收集 Google Workspace 日志
支持以下语言:
Google SecOps
SIEM
本文档介绍了如何通过设置 Google 安全运营 Feed 来收集 Google Workspace 日志,以及日志字段如何映射到 Google 安全运营 Unified Data Model (UDM) 字段。本文档还列出了支持的日志类型和事件 各种 Google Workspace 产品
如需了解详情,请参阅将数据注入到 Google Security Operations 中。
典型的部署包括 Google Workspace 和配置为将日志发送到 Google Security Operations 的 Google Security Operations Feed。每个客户部署 可能有所不同,而且可能更加复杂。
该部署包含以下组件:
Google Workspace。您从中收集日志的 Google Workspace 平台。
Google Security Operations Feed。Google Security Operations Feed,用于从 Google Workspace 提取日志并将日志写入 Google Security Operations。
Google Security Operations。Google Security Operations 会保留并分析 Google Workspace。
提取标签用于标识将原始日志数据标准化的解析器 结构化 UDM 格式本文档中的信息适用于 Google Workspace 解析器 具有下列提取标签:
WORKSPACE_ACTIVITYWORKSPACE_ALERTSWORKSPACE_CHROMEOSWORKSPACE_GROUPSWORKSPACE_MOBILEWORKSPACE_PRIVILEGESWORKSPACE_USERS
准备工作
请确保您使用的是 Google Workspace 商务标准版或商务 Plus 版,因为 Google Workspace 解析器支持这两种版本。
确保您拥有 Google Workspace 管理员账号。
在 Google Cloud 项目中启用以下 API:
如需对 Google Workspace API 进行身份验证,请在 Google Cloud 项目中创建一个服务账号,并记下该服务账号的唯一数字 ID 和电子邮件地址。如需详细了解如何创建服务账号,请参阅创建和管理服务账号。
创建模拟服务账号的用户,然后授予该用户权限:
- 登录 Google 管理控制台。
- 依次选择目录 > 用户,然后点击添加新用户。
- 输入用户详细信息。
- 点击添加新用户。
- 点击新创建的用户链接,然后点击管理员角色和权限。
- 点击 收起。
- 点击创建自定义角色。
- 点击创建新角色,然后为此角色命名。
- 向该角色授予以下权限:
- 权限 >报告
- 权限 >服务 >提醒中心 >完整访问权限 >查看权限
- 权限 > 服务 > 移动设备管理 > 管理设备和设置
- 权限 > 服务 > Chrome 管理 > 设置
- Admin API >权限 >用户 >已读
- Admin API > 权限 > 群组 > 读取
- 点击继续,然后点击创建角色。
- 点击为用户分配角色。
- 选择要分配角色的用户。
- 点击分配角色。
创建访问凭据。如需详细了解如何创建访问凭据,请参阅创建服务账号密钥。
如需访问数据,请使用以下链接为服务账号授权全网域授权: 以下范围:
https://www.googleapis.com/auth/admin.reports.audit.readonlyhttps://www.googleapis.com/auth/apps.alertshttps://www.googleapis.com/auth/admin.directory.device.chromeos.readonlyhttps://www.googleapis.com/auth/admin.directory.group.readonlyhttps://www.googleapis.com/auth/admin.directory.device.mobile.readonlyhttps://www.googleapis.com/auth/admin.directory.rolemanagement.readonlyhttps://www.googleapis.com/auth/admin.directory.user.readonly
要查找 Google Workspace 客户 ID,请在 Google 管理控制台中执行以下操作: 依次选择账号 > 账号设置 > 个人资料。
确保已配置部署架构中的所有系统 (采用 UTC 时区)。
验证 Google Security Operations 解析器支持的日志类型。相关信息 如需了解支持的 Google Workspace 日志,请参阅支持的 Google Workspace 日志类型。
在 Google Security Operations 中配置 Feed 以注入 Google Workspace 日志
- 在导航栏中,依次选择设置 > SIEM 设置 > Feed。
- 点击 Add New(新增)。
- 针对来源类型,选择第三方 API。
- 如需为 Workspace 活动创建 Feed,请选择 Workspace 活动作为日志类型。
- 点击下一步。
根据您创建的 Google Workspace 配置,指定值 :
- OAuth JWT 端点。包含 OAuth JSON Web 令牌的端点。
指定服务账号 JSON 密钥中的
token_uri值。 - JWT 声明颁发者。这是客户端 ID。指定
client_email值 从服务账号 JSON 密钥获取。例如InsertServiceAccount@project.iam.gserviceaccount.com - JWT 声明主体。指定您在 Google Workspace 管理控制台中创建的用户的电子邮件地址。
- JWT 声明受众群体。指定服务账号 JSON 密钥中的
token_uri值。 RSA 私钥。PEM 格式的 RSA 私钥。PEM 密钥可用 包含在服务账号密钥文件中输入私钥时,请在文本框中添加
BEGIN PRIVATE KEY标头和END PRIVATE KEY页脚,并将\n令牌的所有实例替换为实际的Enter按键操作。客户 ID。除提醒日志类型以外,其他所有日志类型均包含客户 ID 字段需以“C”开头字符。如果客户 ID 字段不包含前导“C”字符,请在值前面附加“C”字符。
应用。只有在为 Workspace 活动创建 Feed 时,应用字段才是必填字段。
- OAuth JWT 端点。包含 OAuth JSON Web 令牌的端点。
指定服务账号 JSON 密钥中的
点击下一步,然后点击提交。
完成为 Workspace 活动创建 Feed 的步骤后,请重复 为以下每种日志类型创建单独 Feed 的步骤。
Workspace AlertsWorkspace ChromeOS DevicesWorkspace GroupsWorkspace Mobile DevicesWorkspace PrivilegesWorkspace Users
如需详细了解 Google Security Operations Feed,请参阅 Google Security Operations Feed 文档。如需了解每种 Feed 类型的要求,请参阅按类型配置 Feed。
如果您在创建 Feed 时遇到问题,请与 Google 安全运营支持团队联系。
支持的 Google Workspace 日志类型
以下部分列出了 Google Workspace 解析器支持的日志类型:
WORKSPACE_ACTIVITY
下表列出了 WORKSPACE_ACTIVITY 支持的应用名称和事件类型。
日志类型。
| 应用名称 | 事件类型 |
|---|---|
access_transparency
|
GSUITE_RESOURCE
|
chrome
|
CHROME_OS_ADD_REMOVE_USER_TYPE
|
DEVICE_BOOT_STATE_CHANGE_TYPE
|
|
CHROME_OS_LOGIN_LOGOUT_TYPE
|
|
CHROME_OS_REPORTING_DATA_LOST_TYPE
|
|
SAFE_BROWSING_PASSWORD_ALERT
|
|
DLP_EVENTS_TYPE
|
|
CONTENT_TRANSFER_TYPE
|
|
CONTENT_UNSCANNED_TYPE
|
|
EXTENSION_REQUEST_TYPE
|
|
LOGIN_EVENT_TYPE
|
|
MALWARE_TRANSFER_TYPE
|
|
PASSWORD_BREACH_TYPE
|
|
SENSITIVE_DATA_TRANSFER_TYPE
|
|
UNSAFE_SITE_VISIT_TYPE
|
|
context_aware_access
|
CONTEXT_AWARE_ACCESS_USER_EVENT
|
gplus
|
comment_change
|
plusone_change
|
|
poll_vote_change
|
|
post_change
|
|
data_studio
|
ACCESS
|
ACL_CHANGE
|
|
mobile
|
device_applications
|
device_updates
|
|
suspicious_activity
|
|
groups_enterprise
|
moderator_action
|
calendar
|
calendar_change
|
notification
|
|
subscription_change
|
|
event_change
|
|
interop
|
|
chat
|
user_action
|
gcp
|
CLOUD_OSLOGIN
|
drive
|
access
|
acl_change
|
|
pooled_quota_metadata
|
|
groups
|
acl_change
|
moderator_action
|
|
keep
|
user_action
|
meet
|
call
|
token
|
auth
|
rules
|
action_complete_type
|
rule_match_type
|
|
rule_trigger_type
|
|
saml
|
login
|
user_accounts
|
2sv_change
|
password_change
|
|
recovery_info_change
|
|
titanium_change
|
|
email_forwarding_change
|
|
login
|
2sv_change
|
password_change
|
|
recovery_info_change
|
|
account_warning
|
|
titanium_change
|
|
email_forwarding_change
|
|
jamboard
|
administrative_action
|
setting_change
|
|
status_change
|
|
admin
|
USER_SETTINGS
|
如需详细了解 Google 安全运营支持的 Google Workspace 应用,请参阅 Google Workspace 应用。
WORKSPACE_ALERTS
以下是支持的提醒类型列表:
Customer takeout initiatedMalware reclassificationMisconfigured whitelistPhishing reclassificationSuspicious message reportedUser reported phishingUser reported spam spikeLeaked passwordSuspicious loginSuspicious login (less secure app)Suspicious programmatic loginUser suspendedUser suspended (spam)User suspended (spam through relay)User suspended (suspicious activity)Google OperationsConfiguration problemGovernment attack warningDevice compromisedSuspicious activityAppMaker Default Cloud SQL setupActivity RuleData Loss PreventionApps outagePrimary admin changedSSO profile addedSSO profile updatedSSO profile deletedSuper admin password reset
WORKSPACE_CHROMEOS
如需了解受支持的 ChromeOS 日志架构,请参阅 ChromeOS 设备。
WORKSPACE_GROUPS
如需了解受支持的群组日志架构,请参阅群组。
WORKSPACE_MOBILE
如需了解受支持的移动日志架构,请参阅 mobile。
WORKSPACE_PRIVILEGES
如需了解支持的权限日志架构,请参阅权限。
WORKSPACE_USERS
如需了解受支持的用户日志架构,请参阅用户。
字段映射参考文档
以下部分介绍了 Google Security Operations 解析器如何映射 Google Workspace 日志字段转换为 Google Security Operations 统一数据模型 (UDM) 字段。 无论是基于 Feed 的提取还是原生提取,此解析器的字段映射都保持不变。
字段映射参考信息:WORKSPACE_ACTIVITY 日志类型到 UDM 事件类型
下表列出了 WORKSPACE_ACTIVITY 日志类型及其对应的 UDM 事件类型。
| Workspace application | Event identifier | Event type |
|---|---|---|
access_transparency |
ACCESS |
USER_RESOURCE_ACCESS |
chrome |
CHROME_OS_ADD_USER |
USER_CREATION |
chrome |
CHROME_OS_REMOVE_USER |
USER_DELETION |
chrome |
DEVICE_BOOT_STATE_CHANGE |
SETTING_MODIFICATION |
chrome |
CHROME_OS_LOGIN_FAILURE_EVENT |
USER_LOGIN |
chrome |
CHROME_OS_LOGIN_LOGOUT_EVENT |
USER_LOGIN |
chrome |
CHROME_OS_LOGIN_EVENT |
USER_LOGIN |
chrome |
CHROME_OS_LOGOUT_EVENT |
USER_LOGOUT |
chrome |
CHROME_OS_REPORTING_DATA_LOST |
STATUS_UPDATE |
chrome |
PASSWORD_CHANGED |
USER_CHANGE_PASSWORD |
chrome |
PASSWORD_REUSE |
USER_UNCATEGORIZED |
chrome |
DLP_EVENT |
USER_UNCATEGORIZED |
chrome |
CONTENT_TRANSFER |
STATUS_UNCATEGORIZED |
chrome |
CONTENT_UNSCANNED |
SCAN_UNCATEGORIZED |
chrome |
EXTENSION_REQUEST |
USER_UNCATEGORIZED |
chrome |
LOGIN_EVENT |
USER_LOGIN |
chrome |
MALWARE_TRANSFER |
SCAN_UNCATEGORIZED. The security category is |
chrome |
PASSWORD_BREACH |
USER_RESOURCE_ACCESS. The security category is |
chrome |
SENSITIVE_DATA_TRANSFER |
SCAN_UNCATEGORIZED |
chrome |
UNSAFE_SITE_VISIT |
NETWORK_UNCATEGORIZED. The security category is |
chrome |
BROWSER_CRASH |
STATUS_UNCATEGORIZED |
chrome |
BROWSER_EXTENSION_INSTALL |
USER_RESOURCE_UPDATE_CONTENT |
chrome |
CHROMEOS_AFFILIATED_LOCK_SUCCESS |
USER_LOGOUT |
chrome |
CHROMEOS_AFFILIATED_UNLOCK_FAILURE |
USER_LOGIN |
chrome |
CHROMEOS_AFFILIATED_UNLOCK_SUCCESS |
USER_LOGIN |
chrome |
CHROMEOS_PERIPHERAL_ADDED |
USER_RESOURCE_ACCESS |
chrome |
CHROMEOS_PERIPHERAL_REMOVED |
USER_RESOURCE_DELETION |
chrome |
CHROMEOS_PERIPHERAL_STATUS_UPDATED |
USER_RESOURCE_UPDATE_CONTENT |
chrome |
CHROMEOS_UPDATE_FAILURE |
STATUS_UNCATEGORIZED |
chrome |
CHROMEOS_UPDATE_SUCCESS |
STATUS_UNCATEGORIZED |
chrome |
CHROME_OS_CRD_CLIENT_CONNECTED |
USER_LOGIN |
chrome |
CHROME_OS_CRD_HOST_ENDED |
STATUS_STARTUP |
chrome |
CHROME_OS_CRD_HOST_STARTED |
STATUS_STARTUP |
chrome |
URL_FILTERING_INTERSTITIAL |
STATUS_UNCATEGORIZED |
context_aware_access |
ACCESS_DENY_EVENT |
USER_RESOURCE_ACCESS |
context_aware_access |
ACCESS_DENY_INTERNAL_ERROR_EVENT |
USER_RESOURCE_ACCESS |
context_aware_access |
MONITOR_MODE_ACCESS_DENY_EVENT |
USER_RESOURCE_ACCESS |
gplus |
create_comment |
USER_RESOURCE_CREATION |
gplus |
delete_comment |
USER_RESOURCE_DELETION |
gplus |
edit_comment |
USER_RESOURCE_UPDATE_CONTENT |
gplus |
add_plusone |
STATUS_UPDATE |
gplus |
remove_plusone |
STATUS_UPDATE |
gplus |
add_poll_vote |
STATUS_UPDATE |
gplus |
remove_poll_vote |
STATUS_UPDATE |
gplus |
create_post |
USER_RESOURCE_CREATION |
gplus |
delete_post |
USER_RESOURCE_DELETION |
gplus |
content_manager_delete_post |
USER_RESOURCE_DELETION |
gplus |
edit_post |
USER_RESOURCE_UPDATE_CONTENT |
data_studio |
ADD_REPORT_EMAIL_DELIVERY |
USER_UNCATEGORIZED |
data_studio |
CREATE |
USER_RESOURCE_CREATION |
data_studio |
DATA_EXPORT |
USER_RESOURCE_ACCESS |
data_studio |
DELETE |
USER_RESOURCE_DELETION |
data_studio |
DOWNLOAD_REPORT |
USER_UNCATEGORIZED |
data_studio |
EDIT |
USER_RESOURCE_UPDATE_CONTENT |
data_studio |
RESTORE |
USER_RESOURCE_CREATION |
data_studio |
STOP_REPORT_EMAIL_DELIVERY |
USER_UNCATEGORIZED |
data_studio |
TRASH |
USER_RESOURCE_DELETION |
data_studio |
UPDATE_REPORT_EMAIL_DELIVERY |
USER_UNCATEGORIZED |
data_studio |
VIEW |
USER_RESOURCE_ACCESS |
data_studio |
CHANGE_DATA_SOURCE_ACCESS_TYPE |
USER_RESOURCE_UPDATE_PERMISSIONS |
data_studio |
CHANGE_ASSET_LINK_SHARING_ACCESS_TYPE |
USER_RESOURCE_UPDATE_PERMISSIONS |
data_studio |
CHANGE_ASSET_LINK_SHARING_VISIBILITY |
USER_RESOURCE_UPDATE_PERMISSIONS |
data_studio |
CHANGE_USER_ACCESS |
USER_CHANGE_PERMISSIONS |
mobile |
APPLICATION_EVENT |
USER_RESOURCE_UPDATE_CONTENT |
mobile |
APPLICATION_REPORT_EVENT |
STATUS_UPDATE |
mobile |
DEVICE_REGISTER_UNREGISTER_EVENT |
USER_RESOURCE_UPDATE_PERMISSIONS |
mobile |
ADVANCED_POLICY_SYNC_EVENT |
STATUS_UPDATE |
mobile |
DEVICE_ACTION_EVENT |
USER_RESOURCE_UPDATE_CONTENT |
mobile |
DEVICE_COMPLIANCE_CHANGED_EVENT |
STATUS_UPDATE |
mobile |
OS_UPDATED_EVENT |
USER_RESOURCE_UPDATE_CONTENT |
mobile |
DEVICE_OWNERSHIP_CHANGE_EVENT |
STATUS_UPDATE |
mobile |
DEVICE_SETTINGS_UPDATED_EVENT |
SETTING_MODIFICATION |
mobile |
APPLE_DEP_DEVICE_UPDATE_ON_APPLE_PORTAL_EVENT |
STATUS_UPDATE |
mobile |
DEVICE_SYNC_EVENT |
USER_RESOURCE_UPDATE_CONTENT |
mobile |
RISK_SIGNAL_UPDATED_EVENT |
STATUS_UPDATE |
mobile |
ANDROID_WORK_PROFILE_SUPPORT_ENABLED_EVENT |
STATUS_UPDATE |
mobile |
DEVICE_COMPROMISED_EVENT |
STATUS_UPDATE |
mobile |
FAILED_PASSWORD_ATTEMPTS_EVENT |
STATUS_UPDATE |
mobile |
SUSPICIOUS_ACTIVITY_EVENT |
STATUS_UPDATE |
groups_enterprise |
accept_invitation |
USER_UNCATEGORIZED |
groups_enterprise |
add_info_setting |
GROUP_MODIFICATION |
groups_enterprise |
add_member |
GROUP_MODIFICATION |
groups_enterprise |
add_member_role |
USER_CHANGE_PERMISSIONS |
groups_enterprise |
add_security_setting |
GROUP_MODIFICATION |
groups_enterprise |
add_service_account_permission |
USER_CHANGE_PERMISSIONS |
groups_enterprise |
approve_join_request |
USER_UNCATEGORIZED |
groups_enterprise |
ban_member_with_moderation |
GROUP_MODIFICATION |
groups_enterprise |
change_info_setting |
GROUP_MODIFICATION |
groups_enterprise |
change_security_setting |
GROUP_MODIFICATION |
groups_enterprise |
create_group |
GROUP_CREATION |
groups_enterprise |
create_namespace |
GROUP_UNCATEGORIZED |
groups_enterprise |
delete_group |
GROUP_DELETION |
groups_enterprise |
delete_namespace |
GROUP_UNCATEGORIZED |
groups_enterprise |
add_dynamic_group_query |
GROUP_UNCATEGORIZED |
groups_enterprise |
change_dynamic_group_query |
GROUP_MODIFICATION |
groups_enterprise |
invite_member |
GROUP_UNCATEGORIZED |
groups_enterprise |
join |
GROUP_MODIFICATION |
groups_enterprise |
add_membership_expiry |
GROUP_MODIFICATION |
groups_enterprise |
remove_membership_expiry |
GROUP_MODIFICATION |
groups_enterprise |
update_membership_expiry |
GROUP_MODIFICATION |
groups_enterprise |
reject_invitation |
USER_UNCATEGORIZED |
groups_enterprise |
reject_join_request |
USER_UNCATEGORIZED |
groups_enterprise |
remove_info_setting |
GROUP_MODIFICATION |
groups_enterprise |
remove_member |
GROUP_MODIFICATION |
groups_enterprise |
remove_member_role |
GROUP_MODIFICATION |
groups_enterprise |
remove_security_setting |
GROUP_MODIFICATION |
groups_enterprise |
remove_service_account_permission |
GROUP_MODIFICATION |
groups_enterprise |
request_to_join |
USER_UNCATEGORIZED |
groups_enterprise |
revoke_invitation |
USER_UNCATEGORIZED |
groups_enterprise |
unban_member |
GROUP_MODIFICATION |
calendar |
change_calendar_acls |
USER_CHANGE_PERMISSIONS |
calendar |
change_calendar_country |
USER_RESOURCE_UPDATE_CONTENT |
calendar |
create_calendar |
USER_RESOURCE_CREATION |
calendar |
delete_calendar |
USER_RESOURCE_DELETION |
calendar |
change_calendar_description |
USER_RESOURCE_UPDATE_CONTENT |
calendar |
change_calendar_location |
USER_RESOURCE_UPDATE_CONTENT |
calendar |
change_calendar_timezone |
USER_RESOURCE_UPDATE_CONTENT |
calendar |
change_calendar_title |
USER_RESOURCE_UPDATE_CONTENT |
calendar |
notification_triggered |
USER_UNCATEGORIZED |
calendar |
add_subscription |
USER_UNCATEGORIZED |
calendar |
delete_subscription |
STATUS_UPDATE |
calendar |
create_event |
USER_RESOURCE_UPDATE_CONTENT |
calendar |
delete_event |
USER_RESOURCE_UPDATE_CONTENT |
calendar |
add_event_guest |
USER_RESOURCE_UPDATE_CONTENT |
calendar |
change_event_guest_response_auto |
USER_UNCATEGORIZED |
calendar |
remove_event_guest |
USER_RESOURCE_UPDATE_CONTENT |
calendar |
change_event_guest_response |
USER_RESOURCE_UPDATE_CONTENT |
calendar |
change_event |
USER_RESOURCE_UPDATE_CONTENT |
calendar |
remove_event_from_trash |
USER_RESOURCE_UPDATE_CONTENT |
calendar |
restore_event |
USER_RESOURCE_UPDATE_CONTENT |
calendar |
change_event_start_time |
USER_RESOURCE_UPDATE_CONTENT |
calendar |
change_event_title |
USER_RESOURCE_UPDATE_CONTENT |
calendar |
transfer_event_requested |
USER_UNCATEGORIZED |
calendar |
transfer_event_completed |
USER_UNCATEGORIZED |
calendar |
interop_freebusy_lookup_outbound_successful |
USER_RESOURCE_ACCESS |
calendar |
interop_freebusy_lookup_inbound_successful |
USER_RESOURCE_ACCESS |
calendar |
interop_exchange_resource_availability_lookup_successful |
USER_RESOURCE_ACCESS |
calendar |
interop_exchange_resource_list_lookup_successful |
USER_RESOURCE_ACCESS |
calendar |
interop_freebusy_lookup_outbound_unsuccessful |
USER_RESOURCE_ACCESS |
calendar |
interop_freebusy_lookup_inbound_unsuccessful |
USER_RESOURCE_ACCESS |
calendar |
interop_exchange_resource_availability_lookup_unsuccessful |
USER_RESOURCE_ACCESS |
calendar |
interop_exchange_resource_list_lookup_unsuccessful |
USER_RESOURCE_ACCESS |
chat |
add_room_member |
GROUP_MODIFICATION |
chat |
attachment_download |
FILE_UNCATEGORIZED |
chat |
attachment_upload |
FILE_UNCATEGORIZED |
chat |
block_room |
GROUP_UNCATEGORIZED |
chat |
block_user |
USER_UNCATEGORIZED |
chat |
direct_message_started |
USER_UNCATEGORIZED |
chat |
invite_accept |
USER_UNCATEGORIZED |
chat |
invite_decline |
USER_UNCATEGORIZED |
chat |
invite_send |
USER_UNCATEGORIZED |
chat |
message_edited |
USER_RESOURCE_UPDATE_CONTENT |
chat |
message_posted |
USER_RESOURCE_CREATION |
chat |
message_reported |
USER_UNCATEGORIZED |
chat |
message_deleted |
USER_RESOURCE_DELETION |
chat |
remove_room_member |
GROUP_MODIFICATION |
chat |
room_created |
GROUP_CREATED |
chat |
reaction_added |
USER_UNCATEGORIZED |
chat |
call_ended |
USER_UNCATEGORIZED |
chat |
presentation_started |
STATUS_UNCATEGORIZED |
chat |
invitation_sent |
STATUS_UNCATEGORIZED |
chat |
presentation_stopped |
STATUS_UNCATEGORIZED |
gcp |
IMPORT_SSH_PUBLIC_KEY |
USER_UNCATEGORIZED |
gcp |
DELETE_POSIX_ACCOUNT |
USER_UNCATEGORIZED |
gcp |
DELETE_SSH_PUBLIC_KEY |
USER_UNCATEGORIZED |
gcp |
GET_SSH_PUBLIC_KEY |
USER_UNCATEGORIZED |
gcp |
GET_LOGIN_PROFILE |
USER_UNCATEGORIZED |
gcp |
UPDATE_SSH_PUBLIC_KEY |
USER_UNCATEGORIZED |
drive |
add_to_folder |
USER_RESOURCE_CREATION |
drive |
approval_canceled |
USER_UNCATEGORIZED |
drive |
approval_comment_added |
USER_UNCATEGORIZED |
drive |
approval_completed |
USER_UNCATEGORIZED |
drive |
approval_decisions_reset |
USER_UNCATEGORIZED |
drive |
approval_due_time_change |
USER_UNCATEGORIZED |
drive |
approval_requested |
USER_UNCATEGORIZED |
drive |
approval_reviewer_change |
USER_UNCATEGORIZED |
drive |
approval_reviewer_responded |
USER_UNCATEGORIZED |
drive |
copy |
USER_RESOURCE_CREATION |
drive |
create |
USER_RESOURCE_CREATION |
drive |
delete |
USER_RESOURCE_DELETION |
drive |
download |
USER_RESOURCE_ACCESS |
drive |
email_as_attachment |
EMAIL_TRANSACTION |
drive |
edit |
USER_RESOURCE_UPDATE_CONTENT |
drive |
label_added |
USER_UNCATEGORIZED |
drive |
label_added_by_item_create |
USER_UNCATEGORIZED |
drive |
label_field_changed |
USER_UNCATEGORIZED |
drive |
label_removed |
USER_UNCATEGORIZED |
drive |
add_lock |
USER_UNCATEGORIZED |
drive |
move |
USER_UNCATEGORIZED |
drive |
preview |
USER_RESOURCE_ACCESS |
drive |
print |
USER_UNCATEGORIZED |
drive |
remove_from_folder |
USER_RESOURCE_DELETION |
drive |
rename |
USER_RESOURCE_UPDATE_CONTENT |
drive |
untrash |
USER_RESOURCE_CREATION |
drive |
sheets_import_range |
USER_RESOURCE_ACCESS |
drive |
source_copy |
USER_RESOURCE_UPDATE_CONTENT |
drive |
trash |
USER_RESOURCE_DELETION |
drive |
remove_lock |
USER_UNCATEGORIZED |
drive |
unmovable_item_reparented |
USER_UNCATEGORIZED |
drive |
upload |
USER_RESOURCE_CREATION |
drive |
view |
USER_RESOURCE_ACCESS |
drive |
connected_sheets_query |
USER_RESOURCE_ACCESS |
drive |
accept_suggestion |
USER_RESOURCE_UPDATE_CONTENT |
drive |
create_comment |
USER_RESOURCE_CREATION |
drive |
create_suggestion |
USER_RESOURCE_CREATION |
drive |
delete_comment |
USER_RESOURCE_DELETION |
drive |
delete_suggestion |
USER_RESOURCE_DELETION |
drive |
edit_comment |
USER_RESOURCE_UPDATE_CONTENT |
drive |
expire_access_request |
USER_RESOURCE_UPDATE_PERMISSIONS |
drive |
reassign_comment |
USER_RESOURCE_UPDATE_CONTENT |
drive |
reject_suggestion |
USER_RESOURCE_UPDATE_CONTENT |
drive |
reopen_comment |
USER_RESOURCE_UPDATE_CONTENT |
drive |
request_access |
USER_RESOURCE_UPDATE_PERMISSIONS |
drive |
resolve_comment |
USER_RESOURCE_UPDATE_CONTENT |
drive |
deny_access_request |
USER_UNCATEGORIZED |
drive |
download_forms_response |
USER_RESOURCE_ACCESS |
drive |
email_collaborators |
EMAIL_UNCATEGORIZED |
drive |
access_url |
USER_RESOURCE_ACCESS |
drive |
access_item_content |
USER_RESOURCE_ACCESS |
drive |
sheets_import_url |
USER_UNCATEGORIZED |
drive |
apply_security_update |
USER_RESOURCE_UPDATE_PERMISSIONS |
drive |
shared_drive_apply_security_update |
USER_RESOURCE_UPDATE_PERMISSIONS |
drive |
shared_drive_remove_security_update |
USER_RESOURCE_UPDATE_PERMISSIONS |
drive |
publish_change |
USER_RESOURCE_UPDATE_PERMISSIONS |
drive |
change_acl_editors |
USER_RESOURCE_UPDATE_PERMISSIONS |
drive |
change_document_access_scope |
USER_RESOURCE_UPDATE_PERMISSIONS |
drive |
change_document_access_scope_hierarchy_reconciled |
USER_RESOURCE_UPDATE_PERMISSIONS |
drive |
change_document_visibility |
USER_RESOURCE_UPDATE_PERMISSIONS |
drive |
change_document_visibility_hierarchy_reconciled |
USER_RESOURCE_UPDATE_PERMISSIONS |
drive |
remove_security_update |
USER_RESOURCE_UPDATE_PERMISSIONS |
drive |
shared_drive_membership_change |
USER_RESOURCE_UPDATE_PERMISSIONS |
drive |
shared_drive_settings_change |
USER_RESOURCE_UPDATE_PERMISSIONS |
drive |
sheets_import_range_access_change |
USER_RESOURCE_UPDATE_PERMISSIONS |
drive |
change_user_access |
USER_CHANGE_PERMISSIONS |
drive |
change_user_access_hierarchy_reconciled |
USER_CHANGE_PERMISSIONS |
drive |
change_owner |
USER_CHANGE_PERMISSIONS |
drive |
publish_new_version |
USER_UNCATEGORIZED |
drive |
change_owner_hierarchy_reconciled |
USER_CHANGE_PERMISSIONS |
drive |
team_drive_membership_change |
USER_CHANGE_PERMISSIONS |
drive |
team_drive_settings_change |
USER_CHANGE_PERMISSIONS |
drive |
storage_usage_update |
USER_RESOURCE_ACCESS |
groups |
change_acl_permission |
GROUP_MODIFICATION |
groups |
accept_invitation |
USER_UNCATEGORIZED |
groups |
approve_join_request |
USER_UNCATEGORIZED |
groups |
join |
GROUP_MODIFICATION |
groups |
request_to_join |
USER_UNCATEGORIZED |
groups |
change_basic_setting |
GROUP_MODIFICATION |
groups |
create_group |
GROUP_CREATION |
groups |
delete_group |
GROUP_DELETION |
groups |
change_identity_setting |
GROUP_MODIFICATION |
groups |
add_info_setting |
GROUP_MODIFICATION |
groups |
change_info_setting |
GROUP_MODIFICATION |
groups |
remove_info_setting |
GROUP_MODIFICATION |
groups |
change_new_members_restrictions_setting |
GROUP_UNCATEGORIZED |
groups |
change_post_replies_setting |
GROUP_MODIFICATION |
groups |
change_spam_moderation_setting |
GROUP_MODIFICATION |
groups |
change_topic_setting |
GROUP_MODIFICATION |
groups |
moderate_message |
GROUP_MODIFICATION |
groups |
always_post_from_user |
USER_UNCATEGORIZED |
groups |
add_user |
GROUP_MODIFICATION |
groups |
ban_user_with_moderation |
GROUP_MODIFICATION |
groups |
revoke_invitation |
USER_UNCATEGORIZED |
groups |
invite_user |
USER_UNCATEGORIZED |
groups |
reject_join_request |
USER_UNCATEGORIZED |
groups |
reinvite_user |
USER_UNCATEGORIZED |
groups |
remove_user |
GROUP_MODIFICATION |
groups |
change_email_subscription_type |
GROUP_MODIFICATION |
groups |
unsubscribe_via_mail |
USER_UNCATEGORIZED |
keep |
deleted_attachment |
USER_UNCATEGORIZED |
keep |
uploaded_attachment |
USER_UNCATEGORIZED |
keep |
edited_note_content |
USER_RESOURCE_UPDATE_CONTENT |
keep |
created_note |
USER_RESOURCE_CREATION |
keep |
deleted_note |
USER_RESOURCE_DELETION |
keep |
modified_acl |
USER_RESOURCE_UPDATE_PERMISSIONS |
meet |
abuse_report_submitted |
USER_UNCATEGORIZED |
meet |
call_ended |
USER_UNCATEGORIZED |
meet |
livestream_watched |
USER_COMMUNICATION |
meet |
invitation_sent |
STATUS_UNCATEGORIZED |
meet |
presentation_started |
STATUS_UNCATEGORIZED |
meet |
presentation_stopped |
STATUS_UNCATEGORIZED |
meet |
knocking_denied |
STATUS_UNCATEGORIZED |
meet |
knocking_accepted |
STATUS_UNCATEGORIZED |
meet |
recording_activity |
STATUS_UNCATEGORIZED |
meet |
dialed_out |
STATUS_UNCATEGORIZED |
token |
activity |
USER_RESOURCE_ACCESS |
token |
authorize |
USER_RESOURCE_ACCESS |
token |
revoke |
USER_RESOURCE_UPDATE_PERMISSIONS |
rules |
action_complete |
USER_RESOURCE_ACCESS |
rules |
rule_match |
USER_RESOURCE_ACCESS |
rules |
rule_trigger |
USER_RESOURCE_ACCESS |
rules |
label_field_value_changed |
USER_RESOURCE_UPDATE_CONTENT |
rules |
label_applied |
USER_RESOURCE_UPDATE_CONTENT |
rules |
sharing_blocked |
USER_RESOURCE_UPDATE_CONTENT |
rules |
content_matched |
USER_RESOURCE_ACCESS |
rules |
content_unmatched |
USER_RESOURCE_ACCESS |
saml |
login_failure |
USER_LOGIN |
saml |
login_success |
USER_LOGIN |
user_accounts |
2sv_disable |
USER_UNCATEGORIZED |
user_accounts |
2sv_enroll |
USER_UNCATEGORIZED |
user_accounts |
password_edit |
USER_UNCATEGORIZED |
user_accounts |
recovery_email_edit |
USER_UNCATEGORIZED |
user_accounts |
recovery_phone_edit |
USER_UNCATEGORIZED |
user_accounts |
recovery_secret_qa_edit |
USER_UNCATEGORIZED |
user_accounts |
titanium_enroll |
USER_UNCATEGORIZED |
user_accounts |
titanium_unenroll |
USER_UNCATEGORIZED |
user_accounts |
email_forwarding_out_of_domain |
USER_UNCATEGORIZED |
jamboard |
DEVICE_LICENSE_ENROLLMENT_CHANGE |
SETTING_MODIFICATION |
jamboard |
DEVICE_OTA_UPDATE_REQUESTED |
SETTING_MODIFICATION |
jamboard |
DEVICE_PROVISIONING_CHANGE |
SETTING_MODIFICATION |
jamboard |
DEVICE_REBOOT_REQUESTED |
USER_UNCATEGORIZED |
jamboard |
EXPORT_JAMBOARD_FLEET |
USER_UNCATEGORIZED |
jamboard |
ADB_ENABLED_STATE_CHANGE |
SETTING_MODIFICATION |
jamboard |
DEVICE_ADDITIONAL_IMES_CHANGE |
SETTING_MODIFICATION |
jamboard |
DEVICE_LOGGING_CHANGE |
SETTING_MODIFICATION |
jamboard |
DEMO_MODE_AVAILABILITY_CHANGE |
SETTING_MODIFICATION |
jamboard |
DEMO_MODE_CHANGE |
SETTING_MODIFICATION |
jamboard |
FINGER_ERASING_CHANGE |
SETTING_MODIFICATION |
jamboard |
DEVICE_LANGUAGE_CHANGE |
SETTING_MODIFICATION |
jamboard |
DEVICE_LOCATION_CHANGE |
STATUS_UPDATE |
jamboard |
DEVICE_NAME_CHANGE |
STATUS_UPDATE |
jamboard |
DEVICE_NOTE_CHANGE |
STATUS_UPDATE |
jamboard |
DEVICE_PAIRING_CHANGE |
SETTING_MODIFICATION |
jamboard |
SCREENSAVER_TIMEOUT_CHANGE |
SETTING_MODIFICATION |
jamboard |
DEVICE_SETTING_LOCKED |
SETTING_MODIFICATION |
jamboard |
DEVICE_SETTING_UNLOCKED |
SETTING_MODIFICATION |
jamboard |
VIDEOCONF_ENABLED_CHANGE |
SETTING_MODIFICATION |
jamboard |
DEVICE_UPDATE |
STATUS_UPDATE |
login |
2sv_disable |
SERVICE_STOP |
login |
2sv_enroll |
SERVICE_START |
login |
password_edit |
USER_CHANGE_PASSWORD |
login |
recovery_email_edit |
USER_UNCATEGORIZED |
login |
recovery_phone_edit |
USER_UNCATEGORIZED |
login |
recovery_secret_qa_edit |
USER_UNCATEGORIZED |
login |
account_disabled_password_leak |
USER_UNCATEGORIZED |
login |
suspicious_login |
USER_LOGIN |
login |
suspicious_login_less_secure_app |
USER_LOGIN |
login |
suspicious_programmatic_login |
USER_LOGIN |
login |
account_disabled_generic |
USER_UNCATEGORIZED |
login |
account_disabled_spamming_through_relay |
USER_UNCATEGORIZED |
login |
account_disabled_spamming |
USER_UNCATEGORIZED |
login |
account_disabled_hijacked |
USER_UNCATEGORIZED |
login |
titanium_enroll |
USER_UNCATEGORIZED |
login |
titanium_unenroll |
USER_UNCATEGORIZED |
login |
gov_attack_warning |
STATUS_UNCATEGORIZED |
login |
email_forwarding_out_of_domain |
USER_UNCATEGORIZED |
login |
login_failure |
USER_LOGIN. The security category is |
login |
login_challenge |
USER_LOGIN |
login |
login_verification |
USER_LOGIN |
login |
logout |
USER_LOGOUT |
login |
login_success |
USER_LOGIN |
login |
risky_sensitive_action_allowed |
USER_LOGIN |
login |
risky_sensitive_action_blocked |
USER_LOGIN |
login |
blocked_sender |
STATUS_UNCATEGORIZED |
admin |
DELETE_2SV_SCRATCH_CODES |
USER_RESOURCE_DELETION |
admin |
GENERATE_2SV_SCRATCH_CODES |
USER_RESOURCE_CREATION |
admin |
REVOKE_3LO_DEVICE_TOKENS |
USER_RESOURCE_ACCESS |
admin |
REVOKE_3LO_TOKEN |
USER_RESOURCE_ACCESS |
admin |
ADD_RECOVERY_EMAIL |
USER_RESOURCE_CREATION |
admin |
ADD_RECOVERY_PHONE |
USER_RESOURCE_CREATION |
admin |
GRANT_ADMIN_PRIVILEGE |
USER_CHANGE_PERMISSIONS |
admin |
REVOKE_ADMIN_PRIVILEGE |
USER_CHANGE_PERMISSIONS |
admin |
REVOKE_ASP |
USER_CHANGE_PERMISSIONS |
admin |
TOGGLE_AUTOMATIC_CONTACT_SHARING |
SETTING_MODIFICATION |
admin |
BULK_UPLOAD |
USER_RESOURCE_CREATION |
admin |
BULK_UPLOAD_NOTIFICATION_SENT |
USER_UNCATEGORIZED |
admin |
CANCEL_USER_INVITE |
USER_UNCATEGORIZED |
admin |
CHANGE_USER_CUSTOM_FIELD |
USER_UNCATEGORIZED |
admin |
CHANGE_USER_EXTERNAL_ID |
USER_UNCATEGORIZED |
admin |
CHANGE_USER_GENDER |
USER_UNCATEGORIZED |
admin |
CHANGE_USER_IM |
USER_UNCATEGORIZED |
admin |
ENABLE_USER_IP_WHITELIST |
USER_UNCATEGORIZED |
admin |
CHANGE_USER_KEYWORD |
USER_UNCATEGORIZED |
admin |
CHANGE_USER_LANGUAGE |
USER_UNCATEGORIZED |
admin |
CHANGE_USER_LOCATION |
USER_UNCATEGORIZED |
admin |
CHANGE_USER_ORGANIZATION |
USER_UNCATEGORIZED |
admin |
CHANGE_USER_PHONE_NUMBER |
USER_UNCATEGORIZED |
admin |
CHANGE_RECOVERY_EMAIL |
USER_UNCATEGORIZED |
admin |
CHANGE_RECOVERY_PHONE |
USER_UNCATEGORIZED |
admin |
CHANGE_USER_RELATION |
USER_UNCATEGORIZED |
admin |
CHANGE_USER_ADDRESS |
USER_UNCATEGORIZED |
admin |
CREATE_EMAIL_MONITOR |
SERVICE_CREATION |
admin |
CREATE_DATA_TRANSFER_REQUEST |
USER_UNCATEGORIZED |
admin |
GRANT_DELEGATED_ADMIN_PRIVILEGES |
USER_CHANGE_PERMISSIONS |
admin |
DELETE_ACCOUNT_INFO_DUMP |
USER_RESOURCE_DELETION |
admin |
DELETE_EMAIL_MONITOR |
SERVICE_DELETION |
admin |
DELETE_MAILBOX_DUMP |
USER_RESOURCE_DELETION |
admin |
DELETE_PROFILE_PHOTO |
USER_RESOURCE_DELETION |
admin |
CHANGE_DISPLAY_NAME |
USER_UNCATEGORIZED |
admin |
CHANGE_FIRST_NAME |
USER_UNCATEGORIZED |
admin |
GMAIL_RESET_USER |
USER_UNCATEGORIZED |
admin |
CHANGE_LAST_NAME |
USER_UNCATEGORIZED |
admin |
MAIL_ROUTING_DESTINATION_ADDED |
USER_RESOURCE_CREATION |
admin |
MAIL_ROUTING_DESTINATION_REMOVED |
USER_RESOURCE_DELETION |
admin |
ADD_NICKNAME |
USER_UNCATEGORIZED |
admin |
REMOVE_NICKNAME |
USER_UNCATEGORIZED |
admin |
CHANGE_PASSWORD |
USER_CHANGE_PASSWORD |
admin |
CHANGE_PASSWORD_ON_NEXT_LOGIN |
USER_CHANGE_PASSWORD |
admin |
DOWNLOAD_PENDING_INVITES_LIST |
STATUS_UNCATEGORIZED |
admin |
REMOVE_RECOVERY_EMAIL |
USER_RESOURCE_DELETION |
admin |
REMOVE_RECOVERY_PHONE |
USER_RESOURCE_DELETION |
admin |
REQUEST_ACCOUNT_INFO |
USER_UNCATEGORIZED |
admin |
REQUEST_MAILBOX_DUMP |
USER_UNCATEGORIZED |
admin |
RESEND_USER_INVITE |
USER_UNCATEGORIZED |
admin |
RESET_SIGNIN_COOKIES |
USER_RESOURCE_UPDATE_CONTENT |
admin |
SECURITY_KEY_REGISTERED_FOR_USER |
USER_RESOURCE_CREATION |
admin |
REVOKE_SECURITY_KEY |
USER_RESOURCE_UPDATE_PERMISSIONS |
admin |
USER_INVITE |
USER_UNCATEGORIZED |
admin |
VIEW_TEMP_PASSWORD |
USER_UNCATEGORIZED |
admin |
TURN_OFF_2_STEP_VERIFICATION |
USER_RESOURCE_UPDATE_PERMISSIONS |
admin |
UNBLOCK_USER_SESSION |
USER_UNCATEGORIZED |
admin |
UNMANAGED_USERS_BULK_UPLOAD |
USER_RESOURCE_CREATION |
admin |
DOWNLOAD_UNMANAGED_USERS_LIST |
USER_UNCATEGORIZED |
admin |
UPDATE_PROFILE_PHOTO |
USER_RESOURCE_UPDATE_CONTENT |
admin |
UNENROLL_USER_FROM_TITANIUM |
USER_UNCATEGORIZED |
admin |
ARCHIVE_USER |
USER_UNCATEGORIZED |
admin |
UPDATE_BIRTHDATE |
USER_UNCATEGORIZED |
admin |
CREATE_USER |
USER_CREATION |
admin |
DELETE_USER |
USER_DELETION |
admin |
DOWNGRADE_USER_FROM_GPLUS |
USER_CHANGE_PERMISSIONS |
admin |
USER_ENROLLED_IN_TWO_STEP_VERIFICATION |
USER_UNCATEGORIZED |
admin |
DOWNLOAD_USERLIST_CSV |
STATUS_UNCATEGORIZED |
admin |
MOVE_USER_TO_ORG_UNIT |
USER_UNCATEGORIZED |
admin |
USER_PUT_IN_TWO_STEP_VERIFICATION_GRACE_PERIOD |
USER_UNCATEGORIZED |
admin |
RENAME_USER |
USER_RESOURCE_UPDATE_CONTENT |
admin |
UNENROLL_USER_FROM_STRONG_AUTH |
USER_UNCATEGORIZED |
admin |
SUSPEND_USER |
USER_UNCATEGORIZED |
admin |
UNARCHIVE_USER |
USER_UNCATEGORIZED |
admin |
UNDELETE_USER |
USER_UNCATEGORIZED |
admin |
UNSUSPEND_USER |
USER_UNCATEGORIZED |
admin |
UPGRADE_USER_TO_GPLUS |
USER_CHANGE_PERMISSIONS |
admin |
USERS_BULK_UPLOAD |
USER_RESOURCE_CREATION |
admin |
USERS_BULK_UPLOAD_NOTIFICATION_SENT |
USER_UNCATEGORIZED |
admin |
ASSIGN_ROLE |
USER_RESOURCE_UPDATE_PERMISSIONS |
admin |
CREATE_ROLE |
USER_RESOURCE_CREATION |
admin |
UNASSIGN_ROLE |
USER_RESOURCE_UPDATE_PERMISSIONS |
admin |
AUTHORIZE_API_CLIENT_ACCESS |
USER_RESOURCE_ACCESS |
admin |
ADD_TRUSTED_DOMAINS |
USER_RESOURCE_UPDATE_CONTENT |
admin |
CHANGE_DOMAIN_DEFAULT_TIMEZONE |
USER_RESOURCE_UPDATE_CONTENT |
admin |
CHANGE_DOMAIN_DEFAULT_LOCALE |
USER_RESOURCE_UPDATE_CONTENT |
admin |
CREATE_ALERT |
USER_RESOURCE_CREATION |
admin |
REMOVE_APPLICATION |
USER_RESOURCE_DELETION |
admin |
ADD_APPLICATION |
USER_RESOURCE_CREATION |
admin |
REMOVE_API_CLIENT_ACCESS |
USER_RESOURCE_DELETION |
admin |
CHANGE_SSO_SETTINGS |
SETTING_MODIFICATION |
admin |
ALERT_CENTER_VIEW |
STATUS_UNCATEGORIZED |
admin |
ALERT_CENTER_LIST_FEEDBACK |
STATUS_UNCATEGORIZED |
admin |
ALERT_CENTER_GET_SIT_LINK |
STATUS_UNCATEGORIZED |
admin |
ALERT_CENTER_LIST_CHANGE |
STATUS_UNCATEGORIZED |
admin |
ALERT_CENTER_LIST_RELATED_ALERTS |
STATUS_UNCATEGORIZED |
admin |
EMAIL_LOG_SEARCH |
EMAIL_UNCATEGORIZED |
admin |
CHANGE_EMAIL_SETTING |
SETTING_MODIFICATION |
admin |
CREATE_GMAIL_SETTING |
SETTING_MODIFICATION |
admin |
CHANGE_GMAIL_SETTING |
SETTING_MODIFICATION |
admin |
DELETE_GMAIL_SETTING |
SETTING_MODIFICATION |
admin |
RELEASE_FROM_QUARANTINE |
EMAIL_UNCATEGORIZED |
admin |
SECURITY_INVESTIGATION_QUERY |
STATUS_UNCATEGORIZED |
admin |
SECURITY_INVESTIGATION_ACTION |
STATUS_UNCATEGORIZED |
admin |
SECURITY_INVESTIGATION_OBJECT_CREATE_DRAFT_INVESTIGATION |
STATUS_UNCATEGORIZED |
admin |
SECURITY_INVESTIGATION_ACTION_COMPLETION |
STATUS_UNCATEGORIZED |
admin |
SECURITY_INVESTIGATION_EXPORT_QUERY |
STATUS_UNCATEGORIZED |
admin |
SECURITY_INVESTIGATION_ACTION_CANCELLATION |
STATUS_UNCATEGORIZED |
admin |
CHANGE_GROUP_SETTING |
GROUP_MODIFICATION |
admin |
ADD_GROUP_MEMBER |
GROUP_MODIFICATION |
admin |
CREATE_GROUP |
GROUP_CREATION |
admin |
REMOVE_GROUP_MEMBER |
GROUP_MODIFICATION |
admin |
UPDATE_GROUP_MEMBER_DELIVERY_SETTINGS |
GROUP_MODIFICATION |
admin |
UPDATE_GROUP_MEMBER |
GROUP_MODIFICATION |
admin |
DELETE_GROUP |
GROUP_DELETION |
admin |
USER_LICENSE_ASSIGNMENT |
USER_RESOURCE_UPDATE_PERMISSIONS |
admin |
USER_LICENSE_REVOKE |
USER_RESOURCE_UPDATE_PERMISSIONS |
admin |
SECURITY_CHART_DRILLDOWN |
STATUS_UNCATEGORIZED |
admin |
SYSTEM_DEFINED_RULE_UPDATED |
SETTING_MODIFICATION |
admin |
CUSTOMER_USER_DEVICE_DELETION_EVENT |
USER_RESOURCE_DELETION |
admin |
ADD_MOBILE_APPLICATION_TO_WHITELIST |
USER_RESOURCE_UPDATE_CONTENT |
admin |
REMOVE_MOBILE_APPLICATION_FROM_WHITELIST |
USER_RESOURCE_UPDATE_CONTENT |
admin |
CHANGE_MOBILE_APPLICATION_SETTINGS |
SETTING_MODIFICATION |
admin |
ACTION_REQUESTED |
USER_UNCATEGORIZED |
admin |
CREATE_APPLICATION_SETTING |
SETTING_CREATION |
admin |
CHANGE_APPLICATION_SETTING |
SETTING_MODIFICATION |
admin |
CREATE_SAML2_SERVICE_PROVIDER_CONFIG |
SETTING_CREATION |
admin |
DELETE_SAML2_SERVICE_PROVIDER_CONFIG |
SETTING_DELETION |
admin |
TOGGLE_SERVICE_ENABLED |
SETTING_MODIFICATION |
admin |
CREATE_ORG_UNIT |
USER_RESOURCE_CREATION |
admin |
MOVE_ORG_UNIT |
USER_RESOURCE_UPDATE_CONTENT |
admin |
EDIT_ORG_UNIT_NAME |
USER_RESOURCE_UPDATE_CONTENT |
admin |
REMOVE_ORG_UNIT |
USER_RESOURCE_DELETION |
admin |
UNASSIGN_CUSTOM_LOGO |
USER_RESOURCE_UPDATE_CONTENT |
admin |
ASSIGN_CUSTOM_LOGO |
USER_RESOURCE_UPDATE_CONTENT |
admin |
EDIT_ORG_UNIT_DESCRIPTION |
USER_RESOURCE_UPDATE_CONTENT |
admin |
CHANGE_DOCS_SETTING |
SETTING_MODIFICATION |
admin |
CHANGE_CALENDAR_SETTING |
SETTING_MODIFICATION |
admin |
SESSION_CONTROL_SETTINGS_CHANGE |
SETTING_MODIFICATION |
admin |
DISALLOW_SERVICE_FOR_OAUTH2_ACCESS |
SETTING_MODIFICATION |
admin |
ALLOW_STRONG_AUTHENTICATION |
SETTING_MODIFICATION |
admin |
ENFORCE_STRONG_AUTHENTICATION |
SETTING_MODIFICATION |
admin |
CHANGE_TWO_STEP_VERIFICATION_FREQUENCY |
SETTING_MODIFICATION |
admin |
CHANGE_TWO_STEP_VERIFICATION_ENROLLMENT_PERIOD_DURATION |
SETTING_MODIFICATION |
admin |
CHANGE_TWO_STEP_VERIFICATION_GRACE_PERIOD_DURATION |
SETTING_MODIFICATION |
admin |
CHANGE_ALLOWED_TWO_STEP_VERIFICATION_METHODS |
SETTING_MODIFICATION |
admin |
CHANGE_TWO_STEP_VERIFICATION_START_DATE |
SETTING_MODIFICATION |
admin |
WEAK_PROGRAMMATIC_LOGIN_SETTINGS_CHANGED |
SETTING_MODIFICATION |
admin |
ADD_TO_BLOCKED_OAUTH2_APPS |
STATUS_UPDATE |
admin |
ADD_TO_TRUSTED_OAUTH2_APPS |
STATUS_UPDATE |
admin |
GENERATE_CERTIFICATE |
USER_RESOURCE_CREATION |
admin |
ENABLE_DIRECTORY_SYNC |
SETTING_MODIFICATION |
admin |
CHANGE_DEVICE_STATE |
STATUS_UPDATE |
admin |
UPDATE_ACCESS_LEVEL_V2 |
USER_RESOURCE_UPDATE_PERMISSIONS |
admin |
UPDATE_AUTO_PROVISIONED_USER |
STATUS_UPDATE |
admin |
SECURITY_CENTER_RULE_THRESHOLD_TRIGGER |
STATUS_UPDATE |
gmail |
EMAIL_TRANSACTION |
字段映射参考文档:WORKSPACE_ACTIVITY - 通用字段
下表列出了 WORKSPACE_ACTIVITY 日志类型的常见字段及其对应的 UDM 字段。
| Log field | UDM mapping | Logic |
|---|---|---|
actor.callerType |
target.user.attribute.labels[caller_type] |
If the event.name log field value is equal to one of the following values, then the actor.callerType log field is mapped to the target.user.attribute.labels UDM field:
|
actor.callerType |
principal.user.attribute.labels[caller_type] |
If the event.name log field value is not equal to one of the following values, then the actor.callerType log field is mapped to the principal.user.attribute.labels UDM field:
If the id.applicationName log field value is equal to gmail, then principal.user.attribute.labels.key UDM field is set to actor_caller_type and actor.callerType log field is mapped to principal.user.attribute.labels.value UDM field. |
actor.email |
target.user.email_addresses |
If the event.name log field value is equal to one of the following values, then the actor.email log field is mapped to the target.user.email_addresses UDM field:
If the id.applicationName log field value is equal to gmail, then actor.email log field is mapped to principal.user.email_addresses UDM field. |
actor.email |
principal.user.email_addresses |
If the event.name log field value is not equal to one of the following values, then the actor.email log field is mapped to the principal.user.email_addresses UDM field:
|
actor.email |
security_result.about.email |
|
actor.key |
target.user.attribute.labels[actor_key] |
If the event.name log field value is equal to one of the following values, then the actor.key log field is mapped to the target.user.attribute.labels[actor_key] UDM field:
|
actor.key |
principal.user.attribute.labels[actor_key] |
If the event.name log field value is not equal to one of the following values, then the actor.key log field is mapped to the principal.user.attribute.labels[actor_key] UDM field:
|
actor.key |
target.user.userid |
The actor.key log field is mapped to the target.user.userid UDM field if the following conditions are met:
|
actor.key |
principal.user.userid |
The actor.key log field is mapped to the principal.user.userid UDM field if the following conditions are met:
|
actor.profileId |
target.user.product_object_id |
If the event.name log field value is equal to one of the following values, then the actor.profileId log field is mapped to the target.user.product_object_id UDM field:
|
actor.profileId |
principal.user.product_object_id |
If the event.name log field value is not equal to one of the following values, then the actor.profileId log field is mapped to the principal.user.product_object_id UDM field:
|
etag |
metadata.product_log_id |
|
events.name |
metadata.product_event_type |
|
events.type |
security_result.category_details |
|
id.applicationName |
metadata.product_name |
|
id.customerId |
about.resource.product_object_id |
|
id.time |
metadata.event_timestamp |
|
id.uniqueQualifier |
metadata.product_log_id |
|
ipAddress |
principal.ip |
|
kind |
about.labels[kind] (deprecated) |
|
kind |
additional.fields[kind] |
|
ownerDomain |
target.administrative_domain |
If the target.resource log field value is not empty, then the ownerDomain log field is mapped to the target.administrative_domain UDM field.If the principal.resource log field value is not empty, then the ownerDomain log field is mapped to the principal.administrative_domainIf the id.applicationName log field value is equal to gmail, then ownerDomain log field is mapped to principal.administrative_domain UDM field. |
about.resource.resource_type |
The about.resource.resource_type UDM field is set to CLOUD_ORGANIZATION. | |
metadata.vendor_name |
The metadata.vendor_name UDM field is set to GOOGLE. |
|
actor.gaiaId |
principal.user.product_object_id |
If the event.name log field value is not equal to one of the following values, then the actor.gaiaId log field is mapped to the principal.user.product_object_id UDM field:
|
actor.gaiaId |
target.user.product_object_id |
If the event.name log field value is equal to one of the following values, then the actor.gaiaId log field is mapped to the target.user.product_object_id UDM field:
|
actor.orgunitPath |
principal.user.attribute.labels[org_unit_path] |
If the event.name log field value is not equal to one of the following values, then the actor.orgunitPath log field is mapped to the principal.user.attribute.labels[org_unit_path] UDM field:
|
actor.orgunitPath |
target.user.attribute.labels[org_unit_path] |
If the event.name log field value is equal to one of the following values, then the actor.orgunitPath log field is mapped to the target.user.attribute.labels[org_unit_path] UDM field:
|
actor.groupId |
principal.user.group_identifiers |
If the event.name log field value is not equal to one of the following values, then the actor.groupId log field is mapped to the principal.user.group_identifiers UDM field:
|
actor.groupId |
target.user.group_identifiers |
If the event.name log field value is equal to one of the following values, then the actor.groupId log field is mapped to the target.user.group_identifiers UDM field:
|
字段映射参考:WORKSPACE_ACTIVITY
下表列出了 WORKSPACE_ACTIVITY 日志类型的日志字段和
对应的 UDM 字段。
| Workspace application | Log field | UDM mapping | Logic |
|---|---|---|---|
access_transparency |
ACCESS_APPROVAL_REQUEST_IDS |
about.labels [access_approval_request_ids] (deprecated) |
|
access_transparency |
ACCESS_APPROVAL_REQUEST_IDS |
additional.fields [access_approval_request_ids] |
|
access_transparency |
ACCESS_MANAGEMENT_POLICY |
about.labels [access_management_policy] (deprecated) |
|
access_transparency |
ACCESS_MANAGEMENT_POLICY |
additional.fields [access_management_policy] |
|
access_transparency |
ACTOR_HOME_OFFICE |
principal.user.office_address.country_or_region |
If the event.name log field value is equal to ACCESS, then the ACTOR_HOME_OFFICE log field is mapped to the principal.user.office_address.country_or_region UDM field. |
access_transparency |
GSUITE_PRODUCT_NAME |
target.application |
If the event.name log field value is equal to ACCESS, then the GSUITE_PRODUCT_NAME log field is mapped to the target.application UDM field. |
access_transparency |
JUSTIFICATIONS |
about.labels [justifications] (deprecated) |
If the event.name log field value is equal to ACCESS, then the JUSTIFICATIONS log field is mapped to the about.labels UDM field. |
access_transparency |
JUSTIFICATIONS |
additional.fields [justifications] |
If the event.name log field value is equal to ACCESS, then the JUSTIFICATIONS log field is mapped to the additional.fields UDM field. |
access_transparency |
LOG_ID |
about.labels [logid] (deprecated) |
If the event.name log field value is equal to ACCESS, then the LOG_ID log field is mapped to the about.labels UDM field. |
access_transparency |
LOG_ID |
additional.fields [logid] |
If the event.name log field value is equal to ACCESS, then the LOG_ID log field is mapped to the additional.fields UDM field. |
access_transparency |
ON_BEHALF_OF |
about.labels [on_behalf_of] (deprecated) |
If the event.name log field value is equal to ACCESS, then the ON_BEHALF_OF log field is mapped to the about.labels UDM field. |
access_transparency |
ON_BEHALF_OF |
additional.fields [on_behalf_of] |
If the event.name log field value is equal to ACCESS, then the ON_BEHALF_OF log field is mapped to the additional.fields UDM field. |
access_transparency |
OWNER_EMAIL |
target.user.email_addresses |
If the event.name log field value is equal to ACCESS, then the OWNER_EMAIL log field is mapped to the target.user.email_addresses UDM field. |
access_transparency |
RESOURCE_NAME |
target.resource.name |
If the event.name log field value is equal to ACCESS, then the RESOURCE_NAME log field is mapped to the target.resource.name UDM field. |
access_transparency |
TICKETS |
about.labels [tickets] (deprecated) |
|
access_transparency |
TICKETS |
additional.fields [tickets] |
|
chrome |
DEVICE_NAME |
target.asset.attribute.labels [device_name] |
If the event.name log field value is equal to one of the following values, then the DEVICE_NAME log field is mapped to the target.asset.attribute.labels UDM field:
|
chrome |
DEVICE_PLATFORM |
target.asset.platform_software.platform |
If the DEVICE_PLATFORM log field value matches windows, then the target.asset.platform_software.platform UDM field is set to WINDOWS.If the DEVICE_PLATFORM log field value matches mac, then the target.asset.platform_software.platform UDM field is set to MAC.If the DEVICE_PLATFORM log field value matches linux, then the target.asset.platform_software.platform UDM field is set to LINUX.Else, the target.asset.platform_software.platform UDM field is set to UNKNOWN_PLATFORM. |
chrome |
DEVICE_USER |
principal.user.user_display_name |
If the event.name log field value is equal to LOGIN_EVENT, then the DEVICE_USER log field is mapped to the principal.user.user_display_name UDM field. |
chrome |
LOGIN_USER_NAME |
target.user.user_display_name |
If the event.name log field value is equal to LOGIN_EVENT, then the LOGIN_USER_NAME log field is mapped to the target.user.user_display_name UDM field. |
chrome |
DEVICE_USER |
target.user.user_display_name |
If the event.name log field value is equal to one of the following values, then the DEVICE_USER log field is mapped to the target.user.user_display_name UDM field:
If the event.name log field value is equal to LOGIN_EVENT, then the LOGIN_USER_NAME log field is mapped to the target.user.user_display_name UDM field. |
chrome |
PROFILE_USER_NAME |
target.user.attribute.labels [profile_user_name] |
If the event.name log field value is equal to one of the following values, then the PROFILE_USER_NAME log field is mapped to the target.user.attribute.labels UDM field:
|
chrome |
DIRECTORY_DEVICE_ID |
about.labels [directory_device_id] (deprecated) |
If the event.name log field value is equal to one of the following values, then the DIRECTORY_DEVICE_ID log field is mapped to the about.labels UDM field:
|
chrome |
DIRECTORY_DEVICE_ID |
additional.fields [directory_device_id] |
If the event.name log field value is equal to one of the following values, then the DIRECTORY_DEVICE_ID log field is mapped to the additional.fields UDM field:
|
chrome |
DEVICE_ID |
target.asset.asset_id |
If the event.name log field value is equal to one of the following values, then the DEVICE_ID log field is mapped to the target.asset.asset_id UDM field:
|
chrome |
VIRTUAL_DEVICE_ID |
about.labels [virtual_device_id] (deprecated) |
If the event.name log field value is equal to one of the following values, then the VIRTUAL_DEVICE_ID log field is mapped to the about.labels UDM field:
|
chrome |
VIRTUAL_DEVICE_ID |
additional.fields [virtual_device_id] |
If the event.name log field value is equal to one of the following values, then the VIRTUAL_DEVICE_ID log field is mapped to the additional.fields UDM field:
|
chrome |
EVENT_REASON |
security_result.summary |
If the event.name log field value is equal to one of the following values, then the EVENT_REASON log field is mapped to the security_result.summary UDM field:
|
chrome |
EVENT_RESULT |
security_result.action_details |
If the event.name log field value is equal to one of the following values, then the EVENT_RESULT log field is mapped to the security_result.action_details UDM field:
|
chrome |
security_result.action |
The security_result.action UDM field is set to ALLOW. | |
chrome |
TIMESTAMP |
about.labels [timestamp] (deprecated) |
If the event.name log field value is equal to one of the following values, then the TIMESTAMP log field is mapped to the about.labels UDM field:
|
chrome |
TIMESTAMP |
additional.fields [timestamp] |
If the event.name log field value is equal to one of the following values, then the TIMESTAMP log field is mapped to the additional.fields UDM field:
|
chrome |
BROWSER_VERSION |
target.resource.attribute.labels [browser_version] |
If the event.name log field value is equal to one of the following values, then the BROWSER_VERSION log field is mapped to the target.resource.attribute.labels UDM field:
|
chrome |
LOGIN_FAILURE_REASON |
security_result.description |
|
chrome |
USER_AGENT |
network.http.user_agent |
If the event.name log field value is equal to one of the following values, then the USER_AGENT log field is mapped to the network.http.user_agent UDM field:
|
chrome |
URL |
target.url |
If the event.name log field value is equal to one of the following values, then the URL log field is mapped to the about.url UDM field:
|
chrome |
SCAN_ID |
about.labels [scan_id] (deprecated) |
If the event.name log field value is equal to one of the following values, then the SCAN_ID log field is mapped to the about.labels UDM field:
|
chrome |
SCAN_ID |
additional.fields [scan_id] |
If the event.name log field value is equal to one of the following values, then the SCAN_ID log field is mapped to the additional.fields UDM field:
|
chrome |
REMOVE_USER_REASON |
security_result.detection_fields [remove_user_reason] |
If the event.name log field value is equal to CHROME_OS_REMOVE_USER, then the REMOVE_USER_REASON log field is mapped to the security_result.detection_fields UDM field. |
chrome |
NEW_BOOT_MODE |
target.asset.attribute.labels [new_boot_mode] |
|
chrome |
PREVIOUS_BOOT_MODE |
target.asset.attribute.labels [previous_boot_mode] |
|
chrome |
CLIENT_TYPE |
target.resource.attribute.labels [client_type] |
|
chrome |
TRIGGER_USER |
security_result.about.labels [trigger_user] (deprecated) |
|
chrome |
TRIGGER_USER |
additional.fields [trigger_user] |
|
chrome |
TRIGGER_DESTINATION |
security_result.about.labels [trigger_destination] (deprecated) |
|
chrome |
TRIGGER_DESTINATION |
additional.fields [trigger_destination] |
|
chrome |
TRIGGER_SOURCE |
security_result.about.labels [trigger_source] (deprecated) |
|
chrome |
TRIGGER_SOURCE |
additional.fields [trigger_source] |
|
chrome |
TRIGGER_TYPE |
security_result.about.labels [trigger_type] (deprecated) |
|
chrome |
TRIGGER_TYPE |
additional.fields [trigger_type] |
|
chrome |
TRIGGERED_RULES_REASON |
security_result.about.labels [triggered_rules_reason] (deprecated) |
|
chrome |
TRIGGERED_RULES_REASON |
additional.fields [triggered_rules_reason] |
|
chrome |
CONTENT_HASH |
about.labels [content_hash] (deprecated) |
|
chrome |
CONTENT_HASH |
additional.fields [content_hash] |
|
chrome |
CONTENT_NAME |
about.labels [content_name] (deprecated) |
|
chrome |
CONTENT_NAME |
additional.fields [content_name] |
|
chrome |
CONTENT_SIZE |
about.labels [content_size] (deprecated) |
|
chrome |
CONTENT_SIZE |
additional.fields [content_size] |
|
chrome |
CONTENT_TYPE |
about.labels [content_type] (deprecated) |
|
chrome |
CONTENT_TYPE |
additional.fields [content_type] |
|
chrome |
APP_NAME |
target.application |
If the event.name log field value is equal to one of the following values, then the APP_NAME log field is mapped to the target.application UDM field:
|
chrome |
PRODUCT_NAME |
target.application |
If the event.name log field value is equal to one of the following values, then the PRODUCT_NAME log field is mapped to the target.application UDM field:
Else, the PRODUCT_NAME log field is mapped to the target.labels UDM field. |
chrome |
PRODUCT_NAME |
target.labels [product_name] (deprecated) |
If the event.name log field value is equal to one of the following values, then the PRODUCT_NAME log field is mapped to the target.application UDM field:
Else, the PRODUCT_NAME log field is mapped to the target.labels UDM field. |
chrome |
PRODUCT_NAME |
additional.fields [product_name] |
If the event.name log field value is equal to one of the following values, then the PRODUCT_NAME log field is mapped to the target.application UDM field:
Else, the PRODUCT_NAME log field is mapped to the additional.fields UDM field. |
chrome |
ORG_UNIT_NAME |
about.labels [org_unit_name] (deprecated) |
If the event.name log field value is equal to EXTENSION_REQUEST, then the ORG_UNIT_NAME log field is mapped to the about.labels UDM field. |
chrome |
ORG_UNIT_NAME |
additional.fields [org_unit_name] |
If the event.name log field value is equal to EXTENSION_REQUEST, then the ORG_UNIT_NAME log field is mapped to the additional.fields UDM field. |
chrome |
USER_JUSTIFICATION |
principal.user.attribute.labels [user_justification] |
|
chrome |
FEDERATED_ORIGIN |
security_result.about.labels [federated_origin] (deprecated) |
|
chrome |
FEDERATED_ORIGIN |
additional.fields [federated_origin] |
|
chrome |
IS_FEDERATED |
security_result.about.labels [is_federated] (deprecated) |
|
chrome |
IS_FEDERATED |
additional.fields [is_federated] |
|
chrome |
EVIDENCE_LOCKER_FILEPATH |
security_result.about.labels [evidence_locker_filepath] (deprecated) |
|
chrome |
EVIDENCE_LOCKER_FILEPATH |
additional.fields [evidence_locker_filepath] |
|
| Google Chrome | CONNECTION_TYPE |
about.labels[connection_type] (deprecated) |
|
| Google Chrome | CONNECTION_TYPE |
additional.fields[connection_type] |
|
| Google Chrome | PREVIOUS_OS_VERSION |
target.asset.attribute.labels[previous_os_version] |
|
| Google Chrome | VENDOR_ID |
src.labels[vendor_id] (deprecated) |
|
| Google Chrome | VENDOR_ID |
additional.fields[vendor_id] |
|
| Google Chrome | LOCALIZED_URL_CATEGORY |
about.labels[localized_url_category] (deprecated) |
|
| Google Chrome | LOCALIZED_URL_CATEGORY |
additional.fields[localized_url_category] |
|
| Google Chrome | VENDOR_NAME |
src.labels[vendor_name] (deprecated) |
|
| Google Chrome | VENDOR_NAME |
additional.fields[vendor_name] |
|
| Google Chrome | SESSION_ID |
network.session_id |
|
| Google Chrome | APP_ID |
target.resource.product_object_id |
If the event.name log field value is equal to BROWSER_EXTENSION_INSTALL, then the APP_ID log field is mapped to the target.resource.product_object_id UDM field. |
| Google Chrome | CURRENT_OS_VERSION |
target.asset.platform_software.platform_version |
|
| Google Chrome | PRODUCT_ID |
target.resource.product_object_id |
If the events.name log field value contains one of the following values, then the PRODUCT_ID log field is mapped to the target.resource.product_object_id UDM field.
Else, the PRODUCT_ID log field is mapped to the target.labels UDM field. |
| Google Chrome | PRODUCT_ID |
target.labels[product_id] (deprecated) |
If the events.name log field value contains one of the following values, then the PRODUCT_ID log field is mapped to the target.resource.product_object_id UDM field.
Else, the PRODUCT_ID log field is mapped to the target.labels UDM field. |
| Google Chrome | PRODUCT_ID |
additional.fields[product_id] |
If the events.name log field value contains one of the following values, then the PRODUCT_ID log field is mapped to the target.resource.product_object_id UDM field.
Else, the PRODUCT_ID log field is mapped to the additional.fields UDM field. |
| Google Chrome | UNLOCK_TYPE |
target.labels[unlock_type] (deprecated) |
|
| Google Chrome | UNLOCK_TYPE |
additional.fields[unlock_type] |
|
| Google Chrome | REPORT_ID |
target.labels[report_id] (deprecated) |
|
| Google Chrome | REPORT_ID |
additional.fields[report_id] |
|
| Google Chrome | CHANNEL |
target.labels[channel] (deprecated) |
|
| Google Chrome | CHANNEL |
additional.fields[channel] |
|
| Google Chrome | TAB_URL |
additional.fields[tab_url] |
|
context_aware_access |
CAA_ACCESS_LEVEL_APPLIED |
security_result.about.labels [caa_access_level_applied] (deprecated) |
If the event.name log field value is equal to ACCESS_DENY_EVENT, then the CAA_ACCESS_LEVEL_APPLIED log field is mapped to the security_result.about.labels UDM field. |
context_aware_access |
CAA_ACCESS_LEVEL_APPLIED |
additional.fields [caa_access_level_applied] |
If the event.name log field value is equal to ACCESS_DENY_EVENT, then the CAA_ACCESS_LEVEL_APPLIED log field is mapped to the additional.fields UDM field. |
context_aware_access |
CAA_ACCESS_LEVEL_SATISFIED |
security_result.about.labels [caa_access_level_satisfied] (deprecated) |
If the event.name log field value is equal to ACCESS_DENY_EVENT, then the CAA_ACCESS_LEVEL_SATISFIED log field is mapped to the security_result.about.labels UDM field. |
context_aware_access |
CAA_ACCESS_LEVEL_SATISFIED |
additional.fields [caa_access_level_satisfied] |
If the event.name log field value is equal to ACCESS_DENY_EVENT, then the CAA_ACCESS_LEVEL_SATISFIED log field is mapped to the additional.fields UDM field. |
context_aware_access |
CAA_ACCESS_LEVEL_UNSATISFIED |
security_result.about.labels [caa_access_level_unsatisfied] (deprecated) |
If the event.name log field value is equal to ACCESS_DENY_EVENT, then the CAA_ACCESS_LEVEL_UNSATISFIED log field is mapped to the security_result.about.labels UDM field. |
context_aware_access |
CAA_ACCESS_LEVEL_UNSATISFIED |
additional.fields [caa_access_level_unsatisfied] |
If the event.name log field value is equal to ACCESS_DENY_EVENT, then the CAA_ACCESS_LEVEL_UNSATISFIED log field is mapped to the additional.fields UDM field. |
context_aware_access |
CAA_APPLICATION |
target.resource.name |
If the event.name log field value is equal to ACCESS_DENY_EVENT, then the CAA_APPLICATION log field is mapped to the target.resource.name UDM field. |
context_aware_access |
target.resource.resource_type |
If the event.name log field value is equal to DEVICE_SETTINGS_UPDATED_EVENT, then the target.resource.resource_type UDM field is set to SETTING.Else, the target.resource.resource_type UDM field is set to DEVICE. | |
context_aware_access |
CAA_DEVICE_ID |
principal.asset.asset_id |
If the event.name log field value is equal to ACCESS_DENY_EVENT, then the CAA_DEVICE_ID log field is mapped to the principal.asset.asset_id UDM field. |
context_aware_access |
CAA_DEVICE_STATE |
principal.labels [caa_device_state] (deprecated) |
If the event.name log field value is equal to ACCESS_DENY_EVENT, then the CAA_DEVICE_STATE log field is mapped to the principal.labels UDM field. |
context_aware_access |
CAA_DEVICE_STATE |
additional.fields [caa_device_state] |
If the event.name log field value is equal to ACCESS_DENY_EVENT, then the CAA_DEVICE_STATE log field is mapped to the additional.fields UDM field. |
context_aware_access |
BLOCKED_API_ACCESS |
additional.fields [blocked_api_access] |
|
gplus |
attachment_type |
target.resource.attribute.labels [attachment_type] |
If the event.name log field value is equal to one of the following values, then the attachment_type log field is mapped to the target.resource.attribute.labels UDM field:
|
gplus |
comment_resource_name |
target.resource.product_object_id |
If the event.name log field value is equal to one of the following values, then the comment_resource_name log field is mapped to the target.resource.product_object_id UDM field:
|
gplus |
post_resource_name |
target.resource_ancestors.product_object_id |
If the event.name log field value is equal to one of the following values, then the post_resource_name log field is mapped to the target.resource_ancestors.product_object_id UDM field:
|
gplus |
post_permalink |
target.resource_ancestors.attribute.labels [post_permalink] |
|
gplus |
post_visibility |
target.resource_ancestors.attribute.labels [post_visibility] |
|
gplus |
plusone_context |
target.resource_ancestors.attribute.labels [plusone_context] |
|
gplus |
post_author_name |
target.user.user_display_name |
If the event.name log field value is equal to content_manager_delete_post, then the post_resource_name log field is mapped to the target.user.user_display_name UDM field. |
data_studio |
ASSET_ID |
principal.resource.product_object_id |
If the ASSET_TYPE log field value is equal to DATA_SOURCE, then the ASSET_ID log field is mapped to the principal.resource.product_object_id UDM field.Else, the ASSET_ID log field is mapped to the target.resource.product_object_id UDM field. |
data_studio |
ASSET_NAME |
principal.resource.name |
If the ASSET_TYPE log field value is equal to DATA_SOURCE, then the ASSET_NAME log field is mapped to the principal.resource.name UDM field.Else, the ASSET_NAME log field is mapped to the target.resource.name UDM field. |
data_studio |
ASSET_TYPE |
principal.resource.resource_subtype |
If the ASSET_TYPE log field value is equal to DATA_SOURCE, then the ASSET_TYPE log field is mapped to the principal.resource.resource_subtype UDM field.Else, the ASSET_TYPE log field is mapped to the target.resource.resource_subtype UDM field. |
data_studio |
ASSET_ID |
target.resource.product_object_id |
If the ASSET_TYPE log field value is equal to DATA_SOURCE, then the ASSET_ID log field is mapped to the principal.resource.product_object_id UDM field.Else, the ASSET_ID log field is mapped to the target.resource.product_object_id UDM field. |
data_studio |
ASSET_NAME |
target.resource.name |
If the ASSET_TYPE log field value is equal to DATA_SOURCE, then the ASSET_NAME log field is mapped to the principal.resource.name UDM field.Else, the ASSET_NAME log field is mapped to the target.resource.name UDM field. |
data_studio |
ASSET_TYPE |
target.resource.resource_subtype |
If the ASSET_TYPE log field value is equal to DATA_SOURCE, then the ASSET_TYPE log field is mapped to the principal.resource.resource_subtype UDM field.Else, the ASSET_TYPE log field is mapped to the target.resource.resource_subtype UDM field. |
data_studio |
CONNECTOR_TYPE |
target.resource.attribute.labels[connector_type] |
|
data_studio |
EMBEDDED_IN_REPORT_ID |
target.resource.attribute.labels[embedded_in_report_id] |
|
data_studio |
OWNER_EMAIL |
principal.user.email_addresses |
If the actor.email log field value is not equal to the OWNER_EMAIL, then the OWNER_EMAIL log field is mapped to the principal.user.email_addresses UDM field. |
data_studio |
TARGET_USER_EMAIL |
target.user.email_addresses |
|
data_studio |
PRIOR_VISIBILITY |
target.resource.attribute.labels [prior_visibility] |
|
data_studio |
VISIBILITY |
target.resource.attribute.labels [visibility] |
|
data_studio |
NEW_VALUE |
target.resource.attribute.labels [new_value] |
|
data_studio |
OLD_VALUE |
target.resource.attribute.labels [old_value] |
|
data_studio |
TARGET_DOMAIN |
target.domain.name [ target_domain] |
|
data_studio |
DATA_EXPORT_TYPE |
target.resource.attribute.labels [data_export_type] |
|
mobile |
target.resource.resource_type |
The target.resource.resource_type UDM field is set to DEVICE. | |
mobile |
ACCOUNT_STATE |
target.resource.attribute.labels [account_state] |
|
mobile |
ACTION_EXECUTION_STATUS |
target.resource.attribute.labels [account_execution_status] |
|
mobile |
ACTION_ID |
target.resource.attribute.labels [action_id] |
|
mobile |
ACTION_TYPE |
target.resource.attribute.labels [action_type] |
|
mobile |
APK_SHA256_HASH |
target.resource.attribute.labels [apk_sha256_hash] |
|
mobile |
APPLICATION_ID |
target.resource.attribute.labels [application_id] |
|
mobile |
APPLICATION_MESSAGE |
target.resource.attribute.labels [application_message] |
|
mobile |
APPLICATION_REPORT_KEY |
target.resource.attribute.labels [application_report_key] |
|
mobile |
APPLICATION_REPORT_SEVERITY |
target.resource.attribute.labels [application_report_severity] |
|
mobile |
APPLICATION_STATE |
target.resource.attribute.labels [application_state] |
|
mobile |
APPLICATION_REPORT_TIMESTAMP |
target.resource.attribute.labels [application_report_timestamp] |
|
mobile |
BASIC_INTEGRITY |
target.resource.attribute.labels [basic_integrity] |
|
mobile |
CTS_PROFILE_MATCH |
target.resource.attribute.labels [cts_profile_match] |
|
mobile |
DEVICE_COMPLIANCE |
target.resource.attribute.labels [device_compliance] |
|
mobile |
DEVICE_COMPROMISED_STATE |
about.target.resource.attribute.labels [device_compromised_state] |
|
mobile |
DEVICE_DEACTIVATION_REASON |
target.resource.attribute.labels [device_deactivation_reason] |
|
mobile |
DEVICE_ID |
target.resource.product_object_id |
If the event.name log field value is equal to one of the following values, then the DEVICE_ID log field is mapped to the target.resource.product_object_id UDM field:
|
mobile |
NEW_DEVICE_ID |
target.resource.attribute.labels [new_device_id] |
If the NEW_DEVICE_ID log field value is not empty, then the NEW_DEVICE_ID log field is mapped to the target.resource.product_object_id UDM field. |
mobile |
DEVICE_MODEL |
target.resource.attribute.labels [device_model] |
|
mobile |
DEVICE_OWNERSHIP |
target.resource.attribute.labels [device_ownership] |
|
mobile |
DEVICE_PROPERTY |
target.resource.attribute.labels [device_property] |
|
mobile |
DEVICE_SETTING |
target.resource.attribute.labels [device_setting] |
|
mobile |
DEVICE_STATUS_ON_APPLE_PORTAL |
target.resource.attribute.labels [device_status_on_apple_portal] |
|
mobile |
DEVICE_TYPE |
target.resource.resource_subtype |
If the event.name log field value is equal to one of the following values, then the DEVICE_TYPE log field is mapped to the target.resource.resource_subtype UDM field:
|
mobile |
FAILED_PASSWD_ATTEMPTS |
target.resource.attribute.labels [failed_passwd_attempts] |
|
mobile |
IOS_VENDOR_ID |
target.resource.attribute.labels [ios_vendor_id] |
|
mobile |
NEW_VALUE |
target.resource.attribute.labels [new_value] |
|
mobile |
OLD_VALUE |
target.resource.attribute.labels [old_value] |
|
mobile |
OS_EDITION |
target.resource.attribute.labels [os_edition] |
|
mobile |
OS_PROPERTY |
target.resource.attribute.labels [os_property] |
|
mobile |
OS_VERSION |
target.resource.attribute.labels [os_version] |
|
mobile |
PHA_CATEGORY |
security_results.detection_fields |
|
mobile |
POLICY_NAME |
security_result.about.labels [policy_name] (deprecated) |
|
mobile |
POLICY_NAME |
additional.fields [policy_name] |
|
mobile |
POLICY_SYNC_RESULT |
security_result.about.labels [policy_sync_result] (deprecated) |
|
mobile |
POLICY_SYNC_RESULT |
additional.fields [policy_sync_result] |
|
mobile |
POLICY_SYNC_TYPE |
security_result.about.labels [policy_sync_type] (deprecated) |
|
mobile |
POLICY_SYNC_TYPE |
additional.fields [policy_sync_type] |
|
mobile |
RESOURCE_ID |
target.resource.attribute.labels |
If the event.name log field value is equal to one of the following values, then the RESOURCE_ID log field is mapped to the target.resource.attribute.labels UDM field:
|
mobile |
REGISTER_PRIVILEGE |
security_result.about.labels [register_privilege] (deprecated) |
|
mobile |
REGISTER_PRIVILEGE |
additional.fields |
|
mobile |
RISK_SIGNAL |
security_result.about.labels [risk_signal] (deprecated) |
|
mobile |
RISK_SIGNAL |
additional.fields [risk_signal] |
|
mobile |
SECURITY_EVENT_ID |
security_result.about.labels [security_event_id] (deprecated) |
If the event.name log field value is equal to APPLICATION_EVENT, then the SECURITY_EVENT_ID log field is mapped to the security_result.about.labels UDM field. |
mobile |
SECURITY_EVENT_ID |
additional.fields |
If the event.name log field value is equal to APPLICATION_EVENT, then the SECURITY_EVENT_ID log field is mapped to the additional.fields UDM field. |
mobile |
SECURITY_PATCH_LEVEL |
security_result.about.labels [security_patch_level] (deprecated) |
If the event.name log field value is equal to one of the following values, then the SECURITY_PATCH_LEVEL log field is mapped to the security_result.about.labels UDM field:
|
mobile |
SECURITY_PATCH_LEVEL |
additional.fields [security_patch_level] |
If the event.name log field value is equal to one of the following values, then the SECURITY_PATCH_LEVEL log field is mapped to the additional.fields UDM field:
|
mobile |
SERIAL_NUMBER |
target.resource.attribute.labels [serial_number] |
|
mobile |
USER_EMAIL |
target.user.email_addresses |
If the event.name log field value is equal to one of the following values, then the USER_EMAIL log field is mapped to the target.user.email_addresses UDM field:
|
mobile |
VALUE |
security_result.about.labels [value] (deprecated) |
|
mobile |
VALUE |
additional.fields [value] |
|
mobile |
WINDOWS_SYNCML_POLICY_STATUS_CODE |
security_result.about.labels [windows_syncml_policy_status_code] (deprecated) |
|
mobile |
WINDOWS_SYNCML_POLICY_STATUS_CODE |
additional.fields [windows_syncml_policy_status_code] |
|
mobile |
LAST_SYNC_AUDIT_DATE |
target.resource.attribute.labels[LAST_SYNC_AUDIT_DATE] |
|
groups_enterprise |
dynamic_group_query |
target.group.attribute.labels [dynamic_group_query] |
|
groups_enterprise |
group_id |
target.user.group_identifiers |
If the event.name log field value is equal to one of the following values, then the group_id log field is mapped to the target.user.group_identifiers UDM field:
|
groups_enterprise |
info_setting |
target.group.attribute.labels [info_setting] |
|
groups_enterprise |
member_id |
target.user.email_addresses |
If the event.name log field value is equal to one of the following values, then the member_id log field is mapped to the target.user.email_addresses UDM field:
|
groups_enterprise |
member_role |
target.user.attribute.roles.name |
If the event.name log field value is equal to one of the following values, then the member_role log field is mapped to the target.user.attribute.roles.name UDM field:
|
groups_enterprise |
member_type |
target.user.attribute.labels[member_type] |
|
groups_enterprise |
membership_expiry |
target.group.attribute.labels [membership_query] |
|
groups_enterprise |
namespace |
target.group.group_display_name |
|
groups_enterprise |
new_value |
target.group.attribute.labels [new_value] |
|
groups_enterprise |
old_value |
target.group.attribute.labels [old_value] |
|
groups_enterprise |
value |
target.group.attribute.labels [value] |
|
groups_enterprise |
security_setting |
target.group.attribute.labels [security_setting] |
|
calendar |
access_level |
security_result.about.labels [access_level] (deprecated) |
|
calendar |
access_level |
additional.fields [access_level] |
|
calendar |
api_kind |
target.resource.attribute.labels [api_kind] |
|
calendar |
calendar_country |
target.resource.attribute.labels [calendar_country] |
If the event.name log field value is equal to change_calendar_country, then the calendar_country log field is mapped to the target.resource.attribute.labels UDM field. |
calendar |
calendar_description |
target.resource.attribute.labels [calendar_description] |
|
calendar |
calendar_id |
target.resource.product_object_id |
If the event.name log field value is equal to one of the following values, then the calendar_id log field is mapped to the target.resource.product_object_id UDM field:
transfer_event_requestedtransfer_event_completed |
calendar |
calendar_location |
target.resource.attribute.labels [calendar_location] |
|
calendar |
calendar_timezone |
target.resource.attribute.labels [calendar_timezone] |
|
calendar |
calendar_title |
target.resource.name |
If the event.name log field value is equal to change_calendar_title, then the calendar_title log field is mapped to the target.resource.name UDM field. |
calendar |
end_time |
target.resource.attribute.labels [end_time] |
|
calendar |
start_time |
target.resource.attribute.labels [start_time] |
|
calendar |
event_guest |
target.labels [event_guest] (deprecated) |
|
calendar |
event_guest |
additional.fields [event_guest] |
|
calendar |
event_id |
target.resource.attribute.labels [event_id] |
If the event.name log field value is equal to one of the following values, then the event_id log field is mapped to the target.resource.attribute.labels UDM field:
|
calendar |
event_response_status |
target.resource.attribute.labels [event_response_status] |
|
calendar |
event_title |
target.resource.attribute.labels [event_title] |
If the event.name log field value is equal to one of the following values, then the event_title log field is mapped to the target.resource.attribute.labels UDM field:
|
calendar |
old_event_title |
target.resource.attribute.labels [old_event_title] |
|
calendar |
grantee_email |
target.user.email_addresses |
If the event.name log field value is equal to one of the following values, then the grantee_email log field is mapped to the target.user.email_addresses UDM field:
|
calendar |
interop_error_code |
security_result.action_details |
If the event.name log field value is equal to one of the following values, then the interop_error_code log field is mapped to the security_result.action_details UDM field:
|
calendar |
notification_message_id |
target.resource.attribute.labels [notification_message_id] |
If the event.name log field value is equal to one of the following values, then the notification_message_id log field is mapped to the target.resource.attribute.labels UDM field:
|
calendar |
notification_method |
target.resource.attribute.labels [notification_method] |
If the event.name log field value is equal to one of the following values, then the notification_method log field is mapped to the target.resource.attribute.labels UDM field:
|
calendar |
notification_type |
target.resource.resource_subtype |
If the event.name log field value is equal to one of the following values, then the notification_type log field is mapped to the target.resource.resource_subtype UDM field:
|
calendar |
organizer_calendar_id |
principal.user.attribute.labels[organizer_calendar_id] |
If the event.name log field value is equal to one of the following values, then the organizer_calendar_id log field is mapped to the principal.user.attribute.labels[organizer_calendar_id] UDM field:
|
calendar |
recipient_email |
principal.user.email_addresses |
If the event.name log field value is equal to one of the following values, then the recipient_email log field is mapped to the principal.user.email_addresses UDM field:
|
calendar |
remote_ews_url |
security_result.about.labels [remote_ews_url] (deprecated) |
|
calendar |
remote_ews_url |
additional.fields [remote_ews_url] |
|
calendar |
requested_period_end |
security_result.about.labels [requested_period_end] (deprecated) |
|
calendar |
requested_period_end |
additional.fields [requested_period_end] |
|
calendar |
requested_period_start |
security_result.about.labels [requested_period_start] (deprecated) |
|
calendar |
requested_period_start |
additional.fields [requested_period_start] |
|
calendar |
subscriber_calendar_id |
principal.user.attribute.labels[subscriber_calendar_id] |
|
calendar |
user_agent |
network.http.user_agent |
|
calendar |
target_calendar_id |
target.resource.attribute.labels [target_calendar_id] |
|
calendar |
user_agent |
network.http.user_agent |
|
calendar |
target_calendar_id |
target.resource.attribute.labels [target_calendar_id] |
|
calendar |
client_side_encrypted |
target.resource.attribute.labels [client_side_encrypted] |
|
calendar |
is_recurring |
target.resource.attribute.labels [is_recurring] |
|
calendar |
recurring |
target.resource.attribute.labels [recurring] |
|
chat |
actor |
principal.user.email_addresses |
The event.name log field is mapped to the principal.user.email_addresses UDM field if the following conditions are met:
|
chat |
attachment_hash |
target.file.sha256 |
If the event.name log field value is equal to one of the following values, then the attachment_hash log field is mapped to the target.file.sha256 UDM field:
|
chat |
attachment_name |
target.file.names |
If the event.name log field value is equal to one of the following values, then the attachment_name log field is mapped to the target.file.names UDM field:
|
chat |
attachment_url |
target.file.full_path |
If the event.name log field value is equal to attachment_download, then the attachment_url log field is mapped to the target.file.full_path UDM field. |
chat |
dlp_scan_status |
security_result.action_details |
If the event.name log field value is equal to one of the following values, then the dlp_scan_status log field is mapped to the security_result.action_details UDM field:
|
chat |
message_id |
target.resource.product_object_id |
If the event.name log field value is equal to one of the following values, then the message_id log field is mapped to the target.resource.product_object_id UDM field:
|
chat |
conference_id |
target.resource.product_object_id |
If the event.name log field value is equal to one of the following values, then the message_id log field is mapped to the target.resource.product_object_id UDM field:
|
chat |
target.resource.resource_subtype |
If the event.name log field value is equal to one of the following values, then the target.resource.resource_subtype UDM field is set to Google Chat - Message:
| |
chat |
report_type |
target.resource.attribute.labels [report_type] |
|
chat |
room_id |
target.group.product_object_id |
If the event.name log field value is equal to one of the following values, then the room_id log field is mapped to the target.group.product_object_id UDM field:
|
chat |
dm_id |
about.labels [dm_id] (deprecated) |
If the event.name log field value is equal to direct_message_started, then the about.labels UDM field is set to dm_id. |
chat |
dm_id |
additional.fields [dm_id] |
If the event.name log field value is equal to direct_message_started, then the additional.fields UDM field is set to dm_id. |
chat |
target_users |
target.user.email_addresses |
If the event.name log field value is equal to one of the following values, then the target_users log field is mapped to the target.user.email_addresses UDM field:
|
chat |
retention_state |
target.user.attribute.labels[retention_state] |
|
chat |
room_name |
target.group.group_display_name |
|
chat |
timestamp_ms |
target.resource.attribute.labels [timestamp_ms] |
|
chat |
external_room |
about.labels[external_room] (deprecated) |
|
chat |
external_room |
additional.fields[external_room] |
|
chat |
device_type |
principal.asset.attribute.labels [device_type] |
|
chat |
identifier_type |
principal.user.attribute.labels [identifier_type] |
|
chat |
location_region |
principal.user.attribute.labels [location_region] |
|
chat |
identifier |
principal.user.userid |
|
chat |
display_name |
principal.user.user_display_name |
|
chat |
location_country |
principal.location.country_or_region |
|
chat |
product_type |
principal.resource.resource_subtype |
|
chat |
ip_address |
target.ip |
|
chat |
target_user_count |
target.user.attribute.labels[target_user_count] |
|
chat |
duration_seconds |
target.resource.attribute.labels [duration_seconds] |
|
chat |
meeting_code |
target.resource.attribute.labels[meeting_code] |
|
chat |
organizer_email |
about.user.email_addresses |
|
chat |
network_estimated_upload_kbps_mean |
additional.fields [network_estimated_upload_kbps_mean] |
|
chat |
video_recv_fps_mean |
additional.fields [video_recv_fps_mean] |
|
chat |
screencast_send_fps_mean |
additional.fields [screencast_send_fps_mean] |
|
chat |
audio_recv_packet_loss_max |
additional.fields [audio_recv_packet_loss_max] |
|
chat |
video_send_long_side_median_pixels |
additional.fields [video_send_long_side_median_pixels] |
|
chat |
screencast_recv_packet_loss_mean |
additional.fields [screencast_recv_packet_loss_mean] |
|
chat |
video_recv_packet_loss_mean |
additional.fields [video_recv_packet_loss_mean] |
|
chat |
video_recv_long_side_median_pixels |
additional.fields [video_recv_long_side_median_pixels] |
|
chat |
video_send_packet_loss_mean |
additional.fields [video_send_packet_loss_mean] |
|
chat |
audio_send_packet_loss_max |
additional.fields [audio_send_packet_loss_max] |
|
chat |
video_recv_short_side_median_pixels |
additional.fields [video_recv_short_side_median_pixels] |
|
chat |
screencast_recv_bitrate_kbps_mean |
additional.fields [screencast_recv_bitrate_kbps_mean] |
|
chat |
calendar_event_id |
additional.fields [calendar_event_id] |
|
video_send_fps_mean |
additional.fields [video_send_fps_mean] |
target |
|
chat |
audio_recv_packet_loss_mean |
additional.fields [audio_recv_packet_loss_mean] |
|
chat |
video_recv_seconds |
additional.fields [video_recv_seconds] |
|
chat |
video_send_packet_loss_max |
additional.fields [video_send_packet_loss_max] |
|
chat |
network_recv_jitter_msec_max |
additional.fields [network_recv_jitter_msec_max] |
|
chat |
network_recv_jitter_msec_mean |
additional.fields [network_recv_jitter_msec_mean] |
|
chat |
audio_send_seconds |
additional.fields [audio_send_seconds] |
|
chat |
screencast_send_long_side_median_pixels |
additional.fields [screencast_send_long_side_median_pixels] |
|
chat |
screencast_recv_seconds |
additional.fields [screencast_recv_seconds] |
|
chat |
screencast_recv_long_side_median_pixels |
additional.fields [screencast_recv_long_side_median_pixels] |
|
chat |
screencast_send_bitrate_kbps_mean |
additional.fields [screencast_send_bitrate_kbps_mean] |
|
chat |
screencast_send_packet_loss_max |
additional.fields [screencast_send_packet_loss_max] |
|
chat |
video_send_bitrate_kbps_mean |
additional.fields [video_send_bitrate_kbps_mean] |
|
chat |
screencast_send_seconds |
additional.fields [screencast_send_seconds] |
|
chat |
audio_send_bitrate_kbps_mean |
additional.fields [audio_send_bitrate_kbps_mean] |
|
chat |
screencast_recv_fps_mean |
additional.fields [screencast_recv_fps_mean] |
|
chat |
audio_recv_seconds |
additional.fields [audio_recv_seconds] |
|
chat |
video_recv_packet_loss_max |
additional.fields [video_recv_packet_loss_max] |
|
chat |
screencast_send_packet_loss_mean |
additional.fields [screencast_send_packet_loss_mean] |
|
chat |
network_transport_protocol |
additional.fields [network_transport_protocol] |
|
chat |
screencast_recv_short_side_median_pixels |
additional.fields [screencast_recv_short_side_median_pixels] |
|
chat |
screencast_send_short_side_median_pixels |
additional.fields [screencast_send_short_side_median_pixels] |
|
chat |
screencast_recv_packet_loss_max |
additional.fields [screencast_recv_packet_loss_max] |
|
chat |
is_external |
additional.fields [is_external] |
|
chat |
video_send_short_side_median_pixels |
additional.fields [video_send_short_side_median_pixels] |
|
chat |
endpoint_id |
additional.fields [endpoint_id] |
|
chat |
network_estimated_download_kbps_mean |
additional.fields [network_estimated_download_kbps_mean] |
|
chat |
network_send_jitter_msec_mean |
additional.fields [network_send_jitter_msec_mean] |
|
chat |
video_send_seconds |
additional.fields [video_send_seconds] |
|
chat |
network_rtt_msec_mean |
additional.fields [network_rtt_msec_mean] |
|
chat |
network_congestion |
additional.fields [network_congestion] |
|
chat |
audio_send_packet_loss_mean |
additional.fields [audio_send_packet_loss_mean] |
|
chat |
action_time |
additional.fields [action_time] |
|
gcp |
USER_EMAIL |
principal.user.email_addresses |
If the actor.email log field value is empty, then the USER_EMAIL log field is mapped to the principal.user.email_addresses UDM field. |
drive |
actor_is_collaborator_account |
about.labels [actor_is_collaborator_account] (deprecated) |
|
drive |
actor_is_collaborator_account |
additional.fields [actor_is_collaborator_account] |
|
drive |
added_role |
target.user.attribute.roles.name |
If the event.name log field value is equal to shared_drive_membership_change, then the added_role log field is mapped to the target.user.attribute.roles.name UDM field. |
drive |
requested_role |
target.user.attribute.roles.name |
If the event.name log field value is equal to request_access, then the requested_role log field is mapped to the target.user.attribute.roles.name UDM field. |
drive |
billable |
about.labels [billable] (deprecated) |
|
drive |
billable |
additional.fields [billable] |
|
drive |
copy_type |
about.labels [copy_type] (deprecated) |
|
drive |
copy_type |
additional.fields [copy_type] |
|
drive |
destination_folder_id |
target.resource.product_object_id |
If the event.name log field value is equal to one of the following values, then the destination_folder_id log field is mapped to the target.resource.product_object_id UDM field:
|
drive |
doc_id |
target.resource.product_object_id |
If the event.name log field value is equal to one of the following values, then the doc_id log field is mapped to the target.resource.product_object_id UDM field:
|
drive |
destination_folder_title |
target.resource.name |
If the event.name log field value is equal to one of the following values, then the destination_folder_title log field is mapped to the target.resource.name UDM field:
|
drive |
doc_title |
target.resource.name |
If the event.name log field value is equal to one of the following values, then the doc_title log field is mapped to the target.resource.name UDM field:
|
drive |
doc_id |
src.resource.product_object_id |
If the event.name log field value is equal to one of the following values, then the doc_id log field is mapped to the src.resource.product_object_id UDM field:
|
drive |
doc_title |
src.resource.name |
If the event.name log field value is equal to one of the following values, then the doc_title log field is mapped to the src.resource.name UDM field:
|
drive |
doc_type |
target.resource.attribute.labels[doc_type] |
If the event.name log field value is equal to one of the following values, then the doc_type log field is mapped to the target.resource.attribute.labels[doc_type] UDM field:
|
drive |
doc_type |
src.resource.attribute.labels [doc_type] |
If the event.name log field value is equal to one of the following values, then the doc_type log field is mapped to the src.resource.attribute.labels [doc_type] UDM field:
|
drive |
field |
target.resource.attribute.labels [field] |
|
drive |
field_id |
target.resource.attribute.labels [field_id] |
|
drive |
is_encrypted |
target.labels [is_encrypted] (deprecated) |
|
drive |
is_encrypted |
additional.fields [is_encrypted] |
|
drive |
label |
target.resource.attribute.labels [label] |
|
drive |
label_title |
target.resource.attribute.labels [label_title] |
|
drive |
membership_change_type |
about.labels [membership_change_type] (deprecated) |
|
drive |
membership_change_type |
additional.fields [membership_change_type] |
|
drive |
new_publish_visibility |
target.resource.attribute.labels [new_publish_visibility] |
|
drive |
new_value |
target.resource.attribute.labels [new_value] |
|
drive |
new_value_id |
target.resource.attribute.labels [new_value_id] |
|
drive |
new_settings_state |
about.labels [new_settings_state] (deprecated) |
|
drive |
new_settings_state |
additional.fields [new_settings_state] |
|
drive |
old_settings_state |
about.labels [old_settings_state] (deprecated) |
|
drive |
old_settings_state |
additional.fields [old_settings_state] |
|
drive |
old_publish_visibility |
target.resource.attribute.labels [old_publish_visibility] |
|
drive |
old_value |
target.resource.attribute.labels [old_value] |
|
drive |
old_value_id |
target.resource.attribute.labels [old_value_id] |
|
drive |
old_visibility |
target.resource.attribute.labels [old_visibility] |
|
drive |
originating_app_id |
about.labels [originating_app_id] (deprecated) |
|
drive |
originating_app_id |
additional.fields [originating_app_id] |
|
drive |
owner |
target.resource.attribute.labels[owner] |
|
drive |
owner_is_shared_drive |
target.resource.attribute.labels [owner_is_shared_drive] |
|
drive |
primary_event |
about.labels [primary_event] (deprecated) |
|
drive |
primary_event |
additional.fields [primary_event] |
|
drive |
reason |
security_result.summary |
If the event.name log field value is equal to one of the following values, then the reason log field is mapped to the security_result.summary UDM field:
|
drive |
removed_role |
target.user.attribute.labels [removed_role] and target.user.roles.description |
If the removed_role log field value is equal to commenter,
then the target.user.roles.description UDM field is set to Team Drive role Commenter.
If the removed_role log field value is equal to content_manager,
then the target.user.roles.description UDM field is set to Team Drive role Content manager.
If the removed_role log field value is equal to editor,
then the target.user.roles.description UDM field is set to Team Drive role Contributor.
If the removed_role log field value is equal to none,
then the target.user.roles.description UDM field is set to No role in Team Drive.
If the removed_role log field value is equal to organizer,
then the target.user.roles.description UDM field is set to Team Drive role Manager.
If the removed_role log field value is equal to viewer,
then the target.user.roles.description UDM field is set to Team Drive role Viewer. |
drive |
target_domain |
target.domain.name |
If the event.name log field value is equal to one of the following values, then the target_domain log field is mapped to the target.domain.name UDM field:
|
drive |
target_user |
target.user.email_addresses |
If the event.name log field value is equal to one of the following values, then the target_user log field is mapped to the target.user.email_addresses UDM field:
|
drive |
target_user |
additional.fields[target_user] |
|
drive |
new_owner |
target.user.email_addresses |
The new_owner log field is mapped to the target.user.email_addresses UDM field if the following conditions are met:
Else, the new_owner log field is mapped to the target.user.attribute.labels UDM field. |
drive |
target |
target.user.email_addresses |
If the event.name log field value matches the regular expression pattern ^.+@.+$, then the target log field is mapped to the target.user.email_addresses UDM field. |
drive |
target |
target.user.attribute.labels[target] |
If the event.name log field value does not match the regular expression pattern ^.+@.+$, then the target log field is mapped to the target.user.attribute.labels[target] UDM field. |
drive |
recipients |
target.user.email_addresses |
If the event.name log field value is equal to email_collaborators, then the recipients log field is mapped to the target.user.email_addresses UDM field. |
drive |
shared_drive_id |
target.resource_ancestors.product_object_id |
|
drive |
shared_drive_settings_change_type |
about.labels [shared_drive_settings_change_type] (deprecated) |
|
drive |
shared_drive_settings_change_type |
additional.fields [shared_drive_settings_change_type] |
|
drive |
sheets_import_range_recipient_doc |
target.resource.attribute.labels [sheets_import_range_recipient_doc] |
|
drive |
source_folder_id |
principal.resource.id |
If the event.name log field value is equal to one of the following values, then the source_folder_id log field is mapped to the principal.resource.id UDM field:
|
drive |
source_folder_title |
principal.resource.name |
If the event.name log field value is equal to one of the following values, then the source_folder_title log field is mapped to the principal.resource.name UDM field:
|
drive |
storage_entity_id |
about.labels [storage_entity_id] (deprecated) |
|
drive |
storage_entity_id |
additional.fields [storage_entity_id] |
|
drive |
storage_usage_in_bytes |
about.labels [storage_usage_in_bytes] (deprecated) |
|
drive |
storage_usage_in_bytes |
additional.fields [storage_usage_in_bytes] |
|
drive |
visibility |
target.resource.attribute.labels [visibility] |
|
drive |
visibility_change |
target.resource.attribute.labels [visibility_change] |
|
drive |
team_drive_id |
target.group.product_object_id |
|
drive |
owner_is_team_drive |
target.resource.attribute.labels [owner_is_team_drive] |
|
drive |
data_connection_id |
about.labels[data_connection_id] (deprecated) |
|
drive |
data_connection_id |
additional.fields[data_connection_id] |
|
drive |
delegating_principal |
about.user.email_addresses |
If the actor.email log field value is not equal to delegating_principal,
then the delegating_principal log field is mapped to about.user.email_addresses UDM field. |
drive |
execution_id |
about.labels[execution_id] (deprecated) |
|
drive |
execution_id |
additional.fields[execution_id] |
|
drive |
execution_trigger |
about.labels[execution_trigger] (deprecated) |
|
drive |
execution_trigger |
additional.fields[execution_trigger] |
|
drive |
query_type |
about.labels[query_type] (deprecated) |
|
drive |
query_type |
additional.fields[query_type] |
|
drive |
owner_team_drive_id |
target.resource.attribute.labels[owner_team_drive_id] |
|
drive |
new_owner_is_team_drive |
target.resource.attribute.labels [new_owner_is_team_drive] |
|
drive |
new_owner_team_drive_id |
target.resource.attribute.labels[new_owner_team_drive_id] |
|
drive |
owner_shared_drive_id |
target.resource.attribute.labels[owner_shared_drive_id] |
|
drive |
dlp_info |
target.resource.attribute.labels[dlp_info] |
|
drive |
team_drive_settings_change_type |
target.resource.attribute.labels[team_drive_settings_change_type] |
|
drive |
accessed_url |
target.url |
|
drive |
script_id |
additional.fields[script_id] |
|
drive |
additional.fields[script_id] |
additional.fields[api_method] |
|
keep |
attachment_name |
target.resource.attribute.labels [attachment_name] |
If the event.name log field value is equal to one of the following values, then the attachment_name log field is mapped to the target.resource.attribute.labels UDM field:
|
keep |
note_name |
target.url |
If the event.name log field value is equal to one of the following values, then the note_name log field is mapped to the target.url UDM field:
|
keep |
owner_email |
principal.user.email_addresses |
If the actor.email log field value is empty, then the owner_email log field is mapped to the principal.user.email_addresses UDM field. |
keep |
target.resource_subtype |
The target.resource_subtype UDM field is set to keep. | |
meet |
action_description |
security_result.action_details |
If the event.name log field value is equal to abuse_report_submitted, then the action_description log field is mapped to the security_result.action_details UDM field. |
meet |
action_reason |
security_result.summary |
|
meet |
conference_id |
target.resource.product_object_id |
If the event.name log field value is equal to one of the following values, then the conference_id log field is mapped to the target.resource.product_object_id UDM field:
|
meet |
calendar_event_id |
target.labels [calendar_event_id] (deprecated) |
|
meet |
calendar_event_id |
additional.fields [calendar_event_id] |
|
meet |
device_type |
principal.asset.attribute.labels [device_type] |
|
meet |
display_name |
principal.user.user_display_name |
If the event.name log field value is equal to one of the following values, then the display_name log field is mapped to the principal.user.user_display_name UDM field:
|
meet |
target_display_names |
target.user.user_display_name |
If the event.name log field value is equal to abuse_report_submitted, then the target_display_name log field is mapped to the target.user.user_display_name UDM field. |
meet |
duration_seconds |
target.resource.attribute.labels [duration_seconds] |
|
meet |
end_of_call_rating |
target.resource.attribute.labels [end_of_call_rating] |
|
meet |
endpoint_id |
security_result.about.labels [endpoint_id] (deprecated) |
|
meet |
endpoint_id |
additional.fields [endpoint_id] |
|
meet |
identifier |
principal.user.userid |
If the event.name log field value is equal to one of the following values, then the identifier log field is mapped to the principal.user.userid UDM field:
|
meet |
identifier_type |
principal.user.attribute.labels [identifier_type] |
|
meet |
ip_address |
target.ip |
If the ipAddress log field value is empty, then the ip_address log field is mapped to the target.ip UDM field. |
meet |
is_external |
principal.labels [is_external] (deprecated) |
|
meet |
is_external |
additional.fields [is_external] |
|
meet |
livestream_view_page_id |
target.resource.attribute.labels [livestream_view_page_id] |
|
meet |
location_country |
principal.location.country_or_region |
If the event.name log field value is equal to call_ended, then the location_country log field is mapped to the principal.location.country_or_region UDM field. |
meet |
location_region |
principal.user.attribute.labels [location_region] |
If the event.name log field value is equal to call_ended, then the location_region log field is mapped to the principal.location.country_or_region UDM field. |
meet |
meeting_code |
target.resource.product_object_id |
If the event.name log field value is equal to one of the following values, then the meeting_code log field is mapped to the target.resource.product_object_id UDM field:
|
meet |
organizer_email |
about.user.email_addresses |
If the event.name log field value is equal to one of the following values, then the organizer_email log field is mapped to the about.user.email_addresses UDM field:
|
meet |
product_type |
principal.resource.resource_subtype |
If the event.name log field value is equal to one of the following values, then the product_type log field is mapped to the principal.resource.resource_subtype UDM field:
|
meet |
target_email |
target.user.email_addresses |
If the event.name log field value is equal to abuse_report_submitted, then the target_email log field is mapped to the target.user.email_addresses UDM field. |
meet |
target_phone_number |
target.user.phone_numbers |
If the event.name log field value is equal to abuse_report_submitted, then the target_phone_number log field is mapped to the target.user.phone_numbers UDM field. |
meet |
audio_recv_packet_loss_max |
about.labels [audio_recv_packet_loss_max] (deprecated) |
|
meet |
audio_recv_packet_loss_max |
additional.fields [audio_recv_packet_loss_max] |
|
meet |
audio_recv_packet_loss_mean |
about.labels [audio_recv_packet_loss_mean] (deprecated) |
|
meet |
audio_recv_packet_loss_mean |
additional.fields [audio_recv_packet_loss_mean] |
|
meet |
audio_recv_seconds |
about.labels [audio_recv_seconds] (deprecated) |
|
meet |
audio_recv_seconds |
additional.fields [audio_recv_seconds] |
|
meet |
audio_send_bitrate_kbps_mean |
about.labels [audio_send_bitrate_kbps_mean] (deprecated) |
|
meet |
audio_send_bitrate_kbps_mean |
additional.fields [audio_send_bitrate_kbps_mean] |
|
meet |
audio_send_packet_loss_max |
about.labels [audio_send_packet_loss_max] (deprecated) |
|
meet |
audio_send_packet_loss_max |
additional.fields [audio_send_packet_loss_max] |
|
meet |
audio_send_packet_loss_mean |
about.labels [audio_send_packet_loss_mean] (deprecated) |
|
meet |
audio_send_packet_loss_mean |
additional.fields [audio_send_packet_loss_mean] |
|
meet |
audio_send_seconds |
about.labels [audio_send_seconds] (deprecated) |
|
meet |
audio_send_seconds |
additional.fields [audio_send_seconds] |
|
meet |
network_congestion |
about.labels [network_congestion] (deprecated) |
|
meet |
network_congestion |
additional.fields [network_congestion] |
|
meet |
network_estimated_download_kbps_mean |
about.labels [network_estimated_download_kbps_mean] (deprecated) |
|
meet |
network_estimated_download_kbps_mean |
additional.fields [network_estimated_download_kbps_mean] |
|
meet |
network_estimated_upload_kbps_mean |
about.labels [network_estimated_upload_kbps_mean] (deprecated) |
|
meet |
network_estimated_upload_kbps_mean |
additional.fields [network_estimated_upload_kbps_mean] |
|
meet |
network_recv_jitter_msec_max |
about.labels [network_recv_jitter_msec_max] (deprecated) |
|
meet |
network_recv_jitter_msec_max |
additional.fields [network_recv_jitter_msec_max] |
|
meet |
network_recv_jitter_msec_mean |
about.labels [network_recv_jitter_msec_mean] (deprecated) |
|
meet |
network_recv_jitter_msec_mean |
additional.fields [network_recv_jitter_msec_mean] |
|
meet |
network_rtt_msec_mean |
about.labels [network_rtt_msec_mean] (deprecated) |
|
meet |
network_rtt_msec_mean |
additional.fields [network_rtt_msec_mean] |
|
meet |
network_send_jitter_msec_mean |
about.labels [network_send_jitter_msec_mean] (deprecated) |
|
meet |
network_send_jitter_msec_mean |
additional.fields [network_send_jitter_msec_mean] |
|
meet |
network_transport_protocol |
about.labels [network_transport_protocol] (deprecated) |
|
meet |
network_transport_protocol |
additional.fields [network_transport_protocol] |
|
meet |
screencast_recv_bitrate_kbps_mean |
about.labels [screencast_recv_bitrate_kbps_mean] (deprecated) |
|
meet |
screencast_recv_bitrate_kbps_mean |
additional.fields [screencast_recv_bitrate_kbps_mean] |
|
meet |
screencast_recv_fps_mean |
about.labels [screencast_recv_fps_mean] (deprecated) |
|
meet |
screencast_recv_fps_mean |
additional.fields [screencast_recv_fps_mean] |
|
meet |
screencast_recv_long_side_median_pixels |
about.labels [screencast_recv_long_side_median_pixels] (deprecated) |
|
meet |
screencast_recv_long_side_median_pixels |
additional.fields [screencast_recv_long_side_median_pixels] |
|
meet |
screencast_recv_packet_loss_max |
about.labels [screencast_recv_packet_loss_max] (deprecated) |
|
meet |
screencast_recv_packet_loss_max |
additional.fields [screencast_recv_packet_loss_max] |
|
meet |
screencast_recv_packet_loss_mean |
about.labels [screencast_recv_packet_loss_mean] (deprecated) |
|
meet |
screencast_recv_packet_loss_mean |
additional.fields [screencast_recv_packet_loss_mean] |
|
meet |
screencast_recv_seconds |
about.labels [screencast_recv_seconds] (deprecated) |
|
meet |
screencast_recv_seconds |
additional.fields [screencast_recv_seconds] |
|
meet |
screencast_recv_short_side_median_pixels |
about.labels [screencast_recv_short_side_median_pixels] (deprecated) |
|
meet |
screencast_recv_short_side_median_pixels |
additional.fields [screencast_recv_short_side_median_pixels] |
|
meet |
screencast_send_bitrate_kbps_mean |
about.labels [screencast_send_bitrate_kbps_mean] (deprecated) |
|
meet |
screencast_send_bitrate_kbps_mean |
additional.fields [screencast_send_bitrate_kbps_mean] |
|
meet |
screencast_send_fps_mean |
about.labels [screencast_send_fps_mean] (deprecated) |
|
meet |
screencast_send_fps_mean |
additional.fields [screencast_send_fps_mean] |
|
meet |
screencast_send_long_side_median_pixels |
about.labels [screencast_send_long_side_median_pixels] (deprecated) |
|
meet |
screencast_send_long_side_median_pixels |
additional.fields [screencast_send_long_side_median_pixels] |
|
meet |
screencast_send_packet_loss_max |
about.labels [screencast_send_packet_loss_max] (deprecated) |
|
meet |
screencast_send_packet_loss_max |
additional.fields [screencast_send_packet_loss_max] |
|
meet |
screencast_send_packet_loss_mean |
about.labels [screencast_send_packet_loss_mean] (deprecated) |
|
meet |
screencast_send_packet_loss_mean |
additional.fields [screencast_send_packet_loss_mean] |
|
meet |
screencast_send_seconds |
about.labels [screencast_send_seconds] (deprecated) |
|
meet |
screencast_send_seconds |
additional.fields [screencast_send_seconds] |
|
meet |
screencast_send_short_side_median_pixels |
about.labels [screencast_send_short_side_median_pixels] (deprecated) |
|
meet |
screencast_send_short_side_median_pixels |
additional.fields [screencast_send_short_side_median_pixels] |
|
meet |
video_recv_fps_mean |
about.labels [video_recv_fps_mean] (deprecated) |
|
meet |
video_recv_fps_mean |
additional.fields [video_recv_fps_mean] |
|
meet |
video_recv_long_side_median_pixels |
about.labels [video_recv_long_side_median_pixels] (deprecated) |
|
meet |
video_recv_long_side_median_pixels |
additional.fields [video_recv_long_side_median_pixels] |
|
meet |
video_recv_packet_loss_max |
about.labels [video_recv_packet_loss_max] (deprecated) |
|
meet |
video_recv_packet_loss_max |
additional.fields [video_recv_packet_loss_max] |
|
meet |
video_recv_packet_loss_mean |
about.labels [video_recv_packet_loss_mean] (deprecated) |
|
meet |
video_recv_packet_loss_mean |
additional.fields [video_recv_packet_loss_mean] |
|
meet |
video_recv_seconds |
about.labels [video_recv_seconds] (deprecated) |
|
meet |
video_recv_seconds |
additional.fields [video_recv_seconds] |
|
meet |
video_recv_short_side_median_pixels |
about.labels [video_recv_short_side_median_pixels] (deprecated) |
|
meet |
video_recv_short_side_median_pixels |
additional.fields [video_recv_short_side_median_pixels] |
|
meet |
video_send_bitrate_kbps_mean |
about.labels [video_send_bitrate_kbps_mean] (deprecated) |
|
meet |
video_send_bitrate_kbps_mean |
additional.fields [video_send_bitrate_kbps_mean] |
|
meet |
video_send_fps_mean |
about.labels [video_send_fps_mean] (deprecated) |
|
meet |
video_send_fps_mean |
additional.fields [video_send_fps_mean] |
|
meet |
video_send_long_side_median_pixels |
about.labels [video_send_long_side_median_pixels] (deprecated) |
|
meet |
video_send_long_side_median_pixels |
additional.fields [video_send_long_side_median_pixels] |
|
meet |
video_send_packet_loss_max |
about.labels [video_send_packet_loss_max] (deprecated) |
|
meet |
video_send_packet_loss_max |
additional.fields [video_send_packet_loss_max] |
|
meet |
video_send_packet_loss_mean |
about.labels [video_send_packet_loss_mean] (deprecated) |
|
meet |
video_send_packet_loss_mean |
additional.fields [video_send_packet_loss_mean] |
|
meet |
video_send_seconds |
about.labels [video_send_seconds] (deprecated) |
|
meet |
video_send_seconds |
additional.fields [video_send_seconds] |
|
meet |
video_send_short_side_median_pixels |
about.labels [video_send_short_side_median_pixels] (deprecated) |
|
meet |
video_send_short_side_median_pixels |
additional.fields [video_send_short_side_median_pixels] |
|
meet |
action_time |
about.labels[action_time] (deprecated) |
|
meet |
action_time |
additional.fields[action_time] |
|
meet |
target_user_count |
target.user.attribute.labels[target_user_count] |
|
meet |
streaming_session_state |
about.labels[streaming_session_state] (deprecated) |
|
meet |
streaming_session_state |
additional.fields[streaming_session_state] |
|
login |
affected_email_address |
target.user.email_addresses |
If the event.name log field value is equal to one of the following values, then the affected_email_address log field is mapped to the target.user.email_addresses UDM field:
|
login |
login_timestamp |
security_result.detection_fields [login_timestamp] |
|
login |
is_second_factor |
about.labels[is_2sv] (deprecated) |
|
login |
is_second_factor |
additional.fields[is_2sv] |
|
login |
is_suspicious |
about.labels[is_suspicious] (deprecated) |
|
login |
is_suspicious |
additional.fields[is_suspicious] |
|
login |
login_failure_type |
scurity_result.summary |
|
login |
login_challenge_status |
about.labels[login_challenge_status] (deprecated) |
|
login |
login_challenge_status |
additional.fields[login_challenge_status] |
|
login |
login_challenge_method |
security_result.detection_fields [login_challenge_method] |
|
login |
login_challenge_method |
security_result.detection_fields [login_challenge_method_attempts_count] |
|
login |
login_type |
security_result.detection_fields [login_type] |
|
login |
sensitive_action_name |
security_result.action_details [sensitive_action_name] |
|
login |
extensions.auth.mechanism |
If the param.value log field value is equal to google_password, then the extensions.auth.mechanism UDM field is set to USERNAME_PASSWORD.Else, the extensions.auth.mechanism UDM field is set to MECHANISM_UNSPECIFIED. | |
login |
extensions.auth.type |
If the param.value log field value is equal to google_password, then the extensions.auth.type UDM field is set to SSO. | |
login |
security_result.action |
If the event.name log field value is equal to one of the following values, then the security_result.action UDM field is set to BLOCK:
| |
token |
api_name |
about.resource.attribute.labels [api_name] |
|
token |
app_name |
target.resource.name |
If the event.name log field value is equal to one of the following values, then the app_name log field is mapped to the target.resource.name UDM field:
|
token |
client_id |
principal.asset.attribute.labels [client_id] |
If the event.name log field value is equal to one of the following values, then the client_id log field is mapped to the principal.asset.attribute.labels UDM field:
|
token |
client_type |
principal.asset.attribute.labels [client_type] |
|
token |
method_name |
target.resource.attribute.labels [method_name] |
|
token |
num_response_bytes |
target.resource.attribute.labels [num_response_bytes] |
|
token |
product_bucket |
target.resource.attribute.labels product_bucket] |
|
token |
scope |
target.resource.attribute.labels [scope] |
|
token |
scope_data |
target.resource.attribute.labels [scope_data] |
|
token |
rejection_type |
target.resource.attribute.labels [rejection_type] |
|
rules |
actions |
security_result.action_details [actions] |
|
rules |
triggered_actions |
security_result.action_details [actions] |
|
rules |
actor_ip_address |
principal.ip |
If the ipAddress log field value is equal to empty, then the actor_ip_address log field is mapped to the principal.ip UDM field. |
rules |
application |
target.resource.attribute.labels[application] |
|
rules |
conference_id |
target.resource.attribute.labels [conference_id] |
|
rules |
data_source |
security_result.detection_fields [data_source] |
|
rules |
device_id |
target.asset.asset_id |
If the event.name log field value is equal to one of the following values, then the device_id log field is mapped to the target.asset.asset_id UDM field:
|
rules |
device_type |
target.asset.attribute.labels[device_type] |
|
rules |
drive_shared_drive_id |
target.resource.attribute.labels[drive_shared_drive_id] |
|
rules |
evaluation_context |
about.labels [evaluation_context] (deprecated) |
|
rules |
evaluation_context |
additional.fields [evaluation_context] |
|
rules |
has_alert |
security_result.about.labels [has_alert] (deprecated) |
|
rules |
has_alert |
additional.fields [has_alert] |
|
rules |
has_content_match |
security_result.about.labels [has_content_match] (deprecated) |
|
rules |
has_content_match |
additional.fields [has_content_match] |
|
rules |
matched_detectors |
security_result.detection_fields [matched_detectors] |
|
rules |
matched_templates |
security_result.detection_fields [matched_templates] |
|
rules |
matched_threshold |
security_result.detection_fields [matched_threshold] |
|
rules |
matched_trigger |
security_result.detection_fields [matched_trigger] |
|
rules |
mobile_device_type |
target.asset.category |
If the event.name log field value is equal to rule_match, then the mobile_device_type log field is mapped to the target.asset.category UDM field. |
rules |
mobile_ios_vendor_id |
target.asset.attribute.labels [mobile_ios_vendor_id] |
|
rules |
resource_id |
target.resource.product_object_id |
If the event.name log field value is equal to one of the following values, then the resource_id log field is mapped to the target.resource.product_object_id UDM field:
|
rules |
resource_name |
target.resource.name |
If the event.name log field value is equal to rule_match, then the resource_name log field is mapped to the target.resource.name UDM field. |
rules |
resource_title |
target.labels [resource_title] (deprecated) |
|
rules |
resource_title |
additional.fields [resource_title] |
|
rules |
resource_owner_email |
principal.user.email_addresses |
If the actor.email log field value is not equal to resource_owner_email, then the principal.user.email_addresses UDM field is set to resource_owner_email. |
rules |
resource_recipients |
principal.user.email_addresses |
If the actor.email log field value is not equal to resource_recipients, then the principal.user.email_addresses UDM field is set to resource_recipients. |
rules |
resource_recipients_omitted_count |
target.labels [resource_recipients_omitted_count] (deprecated) |
|
rules |
resource_recipients_omitted_count |
additional.fields [resource_recipients_omitted_count] |
|
rules |
resource_type |
target.resource.resource_subtype |
If the event.name log field value is equal to one of the following values, then the resource_type log field is mapped to the target.resource.resource_subtype UDM field:
|
rules |
rule_name |
security_result.rule_name |
If the event.name log field value is equal to one of the following values, then the rule_name log field is mapped to the security_result.rule_name UDM field:
|
rules |
rule_id |
security_result.rule_id |
If the event.name log field value is equal to rule_match, then the rule_id log field is mapped to the security_result.rule_id UDM field. |
rules |
rule_resource_name |
security_result.rule_labels [rule_resource_name] |
|
rules |
rule_type |
security_result.rule_type |
If the event.name log field value is equal to one of the following values, then the rule_type log field is mapped to the security_result.rule_type UDM field:
|
rules |
rule_update_time_usec |
security_result.rule_labels [rule_update_time_usec] |
|
rules |
scan_type |
security_result.about.labels [scan_type] (deprecated) |
|
rules |
scan_type |
additional.fields [scan_type] |
|
rules |
severity |
security_result.severity |
If the event.name log field value is equal to one of the following values, then the severity log field is mapped to the security_result.severity UDM field:
|
rules |
space_id |
target.resource.attribute.labels [space_id] |
|
rules |
space_type |
target.resource.attribute.labels [space_type] |
|
rules |
suppressed_actions |
security_result.about.labels [suppressed_actions] (deprecated) |
|
rules |
suppressed_actions |
additional.fields [suppressed_actions] |
|
rules |
label_field |
target.resource.attribute.labels [label_field] |
|
rules |
label_title |
target.resource.attribute.labels [label_title] |
|
rules |
new_value |
target.resource.attribute.labels [new_value] |
|
rules |
old_value |
target.resource.attribute.labels [old_value] |
|
rules |
blocked_recipients |
target.user.email_addresses |
|
rules |
snippets |
target.resource.attribute.labels [snippets] |
|
saml |
application_name |
target.application |
If the event.name log field value is equal to one of the following values, then the application_name log field is mapped to the target.application UDM field:
|
saml |
device_id |
principal.asset.asset_id |
If the event.name log field value is equal to one of the following values, then the device_id log field is mapped to the principal.asset.assetid UDM field:
|
saml |
failure_type |
security_result.summary |
If the event.name log field value is equal to login_failure, then the failure_type log field is mapped to the security_result.summary UDM field. |
saml |
initiated_by |
security_result.detection_fields[initiated_by] |
If the event.name log field value is equal to one of the following values, then the initiated_by log field is mapped to the security_result.detection_fields UDM field:
|
saml |
orgunit_path |
target.user.attribute.labels [orgunit_path] |
If the event.name log field value is equal to one of the following values, then the orgunit_path log field is mapped to the target.user.attribute.labels UDM field:
|
saml |
saml_second_level_status_code |
security_result.about.labels [saml_second_level_status_code] (deprecated) |
|
saml |
saml_second_level_status_code |
additional.fields [saml_second_level_status_code] |
|
saml |
saml_status_code |
security_result.about.labels [saml_status_code] (deprecated) |
|
saml |
saml_status_code |
additional.fields [saml_status_code] |
|
saml |
security_result.action |
If the event.name log field value is equal to login_failure, then the security_result.action UDM field is set to BLOCK. | |
user_accounts |
email_forwarding_destination_address |
target.user.email_addresses |
|
groups |
acl_permission |
target.group.attribute.roles.name |
If the event.name log field value is equal to change_acl_permission, then the acl_permission log field is mapped to the target.group.attribute.roles.name UDM field. |
groups |
basic_setting |
target.group.attribute.labels [basic_setting] |
|
groups |
group_email |
target.group.email_addresses |
If the event.name log field value is equal to one of the following values, then the group_email log field is mapped to the target.group.email_addresses UDM field:
|
groups |
identity_setting |
target.group.attribute.labels [identity_setting] |
|
groups |
info_setting |
target.group.attribute.labels [info_setting] |
|
groups |
message_id |
network.email.mail_id |
If the event.name log field value is equal to moderate_message, then the message_id log field is mapped to the network.email.mail_id UDM field. |
groups |
message_moderation_action |
target.group.attribute.labels [message_moderation_action] |
|
groups |
member_role |
target.user.attribute.roles.name |
If the event.name log field value is equal to add_user, then the member_role log field is mapped to the target.user.attribute.roles.name UDM field. |
groups |
new_members_restrictions_setting |
target.group.attribute.labels [new_members_restrictions_setting] |
|
groups |
new_value |
target.group.attribute.labels [new_value] |
|
groups |
new_value_repeated |
target.group.attribute.labels [new_value_repeated] |
|
groups |
old_value |
target.group.attribute.labels [old_value] |
|
groups |
old_value_repeated |
target.group.attribute.labels [old_value_repeated] |
|
groups |
post_replies_setting |
target.group.attribute.labels [post_replies_setting] |
|
groups |
spam_moderation_setting |
target.group.attribute.labels [spam_moderation_setting] |
|
groups |
status |
target.group.attribute.labels[status] |
|
groups |
topic_setting |
target.group.attribute.labels [topic_setting] |
|
groups |
user_email |
target.user.email_addresses |
If the event.name log field value is equal to one of the following values, then the user_email log field is mapped to the target.user.email_addresses UDM field:
|
groups |
user_email |
principal.user.email_addresses |
If the event.name log field value is equal to unsubscribe_via_mail and the actor.email log field value is not equal to the user_email, then the user_email log field is mapped to the principal.user.email_addresses UDM field. |
groups |
value |
target.group.attribute.labels [value_of_info_setting] |
|
admin |
USER_EMAIL |
src.user.email_addresses |
If the event.name log field value is equal to CREATE_DATA_TRANSFER_REQUEST, then the USER_EMAIL log field is mapped to the src.user.email_addresses UDM field. |
admin |
USER_EMAIL |
target.user.email_addresses |
If the event.name log field value is equal to one of the following values, then the USER_EMAIL log field is mapped to the target.user.email_addresses UDM field:
|
admin |
DESTINATION_USER_EMAIL |
target.user.email_addresses |
|
admin |
DEVICE_ID |
target.asset.asset_id |
If the event.name log field value is equal to one of the following values, then the DEVICE_ID log field is mapped to the target.asset.asset_id UDM field:
|
admin |
DEVICE_TYPE |
target.platform |
If the DEVICE_TYPE log field value matches the regular expression pattern (?i)windows, then the target.platform UDM field is set to WINDOWS.Else, if the DEVICE_TYPE log field value matches the regular expression pattern (?i)mac, then the target.platform UDM field is set to MAC.
Else, if the DEVICE_TYPE log field value matches the regular expression pattern (?i)linux, then the target.platform UDM field is set to LINUX.
Else, if the DEVICE_TYPE log field value matches the regular expression pattern (?i)ios, then the target.platform UDM field is set to IOS.
Else, if the DEVICE_TYPE log field value matches the regular expression pattern (?i)android, then the target.platform UDM field is set to ANDROID.
Else, if the DEVICE_TYPE log field value matches the regular expression pattern (?i)chrome, then the target.platform UDM field is set to CHROME_OS. |
admin |
APP_ID |
target.resource.name |
If the event.name log field value is equal to one of the following values, then the APP_ID log field is mapped to the target.resource.name UDM field:
|
admin |
NEW_VALUE |
target.resource.name |
If the event.name log field value is equal to MAIL_ROUTING_DESTINATION_ADDED, then the NEW_VALUE log field is mapped to the target.resource.name UDM field. |
admin |
SETTING_NAME |
target.resource.name |
If the event.name log field value is equal to one of the following values, then the SETTING_NAME log field is mapped to the target.resource.name UDM field:
|
admin |
CERTIFICATE_NAME |
target.resource.name |
If the event.name log field value is equal to GENERATE_CERTIFICATE, then the CERTIFICATE_NAME log field is mapped to the target.resource.name UDM field. |
admin |
ACCESS_LEVEL_NAME |
target.resource.name |
If the event.name log field value is equal to UPDATE_ACCESS_LEVEL_V2, then the ACCESS_LEVEL_NAME log field is mapped to the target.resource.name UDM field. |
admin |
ASP_ID |
target.labels [asp_id] (deprecated) |
|
admin |
ASP_ID |
additional.fields [asp_id] |
|
admin |
NEW_VALUE |
target.resource.attribute.labels [new_value] |
If the event.name log field value is equal to one of the following values, then the NEW_VALUE log field is mapped to the target.resource.attribute.labels UDM field:
|
admin |
NEW_VALUE |
target.labels [new_value] (deprecated) |
If the event.name log field value is equal to one of the following values, then the NEW_VALUE log field is mapped to the target.labels UDM field:
|
admin |
NEW_VALUE |
additional.fields [new_value] |
If the event.name log field value is equal to one of the following values, then the NEW_VALUE log field is mapped to the additional.fields UDM field:
|
admin |
NEW_VALUE |
target.user.attribute.labels [new_value] |
|
admin |
NEW_VALUE |
target.user.user_display_name |
If the event.name log field value is equal to one of the following values, then the NEW_VALUE log field is mapped to the target.user.user_display_name UDM field:
|
admin |
NEW_VALUE |
target.user.first_name |
If the event.name log field value is equal to CHANGE_FIRST_NAME, then the NEW_VALUE log field is mapped to the target.user.first_name UDM field. |
admin |
NEW_VALUE |
target.user.last_name |
If the event.name log field value is equal to CHANGE_LAST_NAME, then the NEW_VALUE log field is mapped to the target.user.last_name UDM field. |
admin |
OLD_VALUE |
target.resource.attribute.labels [old_value] |
If the event.name log field value is equal to one of the following values, then the OLD_VALUE log field is mapped to the target.resource.attribute.labels UDM field:
|
admin |
OLD_VALUE |
target.labels [old_value] (deprecated) |
If the event.name log field value is equal to one of the following values, then the OLD_VALUE log field is mapped to the target.labels UDM field:
|
admin |
OLD_VALUE |
additional.fields [old_value] |
If the event.name log field value is equal to one of the following values, then the OLD_VALUE log field is mapped to the additional.fields UDM field:
|
admin |
OLD_VALUE |
target.user.attribute.labels [old_value] |
|
admin |
BULK_UPLOAD_FAIL_USERS_NUMBER |
target.user.attribute.labels [bulk_upload_fail_users_number] |
|
admin |
BULK_UPLOAD_TOTAL_USERS_NUMBER |
target.user.attribute.labels [bulk_upload_total_users_number] |
|
admin |
SYSTEM_DEFINED_RULE_NAME |
security_result.rule_name |
If the event.name log field value is equal to SYSTEM_DEFINED_RULE_UPDATED, then the SYSTEM_DEFINED_RULE_NAME log field is mapped to the security_result.rule_name UDM field. |
admin |
ALERT_NAME |
security_result.rule_name |
|
admin |
SECURITY_CENTER_RULE_NAME |
security_result.rule_name |
|
admin |
DOMAIN_NAME |
target.domain.name |
|
admin |
USER_CUSTOM_FIELD |
target.user.attribute.labels [user_custom_field] |
|
admin |
BEGIN_DATE_TIME |
target.resource.attribute.labels [begin_date_time] |
|
admin |
EMAIL_MONITOR_DEST_EMAIL |
target.resource.attribute.labels [email_monitor_dest_email] |
|
admin |
EMAIL_MONITOR_LEVEL_CHAT |
target.resource.attribute.labels [email_monitor_level_chat] |
|
admin |
EMAIL_MONITOR_LEVEL_DRAFT_EMAIL |
target.resource.attribute.labels [email_monitor_level_draft_email] |
|
admin |
EMAIL_MONITOR_LEVEL_INCOMING_EMAIL |
target.resource.attribute.labels [email_monitor_level_incoming_email] |
|
admin |
EMAIL_MONITOR_LEVEL_OUTGOING_EMAIL |
target.resource.attribute.labels [email_monitor_level_outgoing_email] |
|
admin |
END_DATE_TIME |
target.resource.attribute.labels [end_date_time] |
|
admin |
APPLICATION_NAME |
target.application |
If the event.name log field value is equal to one of the following values, then the APPLICATION_NAME log field is mapped to the target.application UDM field:
|
admin |
SERVICE_NAME |
target.application |
If the event.name log field value is equal to TOGGLE_SERVICE_ENABLED, then the SERVICE_NAME log field is mapped to the target.application UDM field. |
admin |
REAUTH_APPLICATION |
target.application |
If the event.name log field value is equal to SESSION_CONTROL_SETTINGS_CHANGE, then the REAUTH_APPLICATION log field is mapped to the target.application UDM field. |
admin |
OAUTH2_SERVICE_NAME |
target.application |
If the event.name log field value is equal to DISALLOW_SERVICE_FOR_OAUTH2_ACCESS, then the OAUTH2_SERVICE_NAME log field is mapped to the target.application UDM field. |
admin |
OAUTH2_APP_NAME |
target.application |
If the event.name log field value is equal to one of the following values, then the OAUTH2_APP_NAME log field is mapped to the target.application UDM field:
|
admin |
REQUEST_ID |
target.labels [request_id] (deprecated) |
|
admin |
REQUEST_ID |
additional.fields [request_id] |
|
admin |
GMAIL_RESET_REASON |
security_result.summary |
|
admin |
USER_NICKNAME |
target.user.attribute.labels[nickname] |
|
admin |
EMAIL_EXPORT_INCLUDE_DELETED |
target.resource.attribute.labels [email_export_include_deleted] |
|
admin |
EMAIL_EXPORT_PACKAGE_CONTENT |
target.resource.attribute.labels [email_export_package_content] |
|
admin |
SEARCH_QUERY_FOR_DUMP |
target.resource.attribute.labels [search_query_for_dump] |
|
admin |
BIRTHDATE |
target.user.attribute.labels [birthdate] |
|
admin |
ORG_UNIT_NAME |
target.labels[org_unit_name] (deprecated) |
If the event.name log field value is equal to one of the following values, then the ORG_UNIT_NAME log field is mapped to the target.labels UDM field:
|
admin |
ORG_UNIT_NAME |
additional.fields[org_unit_name] |
If the event.name log field value is equal to one of the following values, then the ORG_UNIT_NAME log field is mapped to the additional.fields UDM field:
|
admin |
ORG_UNIT_NAME |
about.labels[org_unit_name] (deprecated) |
|
admin |
ORG_UNIT_NAME |
additional.fields[org_unit_name] |
|
admin |
ROLE_ID |
target.resource.attribute.labels[role_id] |
|
admin |
ROLE_NAME |
target.resource.attribute.roles.name |
|
admin |
API_SCOPES |
target.user.attribute.labels[api_scopes] |
|
admin |
API_CLIENT_NAME |
target.user.userid |
If the API_CLIENT_NAME log field value matches the regular expression ^(.){1,256}$, then the API_CLIENT_NAME log field is mapped to the target.user.userid UDM field. |
admin |
API_CLIENT_NAME |
target.user.attribute.labels[api_client_name] |
If the API_CLIENT_NAME log field value doesn't match the regular expression ^(.){1,256}$, then the API_CLIENT_NAME log field is mapped to the target.user.attribute.labels[api_client_name] UDM field. |
admin |
EMAIL_LOG_SEARCH_END_DATE |
about.labels[email_log_search_end_date] (deprecated) |
|
admin |
EMAIL_LOG_SEARCH_END_DATE |
additional.fields[email_log_search_end_date] |
|
admin |
EMAIL_LOG_SEARCH_MSG_ID |
network.email.mail_id |
|
admin |
EMAIL_LOG_SEARCH_RECIPIENT |
network.email.to |
|
admin |
EMAIL_LOG_SEARCH_SENDER |
network.email.from |
|
admin |
EMAIL_LOG_SEARCH_SMTP_RECIPIENT_IP |
about.labels[email_log_search_smtp_recipient_ip] (deprecated) |
|
admin |
EMAIL_LOG_SEARCH_SMTP_RECIPIENT_IP |
additional.fields[email_log_search_smtp_recipient_ip] |
|
admin |
EMAIL_LOG_SEARCH_SMTP_SENDER_IP |
about.labels[email_log_search_smtp_sender_ip] (deprecated) |
|
admin |
EMAIL_LOG_SEARCH_SMTP_SENDER_IP |
additional.fields[email_log_search_smtp_sender_ip] |
|
admin |
EMAIL_LOG_SEARCH_START_DATE |
about.labels[email_log_search_start_date] (deprecated) |
|
admin |
EMAIL_LOG_SEARCH_START_DATE |
additional.fields[email_log_search_start_date] |
|
admin |
ALERT_ID |
security_result.detection_fields[alert_id] |
|
admin |
INVESTIGATION_DATA_SOURCE |
security_result.detection_fields[investigation_data_source] |
|
admin |
INVESTIGATION_QUERY |
security_result.detection_fields[investigation_query] |
|
admin |
GROUP_EMAIL |
target.group.email_addresses |
|
admin |
PRODUCT_NAME |
target.resource.attribute.labels[product_name] |
|
admin |
INVESTIGATION_ACTION |
security_result.detection_fields[investigation_action] |
|
admin |
INVESTIGATION_ENTITY_IDS |
security_result.detection_fields[investigation_entity_ids] |
|
admin |
INVESTIGATION_OBJECT_IDENTIFIER |
security_result.detection_fields[investigation_object_identifier] |
|
admin |
INVESTIGATION_URL_DISPLAY_TEXT |
security_result.detection_fields[investigation_display_text] |
|
admin |
CHART_NAME |
about.labels [chart_name] (deprecated) |
|
admin |
CHART_NAME |
additional.fields [chart_name] |
|
admin |
CHART_FILTERS |
about.labels [chart_filters] (deprecated) |
|
admin |
CHART_FILTERS |
additional.fields [chart_filters] |
|
admin |
START_DATE |
about.labels [start_date] (deprecated) |
|
admin |
START_DATE |
additional.fields [start_date] |
|
admin |
END_DATE |
about.labels [end_date] (deprecated) |
|
admin |
END_DATE |
additional.fields [end_date] |
|
admin |
target.resource.resource_type |
If the event.name log field value is not equal to one of the following values, then the target.resource.resource_type UDM field is set to SETTING:
If the event.name log field value is equal to GENERATE_CERTIFICATE, then the target.resource.resource_type UDM field is set to CREDENTIAL. | |
admin |
SYSTEM_DEFINED_RULE_ACTION_STATUS_CHANGE |
security_result.rule_labels[system_defined_rule_action_status_change] |
|
admin |
SYSTEM_DEFINED_RULE_ACTION_SEVERITY_CHANGE |
security_result.rule_labels[system_defined_rule_action_severity_change] |
|
admin |
SYSTEM_DEFINED_RULE_ACTION_RECEIVERS_CHANGE |
security_result.rule_labels[system_defined_rule_action_receivers_change] |
|
admin |
COMPANY_DEVICE_ID |
target.asset_id |
|
admin |
APPLICATION_ENABLED |
target.labels[application_enabled] (deprecated) |
|
admin |
APPLICATION_ENABLED |
additional.fields[application_enabled] |
|
admin |
DISTRIBUTION_ENTITY_NAME |
target.labels[distribution_entity_name] (deprecated) |
|
admin |
DISTRIBUTION_ENTITY_NAME |
additional.fields[distribution_entity_name] |
|
admin |
DISTRIBUTION_ENTITY_TYPE |
target.labels[distribution_entity_type] (deprecated) |
|
admin |
DISTRIBUTION_ENTITY_TYPE |
additional.fields[distribution_entity_type] |
|
admin |
MOBILE_APP_PACKAGE_ID |
target.labels[mobile_app_package_id] (deprecated) |
|
admin |
MOBILE_APP_PACKAGE_ID |
additional.fields[mobile_app_package_id] |
|
admin |
APPLICATION_EDITION |
target.labels[application_edition] (deprecated) |
|
admin |
APPLICATION_EDITION |
additional.fields[application_edition] |
|
admin |
REAUTH_SETTING_NEW |
target.labels[reauth_setting_new] (deprecated) |
|
admin |
REAUTH_SETTING_NEW |
additional.fields[reauth_setting_new] |
|
admin |
REAUTH_SETTING_OLD |
target.labels[reauth_setting_old] (deprecated) |
|
admin |
REAUTH_SETTING_OLD |
additional.fields[reauth_setting_old] |
|
admin |
ALLOWED_TWO_STEP_VERIFICATION_METHOD |
target.labels[allowed_2sv_method] (deprecated) |
|
admin |
ALLOWED_TWO_STEP_VERIFICATION_METHOD |
additional.fields[allowed_2sv_method] |
|
admin |
CERTIFICATE_TYPE |
target.resource.resource_subtype |
|
admin |
SAML2_SERVICE_PROVIDER_ENTITY_ID |
about.labels[saml2_service_provider_entity_id] (deprecated) |
|
admin |
SAML2_SERVICE_PROVIDER_ENTITY_ID |
additional.fields[saml2_service_provider_entity_id] |
|
admin |
SAML2_SERVICE_PROVIDER_NAME |
about.labels[saml2_service_provider_name] (deprecated) |
|
admin |
SAML2_SERVICE_PROVIDER_NAME |
additional.fields[saml2_service_provider_name] |
|
admin |
SERVICE_ACCOUNT_EMAIL |
about.user.email_addresses |
|
admin |
about.user.account_type |
If the event.name log field value is equal to ENABLE_DIRECTORY_SYNC and the SERVICE_ACCOUNT_EMAIL log field value is not empty, then the about.user.account_type UDM field is set to SERVICE_ACCOUNT_TYPE. |
|
admin |
DEVICE_NEW_STATE |
target.asset.attribute.labels[device_new_state] |
|
admin |
DEVICE_PREVIOUS_STATE |
target.asset.attribute.labels[device_previous_state] |
|
admin |
DEVICE_SERIAL_NUMBER |
target.asset.hardware.serial_number |
|
admin |
INVESTIGATION_ACTION_NUM_ATTEMPTED |
security_result.detection_fields[investigation_action_num_attempt] |
|
admin |
INVESTIGATION_ACTION_NUM_SUCCESS |
security_result.detection_fields[investigation_action_num_success] |
|
admin |
INVESTIGATION_ACTION_NUM_FAILED |
security_result.detection_fields[investigation_action_num_failed] |
|
admin |
INVESTIGATION_ACTION_IDENTIFIER |
security_result.detection_fields[investigation_action_identifier] |
|
admin |
INVESTIGATION_ACTION_ID |
security_result.detection_fields[investigation_action_id] |
|
admin |
SETTING_DESCRIPTION |
target.resource.attribute.labels[setting_description] |
|
admin |
USER_DEFINED_SETTING_NAME |
target.resource.attribute.labels[user_defined_setting_name] |
|
admin |
ACTION_TYPE |
security_result.action_details |
|
admin |
security_result.action |
If the ACTION_TYPE log field value is equal to BLOCK, then the security_result.action UDM field is set to BLOCK.Else, the security_result.action UDM field is set to ALLOW. |
|
admin |
ACTION_ID |
security_result.detection_fields[action_id] |
|
admin |
OAUTH2_APP_ID |
additional.fields [oauth2_app_id] |
|
admin |
OAUTH2_APP_TYPE |
additional.fields [oauth2_app_type] |
|
admin |
ACCESS_LEVEL_TITLE |
target.resource.attribute.labels [access_level_title] |
|
admin |
ACCESS_LEVEL_CURR_STATE |
target.resource.attribute.labels [access_level_curr_state] |
|
admin |
ACCESS_LEVEL_PREV_STATE |
target.resource.attribute.labels [access_level_prev_state] |
|
admin |
AUTH_PRINCIPLE_EMAIL |
principal.user.email_addresses |
If the actor.email log field value is not equal to the AUTH_PRINCIPLE_EMAIL, then the AUTH_PRINCIPLE_EMAIL log field is mapped to the principal.user.email_addresses UDM field. |
admin |
INVESTIGATION_ADMIN_EMAIL |
principal.user.email_addresses |
If the actor.email log field value is not equal to the INVESTIGATION_ADMIN_EMAIL, then the INVESTIGATION_ADMIN_EMAIL log field is mapped to the principal.user.email_addresses UDM field. |
admin |
target.resource.resource_type |
If the event.name log field value is equal to UPDATE_ACCESS_LEVEL_V2, then the target.resource.resource_type UDM field is set to ACCESS_POLICY. |
|
admin |
APP_RESOURCE_ID | additional.fields [app_resource_id] |
|
admin |
SECURITY_CENTER_RULE_TRIGGER_WINDOW | security_result.rule_labels[security_center_rule_trigger_window] |
|
admin |
SECURITY_CENTER_RULE_CONDITION | security_result.rule_labels[security_center_rule_condition] |
|
admin |
SECURITY_CENTER_RULE_THRESHOLD | security_result.rule_labels[security_center_rule_threshold] |
|
admin |
SECURITY_CENTER_RULE_TIME_FRAME | security_result.rule_labels[security_center_rule_time_frame] |
|
admin |
SECURITY_CENTER_RULE_ACTION | security_result.rule_labels[security_center_rule_action] |
|
admin |
QUARANTINE_NAME | additional.fields[quarantine_name] |
|
jamboard |
CURRENT_JAMBOARD_NAME |
target.asset.attribute.labels [current_jamboard_name] |
If the event.name log field value is equal to one of the following values, then the CURRENT_JAMBOARD_NAME log field is mapped to the target.asset.attribute.labels UDM field:
|
jamboard |
JAMBOARD_ID |
target.asset.asset_id |
|
jamboard |
LICENSE_ENROLLMENT_STATE |
target.asset.attribute.labels [license_enrollment_state] |
|
jamboard |
PROVISION_STATE |
target.asset.attribute.labels [provision_state] |
|
jamboard |
ON_OFF |
target.asset.attribute.labels [on_off] |
|
jamboard |
NEW_ADDITIONAL_IMES |
target.asset.attribute.labels [new_additional_imes] |
|
jamboard |
OLD_ADDITIONAL_IMES |
target.asset.attribute.labels [old_additional_imes] |
|
jamboard |
NEW_DEMO_MODE_AVAILABILITY |
target.asset.attribute.labels [new_demo_mode_availability] |
|
jamboard |
OLD_DEMO_MODE_AVAILABILITY |
target.asset.attribute.labels [old_demo_mode_availability] |
|
jamboard |
NEW_LANGUAGE |
target.asset.attribute.labels [new_language] |
|
jamboard |
OLD_LANGUAGE |
target.asset.attribute.labels [old_language] |
|
jamboard |
NEW_LOCATION |
target.asset.location.name |
If the event.name log field value is equal to DEVICE_LOCATION_CHANGE, then the NEW_LOCATION log field is mapped to the target.asset.location.name UDM field. |
jamboard |
OLD_LOCATION |
target.asset.attribute.labels [old_location] |
|
jamboard |
OLD_JAMBOARD_NAME |
target.asset.attribute.labels [old_jamboard_name] |
|
jamboard |
NEW_NOTE |
target.resource.attribute.labels [new_note] |
|
jamboard |
OLD_NOTE |
target.resource.attribute.labels [old_note] |
|
jamboard |
DEVICE_TYPE |
target.asset.attribute.labels [device_type] |
|
jamboard |
NEW_DEVICE |
target.asset.attribute.labels [new_device] |
|
jamboard |
OLD_DEVICE |
target.asset.attribute.labels [old_device] |
|
jamboard |
NEW_TIMEOUT_VALUE |
target.asset.attribute.labels [new_timeout_value] |
|
jamboard |
OLD_TIMEOUT_VALUE |
target.asset.attribute.labels [old_timeout_value] |
|
jamboard |
JAMBOARD_SETTING |
target.asset.attribute.labels [jamboard_setting] |
|
jamboard |
COMPONENT |
target.asset.attribute.labels [component] |
|
jamboard |
NEW_VERSION |
target.asset.software.version |
If the event.name log field value is equal to DEVICE_UPDATE, then the NEW_VERSION log field is mapped to the target.asset.software.version UDM field. |
jamboard |
OLD_VERSION |
target.asset.attribute.labels [old_version] |
|
gmail |
events.parameters[delivery].msgValue[message_info].parameter.value[description] |
metadata.description |
|
gmail |
events.parameters[delivery].msgValue[event_info].parameter.intValue[timestamp_usec] |
metadata.event_timestamp |
|
gmail |
events.parameters[delivery].msgValue[event_info].parameter.intValue[mail_event_type] |
metadata.product_event_type |
|
gmail |
id.applicationName |
metadata.product_name |
|
gmail |
metadata.vendor_name |
The metadata.vendor_name UDM field is set to Google Workspace. | |
gmail |
events.parameters[delivery].msgValue[message_info].parameter.value[rfc2822_message_id] |
network.email.mail_id |
|
gmail |
events.parameters[delivery].msgValue[message_info].parameter.value[subject] |
network.email.subject |
|
gmail |
events.parameters[delivery].msgValue[message_info].parameter.intValue[payload_size] |
network.sent_bytes |
|
gmail |
events.parameters[delivery].msgValue[event_info].parameter.intValue[elapsed_time_usec] |
network.session_duration |
|
gmail |
events.parameters[delivery].msgValue[message_info].parameter.msgValue[connection_info].parameter.intValue[smtp_tls_state] |
network.smtp.is_tls |
If this log field value is equal to 0, then the network.smtp.is_tls UDM field is set to false.Else, if this log field value is equal to 1, then the network.smtp.is_tls UDM field is set to true. |
gmail |
events.parameters[delivery].msgValue[message_info].parameter.multiMsgValue[destination].parameter.value[address] |
network.smtp.rcpt_to |
|
gmail |
events.parameters[delivery].msgValue[message_info].parameter.msgValue[connection_info].parameter.intValue[smtp_response_reason] |
network.smtp.server_response |
If this log field value is equal to 1, then the network.smtp.server_response UDM field is set to events.parameters[delivery].msgValue[message_info].parameter.msgValue[connection_info].parameter.intValue[smtp_reply_code] - Default reason messages are rejected or accepted.Else, if this log field value is equal to 3, then the network.smtp.server_response UDM field is set to events.parameters[delivery].msgValue[message_info].parameter.msgValue[connection_info].parameter.intValue[smtp_reply_code] - Malware.Else, if this log field value is equal to 4, then the network.smtp.server_response UDM field is set to events.parameters[delivery].msgValue[message_info].parameter.msgValue[connection_info].parameter.intValue[smtp_reply_code] - DMARC policy.Else, if this log field value is equal to 5, then the network.smtp.server_response UDM field is set to events.parameters[delivery].msgValue[message_info].parameter.msgValue[connection_info].parameter.intValue[smtp_reply_code] - Unsupported attachment (by Gmail).Else, if this log field value is equal to 6, then the network.smtp.server_response UDM field is set to events.parameters[delivery].msgValue[message_info].parameter.msgValue[connection_info].parameter.intValue[smtp_reply_code] - Receive limit exceeded.Else, if this log field value is equal to 7, then the network.smtp.server_response UDM field is set to events.parameters[delivery].msgValue[message_info].parameter.msgValue[connection_info].parameter.intValue[smtp_reply_code] - Account over quota.Else, if this log field value is equal to 8, then the network.smtp.server_response UDM field is set to events.parameters[delivery].msgValue[message_info].parameter.msgValue[connection_info].parameter.intValue[smtp_reply_code] - Bad PTR record.Else, if this log field value is equal to 9, then the network.smtp.server_response UDM field is set to events.parameters[delivery].msgValue[message_info].parameter.msgValue[connection_info].parameter.intValue[smtp_reply_code] - Recipient doesn't exist.Else, if this log field value is equal to 10, then the network.smtp.server_response UDM field is set to events.parameters[delivery].msgValue[message_info].parameter.msgValue[connection_info].parameter.intValue[smtp_reply_code] - Customer policy.Else, if this log field value is equal to 12, then the network.smtp.server_response UDM field is set to events.parameters[delivery].msgValue[message_info].parameter.msgValue[connection_info].parameter.intValue[smtp_reply_code] - RFC violation.Else, if this log field value is equal to 13, then the network.smtp.server_response UDM field is set to events.parameters[delivery].msgValue[message_info].parameter.msgValue[connection_info].parameter.intValue[smtp_reply_code] - Blatant spam.Else, if this log field value is equal to 14, then the network.smtp.server_response UDM field is set to events.parameters[delivery].msgValue[message_info].parameter.msgValue[connection_info].parameter.intValue[smtp_reply_code] - Denial of service.Else, if this log field value is equal to 15, then the network.smtp.server_response UDM field is set to events.parameters[delivery].msgValue[message_info].parameter.msgValue[connection_info].parameter.intValue[smtp_reply_code] - Malicious or spammy links.Else, if this log field value is equal to 16, then the network.smtp.server_response UDM field is set to events.parameters[delivery].msgValue[message_info].parameter.msgValue[connection_info].parameter.intValue[smtp_reply_code] - Low IP reputation.Else, if this log field value is equal to 17, then the network.smtp.server_response UDM field is set to events.parameters[delivery].msgValue[message_info].parameter.msgValue[connection_info].parameter.intValue[smtp_reply_code] - Low domain reputation.Else, if this log field value is equal to 18, then the network.smtp.server_response UDM field is set to events.parameters[delivery].msgValue[message_info].parameter.msgValue[connection_info].parameter.intValue[smtp_reply_code] - IP listed in public Real-time Blackhole List (RBL).Else, if this log field value is equal to 19, then the network.smtp.server_response UDM field is set to events.parameters[delivery].msgValue[message_info].parameter.msgValue[connection_info].parameter.intValue[smtp_reply_code] - Temporarily rejected due to DoS limits.Else, if this log field value is equal to 20, then the network.smtp.server_response UDM field is set to events.parameters[delivery].msgValue[message_info].parameter.msgValue[connection_info].parameter.intValue[smtp_reply_code] - Permanently rejected due to DoS limits. |
gmail |
events.parameters[delivery].msgValue[message_info].parameter.msgValue[connection_info].parameter.value[smtp_tls_cipher] |
network.tls.cipher |
|
gmail |
events.parameters[delivery].msgValue[message_info].parameter.msgValue[connection_info].parameter.value[smtp_tls_version] |
network.tls.version |
|
gmail |
events.parameters[delivery].msgValue[message_info].parameter.msgValue[connection_info].parameter.value[client_host_zone] |
principal.administrative_domain |
|
gmail |
events.parameters[delivery].msgValue[message_info].parameter.msgValue[source].parameter.value[service] |
principal.application |
|
gmail |
events.parameters[delivery].msgValue[message_owner].parameter.value[customer_domain] |
principal.domain.name |
|
gmail |
events.parameters[delivery].msgValue[message_info].parameter.msgValue[connection_info].parameter.value[client_ip] |
principal.ip |
|
gmail |
actor.gaiaId |
principal.labels[actor_gaiaid] (deprecated) |
|
gmail |
actor.gaiaId |
additional.fields[actor_gaiaid] |
|
gmail |
actor.orgunitPath |
principal.labels[actor_orgunitpath] (deprecated) |
|
gmail |
actor.orgunitPath |
additional.fields[actor_orgunitpath] |
|
gmail |
events.parameters[delivery].msgValue[message_owner].parameter.multiIntValue[gaia_ids] |
principal.labels[message_owner_gaia_id] (deprecated) |
|
gmail |
events.parameters[delivery].msgValue[message_owner].parameter.multiIntValue[gaia_ids] |
additional.fields[message_owner_gaia_id] |
|
gmail |
events.parameters[delivery].msgValue[message_info].parameter.msgValue[source].parameter.value[selector] |
principal.labels[source_selector] (deprecated) |
|
gmail |
events.parameters[delivery].msgValue[message_info].parameter.msgValue[source].parameter.value[selector] |
additional.fields[source_selector] |
|
gmail |
events.parameters[delivery].msgValue[message_info].parameter.msgValue[source].parameter.value[from_header_address],events.parameters[delivery].msgValue[message_owner].parameter.multiStrValue[addresses] |
principal.user.email_addresses |
|
gmail |
events.parameters[delivery].msgValue[message_info].parameter.msgValue[source].parameter.value[address] |
principal.user.email_addresses |
|
gmail |
events.parameters[delivery].msgValue[message_owner].parameter.multiStrValue[addresses] |
principal.user.email_addresses |
|
gmail |
events.parameters[delivery].msgValue[message_info].parameter.msgValue[source].parameter.value[from_header_displayname] |
principal.user.user_display_name |
|
gmail |
events.parameters[delivery].msgValue[message_info].parameter.msgValue[source].parameter.intValue[user_id] |
principal.user.userid |
|
gmail |
events.parameters[delivery].msgValue[message_info].parameter.value[flattened_destinations] |
target.labels[flattened_destinations] (deprecated) |
|
gmail |
events.parameters[delivery].msgValue[message_info].parameter.value[flattened_destinations] |
additional.fields[flattened_destinations] |
|
gmail |
events.parameters[delivery].msgValue[message_info].parameter.multiMsgValue[destination].parameter.value[service] |
target.application |
This log field is mapped to target.application UDM field when index value in events.parameters[delivery].msgValue[message_info].parameter.multiMsgValue[destination] is equal to 0. For every other index value, this log field is mapped to the about.application. |
gmail |
events.parameters[delivery].msgValue[message_info].parameter.multiMsgValue[destination].parameter.intValue[rcpt_response] |
target.labels[destination_rcpt_response] (deprecated) |
This log field is mapped to target.labels.value UDM field and target.labels.key is set to destination_rcpt_response, when index value in events.parameters[delivery].msgValue[message_info].parameter.multiMsgValue[destination] is equal to 0. For every other index value, this log field is mapped to about.labels.value UDM field and about.labels.key is set to destination_rcpt_response. |
gmail |
events.parameters[delivery].msgValue[message_info].parameter.multiMsgValue[destination].parameter.intValue[rcpt_response] |
additional.fields[destination_rcpt_response] |
|
gmail |
events.parameters[delivery].msgValue[message_info].parameter.multiMsgValue[destination].parameter.value[selector] |
target.labels[destination_selector] (deprecated) |
This log field is mapped to target.labels.value UDM field and target.labels.key is set to destination_selector, when index value in events.parameters[delivery].msgValue[message_info].parameter.multiMsgValue[destination] is equal to 0. For every other index value, this log field is mapped to about.labels.value UDM field and about.labels.key is set to destination_selector. |
gmail |
events.parameters[delivery].msgValue[message_info].parameter.multiMsgValue[destination].parameter.value[selector] |
additional.fields[destination_selector] |
|
gmail |
events.parameters[delivery].msgValue[message_info].parameter.multiMsgValue[destination].parameter.boolValue[smime_decryption_success] |
target.labels[destination_smime_decryption_success] (deprecated) |
This log field is mapped to target.labels.value UDM field and target.labels.key is set to destination_smime_decryption_success, when index value in events.parameters[delivery].msgValue[message_info].parameter.multiMsgValue[destination] is equal to 0. For every other index value, this log field is mapped to about.labels.value UDM field and about.labels.key is set to destination_smime_decryption_success. |
gmail |
events.parameters[delivery].msgValue[message_info].parameter.multiMsgValue[destination].parameter.boolValue[smime_decryption_success] |
additional.fields[destination_smime_decryption_success] |
|
gmail |
events.parameters[delivery].msgValue[message_info].parameter.multiMsgValue[destination].parameter.boolValue[smime_extraction_success] |
target.labels[destination_smime_extraction_success] (deprecated) |
This log field is mapped to target.labels.value UDM field and target.labels.key is set to destination_smime_extraction_success, when index value in events.parameters[delivery].msgValue[message_info].parameter.multiMsgValue[destination] is equal to 0. For every other index value, this log field is mapped to about.labels.value UDM field and about.labels.key is set to destination_smime_extraction_success. |
gmail |
events.parameters[delivery].msgValue[message_info].parameter.multiMsgValue[destination].parameter.boolValue[smime_extraction_success] |
additional.fields[destination_smime_extraction_success] |
|
gmail |
events.parameters[delivery].msgValue[message_info].parameter.multiMsgValue[destination].parameter.boolValue[smime_parsing_success] |
target.labels[destination_smime_parsing_success] (deprecated) |
This log field is mapped to target.labels.value UDM field and target.labels.key is set to destination_smime_parsing_success, when index value in events.parameters[delivery].msgValue[message_info].parameter.multiMsgValue[destination] is equal to 0. For every other index value, this log field is mapped to about.labels.value UDM field and about.labels.key is set to destination_smime_parsing_success. |
gmail |
events.parameters[delivery].msgValue[message_info].parameter.multiMsgValue[destination].parameter.boolValue[smime_parsing_success] |
additional.fields[destination_smime_parsing_success] |
|
gmail |
events.parameters[delivery].msgValue[message_info].parameter.multiMsgValue[destination].parameter.boolValue[smime_signature_verification_success] |
target.labels[destination_smime_signature_verification_success] (deprecated) |
This log field is mapped to target.labels.value UDM field and target.labels.key is set to destination_smime_signature_verification_success, when index value in events.parameters[delivery].msgValue[message_info].parameter.multiMsgValue[destination] is equal to 0. For every other index value, this log field is mapped to about.labels.value UDM field and about.labels.key is set to destination_smime_signature_verification_success. |
gmail |
events.parameters[delivery].msgValue[message_info].parameter.multiMsgValue[destination].parameter.boolValue[smime_signature_verification_success] |
additional.fields[destination_smime_signature_verification_success] |
|
gmail |
events.parameters[delivery].msgValue[message_info].parameter.multiMsgValue[destination].parameter.value[address] |
target.user.email_addresses |
This log field is mapped to target.user.email_addresses UDM field when index value in events.parameters[delivery].msgValue[message_info].parameter.multiMsgValue[destination] is equal to 0. For every other index value, this log field is mapped to the about.user.email_addresses. |
gmail |
events.parameters[delivery].msgValue[message_info].parameter.multiMsgValue[destination].parameter.intValue[user_id] |
target.user.userid |
This log field is mapped to target.user.userid UDM field when index value in events.parameters[delivery].msgValue[message_info].parameter.multiMsgValue[destination] is equal to 0. For every other index value, this log field is mapped to the about.user.userid. |
gmail |
events.parameters[delivery].msgValue[message_info].parameter.msgValue[connection_info].parameter.value[smtp_out_remote_host] |
intermediary.hostname |
|
gmail |
events.parameters[delivery].msgValue[server_info].parameter.value[host_name] |
intermediary.hostname |
|
gmail |
events.parameters[delivery].msgValue[message_info].parameter.msgValue[connection_info].parameter.value[failed_smtp_out_connect_ip] |
intermediary.ip |
|
gmail |
events.parameters[delivery].msgValue[message_info].parameter.msgValue[connection_info].parameter.value[smtp_in_connect_ip] |
intermediary.ip |
|
gmail |
events.parameters[delivery].msgValue[message_info].parameter.msgValue[connection_info].parameter.value[smtp_out_connect_ip] |
intermediary.ip |
|
gmail |
events.parameters[delivery].msgValue[message_info].parameter.msgValue[connection_info].parameter.value[smtp_user_agent_ip] |
intermediary.ip |
|
gmail |
events.parameters[delivery].msgValue[server_info].parameter.value[job_name] |
intermediary.labels[job_name] (deprecated) |
|
gmail |
events.parameters[delivery].msgValue[server_info].parameter.value[job_name] |
additional.fields[job_name] |
|
gmail |
events.parameters[delivery].msgValue[server_info].parameter.intValue[server_type] |
intermediary.labels[server_type] (deprecated) |
|
gmail |
events.parameters[delivery].msgValue[server_info].parameter.intValue[server_type] |
additional.fields[server_type] |
|
gmail |
events.parameters[delivery].msgValue[server_info].parameter.value[service_pool] |
intermediary.labels[service_pool] (deprecated) |
|
gmail |
events.parameters[delivery].msgValue[server_info].parameter.value[service_pool] |
additional.fields[service_pool] |
|
gmail |
events.parameters[delivery].msgValue[server_info].parameter.intValue[task_number] |
intermediary.labels[task_number] (deprecated) |
|
gmail |
events.parameters[delivery].msgValue[server_info].parameter.intValue[task_number] |
additional.fields[task_number] |
|
gmail |
events.parameters[delivery].msgValue[message_info].parameter.multiMsgValue[triggered_rule_info].parameter.value[policy_holder_address] |
security_result.about.user.email_addresses |
If this log field value doesn't match the regular expression ^.+@.+$, then it is mapped to the security_result.about.administrative_domain UDM field.Else, it is mapped to the security_result.about.administrative_domain UDM field. |
gmail |
events.parameters[delivery].msgValue[message_info].parameter.multiMsgValue[triggered_rule_info].parameter.multiMsgValue[consequence].parameter.value[policy_holder_email] |
security_result.about.user.email_addresses |
|
gmail |
events.parameters[delivery].msgValue[message_info].parameter.multiMsgValue[triggered_rule_info].parameter.multiMsgValue[consequence].parameter.intValue[policy_holder_user_id] |
security_result.about.user.userid |
|
gmail |
security_result.action |
If the events.parameters[delivery].msgValue[event_info].parameter.boolValue[success] log field value is equal to true, then the security_result.action UDM field is set to ALLOW.Else, the security_result.action UDM field is set to BLOCK. | |
gmail |
events.parameters[delivery].msgValue[event_info].parameter.boolValue[success] |
security_result.action_details |
|
gmail |
security_result.category |
If the events.parameters[delivery].msgValue[message_info].parameter.multiMsgValue[attachment].parameter.intValue[malware_family] log field value is not empty, then the security_result.category UDM field is set to SOFTWARE_MALICIOUS.If the events.parameters[delivery].msgValue[message_info].parameter.boolValue[is_spam] log field value is equal to true, then the security_result.category UDM field is set to MAIL_SPAM. | |
gmail |
events.parameters[delivery].msgValue[message_info].parameter.multiMsgValue[attachment].parameter.intValue[malware_family] |
security_result.category_details |
If this log field value is equal to 1, then the security_result.category_details UDM field is set to 1 - A known malicious program type of malware.Else, if this log field value is equal to 2, then the security_result.category_details UDM field is set to 2 - A virus or worm type of malware.Else, if this log field value is equal to 3, then the security_result.category_details UDM field is set to 3 - Possible harmful email content.Else, if this log field value is equal to 4, then the security_result.category_details UDM field is set to 4 - Possible unwanted email content.Else, if this log field value is equal to 5, then the security_result.category_details UDM field is set to 5 - Other type of malware. |
gmail |
events.parameters[delivery].msgValue[message_info].parameter.value[flattened_triggered_rule_info] |
security_result.detection_fields[flattened_triggered_rule_info] |
|
gmail |
events.parameters[delivery].msgValue[message_info].parameter.msgValue[connection_info].parameter.boolValue[is_internal] |
security_result.detection_fields[is_internal] |
|
gmail |
events.parameters[delivery].msgValue[message_info].parameter.msgValue[connection_info].parameter.boolValue[is_intra_domain] |
security_result.detection_fields[is_intra_domain] |
|
gmail |
events.parameters[delivery].msgValue[message_info].parameter.boolValue[is_policy_check_for_sender] |
security_result.detection_fields[is_policy_check_for_sender] |
|
gmail |
events.parameters[delivery].msgValue[message_info].parameter.boolValue[is_spam] |
security_result.detection_fields[is_spam] |
|
gmail |
events.parameters[delivery].msgValue[message_info].parameter.intValue[smtp_replay_error] |
security_result.detection_fields[smtp_replay_error] |
If this log field value is equal to 1, then the security_result.detection_fields.key UDM field is set to smtp_replay_error and the security_result.detection_fields.value UDM field is set to 1 - Authentication error.Else, if this log field value is equal to 2, then the security_result.detection_fields.key UDM field is set to smtp_replay_error and the 2 - Daily rate limit was exceeded. log field is mapped to the security_result.detection_fields.value UDM field.Else, if this log field value is equal to 3, then the security_result.detection_fields.key UDM field is set to smtp_replay_error and the 3 - Peak rate limit was exceeded. log field is mapped to the security_result.detection_fields.value UDM field.Else, if this log field value is equal to 4, then the security_result.detection_fields.key UDM field is set to smtp_replay_error and the 4 - SMTP relay was abused. log field is mapped to the security_result.detection_fields.value UDM field.Else, if this log field value is equal to 5, then the security_result.detection_fields.key UDM field is set to smtp_replay_error and the 5 - Per-user rate limit was exceeded. log field is mapped to the security_result.detection_fields.value UDM field. |
gmail |
events.parameters[delivery].msgValue[message_info].parameter.msgValue[spam_info].parameter.intValue[classification_reason] |
security_result.detection_fields[spam_info_classification_reason] |
If this log field value is equal to 1, then the security_result.detection_fields.key UDM field is set to spam_info_classification_reason and the security_result.detection_fields.value UDM field is set to 1 - Default spam classification reason.Else, if this log field value is equal to 2, then the security_result.detection_fields.key UDM field is set to spam_info_classification_reason and the security_result.detection_fields.value UDM field is set to 2 - Message classified because of sender's past actions.Else, if this log field value is equal to 3, then the security_result.detection_fields.key UDM field is set to spam_info_classification_reason and the security_result.detection_fields.value UDM field is set to 3 - Suspicious content.Else, if this log field value is equal to 4, then the security_result.detection_fields.key UDM field is set to spam_info_classification_reason and the security_result.detection_fields.value UDM field is set to 4 - Suspicious link.Else, if this log field value is equal to 5, then the security_result.detection_fields.key UDM field is set to spam_info_classification_reason and the security_result.detection_fields.value UDM field is set to 5 - Suspicious attachment.Else, if this log field value is equal to 6, then the security_result.detection_fields.key UDM field is set to spam_info_classification_reason and the security_result.detection_fields.value UDM field is set to 6 - Custom policy defined in Google Workspace Admin Console > Gmail settings.Else, if this log field value is equal to 7, then the security_result.detection_fields.key UDM field is set to spam_info_classification_reason and the security_result.detection_fields.value UDM field is set to 7 - DMARC.Else, if this log field value is equal to 8, then the security_result.detection_fields.key UDM field is set to spam_info_classification_reason and the security_result.detection_fields.value UDM field is set to 8 - Domain in public RBLs.Else, if this log field value is equal to 9, then the security_result.detection_fields.key UDM field is set to spam_info_classification_reason and the security_result.detection_fields.value UDM field is set to 9 - RFC standards violation.Else, if this log field value is equal to 10, then the security_result.detection_fields.key UDM field is set to spam_info_classification_reason and the security_result.detection_fields.value UDM field is set to 10 - Gmail policy violation.Else, if this log field value is equal to 11, then the security_result.detection_fields.key UDM field is set to spam_info_classification_reason and the security_result.detection_fields.value UDM field is set to 11 - Machine learning verdict.Else, if this log field value is equal to 12, then the security_result.detection_fields.key UDM field is set to spam_info_classification_reason and the security_result.detection_fields.value UDM field is set to 12 - Sender reputation.Else, if this log field value is equal to 13, then the security_result.detection_fields.key UDM field is set to spam_info_classification_reason and the security_result.detection_fields.value UDM field is set to 13 - Blatant spam.Else, if this log field value is equal to 14, then the security_result.detection_fields.key UDM field is set to spam_info_classification_reason and the security_result.detection_fields.value UDM field is set to 14 - Advanced phishing and malware protection. |
gmail |
events.parameters[delivery].msgValue[message_info].parameter.msgValue[spam_info].parameter.intValue[classification_timestamp_usec] |
security_result.detection_fields[spam_info_classification_timestamp_usec] |
|
gmail |
events.parameters[delivery].msgValue[message_info].parameter.msgValue[spam_info].parameter.boolValue[delayed_for_deepscan] |
security_result.detection_fields[spam_info_delayed_for_deepscan] |
|
gmail |
events.parameters[delivery].msgValue[message_info].parameter.msgValue[spam_info].parameter.intValue[disposition] |
security_result.detection_fields[spam_info_disposition] |
If this log field value is equal to 1, then the security_result.detection_fields.key UDM field is set to spam_info_disposition and the security_result.detection_fields.value UDM field is set to 1 - Message considered clean (not spam or malware).Else, if this log field value is equal to 2, then the security_result.detection_fields.key UDM field is set to spam_info_disposition and the security_result.detection_fields.value UDM field is set to 2 - Spam.Else, if this log field value is equal to 3, then the security_result.detection_fields.key UDM field is set to spam_info_disposition and the security_result.detection_fields.value UDM field is set to 3 - Phishing.Else, if this log field value is equal to 4, then the security_result.detection_fields.key UDM field is set to spam_info_disposition and the security_result.detection_fields.value UDM field is set to 4 - Suspicious.Else, if this log field value is equal to 5, then the security_result.detection_fields.key UDM field is set to spam_info_disposition and the security_result.detection_fields.value UDM field is set to 5 - Malware. |
gmail |
events.parameters[delivery].msgValue[message_info].parameter.msgValue[spam_info].parameter.value[ip_whitelist_entry] |
security_result.detection_fields[spam_info_ip_whitelist_entry] |
|
gmail |
events.parameters[delivery].msgValue[message_info].parameter.msgValue[spam_info].parameter.multiMsgValue[safety_settings_info].parameter.intValue[safety_settings_action] |
security_result.detection_fields[spam_info_safety_setting_action] |
|
gmail |
events.parameters[delivery].msgValue[message_info].parameter.msgValue[spam_info].parameter.multiMsgValue[safety_settings_info].parameter.intValue[safety_settings_condition] |
security_result.detection_fields[spam_info_safety_settings_condition] |
|
gmail |
events.parameters[delivery].msgValue[message_info].parameter.multiMsgValue[triggered_rule_info].parameter.multiMsgValue[string_match].parameter.value[attachment_name] |
security_result.detection_fields[triggered_rule_info_string_match_attachment_name] |
|
gmail |
events.parameters[delivery].msgValue[message_info].parameter.multiMsgValue[triggered_rule_info].parameter.multiMsgValue[string_match].parameter.value[matched_string] |
security_result.detection_fields[triggered_rule_info_string_match_matched_string] |
|
gmail |
events.parameters[delivery].msgValue[message_info].parameter.multiMsgValue[triggered_rule_info].parameter.multiMsgValue[string_match].parameter.intValue[source] |
security_result.detection_fields[triggered_rule_info_string_match_source] |
If this log field value is equal to 0, then the security_result.detection_fields.key UDM field is set to triggered_rule_info_string_match_source and the security_result.detection_fields.value UDM field is set to 0 - Unknown.Else, if this log field value is equal to 1, then the security_result.detection_fields.key UDM field is set to triggered_rule_info_string_match_source and the security_result.detection_fields.value UDM field is set to 1 - Message body or including text format attachments.Else, if this log field value is equal to 2, then the security_result.detection_fields.key UDM field is set to triggered_rule_info_string_match_source and the security_result.detection_fields.value UDM field is set to 2 - Binary format attachments.Else, if this log field value is equal to 3, then the security_result.detection_fields.key UDM field is set to triggered_rule_info_string_match_source and the security_result.detection_fields.value UDM field is set to 3 - Message headers.Else, if this log field value is equal to 4, then the security_result.detection_fields.key UDM field is set to triggered_rule_info_string_match_source and the security_result.detection_fields.value UDM field is set to 4 - Subject.Else, if this log field value is equal to 5, then the security_result.detection_fields.key UDM field is set to triggered_rule_info_string_match_source and the security_result.detection_fields.value UDM field is set to 5 - Sender header.Else, if this log field value is equal to 6, then the security_result.detection_fields.key UDM field is set to triggered_rule_info_string_match_source and the security_result.detection_fields.value UDM field is set to 6 - Recipient header.Else, if this log field value is equal to 7, then the security_result.detection_fields.key UDM field is set to triggered_rule_info_string_match_source and the security_result.detection_fields.value UDM field is set to 7 - Raw message. |
gmail |
events.parameters[delivery].msgValue[message_info].parameter.intValue[upload_error_category] |
security_result.detection_fields[upload_error_category] |
If this log field value is equal to 0, then the security_result.detection_fields.key UDM field is set to upload_error_category and the security_result.detection_fields.value UDM field is set to 0 - Uncategorized transient error.Else, if this log field value is equal to 1, then the security_result.detection_fields.key UDM field is set to upload_error_category and the security_result.detection_fields.value UDM field is set to 1 - Recipient account is too busy.Else, if this log field value is equal to 2, then the security_result.detection_fields.key UDM field is set to upload_error_category and the security_result.detection_fields.value UDM field is set to 2 - DNS error resolving recipient domain.Else, if this log field value is equal to 3, then the security_result.detection_fields.key UDM field is set to upload_error_category and the security_result.detection_fields.value UDM field is set to 3 - Recipient's server refused connection.Else, if this log field value is equal to 4, then the security_result.detection_fields.key UDM field is set to upload_error_category and the security_result.detection_fields.value UDM field is set to 4 - Recipient is out of storage. |
gmail |
events.parameters[delivery].msgValue[message_info].parameter.multiMsgValue[triggered_rule_info].parameter.intValue[rule_id] |
security_result.rule_id |
|
gmail |
events.parameters[delivery].msgValue[message_info].parameter.multiMsgValue[triggered_rule_info].parameter.multiMsgValue[consequence].parameter.intValue[action] |
security_result.rule_labels[triggered_rule_info_consequence_action] |
If this log field value is equal to 0, then the security_result.rule_labels.key UDM field is set to triggered_rule_info_consequence_action and the security_result.rule_labels.value UDM field is set to 0 - Consequence is a no-op.Else, if this log field value is equal to 3, then the security_result.rule_labels.key UDM field is set to triggered_rule_info_consequence_action and the security_result.rule_labels.value UDM field is set to 3 - Put message in Admin Quarantine.Else, if this log field value is equal to 4, then the security_result.rule_labels.key UDM field is set to triggered_rule_info_consequence_action and the security_result.rule_labels.value UDM field is set to 4 - Modify the primary delivery target.Else, if this log field value is equal to 5, then the security_result.rule_labels.key UDM field is set to triggered_rule_info_consequence_action and the security_result.rule_labels.value UDM field is set to 5 - Add a delivery target.Else, if this log field value is equal to 6, then the security_result.rule_labels.key UDM field is set to triggered_rule_info_consequence_action and the security_result.rule_labels.value UDM field is set to 6 - Added a message header.Else, if this log field value is equal to 7, then the security_result.rule_labels.key UDM field is set to triggered_rule_info_consequence_action and the security_result.rule_labels.value UDM field is set to 7 - Overwrite the envelope recipient.Else, if this log field value is equal to 9, then the security_result.rule_labels.key UDM field is set to triggered_rule_info_consequence_action and the security_result.rule_labels.value UDM field is set to 9 - Add message to specified message set.Else, if this log field value is equal to 10, then the security_result.rule_labels.key UDM field is set to triggered_rule_info_consequence_action and the security_result.rule_labels.value UDM field is set to 10 - Modify the message labels.Else, if this log field value is equal to 11, then the security_result.rule_labels.key UDM field is set to triggered_rule_info_consequence_action and the security_result.rule_labels.value UDM field is set to 11 - Prefix text to message subject.Else, if this log field value is equal to 12, then the security_result.rule_labels.key UDM field is set to triggered_rule_info_consequence_action and the security_result.rule_labels.value UDM field is set to 12 - Add a footer to the message.Else, if this log field value is equal to 13, then the security_result.rule_labels.key UDM field is set to triggered_rule_info_consequence_action and the security_result.rule_labels.value UDM field is set to 13 - Strip the message body.Else, if this log field value is equal to 14, then the security_result.rule_labels.key UDM field is set to triggered_rule_info_consequence_action and the 14 - Store a copy of the message in the user's mailbox or according to comprehensive mail storage setting. log field is mapped to the security_result.rule_labels.value UDM field.Else, if this log field value is equal to 15, then the security_result.rule_labels.key UDM field is set to triggered_rule_info_consequence_action and the security_result.rule_labels.value UDM field is set to 15 - Replace attachment with canned text.Else, if this log field value is equal to 16, then the security_result.rule_labels.key UDM field is set to triggered_rule_info_consequence_action and the security_result.rule_labels.value UDM field is set to 16 - Require secure message delivery.Else, if this log field value is equal to 17, then the security_result.rule_labels.key UDM field is set to triggered_rule_info_consequence_action and the security_result.rule_labels.value UDM field is set to 17 - Message can't be delivered and bounced.Else, if this log field value is equal to 18, then the security_result.rule_labels.key UDM field is set to triggered_rule_info_consequence_action and the security_result.rule_labels.value UDM field is set to 18 - Archive to Google Vault for recipients.Else, if this log field value is equal to 20, then the security_result.rule_labels.key UDM field is set to triggered_rule_info_consequence_action and the security_result.rule_labels.value UDM field is set to 20 - Encrypt outbound message using S/MIME.Else, if this log field value is equal to 21, then the security_result.rule_labels.key UDM field is set to triggered_rule_info_consequence_action and the 21 - Change the recipient user when message is received at SMTP. log field is mapped to the security_result.rule_labels.value UDM field. |
gmail |
events.parameters[delivery].msgValue[message_info].parameter.multiMsgValue[triggered_rule_info].parameter.multiMsgValue[consequence].parameter.value[reason] |
security_result.rule_labels[triggered_rule_info_consequence_reason] |
|
gmail |
events.parameters[delivery].msgValue[message_info].parameter.multiMsgValue[triggered_rule_info].parameter.multiMsgValue[consequence].parameter.multiMsgValue[subconsequence].parameter.value[action] |
security_result.rule_labels[triggered_rule_info_consequence_subconsequence_action] |
If this log field value is equal to 0, then the security_result.rule_labels.key UDM field is set to triggered_rule_info_consequence_subconsequence_action and the security_result.rule_labels.value UDM field is set to 0 - Consequence is a no-op.Else, if this log field value is equal to 3, then the security_result.rule_labels.key UDM field is set to triggered_rule_info_consequence_subconsequence_action and the security_result.rule_labels.value UDM field is set to 3 - Put message in Admin Quarantine.Else, if this log field value is equal to 4, then the security_result.rule_labels.key UDM field is set to triggered_rule_info_consequence_subconsequence_action and the security_result.rule_labels.value UDM field is set to 4 - Modify the primary delivery target.Else, if this log field value is equal to 5, then the security_result.rule_labels.key UDM field is set to triggered_rule_info_consequence_subconsequence_action and the security_result.rule_labels.value UDM field is set to 5 - Add a delivery target.Else, if this log field value is equal to 6, then the security_result.rule_labels.key UDM field is set to triggered_rule_info_consequence_subconsequence_action and the security_result.rule_labels.value UDM field is set to 6 - Added a message header.Else, if this log field value is equal to 7, then the security_result.rule_labels.key UDM field is set to triggered_rule_info_consequence_subconsequence_action and the security_result.rule_labels.value UDM field is set to 7 - Overwrite the envelope recipient.Else, if this log field value is equal to 9, then the security_result.rule_labels.key UDM field is set to triggered_rule_info_consequence_subconsequence_action and the security_result.rule_labels.value UDM field is set to 9 - Add message to specified message set.Else, if this log field value is equal to 10, then the security_result.rule_labels.key UDM field is set to triggered_rule_info_consequence_subconsequence_action and the security_result.rule_labels.value UDM field is set to 10 - Modify the message labels.Else, if this log field value is equal to 11, then the security_result.rule_labels.key UDM field is set to triggered_rule_info_consequence_subconsequence_action and the security_result.rule_labels.value UDM field is set to 11 - Prefix text to message subject.Else, if this log field value is equal to 12, then the security_result.rule_labels.key UDM field is set to triggered_rule_info_consequence_subconsequence_action and the security_result.rule_labels.value UDM field is set to 12 - Add a footer to the message.Else, if this log field value is equal to 13, then the security_result.rule_labels.key UDM field is set to triggered_rule_info_consequence_subconsequence_action and the security_result.rule_labels.value UDM field is set to 13 - Strip the message body.Else, if this log field value is equal to 14, then the security_result.rule_labels.key UDM field is set to triggered_rule_info_consequence_subconsequence_action and the 14 - Store a copy of the message in the user's mailbox or according to comprehensive mail storage setting. log field is mapped to the security_result.rule_labels.value UDM field.Else, if this log field value is equal to 15, then the security_result.rule_labels.key UDM field is set to triggered_rule_info_consequence_subconsequence_action and the security_result.rule_labels.value UDM field is set to 15 - Replace attachment with canned text.Else, if this log field value is equal to 16, then the security_result.rule_labels.key UDM field is set to triggered_rule_info_consequence_subconsequence_action and the security_result.rule_labels.value UDM field is set to 16 - Require secure message delivery.Else, if this log field value is equal to 17, then the security_result.rule_labels.key UDM field is set to triggered_rule_info_consequence_subconsequence_action and the security_result.rule_labels.value UDM field is set to 17 - Message can't be delivered and bounced.Else, if this log field value is equal to 18, then the security_result.rule_labels.key UDM field is set to triggered_rule_info_consequence_subconsequence_action and the security_result.rule_labels.value UDM field is set to 18 - Archive to Google Vault for recipients.Else, if this log field value is equal to 20, then the security_result.rule_labels.key UDM field is set to triggered_rule_info_consequence_subconsequence_action and the security_result.rule_labels.value UDM field is set to 20 - Encrypt outbound message using S/MIME.Else, if this log field value is equal to 21, then the security_result.rule_labels.key UDM field is set to triggered_rule_info_consequence_subconsequence_action and the 21 - Change the recipient user when message is received at SMTP. log field is mapped to the security_result.rule_labels.value UDM field. |
gmail |
events.parameters[delivery].msgValue[message_info].parameter.multiMsgValue[triggered_rule_info].parameter.multiMsgValue[consequence].parameter.multiMsgValue[subconsequence].parameter.value[reason] |
security_result.rule_labels[triggered_rule_info_consequence_subconsequence_reason] |
|
gmail |
events.parameters[delivery].msgValue[message_info].parameter.multiMsgValue[triggered_rule_info].parameter.intValue[policy_id] |
security_result.rule_labels[triggered_rule_info_policy_id] |
|
gmail |
events.parameters[delivery].msgValue[message_info].parameter.multiMsgValue[triggered_rule_info].parameter.value[spam_label_modifier] |
security_result.rule_labels[triggered_rule_info_spam_label_modifier] |
If this log field value is equal to 0, then the security_result.rule_labels.key UDM field is set to triggered_rule_info_spam_label_modifier and the 0 - No action—the rule honored the Gmail spam classification verdict. log field is mapped to the security_result.rule_labels.value UDM field.Else, if this log field value is equal to 1, then the security_result.rule_labels.key UDM field is set to triggered_rule_info_spam_label_modifier and the 1 - Spam—the rule classified the message as spam. log field is mapped to the security_result.rule_labels.value UDM field.Else, if this log field value is equal to 2, then the security_result.rule_labels.key UDM field is set to triggered_rule_info_spam_label_modifier and the 2 - Not spam—the rule classified the message as not spam. log field is mapped to the security_result.rule_labels.value UDM field. |
gmail |
events.parameters[delivery].msgValue[message_info].parameter.multiMsgValue[triggered_rule_info].parameter.multiMsgValue[string_match].parameter.value[match_expression] |
security_result.rule_labels[triggered_rule_info_string_match_match_expression] |
|
gmail |
events.parameters[delivery].msgValue[message_info].parameter.multiMsgValue[triggered_rule_info].parameter.multiMsgValue[string_match].parameter.value[predefined_detector_name] |
security_result.rule_labels[triggered_rule_info_string_match_predefined_detector_name] |
|
gmail |
events.parameters[delivery].msgValue[message_info].parameter.multiMsgValue[triggered_rule_info].parameter.multiMsgValue[string_match].parameter.intValue[type] |
security_result.rule_labels[triggered_rule_info_string_match_type] |
If this log field value is equal to 0, then the security_result.rule_labels.key UDM field is set to triggered_rule_info_string_match_type and the security_result.rule_labels.value UDM field is set to 0 - Undefined.Else, if this log field value is equal to 1, then the security_result.rule_labels.key UDM field is set to triggered_rule_info_string_match_type and the security_result.rule_labels.value UDM field is set to 1 - Regular expression match.Else, if this log field value is equal to 2, then the security_result.rule_labels.key UDM field is set to triggered_rule_info_string_match_type and the security_result.rule_labels.value UDM field is set to 2 - Predefined detector match.Else, if this log field value is equal to 3, then the security_result.rule_labels.key UDM field is set to triggered_rule_info_string_match_type and the security_result.rule_labels.value UDM field is set to 3 - Simple content match.Else, if this log field value is equal to 4, then the security_result.rule_labels.key UDM field is set to triggered_rule_info_string_match_type and the security_result.rule_labels.value UDM field is set to 4 - Non-ASCII match. |
gmail |
events.parameters[delivery].msgValue[message_info].parameter.multiMsgValue[triggered_rule_info].parameter.value[rule_name] |
security_result.rule_name |
|
gmail |
events.parameters[delivery].msgValue[message_info].parameter.multiMsgValue[triggered_rule_info].parameter.intValue[rule_type] |
security_result.rule_type |
If this log field value is equal to 0, then the security_result.rule_type UDM field is set to 0 - Walled garden.Else, if this log field value is equal to 7, then the security_result.rule_type UDM field is set to 7 - Objectionable content.Else, if this log field value is equal to 8, then the security_result.rule_type UDM field is set to 8 - Content compliance.Else, if this log field value is equal to 10, then the security_result.rule_type UDM field is set to 10 - Received mail routing.Else, if this log field value is equal to 11, then the security_result.rule_type UDM field is set to 11 - Sent mail routing.Else, if this log field value is equal to 12, then the security_result.rule_type UDM field is set to 12 - Spam override.Else, if this log field value is equal to 14, then the security_result.rule_type UDM field is set to 14 - Blocked senders.Else, if this log field value is equal to 15, then the security_result.rule_type UDM field is set to 15 - Append footer.Else, if this log field value is equal to 16, then the security_result.rule_type UDM field is set to 16 - Attachment compliance.Else, if this log field value is equal to 17, then the security_result.rule_type UDM field is set to 17 - TLS compliance.Else, if this log field value is equal to 18, then the security_result.rule_type UDM field is set to 18 - Domain default routing.Else, if this log field value is equal to 19, then the security_result.rule_type UDM field is set to 19 - Inbound email journal acceptance in Vault.Else, if this log field value is equal to 20, then the security_result.rule_type UDM field is set to 20 - Outbound relay.Else, if this log field value is equal to 21, then the security_result.rule_type UDM field is set to 21 - Quarantine summary.Else, if this log field value is equal to 22, then the security_result.rule_type UDM field is set to 22 - Alternate secure route.Else, if this log field value is equal to 23, then the security_result.rule_type UDM field is set to 23 - Alias table.Else, if this log field value is equal to 24, then the security_result.rule_type UDM field is set to 24 - Comprehensive mail storage.Else, if this log field value is equal to 25, then the security_result.rule_type UDM field is set to 25 - Routing rule.Else, if this log field value is equal to 26, then the security_result.rule_type UDM field is set to 26 - Inbound gateway.Else, if this log field value is equal to 27, then the security_result.rule_type UDM field is set to 27 - S/MIME.Else, if this log field value is equal to 28, then the security_result.rule_type UDM field is set to 28 - Third-party email archiving.Else, if this log field value is equal to 31, then the security_result.rule_type UDM field is set to 31 - S/MIME restrict delivery. |
gmail |
events.parameters[delivery].msgValue[message_info].parameter.msgValue[connection_info].parameter.multiMsgValue[authenticated_domain].parameter.value[name] |
about.domain.name |
|
gmail |
events.parameters[delivery].msgValue[message_info].parameter.multiMsgValue[attachment].parameter.value[file_extension_type] |
about.file.file_type |
about.file.file_type UDM field. |
gmail |
events.parameters[delivery].msgValue[message_info].parameter.multiMsgValue[attachment].parameter.value[file_extension_type] |
about.file.mime_type |
|
gmail |
events.parameters[delivery].msgValue[message_info].parameter.msgValue[structured_policy_log_info].parameter.multiMsgValue[detected_file_types].parameter.value[mime_type] |
about.file.mime_type |
|
gmail |
events.parameters[delivery].msgValue[message_info].parameter.multiMsgValue[attachment].parameter.value[sha256] |
about.file.sha256 |
|
gmail |
events.parameters[delivery].msgValue[message_info].parameter.msgValue[connection_info].parameter.value[ip_geo_city] |
about.ip_geo_artifact.location.city |
|
gmail |
events.parameters[delivery].msgValue[message_info].parameter.msgValue[connection_info].parameter.value[ip_geo_country] |
about.ip_geo_artifact.location.country_or_region |
|
gmail |
events.parameters[delivery].msgValue[message_info].parameter.intValue[action_type] |
about.labels[action_type] (deprecated) |
If this log field value is equal to 1, then the about.labels UDM field is set to 1 - Message received by inbound SMTP server.Else, if this log field value is equal to 2, then the about.labels UDM field is set to 2 - Message accepted by Gmail and prepared for delivery.Else, if this log field value is equal to 3, then the about.labels UDM field is set to 3 - Message was handled by Gmail.Else, if this log field value is equal to 10, then the about.labels UDM field is set to 10 - Message sent out by outbound SMTP server.Else, if this log field value is equal to 14, then the about.labels UDM field is set to 14 - A temporary error occurred when Gmail tried to deliver the message or and the message has been scheduled for retry.Else, if this log field value is equal to 18, then the about.labels UDM field is set to 18 - Message could not be delivered and bounced.Else, if this log field value is equal to 19, then the about.labels UDM field is set to 19 - Message was dropped by Gmail.Else, if this log field value is equal to 45, then the about.labels UDM field is set to 45 - Message was accepted for delivery by the Google Groups subsystem.Else, if this log field value is equal to 46, then the about.labels UDM field is set to 46 - Message's recipient address was a Google Group or and the recipient was expanded to each member of the Google Group that has message delivery enabled.Else, if this log field value is equal to 48, then the about.labels UDM field is set to 48 - Message received by inbound SMTP server for relay.Else, if this log field value is equal to 49, then the about.labels UDM field is set to 49 - Message sent through relay by outbound SMTP server.Else, if this log field value is equal to 51, then the about.labels UDM field is set to 51 - Message was written to Google Groups storage.Else, if this log field value is equal to 54, then the about.labels UDM field is set to 54 - Message was rejected by the Google Groups storage system.Else, if this log field value is equal to 55, then the about.labels UDM field is set to 55 - Message was re-inserted into Gmail by policies that modify the primary delivery route or envelope recipient.Else, if this log field value is equal to 68, then the about.labels UDM field is set to 68 - Message accepted by Gmail and prepared for delivery.Else, if this log field value is equal to 69, then the about.labels UDM field is set to 69 - A user changed the message's spam classification in Gmail.Else, if this log field value is equal to 70, then the about.labels UDM field is set to 70 - The message was reclassified as spam or phishing after it was delivered to Gmail.Else, if this log field value is equal to 71, then the about.labels UDM field is set to 71 - A user took an action in the inbox after receiving the message. Post-delivery actions include opening a message or clicking a link in a message or and downloading an attachment. BigQuery export doesn't provide details about the action. |
gmail |
events.parameters[delivery].msgValue[message_info].parameter.intValue[action_type] |
additional.fields[action_type] |
If this log field value is equal to 1, then the additional.fields UDM field is set to 1 - Message received by inbound SMTP server.Else, if this log field value is equal to 2, then the additional.fields UDM field is set to 2 - Message accepted by Gmail and prepared for delivery.Else, if this log field value is equal to 3, then the additional.fields UDM field is set to 3 - Message was handled by Gmail.Else, if this log field value is equal to 10, then the additional.fields UDM field is set to 10 - Message sent out by outbound SMTP server.Else, if this log field value is equal to 14, then the additional.fields UDM field is set to 14 - A temporary error occurred when Gmail tried to deliver the message or and the message has been scheduled for retry.Else, if this log field value is equal to 18, then the additional.fields UDM field is set to 18 - Message could not be delivered and bounced.Else, if this log field value is equal to 19, then the additional.fields UDM field is set to 19 - Message was dropped by Gmail.Else, if this log field value is equal to 45, then the additional.fields UDM field is set to 45 - Message was accepted for delivery by the Google Groups subsystem.Else, if this log field value is equal to 46, then the additional.fields UDM field is set to 46 - Message's recipient address was a Google Group or and the recipient was expanded to each member of the Google Group that has message delivery enabled.Else, if this log field value is equal to 48, then the additional.fields UDM field is set to 48 - Message received by inbound SMTP server for relay.Else, if this log field value is equal to 49, then the additional.fields UDM field is set to 49 - Message sent through relay by outbound SMTP server.Else, if this log field value is equal to 51, then the additional.fields UDM field is set to 51 - Message was written to Google Groups storage.Else, if this log field value is equal to 54, then the additional.fields UDM field is set to 54 - Message was rejected by the Google Groups storage system.Else, if this log field value is equal to 55, then the additional.fields UDM field is set to 55 - Message was re-inserted into Gmail by policies that modify the primary delivery route or envelope recipient.Else, if this log field value is equal to 68, then the additional.fields UDM field is set to 68 - Message accepted by Gmail and prepared for delivery.Else, if this log field value is equal to 69, then the additional.fields UDM field is set to 69 - A user changed the message's spam classification in Gmail.Else, if this log field value is equal to 70, then the additional.fields UDM field is set to 70 - The message was reclassified as spam or phishing after it was delivered to Gmail.Else, if this log field value is equal to 71, then the additional.fields UDM field is set to 71 - A user took an action in the inbox after receiving the message. Post-delivery actions include opening a message or clicking a link in a message or and downloading an attachment. BigQuery export doesn't provide details about the action. |
gmail |
events.parameters[delivery].msgValue[message_info].parameter.msgValue[connection_info].parameter.multiMsgValue[authenticated_domain].parameter.intValue[type] |
about.labels[authenticated_domain_type] (deprecated) |
If this log field value is equal to 1, then the about.labels UDM field is set to 1 - SPF.Else, if this log field value is equal to 2, then the about.labels UDM field is set to 2 - DKIM.Else, if this log field value is equal to 3, then the about.labels UDM field is set to 3 - DKIM_PROXY.Else, if this log field value is equal to 4, then the about.labels UDM field is set to 4 - XOAR_SPF.Else, if this log field value is equal to 5, then the about.labels UDM field is set to 5 - XOAR_DKIM.Else, if this log field value is equal to 6, then the about.labels UDM field is set to 6 - ARC_SPF.Else, if this log field value is equal to 7, then the about.labels UDM field is set to 7 - ARC_DKIM. |
gmail |
events.parameters[delivery].msgValue[message_info].parameter.msgValue[connection_info].parameter.multiMsgValue[authenticated_domain].parameter.intValue[type] |
additional.fields[authenticated_domain_type] |
If this log field value is equal to 1, then the additional.fields UDM field is set to 1 - SPF.Else, if this log field value is equal to 2, then the additional.fields UDM field is set to 2 - DKIM.Else, if this log field value is equal to 3, then the additional.fields UDM field is set to 3 - DKIM_PROXY.Else, if this log field value is equal to 4, then the additional.fields UDM field is set to 4 - XOAR_SPF.Else, if this log field value is equal to 5, then the additional.fields UDM field is set to 5 - XOAR_DKIM.Else, if this log field value is equal to 6, then the additional.fields UDM field is set to 6 - ARC_SPF.Else, if this log field value is equal to 7, then the additional.fields UDM field is set to 7 - ARC_DKIM. |
gmail |
events.parameters[delivery].msgValue[message_info].parameter.intValue[delivery_timestamp_usec] |
about.labels[delivery_timestamp_usec] (deprecated) |
|
gmail |
events.parameters[delivery].msgValue[message_info].parameter.intValue[delivery_timestamp_usec] |
additional.fields[delivery_timestamp_usec] |
|
gmail |
events.parameters[delivery].msgValue[message_info].parameter.msgValue[structured_policy_log_info].parameter.multiMsgValue[detected_file_types].parameter.intValue[category] |
about.labels[detected_file_types_category] (deprecated) |
If this log field value is equal to 1, then the about.labels UDM field is set to 1 - Unrecognized file type.Else, if this log field value is equal to 2, then the about.labels UDM field is set to 2 - Microsoft Office documents, including word processing, spreadsheet, presentation, and database documents. Includes PDF files. The file might or might not be encrypted.Else, if this log field value is equal to 3, then the about.labels UDM field is set to 3 - Video and multimedia, for example, MPEG, Quicktime, WMV.Else, if this log field value is equal to 4, then the about.labels UDM field is set to 4 - Music and audio, for example, MP3, AAC, WAV.Else, if this log field value is equal to 5, then the about.labels UDM field is set to 5 - Images, for example, JPEG, BMP, GIF.Else, if this log field value is equal to 6, then the about.labels UDM field is set to 6 - Archives, for example, ZIP, TAR, TGZ.Else, if this log field value is equal to 7, then the about.labels UDM field is set to 7 - Executables, for example EXE, COM, JS.Else, if this log field value is equal to 8, then the about.labels UDM field is set to 8 - Office documents that are encrypted.Else, if this log field value is equal to 9, then the about.labels UDM field is set to 9 - Office documents that are not encrypted. |
gmail |
events.parameters[delivery].msgValue[message_info].parameter.msgValue[structured_policy_log_info].parameter.multiMsgValue[detected_file_types].parameter.intValue[category] |
additional.fields[detected_file_types_category] |
If this log field value is equal to 1, then the additional.fields UDM field is set to 1 - Unrecognized file type.Else, if this log field value is equal to 2, then the additional.fields UDM field is set to 2 - Microsoft Office documents, including word processing, spreadsheet, presentation, and database documents. Includes PDF files. The file might or might not be encrypted.Else, if this log field value is equal to 3, then the additional.fields UDM field is set to 3 - Video and multimedia, for example, MPEG, Quicktime, WMV.Else, if this log field value is equal to 4, then the additional.fields UDM field is set to 4 - Music and audio, for example, MP3, AAC, WAV.Else, if this log field value is equal to 5, then the additional.fields UDM field is set to 5 - Images, for example, JPEG, BMP, GIF.Else, if this log field value is equal to 6, then the additional.fields UDM field is set to 6 - Archives, for example, ZIP, TAR, TGZ.Else, if this log field value is equal to 7, then the additional.fields UDM field is set to 7 - Executables, for example EXE, COM, JS.Else, if this log field value is equal to 8, then the additional.fields UDM field is set to 8 - Office documents that are encrypted.Else, if this log field value is equal to 9, then the additional.fields UDM field is set to 9 - Office documents that are not encrypted. |
gmail |
events.parameters[delivery].msgValue[message_info].parameter.msgValue[connection_info].parameter.boolValue[dkim_pass] |
about.labels[dkim_pass] (deprecated) |
|
gmail |
events.parameters[delivery].msgValue[message_info].parameter.msgValue[connection_info].parameter.boolValue[dkim_pass] |
additional.fields[dkim_pass] |
|
gmail |
events.parameters[delivery].msgValue[message_info].parameter.msgValue[connection_info].parameter.boolValue[dmarc_pass] |
about.labels[dmarc_pass] (deprecated) |
|
gmail |
events.parameters[delivery].msgValue[message_info].parameter.msgValue[connection_info].parameter.boolValue[dmarc_pass] |
additional.fields[dmarc_pass] |
|
gmail |
events.parameters[delivery].msgValue[message_info].parameter.msgValue[connection_info].parameter.value[dmarc_published_domain] |
about.labels[dmarc_published_domain] (deprecated) |
|
gmail |
events.parameters[delivery].msgValue[message_info].parameter.msgValue[connection_info].parameter.value[dmarc_published_domain] |
additional.fields[dmarc_published_domain] |
|
gmail |
events.parameters[delivery].msgValue[message_info].parameter.msgValue[structured_policy_log_info].parameter.msgValue[exchange_journal_info].parameter.multiStrValue[recipients] |
about.labels[exchange_journal_info_recipients] (deprecated) |
|
gmail |
events.parameters[delivery].msgValue[message_info].parameter.msgValue[structured_policy_log_info].parameter.msgValue[exchange_journal_info].parameter.multiStrValue[recipients] |
additional.fields[exchange_journal_info_recipients] |
|
gmail |
events.parameters[delivery].msgValue[message_info].parameter.msgValue[structured_policy_log_info].parameter.msgValue[exchange_journal_info].parameter.value[rfc822_message_id] |
about.labels[exchange_journal_info_rfc822_message_id] (deprecated) |
|
gmail |
events.parameters[delivery].msgValue[message_info].parameter.msgValue[structured_policy_log_info].parameter.msgValue[exchange_journal_info].parameter.value[rfc822_message_id] |
additional.fields[exchange_journal_info_rfc822_message_id] |
|
gmail |
events.parameters[delivery].msgValue[message_info].parameter.msgValue[structured_policy_log_info].parameter.msgValue[exchange_journal_info].parameter.intValue[timestamp] |
about.labels[exchange_journal_info_timestamp] (deprecated) |
|
gmail |
events.parameters[delivery].msgValue[message_info].parameter.msgValue[structured_policy_log_info].parameter.msgValue[exchange_journal_info].parameter.intValue[timestamp] |
additional.fields[exchange_journal_info_timestamp] |
|
gmail |
events.parameters[delivery].msgValue[message_info].parameter.msgValue[structured_policy_log_info].parameter.msgValue[exchange_journal_info].parameter.multiStrValue[unknown_recipients] |
about.labels[exchange_journal_info_unknown_recipients] (deprecated) |
|
gmail |
events.parameters[delivery].msgValue[message_info].parameter.msgValue[structured_policy_log_info].parameter.msgValue[exchange_journal_info].parameter.multiStrValue[unknown_recipients] |
additional.fields[exchange_journal_info_unknown_recipients] |
|
gmail |
events.parameters[delivery].msgValue[message_info].parameter.intValue[internal_message_id] |
about.labels[internal_message_id] (deprecated) |
|
gmail |
events.parameters[delivery].msgValue[message_info].parameter.intValue[internal_message_id] |
additional.fields[internal_message_id] |
|
gmail |
events.parameters[delivery].msgValue[message_info].parameter.multiStrValue[link_domain] |
about.labels[link_domain] (deprecated) |
|
gmail |
events.parameters[delivery].msgValue[message_info].parameter.multiStrValue[link_domain] |
additional.fields[link_domain] |
|
gmail |
events.parameters[delivery].msgValue[message_info].parameter.multiMsgValue[message_set].parameter.intValue[type] |
about.labels[message_set_type] (deprecated) |
If this log field value is equal to 1, then the about.labels UDM field is set to 1 - Message is inbound (received from outside your domains). This message set doesn't appear with message set 10.Else, if this log field value is equal to 2, then the about.labels UDM field is set to 2 - Message is outbound (sent to a recipient outside your domains). This message set doesn't appear with message set 10.Else, if this log field value is equal to 4, then the about.labels UDM field is set to 4 - Message contains objectionable content, as defined by one of your policies.Else, if this log field value is equal to 6, then the about.labels UDM field is set to 6 - Message triggered the walled garden rule you configured that restricts messages to authorized addresses or domains.Else, if this log field value is equal to 7, then the about.labels UDM field is set to 7 - Gmail classified the message as spam.Else, if this log field value is equal to 8, then the about.labels UDM field is set to 8 - Message being sent (outgoing message).Else, if this log field value is equal to 9, then the about.labels UDM field is set to 9 - Message being received (incoming message).Else, if this log field value is equal to 10, then the about.labels UDM field is set to 10 - Message that is internal to your domains.Else, if this log field value is equal to 11, then the about.labels UDM field is set to 11 - Message has a sender or recipients outside your domains.Else, if this log field value is equal to 12, then the about.labels UDM field is set to 12 - Message has some recipients inside your domain and some recipients outside your domain. This message set might appear when:Else, if this log field value is equal to 13, then the about.labels UDM field is set to 13 - The type of the message set is unknown.Else, if this log field value is equal to 15, then the about.labels UDM field is set to 15 - The policy being checked against is tied to a Gmail user.Else, if this log field value is equal to 18, then the about.labels UDM field is set to 18 - Message doesn't have a default route.Else, if this log field value is equal to 19, then the about.labels UDM field is set to 19 - The address list you configured for domain default routing matches the correspondent of the message.Else, if this log field value is equal to 20, then the about.labels UDM field is set to 20 - Message is from an address in your blocked senders list.Else, if this log field value is equal to 21, then the about.labels UDM field is set to 21 - Message was sent over TLS and the SSL certificate is valid.Else, if this log field value is equal to 22, then the about.labels UDM field is set to 22 - Message was sent over TLS.Else, if this log field value is equal to 24, then the about.labels UDM field is set to 24 - The recipient of this message is unknown.Else, if this log field value is equal to 25, then the about.labels UDM field is set to 25 - Message is a non-delivery report responding to a message that was not delivered.Else, if this log field value is equal to 26, then the about.labels UDM field is set to 26 - Message triggered a rerouting rule, which you configured in domain default routing.Else, if this log field value is equal to 27, then the about.labels UDM field is set to 27 - Sender successfully passed SPF/DKIM/DMARC authentication. If the sender isn't authenticated, the sender domain is untrusted and the message is not considered internal.Else, if this log field value is equal to 28, then the about.labels UDM field is set to 28 - Exchange journal is archiving the message to Google Vault.Else, if this log field value is equal to 29, then the about.labels UDM field is set to 29 - Message was routed through SMTP relay.Else, if this log field value is equal to 30, then the about.labels UDM field is set to 30 - A recipient of the message matched one of the enumerated recipients (instead of a regular expression pattern) you configured for domain routing, or domain default routing.Else, if this log field value is equal to 31, then the about.labels UDM field is set to 31 - Message matched a domain default routing condition you configured.Else, if this log field value is equal to 32, then the about.labels UDM field is set to 32 - Message was created from an Exchange journal message for archiving to Google Vault.Else, if this log field value is equal to 33, then the about.labels UDM field is set to 33 - Message has to be transmitted through a secure connection, such as TLS.Else, if this log field value is equal to 34, then the about.labels UDM field is set to 34 - The policy being checked against is tied to a group instead of an individual Gmail user.Else, if this log field value is equal to 35, then the about.labels UDM field is set to 35 - Message could not be authenticated in SMTP relay because it has an empty SMTP envelope-from address or is possibly an Exchange Journal message. It will be checked later at SMTP RCPT command time.Else, if this log field value is equal to 36, then the about.labels UDM field is set to 36 - Message has aggressive spam filtering enabled.Else, if this log field value is equal to 37, then the about.labels UDM field is set to 37 - Message is authenticated for SMTP relay.Else, if this log field value is equal to 39, then the about.labels UDM field is set to 39 - Sender is from an authenticated domain for relay.Else, if this log field value is equal to 40, then the about.labels UDM field is set to 40 - Message is from a Google Workspace user in the domain being authenticated for relay.Else, if this log field value is equal to 41, then the about.labels UDM field is set to 41 - Sender has successfully authenticated with SMTP AUTH, and Gmail is trying to authenticate SMTP relay for the sender's domain.Else, if this log field value is equal to 42, then the about.labels UDM field is set to 42 - Message was sent from an address that isn't authenticated.Else, if this log field value is equal to 43, then the about.labels UDM field is set to 43 - Message was rerouted through an alias table.Else, if this log field value is equal to 44, then the about.labels UDM field is set to 44 - Message triggered a rule that changes the route of the mail flow.Else, if this log field value is equal to 45, then the about.labels UDM field is set to 45 - Message is to a catch-all account and is being relayed to an on-premise server. System-of-record policies won't be applied to it.Else, if this log field value is equal to 46, then the about.labels UDM field is set to 46 - Message bypassed the spam filter.Else, if this log field value is equal to 47, then the about.labels UDM field is set to 47 - Message was detected to be spam by tag-and-deliver information in the inbound gateway settings.Else, if this log field value is equal to 48, then the about.labels UDM field is set to 48 - Message was not checked for spam (by SMTP) due to a spam-override policy.Else, if this log field value is equal to 49, then the about.labels UDM field is set to 49 - Always override spam rejection for the message.Else, if this log field value is equal to 50, then the about.labels UDM field is set to 50 - Message matches a domain routing condition you configured.Else, if this log field value is equal to 51, then the about.labels UDM field is set to 51 - Message triggered a rerouting rule that you configured for domain routing.Else, if this log field value is equal to 55, then the about.labels UDM field is set to 55 - Message was created by the Exchange Journal generation setting.Else, if this log field value is equal to 57, then the about.labels UDM field is set to 57 - Message was received from an inbound gateway rule that you configured.Else, if this log field value is equal to 60, then the about.labels UDM field is set to 60 - Message is protected with Gmail confidential mode.Else, if this log field value is equal to 61, then the about.labels UDM field is set to 61 - Message was caught by Security sandbox.Else, if this log field value is equal to 62, then the about.labels UDM field is set to 62 - The address list you configured for domain default routing matches the SMTP envelope recipient instead of the correspondent of the message.Else, if this log field value is equal to 63, then the about.labels UDM field is set to 63 - Message triggered a domain-level rerouting rule, which you configured for domain routing, or domain default routing. |
gmail |
events.parameters[delivery].msgValue[message_info].parameter.multiMsgValue[message_set].parameter.intValue[type] |
additional.fields[message_set_type] |
If this log field value is equal to 1, then the additional.fields UDM field is set to 1 - Message is inbound (received from outside your domains). This message set doesn't appear with message set 10.Else, if this log field value is equal to 2, then the additional.fields UDM field is set to 2 - Message is outbound (sent to a recipient outside your domains). This message set doesn't appear with message set 10.Else, if this log field value is equal to 4, then the additional.fields UDM field is set to 4 - Message contains objectionable content, as defined by one of your policies.Else, if this log field value is equal to 6, then the additional.fields UDM field is set to 6 - Message triggered the walled garden rule you configured that restricts messages to authorized addresses or domains.Else, if this log field value is equal to 7, then the additional.fields UDM field is set to 7 - Gmail classified the message as spam.Else, if this log field value is equal to 8, then the additional.fields UDM field is set to 8 - Message being sent (outgoing message).Else, if this log field value is equal to 9, then the additional.fields UDM field is set to 9 - Message being received (incoming message).Else, if this log field value is equal to 10, then the additional.fields UDM field is set to 10 - Message that is internal to your domains.Else, if this log field value is equal to 11, then the additional.fields UDM field is set to 11 - Message has a sender or recipients outside your domains.Else, if this log field value is equal to 12, then the additional.fields UDM field is set to 12 - Message has some recipients inside your domain and some recipients outside your domain. This message set might appear when:Else, if this log field value is equal to 13, then the additional.fields UDM field is set to 13 - The type of the message set is unknown.Else, if this log field value is equal to 15, then the additional.fields UDM field is set to 15 - The policy being checked against is tied to a Gmail user.Else, if this log field value is equal to 18, then the additional.fields UDM field is set to 18 - Message doesn't have a default route.Else, if this log field value is equal to 19, then the additional.fields UDM field is set to 19 - The address list you configured for domain default routing matches the correspondent of the message.Else, if this log field value is equal to 20, then the additional.fields UDM field is set to 20 - Message is from an address in your blocked senders list.Else, if this log field value is equal to 21, then the additional.fields UDM field is set to 21 - Message was sent over TLS and the SSL certificate is valid.Else, if this log field value is equal to 22, then the additional.fields UDM field is set to 22 - Message was sent over TLS.Else, if this log field value is equal to 24, then the additional.fields UDM field is set to 24 - The recipient of this message is unknown.Else, if this log field value is equal to 25, then the additional.fields UDM field is set to 25 - Message is a non-delivery report responding to a message that was not delivered.Else, if this log field value is equal to 26, then the additional.fields UDM field is set to 26 - Message triggered a rerouting rule, which you configured in domain default routing.Else, if this log field value is equal to 27, then the additional.fields UDM field is set to 27 - Sender successfully passed SPF/DKIM/DMARC authentication. If the sender isn't authenticated, the sender domain is untrusted and the message is not considered internal.Else, if this log field value is equal to 28, then the additional.fields UDM field is set to 28 - Exchange journal is archiving the message to Google Vault.Else, if this log field value is equal to 29, then the additional.fields UDM field is set to 29 - Message was routed through SMTP relay.Else, if this log field value is equal to 30, then the additional.fields UDM field is set to 30 - A recipient of the message matched one of the enumerated recipients (instead of a regular expression pattern) you configured for domain routing, or domain default routing.Else, if this log field value is equal to 31, then the additional.fields UDM field is set to 31 - Message matched a domain default routing condition you configured.Else, if this log field value is equal to 32, then the additional.fields UDM field is set to 32 - Message was created from an Exchange journal message for archiving to Google Vault.Else, if this log field value is equal to 33, then the additional.fields UDM field is set to 33 - Message has to be transmitted through a secure connection, such as TLS.Else, if this log field value is equal to 34, then the additional.fields UDM field is set to 34 - The policy being checked against is tied to a group instead of an individual Gmail user.Else, if this log field value is equal to 35, then the additional.fields UDM field is set to 35 - Message could not be authenticated in SMTP relay because it has an empty SMTP envelope-from address or is possibly an Exchange Journal message. It will be checked later at SMTP RCPT command time.Else, if this log field value is equal to 36, then the additional.fields UDM field is set to 36 - Message has aggressive spam filtering enabled.Else, if this log field value is equal to 37, then the additional.fields UDM field is set to 37 - Message is authenticated for SMTP relay.Else, if this log field value is equal to 39, then the additional.fields UDM field is set to 39 - Sender is from an authenticated domain for relay.Else, if this log field value is equal to 40, then the additional.fields UDM field is set to 40 - Message is from a Google Workspace user in the domain being authenticated for relay.Else, if this log field value is equal to 41, then the additional.fields UDM field is set to 41 - Sender has successfully authenticated with SMTP AUTH, and Gmail is trying to authenticate SMTP relay for the sender's domain.Else, if this log field value is equal to 42, then the additional.fields UDM field is set to 42 - Message was sent from an address that isn't authenticated.Else, if this log field value is equal to 43, then the additional.fields UDM field is set to 43 - Message was rerouted through an alias table.Else, if this log field value is equal to 44, then the additional.fields UDM field is set to 44 - Message triggered a rule that changes the route of the mail flow.Else, if this log field value is equal to 45, then the additional.fields UDM field is set to 45 - Message is to a catch-all account and is being relayed to an on-premise server. System-of-record policies won't be applied to it.Else, if this log field value is equal to 46, then the additional.fields UDM field is set to 46 - Message bypassed the spam filter.Else, if this log field value is equal to 47, then the additional.fields UDM field is set to 47 - Message was detected to be spam by tag-and-deliver information in the inbound gateway settings.Else, if this log field value is equal to 48, then the additional.fields UDM field is set to 48 - Message was not checked for spam (by SMTP) due to a spam-override policy.Else, if this log field value is equal to 49, then the additional.fields UDM field is set to 49 - Always override spam rejection for the message.Else, if this log field value is equal to 50, then the additional.fields UDM field is set to 50 - Message matches a domain routing condition you configured.Else, if this log field value is equal to 51, then the additional.fields UDM field is set to 51 - Message triggered a rerouting rule that you configured for domain routing.Else, if this log field value is equal to 55, then the additional.fields UDM field is set to 55 - Message was created by the Exchange Journal generation setting.Else, if this log field value is equal to 57, then the additional.fields UDM field is set to 57 - Message was received from an inbound gateway rule that you configured.Else, if this log field value is equal to 60, then the additional.fields UDM field is set to 60 - Message is protected with Gmail confidential mode.Else, if this log field value is equal to 61, then the additional.fields UDM field is set to 61 - Message was caught by Security sandbox.Else, if this log field value is equal to 62, then the additional.fields UDM field is set to 62 - The address list you configured for domain default routing matches the SMTP envelope recipient instead of the correspondent of the message.Else, if this log field value is equal to 63, then the additional.fields UDM field is set to 63 - Message triggered a domain-level rerouting rule, which you configured for domain routing, or domain default routing. |
gmail |
events.parameters[delivery].msgValue[message_info].parameter.intValue[moderation_reason] |
about.labels[moderation_reason] (deprecated) |
|
gmail |
events.parameters[delivery].msgValue[message_info].parameter.intValue[moderation_reason] |
additional.fields[moderation_reason] |
|
gmail |
events.parameters[delivery].msgValue[message_info].parameter.intValue[moderation_status] |
about.labels[moderation_status] (deprecated) |
|
gmail |
events.parameters[delivery].msgValue[message_info].parameter.intValue[moderation_status] |
additional.fields[moderation_status] |
|
gmail |
events.parameters[delivery].msgValue[message_info].parameter.intValue[num_message_attachments] |
about.labels[num_message_attachments] (deprecated) |
|
gmail |
events.parameters[delivery].msgValue[message_info].parameter.intValue[num_message_attachments] |
additional.fields[num_message_attachments] |
|
gmail |
events.parameters[delivery].msgValue[message_info].parameter.intValue[sequence_number] |
about.labels[sequence_number] (deprecated) |
|
gmail |
events.parameters[delivery].msgValue[message_info].parameter.intValue[sequence_number] |
additional.fields[sequence_number] |
|
gmail |
events.parameters[delivery].msgValue[message_info].parameter.intValue[smime_content_type] |
about.labels[smime_content_type] (deprecated) |
If this log field value is equal to 0, then the about.labels UDM field is set to 0 - Message does not have a recognized S/MIME Content-Type.Else, if this log field value is equal to 1, then the about.labels UDM field is set to 1 - An S/MIME message with a detached signature Indicated by content type multipart/signed with parameter protocol=application/pkcs7-signature.Else, if this log field value is equal to 2, then the about.labels UDM field is set to 2 - An S/MIME message with an opaque signature Indicated by content type application/pkcs7-mime or application/x-pkcs7-mime with parameter smime-type=signed-data.Else, if this log field value is equal to 3, then the about.labels UDM field is set to 3 - An S/MIME message that is encrypted Indicated by content type application/pkcs7-mime or application/x-pkcs7-mime with parameter smime-type=enveloped-data.Else, if this log field value is equal to 4, then the about.labels UDM field is set to 4 - An S/MIME message that is compressed Indicated by content type application/pkcs7-mime or application/x-pkcs7-mime with parameter smime-type=compressed-data. |
gmail |
events.parameters[delivery].msgValue[message_info].parameter.intValue[smime_content_type] |
additional.fields[smime_content_type] |
If this log field value is equal to 0, then the additional.fields UDM field is set to 0 - Message does not have a recognized S/MIME Content-Type.Else, if this log field value is equal to 1, then the additional.fields UDM field is set to 1 - An S/MIME message with a detached signature Indicated by content type multipart/signed with parameter protocol=application/pkcs7-signature.Else, if this log field value is equal to 2, then the additional.fields UDM field is set to 2 - An S/MIME message with an opaque signature Indicated by content type application/pkcs7-mime or application/x-pkcs7-mime with parameter smime-type=signed-data.Else, if this log field value is equal to 3, then the additional.fields UDM field is set to 3 - An S/MIME message that is encrypted Indicated by content type application/pkcs7-mime or application/x-pkcs7-mime with parameter smime-type=enveloped-data.Else, if this log field value is equal to 4, then the additional.fields UDM field is set to 4 - An S/MIME message that is compressed Indicated by content type application/pkcs7-mime or application/x-pkcs7-mime with parameter smime-type=compressed-data. |
gmail |
events.parameters[delivery].msgValue[message_info].parameter.boolValue[smime_encrypt_message] |
about.labels[smime_encrypt_message] (deprecated) |
|
gmail |
events.parameters[delivery].msgValue[message_info].parameter.boolValue[smime_encrypt_message] |
additional.fields[smime_encrypt_message] |
|
gmail |
events.parameters[delivery].msgValue[message_info].parameter.boolValue[smime_extraction_success] |
about.labels[smime_extraction_success] (deprecated) |
|
gmail |
events.parameters[delivery].msgValue[message_info].parameter.boolValue[smime_extraction_success] |
additional.fields[smime_extraction_success] |
|
gmail |
events.parameters[delivery].msgValue[message_info].parameter.boolValue[smime_packaging_success] |
about.labels[smime_packaging_success] (deprecated) |
|
gmail |
events.parameters[delivery].msgValue[message_info].parameter.boolValue[smime_packaging_success] |
additional.fields[smime_packaging_success] |
|
gmail |
events.parameters[delivery].msgValue[message_info].parameter.boolValue[smime_sign_message] |
about.labels[smime_sign_message] (deprecated) |
|
gmail |
events.parameters[delivery].msgValue[message_info].parameter.boolValue[smime_sign_message] |
additional.fields[smime_sign_message] |
|
gmail |
events.parameters[delivery].msgValue[message_info].parameter.msgValue[connection_info].parameter.boolValue[spf_pass] |
about.labels[spf_pass] (deprecated) |
|
gmail |
events.parameters[delivery].msgValue[message_info].parameter.msgValue[connection_info].parameter.boolValue[spf_pass] |
additional.fields[spf_pass] |
|
gmail |
events.parameters[delivery].msgValue[message_info].parameter.msgValue[connection_info].parameter.boolValue[tls_required_but_unavailable] |
about.labels[tls_required_but_unavailable] (deprecated) |
|
gmail |
events.parameters[delivery].msgValue[message_info].parameter.msgValue[connection_info].parameter.boolValue[tls_required_but_unavailable] |
additional.fields[tls_required_but_unavailable] |
字段映射参考:WORKSPACE_ALERTS 日志类型到 UDM 事件类型
下表列出了 WORKSPACE_ALERTS 日志类型及其对应的 UDM 事件类型。
| Event Identifier | Event Type | Security Category |
|---|---|---|
Customer takeout initiated |
STATUS_UPDATE |
|
Malware reclassification |
EMAIL_TRANSACTION |
MAIL_PHISHING |
Misconfigured whitelist |
EMAIL_TRANSACTION |
MAIL_PHISHING |
Phishing reclassification |
EMAIL_TRANSACTION |
MAIL_PHISHING |
Suspicious message reported |
EMAIL_TRANSACTION |
MAIL_PHISHING |
User reported phishing |
EMAIL_TRANSACTION |
MAIL_PHISHING |
User reported spam spike |
EMAIL_TRANSACTION |
MAIL_PHISHING |
Leaked password |
USER_LOGIN |
ACL_VIOLATION |
Suspicious login |
USER_LOGIN |
ACL_VIOLATION |
Suspicious login (less secure app) |
USER_LOGIN |
ACL_VIOLATION |
Suspicious programmatic login |
USER_LOGIN |
ACL_VIOLATION |
User suspended |
USER_UNCATEGORIZED |
ACL_VIOLATION |
User suspended (spam) |
USER_UNCATEGORIZED |
ACL_VIOLATION |
User suspended (spam through relay) |
USER_UNCATEGORIZED |
ACL_VIOLATION |
User suspended (suspicious activity) |
USER_UNCATEGORIZED |
ACL_VIOLATION |
Google Operations |
STATUS_UPDATE |
|
Configuration problem |
STATUS_UNCATEGORIZED |
|
Government attack warning |
STATUS_UNCATEGORIZED |
|
Device compromised |
GENERIC_EVENT |
|
Suspicious activity |
USER_UNCATEGORIZED |
|
AppMaker Default Cloud SQL setup |
USER_RESOURCE_ACCESS |
|
Activity Rule |
STATUS_UNCATEGORIZED / USER_UNCATEGORIZED / EMAIL_UNCATEGORIZED |
POLICY_VIOLATION |
Data Loss Prevention |
USER_UNCATEGORIZED |
POLICY_VIOLATION |
Apps outage |
STATUS_UPDATE |
|
Primary admin changed |
USER_UNCATEGORIZED |
|
SSO profile added |
USER_RESOURCE_CREATION |
|
SSO profile updated |
USER_RESOURCE_UPDATE_CONTENT |
|
SSO profile deleted |
USER_RESOURCE_DELETION |
|
Super admin password reset |
USER_CHANGE_PASSWORD |
|
User deleted |
USER_DELETION |
|
New user added |
USER_CREATION |
|
User password changed |
USER_CHANGE_PASSWORD |
|
Users Admin privilege revoked |
USER_CHANGE_PERMISSIONS |
|
Suspended user made active |
USER_UNCATEGORIZED |
|
User granted Admin privilege |
USER_CHANGE_PERMISSIONS |
|
User suspended (Administrator email alert) |
USER_UNCATEGORIZED |
|
Drive settings changed |
USER_RESOURCE_ACCESS |
|
Calendar settings changed |
USER_RESOURCE_ACCESS |
|
Reporting Rule |
STATUS_UPDATE |
字段映射参考文档:WORKSPACE_ALERTS
下表列出了 WORKSPACE_ALERTS 日志类型的日志字段及其对应的 UDM 字段。
| Log field | UDM mapping | Logic |
|---|---|---|
data.domainId.customerPrimaryDomain |
about.administrative_domain |
|
data.messages.attachmentsSha256Hash |
about.file.sha256 |
|
data.mergeInfo.newAlertId |
about.labels[new_alert_id] (deprecated) |
|
data.mergeInfo.newAlertId |
additional.fields[new_alert_id] |
|
data.mergeInfo.newIncidentTrackingId |
about.labels[new_incident_tracking_id] (deprecated) |
|
data.mergeInfo.newIncidentTrackingId |
additional.fields[new_incident_tracking_id] |
|
data.nextUpdateTime |
about.labels[next_update_time] (deprecated) |
|
data.nextUpdateTime |
additional.fields[next_update_time] |
|
data.resolutionTime |
about.labels[resolution_time] (deprecated) |
|
data.resolutionTime |
additional.fields[resolution_time] |
|
data.status |
about.labels[status] (deprecated) |
|
data.status |
additional.fields[status] |
|
data.incidentTrackingId |
about.labels[tracking_id] (deprecated) |
|
data.incidentTrackingId |
additional.fields[tracking_id] |
|
customerId |
about.resource.product_object_id |
If the customerId log field value is not empty, then the customerId log field is mapped to the about.resource.product_object_id UDM field.Else, the metadata.customerId log field is mapped to the about.resource.product_object_id UDM field. |
metadata.customerId |
about.resource.product_object_id |
If the customerId log field value is not empty, then the customerId log field is mapped to the about.resource.product_object_id UDM field.Else, the metadata.customerId log field is mapped to the about.resource.product_object_id UDM field. |
about.resource.resource_type |
The about.resource.resource_type UDM field is set to CLOUD_ORGANIZATION. | |
data.dashboardUri |
about.url |
|
data.attachmentData.csv.dataRows.entries |
additional.fields.entries |
|
data.attachmentData.csv.headers |
additional.fields.header |
|
event.idm.is_alert |
The event.idm.is_alert UDM field is set to TRUE. | |
event.idm.is_significant |
If the data.@type log field value is equal to ActivityRule and the metadata.severity log field value is equal to HIGH, then the event.idm.is_significant UDM field is set to true. | |
extensions.auth.mechanism |
If the data.@type log field value is equal to AccountWarning, then the extensions.auth.mechanism UDM field is set to USERNAME_PASSWORD. | |
extensions.auth.type |
If the data.@type log field value is equal to AccountWarning, then the extensions.auth.type UDM field is set to SSO. | |
data.description |
metadata.description |
|
createTime |
metadata.event_timestamp |
|
data.@type |
metadata.product_event_type |
|
etag |
metadata.product_log_id |
If the etag log field value is not empty, then the etag log field is mapped to the metadata.product_log_id UDM field.Else, the alertId log field is mapped to the metadata.product_log_id UDM field. |
metadata.etag |
metadata.product_log_id |
If the metadata.etag log field value is not empty, then the metadata.etag log field is mapped to the metadata.product_log_id UDM field.Else, the alertId log field is mapped to the metadata.product_log_id UDM field. |
metadata.product_name |
The metadata.product_name UDM field is set to WORKSPACE_ALERTS. | |
metadata.vendor_name |
The metadata.vendor_name UDM field is set to GOOGLE. | |
data.maliciousEntity.fromHeader |
network.email.from |
|
data.messages.messageId |
network.email.mail_id |
|
data.messages.subjectText |
network.email.subject |
|
data.messages.recipient |
network.email.to |
|
data.ruleViolationInfo.recipients |
network.email.to |
If the data.ruleViolationInfo.recipients log field value matches the regular expression pattern ^.+@.+$, then the data.ruleViolationInfo.recipients log field is mapped to the network.email.to UDM field. |
data.ruleViolationInfo.recipients |
additional.fields[recipients] |
If the data.ruleViolationInfo.recipients log field value is equal to anyone, then the data.ruleViolationInfo.recipients log field is mapped to the additional.fields UDM field. |
data.ruleViolationInfo.recipients |
target.domain.name |
If the data.ruleViolationInfo.recipients log field value matches the regular expression pattern ^[a-zA-Z0-9][a-zA-Z0-9-]{1,61}[a-zA-Z0-9](?:\.[a-zA-Z]{2,})+$, then the first occurrence of the matching value in the data.ruleViolationInfo.recipients log field is mapped to the target.domain.name UDM field and the other occurrences are mapped to the additional.fields[domain_recipients] UDM field. |
data.sourceIp |
principal.ip |
|
data.loginDetails.ipAddress |
principal.ip |
|
data.maliciousEntity.displayName |
principal.labels[malicious_entity_display_name] (deprecated) |
|
data.maliciousEntity.displayName |
additional.fields[malicious_entity_display_name] |
|
data.requestInfo.appDeveloperEmail |
principal.user.email_addresses |
|
data.actorEmail |
principal.user.email_addresses |
|
data.ruleViolationInfo.triggeringUserEmail |
principal.user.email_addresses |
|
data.email |
principal.user.email_addresses |
|
data.domain |
security_result.about.administrative_domain |
|
metadata.assignee |
security_result.about.labels[assignee] (deprecated) |
|
metadata.assignee |
additional.fields[assignee] |
|
data.header |
security_result.about.labels[header] (deprecated) |
|
data.header |
additional.fields[header] |
|
data.ruleViolationInfo.suppressedActionTypes |
security_result.about.labels[suppressed_action_types] (deprecated) |
|
data.ruleViolationInfo.suppressedActionTypes |
additional.fields[suppressed_action_types] |
|
data.title |
security_result.about.labels[title] (deprecated) |
|
data.title |
additional.fields[title] |
|
alertId |
security_result.about.object_reference |
|
data.affectedUserEmails |
security_result.about.user.email_addresses |
|
data.ruleViolationInfo.triggeredActionTypes |
security_result.action_details |
|
security_result.action_type |
If the data.ruleViolationInfo.triggeredActionTypes log field value is equal to ACTION_TYPE_UNSPECIFIED, then the security_result.action_type UDM field is set to UNKNOWN_ACTION.If the data.ruleViolationInfo.triggeredActionTypes log field value is equal to DRIVE_BLOCK_EXTERNAL_SHARING, then the security_result.action_type UDM field is set to BLOCK.If the data.ruleViolationInfo.triggeredActionTypes log field value is equal to DRIVE_WARN_ON_EXTERNAL_SHARING or ALERT or RULE_ACTIVATE or RULE_DEACTIVATE, then the security_result.action_type UDM field is set to ALLOW. | |
security_result.category |
If the source log field value is equal to Gmail Phishing, then the security_result.category UDM field is set to MAIL_PHISHING.If the source log field value is equal to Google Identity, then the security_result.category UDM field is set to ACL_VIOLATION.If the source log field value is equal to Security Center rules or Data Loss Prevention, then the security_result.category UDM field is set to POLICY_VIOLATION. | |
source |
security_result.category_details |
|
data.actionNames |
security_result.detection_fields[action_names] |
|
data.alertDetails |
security_result.detection_fields[alert_details] |
|
data.createTime |
security_result.detection_fields[create_time] |
|
data.messages.date |
security_result.detection_fields[date] |
If the source log field value is equal to Gmail phishing, then the data.messages.date log field is mapped to the security_result.detection_fields UDM field. |
data.events.deviceCompromisedState |
security_result.detection_fields[device_compromised_state] |
|
data.displayName |
security_result.detection_fields[display_name] |
|
data.eventTime |
security_result.detection_fields[event_time] |
|
data.isInternal |
security_result.detection_fields[is_internal] |
|
data.loginDetails.loginTime |
security_result.detection_fields[login_time] |
|
data.messages.md5HashMessageBody |
security_result.detection_fields[md5_hash_message_body] |
If the source log field value is equal to Gmail phishing, then the data.messages.md5HashMessageBody log field is mapped to the security_result.detection_fields UDM field. |
data.messages.md5hashsubject |
security_result.detection_fields[md5_hash_subject] |
If the source log field value is equal to Gmail phishing, then the data.messages.md5hashsubject log field is mapped to the security_result.detection_fields UDM field. |
data.messages.messageBodySnippet |
security_result.detection_fields[message_body_snippet] |
|
metadata.status |
security_result.detection_fields[metadata_status] |
|
data.query |
security_result.detection_fields[query] |
|
securityInvestigationToolLink |
security_result.detection_fields[security_investigation_tool_link] |
|
startTime |
security_result.detection_fields[start_time] |
|
data.supersededAlerts |
security_result.detection_fields[superseded_alerts] |
|
data.supersedingAlert |
security_result.detection_fields[superseding_alert] |
|
data.systemActionType |
security_result.detection_fields[system_action_type] |
|
data.threshold |
security_result.detection_fields[threshold] |
|
data.triggerSource |
security_result.detection_fields[trigger_source] |
|
data.ruleViolationInfo.trigger |
security_result.detection_fields[trigger] |
|
data.updateTime |
security_result.detection_fields[update_time] |
|
data.windowSize |
security_result.detection_fields[windows_size] |
|
data.ruleViolationInfo.ruleInfo.resourceName |
security_result.rule_id |
|
data.ruleViolationInfo.matchInfo.userDefinedDetector.displayName |
security_result.rule_labels[detector_display_name] |
|
data.ruleViolationInfo.matchInfo.predefinedDetector.detectorName |
security_result.rule_labels[detector_name] |
|
data.ruleViolationInfo.matchInfo.userDefinedDetector.resourceName |
security_result.rule_labels[detector_resource_name] |
|
data.name |
security_result.rule_name |
|
data.ruleViolationInfo.ruleInfo.displayName |
security_result.rule_name |
|
metadata.severity |
security_result.severity |
|
type |
security_result.summary |
|
data.type |
security_result.summary |
If the type log field value is empty, then the data.type log field is mapped to the security_result.summary UDM field. |
security_result.alert_state |
The security_result.alert_state UDM field is set to ALERTING. | |
data.requestInfo.appKey |
target.application |
|
data.events.deviceId |
target.asset.asset_id |
|
data.events.deviceProperty |
target.asset.attribute.labels[device_property] |
|
data.events.iosVendorId |
target.asset.attribute.labels[ios_vendor_id] |
|
data.events.newValue |
target.asset.attribute.labels[new_value] |
|
data.events.oldValue |
target.asset.attribute.labels[old_value] |
|
data.events.resourceId |
target.asset.attribute.labels[resource_id] |
|
data.events.deviceModel |
target.asset.hardware.model |
|
data.events.serialNumber |
target.asset.hardware.serial_number |
|
data.events.deviceType |
target.asset.type |
|
data.primaryAdminChangedEvent.domain |
target.domain.name |
|
data.ssoProfileUpdatedEvent.inboundSsoProfileChanges |
target.labels[inbound_sso_profile_changes] (deprecated) |
|
data.ssoProfileUpdatedEvent.inboundSsoProfileChanges |
additional.fields[inbound_sso_profile_changes] |
|
data.requestInfo.numberOfRequests |
target.labels[number_of_requests] (deprecated) |
|
data.requestInfo.numberOfRequests |
additional.fields[number_of_requests] |
|
data.primaryAdminChangedEvent.previousAdminEmail |
target.labels[previous_admin_email] (deprecated) |
|
data.primaryAdminChangedEvent.previousAdminEmail |
additional.fields[previous_admin_email] |
|
data.products |
target.labels[product] (deprecated) |
|
data.products |
additional.fields[product] |
|
data.ruleViolationInfo.resourceInfo.resourceTitle |
target.labels[resource_title] (deprecated) |
|
data.ruleViolationInfo.resourceInfo.resourceTitle |
additional.fields[resource_title] |
|
data.takeoutRequestId |
target.labels[takeout_request_id] (deprecated) |
|
data.takeoutRequestId |
additional.fields[takeout_request_id] |
|
data.ruleViolationInfo.dataSource |
target.resource.name |
|
data.ssoProfileCreatedEvent.inboundSsoProfileName |
target.resource.name |
|
data.ssoProfileUpdatedEvent.inboundSsoProfileName |
target.resource.name |
|
data.ssoProfileDeletedEvent.inboundSsoProfileName |
target.resource.name |
|
data.ruleViolationInfo.resourceInfo.documentId |
target.resource.product_object_id |
|
target.resource.resource_type |
If the data.@type log field value is equal to DlpRuleViolation, then the target.resource.resource_type UDM field is set to STORAGE_OBJECT.If the data.@type log field value is equal to AppMakerSqlSetupNotification, then the target.resource.resource_type UDM field is set to DATABASE.If the data.type log field value is equal to SSO profile added or SSO profile updated or SSO profile deleted, then the target.resource.resource_type UDM field is set to SETTING. | |
data.maliciousEntity.entity.emailAddress |
target.user.email_addresses |
|
data.email |
target.user.email_addresses |
If the data.@type log field value is equal to StateSponsoredAttack, DeviceCompromised, or AccountWarning, then the data.email log field is mapped to the target.user.email_addresses UDM field.Else, the data.email log field is mapped to the principal.user.email_addresses UDM field. |
data.primaryAdminChangedEvent.updatedAdminEmail |
target.user.email_addresses |
|
data.superAdminPasswordResetEvent.userEmail |
target.user.email_addresses |
|
data.maliciousEntity.entity.displayName |
target.user.user_display_name |
|
data.ruleViolationInfo.triggeredActionInfo |
字段映射参考:WORKSPACE_GROUPS
下表列出了 WORKSPACE_GROUPS 日志类型的日志字段及其对应的 UDM 字段。
| Log field | UDM mapping | Logic |
|---|---|---|
adminCreated |
entity.group.attribute.labels[admin_created] |
If the adminCreated log field value is equal to true, then the admin_created.value UDM field is set to true.Else, the admin_created.value UDM field is set to false. |
description |
metadata.description |
|
directMembersCount |
entity.group.attribute.labels[direct_members_count] |
|
email |
entity.group.email_addresses |
|
nonEditableAliases |
entity.group.email_addresses |
|
aliases |
entity.group.email_addresses |
|
etag |
entity.labels[etag] (deprecated) |
|
etag |
additional.fields[etag] |
|
id |
entity.group.product_object_id |
|
kind |
entity.labels[kind] (deprecated) |
|
kind |
additional.fields[kind] |
|
name |
entity.group.group_display_name |
|
metadata.vendor_name |
The metadata.vendor_name UDM field is set to GOOGLE. | |
metadata.product_name |
The metadata.product_name UDM field is set to WORKSPACE GROUPS. | |
metadata.entity_type |
The metadata.entity_type UDM field is set to GROUP. |
字段映射参考:WORKSPACE_USERS
下表列出了 WORKSPACE_USERS 日志类型的日志字段及其对应的 UDM 字段。
| Log field | UDM mapping | Logic |
|---|---|---|
addresses.country |
entity.user.personal_address.country_or_region |
|
addresses.countryCode |
entity.user.attribute.labels[addresses_country_code] |
|
addresses.customType |
entity.user.attribute.labels[addresses_custom_type] |
|
addresses.extendedAddress |
entity.user.attribute.labels[addresses_extended_address] |
|
addresses.formatted |
entity.user.office_address.name |
The addresses.formatted log field is mapped to the user.office_address.name UDM field if the following conditions are met:
|
addresses.locality |
entity.user.attribute.labels[addresses_locality] |
|
addresses.poBox |
entity.user.attribute.labels[addresses_pobox] |
|
addresses.postalCode |
entity.user.attribute.labels[addresses_postal_code] |
|
addresses.primary |
entity.user.attribute.labels[addresses_primary] |
|
addresses.region |
entity.user.attribute.labels[addresses_region] |
|
addresses.sourceIsStructured |
entity.user.attribute.labels[addresses_source_is_structured] |
|
addresses.streetAddress |
entity.user.attribute.labels[addresses_street_address] |
|
addresses.type |
entity.user.attribute.labels[addresses_type] |
|
agreedToTerms |
entity.user.attribute.labels[agreed_to_terms] |
|
aliases |
entity.user.attribute.labels[aliases_email] |
|
changePasswordAtNextLogin |
entity.user.attribute.labels[change_password_at_next_login] |
If the changePasswordAtNextLogin log field value is equal to true, then the change_password_at_next_login.value UDM field is set to true.Else, the change_password_at_next_login.value UDM field is set to false. |
creationTime |
entity.user.attribute.creation_time |
|
customerId |
entity.user.attribute.labels[customer_id] |
|
deletionTime |
entity.user.attribute.labels[deletion_time] |
|
emails.customType |
entity.user.attribute.labels[email_acustom_type] |
|
emails.primary |
entity.user.attribute.labels[email_primary] |
|
emails.type |
entity.user.attribute.labels[email_type] |
|
etag |
entity.labels[etag] (deprecated) |
|
etag |
additional.fields[etag] |
|
externalIds.customType |
entity.user.attribute.labels[external_id_custom_type] |
|
externalIds.type |
entity.user.attribute.labels[external_id_type] |
|
externalIds.value |
entity.user.employee_id |
If the externalIds.type log field value is equal to organization, then the externalIds.value log field is mapped to the user.employee_id UDM field. |
gender.addressMeAs |
entity.user.attribute.labels[gender_address_me_as] |
|
gender.customGender |
entity.user.attribute.labels[custom_gender] |
|
gender.type |
entity.user.attribute.labels[gender] |
|
hashFunction |
entity.user.attribute.labels[hash_function] |
|
id |
entity.user.product_object_id |
|
ims.customProtocol |
entity.user.attribute.labels[ims_custom_protocol] |
|
ims.customType |
entity.user.attribute.labels[ims_custom_type] |
|
ims.im |
entity.user.attribute.labels[ims_im] |
|
ims.primary |
entity.user.attribute.labels[ims_primary] |
|
ims.protocol |
entity.user.attribute.labels[ims_protocol] |
|
ims.type |
entity.user.attribute.labels[ims_type] |
|
includeInGlobalAddressList |
entity.user.attribute.labels[included_in_global_address_list] |
If the includeInGlobalAddressList log field value is equal to true, then the included_in_global_address_list.value UDM field is set to true, else, then the included_in_global_address_list.value UDM field is set to false. |
ipWhitelisted |
entity.user.attribute.labels[ip_whitelisted] |
|
isAdmin |
entity.user.attribute.labels[is_admin] |
|
isDelegatedAdmin |
entity.user.attribute.labels[is_delegated_admin] |
|
user.attribute.roles.type |
If the isAdmin log field value or the isDelegatedAdmin log field value is equal to true, then the user.attribute.roles.type UDM field is set to ADMINISTRATOR. | |
isEnforcedIn2Sv |
entity.user.attribute.labels[is_enforced_in_2sv] |
If the isEnforcedIn2Sv log field value is equal to true, then the is_enforced_in_2sv.value UDM field is set to true, else, then the is_enforced_in_2sv.value UDM field is set to false. |
isEnrolledIn2Sv |
entity.user.attribute.labels[is_enrolled_in_2sv] |
If the isEnrolledIn2Sv log field value is equal to true, then the is_enrolled_in_2sv.value UDM field is set to true, else, then the is_enrolled_in_2sv.value UDM field is set to false. |
isMailboxSetup |
entity.user.attribute.labels[is_mailbox_setup] |
If the isMailboxSetup log field value is equal to true, then the is_mail_box_setup.value UDM field is set to true, else, then the is_mail_box_setup.value UDM field is set to false. |
keywords.customType |
entity.user.attribute.labels[keywords_custom_type] |
|
keywords.type |
entity.user.attribute.labels[keywords_type] |
|
keywords.value |
entity.user.attribute.labels[keywords_value] |
|
kind |
entity.labels[kind] (deprecated) |
|
kind |
additional.fields[kind] |
|
languages.customLanguage |
entity.user.attribute.labels[language_custom_language] |
|
languages.languageCode |
entity.user.attribute.labels[language_code] |
|
languages.preference |
entity.user.attribute.labels[preferred_language] |
|
lastLoginTime |
entity.user.last_login_time |
|
locations.area |
entity.user.office_address.country_or_region |
|
locations.buildingId |
entity.user.attribute.labels[locations_buildingId] |
|
locations.customType |
entity.user.attribute.labels[locations_customType] |
|
locations.deskCode |
entity.user.officel_address.desk_name |
|
locations.floorName |
entity.user.office_address.floor_name |
|
locations.floorSection |
entity.user.attribute.labels[locations_floorSection] |
|
locations.type |
entity.user.attribute.labels[locations_type] |
|
name.familyName |
entity.user.last_name |
|
name.fullName |
entity.user.user_display_name |
|
name.givenName |
entity.user.first_name |
|
notes.contentType |
entity.user.attribute.labels[notes_content_type] |
|
notes.value |
entity.user.attribute.labels[notes_value] |
|
organizations.costCenter |
entity.user.attribute.labels[organization_cost_center] |
|
organizations.customType |
entity.user.attribute.labels[organization_custom_type] |
|
organizations.department |
entity.user.department |
The organizations.department log field is mapped to the user.department UDM field if the following conditions are met:
|
organizations.description |
entity.user.attribute.labels [organizations_description] |
|
organizations.domain |
entity.user.attribute.labels[organization_domain] |
|
organizations.fullTimeEquivalent |
entity.user.attribute.labels[organization_full_time_equivalent] |
|
organizations.location |
entity.user.attribute.labels[organization_location] |
|
organizations.name |
entity.user.attribute.labels[organization_name] |
|
organizations.primary |
entity.user.attribute.labels[organization_primary] |
|
organizations.symbol |
entity.user.attribute.labels[organization_symbol] |
|
organizations.title |
entity.user.title |
|
organizations.type |
entity.user.attribute.labels[organization_type] |
|
orgUnitPath |
entity.user.attribute.labels[org_unit_path] |
|
password |
entity.user.attribute.labels[password] |
|
phones.customType |
entity.user.attribute.labels[phone_custom_type] |
|
phones.primary |
entity.user.attribute.labels[phone_primary] |
|
phones.type |
entity.user.attribute.labels[phone_type] |
|
phones.value |
entity.user.phone_numbers |
If the phones.value log field value matches the regular expression pattern (^the , then the phones.value log field is mapped to the user.phone_numbers UDM field. |
recoveryPhone |
entity.user.phone_numbers |
|
posixAccounts.accountId |
entity.user.attribute.labels[posix_account_id] |
|
posixAccounts.gecos |
entity.user.attribute.labels[posix_account_gecos] |
|
posixAccounts.gid |
entity.user.group_identifiers |
|
posixAccounts.homeDirectory |
entity.user.attribute.labels[posix_account_home_directory] |
|
posixAccounts.operatingSystemType |
entity.platform |
If the posixAccounts.operatingSystemType log field value is equal to linux, then the entity.platform UDM field is set to LINUX.If the posixAccounts.operatingSystemType log field value is equal to windows, then the entity.platform UDM field is set to WINDOWS.Else, the entity.platform UDM field is set to UNKNOWN_PLATFORM. |
posixAccounts.primary |
entity.user.attribute.labels[posix_account_primary] |
|
posixAccounts.shell |
entity.user.attribute.labels[posix_account_shell] |
|
posixAccounts.systemId |
entity.asset.asset_id |
|
posixAccounts.uid |
entity.user.attribute.labels[posix_account_uid] |
|
posixAccounts.username |
entity.user.userid |
If the posixAccounts.username log field value is not empty, then the posixAccounts.username log field is mapped to the entity.user.userid UDM field. |
primaryEmail |
entity.user.email_addresses |
|
recoveryEmail |
entity.user.email_addresses |
|
nonEditableAliases |
entity.user.email_addresses |
|
emails.address |
entity.user.email_addresses |
If the emails.address log field value is not equal to primaryEmail, then the emails.address log field is mapped to the entity.user.email_addresses UDM field. |
relations.customType |
entity.user.attribute.labels[relations_custom_type] |
|
relations.type |
entity.user.attribute.labels[relation_type] |
|
relations.value |
entity.user.managers.email_addresses |
If the relation.type log field value is equal to manager, then the relations.value log field is mapped to the user.managers.email_addresses UDM field.Else, the relations.value log field is mapped to the user.attribute.labels UDM field. |
relations.value |
entity.user.attribute.labels[relations_type] |
If the relation.type log field value is equal to manager, then the relations.value log field is mapped to the user.managers.email_addresses UDM field.Else, the relations.value log field is mapped to the user.attribute.labels UDM field. |
sshPublicKeys.expirationTimeUsec |
entity.user.attribute.labels[ssh_key_expiration_timec] |
|
sshPublicKeys.fingerprint |
entity.user.attribute.labels[ssh_key_fingerprint] |
|
sshPublicKeys.key |
entity.user.attribute.labels[ssh_key] |
|
suspended |
entity.user.user_authentication_status |
If the suspended log field value is equal to true and the archived log field value is not equal to true, then the entity.user.user_authentication_status UDM field is set to SUSPENDED.If the archived log field value is equal to true, then the entity.user.user_authentication_status UDM field is set to DELETED.Else, the entity.user.user_authentication_status UDM field is set to ACTIVE. |
archived |
entity.user.user_authentication_status |
If the suspended log field value is equal to true and the archived log field value is not equal to true, then the entity.user.user_authentication_status UDM field is set to SUSPENDED.If the archived log field value is equal to true, then the entity.user.user_authentication_status UDM field is set to DELETED.Else, the entity.user.user_authentication_status UDM field is set to ACTIVE. |
suspensionReason |
entity.user.attribute.labels[suspension_reason] |
|
thumbnailPhotoEtag |
entity.user.attribute.labels[thumbnail_photo_etag] |
|
thumbnailPhotoUrl |
entity.url |
|
websites.customType |
entity.user.attribute.labels[websites_custom_type] |
|
websites.primary |
entity.user.attribute.labels[websites_primary] |
|
websites.type |
entity.user.attribute.labels[websites_type] |
|
websites.value |
entity.user.attribute.labels[websites_value] |
|
metadata.vendor_name |
The metadata.vendor_name UDM field is set to GOOGLE. | |
metadata.product_name |
The metadata.product_name UDM field is set to Cloud Identity. | |
metadata.entity_type |
The metadata.entity_type UDM field is set to USER. |
字段映射参考:WORKSPACE_MOBILE_DEVICES
下表列出了 WORKSPACE_MOBILE_DEVICES 日志类型的日志字段及其对应的 UDM 字段。
| Log field | UDM mapping | Logic |
|---|---|---|
adbStatus |
entity.asset.attribute.labels[abd status] |
|
applications.displayName |
entity.asset.software.name |
|
applications.packageName |
entity.asset.attribute.labels[application_package_name] |
|
applications.permission |
entity.asset.software.permissions.name |
|
applications.versionCode |
entity.asset.attribute.labels[application_version_code] |
|
applications.versionName |
entity.asset.software.version |
|
basebandVersion |
entity.asset.attribute.labels[baseband_version] |
|
bootloaderVersion |
entity.asset.attribute.labels[bootloader_version] |
|
brand |
entity.asset.attribute.labels[brand] |
|
buildNumber |
entity.asset.attribute.labels[build_number] |
|
defaultLanguage |
entity.asset.attribute.labels[default_language] |
|
developerOptionsStatus |
entity.asset.attribute.labels[developer_options_status] |
|
deviceCompromisedStatus |
entity.asset.attribute.labels[device_compromised_status] |
|
deviceId |
entity.asset.asset_id |
|
devicePasswordStatus |
entity.asset.attribute.labels[device_password_status] |
|
email |
entity.user.email_addresses |
|
encryptionStatus |
entity.asset.attribute.labels[encryption_status] |
|
etag |
entity.labels[etag] (deprecated) |
|
etag |
additional.fields[etag] |
|
firstSync |
entity.asset.attribute.labels[first_sync] |
|
hardware |
entity.asset.attribute.labels[hardware] |
|
hardwareId |
entity.asset.attribute.labels[hardware_id] |
|
imei |
entity.asset.asset_id |
|
deviceId |
entity.asset.asset_id |
If the imei log field value is empty, then the deviceId log field is mapped to the entity.asset.asset_id UDM field. |
kernelVersion |
entity.asset.attribute.labels[kernel_version] |
|
kind |
entity.labels[kind] (deprecated) |
|
kind |
additional.fields[kind] |
|
lastSync |
entity.asset.attribute.labels[last_sync] |
|
managedAccountIsOnOwnerProfile |
entity.asset.attribute.labels[managed_account_is_on_owner_profile] |
|
manufacturer |
entity.asset.hardware.manufacturer |
|
meid |
entity.asset.attribute.labels[meid] |
|
model |
entity.asset.hardware.model |
|
name |
entity.user.user_display_name |
|
networkOperator |
entity.asset.attribute.labels[network_operator] |
|
os |
entity.asset.platform_software.platform |
If the os log field value matches iOS, then the entity.asset.platform_software.platform UDM field is set to IOS.If the os log field value matches Android, then the entity.asset.platform_software.platform UDM field is set to ANDROID.Else, the entity.asset.platform_software.platform UDM field is set to UNKNOWN_PLATFORM. |
otherAccountsInfo[] |
entity.asset.attribute.labels[other_accounts_info] |
|
privilege |
entity.asset.attribute.labels[privilege] |
|
releaseVersion |
entity.asset.attribute.labels[release_version] |
|
resourceId |
entity.asset.product_object_id |
|
securityPatchLevel |
entity.asset.platform_software.platform_patch_level |
|
serialNumber |
entity.asset.hardware.serial_number |
|
status |
entity.user.user_authentication_status |
If the status log field value is equal to approved, then the entity.user.user_authentication_status UDM field is set to ACTIVE.If the status log field value is equal to unprovisined, then the entity.user.user_authentication_status UDM field is set to SUSPENDED. |
supportsWorkProfile |
entity.asset.attribute.labels[supports_work_profile] |
|
type |
entity.asset.attribute.labels[type] |
|
unknownSourcesStatus |
entity.asset.attribute.labels[unknown_sources_status] |
|
userAgent |
entity.asset.attribute.labels[user_agent] |
|
wifiMacAddress |
entity.asset.mac |
|
metadata.entity_type |
The metadata.entity_type UDM field is set to ASSET. | |
metadata.product_name |
The metadata.product_name UDM field is set to WORKSPACE_MOBILE. | |
metadata.vendor_name |
The metadata.vendor_name UDM field is set to GOOGLE. | |
relations.entity_type |
The relations.entity_type UDM field is set to USER. | |
relations.relationship |
The relations.relationship UDM field is set to MEMBER. |
字段映射参考:WORKSPACE_CHROMEOS
下表列出了 WORKSPACE_CHROMEOS 日志类型的日志字段及其对应的 UDM 字段。
| Log field | UDM mapping | Logic |
|---|---|---|
activeTimeRanges.activeTime |
entity.asset.attribute.labels[active_time] |
|
activeTimeRanges.date |
entity.asset.attribute.labels[active_time_range_date] |
|
annotatedAssetId |
entity.asset.asset_id |
If the annotatedAssetId log field value is not empty, then the ASSET ID: annotatedAssetId log field is mapped to the entity.asset.asset_id UDM field. |
deviceId |
entity.asset.asset_id |
If the annotatedAssetId log field value is empty, then the CHROMEOS:deviceId log field is mapped to the entity.asset.asset_id UDM field. |
annotatedLocation |
entity.asset.location.name |
|
annotatedUser |
relations.entity.user.user_display_name |
If the annotatedUser log field value is not empty and the annotatedUser log field value does not match the regular expression @, then the annotatedUser log field is mapped to the relations.entity.user.user_display_name UDM field. |
autoUpdateExpiration |
entity.asset.attribute.labels[auto_update_expiration] |
|
bootMode |
entity.asset.attribute.labels[boot_mode] |
|
cpuInfo.architecture |
entity.asset.attribute.labels[cpu_architecture] |
|
cpuInfo.logicalCpus.cStates.displayName |
entity.asset.attribute.labels[cpu_logical_cups_cstates_display_name] |
|
cpuInfo.logicalCpus.cStates.sessionDuration |
entity.asset.attribute.labels[cpu_logical_cups_cstates_session_duration] |
|
cpuInfo.logicalCpus.currentScalingFrequencyKhz |
entity.asset.attribute.labels[cpu_current_scaling_frequency] |
|
cpuInfo.logicalCpus.idleDuration |
entity.asset.attribute.labels[cpu_ideal_duration] |
|
cpuInfo.logicalCpus.maxScalingFrequencyKhz |
entity.asset.attribute.labels[cpu_max_scaling_frequency] |
|
cpuInfo.maxClockSpeedKhz |
entity.asset.attribute.labels[cpu_max_clock_speed] |
|
cpuInfo.model |
entity.asset.hardware.cpu_model |
|
cpuStatusReports.cpuTemperatureInfo.label |
entity.asset.attribute.labels[cpu_temperature_label] |
|
cpuStatusReports.cpuTemperatureInfo.temperature |
entity.asset.attribute.labels[cpu_temperature] |
|
cpuStatusReports.cpuUtilizationPercentageInfo |
entity.asset.attribute.labels[cpu_utilization_percentage_info] |
|
cpuStatusReports.reportTime |
entity.asset.attribute.labels[cpu_report_time] |
|
deviceFiles.createTime |
relations.entity.file.first_seen_time |
|
deviceFiles.downloadUrl |
relations.entity.file.full_path |
|
deviceFiles.name |
relations.entity.file.names |
|
deviceFiles.type |
relations.entity.file.mime_type |
|
relations.entity_type |
The relations.entity_type UDM field is set to FILE. | |
relations.relationship |
The relations.relationship UDM field is set to MEMBER. | |
deviceId |
entity.asset.product_object_id |
|
diskVolumeReports.volumeInfo.storageFree |
entity.asset.attribute.labels[volume_info_storage_free] |
|
diskVolumeReports.volumeInfo.storageTotal |
entity.asset.attribute.labels[volume_info_storage_total] |
|
diskVolumeReports.volumeInfo.volumeId |
entity.asset.attribute.labels[volume_id] |
|
dockMacAddress |
entity.asset.attribute.labels[dock_mac_address] |
|
etag |
entity.labels[etag] (deprecated) |
|
etag |
additional.fields[etag] |
|
ethernetMacAddress0 |
entity.asset.attribute.labels[ethernet_mac_address] |
|
firmwareVersion |
entity.asset.attribute.labels[firmware_version] |
|
kind |
entity.labels[kind] (deprecated) |
|
kind |
additional.fields[kind] |
|
lastEnrollmentTime |
entity.asset.last_discover_time |
|
lastKnownNetwork.ipAddress |
entity.asset.ip |
|
lastKnownNetwork.wanIpAddress |
entity.asset.nat_ip |
|
lastSync |
entity.asset.system_last_update_time |
|
macAddress |
entity.asset.mac |
|
ethernetMacAddress |
entity.asset.mac |
|
manufactureDate |
entity.asset.attribute.labels[manufacture_date] |
|
meid |
entity.asset.attribute.labels[meid] |
|
model |
entity.asset.hardware.model |
|
notes |
entity.asset.attribute.labels[notes] |
|
orderNumber |
entity.asset.attribute.labels[order_number] |
|
orgUnitId |
entity.asset.attribute.labels[org_unit_id] |
|
orgUnitPath |
entity.user.attribute.labels[org_unit_path] |
|
osVersion |
entity.asset.attribute.labels[os_version] |
|
platformVersion |
entity.asset.platform_software.platform_version |
|
annotatedUser |
entity.user.email_addresses |
If the annotatedUser log field value is not empty and the annotatedUser log field value matches the regular expression @, then the annotatedUser log field is mapped to the entity.user.email_addresses UDM field. |
recentUsers.email |
entity.user.email_addresses |
|
recentUsers.type |
relations.entity.user.attribute.roles.name |
|
relations.entity.user.attribute.roles.description |
If the recentUsers.type log field value is equal to USER_TYPE_MANAGED, then the relations.entity.user.attribute.roles.description UDM field is set to The user is managed by the domain.Else, if the recentUsers.type log field value is equal to USER_TYPE_UNMANAGED, then the relations.entity.user.attribute.roles.description UDM field is set to The user is not managed by the domain. | |
screenshotFiles.createTime |
relations.entity.file.first_seen_time |
|
screenshotFiles.downloadUrl |
relations.entity.file.full_path |
|
screenshotFiles.name |
relations.entity.file.names |
|
screenshotFiles.type |
relations.entity.file.mime_type |
|
serialNumber |
entity.asset.hardware.serial_number |
|
status |
entity.asset.deployment_status |
If the status log field value is equal to DEPROVISIONED, then the entity.asset.deployment_status UDM field is set to DECOMMISSIONED.Else, the entity.asset.deployment_status UDM field is set to ACTIVE. |
supportEndDate |
entity.asset.attribute.labels[support_end_date] |
|
systemRamFreeReports.reportTime |
entity.asset.attribute.labels[system_ram_report_time] |
|
systemRamFreeReports.systemRamFreeInfo |
entity.asset.attribute.labels[system_ram_free_info] |
|
systemRamTotal |
entity.asset.hardware.ram |
|
tpmVersionInfo.family |
entity.asset.attribute.labels[tpm_ver_info_family] |
|
tpmVersionInfo.firmwareVersion |
entity.asset.attribute.labels[tpm_ver_info_firmware_version] |
|
tpmVersionInfo.manufacturer |
entity.asset.attribute.labels[tpm_ver_info_manufacturer] |
|
tpmVersionInfo.specLevel |
entity.asset.attribute.labels[tpm_ver_info_spec_level] |
|
tpmVersionInfo.tpmModel |
entity.asset.attribute.labels[tpm_ver_info_tpm_model] |
|
tpmVersionInfo.vendorSpecific |
entity.asset.attribute.labels[tpm_ver_info_vendor_specific] |
|
willAutoRenew |
entity.asset.attribute.labels[will_auto_renew] |
|
entity.asset.type |
The entity.asset.type UDM field is set to WORKSTATION. | |
metadata.entity_type |
The metadata.entity_type UDM field is set to ASSET. | |
metadata.product_name |
The metadata.product_name UDM field is set to ChromeOS. | |
metadata.vendor_name |
The metadata.vendor_name UDM field is set to GOOGLE. | |
relations.entity_type |
The relations.entity_type UDM field is set to USER. | |
relations.relationship |
The relations.relationship UDM field is set to MEMBER. |
字段映射参考:WORKSPACE_PRIVILEGES
下表列出了 WORKSPACE_PRIVILEGES 日志类型的日志字段及其对应的 UDM 字段。
| Log field | UDM mapping |
|---|---|
roleAssignments.assignedTo |
metadata.product_entity_id |
roleAssignments.roleAssignmentId |
entity.user.attribute.labels[role_assignment_id] |
roleAssignments.roleDetails.roleDescription |
entity.user.attribute.roles.description |
roleAssignments.roleDetails.roleId |
entity.user.attribute.labels[role_details_role_id] |
roleAssignments.roleDetails.roleName |
entity.user.attribute.roles.name |
roleAssignments.roleDetails.rolePrivileges.details.childPrivileges.etag |
|
roleAssignments.roleDetails.rolePrivileges.details.childPrivileges.isOuScopable |
|
roleAssignments.roleDetails.rolePrivileges.details.childPrivileges.kind |
|
roleAssignments.roleDetails.rolePrivileges.details.childPrivileges.privilegeName |
entity.user.attribute.labels[%{rolePrivilege.privilegeName}_CHILD_PRIVILEGES] |
roleAssignments.roleDetails.rolePrivileges.details.childPrivileges.serviceId |
|
roleAssignments.roleDetails.rolePrivileges.details.childPrivileges.serviceName |
|
roleAssignments.roleDetails.rolePrivileges.details.etag |
entity.labels[etag] (deprecated) |
roleAssignments.roleDetails.rolePrivileges.details.etag |
additional.fields[etag] |
roleAssignments.roleDetails.rolePrivileges.details.isOuScopable |
entity.user.attribute.labels[is_ou_scopable] |
roleAssignments.roleDetails.rolePrivileges.details.kind |
entity.labels[kind] (deprecated) |
roleAssignments.roleDetails.rolePrivileges.details.kind |
additional.fields[kind] |
roleAssignments.roleDetails.rolePrivileges.details.privilegeName |
|
roleAssignments.roleDetails.rolePrivileges.details.serviceId |
|
roleAssignments.roleDetails.rolePrivileges.details.serviceName |
entity.user.attribute.labels[service_name] |
roleAssignments.roleDetails.rolePrivileges.privilegeName |
entity.user.attribute.permissions.name |
roleAssignments.roleDetails.rolePrivileges.serviceId |
entity.user.attribute.permissions.description |
roleAssignments.roleId |
entity.user.attribute.labels[role_id] |
roleAssignments.scopeType |
entity.user.attribute.labels[scope_type] |
userId |
entity.user.userid |
metadata.vendor_name | |
metadata.product_name | |
metadata.entity_type |