_NAME |
src.labels[vendor_name] (deprecated) |
|
| Google Chrome | VENDOR_NAME |
additional.fields[vendor_name] |
|
| Google Chrome | SESSION_ID |
network.session_id |
|
| Google Chrome | APP_ID |
target.resource.product_object_id |
If the event.name log field value is equal to BROWSER_EXTENSION_INSTALL, then the APP_ID log field is mapped to the target.resource.product_object_id UDM field. |
| Google Chrome | CURRENT_OS_VERSION |
target.asset.platform_software.platform_version |
|
| Google Chrome | PRODUCT_ID |
target.resource.product_object_id |
If the events.name log field value contains one of the following values, then the PRODUCT_ID log field is mapped to the target.resource.product_object_id UDM field.
Else, the PRODUCT_ID log field is mapped to the target.labels UDM field. |
| Google Chrome | PRODUCT_ID |
target.labels[product_id] (deprecated) |
If the events.name log field value contains one of the following values, then the PRODUCT_ID log field is mapped to the target.resource.product_object_id UDM field.
Else, the PRODUCT_ID log field is mapped to the target.labels UDM field. |
| Google Chrome | PRODUCT_ID |
additional.fields[product_id] |
If the events.name log field value contains one of the following values, then the PRODUCT_ID log field is mapped to the target.resource.product_object_id UDM field.
Else, the PRODUCT_ID log field is mapped to the additional.fields UDM field. |
| Google Chrome | UNLOCK_TYPE |
target.labels[unlock_type] (deprecated) |
|
| Google Chrome | UNLOCK_TYPE |
additional.fields[unlock_type] |
|
| Google Chrome | REPORT_ID |
target.labels[report_id] (deprecated) |
|
| Google Chrome | REPORT_ID |
additional.fields[report_id] |
|
| Google Chrome | CHANNEL |
target.labels[channel] (deprecated) |
|
| Google Chrome | CHANNEL |
additional.fields[channel] |
|
| Google Chrome | TAB_URL |
additional.fields[tab_url] |
|
context_aware_access |
CAA_ACCESS_LEVEL_APPLIED |
security_result.about.labels [caa_access_level_applied] (deprecated) |
If the event.name log field value is equal to ACCESS_DENY_EVENT, then the CAA_ACCESS_LEVEL_APPLIED log field is mapped to the security_result.about.labels UDM field. |
context_aware_access |
CAA_ACCESS_LEVEL_APPLIED |
additional.fields [caa_access_level_applied] |
If the event.name log field value is equal to ACCESS_DENY_EVENT, then the CAA_ACCESS_LEVEL_APPLIED log field is mapped to the additional.fields UDM field. |
context_aware_access |
CAA_ACCESS_LEVEL_SATISFIED |
security_result.about.labels [caa_access_level_satisfied] (deprecated) |
If the event.name log field value is equal to ACCESS_DENY_EVENT, then the CAA_ACCESS_LEVEL_SATISFIED log field is mapped to the security_result.about.labels UDM field. |
context_aware_access |
CAA_ACCESS_LEVEL_SATISFIED |
additional.fields [caa_access_level_satisfied] |
If the event.name log field value is equal to ACCESS_DENY_EVENT, then the CAA_ACCESS_LEVEL_SATISFIED log field is mapped to the additional.fields UDM field. |
context_aware_access |
CAA_ACCESS_LEVEL_UNSATISFIED |
security_result.about.labels [caa_access_level_unsatisfied] (deprecated) |
If the event.name log field value is equal to ACCESS_DENY_EVENT, then the CAA_ACCESS_LEVEL_UNSATISFIED log field is mapped to the security_result.about.labels UDM field. |
context_aware_access |
CAA_ACCESS_LEVEL_UNSATISFIED |
additional.fields [caa_access_level_unsatisfied] |
If the event.name log field value is equal to ACCESS_DENY_EVENT, then the CAA_ACCESS_LEVEL_UNSATISFIED log field is mapped to the additional.fields UDM field. |
context_aware_access |
CAA_APPLICATION |
target.resource.name |
If the event.name log field value is equal to ACCESS_DENY_EVENT, then the CAA_APPLICATION log field is mapped to the target.resource.name UDM field. |
context_aware_access |
target.resource.resource_type |
If the event.name log field value is equal to DEVICE_SETTINGS_UPDATED_EVENT, then the target.resource.resource_type UDM field is set to SETTING.Else, the target.resource.resource_type UDM field is set to DEVICE. | |
context_aware_access |
CAA_DEVICE_ID |
principal.asset.asset_id |
If the event.name log field value is equal to ACCESS_DENY_EVENT, then the CAA_DEVICE_ID log field is mapped to the principal.asset.asset_id UDM field. |
context_aware_access |
CAA_DEVICE_STATE |
principal.labels [caa_device_state] (deprecated) |
If the event.name log field value is equal to ACCESS_DENY_EVENT, then the CAA_DEVICE_STATE log field is mapped to the principal.labels UDM field. |
context_aware_access |
CAA_DEVICE_STATE |
additional.fields [caa_device_state] |
If the event.name log field value is equal to ACCESS_DENY_EVENT, then the CAA_DEVICE_STATE log field is mapped to the additional.fields UDM field. |
context_aware_access |
BLOCKED_API_ACCESS |
additional.fields [blocked_api_access] |
|
gplus |
attachment_type |
target.resource.attribute.labels [attachment_type] |
If the event.name log field value is equal to one of the following values, then the attachment_type log field is mapped to the target.resource.attribute.labels UDM field:
|
gplus |
comment_resource_name |
target.resource.product_object_id |
If the event.name log field value is equal to one of the following values, then the comment_resource_name log field is mapped to the target.resource.product_object_id UDM field:
|
gplus |
post_resource_name |
target.resource_ancestors.product_object_id |
If the event.name log field value is equal to one of the following values, then the post_resource_name log field is mapped to the target.resource_ancestors.product_object_id UDM field:
|
gplus |
post_permalink |
target.resource_ancestors.attribute.labels [post_permalink] |
|
gplus |
post_visibility |
target.resource_ancestors.attribute.labels [post_visibility] |
|
gplus |
plusone_context |
target.resource_ancestors.attribute.labels [plusone_context] |
|
gplus |
post_author_name |
target.user.user_display_name |
If the event.name log field value is equal to content_manager_delete_post, then the post_resource_name log field is mapped to the target.user.user_display_name UDM field. |
data_studio |
ASSET_ID |
principal.resource.product_object_id |
If the ASSET_TYPE log field value is equal to DATA_SOURCE, then the ASSET_ID log field is mapped to the principal.resource.product_object_id UDM field.Else, the ASSET_ID log field is mapped to the target.resource.product_object_id UDM field. |
data_studio |
ASSET_NAME |
principal.resource.name |
If the ASSET_TYPE log field value is equal to DATA_SOURCE, then the ASSET_NAME log field is mapped to the principal.resource.name UDM field.Else, the ASSET_NAME log field is mapped to the target.resource.name UDM field. |
data_studio |
ASSET_TYPE |
principal.resource.resource_subtype |
If the ASSET_TYPE log field value is equal to DATA_SOURCE, then the ASSET_TYPE log field is mapped to the principal.resource.resource_subtype UDM field.Else, the ASSET_TYPE log field is mapped to the target.resource.resource_subtype UDM field. |
data_studio |
ASSET_ID |
target.resource.product_object_id |
If the ASSET_TYPE log field value is equal to DATA_SOURCE, then the ASSET_ID log field is mapped to the principal.resource.product_object_id UDM field.Else, the ASSET_ID log field is mapped to the target.resource.product_object_id UDM field. |
data_studio |
ASSET_NAME |
target.resource.name |
If the ASSET_TYPE log field value is equal to DATA_SOURCE, then the ASSET_NAME log field is mapped to the principal.resource.name UDM field.Else, the ASSET_NAME log field is mapped to the target.resource.name UDM field. |
data_studio |
ASSET_TYPE |
target.resource.resource_subtype |
If the ASSET_TYPE log field value is equal to DATA_SOURCE, then the ASSET_TYPE log field is mapped to the principal.resource.resource_subtype UDM field.Else, the ASSET_TYPE log field is mapped to the target.resource.resource_subtype UDM field. |
data_studio |
CONNECTOR_TYPE |
target.resource.attribute.labels[connector_type] |
|
data_studio |
EMBEDDED_IN_REPORT_ID |
target.resource.attribute.labels[embedded_in_report_id] |
|
data_studio |
OWNER_EMAIL |
principal.user.email_addresses |
If the actor.email log field value is not equal to the OWNER_EMAIL, then the OWNER_EMAIL log field is mapped to the principal.user.email_addresses UDM field. |
data_studio |
TARGET_USER_EMAIL |
target.user.email_addresses |
|
data_studio |
PRIOR_VISIBILITY |
target.resource.attribute.labels [prior_visibility] |
|
data_studio |
VISIBILITY |
target.resource.attribute.labels [visibility] |
|
data_studio |
NEW_VALUE |
target.resource.attribute.labels [new_value] |
|
data_studio |
OLD_VALUE |
target.resource.attribute.labels [old_value] |
|
data_studio |
TARGET_DOMAIN |
target.domain.name [ target_domain] |
|
data_studio |
DATA_EXPORT_TYPE |
target.resource.attribute.labels [data_export_type] |
|
mobile |
target.resource.resource_type |
The target.resource.resource_type UDM field is set to DEVICE. | |
mobile |
ACCOUNT_STATE |
target.resource.attribute.labels [account_state] |
|
mobile |
ACTION_EXECUTION_STATUS |
target.resource.attribute.labels [account_execution_status] |
|
mobile |
ACTION_ID |
target.resource.attribute.labels [action_id] |
|
mobile |
ACTION_TYPE |
target.resource.attribute.labels [action_type] |
|
mobile |
APK_SHA256_HASH |
target.resource.attribute.labels [apk_sha256_hash] |
|
mobile |
APPLICATION_ID |
target.resource.attribute.labels [application_id] |
|
mobile |
APPLICATION_MESSAGE |
target.resource.attribute.labels [application_message] |
|
mobile |
APPLICATION_REPORT_KEY |
target.resource.attribute.labels [application_report_key] |
|
mobile |
APPLICATION_REPORT_SEVERITY |
target.resource.attribute.labels [application_report_severity] |
|
mobile |
APPLICATION_STATE |
target.resource.attribute.labels [application_state] |
|
mobile |
APPLICATION_REPORT_TIMESTAMP |
target.resource.attribute.labels [application_report_timestamp] |
|
mobile |
BASIC_INTEGRITY |
target.resource.attribute.labels [basic_integrity] |
|
mobile |
CTS_PROFILE_MATCH |
target.resource.attribute.labels [cts_profile_match] |
|
mobile |
DEVICE_COMPLIANCE |
target.resource.attribute.labels [device_compliance] |
|
mobile |
DEVICE_COMPROMISED_STATE |
about.target.resource.attribute.labels [device_compromised_state] |
|
mobile |
DEVICE_DEACTIVATION_REASON |
target.resource.attribute.labels [device_deactivation_reason] |
|
mobile |
DEVICE_ID |
target.resource.product_object_id |
If the event.name log field value is equal to one of the following values, then the DEVICE_ID log field is mapped to the target.resource.product_object_id UDM field:
|
mobile |
NEW_DEVICE_ID |
target.resource.attribute.labels [new_device_id] |
If the NEW_DEVICE_ID log field value is not empty, then the NEW_DEVICE_ID log field is mapped to the target.resource.product_object_id UDM field. |
mobile |
DEVICE_MODEL |
target.resource.attribute.labels [device_model] |
|
mobile |
DEVICE_OWNERSHIP |
target.resource.attribute.labels [device_ownership] |
|
mobile |
DEVICE_PROPERTY |
target.resource.attribute.labels [device_property] |
|
mobile |
DEVICE_SETTING |
target.resource.attribute.labels [device_setting] |
|
mobile |
DEVICE_STATUS_ON_APPLE_PORTAL |
target.resource.attribute.labels [device_status_on_apple_portal] |
|
mobile |
DEVICE_TYPE |
target.resource.resource_subtype |
If the event.name log field value is equal to one of the following values, then the DEVICE_TYPE log field is mapped to the target.resource.resource_subtype UDM field:
|
mobile |
FAILED_PASSWD_ATTEMPTS |
target.resource.attribute.labels [failed_passwd_attempts] |
|
mobile |
IOS_VENDOR_ID |
target.resource.attribute.labels [ios_vendor_id] |
|
mobile |
NEW_VALUE |
target.resource.attribute.labels [new_value] |
|
mobile |
OLD_VALUE |
target.resource.attribute.labels [old_value] |
|
mobile |
OS_EDITION |
target.resource.attribute.labels [os_edition] |
|
mobile |
OS_PROPERTY |
target.resource.attribute.labels [os_property] |
|
mobile |
OS_VERSION |
target.resource.attribute.labels [os_version] |
|
mobile |
PHA_CATEGORY |
security_results.detection_fields |
|
mobile |
POLICY_NAME |
security_result.about.labels [policy_name] (deprecated) |
|
mobile |
POLICY_NAME |
additional.fields [policy_name] |
|
mobile |
POLICY_SYNC_RESULT |
security_result.about.labels [policy_sync_result] (deprecated) |
|
mobile |
POLICY_SYNC_RESULT |
additional.fields [policy_sync_result] |
|
mobile |
POLICY_SYNC_TYPE |
security_result.about.labels [policy_sync_type] (deprecated) |
|
mobile |
POLICY_SYNC_TYPE |
additional.fields [policy_sync_type] |
|
mobile |
RESOURCE_ID |
target.resource.attribute.labels |
If the event.name log field value is equal to one of the following values, then the RESOURCE_ID log field is mapped to the target.resource.attribute.labels UDM field:
|
mobile |
REGISTER_PRIVILEGE |
security_result.about.labels [register_privilege] (deprecated) |
|
mobile |
REGISTER_PRIVILEGE |
additional.fields |
|
mobile |
RISK_SIGNAL |
security_result.about.labels [risk_signal] (deprecated) |
|
mobile |
RISK_SIGNAL |
additional.fields [risk_signal] |
|
mobile |
SECURITY_EVENT_ID |
security_result.about.labels [security_event_id] (deprecated) |
If the event.name log field value is equal to APPLICATION_EVENT, then the SECURITY_EVENT_ID log field is mapped to the security_result.about.labels UDM field. |
mobile |
SECURITY_EVENT_ID |
additional.fields |
If the event.name log field value is equal to APPLICATION_EVENT, then the SECURITY_EVENT_ID log field is mapped to the additional.fields UDM field. |
mobile |
SECURITY_PATCH_LEVEL |
security_result.about.labels [security_patch_level] (deprecated) |
If the event.name log field value is equal to one of the following values, then the SECURITY_PATCH_LEVEL log field is mapped to the security_result.about.labels UDM field:
|
mobile |
SECURITY_PATCH_LEVEL |
additional.fields [security_patch_level] |
If the event.name log field value is equal to one of the following values, then the SECURITY_PATCH_LEVEL log field is mapped to the additional.fields UDM field:
|
mobile |
SERIAL_NUMBER |
target.resource.attribute.labels [serial_number] |
|
mobile |
USER_EMAIL |
target.user.email_addresses |
If the event.name log field value is equal to one of the following values, then the USER_EMAIL log field is mapped to the target.user.email_addresses UDM field:
|
mobile |
VALUE |
security_result.about.labels [value] (deprecated) |
|
mobile |
VALUE |
additional.fields [value] |
|
mobile |
WINDOWS_SYNCML_POLICY_STATUS_CODE |
security_result.about.labels [windows_syncml_policy_status_code] (deprecated) |
|
mobile |
WINDOWS_SYNCML_POLICY_STATUS_CODE |
additional.fields [windows_syncml_policy_status_code] |
|
mobile |
LAST_SYNC_AUDIT_DATE |
target.resource.attribute.labels[LAST_SYNC_AUDIT_DATE] |
|
groups_enterprise |
dynamic_group_query |
target.group.attribute.labels [dynamic_group_query] |
|
groups_enterprise |
group_id |
target.user.group_identifiers |
If the event.name log field value is equal to one of the following values, then the group_id log field is mapped to the target.user.group_identifiers UDM field:
|
groups_enterprise |
info_setting |
target.group.attribute.labels [info_setting] |
|
groups_enterprise |
member_id |
target.user.email_addresses |
If the event.name log field value is equal to one of the following values, then the member_id log field is mapped to the target.user.email_addresses UDM field:
|
groups_enterprise |
member_role |
target.user.attribute.roles.name |
If the event.name log field value is equal to one of the following values, then the member_role log field is mapped to the target.user.attribute.roles.name UDM field:
|
groups_enterprise |
member_type |
target.user.attribute.labels[member_type] |
|
groups_enterprise |
membership_expiry |
target.group.attribute.labels [membership_query] |
|
groups_enterprise |
namespace |
target.group.group_display_name |
|
groups_enterprise |
new_value |
target.group.attribute.labels [new_value] |
|
groups_enterprise |
old_value |
target.group.attribute.labels [old_value] |
|
groups_enterprise |
value |
target.group.attribute.labels [value] |
|
groups_enterprise |
security_setting |
target.group.attribute.labels [security_setting] |
|
calendar |
access_level |
security_result.about.labels [access_level] (deprecated) |
|
calendar |
access_level |
additional.fields [access_level] |
|
calendar |
api_kind |
target.resource.attribute.labels [api_kind] |
|
calendar |
calendar_country |
target.resource.attribute.labels [calendar_country] |
If the event.name log field value is equal to change_calendar_country, then the calendar_country log field is mapped to the target.resource.attribute.labels UDM field. |
calendar |
calendar_description |
target.resource.attribute.labels [calendar_description] |
|
calendar |
calendar_id |
target.resource.product_object_id |
If the event.name log field value is equal to one of the following values, then the calendar_id log field is mapped to the target.resource.product_object_id UDM field:
transfer_event_requestedtransfer_event_completed |
calendar |
calendar_location |
target.resource.attribute.labels [calendar_location] |
|
calendar |
calendar_timezone |
target.resource.attribute.labels [calendar_timezone] |
|
calendar |
calendar_title |
target.resource.name |
If the event.name log field value is equal to change_calendar_title, then the calendar_title log field is mapped to the target.resource.name UDM field. |
calendar |
end_time |
target.resource.attribute.labels [end_time] |
|
calendar |
start_time |
target.resource.attribute.labels [start_time] |
|
calendar |
event_guest |
target.labels [event_guest] (deprecated) |
|
calendar |
event_guest |
additional.fields [event_guest] |
|
calendar |
event_id |
target.resource.attribute.labels [event_id] |
If the event.name log field value is equal to one of the following values, then the event_id log field is mapped to the target.resource.attribute.labels UDM field:
|
calendar |
event_response_status |
target.resource.attribute.labels [event_response_status] |
|
calendar |
event_title |
target.resource.attribute.labels [event_title] |
If the event.name log field value is equal to one of the following values, then the event_title log field is mapped to the target.resource.attribute.labels UDM field:
|
calendar |
old_event_title |
target.resource.attribute.labels [old_event_title] |
|
calendar |
grantee_email |
target.user.email_addresses |
If the event.name log field value is equal to one of the following values, then the grantee_email log field is mapped to the target.user.email_addresses UDM field:
|
calendar |
interop_error_code |
security_result.action_details |
If the event.name log field value is equal to one of the following values, then the interop_error_code log field is mapped to the security_result.action_details UDM field:
|
calendar |
notification_message_id |
target.resource.attribute.labels [notification_message_id] |
If the event.name log field value is equal to one of the following values, then the notification_message_id log field is mapped to the target.resource.attribute.labels UDM field:
|
calendar |
notification_method |
target.resource.attribute.labels [notification_method] |
If the event.name log field value is equal to one of the following values, then the notification_method log field is mapped to the target.resource.attribute.labels UDM field:
|
calendar |
notification_type |
target.resource.resource_subtype |
If the event.name log field value is equal to one of the following values, then the notification_type log field is mapped to the target.resource.resource_subtype UDM field:
|
calendar |
organizer_calendar_id |
principal.user.attribute.labels[organizer_calendar_id] |
If the event.name log field value is equal to one of the following values, then the organizer_calendar_id log field is mapped to the principal.user.attribute.labels[organizer_calendar_id] UDM field:
|
calendar |
recipient_email |
principal.user.email_addresses |
If the event.name log field value is equal to one of the following values, then the recipient_email log field is mapped to the principal.user.email_addresses UDM field:
|
calendar |
remote_ews_url |
security_result.about.labels [remote_ews_url] (deprecated) |
|
calendar |
remote_ews_url |
additional.fields [remote_ews_url] |
|
calendar |
requested_period_end |
security_result.about.labels [requested_period_end] (deprecated) |
|
calendar |
requested_period_end |
additional.fields [requested_period_end] |
|
calendar |
requested_period_start |
security_result.about.labels [requested_period_start] (deprecated) |
|
calendar |
requested_period_start |
additional.fields [requested_period_start] |
|
calendar |
subscriber_calendar_id |
principal.user.attribute.labels[subscriber_calendar_id] |
|
calendar |
user_agent |
network.http.user_agent |
|
calendar |
target_calendar_id |
target.resource.attribute.labels [target_calendar_id] |
|
calendar |
user_agent |
network.http.user_agent |
|
calendar |
target_calendar_id |
target.resource.attribute.labels [target_calendar_id] |
|
calendar |
client_side_encrypted |
target.resource.attribute.labels [client_side_encrypted] |
|
calendar |
is_recurring |
target.resource.attribute.labels [is_recurring] |
|
calendar |
recurring |
target.resource.attribute.labels [recurring] |
|
chat |
actor |
principal.user.email_addresses |
The event.name log field is mapped to the principal.user.email_addresses UDM field if the following conditions are met:
|
chat |
attachment_hash |
target.file.sha256 |
If the event.name log field value is equal to one of the following values, then the attachment_hash log field is mapped to the target.file.sha256 UDM field:
|
chat |
attachment_name |
target.file.names |
If the event.name log field value is equal to one of the following values, then the attachment_name log field is mapped to the target.file.names UDM field:
|
chat |
attachment_url |
target.file.full_path |
If the event.name log field value is equal to attachment_download, then the attachment_url log field is mapped to the target.file.full_path UDM field. |
chat |
dlp_scan_status |
security_result.action_details |
If the event.name log field value is equal to one of the following values, then the dlp_scan_status log field is mapped to the security_result.action_details UDM field:
|
chat |
message_id |
target.resource.product_object_id |
If the event.name log field value is equal to one of the following values, then the message_id log field is mapped to the target.resource.product_object_id UDM field:
|
chat |
conference_id |
target.resource.product_object_id |
If the event.name log field value is equal to one of the following values, then the message_id log field is mapped to the target.resource.product_object_id UDM field:
|
chat |
target.resource.resource_subtype |
If the event.name log field value is equal to one of the following values, then the target.resource.resource_subtype UDM field is set to Google Chat - Message:
| |
chat |
report_type |
target.resource.attribute.labels [report_type] |
|
chat |
room_id |
target.group.product_object_id |
If the event.name log field value is equal to one of the following values, then the room_id log field is mapped to the target.group.product_object_id UDM field:
|
chat |
dm_id |
about.labels [dm_id] (deprecated) |
If the event.name log field value is equal to direct_message_started, then the about.labels UDM field is set to dm_id. |
chat |
dm_id |
additional.fields [dm_id] |
If the event.name log field value is equal to direct_message_started, then the additional.fields UDM field is set to dm_id. |
chat |
target_users |
target.user.email_addresses |
If the event.name log field value is equal to one of the following values, then the target_users log field is mapped to the target.user.email_addresses UDM field:
|
chat |
retention_state |
target.user.attribute.labels[retention_state] |
|
chat |
room_name |
target.group.group_display_name |
|
chat |
timestamp_ms |
target.resource.attribute.labels [timestamp_ms] |
|
chat |
external_room |
about.labels[external_room] (deprecated) |
|
chat |
external_room |
additional.fields[external_room] |
|
chat |
device_type |
principal.asset.attribute.labels [device_type] |
|
chat |
identifier_type |
principal.user.attribute.labels [identifier_type] |
|
chat |
location_region |
principal.user.attribute.labels [location_region] |
|
chat |
identifier |
principal.user.userid |
|
chat |
display_name |
principal.user.user_display_name |
|
chat |
location_country |
principal.location.country_or_region |
|
chat |
product_type |
principal.resource.resource_subtype |
|
chat |
ip_address |
target.ip |
|
chat |
target_user_count |
target.user.attribute.labels[target_user_count] |
|
chat |
duration_seconds |
target.resource.attribute.labels [duration_seconds] |
|
chat |
meeting_code |
target.resource.attribute.labels[meeting_code] |
|
chat |
organizer_email |
about.user.email_addresses |
|
chat |
network_estimated_upload_kbps_mean |
additional.fields [network_estimated_upload_kbps_mean] |
|
chat |
video_recv_fps_mean |
additional.fields [video_recv_fps_mean] |
|
chat |
screencast_send_fps_mean |
additional.fields [screencast_send_fps_mean] |
|
chat |
audio_recv_packet_loss_max |
additional.fields [audio_recv_packet_loss_max] |
|
chat |
video_send_long_side_median_pixels |
additional.fields [video_send_long_side_median_pixels] |
|
chat |
screencast_recv_packet_loss_mean |
additional.fields [screencast_recv_packet_loss_mean] |
|
chat |
video_recv_packet_loss_mean |
additional.fields [video_recv_packet_loss_mean] |
|
chat |
video_recv_long_side_median_pixels |
additional.fields [video_recv_long_side_median_pixels] |
|
chat |
video_send_packet_loss_mean |
additional.fields [video_send_packet_loss_mean] |
|
chat |
audio_send_packet_loss_max |
additional.fields [audio_send_packet_loss_max] |
|
chat |
video_recv_short_side_median_pixels |
additional.fields [video_recv_short_side_median_pixels] |
|
chat |
screencast_recv_bitrate_kbps_mean |
additional.fields [screencast_recv_bitrate_kbps_mean] |
|
chat |
calendar_event_id |
additional.fields [calendar_event_id] |
|
video_send_fps_mean |
additional.fields [video_send_fps_mean] |
target |
|
chat |
audio_recv_packet_loss_mean |
additional.fields [audio_recv_packet_loss_mean] |
|
chat |
video_recv_seconds |
additional.fields [video_recv_seconds] |
|
chat |
video_send_packet_loss_max |
additional.fields [video_send_packet_loss_max] |
|
chat |
network_recv_jitter_msec_max |
additional.fields [network_recv_jitter_msec_max] |
|
chat |
network_recv_jitter_msec_mean |
additional.fields [network_recv_jitter_msec_mean] |
|
chat |
audio_send_seconds |
additional.fields [audio_send_seconds] |
|
chat |
screencast_send_long_side_median_pixels |
additional.fields [screencast_send_long_side_median_pixels] |
|
chat |
screencast_recv_seconds |
additional.fields [screencast_recv_seconds] |
|
chat |
screencast_recv_long_side_median_pixels |
additional.fields [screencast_recv_long_side_median_pixels] |
|
chat |
screencast_send_bitrate_kbps_mean |
additional.fields [screencast_send_bitrate_kbps_mean] |
|
chat |
screencast_send_packet_loss_max |
additional.fields [screencast_send_packet_loss_max] |
|
chat |
video_send_bitrate_kbps_mean |
additional.fields [video_send_bitrate_kbps_mean] |
|
chat |
screencast_send_seconds |
additional.fields [screencast_send_seconds] |
|
chat |
audio_send_bitrate_kbps_mean |
additional.fields [audio_send_bitrate_kbps_mean] |
|
chat |
screencast_recv_fps_mean |
additional.fields [screencast_recv_fps_mean] |
|
chat |
audio_recv_seconds |
additional.fields [audio_recv_seconds] |
|
chat |
video_recv_packet_loss_max |
additional.fields [video_recv_packet_loss_max] |
|
chat |
screencast_send_packet_loss_mean |
additional.fields [screencast_send_packet_loss_mean] |
|
chat |
network_transport_protocol |
additional.fields [network_transport_protocol] |
|
chat |
screencast_recv_short_side_median_pixels |
additional.fields [screencast_recv_short_side_median_pixels] |
|
chat |
screencast_send_short_side_median_pixels |
additional.fields [screencast_send_short_side_median_pixels] |
|
chat |
screencast_recv_packet_loss_max |
additional.fields [screencast_recv_packet_loss_max] |
|
chat |
is_external |
additional.fields [is_external] |
|
chat |
video_send_short_side_median_pixels |
additional.fields [video_send_short_side_median_pixels] |
|
chat |
endpoint_id |
additional.fields [endpoint_id] |
|
chat |
network_estimated_download_kbps_mean |
additional.fields [network_estimated_download_kbps_mean] |
|
chat |
network_send_jitter_msec_mean |
additional.fields [network_send_jitter_msec_mean] |
|
chat |
video_send_seconds |
additional.fields [video_send_seconds] |
|
chat |
network_rtt_msec_mean |
additional.fields [network_rtt_msec_mean] |
|
chat |
network_congestion |
additional.fields [network_congestion] |
|
chat |
audio_send_packet_loss_mean |
additional.fields [audio_send_packet_loss_mean] |
|
chat |
action_time |
additional.fields [action_time] |
|
gcp |
USER_EMAIL |
principal.user.email_addresses |
If the actor.email log field value is empty, then the USER_EMAIL log field is mapped to the principal.user.email_addresses UDM field. |
drive |
actor_is_collaborator_account |
about.labels [actor_is_collaborator_account] (deprecated) |
|
drive |
actor_is_collaborator_account |
additional.fields [actor_is_collaborator_account] |
|
drive |
added_role |
target.user.attribute.roles.name |
If the event.name log field value is equal to shared_drive_membership_change, then the added_role log field is mapped to the target.user.attribute.roles.name UDM field. |
drive |
requested_role |
target.user.attribute.roles.name |
If the event.name log field value is equal to request_access, then the requested_role log field is mapped to the target.user.attribute.roles.name UDM field. |
drive |
billable |
about.labels [billable] (deprecated) |
|
drive |
billable |
additional.fields [billable] |
|
drive |
copy_type |
about.labels [copy_type] (deprecated) |
|
drive |
copy_type |
additional.fields [copy_type] |
|
drive |
destination_folder_id |
target.resource.product_object_id |
If the event.name log field value is equal to one of the following values, then the destination_folder_id log field is mapped to the target.resource.product_object_id UDM field:
|
drive |
doc_id |
target.resource.product_object_id |
If the event.name log field value is equal to one of the following values, then the doc_id log field is mapped to the target.resource.product_object_id UDM field:
|
drive |
destination_folder_title |
target.resource.name |
If the event.name log field value is equal to one of the following values, then the destination_folder_title log field is mapped to the target.resource.name UDM field:
|
drive |
doc_title |
target.resource.name |
If the event.name log field value is equal to one of the following values, then the doc_title log field is mapped to the target.resource.name UDM field:
|
drive |
doc_id |
src.resource.product_object_id |
If the event.name log field value is equal to one of the following values, then the doc_id log field is mapped to the src.resource.product_object_id UDM field:
|
drive |
doc_title |
src.resource.name |
If the event.name log field value is equal to one of the following values, then the doc_title log field is mapped to the src.resource.name UDM field:
|
drive |
doc_type |
target.resource.attribute.labels[doc_type] |
If the event.name log field value is equal to one of the following values, then the doc_type log field is mapped to the target.resource.attribute.labels[doc_type] UDM field:
|
drive |
doc_type |
src.resource.attribute.labels [doc_type] |
If the event.name log field value is equal to one of the following values, then the doc_type log field is mapped to the src.resource.attribute.labels [doc_type] UDM field:
|
drive |
field |
target.resource.attribute.labels [field] |
|
drive |
field_id |
target.resource.attribute.labels [field_id] |
|
drive |
is_encrypted |
target.labels [is_encrypted] (deprecated) |
|
drive |
is_encrypted |
additional.fields [is_encrypted] |
|
drive |
label |
target.resource.attribute.labels [label] |
|
drive |
label_title |
target.resource.attribute.labels [label_title] |
|
drive |
membership_change_type |
about.labels [membership_change_type] (deprecated) |
|
drive |
membership_change_type |
additional.fields [membership_change_type] |
|
drive |
new_publish_visibility |
target.resource.attribute.labels [new_publish_visibility] |
|
drive |
new_value |
target.resource.attribute.labels [new_value] |
|
drive |
new_value_id |
target.resource.attribute.labels [new_value_id] |
|
drive |
new_settings_state |
about.labels [new_settings_state] (deprecated) |
|
drive |
new_settings_state |
additional.fields [new_settings_state] |
|
drive |
old_settings_state |
about.labels [old_settings_state] (deprecated) |
|
drive |
old_settings_state |
additional.fields [old_settings_state] |
|
drive |
old_publish_visibility |
target.resource.attribute.labels [old_publish_visibility] |
|
drive |
old_value |
target.resource.attribute.labels [old_value] |
|
drive |
old_value_id |
target.resource.attribute.labels [old_value_id] |
|
drive |
old_visibility |
target.resource.attribute.labels [old_visibility] |
|
drive |
originating_app_id |
about.labels [originating_app_id] (deprecated) |
|
drive |
originating_app_id |
additional.fields [originating_app_id] |
|
drive |
owner |
target.resource.attribute.labels[owner] |
|
drive |
owner_is_shared_drive |
target.resource.attribute.labels [owner_is_shared_drive] |
|
drive |
primary_event |
about.labels [primary_event] (deprecated) |
|
drive |
primary_event |
additional.fields [primary_event] |
|
drive |
reason |
security_result.summary |
If the event.name log field value is equal to one of the following values, then the reason log field is mapped to the security_result.summary UDM field:
|
drive |
removed_role |
target.user.attribute.labels [removed_role] and target.user.roles.description |
If the removed_role log field value is equal to commenter,
then the target.user.roles.description UDM field is set to Team Drive role Commenter.
If the removed_role log field value is equal to content_manager,
then the target.user.roles.description UDM field is set to Team Drive role Content manager.
If the removed_role log field value is equal to editor,
then the target.user.roles.description UDM field is set to Team Drive role Contributor.
If the removed_role log field value is equal to none,
then the target.user.roles.description UDM field is set to No role in Team Drive.
If the removed_role log field value is equal to organizer,
then the target.user.roles.description UDM field is set to Team Drive role Manager.
If the removed_role log field value is equal to viewer,
then the target.user.roles.description UDM field is set to Team Drive role Viewer. |
drive |
target_domain |
target.domain.name |
If the event.name log field value is equal to one of the following values, then the target_domain log field is mapped to the target.domain.name UDM field:
|
drive |
target_user |
target.user.email_addresses |
If the event.name log field value is equal to one of the following values, then the target_user log field is mapped to the target.user.email_addresses UDM field:
|
drive |
target_user |
additional.fields[target_user] |
|
drive |
new_owner |
target.user.email_addresses |
The new_owner log field is mapped to the target.user.email_addresses UDM field if the following conditions are met:
Else, the new_owner log field is mapped to the target.user.attribute.labels UDM field. |
drive |
target |
target.user.email_addresses |
If the event.name log field value matches the regular expression pattern ^.+@.+$, then the target log field is mapped to the target.user.email_addresses UDM field. |
drive |
target |
target.user.attribute.labels[target] |
If the event.name log field value does not match the regular expression pattern ^.+@.+$, then the target log field is mapped to the target.user.attribute.labels[target] UDM field. |
drive |
recipients |
target.user.email_addresses |
If the event.name log field value is equal to email_collaborators, then the recipients log field is mapped to the target.user.email_addresses UDM field. |
drive |
shared_drive_id |
target.resource_ancestors.product_object_id |
|
drive |
shared_drive_settings_change_type |
about.labels [shared_drive_settings_change_type] (deprecated) |
|
drive |
shared_drive_settings_change_type |
additional.fields [shared_drive_settings_change_type] |
|
drive |
sheets_import_range_recipient_doc |
target.resource.attribute.labels [sheets_import_range_recipient_doc] |
|
drive |
source_folder_id |
principal.resource.id |
If the event.name log field value is equal to one of the following values, then the source_folder_id log field is mapped to the principal.resource.id UDM field:
|
drive |
source_folder_title |
principal.resource.name |
If the event.name log field value is equal to one of the following values, then the source_folder_title log field is mapped to the principal.resource.name UDM field:
|
drive |
storage_entity_id |
about.labels [storage_entity_id] (deprecated) |
|
drive |
storage_entity_id |
additional.fields [storage_entity_id] |
|
drive |
storage_usage_in_bytes |
about.labels [storage_usage_in_bytes] (deprecated) |
|
drive |
storage_usage_in_bytes |
additional.fields [storage_usage_in_bytes] |
|
drive |
visibility |
target.resource.attribute.labels [visibility] |
|
drive |
visibility_change |
target.resource.attribute.labels [visibility_change] |
|
drive |
team_drive_id |
target.group.product_object_id |
|
drive |
owner_is_team_drive |
target.resource.attribute.labels [owner_is_team_drive] |
|
drive |
data_connection_id |
about.labels[data_connection_id] (deprecated) |
|
drive |
data_connection_id |
additional.fields[data_connection_id] |
|
drive |
delegating_principal |
about.user.email_addresses |
If the actor.email log field value is not equal to delegating_principal,
then the delegating_principal log field is mapped to about.user.email_addresses UDM field. |
drive |
execution_id |
about.labels[execution_id] (deprecated) |
|
drive |
execution_id |
additional.fields[execution_id] |
|
drive |
execution_trigger |
about.labels[execution_trigger] (deprecated) |
|
drive |
execution_trigger |
additional.fields[execution_trigger] |
|
drive |
query_type |
about.labels[query_type] (deprecated) |
|
drive |
query_type |
additional.fields[query_type] |
|
drive |
owner_team_drive_id |
target.resource.attribute.labels[owner_team_drive_id] |
|
drive |
new_owner_is_team_drive |
target.resource.attribute.labels [new_owner_is_team_drive] |
|
drive |
new_owner_team_drive_id |
target.resource.attribute.labels[new_owner_team_drive_id] |
|
drive |
owner_shared_drive_id |
target.resource.attribute.labels[owner_shared_drive_id] |
|
drive |
dlp_info |
target.resource.attribute.labels[dlp_info] |
|
drive |
team_drive_settings_change_type |
target.resource.attribute.labels[team_drive_settings_change_type] |
|
drive |
accessed_url |
target.url |
|
drive |
script_id |
additional.fields[script_id] |
|
drive |
additional.fields[script_id] |
additional.fields[api_method] |
|
keep |
attachment_name |
target.resource.attribute.labels [attachment_name] |
If the event.name log field value is equal to one of the following values, then the attachment_name log field is mapped to the target.resource.attribute.labels UDM field:
|
keep |
note_name |
target.url |
If the event.name log field value is equal to one of the following values, then the note_name log field is mapped to the target.url UDM field:
|
keep |
owner_email |
principal.user.email_addresses |
If the actor.email log field value is empty, then the owner_email log field is mapped to the principal.user.email_addresses UDM field. |
keep |
target.resource_subtype |
The target.resource_subtype UDM field is set to keep. | |
meet |
action_description |
security_result.action_details |
If the event.name log field value is equal to abuse_report_submitted, then the action_description log field is mapped to the security_result.action_details UDM field. |
meet |
action_reason |
security_result.summary |
|
meet |
conference_id |
target.resource.product_object_id |
If the event.name log field value is equal to one of the following values, then the conference_id log field is mapped to the target.resource.product_object_id UDM field:
|
meet |
calendar_event_id |
target.labels [calendar_event_id] (deprecated) |
|
meet |
calendar_event_id |
additional.fields [calendar_event_id] |
|
meet |
device_type |
principal.asset.attribute.labels [device_type] |
|
meet |
display_name |
principal.user.user_display_name |
If the event.name log field value is equal to one of the following values, then the display_name log field is mapped to the principal.user.user_display_name UDM field:
|
meet |
target_display_names |
target.user.user_display_name |
If the event.name log field value is equal to abuse_report_submitted, then the target_display_name log field is mapped to the target.user.user_display_name UDM field. |
meet |
duration_seconds |
target.resource.attribute.labels [duration_seconds] |
|
meet |
end_of_call_rating |
target.resource.attribute.labels [end_of_call_rating] |
|
meet |
endpoint_id |
security_result.about.labels [endpoint_id] (deprecated) |
|
meet |
endpoint_id |
additional.fields [endpoint_id] |
|
meet |
identifier |
principal.user.userid |
If the event.name log field value is equal to one of the following values, then the identifier log field is mapped to the principal.user.userid UDM field:
|
meet |
identifier_type |
principal.user.attribute.labels [identifier_type] |
|
meet |
ip_address |
target.ip |
If the ipAddress log field value is empty, then the ip_address log field is mapped to the target.ip UDM field. |
meet |
is_external |
principal.labels [is_external] (deprecated) |
|
meet |
is_external |
additional.fields [is_external] |
|
meet |
livestream_view_page_id |
target.resource.attribute.labels [livestream_view_page_id] |
|
meet |
location_country |
principal.location.country_or_region |
If the event.name log field value is equal to call_ended, then the location_country log field is mapped to the principal.location.country_or_region UDM field. |
meet |
location_region |
principal.user.attribute.labels [location_region] |
If the event.name log field value is equal to call_ended, then the location_region log field is mapped to the principal.location.country_or_region UDM field. |
meet |
meeting_code |
target.resource.product_object_id |
If the event.name log field value is equal to one of the following values, then the meeting_code log field is mapped to the target.resource.product_object_id UDM field:
|
meet |
organizer_email |
about.user.email_addresses |
If the event.name log field value is equal to one of the following values, then the organizer_email log field is mapped to the about.user.email_addresses UDM field:
|
meet |
product_type |
principal.resource.resource_subtype |
If the event.name log field value is equal to one of the following values, then the product_type log field is mapped to the principal.resource.resource_subtype UDM field:
|
meet |
target_email |
target.user.email_addresses |
If the event.name log field value is equal to abuse_report_submitted, then the target_email log field is mapped to the target.user.email_addresses UDM field. |
meet |
target_phone_number |
target.user.phone_numbers |
If the event.name log field value is equal to abuse_report_submitted, then the target_phone_number log field is mapped to the target.user.phone_numbers UDM field. |
meet |
audio_recv_packet_loss_max |
about.labels [audio_recv_packet_loss_max] (deprecated) |
|
meet |
audio_recv_packet_loss_max |
additional.fields [audio_recv_packet_loss_max] |
|
meet |
audio_recv_packet_loss_mean |
about.labels [audio_recv_packet_loss_mean] (deprecated) |
|
meet |
audio_recv_packet_loss_mean |
additional.fields [audio_recv_packet_loss_mean] |
|
meet |
audio_recv_seconds |
about.labels [audio_recv_seconds] (deprecated) |
|
meet |
audio_recv_seconds |
additional.fields [audio_recv_seconds] |
|
meet |
audio_send_bitrate_kbps_mean |
about.labels [audio_send_bitrate_kbps_mean] (deprecated) |
|
meet |
audio_send_bitrate_kbps_mean |
additional.fields [audio_send_bitrate_kbps_mean] |
|
meet |
audio_send_packet_loss_max |
about.labels [audio_send_packet_loss_max] (deprecated) |
|
meet |
audio_send_packet_loss_max |
additional.fields [audio_send_packet_loss_max] |
|
meet |
audio_send_packet_loss_mean |
about.labels [audio_send_packet_loss_mean] (deprecated) |
|
meet |
audio_send_packet_loss_mean |
additional.fields [audio_send_packet_loss_mean] |
|
meet |
audio_send_seconds |
about.labels [audio_send_seconds] (deprecated) |
|
meet |
audio_send_seconds |
additional.fields [audio_send_seconds] |
|
meet |
network_congestion |
about.labels [network_congestion] (deprecated) |
|
meet |
network_congestion |
additional.fields [network_congestion] |
|
meet |
network_estimated_download_kbps_mean |
about.labels [network_estimated_download_kbps_mean] (deprecated) |
|
meet |
network_estimated_download_kbps_mean |
additional.fields [network_estimated_download_kbps_mean] |
|
meet |
network_estimated_upload_kbps_mean |
about.labels [network_estimated_upload_kbps_mean] (deprecated) |
|
meet |
network_estimated_upload_kbps_mean |
additional.fields [network_estimated_upload_kbps_mean] |
|
meet |
network_recv_jitter_msec_max |
about.labels [network_recv_jitter_msec_max] (deprecated) |
|
meet |
network_recv_jitter_msec_max |
additional.fields [network_recv_jitter_msec_max] |
|
meet |
network_recv_jitter_msec_mean |
about.labels [network_recv_jitter_msec_mean] (deprecated) |
|
meet |
network_recv_jitter_msec_mean |
additional.fields [network_recv_jitter_msec_mean] |
|
meet |
network_rtt_msec_mean |
about.labels [network_rtt_msec_mean] (deprecated) |
|
meet |
network_rtt_msec_mean |
additional.fields [network_rtt_msec_mean] |
|
meet |
network_send_jitter_msec_mean |
about.labels [network_send_jitter_msec_mean] (deprecated) |
|
meet |
network_send_jitter_msec_mean |
additional.fields [network_send_jitter_msec_mean] |
|
meet |
network_transport_protocol |
about.labels [network_transport_protocol] (deprecated) |
|
meet |
network_transport_protocol |
additional.fields [network_transport_protocol] |
|
meet |
screencast_recv_bitrate_kbps_mean |
about.labels [screencast_recv_bitrate_kbps_mean] (deprecated) |
|
meet |
screencast_recv_bitrate_kbps_mean |
additional.fields [screencast_recv_bitrate_kbps_mean] |
|
meet |
screencast_recv_fps_mean |
about.labels [screencast_recv_fps_mean] (deprecated) |
|
meet |
screencast_recv_fps_mean |
additional.fields [screencast_recv_fps_mean] |
|
meet |
screencast_recv_long_side_median_pixels |
about.labels [screencast_recv_long_side_median_pixels] (deprecated) |
|
meet |
screencast_recv_long_side_median_pixels |
additional.fields [screencast_recv_long_side_median_pixels] |
|
meet |
screencast_recv_packet_loss_max |
about.labels [screencast_recv_packet_loss_max] (deprecated) |
|
meet |
screencast_recv_packet_loss_max |
additional.fields [screencast_recv_packet_loss_max] |
|
meet |
screencast_recv_packet_loss_mean |
about.labels [screencast_recv_packet_loss_mean] (deprecated) |
|
meet |
screencast_recv_packet_loss_mean |
additional.fields [screencast_recv_packet_loss_mean] |
|
meet |
screencast_recv_seconds |
about.labels [screencast_recv_seconds] (deprecated) |
|
meet |
screencast_recv_seconds |
additional.fields [screencast_recv_seconds] |
|
meet |
screencast_recv_short_side_median_pixels |
about.labels [screencast_recv_short_side_median_pixels] (deprecated) |
|
meet |
screencast_recv_short_side_median_pixels |
additional.fields [screencast_recv_short_side_median_pixels] |
|
meet |
screencast_send_bitrate_kbps_mean |
about.labels [screencast_send_bitrate_kbps_mean] (deprecated) |
|
meet |
screencast_send_bitrate_kbps_mean |
additional.fields [screencast_send_bitrate_kbps_mean] |
|
meet |
screencast_send_fps_mean |
about.labels [screencast_send_fps_mean] (deprecated) |
|
meet |
screencast_send_fps_mean |
additional.fields [screencast_send_fps_mean] |
|
meet |
screencast_send_long_side_median_pixels |
about.labels [screencast_send_long_side_median_pixels] (deprecated) |
|
meet |
screencast_send_long_side_median_pixels |
additional.fields [screencast_send_long_side_median_pixels] |
|
meet |
screencast_send_packet_loss_max |
about.labels [screencast_send_packet_loss_max] (deprecated) |
|
meet |
screencast_send_packet_loss_max |
additional.fields [screencast_send_packet_loss_max] |
|
meet |
screencast_send_packet_loss_mean |
about.labels [screencast_send_packet_loss_mean] (deprecated) |
|
meet |
screencast_send_packet_loss_mean |
additional.fields [screencast_send_packet_loss_mean] |
|
meet |
screencast_send_seconds |
about.labels [screencast_send_seconds] (deprecated) |
|
meet |
screencast_send_seconds |
additional.fields [screencast_send_seconds] |
|
meet |
screencast_send_short_side_median_pixels |
about.labels [screencast_send_short_side_median_pixels] (deprecated) |
|
meet |
screencast_send_short_side_median_pixels |
additional.fields [screencast_send_short_side_median_pixels] |
|
meet |
video_recv_fps_mean |
about.labels [video_recv_fps_mean] (deprecated) |
|
meet |
video_recv_fps_mean |
additional.fields [video_recv_fps_mean] |
|
meet |
video_recv_long_side_median_pixels |
about.labels [video_recv_long_side_median_pixels] (deprecated) |
|
meet |
video_recv_long_side_median_pixels |
additional.fields [video_recv_long_side_median_pixels] |
|
meet |
video_recv_packet_loss_max |
about.labels [video_recv_packet_loss_max] (deprecated) |
|
meet |
video_recv_packet_loss_max |
additional.fields [video_recv_packet_loss_max] |
|
meet |
video_recv_packet_loss_mean |
about.labels [video_recv_packet_loss_mean] (deprecated) |
|
meet |
video_recv_packet_loss_mean |
additional.fields [video_recv_packet_loss_mean] |
|
meet |
video_recv_seconds |
about.labels [video_recv_seconds] (deprecated) |
|
meet |
video_recv_seconds |
additional.fields [video_recv_seconds] |
|
meet |
video_recv_short_side_median_pixels |
about.labels [video_recv_short_side_median_pixels] (deprecated) |
|
meet |
video_recv_short_side_median_pixels |
additional.fields [video_recv_short_side_median_pixels] |
|
meet |
video_send_bitrate_kbps_mean |
about.labels [video_send_bitrate_kbps_mean] (deprecated) |
|
meet |
video_send_bitrate_kbps_mean |
additional.fields [video_send_bitrate_kbps_mean] |
|
meet |
video_send_fps_mean |
about.labels [video_send_fps_mean] (deprecated) |
|
meet |
video_send_fps_mean |
additional.fields [video_send_fps_mean] |
|
meet |
video_send_long_side_median_pixels |
about.labels [video_send_long_side_median_pixels] (deprecated) |
|
meet |
video_send_long_side_median_pixels |
additional.fields [video_send_long_side_median_pixels] |
|
meet |
video_send_packet_loss_max |
about.labels [video_send_packet_loss_max] (deprecated) |
|
meet |
video_send_packet_loss_max |
additional.fields [video_send_packet_loss_max] |
|
meet |
video_send_packet_loss_mean |
about.labels [video_send_packet_loss_mean] (deprecated) |
|
meet |
video_send_packet_loss_mean |
additional.fields [video_send_packet_loss_mean] |
|
meet |
video_send_seconds |
about.labels [video_send_seconds] (deprecated) |
|
meet |
video_send_seconds |
additional.fields [video_send_seconds] |
|
meet |
video_send_short_side_median_pixels |
about.labels [video_send_short_side_median_pixels] (deprecated) |
|
meet |
video_send_short_side_median_pixels |
additional.fields [video_send_short_side_median_pixels] |
|
meet |
action_time |
about.labels[action_time] (deprecated) |
|
meet |
action_time |
additional.fields[action_time] |
|
meet |
target_user_count |
target.user.attribute.labels[target_user_count] |
|
meet |
streaming_session_state |
about.labels[streaming_session_state] (deprecated) |
|
meet |
streaming_session_state |
additional.fields[streaming_session_state] |
|
login |
affected_email_address |
target.user.email_addresses |
If the event.name log field value is equal to one of the following values, then the affected_email_address log field is mapped to the target.user.email_addresses UDM field:
|
login |
login_timestamp |
security_result.detection_fields [login_timestamp] |
|
login |
is_second_factor |
about.labels[is_2sv] (deprecated) |
|
login |
is_second_factor |
additional.fields[is_2sv] |
|
login |
is_suspicious |
about.labels[is_suspicious] (deprecated) |
|
login |
is_suspicious |
additional.fields[is_suspicious] |
|
login |
login_failure_type |
scurity_result.summary |
|
login |
login_challenge_status |
about.labels[login_challenge_status] (deprecated) |
|
login |
login_challenge_status |
additional.fields[login_challenge_status] |
|
login |
login_challenge_method |
security_result.detection_fields [login_challenge_method] |
|
login |
login_challenge_method |
security_result.detection_fields [login_challenge_method_attempts_count] |
|
login |
login_type |
security_result.detection_fields [login_type] |
|
login |
sensitive_action_name |
security_result.action_details [sensitive_action_name] |
|
login |
extensions.auth.mechanism |
If the param.value log field value is equal to google_password, then the extensions.auth.mechanism UDM field is set to USERNAME_PASSWORD.Else, the extensions.auth.mechanism UDM field is set to MECHANISM_UNSPECIFIED. | |
login |
extensions.auth.type |
If the param.value log field value is equal to google_password, then the extensions.auth.type UDM field is set to SSO. | |
login |
security_result.action |
If the event.name log field value is equal to one of the following values, then the security_result.action UDM field is set to BLOCK:
| |
token |
api_name |
about.resource.attribute.labels [api_name] |
|
token |
app_name |
target.resource.name |
If the event.name log field value is equal to one of the following values, then the app_name log field is mapped to the target.resource.name UDM field:
|
token |
client_id |
principal.asset.attribute.labels [client_id] |
If the event.name log field value is equal to one of the following values, then the client_id log field is mapped to the principal.asset.attribute.labels UDM field:
|
token |
client_type |
principal.asset.attribute.labels [client_type] |
|
token |
method_name |
target.resource.attribute.labels [method_name] |
|
token |
num_response_bytes |
target.resource.attribute.labels [num_response_bytes] |
|
token |
product_bucket |
target.resource.attribute.labels product_bucket] |
|
token |
scope |
target.resource.attribute.labels [scope] |
|
token |
scope_data |
target.resource.attribute.labels [scope_data] |
|
token |
rejection_type |
target.resource.attribute.labels [rejection_type] |
|
rules |
actions |
security_result.action_details [actions] |
|
rules |
triggered_actions |
security_result.action_details [actions] |
|
rules |
actor_ip_address |
principal.ip |
If the ipAddress log field value is equal to empty, then the actor_ip_address log field is mapped to the principal.ip UDM field. |
rules |
application |
target.resource.attribute.labels[application] |
|
rules |
conference_id |
target.resource.attribute.labels [conference_id] |
|
rules |
data_source |
security_result.detection_fields [data_source] |
|
rules |
device_id |
target.asset.asset_id |
If the event.name log field value is equal to one of the following values, then the device_id log field is mapped to the target.asset.asset_id UDM field:
|
rules |
device_type |
target.asset.attribute.labels[device_type] |
|
rules |
drive_shared_drive_id |
target.resource.attribute.labels[drive_shared_drive_id] |
|
rules |
evaluation_context |
about.labels [evaluation_context] (deprecated) |
|
rules |
evaluation_context |
additional.fields [evaluation_context] |
|
rules |
has_alert |
security_result.about.labels [has_alert] (deprecated) |
|
rules |
has_alert |
additional.fields [has_alert] |
|
rules |
has_content_match |
security_result.about.labels [has_content_match] (deprecated) |
|
rules |
has_content_match |
additional.fields [has_content_match] |
|
rules |
matched_detectors |
security_result.detection_fields [matched_detectors] |
|
rules |
matched_templates |
security_result.detection_fields [matched_templates] |
|
rules |
matched_threshold |
security_result.detection_fields [matched_threshold] |
|
rules |
matched_trigger |
security_result.detection_fields [matched_trigger] |
|
rules |
mobile_device_type |
target.asset.category |
If the event.name log field value is equal to rule_match, then the mobile_device_type log field is mapped to the target.asset.category UDM field. |
rules |
mobile_ios_vendor_id |
target.asset.attribute.labels [mobile_ios_vendor_id] |
|
rules |
resource_id |
target.resource.product_object_id |
If the event.name log field value is equal to one of the following values, then the resource_id log field is mapped to the target.resource.product_object_id UDM field:
|
rules |
resource_name |
target.resource.name |
If the event.name log field value is equal to rule_match, then the resource_name log field is mapped to the target.resource.name UDM field. |
rules |
resource_title |
target.labels [resource_title] (deprecated) |
|
rules |
resource_title |
additional.fields [resource_title] |
|
rules |
resource_owner_email |
principal.user.email_addresses |
If the actor.email log field value is not equal to resource_owner_email, then the principal.user.email_addresses UDM field is set to resource_owner_email. |
rules |
resource_recipients |
principal.user.email_addresses |
If the actor.email log field value is not equal to resource_recipients, then the principal.user.email_addresses UDM field is set to resource_recipients. |
rules |
resource_recipients_omitted_count |
target.labels [resource_recipients_omitted_count] (deprecated) |
|
rules |
resource_recipients_omitted_count |
additional.fields [resource_recipients_omitted_count] |
|
rules |
resource_type |
target.resource.resource_subtype |
If the event.name log field value is equal to one of the following values, then the resource_type log field is mapped to the target.resource.resource_subtype UDM field:
|
rules |
rule_name |
security_result.rule_name |
If the event.name log field value is equal to one of the following values, then the rule_name log field is mapped to the security_result.rule_name UDM field:
|
rules |
rule_id |
security_result.rule_id |
If the event.name log field value is equal to rule_match, then the rule_id log field is mapped to the security_result.rule_id UDM field. |
rules |
rule_resource_name |
security_result.rule_labels [rule_resource_name] |
|
rules |
rule_type |
security_result.rule_type |
If the event.name log field value is equal to one of the following values, then the rule_type log field is mapped to the security_result.rule_type UDM field:
|
rules |
rule_update_time_usec |
security_result.rule_labels [rule_update_time_usec] |
|
rules |
scan_type |
security_result.about.labels [scan_type] (deprecated) |
|
rules |
scan_type |
additional.fields [scan_type] |
|
rules |
severity |
security_result.severity |
If the event.name log field value is equal to one of the following values, then the severity log field is mapped to the security_result.severity UDM field:
|
rules |
space_id |
target.resource.attribute.labels [space_id] |
|
rules |
space_type |
target.resource.attribute.labels [space_type] |
|
rules |
suppressed_actions |
security_result.about.labels [suppressed_actions] (deprecated) |
|
rules |
suppressed_actions |
additional.fields [suppressed_actions] |
|
rules |
label_field |
target.resource.attribute.labels [label_field] |
|
rules |
label_title |
target.resource.attribute.labels [label_title] |
|
rules |
new_value |
target.resource.attribute.labels [new_value] |
|
rules |
old_value |
target.resource.attribute.labels [old_value] |
|
rules |
blocked_recipients |
target.user.email_addresses |
|
rules |
snippets |
target.resource.attribute.labels [snippets] |
|
saml |
application_name |
target.application |
If the event.name log field value is equal to one of the following values, then the application_name log field is mapped to the target.application UDM field:
|
saml |
device_id |
principal.asset.asset_id |
If the event.name log field value is equal to one of the following values, then the device_id log field is mapped to the principal.asset.assetid UDM field:
|
saml |
failure_type |
security_result.summary |
If the event.name log field value is equal to login_failure, then the failure_type log field is mapped to the security_result.summary UDM field. |
saml |
initiated_by |
security_result.detection_fields[initiated_by] |
If the event.name log field value is equal to one of the following values, then the initiated_by log field is mapped to the security_result.detection_fields UDM field:
|
saml |
orgunit_path |
target.user.attribute.labels [orgunit_path] |
If the event.name log field value is equal to one of the following values, then the orgunit_path log field is mapped to the target.user.attribute.labels UDM field:
|
saml |
saml_second_level_status_code |
security_result.about.labels [saml_second_level_status_code] (deprecated) |
|
saml |
saml_second_level_status_code |
additional.fields [saml_second_level_status_code] |
|
saml |
saml_status_code |
security_result.about.labels [saml_status_code] (deprecated) |
|
saml |
saml_status_code |
additional.fields [saml_status_code] |
|
saml |
security_result.action |
If the event.name log field value is equal to login_failure, then the security_result.action UDM field is set to BLOCK. | |
user_accounts |
email_forwarding_destination_address |
target.user.email_addresses |
|
groups |
acl_permission |
target.group.attribute.roles.name |
If the event.name log field value is equal to change_acl_permission, then the acl_permission log field is mapped to the target.group.attribute.roles.name UDM field. |
groups |
basic_setting |
target.group.attribute.labels [basic_setting] |
|
groups |
group_email |
target.group.email_addresses |
If the event.name log field value is equal to one of the following values, then the group_email log field is mapped to the target.group.email_addresses UDM field:
|
groups |
identity_setting |
target.group.attribute.labels [identity_setting] |
|
groups |
info_setting |
target.group.attribute.labels [info_setting] |
|
groups |
message_id |
network.email.mail_id |
If the event.name log field value is equal to moderate_message, then the message_id log field is mapped to the network.email.mail_id UDM field. |
groups |
message_moderation_action |
target.group.attribute.labels [message_moderation_action] |
|
groups |
member_role |
target.user.attribute.roles.name |
If the event.name log field value is equal to add_user, then the member_role log field is mapped to the target.user.attribute.roles.name UDM field. |
groups |
new_members_restrictions_setting |
target.group.attribute.labels [new_members_restrictions_setting] |
|
groups |
new_value |
target.group.attribute.labels [new_value] |
|
groups |
new_value_repeated |
target.group.attribute.labels [new_value_repeated] |
|
groups |
old_value |
target.group.attribute.labels [old_value] |
|
groups |
old_value_repeated |
target.group.attribute.labels [old_value_repeated] |
|
groups |
post_replies_setting |
target.group.attribute.labels [post_replies_setting] |
|
groups |
spam_moderation_setting |
target.group.attribute.labels [spam_moderation_setting] |
|
groups |
status |
target.group.attribute.labels[status] |
|
groups |
topic_setting |
target.group.attribute.labels [topic_setting] |
|
groups |
user_email |
target.user.email_addresses |
If the event.name log field value is equal to one of the following values, then the user_email log field is mapped to the target.user.email_addresses UDM field:
|
groups |
user_email |
principal.user.email_addresses |
If the event.name log field value is equal to unsubscribe_via_mail and the actor.email log field value is not equal to the user_email, then the user_email log field is mapped to the principal.user.email_addresses UDM field. |
groups |
value |
target.group.attribute.labels [value_of_info_setting] |
|
admin |
USER_EMAIL |
src.user.email_addresses |
If the event.name log field value is equal to CREATE_DATA_TRANSFER_REQUEST, then the USER_EMAIL log field is mapped to the src.user.email_addresses UDM field. |
admin |
USER_EMAIL |
target.user.email_addresses |
If the event.name log field value is equal to one of the following values, then the USER_EMAIL log field is mapped to the target.user.email_addresses UDM field:
|
admin |
DESTINATION_USER_EMAIL |
target.user.email_addresses |
|
admin |
DEVICE_ID |
target.asset.asset_id |
If the event.name log field value is equal to one of the following values, then the DEVICE_ID log field is mapped to the target.asset.asset_id UDM field:
|
admin |
DEVICE_TYPE |
target.platform |
If the DEVICE_TYPE log field value matches the regular expression pattern (?i)windows, then the target.platform UDM field is set to WINDOWS.Else, if the DEVICE_TYPE log field value matches the regular expression pattern (?i)mac, then the target.platform UDM field is set to MAC.
Else, if the DEVICE_TYPE log field value matches the regular expression pattern (?i)linux, then the target.platform UDM field is set to LINUX.
Else, if the DEVICE_TYPE log field value matches the regular expression pattern (?i)ios, then the target.platform UDM field is set to IOS.
Else, if the DEVICE_TYPE log field value matches the regular expression pattern (?i)android, then the target.platform UDM field is set to ANDROID.
Else, if the DEVICE_TYPE log field value matches the regular expression pattern (?i)chrome, then the target.platform UDM field is set to CHROME_OS. |
admin |
APP_ID |
target.resource.name |
If the event.name log field value is equal to one of the following values, then the APP_ID log field is mapped to the target.resource.name UDM field:
|
admin |
NEW_VALUE |
target.resource.name |
If the event.name log field value is equal to MAIL_ROUTING_DESTINATION_ADDED, then the NEW_VALUE log field is mapped to the target.resource.name UDM field. |
admin |
SETTING_NAME |
target.resource.name |
If the event.name log field value is equal to one of the following values, then the SETTING_NAME log field is mapped to the target.resource.name UDM field:
|
admin |
CERTIFICATE_NAME |
target.resource.name |
If the event.name log field value is equal to GENERATE_CERTIFICATE, then the CERTIFICATE_NAME log field is mapped to the target.resource.name UDM field. |
admin |
ACCESS_LEVEL_NAME |
target.resource.name |
If the event.name log field value is equal to UPDATE_ACCESS_LEVEL_V2, then the ACCESS_LEVEL_NAME log field is mapped to the target.resource.name UDM field. |
admin |
ASP_ID |
target.labels [asp_id] (deprecated) |
|
admin |
ASP_ID |
additional.fields [asp_id] |
|
admin |
NEW_VALUE |
target.resource.attribute.labels [new_value] |
If the event.name log field value is equal to one of the following values, then the NEW_VALUE log field is mapped to the target.resource.attribute.labels UDM field:
|
admin |
NEW_VALUE |
target.labels [new_value] (deprecated) |
If the event.name log field value is equal to one of the following values, then the NEW_VALUE log field is mapped to the target.labels UDM field:
|
admin |
NEW_VALUE |
additional.fields [new_value] |
If the event.name log field value is equal to one of the following values, then the NEW_VALUE log field is mapped to the additional.fields UDM field:
|
admin |
NEW_VALUE |
target.user.attribute.labels [new_value] |
|
admin |
NEW_VALUE |
target.user.user_display_name |
If the event.name log field value is equal to one of the following values, then the NEW_VALUE log field is mapped to the target.user.user_display_name UDM field:
|
admin |
NEW_VALUE |
target.user.first_name |
If the event.name log field value is equal to CHANGE_FIRST_NAME, then the NEW_VALUE log field is mapped to the target.user.first_name UDM field. |
admin |
NEW_VALUE |
target.user.last_name |
If the event.name log field value is equal to CHANGE_LAST_NAME, then the NEW_VALUE log field is mapped to the target.user.last_name UDM field. |
admin |
OLD_VALUE |
target.resource.attribute.labels [old_value] |
If the event.name log field value is equal to one of the following values, then the OLD_VALUE log field is mapped to the target.resource.attribute.labels UDM field:
|
admin |
OLD_VALUE |
target.labels [old_value] (deprecated) |
If the event.name log field value is equal to one of the following values, then the OLD_VALUE log field is mapped to the target.labels UDM field:
|
admin |
OLD_VALUE |
additional.fields [old_value] |
If the event.name log field value is equal to one of the following values, then the OLD_VALUE log field is mapped to the additional.fields UDM field:
|
admin |
OLD_VALUE |
target.user.attribute.labels [old_value] |
|
admin |
BULK_UPLOAD_FAIL_USERS_NUMBER |
target.user.attribute.labels [bulk_upload_fail_users_number] |
|
admin |
BULK_UPLOAD_TOTAL_USERS_NUMBER |
target.user.attribute.labels [bulk_upload_total_users_number] |
|
admin |
SYSTEM_DEFINED_RULE_NAME |
security_result.rule_name |
If the event.name log field value is equal to SYSTEM_DEFINED_RULE_UPDATED, then the SYSTEM_DEFINED_RULE_NAME log field is mapped to the security_result.rule_name UDM field. |
admin |
ALERT_NAME |
security_result.rule_name |
|
admin |
SECURITY_CENTER_RULE_NAME |
security_result.rule_name |
|
admin |
DOMAIN_NAME |
target.domain.name |
|
admin |
USER_CUSTOM_FIELD |
target.user.attribute.labels [user_custom_field] |
|
admin |
BEGIN_DATE_TIME |
target.resource.attribute.labels [begin_date_time] |
|
admin |
EMAIL_MONITOR_DEST_EMAIL |
target.resource.attribute.labels [email_monitor_dest_email] |
|
admin |
EMAIL_MONITOR_LEVEL_CHAT |
target.resource.attribute.labels [email_monitor_level_chat] |
|
admin |
EMAIL_MONITOR_LEVEL_DRAFT_EMAIL |
target.resource.attribute.labels [email_monitor_level_draft_email] |
|
admin |
EMAIL_MONITOR_LEVEL_INCOMING_EMAIL |
target.resource.attribute.labels [email_monitor_level_incoming_email] |
|
admin |
EMAIL_MONITOR_LEVEL_OUTGOING_EMAIL |
target.resource.attribute.labels [email_monitor_level_outgoing_email] |
|
admin |
END_DATE_TIME |
target.resource.attribute.labels [end_date_time] |
|
admin |
APPLICATION_NAME |
target.application |
If the event.name log field value is equal to one of the following values, then the APPLICATION_NAME log field is mapped to the target.application UDM field:
|
admin |
SERVICE_NAME |
target.application |
If the event.name log field value is equal to TOGGLE_SERVICE_ENABLED, then the SERVICE_NAME log field is mapped to the target.application UDM field. |
admin |
REAUTH_APPLICATION |
target.application |
If the event.name log field value is equal to SESSION_CONTROL_SETTINGS_CHANGE, then the REAUTH_APPLICATION log field is mapped to the target.application UDM field. |
admin |
OAUTH2_SERVICE_NAME |
target.application |
If the event.name log field value is equal to DISALLOW_SERVICE_FOR_OAUTH2_ACCESS, then the OAUTH2_SERVICE_NAME log field is mapped to the target.application UDM field. |
admin |
OAUTH2_APP_NAME |
target.application |
If the event.name log field value is equal to one of the following values, then the OAUTH2_APP_NAME log field is mapped to the target.application UDM field:
|
admin |
REQUEST_ID |
target.labels [request_id] (deprecated) |
|
admin |
REQUEST_ID |
additional.fields [request_id] |
|
admin |
GMAIL_RESET_REASON |
security_result.summary |
|
admin |
USER_NICKNAME |
target.user.attribute.labels[nickname] |
|
admin |
EMAIL_EXPORT_INCLUDE_DELETED |
target.resource.attribute.labels [email_export_include_deleted] |
|
admin |
EMAIL_EXPORT_PACKAGE_CONTENT |
target.resource.attribute.labels [email_export_package_content] |
|
admin |
SEARCH_QUERY_FOR_DUMP |
target.resource.attribute.labels [search_query_for_dump] |
|
admin |
BIRTHDATE |
target.user.attribute.labels [birthdate] |
|
admin |
ORG_UNIT_NAME |
target.labels[org_unit_name] (deprecated) |
If the event.name log field value is equal to one of the following values, then the ORG_UNIT_NAME log field is mapped to the target.labels UDM field:
|
admin |
ORG_UNIT_NAME |
additional.fields[org_unit_name] |
If the event.name log field value is equal to one of the following values, then the ORG_UNIT_NAME log field is mapped to the additional.fields UDM field:
|
admin |
ORG_UNIT_NAME |
about.labels[org_unit_name] (deprecated) |
|
admin |
ORG_UNIT_NAME |
additional.fields[org_unit_name] |
|
admin |
ROLE_ID |
target.resource.attribute.labels[role_id] |
|
admin |
ROLE_NAME |
target.resource.attribute.roles.name |
|
admin |
API_SCOPES |
target.user.attribute.labels[api_scopes] |
|
admin |
API_CLIENT_NAME |
target.user.userid |
If the API_CLIENT_NAME log field value matches the regular expression ^(.){1,256}$, then the API_CLIENT_NAME log field is mapped to the target.user.userid UDM field. |
admin |
API_CLIENT_NAME |
target.user.attribute.labels[api_client_name] |
If the API_CLIENT_NAME log field value doesn't match the regular expression ^(.){1,256}$, then the API_CLIENT_NAME log field is mapped to the target.user.attribute.labels[api_client_name] UDM field. |
admin |
EMAIL_LOG_SEARCH_END_DATE |
about.labels[email_log_search_end_date] (deprecated) |
|
admin |
EMAIL_LOG_SEARCH_END_DATE |
additional.fields[email_log_search_end_date] |
|
admin |
EMAIL_LOG_SEARCH_MSG_ID |
network.email.mail_id |
|
admin |
EMAIL_LOG_SEARCH_RECIPIENT |
network.email.to |
|
admin |
EMAIL_LOG_SEARCH_SENDER |
network.email.from |
|
admin |
EMAIL_LOG_SEARCH_SMTP_RECIPIENT_IP |
about.labels[email_log_search_smtp_recipient_ip] (deprecated) |
|
admin |
EMAIL_LOG_SEARCH_SMTP_RECIPIENT_IP |
additional.fields[email_log_search_smtp_recipient_ip] |
|
admin |
EMAIL_LOG_SEARCH_SMTP_SENDER_IP |
about.labels[email_log_search_smtp_sender_ip] (deprecated) |
|
admin |
EMAIL_LOG_SEARCH_SMTP_SENDER_IP |
additional.fields[email_log_search_smtp_sender_ip] |
|
admin |
EMAIL_LOG_SEARCH_START_DATE |
about.labels[email_log_search_start_date] (deprecated) |
|
admin |
EMAIL_LOG_SEARCH_START_DATE |
additional.fields[email_log_search_start_date] |
|
admin |
ALERT_ID |
security_result.detection_fields[alert_id] |
|
admin |
INVESTIGATION_DATA_SOURCE |
security_result.detection_fields[investigation_data_source] |
|
admin |
INVESTIGATION_QUERY |
security_result.detection_fields[investigation_query] |
|
admin |
GROUP_EMAIL |
target.group.email_addresses |
|
admin |
PRODUCT_NAME |
target.resource.attribute.labels[product_name] |
|
admin |
INVESTIGATION_ACTION |
security_result.detection_fields[investigation_action] |
|
admin |
INVESTIGATION_ENTITY_IDS |
security_result.detection_fields[investigation_entity_ids] |
|
admin |
INVESTIGATION_OBJECT_IDENTIFIER |
security_result.detection_fields[investigation_object_identifier] |
|
admin |
INVESTIGATION_URL_DISPLAY_TEXT |
security_result.detection_fields[investigation_display_text] |
|
admin |
CHART_NAME |
about.labels [chart_name] (deprecated) |
|
admin |
CHART_NAME |
additional.fields [chart_name] |
|
admin |
CHART_FILTERS |
about.labels [chart_filters] (deprecated) |
|
admin |
CHART_FILTERS |
additional.fields [chart_filters] |
|
admin |
START_DATE |
about.labels [start_date] (deprecated) |
|
admin |
START_DATE |
additional.fields [start_date] |
|
admin |
END_DATE |
about.labels [end_date] (deprecated) |
|
admin |
END_DATE |
additional.fields [end_date] |
|
admin |
target.resource.resource_type |
If the event.name log field value is not equal to one of the following values, then the target.resource.resource_type UDM field is set to SETTING:
If the event.name log field value is equal to GENERATE_CERTIFICATE, then the target.resource.resource_type UDM field is set to CREDENTIAL. | |
admin |
SYSTEM_DEFINED_RULE_ACTION_STATUS_CHANGE |
security_result.rule_labels[system_defined_rule_action_status_change] |
|
admin |
SYSTEM_DEFINED_RULE_ACTION_SEVERITY_CHANGE |
security_result.rule_labels[system_defined_rule_action_severity_change] |
|
admin |
SYSTEM_DEFINED_RULE_ACTION_RECEIVERS_CHANGE |
security_result.rule_labels[system_defined_rule_action_receivers_change] |
|
admin |
COMPANY_DEVICE_ID |
target.asset_id |
|
admin |
APPLICATION_ENABLED |
target.labels[application_enabled] (deprecated) |
|
admin |
APPLICATION_ENABLED |
additional.fields[application_enabled] |
|
admin |
DISTRIBUTION_ENTITY_NAME |
target.labels[distribution_entity_name] (deprecated) |
|
admin |
DISTRIBUTION_ENTITY_NAME |
additional.fields[distribution_entity_name] |
|
admin |
DISTRIBUTION_ENTITY_TYPE |
target.labels[distribution_entity_type] (deprecated) |
|
admin |
DISTRIBUTION_ENTITY_TYPE |
additional.fields[distribution_entity_type] |
|
admin |
MOBILE_APP_PACKAGE_ID |
target.labels[mobile_app_package_id] (deprecated) |
|
admin |
MOBILE_APP_PACKAGE_ID |
additional.fields[mobile_app_package_id] |
|
admin |
APPLICATION_EDITION |
target.labels[application_edition] (deprecated) |
|
admin |
APPLICATION_EDITION |
additional.fields[application_edition] |
|
admin |
REAUTH_SETTING_NEW |
target.labels[reauth_setting_new] (deprecated) |
|
admin |
REAUTH_SETTING_NEW |
additional.fields[reauth_setting_new] |
|
admin |
REAUTH_SETTING_OLD |
target.labels[reauth_setting_old] (deprecated) |
|
admin |
REAUTH_SETTING_OLD |
additional.fields[reauth_setting_old] |
|
admin |
ALLOWED_TWO_STEP_VERIFICATION_METHOD |
target.labels[allowed_2sv_method] (deprecated) |
|
admin |
ALLOWED_TWO_STEP_VERIFICATION_METHOD |
additional.fields[allowed_2sv_method] |
|
admin |
CERTIFICATE_TYPE |
target.resource.resource_subtype |
|
admin |
SAML2_SERVICE_PROVIDER_ENTITY_ID |
about.labels[saml2_service_provider_entity_id] (deprecated) |
|
admin |
SAML2_SERVICE_PROVIDER_ENTITY_ID |
additional.fields[saml2_service_provider_entity_id] |
|
admin |
SAML2_SERVICE_PROVIDER_NAME |
about.labels[saml2_service_provider_name] (deprecated) |
|
admin |
SAML2_SERVICE_PROVIDER_NAME |
additional.fields[saml2_service_provider_name] |
|
admin |
SERVICE_ACCOUNT_EMAIL |
about.user.email_addresses |
|
admin |
about.user.account_type |
If the event.name log field value is equal to ENABLE_DIRECTORY_SYNC and the SERVICE_ACCOUNT_EMAIL log field value is not empty, then the about.user.account_type UDM field is set to SERVICE_ACCOUNT_TYPE. |
|
admin |
DEVICE_NEW_STATE |
target.asset.attribute.labels[device_new_state] |
|
admin |
DEVICE_PREVIOUS_STATE |
target.asset.attribute.labels[device_previous_state] |
|
admin |
DEVICE_SERIAL_NUMBER |
target.asset.hardware.serial_number |
|
admin |
INVESTIGATION_ACTION_NUM_ATTEMPTED |
security_result.detection_fields[investigation_action_num_attempt] |
|
admin |
INVESTIGATION_ACTION_NUM_SUCCESS |
security_result.detection_fields[investigation_action_num_success] |
|
admin |
INVESTIGATION_ACTION_NUM_FAILED |
security_result.detection_fields[investigation_action_num_failed] |
|
admin |
INVESTIGATION_ACTION_IDENTIFIER |
security_result.detection_fields[investigation_action_identifier] |
|
admin |
INVESTIGATION_ACTION_ID |
security_result.detection_fields[investigation_action_id] |
|
admin |
SETTING_DESCRIPTION |
target.resource.attribute.labels[setting_description] |
|
admin |
USER_DEFINED_SETTING_NAME |
target.resource.attribute.labels[user_defined_setting_name] |
|
admin |
ACTION_TYPE |
security_result.action_details |
|
admin |
security_result.action |
If the ACTION_TYPE log field value is equal to BLOCK, then the security_result.action UDM field is set to BLOCK.Else, the security_result.action UDM field is set to ALLOW. |
|
admin |
ACTION_ID |
security_result.detection_fields[action_id] |
|
admin |
OAUTH2_APP_ID |
additional.fields [oauth2_app_id] |
|
admin |
OAUTH2_APP_TYPE |
additional.fields [oauth2_app_type] |
|
admin |
ACCESS_LEVEL_TITLE |
target.resource.attribute.labels [access_level_title] |
|
admin |
ACCESS_LEVEL_CURR_STATE |
target.resource.attribute.labels [access_level_curr_state] |
|
admin |
ACCESS_LEVEL_PREV_STATE |
target.resource.attribute.labels [access_level_prev_state] |
|
admin |
AUTH_PRINCIPLE_EMAIL |
principal.user.email_addresses |
If the actor.email log field value is not equal to the AUTH_PRINCIPLE_EMAIL, then the AUTH_PRINCIPLE_EMAIL log field is mapped to the principal.user.email_addresses UDM field. |
admin |
INVESTIGATION_ADMIN_EMAIL |
principal.user.email_addresses |
If the actor.email log field value is not equal to the INVESTIGATION_ADMIN_EMAIL, then the INVESTIGATION_ADMIN_EMAIL log field is mapped to the principal.user.email_addresses UDM field. |
admin |
target.resource.resource_type |
If the event.name log field value is equal to UPDATE_ACCESS_LEVEL_V2, then the target.resource.resource_type UDM field is set to ACCESS_POLICY. |
|
admin |
APP_RESOURCE_ID | additional.fields [app_resource_id] |
|
admin |
SECURITY_CENTER_RULE_TRIGGER_WINDOW | security_result.rule_labels[security_center_rule_trigger_window] |
|
admin |
SECURITY_CENTER_RULE_CONDITION | security_result.rule_labels[security_center_rule_condition] |
|
admin |
SECURITY_CENTER_RULE_THRESHOLD | security_result.rule_labels[security_center_rule_threshold] |
|
admin |
SECURITY_CENTER_RULE_TIME_FRAME | security_result.rule_labels[security_center_rule_time_frame] |
|
admin |
SECURITY_CENTER_RULE_ACTION | security_result.rule_labels[security_center_rule_action] |
|
admin |
QUARANTINE_NAME | additional.fields[quarantine_name] |
|
jamboard |
CURRENT_JAMBOARD_NAME |
target.asset.attribute.labels [current_jamboard_name] |
If the event.name log field value is equal to one of the following values, then the CURRENT_JAMBOARD_NAME log field is mapped to the target.asset.attribute.labels UDM field:
|
jamboard |
JAMBOARD_ID |
target.asset.asset_id |
|
jamboard |
LICENSE_ENROLLMENT_STATE |
target.asset.attribute.labels [license_enrollment_state] |
|
jamboard |
PROVISION_STATE |
target.asset.attribute.labels [provision_state] |
|
jamboard |
ON_OFF |
target.asset.attribute.labels [on_off] |
|
jamboard |
NEW_ADDITIONAL_IMES |
target.asset.attribute.labels [new_additional_imes] |
|
jamboard |
OLD_ADDITIONAL_IMES |
target.asset.attribute.labels [old_additional_imes] |
|
jamboard |
NEW_DEMO_MODE_AVAILABILITY |
target.asset.attribute.labels [new_demo_mode_availability] |
|
jamboard |
OLD_DEMO_MODE_AVAILABILITY |
target.asset.attribute.labels [old_demo_mode_availability] |
|
jamboard |
NEW_LANGUAGE |
target.asset.attribute.labels [new_language] |
|
jamboard |
OLD_LANGUAGE |
target.asset.attribute.labels [old_language] |
|
jamboard |
NEW_LOCATION |
target.asset.location.name |
If the event.name log field value is equal to DEVICE_LOCATION_CHANGE, then the NEW_LOCATION log field is mapped to the target.asset.location.name UDM field. |
jamboard |
OLD_LOCATION |
target.asset.attribute.labels [old_location] |
|
jamboard |
OLD_JAMBOARD_NAME |
target.asset.attribute.labels [old_jamboard_name] |
|
jamboard |
NEW_NOTE |
target.resource.attribute.labels [new_note] |
|
jamboard |
OLD_NOTE |
target.resource.attribute.labels [old_note] |
|
jamboard |
DEVICE_TYPE |
target.asset.attribute.labels [device_type] |
|
jamboard |
NEW_DEVICE |
target.asset.attribute.labels [new_device] |
|
jamboard |
OLD_DEVICE |
target.asset.attribute.labels [old_device] |
|
jamboard |
NEW_TIMEOUT_VALUE |
target.asset.attribute.labels [new_timeout_value] |
|
jamboard |
OLD_TIMEOUT_VALUE |
target.asset.attribute.labels [old_timeout_value] |
|
jamboard |
JAMBOARD_SETTING |
target.asset.attribute.labels [jamboard_setting] |
|
jamboard |
COMPONENT |
target.asset.attribute.labels [component] |
|
jamboard |
NEW_VERSION |
target.asset.software.version |
If the event.name log field value is equal to DEVICE_UPDATE, then the NEW_VERSION log field is mapped to the target.asset.software.version UDM field. |
jamboard |
OLD_VERSION |
target.asset.attribute.labels [old_version] |
|
gmail |
events.parameters[delivery].msgValue[message_info].parameter.value[description] |
metadata.description |
|
gmail |
events.parameters[delivery].msgValue[event_info].parameter.intValue[timestamp_usec] |
metadata.event_timestamp |
|
gmail |
events.parameters[delivery].msgValue[event_info].parameter.intValue[mail_event_type] |
metadata.product_event_type |
|
gmail |
id.applicationName |
metadata.product_name |
|
gmail |
metadata.vendor_name |
The metadata.vendor_name UDM field is set to Google Workspace. | |
gmail |
events.parameters[delivery].msgValue[message_info].parameter.value[rfc2822_message_id] |
network.email.mail_id |
|
gmail |
events.parameters[delivery].msgValue[message_info].parameter.value[subject] |
network.email.subject |
|
gmail |
events.parameters[delivery].msgValue[message_info].parameter.intValue[payload_size] |
network.sent_bytes |
|
gmail |
events.parameters[delivery].msgValue[event_info].parameter.intValue[elapsed_time_usec] |
network.session_duration |
|
gmail |
events.parameters[delivery].msgValue[message_info].parameter.msgValue[connection_info].parameter.intValue[smtp_tls_state] |
network.smtp.is_tls |
If this log field value is equal to 0, then the network.smtp.is_tls UDM field is set to false.Else, if this log field value is equal to 1, then the network.smtp.is_tls UDM field is set to true. |
gmail |
events.parameters[delivery].msgValue[message_info].parameter.multiMsgValue[destination].parameter.value[address] |
network.smtp.rcpt_to |
|
gmail |
events.parameters[delivery].msgValue[message_info].parameter.msgValue[connection_info].parameter.intValue[smtp_response_reason] |
network.smtp.server_response |
If this log field value is equal to 1, then the network.smtp.server_response UDM field is set to events.parameters[delivery].msgValue[message_info].parameter.msgValue[connection_info].parameter.intValue[smtp_reply_code] - Default reason messages are rejected or accepted.Else, if this log field value is equal to 3, then the network.smtp.server_response UDM field is set to events.parameters[delivery].msgValue[message_info].parameter.msgValue[connection_info].parameter.intValue[smtp_reply_code] - Malware.Else, if this log field value is equal to 4, then the network.smtp.server_response UDM field is set to events.parameters[delivery].msgValue[message_info].parameter.msgValue[connection_info].parameter.intValue[smtp_reply_code] - DMARC policy.Else, if this log field value is equal to 5, then the network.smtp.server_response UDM field is set to events.parameters[delivery].msgValue[message_info].parameter.msgValue[connection_info].parameter.intValue[smtp_reply_code] - Unsupported attachment (by Gmail).Else, if this log field value is equal to 6, then the network.smtp.server_response UDM field is set to events.parameters[delivery].msgValue[message_info].parameter.msgValue[connection_info].parameter.intValue[smtp_reply_code] - Receive limit exceeded.Else, if this log field value is equal to 7, then the network.smtp.server_response UDM field is set to events.parameters[delivery].msgValue[message_info].parameter.msgValue[connection_info].parameter.intValue[smtp_reply_code] - Account over quota.Else, if this log field value is equal to 8, then the network.smtp.server_response UDM field is set to events.parameters[delivery].msgValue[message_info].parameter.msgValue[connection_info].parameter.intValue[smtp_reply_code] - Bad PTR record.Else, if this log field value is equal to 9, then the network.smtp.server_response UDM field is set to events.parameters[delivery].msgValue[message_info].parameter.msgValue[connection_info].parameter.intValue[smtp_reply_code] - Recipient doesn't exist.Else, if this log field value is equal to 10, then the network.smtp.server_response UDM field is set to events.parameters[delivery].msgValue[message_info].parameter.msgValue[connection_info].parameter.intValue[smtp_reply_code] - Customer policy.Else, if this log field value is equal to 12, then the network.smtp.server_response UDM field is set to events.parameters[delivery].msgValue[message_info].parameter.msgValue[connection_info].parameter.intValue[smtp_reply_code] - RFC violation.Else, if this log field value is equal to 13, then the network.smtp.server_response UDM field is set to events.parameters[delivery].msgValue[message_info].parameter.msgValue[connection_info].parameter.intValue[smtp_reply_code] - Blatant spam.Else, if this log field value is equal to 14, then the network.smtp.server_response UDM field is set to events.parameters[delivery].msgValue[message_info].parameter.msgValue[connection_info].parameter.intValue[smtp_reply_code] - Denial of service.Else, if this log field value is equal to 15, then the network.smtp.server_response UDM field is set to events.parameters[delivery].msgValue[message_info].parameter.msgValue[connection_info].parameter.intValue[smtp_reply_code] - Malicious or spammy links.Else, if this log field value is equal to 16, then the network.smtp.server_response UDM field is set to events.parameters[delivery].msgValue[message_info].parameter.msgValue[connection_info].parameter.intValue[smtp_reply_code] - Low IP reputation.Else, if this log field value is equal to 17, then the network.smtp.server_response UDM field is set to events.parameters[delivery].msgValue[message_info].parameter.msgValue[connection_info].parameter.intValue[smtp_reply_code] - Low domain reputation.Else, if this log field value is equal to 18, then the network.smtp.server_response UDM field is set to events.parameters[delivery].msgValue[message_info].parameter.msgValue[connection_info].parameter.intValue[smtp_reply_code] - IP listed in public Real-time Blackhole List (RBL).Else, if this log field value is equal to 19, then the network.smtp.server_response UDM field is set to events.parameters[delivery].msgValue[message_info].parameter.msgValue[connection_info].parameter.intValue[smtp_reply_code] - Temporarily rejected due to DoS limits.Else, if this log field value is equal to 20, then the network.smtp.server_response UDM field is set to events.parameters[delivery].msgValue[message_info].parameter.msgValue[connection_info].parameter.intValue[smtp_reply_code] - Permanently rejected due to DoS limits. |
gmail |
events.parameters[delivery].msgValue[message_info].parameter.msgValue[connection_info].parameter.value[smtp_tls_cipher] |
network.tls.cipher |
|
gmail |
events.parameters[delivery].msgValue[message_info].parameter.msgValue[connection_info].parameter.value[smtp_tls_version] |
network.tls.version |
|
gmail |
events.parameters[delivery].msgValue[message_info].parameter.msgValue[connection_info].parameter.value[client_host_zone] |
principal.administrative_domain |
|
gmail |
events.parameters[delivery].msgValue[message_info].parameter.msgValue[source].parameter.value[service] |
principal.application |
|
gmail |
events.parameters[delivery].msgValue[message_owner].parameter.value[customer_domain] |
principal.domain.name |
|
gmail |
events.parameters[delivery].msgValue[message_info].parameter.msgValue[connection_info].parameter.value[client_ip] |
principal.ip |
|
gmail |
actor.gaiaId |
principal.labels[actor_gaiaid] (deprecated) |
|
gmail |
actor.gaiaId |
additional.fields[actor_gaiaid] |
|
gmail |
actor.orgunitPath |
principal.labels[actor_orgunitpath] (deprecated) |
|
gmail |
actor.orgunitPath |
additional.fields[actor_orgunitpath] |
|
gmail |
events.parameters[delivery].msgValue[message_owner].parameter.multiIntValue[gaia_ids] |
principal.labels[message_owner_gaia_id] (deprecated) |
|
gmail |
events.parameters[delivery].msgValue[message_owner].parameter.multiIntValue[gaia_ids] |
additional.fields[message_owner_gaia_id] |
|
gmail |
events.parameters[delivery].msgValue[message_info].parameter.msgValue[source].parameter.value[selector] |
principal.labels[source_selector] (deprecated) |
|
gmail |
events.parameters[delivery].msgValue[message_info].parameter.msgValue[source].parameter.value[selector] |
additional.fields[source_selector] |
|
gmail |
events.parameters[delivery].msgValue[message_info].parameter.msgValue[source].parameter.value[from_header_address],events.parameters[delivery].msgValue[message_owner].parameter.multiStrValue[addresses] |
principal.user.email_addresses |
|
gmail |
events.parameters[delivery].msgValue[message_info].parameter.msgValue[source].parameter.value[address] |
principal.user.email_addresses |
|
gmail |
events.parameters[delivery].msgValue[message_owner].parameter.multiStrValue[addresses] |
principal.user.email_addresses |
|
gmail |
events.parameters[delivery].msgValue[message_info].parameter.msgValue[source].parameter.value[from_header_displayname] |
principal.user.user_display_name |
|
gmail |
events.parameters[delivery].msgValue[message_info].parameter.msgValue[source].parameter.intValue[user_id] |
principal.user.userid |
|
gmail |
events.parameters[delivery].msgValue[message_info].parameter.value[flattened_destinations] |
target.labels[flattened_destinations] (deprecated) |
|
gmail |
events.parameters[delivery].msgValue[message_info].parameter.value[flattened_destinations] |
additional.fields[flattened_destinations] |
|
gmail |
events.parameters[delivery].msgValue[message_info].parameter.multiMsgValue[destination].parameter.value[service] |
target.application |
This log field is mapped to target.application UDM field when index value in events.parameters[delivery].msgValue[message_info].parameter.multiMsgValue[destination] is equal to 0. For every other index value, this log field is mapped to the about.application. |
gmail |
events.parameters[delivery].msgValue[message_info].parameter.multiMsgValue[destination].parameter.intValue[rcpt_response] |
target.labels[destination_rcpt_response] (deprecated) |
This log field is mapped to target.labels.value UDM field and target.labels.key is set to destination_rcpt_response, when index value in events.parameters[delivery].msgValue[message_info].parameter.multiMsgValue[destination] is equal to 0. For every other index value, this log field is mapped to about.labels.value UDM field and about.labels.key is set to destination_rcpt_response. |
gmail |
events.parameters[delivery].msgValue[message_info].parameter.multiMsgValue[destination].parameter.intValue[rcpt_response] |
additional.fields[destination_rcpt_response] |
|
gmail |
events.parameters[delivery].msgValue[message_info].parameter.multiMsgValue[destination].parameter.value[selector] |
target.labels[destination_selector] (deprecated) |
This log field is mapped to target.labels.value UDM field and target.labels.key is set to destination_selector, when index value in events.parameters[delivery].msgValue[message_info].parameter.multiMsgValue[destination] is equal to 0. For every other index value, this log field is mapped to about.labels.value UDM field and about.labels.key is set to destination_selector. |
gmail |
events.parameters[delivery].msgValue[message_info].parameter.multiMsgValue[destination].parameter.value[selector] |
additional.fields[destination_selector] |
|
gmail |
events.parameters[delivery].msgValue[message_info].parameter.multiMsgValue[destination].parameter.boolValue[smime_decryption_success] |
target.labels[destination_smime_decryption_success] (deprecated) |
This log field is mapped to target.labels.value UDM field and target.labels.key is set to destination_smime_decryption_success, when index value in events.parameters[delivery].msgValue[message_info].parameter.multiMsgValue[destination] is equal to 0. For every other index value, this log field is mapped to about.labels.value UDM field and about.labels.key is set to destination_smime_decryption_success. |
gmail |
events.parameters[delivery].msgValue[message_info].parameter.multiMsgValue[destination].parameter.boolValue[smime_decryption_success] |
additional.fields[destination_smime_decryption_success] |
|
gmail |
events.parameters[delivery].msgValue[message_info].parameter.multiMsgValue[destination].parameter.boolValue[smime_extraction_success] |
target.labels[destination_smime_extraction_success] (deprecated) |
This log field is mapped to target.labels.value UDM field and target.labels.key is set to destination_smime_extraction_success, when index value in events.parameters[delivery].msgValue[message_info].parameter.multiMsgValue[destination] is equal to 0. For every other index value, this log field is mapped to about.labels.value UDM field and about.labels.key is set to destination_smime_extraction_success. |
gmail |
events.parameters[delivery].msgValue[message_info].parameter.multiMsgValue[destination].parameter.boolValue[smime_extraction_success] |
additional.fields[destination_smime_extraction_success] |
|
gmail |
events.parameters[delivery].msgValue[message_info].parameter.multiMsgValue[destination].parameter.boolValue[smime_parsing_success] |
target.labels[destination_smime_parsing_success] (deprecated) |
This log field is mapped to target.labels.value UDM field and target.labels.key is set to destination_smime_parsing_success, when index value in events.parameters[delivery].msgValue[message_info].parameter.multiMsgValue[destination] is equal to 0. For every other index value, this log field is mapped to about.labels.value UDM field and about.labels.key is set to destination_smime_parsing_success. |
gmail |
events.parameters[delivery].msgValue[message_info].parameter.multiMsgValue[destination].parameter.boolValue[smime_parsing_success] |
additional.fields[destination_smime_parsing_success] |
|
gmail |
events.parameters[delivery].msgValue[message_info].parameter.multiMsgValue[destination].parameter.boolValue[smime_signature_verification_success] |
target.labels[destination_smime_signature_verification_success] (deprecated) |
This log field is mapped to target.labels.value UDM field and target.labels.key is set to destination_smime_signature_verification_success, when index value in events.parameters[delivery].msgValue[message_info].parameter.multiMsgValue[destination] is equal to 0. For every other index value, this log field is mapped to about.labels.value UDM field and about.labels.key is set to destination_smime_signature_verification_success. |
gmail |
events.parameters[delivery].msgValue[message_info].parameter.multiMsgValue[destination].parameter.boolValue[smime_signature_verification_success] |
additional.fields[destination_smime_signature_verification_success] |
|
gmail |
events.parameters[delivery].msgValue[message_info].parameter.multiMsgValue[destination].parameter.value[address] |
target.user.email_addresses |
This log field is mapped to target.user.email_addresses UDM field when index value in events.parameters[delivery].msgValue[message_info].parameter.multiMsgValue[destination] is equal to 0. For every other index value, this log field is mapped to the about.user.email_addresses. |
gmail |
events.parameters[delivery].msgValue[message_info].parameter.multiMsgValue[destination].parameter.intValue[user_id] |
target.user.userid |
This log field is mapped to target.user.userid UDM field when index value in events.parameters[delivery].msgValue[message_info].parameter.multiMsgValue[destination] is equal to 0. For every other index value, this log field is mapped to the about.user.userid. |
gmail |
events.parameters[delivery].msgValue[message_info].parameter.msgValue[connection_info].parameter.value[smtp_out_remote_host] |
intermediary.hostname |
|
gmail |
events.parameters[delivery].msgValue[server_info].parameter.value[host_name] |
intermediary.hostname |
|
gmail |
events.parameters[delivery].msgValue[message_info].parameter.msgValue[connection_info].parameter.value[failed_smtp_out_connect_ip] |
intermediary.ip |
|
gmail |
events.parameters[delivery].msgValue[message_info].parameter.msgValue[connection_info].parameter.value[smtp_in_connect_ip] |
intermediary.ip |
|
gmail |
events.parameters[delivery].msgValue[message_info].parameter.msgValue[connection_info].parameter.value[smtp_out_connect_ip] |
intermediary.ip |
|
gmail |
events.parameters[delivery].msgValue[message_info].parameter.msgValue[connection_info].parameter.value[smtp_user_agent_ip] |
intermediary.ip |
|
gmail |
events.parameters[delivery].msgValue[server_info].parameter.value[job_name] |
intermediary.labels[job_name] (deprecated) |
|
gmail |
events.parameters[delivery].msgValue[server_info].parameter.value[job_name] |
additional.fields[job_name] |
|
gmail |
events.parameters[delivery].msgValue[server_info].parameter.intValue[server_type] |
intermediary.labels[server_type] (deprecated) |
|
gmail |
events.parameters[delivery].msgValue[server_info].parameter.intValue[server_type] |
additional.fields[server_type] |
|
gmail |
events.parameters[delivery].msgValue[server_info].parameter.value[service_pool] |
intermediary.labels[service_pool] (deprecated) |
|
gmail |
events.parameters[delivery].msgValue[server_info].parameter.value[service_pool] |
additional.fields[service_pool] |
|
gmail |
events.parameters[delivery].msgValue[server_info].parameter.intValue[task_number] |
intermediary.labels[task_number] (deprecated) |
|
gmail |
events.parameters[delivery].msgValue[server_info].parameter.intValue[task_number] |
additional.fields[task_number] |
|
gmail |
events.parameters[delivery].msgValue[message_info].parameter.multiMsgValue[triggered_rule_info].parameter.value[policy_holder_address] |
security_result.about.user.email_addresses |
If this log field value doesn't match the regular expression ^.+@.+$, then it is mapped to the security_result.about.administrative_domain UDM field.Else, it is mapped to the security_result.about.administrative_domain UDM field. |
gmail |
events.parameters[delivery].msgValue[message_info].parameter.multiMsgValue[triggered_rule_info].parameter.multiMsgValue[consequence].parameter.value[policy_holder_email] |
security_result.about.user.email_addresses |
|
gmail |
events.parameters[delivery].msgValue[message_info].parameter.multiMsgValue[triggered_rule_info].parameter.multiMsgValue[consequence].parameter.intValue[policy_holder_user_id] |
security_result.about.user.userid |
|
gmail |
security_result.action |
If the events.parameters[delivery].msgValue[event_info].parameter.boolValue[success] log field value is equal to true, then the security_result.action UDM field is set to ALLOW.Else, the security_result.action UDM field is set to BLOCK. | |
gmail |
events.parameters[delivery].msgValue[event_info].parameter.boolValue[success] |
security_result.action_details |
|
gmail |
security_result.category |
If the events.parameters[delivery].msgValue[message_info].parameter.multiMsgValue[attachment].parameter.intValue[malware_family] log field value is not empty, then the security_result.category UDM field is set to SOFTWARE_MALICIOUS.If the events.parameters[delivery].msgValue[message_info].parameter.boolValue[is_spam] log field value is equal to true, then the security_result.category UDM field is set to MAIL_SPAM. | |
gmail |
events.parameters[delivery].msgValue[message_info].parameter.multiMsgValue[attachment].parameter.intValue[malware_family] |
security_result.category_details |
If this log field value is equal to 1, then the security_result.category_details UDM field is set to 1 - A known malicious program type of malware.Else, if this log field value is equal to 2, then the security_result.category_details UDM field is set to 2 - A virus or worm type of malware.Else, if this log field value is equal to 3, then the security_result.category_details UDM field is set to 3 - Possible harmful email content.Else, if this log field value is equal to 4, then the security_result.category_details UDM field is set to 4 - Possible unwanted email content.Else, if this log field value is equal to 5, then the security_result.category_details UDM field is set to 5 - Other type of malware. |
gmail |
events.parameters[delivery].msgValue[message_info].parameter.value[flattened_triggered_rule_info] |
security_result.detection_fields[flattened_triggered_rule_info] |
|
gmail |
events.parameters[delivery].msgValue[message_info].parameter.msgValue[connection_info].parameter.boolValue[is_internal] |
security_result.detection_fields[is_internal] |
|
gmail |
events.parameters[delivery].msgValue[message_info].parameter.msgValue[connection_info].parameter.boolValue[is_intra_domain] |
security_result.detection_fields[is_intra_domain] |
|
gmail |
events.parameters[delivery].msgValue[message_info].parameter.boolValue[is_policy_check_for_sender] |
security_result.detection_fields[is_policy_check_for_sender] |
|
gmail |
events.parameters[delivery].msgValue[message_info].parameter.boolValue[is_spam] |
security_result.detection_fields[is_spam] |
|
gmail |
events.parameters[delivery].msgValue[message_info].parameter.intValue[smtp_replay_error] |
security_result.detection_fields[smtp_replay_error] |
If this log field value is equal to 1, then the security_result.detection_fields.key UDM field is set to smtp_replay_error and the security_result.detection_fields.value UDM field is set to 1 - Authentication error.Else, if this log field value is equal to 2, then the security_result.detection_fields.key UDM field is set to smtp_replay_error and the 2 - Daily rate limit was exceeded. log field is mapped to the security_result.detection_fields.value UDM field.Else, if this log field value is equal to 3, then the security_result.detection_fields.key UDM field is set to smtp_replay_error and the 3 - Peak rate limit was exceeded. log field is mapped to the security_result.detection_fields.value UDM field.Else, if this log field value is equal to 4, then the security_result.detection_fields.key UDM field is set to smtp_replay_error and the 4 - SMTP relay was abused. log field is mapped to the security_result.detection_fields.value UDM field.Else, if this log field value is equal to 5, then the security_result.detection_fields.key UDM field is set to smtp_replay_error and the 5 - Per-user rate limit was exceeded. log field is mapped to the security_result.detection_fields.value UDM field. |
gmail |
events.parameters[delivery].msgValue[message_info].parameter.msgValue[spam_info].parameter.intValue[classification_reason] |
security_result.detection_fields[spam_info_classification_reason] |
If this log field value is equal to 1, then the security_result.detection_fields.key UDM field is set to spam_info_classification_reason and the security_result.detection_fields.value UDM field is set to 1 - Default spam classification reason.Else, if this log field value is equal to 2, then the security_result.detection_fields.key UDM field is set to spam_info_classification_reason and the security_result.detection_fields.value UDM field is set to 2 - Message classified because of sender's past actions.Else, if this log field value is equal to 3, then the security_result.detection_fields.key UDM field is set to spam_info_classification_reason and the security_result.detection_fields.value UDM field is set to 3 - Suspicious content.Else, if this log field value is equal to 4, then the security_result.detection_fields.key UDM field is set to spam_info_classification_reason and the security_result.detection_fields.value UDM field is set to 4 - Suspicious link.Else, if this log field value is equal to 5, then the security_result.detection_fields.key UDM field is set to spam_info_classification_reason and the security_result.detection_fields.value UDM field is set to 5 - Suspicious attachment.Else, if this log field value is equal to 6, then the security_result.detection_fields.key UDM field is set to spam_info_classification_reason and the security_result.detection_fields.value UDM field is set to 6 - Custom policy defined in Google Workspace Admin Console > Gmail settings.Else, if this log field value is equal to 7, then the security_result.detection_fields.key UDM field is set to spam_info_classification_reason and the security_result.detection_fields.value UDM field is set to 7 - DMARC.Else, if this log field value is equal to 8, then the security_result.detection_fields.key UDM field is set to spam_info_classification_reason and the security_result.detection_fields.value UDM field is set to 8 - Domain in public RBLs.Else, if this log field value is equal to 9, then the security_result.detection_fields.key UDM field is set to spam_info_classification_reason and the security_result.detection_fields.value UDM field is set to 9 - RFC standards violation.Else, if this log field value is equal to 10, then the security_result.detection_fields.key UDM field is set to spam_info_classification_reason and the security_result.detection_fields.value UDM field is set to 10 - Gmail policy violation.Else, if this log field value is equal to 11, then the security_result.detection_fields.key UDM field is set to spam_info_classification_reason and the security_result.detection_fields.value UDM field is set to 11 - Machine learning verdict.Else, if this log field value is equal to 12, then the security_result.detection_fields.key UDM field is set to spam_info_classification_reason and the security_result.detection_fields.value UDM field is set to 12 - Sender reputation.Else, if this log field value is equal to 13, then the security_result.detection_fields.key UDM field is set to spam_info_classification_reason and the security_result.detection_fields.value UDM field is set to 13 - Blatant spam.Else, if this log field value is equal to 14, then the security_result.detection_fields.key UDM field is set to spam_info_classification_reason and the security_result.detection_fields.value UDM field is set to 14 - Advanced phishing and malware protection. |
gmail |
events.parameters[delivery].msgValue[message_info].parameter.msgValue[spam_info].parameter.intValue[classification_timestamp_usec] |
security_result.detection_fields[spam_info_classification_timestamp_usec] |
|
gmail |
events.parameters[delivery].msgValue[message_info].parameter.msgValue[spam_info].parameter.boolValue[delayed_for_deepscan] |
security_result.detection_fields[spam_info_delayed_for_deepscan] |
|
gmail |
events.parameters[delivery].msgValue[message_info].parameter.msgValue[spam_info].parameter.intValue[disposition] |
security_result.detection_fields[spam_info_disposition] |
If this log field value is equal to 1, then the security_result.detection_fields.key UDM field is set to spam_info_disposition and the security_result.detection_fields.value UDM field is set to 1 - Message considered clean (not spam or malware).Else, if this log field value is equal to 2, then the security_result.detection_fields.key UDM field is set to spam_info_disposition and the security_result.detection_fields.value UDM field is set to 2 - Spam.Else, if this log field value is equal to 3, then the security_result.detection_fields.key UDM field is set to spam_info_disposition and the security_result.detection_fields.value UDM field is set to 3 - Phishing.Else, if this log field value is equal to 4, then the security_result.detection_fields.key UDM field is set to spam_info_disposition and the security_result.detection_fields.value UDM field is set to 4 - Suspicious.Else, if this log field value is equal to 5, then the security_result.detection_fields.key UDM field is set to spam_info_disposition and the security_result.detection_fields.value UDM field is set to 5 - Malware. |
gmail |
events.parameters[delivery].msgValue[message_info].parameter.msgValue[spam_info].parameter.value[ip_whitelist_entry] |
security_result.detection_fields[spam_info_ip_whitelist_entry] |
|
gmail |
events.parameters[delivery].msgValue[message_info].parameter.msgValue[spam_info].parameter.multiMsgValue[safety_settings_info].parameter.intValue[safety_settings_action] |
security_result.detection_fields[spam_info_safety_setting_action] |
|
gmail |
events.parameters[delivery].msgValue[message_info].parameter.msgValue[spam_info].parameter.multiMsgValue[safety_settings_info].parameter.intValue[safety_settings_condition] |
security_result.detection_fields[spam_info_safety_settings_condition] |
|
gmail |
events.parameters[delivery].msgValue[message_info].parameter.multiMsgValue[triggered_rule_info].parameter.multiMsgValue[string_match].parameter.value[attachment_name] |
security_result.detection_fields[triggered_rule_info_string_match_attachment_name] |
|
gmail |
events.parameters[delivery].msgValue[message_info].parameter.multiMsgValue[triggered_rule_info].parameter.multiMsgValue[string_match].parameter.value[matched_string] |
security_result.detection_fields[triggered_rule_info_string_match_matched_string] |
|
gmail |
events.parameters[delivery].msgValue[message_info].parameter.multiMsgValue[triggered_rule_info].parameter.multiMsgValue[string_match].parameter.intValue[source] |
security_result.detection_fields[triggered_rule_info_string_match_source] |
If this log field value is equal to 0, then the security_result.detection_fields.key UDM field is set to triggered_rule_info_string_match_source and the security_result.detection_fields.value UDM field is set to 0 - Unknown.Else, if this log field value is equal to 1, then the security_result.detection_fields.key UDM field is set to triggered_rule_info_string_match_source and the security_result.detection_fields.value UDM field is set to 1 - Message body or including text format attachments.Else, if this log field value is equal to 2, then the security_result.detection_fields.key UDM field is set to triggered_rule_info_string_match_source and the security_result.detection_fields.value UDM field is set to 2 - Binary format attachments.Else, if this log field value is equal to 3, then the security_result.detection_fields.key UDM field is set to triggered_rule_info_string_match_source and the security_result.detection_fields.value UDM field is set to 3 - Message headers.Else, if this log field value is equal to 4, then the security_result.detection_fields.key UDM field is set to triggered_rule_info_string_match_source and the security_result.detection_fields.value UDM field is set to 4 - Subject.Else, if this log field value is equal to 5, then the security_result.detection_fields.key UDM field is set to triggered_rule_info_string_match_source and the security_result.detection_fields.value UDM field is set to 5 - Sender header.Else, if this log field value is equal to 6, then the security_result.detection_fields.key UDM field is set to triggered_rule_info_string_match_source and the security_result.detection_fields.value UDM field is set to 6 - Recipient header.Else, if this log field value is equal to 7, then the security_result.detection_fields.key UDM field is set to triggered_rule_info_string_match_source and the security_result.detection_fields.value UDM field is set to 7 - Raw message. |
gmail |
events.parameters[delivery].msgValue[message_info].parameter.intValue[upload_error_category] |
security_result.detection_fields[upload_error_category] |
If this log field value is equal to 0, then the security_result.detection_fields.key UDM field is set to upload_error_category and the security_result.detection_fields.value UDM field is set to 0 - Uncategorized transient error.Else, if this log field value is equal to 1, then the security_result.detection_fields.key UDM field is set to upload_error_category and the security_result.detection_fields.value UDM field is set to 1 - Recipient account is too busy.Else, if this log field value is equal to 2, then the security_result.detection_fields.key UDM field is set to upload_error_category and the security_result.detection_fields.value UDM field is set to 2 - DNS error resolving recipient domain.Else, if this log field value is equal to 3, then the security_result.detection_fields.key UDM field is set to upload_error_category and the security_result.detection_fields.value UDM field is set to 3 - Recipient's server refused connection.Else, if this log field value is equal to 4, then the security_result.detection_fields.key UDM field is set to upload_error_category and the security_result.detection_fields.value UDM field is set to 4 - Recipient is out of storage. |
gmail |
events.parameters[delivery].msgValue[message_info].parameter.multiMsgValue[triggered_rule_info].parameter.intValue[rule_id] |
security_result.rule_id |
|
gmail |
events.parameters[delivery].msgValue[message_info].parameter.multiMsgValue[triggered_rule_info].parameter.multiMsgValue[consequence].parameter.intValue[action] |
security_result.rule_labels[triggered_rule_info_consequence_action] |
If this log field value is equal to 0, then the security_result.rule_labels.key UDM field is set to triggered_rule_info_consequence_action and the security_result.rule_labels.value UDM field is set to 0 - Consequence is a no-op.Else, if this log field value is equal to 3, then the security_result.rule_labels.key UDM field is set to triggered_rule_info_consequence_action and the security_result.rule_labels.value UDM field is set to 3 - Put message in Admin Quarantine.Else, if this log field value is equal to 4, then the security_result.rule_labels.key UDM field is set to triggered_rule_info_consequence_action and the security_result.rule_labels.value UDM field is set to 4 - Modify the primary delivery target.Else, if this log field value is equal to 5, then the security_result.rule_labels.key UDM field is set to triggered_rule_info_consequence_action and the security_result.rule_labels.value UDM field is set to 5 - Add a delivery target.Else, if this log field value is equal to 6, then the security_result.rule_labels.key UDM field is set to triggered_rule_info_consequence_action and the security_result.rule_labels.value UDM field is set to 6 - Added a message header.Else, if this log field value is equal to 7, then the security_result.rule_labels.key UDM field is set to triggered_rule_info_consequence_action and the security_result.rule_labels.value UDM field is set to 7 - Overwrite the envelope recipient.Else, if this log field value is equal to 9, then the security_result.rule_labels.key UDM field is set to triggered_rule_info_consequence_action and the security_result.rule_labels.value UDM field is set to 9 - Add message to specified message set.Else, if this log field value is equal to 10, then the security_result.rule_labels.key UDM field is set to triggered_rule_info_consequence_action and the security_result.rule_labels.value UDM field is set to 10 - Modify the message labels.Else, if this log field value is equal to 11, then the security_result.rule_labels.key UDM field is set to triggered_rule_info_consequence_action and the security_result.rule_labels.value UDM field is set to 11 - Prefix text to message subject.Else, if this log field value is equal to 12, then the security_result.rule_labels.key UDM field is set to triggered_rule_info_consequence_action and the security_result.rule_labels.value UDM field is set to 12 - Add a footer to the message.Else, if this log field value is equal to 13, then the security_result.rule_labels.key UDM field is set to triggered_rule_info_consequence_action and the security_result.rule_labels.value UDM field is set to 13 - Strip the message body.Else, if this log field value is equal to 14, then the security_result.rule_labels.key UDM field is set to triggered_rule_info_consequence_action and the 14 - Store a copy of the message in the user's mailbox or according to comprehensive mail storage setting. log field is mapped to the security_result.rule_labels.value UDM field.Else, if this log field value is equal to 15, then the security_result.rule_labels.key UDM field is set to triggered_rule_info_consequence_action and the security_result.rule_labels.value UDM field is set to 15 - Replace attachment with canned text.Else, if this log field value is equal to 16, then the security_result.rule_labels.key UDM field is set to triggered_rule_info_consequence_action and the security_result.rule_labels.value UDM field is set to 16 - Require secure message delivery.Else, if this log field value is equal to 17, then the security_result.rule_labels.key UDM field is set to triggered_rule_info_consequence_action and the security_result.rule_labels.value UDM field is set to 17 - Message can't be delivered and bounced.Else, if this log field value is equal to 18, then the security_result.rule_labels.key UDM field is set to triggered_rule_info_consequence_action and the security_result.rule_labels.value UDM field is set to 18 - Archive to Google Vault for recipients.Else, if this log field value is equal to 20, then the security_result.rule_labels.key UDM field is set to triggered_rule_info_consequence_action and the security_result.rule_labels.value UDM field is set to 20 - Encrypt outbound message using S/MIME.Else, if this log field value is equal to 21, then the security_result.rule_labels.key UDM field is set to triggered_rule_info_consequence_action and the 21 - Change the recipient user when message is received at SMTP. log field is mapped to the security_result.rule_labels.value UDM field. |
gmail |
events.parameters[delivery].msgValue[message_info].parameter.multiMsgValue[triggered_rule_info].parameter.multiMsgValue[consequence].parameter.value[reason] |
security_result.rule_labels[triggered_rule_info_consequence_reason] |
|
gmail |
events.parameters[delivery].msgValue[message_info].parameter.multiMsgValue[triggered_rule_info].parameter.multiMsgValue[consequence].parameter.multiMsgValue[subconsequence].parameter.value[action] |
security_result.rule_labels[triggered_rule_info_consequence_subconsequence_action] |
If this log field value is equal to 0, then the security_result.rule_labels.key UDM field is set to triggered_rule_info_consequence_subconsequence_action and the security_result.rule_labels.value UDM field is set to 0 - Consequence is a no-op.Else, if this log field value is equal to 3, then the security_result.rule_labels.key UDM field is set to triggered_rule_info_consequence_subconsequence_action and the security_result.rule_labels.value UDM field is set to 3 - Put message in Admin Quarantine.Else, if this log field value is equal to 4, then the security_result.rule_labels.key UDM field is set to triggered_rule_info_consequence_subconsequence_action and the security_result.rule_labels.value UDM field is set to 4 - Modify the primary delivery target.Else, if this log field value is equal to 5, then the security_result.rule_labels.key UDM field is set to triggered_rule_info_consequence_subconsequence_action and the security_result.rule_labels.value UDM field is set to 5 - Add a delivery target.Else, if this log field value is equal to 6, then the security_result.rule_labels.key UDM field is set to triggered_rule_info_consequence_subconsequence_action and the security_result.rule_labels.value UDM field is set to 6 - Added a message header.Else, if this log field value is equal to 7, then the security_result.rule_labels.key UDM field is set to triggered_rule_info_consequence_subconsequence_action and the security_result.rule_labels.value UDM field is set to 7 - Overwrite the envelope recipient.Else, if this log field value is equal to 9, then the security_result.rule_labels.key UDM field is set to triggered_rule_info_consequence_subconsequence_action and the security_result.rule_labels.value UDM field is set to 9 - Add message to specified message set.Else, if this log field value is equal to 10, then the security_result.rule_labels.key UDM field is set to triggered_rule_info_consequence_subconsequence_action and the security_result.rule_labels.value UDM field is set to 10 - Modify the message labels.Else, if this log field value is equal to 11, then the security_result.rule_labels.key UDM field is set to triggered_rule_info_consequence_subconsequence_action and the security_result.rule_labels.value UDM field is set to 11 - Prefix text to message subject.Else, if this log field value is equal to 12, then the security_result.rule_labels.key UDM field is set to triggered_rule_info_consequence_subconsequence_action and the security_result.rule_labels.value UDM field is set to 12 - Add a footer to the message.Else, if this log field value is equal to 13, then the security_result.rule_labels.key UDM field is set to triggered_rule_info_consequence_subconsequence_action and the security_result.rule_labels.value UDM field is set to 13 - Strip the message body.Else, if this log field value is equal to 14, then the security_result.rule_labels.key UDM field is set to triggered_rule_info_consequence_subconsequence_action and the 14 - Store a copy of the message in the user's mailbox or according to comprehensive mail storage setting. log field is mapped to the security_result.rule_labels.value UDM field.Else, if this log field value is equal to 15, then the security_result.rule_labels.key UDM field is set to triggered_rule_info_consequence_subconsequence_action and the security_result.rule_labels.value UDM field is set to 15 - Replace attachment with canned text.Else, if this log field value is equal to 16, then the security_result.rule_labels.key UDM field is set to triggered_rule_info_consequence_subconsequence_action and the security_result.rule_labels.value UDM field is set to 16 - Require secure message delivery.Else, if this log field value is equal to 17, then the security_result.rule_labels.key UDM field is set to triggered_rule_info_consequence_subconsequence_action and the security_result.rule_labels.value UDM field is set to 17 - Message can't be delivered and bounced.Else, if this log field value is equal to 18, then the security_result.rule_labels.key UDM field is set to triggered_rule_info_consequence_subconsequence_action and the security_result.rule_labels.value UDM field is set to 18 - Archive to Google Vault for recipients.Else, if this log field value is equal to 20, then the security_result.rule_labels.key UDM field is set to triggered_rule_info_consequence_subconsequence_action and the security_result.rule_labels.value UDM field is set to 20 - Encrypt outbound message using S/MIME.Else, if this log field value is equal to 21, then the security_result.rule_labels.key UDM field is set to triggered_rule_info_consequence_subconsequence_action and the 21 - Change the recipient user when message is received at SMTP. log field is mapped to the security_result.rule_labels.value UDM field. |
gmail |
events.parameters[delivery].msgValue[message_info].parameter.multiMsgValue[triggered_rule_info].parameter.multiMsgValue[consequence].parameter.multiMsgValue[subconsequence].parameter.value[reason] |
security_result.rule_labels[triggered_rule_info_consequence_subconsequence_reason] |
|
gmail |
events.parameters[delivery].msgValue[message_info].parameter.multiMsgValue[triggered_rule_info].parameter.intValue[policy_id] |
security_result.rule_labels[triggered_rule_info_policy_id] |
|
gmail |
events.parameters[delivery].msgValue[message_info].parameter.multiMsgValue[triggered_rule_info].parameter.value[spam_label_modifier] |
security_result.rule_labels[triggered_rule_info_spam_label_modifier] |
If this log field value is equal to 0, then the security_result.rule_labels.key UDM field is set to triggered_rule_info_spam_label_modifier and the 0 - No action—the rule honored the Gmail spam classification verdict. log field is mapped to the security_result.rule_labels.value UDM field.Else, if this log field value is equal to 1, then the security_result.rule_labels.key UDM field is set to triggered_rule_info_spam_label_modifier and the 1 - Spam—the rule classified the message as spam. log field is mapped to the security_result.rule_labels.value UDM field.Else, if this log field value is equal to 2, then the security_result.rule_labels.key UDM field is set to triggered_rule_info_spam_label_modifier and the 2 - Not spam—the rule classified the message as not spam. log field is mapped to the security_result.rule_labels.value UDM field. |
gmail |
events.parameters[delivery].msgValue[message_info].parameter.multiMsgValue[triggered_rule_info].parameter.multiMsgValue[string_match].parameter.value[match_expression] |
security_result.rule_labels[triggered_rule_info_string_match_match_expression] |
|
gmail |
events.parameters[delivery].msgValue[message_info].parameter.multiMsgValue[triggered_rule_info].parameter.multiMsgValue[string_match].parameter.value[predefined_detector_name] |
security_result.rule_labels[triggered_rule_info_string_match_predefined_detector_name] |
|
gmail |
events.parameters[delivery].msgValue[message_info].parameter.multiMsgValue[triggered_rule_info].parameter.multiMsgValue[string_match].parameter.intValue[type] |
security_result.rule_labels[triggered_rule_info_string_match_type] |
If this log field value is equal to 0, then the security_result.rule_labels.key UDM field is set to triggered_rule_info_string_match_type and the security_result.rule_labels.value UDM field is set to 0 - Undefined.Else, if this log field value is equal to 1, then the security_result.rule_labels.key UDM field is set to triggered_rule_info_string_match_type and the security_result.rule_labels.value UDM field is set to 1 - Regular expression match.Else, if this log field value is equal to 2, then the security_result.rule_labels.key UDM field is set to triggered_rule_info_string_match_type and the security_result.rule_labels.value UDM field is set to 2 - Predefined detector match.Else, if this log field value is equal to 3, then the security_result.rule_labels.key UDM field is set to triggered_rule_info_string_match_type and the security_result.rule_labels.value UDM field is set to 3 - Simple content match.Else, if this log field value is equal to 4, then the security_result.rule_labels.key UDM field is set to triggered_rule_info_string_match_type and the security_result.rule_labels.value UDM field is set to 4 - Non-ASCII match. |
gmail |
events.parameters[delivery].msgValue[message_info].parameter.multiMsgValue[triggered_rule_info].parameter.value[rule_name] |
security_result.rule_name |
|
gmail |
events.parameters[delivery].msgValue[message_info].parameter.multiMsgValue[triggered_rule_info].parameter.intValue[rule_type] |
security_result.rule_type |
If this log field value is equal to 0, then the security_result.rule_type UDM field is set to 0 - Walled garden.Else, if this log field value is equal to 7, then the security_result.rule_type UDM field is set to 7 - Objectionable content.Else, if this log field value is equal to 8, then the security_result.rule_type UDM field is set to 8 - Content compliance.Else, if this log field value is equal to 10, then the security_result.rule_type UDM field is set to 10 - Received mail routing.Else, if this log field value is equal to 11, then the security_result.rule_type UDM field is set to 11 - Sent mail routing.Else, if this log field value is equal to 12, then the security_result.rule_type UDM field is set to 12 - Spam override.Else, if this log field value is equal to 14, then the security_result.rule_type UDM field is set to 14 - Blocked senders.Else, if this log field value is equal to 15, then the security_result.rule_type UDM field is set to 15 - Append footer.Else, if this log field value is equal to 16, then the security_result.rule_type UDM field is set to 16 - Attachment compliance.Else, if this log field value is equal to 17, then the security_result.rule_type UDM field is set to 17 - TLS compliance.Else, if this log field value is equal to 18, then the security_result.rule_type UDM field is set to 18 - Domain default routing.Else, if this log field value is equal to 19, then the security_result.rule_type UDM field is set to 19 - Inbound email journal acceptance in Vault.Else, if this log field value is equal to 20, then the security_result.rule_type UDM field is set to 20 - Outbound relay.Else, if this log field value is equal to 21, then the security_result.rule_type UDM field is set to 21 - Quarantine summary.Else, if this log field value is equal to 22, then the security_result.rule_type UDM field is set to 22 - Alternate secure route.Else, if this log field value is equal to 23, then the security_result.rule_type UDM field is set to 23 - Alias table.Else, if this log field value is equal to 24, then the security_result.rule_type UDM field is set to 24 - Comprehensive mail storage.Else, if this log field value is equal to 25, then the security_result.rule_type UDM field is set to 25 - Routing rule.Else, if this log field value is equal to 26, then the security_result.rule_type UDM field is set to 26 - Inbound gateway.Else, if this log field value is equal to 27, then the security_result.rule_type UDM field is set to 27 - S/MIME.Else, if this log field value is equal to 28, then the security_result.rule_type UDM field is set to 28 - Third-party email archiving.Else, if this log field value is equal to 31, then the security_result.rule_type UDM field is set to 31 - S/MIME restrict delivery. |
gmail |
events.parameters[delivery].msgValue[message_info].parameter.msgValue[connection_info].parameter.multiMsgValue[authenticated_domain].parameter.value[name] |
about.domain.name |
|
gmail |
events.parameters[delivery].msgValue[message_info].parameter.multiMsgValue[attachment].parameter.value[file_extension_type] |
about.file.file_type |
about.file.file_type UDM field. |
gmail |
events.parameters[delivery].msgValue[message_info].parameter.multiMsgValue[attachment].parameter.value[file_extension_type] |
about.file.mime_type |
|
gmail |
events.parameters[delivery].msgValue[message_info].parameter.msgValue[structured_policy_log_info].parameter.multiMsgValue[detected_file_types].parameter.value[mime_type] |
about.file.mime_type |
|
gmail |
events.parameters[delivery].msgValue[message_info].parameter.multiMsgValue[attachment].parameter.value[sha256] |
about.file.sha256 |
|
gmail |
events.parameters[delivery].msgValue[message_info].parameter.msgValue[connection_info].parameter.value[ip_geo_city] |
about.ip_geo_artifact.location.city |
|
gmail |
events.parameters[delivery].msgValue[message_info].parameter.msgValue[connection_info].parameter.value[ip_geo_country] |
about.ip_geo_artifact.location.country_or_region |
|
gmail |
events.parameters[delivery].msgValue[message_info].parameter.intValue[action_type] |
about.labels[action_type] (deprecated) |
If this log field value is equal to 1, then the about.labels UDM field is set to 1 - Message received by inbound SMTP server.Else, if this log field value is equal to 2, then the about.labels UDM field is set to 2 - Message accepted by Gmail and prepared for delivery.Else, if this log field value is equal to 3, then the about.labels UDM field is set to 3 - Message was handled by Gmail.Else, if this log field value is equal to 10, then the about.labels UDM field is set to 10 - Message sent out by outbound SMTP server.Else, if this log field value is equal to 14, then the about.labels UDM field is set to 14 - A temporary error occurred when Gmail tried to deliver the message or and the message has been scheduled for retry.Else, if this log field value is equal to 18, then the about.labels UDM field is set to 18 - Message could not be delivered and bounced.Else, if this log field value is equal to 19, then the about.labels UDM field is set to 19 - Message was dropped by Gmail.Else, if this log field value is equal to 45, then the about.labels UDM field is set to 45 - Message was accepted for delivery by the Google Groups subsystem.Else, if this log field value is equal to 46, then the about.labels UDM field is set to 46 - Message's recipient address was a Google Group or and the recipient was expanded to each member of the Google Group that has message delivery enabled.Else, if this log field value is equal to 48, then the about.labels UDM field is set to 48 - Message received by inbound SMTP server for relay.Else, if this log field value is equal to 49, then the about.labels UDM field is set to 49 - Message sent through relay by outbound SMTP server.Else, if this log field value is equal to 51, then the about.labels UDM field is set to 51 - Message was written to Google Groups storage.Else, if this log field value is equal to 54, then the about.labels UDM field is set to 54 - Message was rejected by the Google Groups storage system.Else, if this log field value is equal to 55, then the about.labels UDM field is set to 55 - Message was re-inserted into Gmail by policies that modify the primary delivery route or envelope recipient.Else, if this log field value is equal to 68, then the about.labels UDM field is set to 68 - Message accepted by Gmail and prepared for delivery.Else, if this log field value is equal to 69, then the about.labels UDM field is set to 69 - A user changed the message's spam classification in Gmail.Else, if this log field value is equal to 70, then the about.labels UDM field is set to 70 - The message was reclassified as spam or phishing after it was delivered to Gmail.Else, if this log field value is equal to 71, then the about.labels UDM field is set to 71 - A user took an action in the inbox after receiving the message. Post-delivery actions include opening a message or clicking a link in a message or and downloading an attachment. BigQuery export doesn't provide details about the action. |
gmail |
events.parameters[delivery].msgValue[message_info].parameter.intValue[action_type] |
additional.fields[action_type] |
If this log field value is equal to 1, then the additional.fields UDM field is set to 1 - Message received by inbound SMTP server.Else, if this log field value is equal to 2, then the additional.fields UDM field is set to 2 - Message accepted by Gmail and prepared for delivery.Else, if this log field value is equal to 3, then the additional.fields UDM field is set to 3 - Message was handled by Gmail.Else, if this log field value is equal to 10, then the additional.fields UDM field is set to 10 - Message sent out by outbound SMTP server.Else, if this log field value is equal to 14, then the additional.fields UDM field is set to 14 - A temporary error occurred when Gmail tried to deliver the message or and the message has been scheduled for retry.Else, if this log field value is equal to 18, then the additional.fields UDM field is set to 18 - Message could not be delivered and bounced.Else, if this log field value is equal to 19, then the additional.fields UDM field is set to 19 - Message was dropped by Gmail.Else, if this log field value is equal to 45, then the additional.fields UDM field is set to 45 - Message was accepted for delivery by the Google Groups subsystem.Else, if this log field value is equal to 46, then the additional.fields UDM field is set to 46 - Message's recipient address was a Google Group or and the recipient was expanded to each member of the Google Group that has message delivery enabled.Else, if this log field value is equal to 48, then the additional.fields UDM field is set to 48 - Message received by inbound SMTP server for relay.Else, if this log field value is equal to 49, then the additional.fields UDM field is set to 49 - Message sent through relay by outbound SMTP server.Else, if this log field value is equal to 51, then the additional.fields UDM field is set to 51 - Message was written to Google Groups storage.Else, if this log field value is equal to 54, then the additional.fields UDM field is set to 54 - Message was rejected by the Google Groups storage system.Else, if this log field value is equal to 55, then the additional.fields UDM field is set to 55 - Message was re-inserted into Gmail by policies that modify the primary delivery route or envelope recipient.Else, if this log field value is equal to 68, then the additional.fields UDM field is set to 68 - Message accepted by Gmail and prepared for delivery.Else, if this log field value is equal to 69, then the additional.fields UDM field is set to 69 - A user changed the message's spam classification in Gmail.Else, if this log field value is equal to 70, then the additional.fields UDM field is set to 70 - The message was reclassified as spam or phishing after it was delivered to Gmail.Else, if this log field value is equal to 71, then the additional.fields UDM field is set to 71 - A user took an action in the inbox after receiving the message. Post-delivery actions include opening a message or clicking a link in a message or and downloading an attachment. BigQuery export doesn't provide details about the action. |
gmail |
events.parameters[delivery].msgValue[message_info].parameter.msgValue[connection_info].parameter.multiMsgValue[authenticated_domain].parameter.intValue[type] |
about.labels[authenticated_domain_type] (deprecated) |
If this log field value is equal to 1, then the about.labels UDM field is set to 1 - SPF.Else, if this log field value is equal to 2, then the about.labels UDM field is set to 2 - DKIM.Else, if this log field value is equal to 3, then the about.labels UDM field is set to 3 - DKIM_PROXY.Else, if this log field value is equal to 4, then the about.labels UDM field is set to 4 - XOAR_SPF.Else, if this log field value is equal to 5, then the about.labels UDM field is set to 5 - XOAR_DKIM.Else, if this log field value is equal to 6, then the about.labels UDM field is set to 6 - ARC_SPF.Else, if this log field value is equal to 7, then the about.labels UDM field is set to 7 - ARC_DKIM. |
gmail |
events.parameters[delivery].msgValue[message_info].parameter.msgValue[connection_info].parameter.multiMsgValue[authenticated_domain].parameter.intValue[type] |
additional.fields[authenticated_domain_type] |
If this log field value is equal to 1, then the additional.fields UDM field is set to 1 - SPF.Else, if this log field value is equal to 2, then the additional.fields UDM field is set to 2 - DKIM.Else, if this log field value is equal to 3, then the additional.fields UDM field is set to 3 - DKIM_PROXY.Else, if this log field value is equal to 4, then the additional.fields UDM field is set to 4 - XOAR_SPF.Else, if this log field value is equal to 5, then the additional.fields UDM field is set to 5 - XOAR_DKIM.Else, if this log field value is equal to 6, then the additional.fields UDM field is set to 6 - ARC_SPF.Else, if this log field value is equal to 7, then the additional.fields UDM field is set to 7 - ARC_DKIM. |
gmail |
events.parameters[delivery].msgValue[message_info].parameter.intValue[delivery_timestamp_usec] |
about.labels[delivery_timestamp_usec] (deprecated) |
|
gmail |
events.parameters[delivery].msgValue[message_info].parameter.intValue[delivery_timestamp_usec] |
additional.fields[delivery_timestamp_usec] |
|
gmail |
events.parameters[delivery].msgValue[message_info].parameter.msgValue[structured_policy_log_info].parameter.multiMsgValue[detected_file_types].parameter.intValue[category] |
about.labels[detected_file_types_category] (deprecated) |
If this log field value is equal to 1, then the about.labels UDM field is set to 1 - Unrecognized file type.Else, if this log field value is equal to 2, then the about.labels UDM field is set to 2 - Microsoft Office documents, including word processing, spreadsheet, presentation, and database documents. Includes PDF files. The file might or might not be encrypted.Else, if this log field value is equal to 3, then the about.labels UDM field is set to 3 - Video and multimedia, for example, MPEG, Quicktime, WMV.Else, if this log field value is equal to 4, then the about.labels UDM field is set to 4 - Music and audio, for example, MP3, AAC, WAV.Else, if this log field value is equal to 5, then the about.labels UDM field is set to 5 - Images, for example, JPEG, BMP, GIF.Else, if this log field value is equal to 6, then the about.labels UDM field is set to 6 - Archives, for example, ZIP, TAR, TGZ.Else, if this log field value is equal to 7, then the about.labels UDM field is set to 7 - Executables, for example EXE, COM, JS.Else, if this log field value is equal to 8, then the about.labels UDM field is set to 8 - Office documents that are encrypted.Else, if this log field value is equal to 9, then the about.labels UDM field is set to 9 - Office documents that are not encrypted. |
gmail |
events.parameters[delivery].msgValue[message_info].parameter.msgValue[structured_policy_log_info].parameter.multiMsgValue[detected_file_types].parameter.intValue[category] |
additional.fields[detected_file_types_category] |
If this log field value is equal to 1, then the additional.fields UDM field is set to 1 - Unrecognized file type.Else, if this log field value is equal to 2, then the additional.fields UDM field is set to 2 - Microsoft Office documents, including word processing, spreadsheet, presentation, and database documents. Includes PDF files. The file might or might not be encrypted.Else, if this log field value is equal to 3, then the additional.fields UDM field is set to 3 - Video and multimedia, for example, MPEG, Quicktime, WMV.Else, if this log field value is equal to 4, then the additional.fields UDM field is set to 4 - Music and audio, for example, MP3, AAC, WAV.Else, if this log field value is equal to 5, then the additional.fields UDM field is set to 5 - Images, for example, JPEG, BMP, GIF.Else, if this log field value is equal to 6, then the additional.fields UDM field is set to 6 - Archives, for example, ZIP, TAR, TGZ.Else, if this log field value is equal to 7, then the additional.fields UDM field is set to 7 - Executables, for example EXE, COM, JS.Else, if this log field value is equal to 8, then the additional.fields UDM field is set to 8 - Office documents that are encrypted.Else, if this log field value is equal to 9, then the additional.fields UDM field is set to 9 - Office documents that are not encrypted. |
gmail |
events.parameters[delivery].msgValue[message_info].parameter.msgValue[connection_info].parameter.boolValue[dkim_pass] |
about.labels[dkim_pass] (deprecated) |
|
gmail |
events.parameters[delivery].msgValue[message_info].parameter.msgValue[connection_info].parameter.boolValue[dkim_pass] |
additional.fields[dkim_pass] |
|
gmail |
events.parameters[delivery].msgValue[message_info].parameter.msgValue[connection_info].parameter.boolValue[dmarc_pass] |
about.labels[dmarc_pass] (deprecated) |
|
gmail |
events.parameters[delivery].msgValue[message_info].parameter.msgValue[connection_info].parameter.boolValue[dmarc_pass] |
additional.fields[dmarc_pass] |
|
gmail |
events.parameters[delivery].msgValue[message_info].parameter.msgValue[connection_info].parameter.value[dmarc_published_domain] |
about.labels[dmarc_published_domain] (deprecated) |
|
gmail |
events.parameters[delivery].msgValue[message_info].parameter.msgValue[connection_info].parameter.value[dmarc_published_domain] |
additional.fields[dmarc_published_domain] |
|
gmail |
events.parameters[delivery].msgValue[message_info].parameter.msgValue[structured_policy_log_info].parameter.msgValue[exchange_journal_info].parameter.multiStrValue[recipients] |
about.labels[exchange_journal_info_recipients] (deprecated) |
|
gmail |
events.parameters[delivery].msgValue[message_info].parameter.msgValue[structured_policy_log_info].parameter.msgValue[exchange_journal_info].parameter.multiStrValue[recipients] |
additional.fields[exchange_journal_info_recipients] |
|
gmail |
events.parameters[delivery].msgValue[message_info].parameter.msgValue[structured_policy_log_info].parameter.msgValue[exchange_journal_info].parameter.value[rfc822_message_id] |
about.labels[exchange_journal_info_rfc822_message_id] (deprecated) |
|
gmail |
events.parameters[delivery].msgValue[message_info].parameter.msgValue[structured_policy_log_info].parameter.msgValue[exchange_journal_info].parameter.value[rfc822_message_id] |
additional.fields[exchange_journal_info_rfc822_message_id] |
|
gmail |
events.parameters[delivery].msgValue[message_info].parameter.msgValue[structured_policy_log_info].parameter.msgValue[exchange_journal_info].parameter.intValue[timestamp] |
about.labels[exchange_journal_info_timestamp] (deprecated) |
|
gmail |
events.parameters[delivery].msgValue[message_info].parameter.msgValue[structured_policy_log_info].parameter.msgValue[exchange_journal_info].parameter.intValue[timestamp] |
additional.fields[exchange_journal_info_timestamp] |
|
gmail |
events.parameters[delivery].msgValue[message_info].parameter.msgValue[structured_policy_log_info].parameter.msgValue[exchange_journal_info].parameter.multiStrValue[unknown_recipients] |
about.labels[exchange_journal_info_unknown_recipients] (deprecated) |
|
gmail |
events.parameters[delivery].msgValue[message_info].parameter.msgValue[structured_policy_log_info].parameter.msgValue[exchange_journal_info].parameter.multiStrValue[unknown_recipients] |
additional.fields[exchange_journal_info_unknown_recipients] |
|
gmail |
events.parameters[delivery].msgValue[message_info].parameter.intValue[internal_message_id] |
about.labels[internal_message_id] (deprecated) |
|
gmail |
events.parameters[delivery].msgValue[message_info].parameter.intValue[internal_message_id] |
additional.fields[internal_message_id] |
|
gmail |
events.parameters[delivery].msgValue[message_info].parameter.multiStrValue[link_domain] |
about.labels[link_domain] (deprecated) |
|
gmail |
events.parameters[delivery].msgValue[message_info].parameter.multiStrValue[link_domain] |
additional.fields[link_domain] |
|
gmail |
events.parameters[delivery].msgValue[message_info].parameter.multiMsgValue[message_set].parameter.intValue[type] |
about.labels[message_set_type] (deprecated) |
If this log field value is equal to 1, then the about.labels UDM field is set to 1 - Message is inbound (received from outside your domains). This message set doesn't appear with message set 10.Else, if this log field value is equal to 2, then the about.labels UDM field is set to 2 - Message is outbound (sent to a recipient outside your domains). This message set doesn't appear with message set 10.Else, if this log field value is equal to 4, then the about.labels UDM field is set to 4 - Message contains objectionable content, as defined by one of your policies.Else, if this log field value is equal to 6, then the about.labels UDM field is set to 6 - Message triggered the walled garden rule you configured that restricts messages to authorized addresses or domains.Else, if this log field value is equal to 7, then the about.labels UDM field is set to 7 - Gmail classified the message as spam.Else, if this log field value is equal to 8, then the about.labels UDM field is set to 8 - Message being sent (outgoing message).Else, if this log field value is equal to 9, then the about.labels UDM field is set to 9 - Message being received (incoming message).Else, if this log field value is equal to 10, then the about.labels UDM field is set to 10 - Message that is internal to your domains.Else, if this log field value is equal to 11, then the about.labels UDM field is set to 11 - Message has a sender or recipients outside your domains.Else, if this log field value is equal to 12, then the about.labels UDM field is set to 12 - Message has some recipients inside your domain and some recipients outside your domain. This message set might appear when:Else, if this log field value is equal to 13, then the about.labels UDM field is set to 13 - The type of the message set is unknown.Else, if this log field value is equal to 15, then the about.labels UDM field is set to 15 - The policy being checked against is tied to a Gmail user.Else, if this log field value is equal to 18, then the about.labels UDM field is set to 18 - Message doesn't have a default route.Else, if this log field value is equal to 19, then the about.labels UDM field is set to 19 - The address list you configured for domain default routing matches the correspondent of the message.Else, if this log field value is equal to 20, then the about.labels UDM field is set to 20 - Message is from an address in your blocked senders list.Else, if this log field value is equal to 21, then the about.labels UDM field is set to 21 - Message was sent over TLS and the SSL certificate is valid.Else, if this log field value is equal to 22, then the about.labels UDM field is set to 22 - Message was sent over TLS.Else, if this log field value is equal to 24, then the about.labels UDM field is set to 24 - The recipient of this message is unknown.Else, if this log field value is equal to 25, then the about.labels UDM field is set to 25 - Message is a non-delivery report responding to a message that was not delivered.Else, if this log field value is equal to 26, then the about.labels UDM field is set to 26 - Message triggered a rerouting rule, which you configured in domain default routing.Else, if this log field value is equal to 27, then the about.labels UDM field is set to 27 - Sender successfully passed SPF/DKIM/DMARC authentication. If the sender isn't authenticated, the sender domain is untrusted and the message is not considered internal.Else, if this log field value is equal to 28, then the about.labels UDM field is set to 28 - Exchange journal is archiving the message to Google Vault.Else, if this log field value is equal to 29, then the about.labels UDM field is set to 29 - Message was routed through SMTP relay.Else, if this log field value is equal to 30, then the about.labels UDM field is set to 30 - A recipient of the message matched one of the enumerated recipients (instead of a regular expression pattern) you configured for domain routing, or domain default routing.Else, if this log field value is equal to 31, then the about.labels UDM field is set to 31 - Message matched a domain default routing condition you configured.Else, if this log field value is equal to 32, then the about.labels UDM field is set to 32 - Message was created from an Exchange journal message for archiving to Google Vault.Else, if this log field value is equal to 33, then the about.labels UDM field is set to 33 - Message has to be transmitted through a secure connection, such as TLS.Else, if this log field value is equal to 34, then the about.labels UDM field is set to 34 - The policy being checked against is tied to a group instead of an individual Gmail user.Else, if this log field value is equal to 35, then the about.labels UDM field is set to 35 - Message could not be authenticated in SMTP relay because it has an empty SMTP envelope-from address or is possibly an Exchange Journal message. It will be checked later at SMTP RCPT command time.Else, if this log field value is equal to 36, then the about.labels UDM field is set to 36 - Message has aggressive spam filtering enabled.Else, if this log field value is equal to 37, then the about.labels UDM field is set to 37 - Message is authenticated for SMTP relay.Else, if this log field value is equal to 39, then the about.labels UDM field is set to 39 - Sender is from an authenticated domain for relay.Else, if this log field value is equal to 40, then the about.labels UDM field is set to 40 - Message is from a Google Workspace user in the domain being authenticated for relay.Else, if this log field value is equal to 41, then the about.labels UDM field is set to 41 - Sender has successfully authenticated with SMTP AUTH, and Gmail is trying to authenticate SMTP relay for the sender's domain.Else, if this log field value is equal to 42, then the about.labels UDM field is set to 42 - Message was sent from an address that isn't authenticated.Else, if this log field value is equal to 43, then the about.labels UDM field is set to 43 - Message was rerouted through an alias table.Else, if this log field value is equal to 44, then the about.labels UDM field is set to 44 - Message triggered a rule that changes the route of the mail flow.Else, if this log field value is equal to 45, then the about.labels UDM field is set to 45 - Message is to a catch-all account and is being relayed to an on-premise server. System-of-record policies won't be applied to it.Else, if this log field value is equal to 46, then the about.labels UDM field is set to 46 - Message bypassed the spam filter.Else, if this log field value is equal to 47, then the about.labels UDM field is set to 47 - Message was detected to be spam by tag-and-deliver information in the inbound gateway settings.Else, if this log field value is equal to 48, then the about.labels UDM field is set to 48 - Message was not checked for spam (by SMTP) due to a spam-override policy.Else, if this log field value is equal to 49, then the about.labels UDM field is set to 49 - Always override spam rejection for the message.Else, if this log field value is equal to 50, then the about.labels UDM field is set to 50 - Message matches a domain routing condition you configured.Else, if this log field value is equal to 51, then the about.labels UDM field is set to 51 - Message triggered a rerouting rule that you configured for domain routing.Else, if this log field value is equal to 55, then the about.labels UDM field is set to 55 - Message was created by the Exchange Journal generation setting.Else, if this log field value is equal to 57, then the about.labels UDM field is set to 57 - Message was received from an inbound gateway rule that you configured.Else, if this log field value is equal to 60, then the about.labels UDM field is set to 60 - Message is protected with Gmail confidential mode.Else, if this log field value is equal to 61, then the about.labels UDM field is set to 61 - Message was caught by Security sandbox.Else, if this log field value is equal to 62, then the about.labels UDM field is set to 62 - The address list you configured for domain default routing matches the SMTP envelope recipient instead of the correspondent of the message.Else, if this log field value is equal to 63, then the about.labels UDM field is set to 63 - Message triggered a domain-level rerouting rule, which you configured for domain routing, or domain default routing. |
gmail |
events.parameters[delivery].msgValue[message_info].parameter.multiMsgValue[message_set].parameter.intValue[type] |
additional.fields[message_set_type] |
If this log field value is equal to 1, then the additional.fields UDM field is set to 1 - Message is inbound (received from outside your domains). This message set doesn't appear with message set 10.Else, if this log field value is equal to 2, then the additional.fields UDM field is set to 2 - Message is outbound (sent to a recipient outside your domains). This message set doesn't appear with message set 10.Else, if this log field value is equal to 4, then the additional.fields UDM field is set to 4 - Message contains objectionable content, as defined by one of your policies.Else, if this log field value is equal to 6, then the additional.fields UDM field is set to 6 - Message triggered the walled garden rule you configured that restricts messages to authorized addresses or domains.Else, if this log field value is equal to 7, then the additional.fields UDM field is set to 7 - Gmail classified the message as spam.Else, if this log field value is equal to 8, then the additional.fields UDM field is set to 8 - Message being sent (outgoing message).Else, if this log field value is equal to 9, then the additional.fields UDM field is set to 9 - Message being received (incoming message).Else, if this log field value is equal to 10, then the additional.fields UDM field is set to 10 - Message that is internal to your domains.Else, if this log field value is equal to 11, then the additional.fields UDM field is set to 11 - Message has a sender or recipients outside your domains.Else, if this log field value is equal to 12, then the additional.fields UDM field is set to 12 - Message has some recipients inside your domain and some recipients outside your domain. This message set might appear when:Else, if this log field value is equal to 13, then the additional.fields UDM field is set to 13 - The type of the message set is unknown.Else, if this log field value is equal to 15, then the additional.fields UDM field is set to 15 - The policy being checked against is tied to a Gmail user.Else, if this log field value is equal to 18, then the additional.fields UDM field is set to 18 - Message doesn't have a default route.Else, if this log field value is equal to 19, then the additional.fields UDM field is set to 19 - The address list you configured for domain default routing matches the correspondent of the message.Else, if this log field value is equal to 20, then the additional.fields UDM field is set to 20 - Message is from an address in your blocked senders list.Else, if this log field value is equal to 21, then the additional.fields UDM field is set to 21 - Message was sent over TLS and the SSL certificate is valid.Else, if this log field value is equal to 22, then the additional.fields UDM field is set to 22 - Message was sent over TLS.Else, if this log field value is equal to 24, then the additional.fields UDM field is set to 24 - The recipient of this message is unknown.Else, if this log field value is equal to 25, then the additional.fields UDM field is set to 25 - Message is a non-delivery report responding to a message that was not delivered.Else, if this log field value is equal to 26, then the additional.fields UDM field is set to 26 - Message triggered a rerouting rule, which you configured in domain default routing.Else, if this log field value is equal to 27, then the additional.fields UDM field is set to 27 - Sender successfully passed SPF/DKIM/DMARC authentication. If the sender isn't authenticated, the sender domain is untrusted and the message is not considered internal.Else, if this log field value is equal to 28, then the additional.fields UDM field is set to 28 - Exchange journal is archiving the message to Google Vault.Else, if this log field value is equal to 29, then the additional.fields UDM field is set to 29 - Message was routed through SMTP relay.Else, if this log field value is equal to 30, then the additional.fields UDM field is set to 30 - A recipient of the message matched one of the enumerated recipients (instead of a regular expression pattern) you configured for domain routing, or domain default routing.Else, if this log field value is equal to 31, then the additional.fields UDM field is set to 31 - Message matched a domain default routing condition you configured.Else, if this log field value is equal to 32, then the additional.fields UDM field is set to 32 - Message was created from an Exchange journal message for archiving to Google Vault.Else, if this log field value is equal to 33, then the additional.fields UDM field is set to 33 - Message has to be transmitted through a secure connection, such as TLS.Else, if this log field value is equal to 34, then the additional.fields UDM field is set to 34 - The policy being checked against is tied to a group instead of an individual Gmail user.Else, if this log field value is equal to 35, then the additional.fields UDM field is set to 35 - Message could not be authenticated in SMTP relay because it has an empty SMTP envelope-from address or is possibly an Exchange Journal message. It will be checked later at SMTP RCPT command time.Else, if this log field value is equal to 36, then the additional.fields UDM field is set to 36 - Message has aggressive spam filtering enabled.Else, if this log field value is equal to 37, then the additional.fields UDM field is set to 37 - Message is authenticated for SMTP relay.Else, if this log field value is equal to 39, then the additional.fields UDM field is set to 39 - Sender is from an authenticated domain for relay.Else, if this log field value is equal to 40, then the additional.fields UDM field is set to 40 - Message is from a Google Workspace user in the domain being authenticated for relay.Else, if this log field value is equal to 41, then the additional.fields UDM field is set to 41 - Sender has successfully authenticated with SMTP AUTH, and Gmail is trying to authenticate SMTP relay for the sender's domain.Else, if this log field value is equal to 42, then the additional.fields UDM field is set to 42 - Message was sent from an address that isn't authenticated.Else, if this log field value is equal to 43, then the additional.fields UDM field is set to 43 - Message was rerouted through an alias table.Else, if this log field value is equal to 44, then the additional.fields UDM field is set to 44 - Message triggered a rule that changes the route of the mail flow.Else, if this log field value is equal to 45, then the additional.fields UDM field is set to 45 - Message is to a catch-all account and is being relayed to an on-premise server. System-of-record policies won't be applied to it.Else, if this log field value is equal to 46, then the additional.fields UDM field is set to 46 - Message bypassed the spam filter.Else, if this log field value is equal to 47, then the additional.fields UDM field is set to 47 - Message was detected to be spam by tag-and-deliver information in the inbound gateway settings.Else, if this log field value is equal to 48, then the additional.fields UDM field is set to 48 - Message was not checked for spam (by SMTP) due to a spam-override policy.Else, if this log field value is equal to 49, then the additional.fields UDM field is set to 49 - Always override spam rejection for the message.Else, if this log field value is equal to 50, then the additional.fields UDM field is set to 50 - Message matches a domain routing condition you configured.Else, if this log field value is equal to 51, then the additional.fields UDM field is set to 51 - Message triggered a rerouting rule that you configured for domain routing.Else, if this log field value is equal to 55, then the additional.fields UDM field is set to 55 - Message was created by the Exchange Journal generation setting.Else, if this log field value is equal to 57, then the additional.fields UDM field is set to 57 - Message was received from an inbound gateway rule that you configured.Else, if this log field value is equal to 60, then the additional.fields UDM field is set to 60 - Message is protected with Gmail confidential mode.Else, if this log field value is equal to 61, then the additional.fields UDM field is set to 61 - Message was caught by Security sandbox.Else, if this log field value is equal to 62, then the additional.fields UDM field is set to 62 - The address list you configured for domain default routing matches the SMTP envelope recipient instead of the correspondent of the message.Else, if this log field value is equal to 63, then the additional.fields UDM field is set to 63 - Message triggered a domain-level rerouting rule, which you configured for domain routing, or domain default routing. |
gmail |
events.parameters[delivery].msgValue[message_info].parameter.intValue[moderation_reason] |
about.labels[moderation_reason] (deprecated) |
|
gmail |
events.parameters[delivery].msgValue[message_info].parameter.intValue[moderation_reason] |
additional.fields[moderation_reason] |
|
gmail |
events.parameters[delivery].msgValue[message_info].parameter.intValue[moderation_status] |
about.labels[moderation_status] (deprecated) |
|
gmail |
events.parameters[delivery].msgValue[message_info].parameter.intValue[moderation_status] |
additional.fields[moderation_status] |
|
gmail |
events.parameters[delivery].msgValue[message_info].parameter.intValue[num_message_attachments] |
about.labels[num_message_attachments] (deprecated) |
|
gmail |
events.parameters[delivery].msgValue[message_info].parameter.intValue[num_message_attachments] |
additional.fields[num_message_attachments] |
|
gmail |
events.parameters[delivery].msgValue[message_info].parameter.intValue[sequence_number] |
about.labels[sequence_number] (deprecated) |
|
gmail |
events.parameters[delivery].msgValue[message_info].parameter.intValue[sequence_number] |
additional.fields[sequence_number] |
|
gmail |
events.parameters[delivery].msgValue[message_info].parameter.intValue[smime_content_type] |
about.labels[smime_content_type] (deprecated) |
If this log field value is equal to 0, then the about.labels UDM field is set to 0 - Message does not have a recognized S/MIME Content-Type.Else, if this log field value is equal to 1, then the about.labels UDM field is set to 1 - An S/MIME message with a detached signature Indicated by content type multipart/signed with parameter protocol=application/pkcs7-signature.Else, if this log field value is equal to 2, then the about.labels UDM field is set to 2 - An S/MIME message with an opaque signature Indicated by content type application/pkcs7-mime or application/x-pkcs7-mime with parameter smime-type=signed-data.Else, if this log field value is equal to 3, then the about.labels UDM field is set to 3 - An S/MIME message that is encrypted Indicated by content type application/pkcs7-mime or application/x-pkcs7-mime with parameter smime-type=enveloped-data.Else, if this log field value is equal to 4, then the about.labels UDM field is set to 4 - An S/MIME message that is compressed Indicated by content type application/pkcs7-mime or application/x-pkcs7-mime with parameter smime-type=compressed-data. |
gmail |
events.parameters[delivery].msgValue[message_info].parameter.intValue[smime_content_type] |
additional.fields[smime_content_type] |
If this log field value is equal to 0, then the additional.fields UDM field is set to 0 - Message does not have a recognized S/MIME Content-Type.Else, if this log field value is equal to 1, then the additional.fields UDM field is set to 1 - An S/MIME message with a detached signature Indicated by content type multipart/signed with parameter protocol=application/pkcs7-signature.Else, if this log field value is equal to 2, then the additional.fields UDM field is set to 2 - An S/MIME message with an opaque signature Indicated by content type application/pkcs7-mime or application/x-pkcs7-mime with parameter smime-type=signed-data.Else, if this log field value is equal to 3, then the additional.fields UDM field is set to 3 - An S/MIME message that is encrypted Indicated by content type application/pkcs7-mime or application/x-pkcs7-mime with parameter smime-type=enveloped-data.Else, if this log field value is equal to 4, then the additional.fields UDM field is set to 4 - An S/MIME message that is compressed Indicated by content type application/pkcs7-mime or application/x-pkcs7-mime with parameter smime-type=compressed-data. |
gmail |
events.parameters[delivery].msgValue[message_info].parameter.boolValue[smime_encrypt_message] |
about.labels[smime_encrypt_message] (deprecated) |
|
gmail |
events.parameters[delivery].msgValue[message_info].parameter.boolValue[smime_encrypt_message] |
additional.fields[smime_encrypt_message] |
|
gmail |
events.parameters[delivery].msgValue[message_info].parameter.boolValue[smime_extraction_success] |
about.labels[smime_extraction_success] (deprecated) |
|
gmail |
events.parameters[delivery].msgValue[message_info].parameter.boolValue[smime_extraction_success] |
additional.fields[smime_extraction_success] |
|
gmail |
events.parameters[delivery].msgValue[message_info].parameter.boolValue[smime_packaging_success] |
about.labels[smime_packaging_success] (deprecated) |
|
gmail |
events.parameters[delivery].msgValue[message_info].parameter.boolValue[smime_packaging_success] |
additional.fields[smime_packaging_success] |
|
gmail |
events.parameters[delivery].msgValue[message_info].parameter.boolValue[smime_sign_message] |
about.labels[smime_sign_message] (deprecated) |
|
gmail |
events.parameters[delivery].msgValue[message_info].parameter.boolValue[smime_sign_message] |
additional.fields[smime_sign_message] |
|
gmail |
events.parameters[delivery].msgValue[message_info].parameter.msgValue[connection_info].parameter.boolValue[spf_pass] |
about.labels[spf_pass] (deprecated) |
|
gmail |
events.parameters[delivery].msgValue[message_info].parameter.msgValue[connection_info].parameter.boolValue[spf_pass] |
additional.fields[spf_pass] |
|
gmail |
events.parameters[delivery].msgValue[message_info].parameter.msgValue[connection_info].parameter.boolValue[tls_required_but_unavailable] |
about.labels[tls_required_but_unavailable] (deprecated) |
|
gmail |
events.parameters[delivery].msgValue[message_info].parameter.msgValue[connection_info].parameter.boolValue[tls_required_but_unavailable] |
additional.fields[tls_required_but_unavailable] |
Référence de mappage de champs: types de journaux WORKSPACE_ALERTS sur le type d'événement UDM
Le tableau suivant répertorie les types de journaux WORKSPACE_ALERTS et les types d'événements UDM correspondants.
| Event Identifier | Event Type | Security Category |
|---|---|---|
Customer takeout initiated |
STATUS_UPDATE |
|
Malware reclassification |
EMAIL_TRANSACTION |
MAIL_PHISHING |
Misconfigured whitelist |
EMAIL_TRANSACTION |
MAIL_PHISHING |
Phishing reclassification |
EMAIL_TRANSACTION |
MAIL_PHISHING |
Suspicious message reported |
EMAIL_TRANSACTION |
MAIL_PHISHING |
User reported phishing |
EMAIL_TRANSACTION |
MAIL_PHISHING |
User reported spam spike |
EMAIL_TRANSACTION |
MAIL_PHISHING |
Leaked password |
USER_LOGIN |
ACL_VIOLATION |
Suspicious login |
USER_LOGIN |
ACL_VIOLATION |
Suspicious login (less secure app) |
USER_LOGIN |
ACL_VIOLATION |
Suspicious programmatic login |
USER_LOGIN |
ACL_VIOLATION |
User suspended |
USER_UNCATEGORIZED |
ACL_VIOLATION |
User suspended (spam) |
USER_UNCATEGORIZED |
ACL_VIOLATION |
User suspended (spam through relay) |
USER_UNCATEGORIZED |
ACL_VIOLATION |
User suspended (suspicious activity) |
USER_UNCATEGORIZED |
ACL_VIOLATION |
Google Operations |
STATUS_UPDATE |
|
Configuration problem |
STATUS_UNCATEGORIZED |
|
Government attack warning |
STATUS_UNCATEGORIZED |
|
Device compromised |
GENERIC_EVENT |
|
Suspicious activity |
USER_UNCATEGORIZED |
|
AppMaker Default Cloud SQL setup |
USER_RESOURCE_ACCESS |
|
Activity Rule |
STATUS_UNCATEGORIZED / USER_UNCATEGORIZED / EMAIL_UNCATEGORIZED |
POLICY_VIOLATION |
Data Loss Prevention |
USER_UNCATEGORIZED |
POLICY_VIOLATION |
Apps outage |
STATUS_UPDATE |
|
Primary admin changed |
USER_UNCATEGORIZED |
|
SSO profile added |
USER_RESOURCE_CREATION |
|
SSO profile updated |
USER_RESOURCE_UPDATE_CONTENT |
|
SSO profile deleted |
USER_RESOURCE_DELETION |
|
Super admin password reset |
USER_CHANGE_PASSWORD |
|
User deleted |
USER_DELETION |
|
New user added |
USER_CREATION |
|
User password changed |
USER_CHANGE_PASSWORD |
|
Users Admin privilege revoked |
USER_CHANGE_PERMISSIONS |
|
Suspended user made active |
USER_UNCATEGORIZED |
|
User granted Admin privilege |
USER_CHANGE_PERMISSIONS |
|
User suspended (Administrator email alert) |
USER_UNCATEGORIZED |
|
Drive settings changed |
USER_RESOURCE_ACCESS |
|
Calendar settings changed |
USER_RESOURCE_ACCESS |
|
Reporting Rule |
STATUS_UPDATE |
Documentation de référence sur le mappage des champs : WORKSPACE_ALERTS
Le tableau suivant répertorie les champs de journal du type de journal WORKSPACE_ALERTS et les champs UDM correspondants.
| Log field | UDM mapping | Logic |
|---|---|---|
data.domainId.customerPrimaryDomain |
about.administrative_domain |
|
data.messages.attachmentsSha256Hash |
about.file.sha256 |
|
data.mergeInfo.newAlertId |
about.labels[new_alert_id] (deprecated) |
|
data.mergeInfo.newAlertId |
additional.fields[new_alert_id] |
|
data.mergeInfo.newIncidentTrackingId |
about.labels[new_incident_tracking_id] (deprecated) |
|
data.mergeInfo.newIncidentTrackingId |
additional.fields[new_incident_tracking_id] |
|
data.nextUpdateTime |
about.labels[next_update_time] (deprecated) |
|
data.nextUpdateTime |
additional.fields[next_update_time] |
|
data.resolutionTime |
about.labels[resolution_time] (deprecated) |
|
data.resolutionTime |
additional.fields[resolution_time] |
|
data.status |
about.labels[status] (deprecated) |
|
data.status |
additional.fields[status] |
|
data.incidentTrackingId |
about.labels[tracking_id] (deprecated) |
|
data.incidentTrackingId |
additional.fields[tracking_id] |
|
customerId |
about.resource.product_object_id |
If the customerId log field value is not empty, then the customerId log field is mapped to the about.resource.product_object_id UDM field.Else, the metadata.customerId log field is mapped to the about.resource.product_object_id UDM field. |
metadata.customerId |
about.resource.product_object_id |
If the customerId log field value is not empty, then the customerId log field is mapped to the about.resource.product_object_id UDM field.Else, the metadata.customerId log field is mapped to the about.resource.product_object_id UDM field. |
about.resource.resource_type |
The about.resource.resource_type UDM field is set to CLOUD_ORGANIZATION. | |
data.dashboardUri |
about.url |
|
data.attachmentData.csv.dataRows.entries |
additional.fields.entries |
|
data.attachmentData.csv.headers |
additional.fields.header |
|
event.idm.is_alert |
The event.idm.is_alert UDM field is set to TRUE. | |
event.idm.is_significant |
If the data.@type log field value is equal to ActivityRule and the metadata.severity log field value is equal to HIGH, then the event.idm.is_significant UDM field is set to true. | |
extensions.auth.mechanism |
If the data.@type log field value is equal to AccountWarning, then the extensions.auth.mechanism UDM field is set to USERNAME_PASSWORD. | |
extensions.auth.type |
If the data.@type log field value is equal to AccountWarning, then the extensions.auth.type UDM field is set to SSO. | |
data.description |
metadata.description |
|
createTime |
metadata.event_timestamp |
|
data.@type |
metadata.product_event_type |
|
etag |
metadata.product_log_id |
If the etag log field value is not empty, then the etag log field is mapped to the metadata.product_log_id UDM field.Else, the alertId log field is mapped to the metadata.product_log_id UDM field. |
metadata.etag |
metadata.product_log_id |
If the metadata.etag log field value is not empty, then the metadata.etag log field is mapped to the metadata.product_log_id UDM field.Else, the alertId log field is mapped to the metadata.product_log_id UDM field. |
metadata.product_name |
The metadata.product_name UDM field is set to WORKSPACE_ALERTS. | |
metadata.vendor_name |
The metadata.vendor_name UDM field is set to GOOGLE. | |
data.maliciousEntity.fromHeader |
network.email.from |
|
data.messages.messageId |
network.email.mail_id |
|
data.messages.subjectText |
network.email.subject |
|
data.messages.recipient |
network.email.to |
|
data.ruleViolationInfo.recipients |
network.email.to |
If the data.ruleViolationInfo.recipients log field value matches the regular expression pattern ^.+@.+$, then the data.ruleViolationInfo.recipients log field is mapped to the network.email.to UDM field. |
data.ruleViolationInfo.recipients |
additional.fields[recipients] |
If the data.ruleViolationInfo.recipients log field value is equal to anyone, then the data.ruleViolationInfo.recipients log field is mapped to the additional.fields UDM field. |
data.ruleViolationInfo.recipients |
target.domain.name |
If the data.ruleViolationInfo.recipients log field value matches the regular expression pattern ^[a-zA-Z0-9][a-zA-Z0-9-]{1,61}[a-zA-Z0-9](?:\.[a-zA-Z]{2,})+$, then the first occurrence of the matching value in the data.ruleViolationInfo.recipients log field is mapped to the target.domain.name UDM field and the other occurrences are mapped to the additional.fields[domain_recipients] UDM field. |
data.sourceIp |
principal.ip |
|
data.loginDetails.ipAddress |
principal.ip |
|
data.maliciousEntity.displayName |
principal.labels[malicious_entity_display_name] (deprecated) |
|
data.maliciousEntity.displayName |
additional.fields[malicious_entity_display_name] |
|
data.requestInfo.appDeveloperEmail |
principal.user.email_addresses |
|
data.actorEmail |
principal.user.email_addresses |
|
data.ruleViolationInfo.triggeringUserEmail |
principal.user.email_addresses |
|
data.email |
principal.user.email_addresses |
|
data.domain |
security_result.about.administrative_domain |
|
metadata.assignee |
security_result.about.labels[assignee] (deprecated) |
|
metadata.assignee |
additional.fields[assignee] |
|
data.header |
security_result.about.labels[header] (deprecated) |
|
data.header |
additional.fields[header] |
|
data.ruleViolationInfo.suppressedActionTypes |
security_result.about.labels[suppressed_action_types] (deprecated) |
|
data.ruleViolationInfo.suppressedActionTypes |
additional.fields[suppressed_action_types] |
|
data.title |
security_result.about.labels[title] (deprecated) |
|
data.title |
additional.fields[title] |
|
alertId |
security_result.about.object_reference |
|
data.affectedUserEmails |
security_result.about.user.email_addresses |
|
data.ruleViolationInfo.triggeredActionTypes |
security_result.action_details |
|
security_result.action_type |
If the data.ruleViolationInfo.triggeredActionTypes log field value is equal to ACTION_TYPE_UNSPECIFIED, then the security_result.action_type UDM field is set to UNKNOWN_ACTION.If the data.ruleViolationInfo.triggeredActionTypes log field value is equal to DRIVE_BLOCK_EXTERNAL_SHARING, then the security_result.action_type UDM field is set to BLOCK.If the data.ruleViolationInfo.triggeredActionTypes log field value is equal to DRIVE_WARN_ON_EXTERNAL_SHARING or ALERT or RULE_ACTIVATE or RULE_DEACTIVATE, then the security_result.action_type UDM field is set to ALLOW. | |
security_result.category |
If the source log field value is equal to Gmail Phishing, then the security_result.category UDM field is set to MAIL_PHISHING.If the source log field value is equal to Google Identity, then the security_result.category UDM field is set to ACL_VIOLATION.If the source log field value is equal to Security Center rules or Data Loss Prevention, then the security_result.category UDM field is set to POLICY_VIOLATION. | |
source |
security_result.category_details |
|
data.actionNames |
security_result.detection_fields[action_names] |
|
data.alertDetails |
security_result.detection_fields[alert_details] |
|
data.createTime |
security_result.detection_fields[create_time] |
|
data.messages.date |
security_result.detection_fields[date] |
If the source log field value is equal to Gmail phishing, then the data.messages.date log field is mapped to the security_result.detection_fields UDM field. |
data.events.deviceCompromisedState |
security_result.detection_fields[device_compromised_state] |
|
data.displayName |
security_result.detection_fields[display_name] |
|
data.eventTime |
security_result.detection_fields[event_time] |
|
data.isInternal |
security_result.detection_fields[is_internal] |
|
data.loginDetails.loginTime |
security_result.detection_fields[login_time] |
|
data.messages.md5HashMessageBody |
security_result.detection_fields[md5_hash_message_body] |
If the source log field value is equal to Gmail phishing, then the data.messages.md5HashMessageBody log field is mapped to the security_result.detection_fields UDM field. |
data.messages.md5hashsubject |
security_result.detection_fields[md5_hash_subject] |
If the source log field value is equal to Gmail phishing, then the data.messages.md5hashsubject log field is mapped to the security_result.detection_fields UDM field. |
data.messages.messageBodySnippet |
security_result.detection_fields[message_body_snippet] |
|
metadata.status |
security_result.detection_fields[metadata_status] |
|
data.query |
security_result.detection_fields[query] |
|
securityInvestigationToolLink |
security_result.detection_fields[security_investigation_tool_link] |
|
startTime |
security_result.detection_fields[start_time] |
|
data.supersededAlerts |
security_result.detection_fields[superseded_alerts] |
|
data.supersedingAlert |
security_result.detection_fields[superseding_alert] |
|
data.systemActionType |
security_result.detection_fields[system_action_type] |
|
data.threshold |
security_result.detection_fields[threshold] |
|
data.triggerSource |
security_result.detection_fields[trigger_source] |
|
data.ruleViolationInfo.trigger |
security_result.detection_fields[trigger] |
|
data.updateTime |
security_result.detection_fields[update_time] |
|
data.windowSize |
security_result.detection_fields[windows_size] |
|
data.ruleViolationInfo.ruleInfo.resourceName |
security_result.rule_id |
|
data.ruleViolationInfo.matchInfo.userDefinedDetector.displayName |
security_result.rule_labels[detector_display_name] |
|
data.ruleViolationInfo.matchInfo.predefinedDetector.detectorName |
security_result.rule_labels[detector_name] |
|
data.ruleViolationInfo.matchInfo.userDefinedDetector.resourceName |
security_result.rule_labels[detector_resource_name] |
|
data.name |
security_result.rule_name |
|
data.ruleViolationInfo.ruleInfo.displayName |
security_result.rule_name |
|
metadata.severity |
security_result.severity |
|
type |
security_result.summary |
|
data.type |
security_result.summary |
If the type log field value is empty, then the data.type log field is mapped to the security_result.summary UDM field. |
security_result.alert_state |
The security_result.alert_state UDM field is set to ALERTING. | |
data.requestInfo.appKey |
target.application |
|
data.events.deviceId |
target.asset.asset_id |
|
data.events.deviceProperty |
target.asset.attribute.labels[device_property] |
|
data.events.iosVendorId |
target.asset.attribute.labels[ios_vendor_id] |
|
data.events.newValue |
target.asset.attribute.labels[new_value] |
|
data.events.oldValue |
target.asset.attribute.labels[old_value] |
|
data.events.resourceId |
target.asset.attribute.labels[resource_id] |
|
data.events.deviceModel |
target.asset.hardware.model |
|
data.events.serialNumber |
target.asset.hardware.serial_number |
|
data.events.deviceType |
target.asset.type |
|
data.primaryAdminChangedEvent.domain |
target.domain.name |
|
data.ssoProfileUpdatedEvent.inboundSsoProfileChanges |
target.labels[inbound_sso_profile_changes] (deprecated) |
|
data.ssoProfileUpdatedEvent.inboundSsoProfileChanges |
additional.fields[inbound_sso_profile_changes] |
|
data.requestInfo.numberOfRequests |
target.labels[number_of_requests] (deprecated) |
|
data.requestInfo.numberOfRequests |
additional.fields[number_of_requests] |
|
data.primaryAdminChangedEvent.previousAdminEmail |
target.labels[previous_admin_email] (deprecated) |
|
data.primaryAdminChangedEvent.previousAdminEmail |
additional.fields[previous_admin_email] |
|
data.products |
target.labels[product] (deprecated) |
|
data.products |
additional.fields[product] |
|
data.ruleViolationInfo.resourceInfo.resourceTitle |
target.labels[resource_title] (deprecated) |
|
data.ruleViolationInfo.resourceInfo.resourceTitle |
additional.fields[resource_title] |
|
data.takeoutRequestId |
target.labels[takeout_request_id] (deprecated) |
|
data.takeoutRequestId |
additional.fields[takeout_request_id] |
|
data.ruleViolationInfo.dataSource |
target.resource.name |
|
data.ssoProfileCreatedEvent.inboundSsoProfileName |
target.resource.name |
|
data.ssoProfileUpdatedEvent.inboundSsoProfileName |
target.resource.name |
|
data.ssoProfileDeletedEvent.inboundSsoProfileName |
target.resource.name |
|
data.ruleViolationInfo.resourceInfo.documentId |
target.resource.product_object_id |
|
target.resource.resource_type |
If the data.@type log field value is equal to DlpRuleViolation, then the target.resource.resource_type UDM field is set to STORAGE_OBJECT.If the data.@type log field value is equal to AppMakerSqlSetupNotification, then the target.resource.resource_type UDM field is set to DATABASE.If the data.type log field value is equal to SSO profile added or SSO profile updated or SSO profile deleted, then the target.resource.resource_type UDM field is set to SETTING. | |
data.maliciousEntity.entity.emailAddress |
target.user.email_addresses |
|
data.email |
target.user.email_addresses |
If the data.@type log field value is equal to StateSponsoredAttack, DeviceCompromised, or AccountWarning, then the data.email log field is mapped to the target.user.email_addresses UDM field.Else, the data.email log field is mapped to the principal.user.email_addresses UDM field. |
data.primaryAdminChangedEvent.updatedAdminEmail |
target.user.email_addresses |
|
data.superAdminPasswordResetEvent.userEmail |
target.user.email_addresses |
|
data.maliciousEntity.entity.displayName |
target.user.user_display_name |
|
data.ruleViolationInfo.triggeredActionInfo |
Documentation de référence sur le mappage de champs: WORKSPACE_GROUPS
Le tableau suivant répertorie les champs de journal du type de journal WORKSPACE_GROUPS et les champs UDM correspondants.
| Log field | UDM mapping | Logic |
|---|---|---|
adminCreated |
entity.group.attribute.labels[admin_created] |
If the adminCreated log field value is equal to true, then the admin_created.value UDM field is set to true.Else, the admin_created.value UDM field is set to false. |
description |
metadata.description |
|
directMembersCount |
entity.group.attribute.labels[direct_members_count] |
|
email |
entity.group.email_addresses |
|
nonEditableAliases |
entity.group.email_addresses |
|
aliases |
entity.group.email_addresses |
|
etag |
entity.labels[etag] (deprecated) |
|
etag |
additional.fields[etag] |
|
id |
entity.group.product_object_id |
|
kind |
entity.labels[kind] (deprecated) |
|
kind |
additional.fields[kind] |
|
name |
entity.group.group_display_name |
|
metadata.vendor_name |
The metadata.vendor_name UDM field is set to GOOGLE. | |
metadata.product_name |
The metadata.product_name UDM field is set to WORKSPACE GROUPS. | |
metadata.entity_type |
The metadata.entity_type UDM field is set to GROUP. |
Documentation de référence sur le mappage de champ : WORKSPACE_USERS
Le tableau suivant répertorie les champs de journal du type de journal WORKSPACE_USERS et les champs UDM correspondants.
| Log field | UDM mapping | Logic |
|---|---|---|
addresses.country |
entity.user.personal_address.country_or_region |
|
addresses.countryCode |
entity.user.attribute.labels[addresses_country_code] |
|
addresses.customType |
entity.user.attribute.labels[addresses_custom_type] |
|
addresses.extendedAddress |
entity.user.attribute.labels[addresses_extended_address] |
|
addresses.formatted |
entity.user.office_address.name |
The addresses.formatted log field is mapped to the user.office_address.name UDM field if the following conditions are met:
|
addresses.locality |
entity.user.attribute.labels[addresses_locality] |
|
addresses.poBox |
entity.user.attribute.labels[addresses_pobox] |
|
addresses.postalCode |
entity.user.attribute.labels[addresses_postal_code] |
|
addresses.primary |
entity.user.attribute.labels[addresses_primary] |
|
addresses.region |
entity.user.attribute.labels[addresses_region] |
|
addresses.sourceIsStructured |
entity.user.attribute.labels[addresses_source_is_structured] |
|
addresses.streetAddress |
entity.user.attribute.labels[addresses_street_address] |
|
addresses.type |
entity.user.attribute.labels[addresses_type] |
|
agreedToTerms |
entity.user.attribute.labels[agreed_to_terms] |
|
aliases |
entity.user.attribute.labels[aliases_email] |
|
changePasswordAtNextLogin |
entity.user.attribute.labels[change_password_at_next_login] |
If the changePasswordAtNextLogin log field value is equal to true, then the change_password_at_next_login.value UDM field is set to true.Else, the change_password_at_next_login.value UDM field is set to false. |
creationTime |
entity.user.attribute.creation_time |
|
customerId |
entity.user.attribute.labels[customer_id] |
|
deletionTime |
entity.user.attribute.labels[deletion_time] |
|
emails.customType |
entity.user.attribute.labels[email_acustom_type] |
|
emails.primary |
entity.user.attribute.labels[email_primary] |
|
emails.type |
entity.user.attribute.labels[email_type] |
|
etag |
entity.labels[etag] (deprecated) |
|
etag |
additional.fields[etag] |
|
externalIds.customType |
entity.user.attribute.labels[external_id_custom_type] |
|
externalIds.type |
entity.user.attribute.labels[external_id_type] |
|
externalIds.value |
entity.user.employee_id |
If the externalIds.type log field value is equal to organization, then the externalIds.value log field is mapped to the user.employee_id UDM field. |
gender.addressMeAs |
entity.user.attribute.labels[gender_address_me_as] |
|
gender.customGender |
entity.user.attribute.labels[custom_gender] |
|
gender.type |
entity.user.attribute.labels[gender] |
|
hashFunction |
entity.user.attribute.labels[hash_function] |
|
id |
entity.user.product_object_id |
|
ims.customProtocol |
entity.user.attribute.labels[ims_custom_protocol] |
|
ims.customType |
entity.user.attribute.labels[ims_custom_type] |
|
ims.im |
entity.user.attribute.labels[ims_im] |
|
ims.primary |
entity.user.attribute.labels[ims_primary] |
|
ims.protocol |
entity.user.attribute.labels[ims_protocol] |
|
ims.type |
entity.user.attribute.labels[ims_type] |
|
includeInGlobalAddressList |
entity.user.attribute.labels[included_in_global_address_list] |
If the includeInGlobalAddressList log field value is equal to true, then the included_in_global_address_list.value UDM field is set to true, else, then the included_in_global_address_list.value UDM field is set to false. |
ipWhitelisted |
entity.user.attribute.labels[ip_whitelisted] |
|
isAdmin |
entity.user.attribute.labels[is_admin] |
|
isDelegatedAdmin |
entity.user.attribute.labels[is_delegated_admin] |
|
user.attribute.roles.type |
If the isAdmin log field value or the isDelegatedAdmin log field value is equal to true, then the user.attribute.roles.type UDM field is set to ADMINISTRATOR. | |
isEnforcedIn2Sv |
entity.user.attribute.labels[is_enforced_in_2sv] |
If the isEnforcedIn2Sv log field value is equal to true, then the is_enforced_in_2sv.value UDM field is set to true, else, then the is_enforced_in_2sv.value UDM field is set to false. |
isEnrolledIn2Sv |
entity.user.attribute.labels[is_enrolled_in_2sv] |
If the isEnrolledIn2Sv log field value is equal to true, then the is_enrolled_in_2sv.value UDM field is set to true, else, then the is_enrolled_in_2sv.value UDM field is set to false. |
isMailboxSetup |
entity.user.attribute.labels[is_mailbox_setup] |
If the isMailboxSetup log field value is equal to true, then the is_mail_box_setup.value UDM field is set to true, else, then the is_mail_box_setup.value UDM field is set to false. |
keywords.customType |
entity.user.attribute.labels[keywords_custom_type] |
|
keywords.type |
entity.user.attribute.labels[keywords_type] |
|
keywords.value |
entity.user.attribute.labels[keywords_value] |
|
kind |
entity.labels[kind] (deprecated) |
|
kind |
additional.fields[kind] |
|
languages.customLanguage |
entity.user.attribute.labels[language_custom_language] |
|
languages.languageCode |
entity.user.attribute.labels[language_code] |
|
languages.preference |
entity.user.attribute.labels[preferred_language] |
|
lastLoginTime |
entity.user.last_login_time |
|
locations.area |
entity.user.office_address.country_or_region |
|
locations.buildingId |
entity.user.attribute.labels[locations_buildingId] |
|
locations.customType |
entity.user.attribute.labels[locations_customType] |
|
locations.deskCode |
entity.user.officel_address.desk_name |
|
locations.floorName |
entity.user.office_address.floor_name |
|
locations.floorSection |
entity.user.attribute.labels[locations_floorSection] |
|
locations.type |
entity.user.attribute.labels[locations_type] |
|
name.familyName |
entity.user.last_name |
|
name.fullName |
entity.user.user_display_name |
|
name.givenName |
entity.user.first_name |
|
notes.contentType |
entity.user.attribute.labels[notes_content_type] |
|
notes.value |
entity.user.attribute.labels[notes_value] |
|
organizations.costCenter |
entity.user.attribute.labels[organization_cost_center] |
|
organizations.customType |
entity.user.attribute.labels[organization_custom_type] |
|
organizations.department |
entity.user.department |
The organizations.department log field is mapped to the user.department UDM field if the following conditions are met:
|
organizations.description |
entity.user.attribute.labels [organizations_description] |
|
organizations.domain |
entity.user.attribute.labels[organization_domain] |
|
organizations.fullTimeEquivalent |
entity.user.attribute.labels[organization_full_time_equivalent] |
|
organizations.location |
entity.user.attribute.labels[organization_location] |
|
organizations.name |
entity.user.attribute.labels[organization_name] |
|
organizations.primary |
entity.user.attribute.labels[organization_primary] |
|
organizations.symbol |
entity.user.attribute.labels[organization_symbol] |
|
organizations.title |
entity.user.title |
|
organizations.type |
entity.user.attribute.labels[organization_type] |
|
orgUnitPath |
entity.user.attribute.labels[org_unit_path] |
|
password |
entity.user.attribute.labels[password] |
|
phones.customType |
entity.user.attribute.labels[phone_custom_type] |
|
phones.primary |
entity.user.attribute.labels[phone_primary] |
|
phones.type |
entity.user.attribute.labels[phone_type] |
|
phones.value |
entity.user.phone_numbers |
If the phones.value log field value matches the regular expression pattern (^the , then the phones.value log field is mapped to the user.phone_numbers UDM field. |
recoveryPhone |
entity.user.phone_numbers |
|
posixAccounts.accountId |
entity.user.attribute.labels[posix_account_id] |
|
posixAccounts.gecos |
entity.user.attribute.labels[posix_account_gecos] |
|
posixAccounts.gid |
entity.user.group_identifiers |
|
posixAccounts.homeDirectory |
entity.user.attribute.labels[posix_account_home_directory] |
|
posixAccounts.operatingSystemType |
entity.platform |
If the posixAccounts.operatingSystemType log field value is equal to linux, then the entity.platform UDM field is set to LINUX.If the posixAccounts.operatingSystemType log field value is equal to windows, then the entity.platform UDM field is set to WINDOWS.Else, the entity.platform UDM field is set to UNKNOWN_PLATFORM. |
posixAccounts.primary |
entity.user.attribute.labels[posix_account_primary] |
|
posixAccounts.shell |
entity.user.attribute.labels[posix_account_shell] |
|
posixAccounts.systemId |
entity.asset.asset_id |
|
posixAccounts.uid |
entity.user.attribute.labels[posix_account_uid] |
|
posixAccounts.username |
entity.user.userid |
If the posixAccounts.username log field value is not empty, then the posixAccounts.username log field is mapped to the entity.user.userid UDM field. |
primaryEmail |
entity.user.email_addresses |
|
recoveryEmail |
entity.user.email_addresses |
|
nonEditableAliases |
entity.user.email_addresses |
|
emails.address |
entity.user.email_addresses |
If the emails.address log field value is not equal to primaryEmail, then the emails.address log field is mapped to the entity.user.email_addresses UDM field. |
relations.customType |
entity.user.attribute.labels[relations_custom_type] |
|
relations.type |
entity.user.attribute.labels[relation_type] |
|
relations.value |
entity.user.managers.email_addresses |
If the relation.type log field value is equal to manager, then the relations.value log field is mapped to the user.managers.email_addresses UDM field.Else, the relations.value log field is mapped to the user.attribute.labels UDM field. |
relations.value |
entity.user.attribute.labels[relations_type] |
If the relation.type log field value is equal to manager, then the relations.value log field is mapped to the user.managers.email_addresses UDM field.Else, the relations.value log field is mapped to the user.attribute.labels UDM field. |
sshPublicKeys.expirationTimeUsec |
entity.user.attribute.labels[ssh_key_expiration_timec] |
|
sshPublicKeys.fingerprint |
entity.user.attribute.labels[ssh_key_fingerprint] |
|
sshPublicKeys.key |
entity.user.attribute.labels[ssh_key] |
|
suspended |
entity.user.user_authentication_status |
If the suspended log field value is equal to true and the archived log field value is not equal to true, then the entity.user.user_authentication_status UDM field is set to SUSPENDED.If the archived log field value is equal to true, then the entity.user.user_authentication_status UDM field is set to DELETED.Else, the entity.user.user_authentication_status UDM field is set to ACTIVE. |
archived |
entity.user.user_authentication_status |
If the suspended log field value is equal to true and the archived log field value is not equal to true, then the entity.user.user_authentication_status UDM field is set to SUSPENDED.If the archived log field value is equal to true, then the entity.user.user_authentication_status UDM field is set to DELETED.Else, the entity.user.user_authentication_status UDM field is set to ACTIVE. |
suspensionReason |
entity.user.attribute.labels[suspension_reason] |
|
thumbnailPhotoEtag |
entity.user.attribute.labels[thumbnail_photo_etag] |
|
thumbnailPhotoUrl |
entity.url |
|
websites.customType |
entity.user.attribute.labels[websites_custom_type] |
|
websites.primary |
entity.user.attribute.labels[websites_primary] |
|
websites.type |
entity.user.attribute.labels[websites_type] |
|
websites.value |
entity.user.attribute.labels[websites_value] |
|
metadata.vendor_name |
The metadata.vendor_name UDM field is set to GOOGLE. | |
metadata.product_name |
The metadata.product_name UDM field is set to Cloud Identity. | |
metadata.entity_type |
The metadata.entity_type UDM field is set to USER. |
Documentation de référence sur le mappage de champs: WORKSPACE_MOBILE_devices
Le tableau suivant répertorie les champs de journal du type de journal WORKSPACE_MOBILE_DEVICES et les champs UDM correspondants.
| Log field | UDM mapping | Logic |
|---|---|---|
adbStatus |
entity.asset.attribute.labels[abd status] |
|
applications.displayName |
entity.asset.software.name |
|
applications.packageName |
entity.asset.attribute.labels[application_package_name] |
|
applications.permission |
entity.asset.software.permissions.name |
|
applications.versionCode |
entity.asset.attribute.labels[application_version_code] |
|
applications.versionName |
entity.asset.software.version |
|
basebandVersion |
entity.asset.attribute.labels[baseband_version] |
|
bootloaderVersion |
entity.asset.attribute.labels[bootloader_version] |
|
brand |
entity.asset.attribute.labels[brand] |
|
buildNumber |
entity.asset.attribute.labels[build_number] |
|
defaultLanguage |
entity.asset.attribute.labels[default_language] |
|
developerOptionsStatus |
entity.asset.attribute.labels[developer_options_status] |
|
deviceCompromisedStatus |
entity.asset.attribute.labels[device_compromised_status] |
|
deviceId |
entity.asset.asset_id |
|
devicePasswordStatus |
entity.asset.attribute.labels[device_password_status] |
|
email |
entity.user.email_addresses |
|
encryptionStatus |
entity.asset.attribute.labels[encryption_status] |
|
etag |
entity.labels[etag] (deprecated) |
|
etag |
additional.fields[etag] |
|
firstSync |
entity.asset.attribute.labels[first_sync] |
|
hardware |
entity.asset.attribute.labels[hardware] |
|
hardwareId |
entity.asset.attribute.labels[hardware_id] |
|
imei |
entity.asset.asset_id |
|
deviceId |
entity.asset.asset_id |
If the imei log field value is empty, then the deviceId log field is mapped to the entity.asset.asset_id UDM field. |
kernelVersion |
entity.asset.attribute.labels[kernel_version] |
|
kind |
entity.labels[kind] (deprecated) |
|
kind |
additional.fields[kind] |
|
lastSync |
entity.asset.attribute.labels[last_sync] |
|
managedAccountIsOnOwnerProfile |
entity.asset.attribute.labels[managed_account_is_on_owner_profile] |
|
manufacturer |
entity.asset.hardware.manufacturer |
|
meid |
entity.asset.attribute.labels[meid] |
|
model |
entity.asset.hardware.model |
|
name |
entity.user.user_display_name |
|
networkOperator |
entity.asset.attribute.labels[network_operator] |
|
os |
entity.asset.platform_software.platform |
If the os log field value matches iOS, then the entity.asset.platform_software.platform UDM field is set to IOS.If the os log field value matches Android, then the entity.asset.platform_software.platform UDM field is set to ANDROID.Else, the entity.asset.platform_software.platform UDM field is set to UNKNOWN_PLATFORM. |
otherAccountsInfo[] |
entity.asset.attribute.labels[other_accounts_info] |
|
privilege |
entity.asset.attribute.labels[privilege] |
|
releaseVersion |
entity.asset.attribute.labels[release_version] |
|
resourceId |
entity.asset.product_object_id |
|
securityPatchLevel |
entity.asset.platform_software.platform_patch_level |
|
serialNumber |
entity.asset.hardware.serial_number |
|
status |
entity.user.user_authentication_status |
If the status log field value is equal to approved, then the entity.user.user_authentication_status UDM field is set to ACTIVE.If the status log field value is equal to unprovisined, then the entity.user.user_authentication_status UDM field is set to SUSPENDED. |
supportsWorkProfile |
entity.asset.attribute.labels[supports_work_profile] |
|
type |
entity.asset.attribute.labels[type] |
|
unknownSourcesStatus |
entity.asset.attribute.labels[unknown_sources_status] |
|
userAgent |
entity.asset.attribute.labels[user_agent] |
|
wifiMacAddress |
entity.asset.mac |
|
metadata.entity_type |
The metadata.entity_type UDM field is set to ASSET. | |
metadata.product_name |
The metadata.product_name UDM field is set to WORKSPACE_MOBILE. | |
metadata.vendor_name |
The metadata.vendor_name UDM field is set to GOOGLE. | |
relations.entity_type |
The relations.entity_type UDM field is set to USER. | |
relations.relationship |
The relations.relationship UDM field is set to MEMBER. |
Documentation de référence sur le mappage des champs : WORKSPACE_CHROMEOS
Le tableau suivant répertorie les champs de journal du type de journal WORKSPACE_CHROMEOS et les champs UDM correspondants.
| Log field | UDM mapping | Logic |
|---|---|---|
activeTimeRanges.activeTime |
entity.asset.attribute.labels[active_time] |
|
activeTimeRanges.date |
entity.asset.attribute.labels[active_time_range_date] |
|
annotatedAssetId |
entity.asset.asset_id |
If the annotatedAssetId log field value is not empty, then the ASSET ID: annotatedAssetId log field is mapped to the entity.asset.asset_id UDM field. |
deviceId |
entity.asset.asset_id |
If the annotatedAssetId log field value is empty, then the CHROMEOS:deviceId log field is mapped to the entity.asset.asset_id UDM field. |
annotatedLocation |
entity.asset.location.name |
|
annotatedUser |
relations.entity.user.user_display_name |
If the annotatedUser log field value is not empty and the annotatedUser log field value does not match the regular expression @, then the annotatedUser log field is mapped to the relations.entity.user.user_display_name UDM field. |
autoUpdateExpiration |
entity.asset.attribute.labels[auto_update_expiration] |
|
bootMode |
entity.asset.attribute.labels[boot_mode] |
|
cpuInfo.architecture |
entity.asset.attribute.labels[cpu_architecture] |
|
cpuInfo.logicalCpus.cStates.displayName |
entity.asset.attribute.labels[cpu_logical_cups_cstates_display_name] |
|
cpuInfo.logicalCpus.cStates.sessionDuration |
entity.asset.attribute.labels[cpu_logical_cups_cstates_session_duration] |
|
cpuInfo.logicalCpus.currentScalingFrequencyKhz |
entity.asset.attribute.labels[cpu_current_scaling_frequency] |
|
cpuInfo.logicalCpus.idleDuration |
entity.asset.attribute.labels[cpu_ideal_duration] |
|
cpuInfo.logicalCpus.maxScalingFrequencyKhz |
entity.asset.attribute.labels[cpu_max_scaling_frequency] |
|
cpuInfo.maxClockSpeedKhz |
entity.asset.attribute.labels[cpu_max_clock_speed] |
|
cpuInfo.model |
entity.asset.hardware.cpu_model |
|
cpuStatusReports.cpuTemperatureInfo.label |
entity.asset.attribute.labels[cpu_temperature_label] |
|
cpuStatusReports.cpuTemperatureInfo.temperature |
entity.asset.attribute.labels[cpu_temperature] |
|
cpuStatusReports.cpuUtilizationPercentageInfo |
entity.asset.attribute.labels[cpu_utilization_percentage_info] |
|
cpuStatusReports.reportTime |
entity.asset.attribute.labels[cpu_report_time] |
|
deviceFiles.createTime |
relations.entity.file.first_seen_time |
|
deviceFiles.downloadUrl |
relations.entity.file.full_path |
|
deviceFiles.name |
relations.entity.file.names |
|
deviceFiles.type |
relations.entity.file.mime_type |
|
relations.entity_type |
The relations.entity_type UDM field is set to FILE. | |
relations.relationship |
The relations.relationship UDM field is set to MEMBER. | |
deviceId |
entity.asset.product_object_id |
|
diskVolumeReports.volumeInfo.storageFree |
entity.asset.attribute.labels[volume_info_storage_free] |
|
diskVolumeReports.volumeInfo.storageTotal |
entity.asset.attribute.labels[volume_info_storage_total] |
|
diskVolumeReports.volumeInfo.volumeId |
entity.asset.attribute.labels[volume_id] |
|
dockMacAddress |
entity.asset.attribute.labels[dock_mac_address] |
|
etag |
entity.labels[etag] (deprecated) |
|
etag |
additional.fields[etag] |
|
ethernetMacAddress0 |
entity.asset.attribute.labels[ethernet_mac_address] |
|
firmwareVersion |
entity.asset.attribute.labels[firmware_version] |
|
kind |
entity.labels[kind] (deprecated) |
|
kind |
additional.fields[kind] |
|
lastEnrollmentTime |
entity.asset.last_discover_time |
|
lastKnownNetwork.ipAddress |
entity.asset.ip |
|
lastKnownNetwork.wanIpAddress |
entity.asset.nat_ip |
|
lastSync |
entity.asset.system_last_update_time |
|
macAddress |
entity.asset.mac |
|
ethernetMacAddress |
entity.asset.mac |
|
manufactureDate |
entity.asset.attribute.labels[manufacture_date] |
|
meid |
entity.asset.attribute.labels[meid] |
|
model |
entity.asset.hardware.model |
|
notes |
entity.asset.attribute.labels[notes] |
|
orderNumber |
entity.asset.attribute.labels[order_number] |
|
orgUnitId |
entity.asset.attribute.labels[org_unit_id] |
|
orgUnitPath |
entity.user.attribute.labels[org_unit_path] |
|
osVersion |
entity.asset.attribute.labels[os_version] |
|
platformVersion |
entity.asset.platform_software.platform_version |
|
annotatedUser |
entity.user.email_addresses |
If the annotatedUser log field value is not empty and the annotatedUser log field value matches the regular expression @, then the annotatedUser log field is mapped to the entity.user.email_addresses UDM field. |
recentUsers.email |
entity.user.email_addresses |
|
recentUsers.type |
relations.entity.user.attribute.roles.name |
|
relations.entity.user.attribute.roles.description |
If the recentUsers.type log field value is equal to USER_TYPE_MANAGED, then the relations.entity.user.attribute.roles.description UDM field is set to The user is managed by the domain.Else, if the recentUsers.type log field value is equal to USER_TYPE_UNMANAGED, then the relations.entity.user.attribute.roles.description UDM field is set to The user is not managed by the domain. | |
screenshotFiles.createTime |
relations.entity.file.first_seen_time |
|
screenshotFiles.downloadUrl |
relations.entity.file.full_path |
|
screenshotFiles.name |
relations.entity.file.names |
|
screenshotFiles.type |
relations.entity.file.mime_type |
|
serialNumber |
entity.asset.hardware.serial_number |
|
status |
entity.asset.deployment_status |
If the status log field value is equal to DEPROVISIONED, then the entity.asset.deployment_status UDM field is set to DECOMMISSIONED.Else, the entity.asset.deployment_status UDM field is set to ACTIVE. |
supportEndDate |
entity.asset.attribute.labels[support_end_date] |
|
systemRamFreeReports.reportTime |
entity.asset.attribute.labels[system_ram_report_time] |
|
systemRamFreeReports.systemRamFreeInfo |
entity.asset.attribute.labels[system_ram_free_info] |
|
systemRamTotal |
entity.asset.hardware.ram |
|
tpmVersionInfo.family |
entity.asset.attribute.labels[tpm_ver_info_family] |
|
tpmVersionInfo.firmwareVersion |
entity.asset.attribute.labels[tpm_ver_info_firmware_version] |
|
tpmVersionInfo.manufacturer |
entity.asset.attribute.labels[tpm_ver_info_manufacturer] |
|
tpmVersionInfo.specLevel |
entity.asset.attribute.labels[tpm_ver_info_spec_level] |
|
tpmVersionInfo.tpmModel |
entity.asset.attribute.labels[tpm_ver_info_tpm_model] |
|
tpmVersionInfo.vendorSpecific |
entity.asset.attribute.labels[tpm_ver_info_vendor_specific] |
|
willAutoRenew |
entity.asset.attribute.labels[will_auto_renew] |
|
entity.asset.type |
The entity.asset.type UDM field is set to WORKSTATION. | |
metadata.entity_type |
The metadata.entity_type UDM field is set to ASSET. | |
metadata.product_name |
The metadata.product_name UDM field is set to ChromeOS. | |
metadata.vendor_name |
The metadata.vendor_name UDM field is set to GOOGLE. | |
relations.entity_type |
The relations.entity_type UDM field is set to USER. | |
relations.relationship |
The relations.relationship UDM field is set to MEMBER. |
Documentation de référence sur le mappage des champs : WORKSPACE_PRIVILEGES
Le tableau suivant répertorie les champs de journal du type de journal WORKSPACE_PRIVILEGES et les champs UDM correspondants.
| Log field | UDM mapping |
|---|---|
roleAssignments.assignedTo |
metadata.product_entity_id |
roleAssignments.roleAssignmentId |
entity.user.attribute.labels[role_assignment_id] |
roleAssignments.roleDetails.roleDescription |
entity.user.attribute.roles.description |
roleAssignments.roleDetails.roleId |
entity.user.attribute.labels[role_details_role_id] |
roleAssignments.roleDetails.roleName |
entity.user.attribute.roles.name |
roleAssignments.roleDetails.rolePrivileges.details.childPrivileges.etag |
|
roleAssignments.roleDetails.rolePrivileges.details.childPrivileges.isOuScopable |
|
roleAssignments.roleDetails.rolePrivileges.details.childPrivileges.kind |
|
roleAssignments.roleDetails.rolePrivileges.details.childPrivileges.privilegeName |
entity.user.attribute.labels[%{rolePrivilege.privilegeName}_CHILD_PRIVILEGES] |
roleAssignments.roleDetails.rolePrivileges.details.childPrivileges.serviceId |
|
roleAssignments.roleDetails.rolePrivileges.details.childPrivileges.serviceName |
|
roleAssignments.roleDetails.rolePrivileges.details.etag |
entity.labels[etag] (deprecated) |
roleAssignments.roleDetails.rolePrivileges.details.etag |
additional.fields[etag] |
roleAssignments.roleDetails.rolePrivileges.details.isOuScopable |
entity.user.attribute.labels[is_ou_scopable] |
roleAssignments.roleDetails.rolePrivileges.details.kind |
entity.labels[kind] (deprecated) |
roleAssignments.roleDetails.rolePrivileges.details.kind |
additional.fields[kind] |
roleAssignments.roleDetails.rolePrivileges.details.privilegeName |
|
roleAssignments.roleDetails.rolePrivileges.details.serviceId |
|
roleAssignments.roleDetails.rolePrivileges.details.serviceName |
entity.user.attribute.labels[service_name] |
roleAssignments.roleDetails.rolePrivileges.privilegeName |
entity.user.attribute.permissions.name |
roleAssignments.roleDetails.rolePrivileges.serviceId |
entity.user.attribute.permissions.description |
roleAssignments.roleId |
entity.user.attribute.labels[role_id] |
roleAssignments.scopeType |
entity.user.attribute.labels[scope_type] |
userId |
entity.user.userid |
metadata.vendor_name | |
metadata.product_name | |
metadata.entity_type |