Collect Google Cloud Audit Logs

Supported in:

This document describes how you can export Cloud Audit Logs by enabling Google Cloud telemetry ingestion to Google Security Operations and how Cloud Audit Logs fields map to Google Security Operations Unified Data Model (UDM) fields.

For more information, see Data ingestion to Google Security Operations overview.

A typical deployment consists of Cloud Audit Logs enabled for ingestion to Google Security Operations. Each customer deployment might differ from this representation and might be more complex.

The deployment contains the following components:

  • Google Cloud: The Google Cloud services and products from which you collect logs

  • Cloud Audit Logs: The Cloud Audit Logs that are enabled for ingestion to Google Security Operations

  • Google Workspace audit logs: The Google Workspace audit logs that are enabled for ingestion to Google Security Operations

  • Google Security Operations: Retains and analyzes Cloud Audit Logs and Google Workspace audit logs

An ingestion label identifies the parser which normalizes raw log data to structured UDM format. The information in this document applies to the parser with GCP_CLOUDAUDIT ingestion label.

Before you begin

  • Ensure that you have set up a Google Cloud.

  • Ensure that you have set up access control for your organization and resources using Identity and Access Management (IAM). For more information about access control, see Access control for organizations with IAM.

  • Configure data access audit logs for your Google Cloud resources and services.

  • Ensure that all systems in the deployment architecture are configured in the UTC time zone.

  • Verify the log types that the Cloud Audit Logs parser supports. The following table lists the log sources and types supported by the Cloud Audit Logs parser:

Log sources Log source type
Cloud DNS N/A
syslog N/A
Google Workspace audit logs Login Audit
Google Workspace audit logs Admin Audit
Cloud Audit Logs Admin Activity
Cloud Audit Logs VPC Service Controls Audit
Cloud Audit Logs Google Kubernetes Engine Data Access
Cloud Audit Logs Resource Manager Data Access
Cloud Audit Logs BigQuery Audit Metadata data access
Cloud Audit Logs MySQL data access, admin activity
Cloud Audit Logs PostgreSQL data access, admin activity
Cloud Audit Logs SQL Server data access, admin activity
Cloud Load Balancing Cloud HTTP Load Balancer
Cloud DNS Admin Activity
Virtual Private Cloud Flow Virtual Private Cloud Flow
Firewall Rules Firewall Rules
Cloud NAT Cloud NAT

Configure ingestion of Cloud Audit Logs

To ingest Cloud Audit Logs to Google Security Operations, follow the steps on the Ingest Google Cloud logs to Google Security Operations page.

If you encounter issues when you ingest Cloud Audit Logs, contact Google Security Operations support.

Supported Cloud Audit Logs log formats

The Cloud Audit Logs parser supports logs in JSON format.

Supported Cloud Audit Logs sample logs

  • JSON:

    {
  "protoPayload": {
    "@type": "type.googleapis.com/google.cloud.audit.AuditLog",
    "authenticationInfo": {
      "principalEmail": "dummyuser@mail.com"
    },
    "requestMetadata": {
      "callerIp": "198.51.10.0",
      "callerSuppliedUserAgent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/133.0.0.0 Safari/537.36,gzip(gfe),gzip(gfe)",
      "requestAttributes": {
        "time": "2025-02-26T16:35:37.410328Z",
        "auth": {}
      },
      "destinationAttributes": {}
    },
    "serviceName": "compute.googleapis.com",
    "methodName": "beta.compute.securityPolicies.patchRule",
    "authorizationInfo": [
      {
        "resource": "projects/icd-gcp-prod-net-landing-0/global/securityPolicies/hashtag-ext",
        "permission": "compute.securityPolicies.update",
        "granted": true,
        "resourceAttributes": {
          "service": "compute",
          "name": "projects/icd-gcp-prod-net-landing-0/global/securityPolicies/hashtag-ext",
          "type": "compute.securityPolicies"
        },
        "permissionType": "ADMIN_WRITE"
      }
    ],
    "resourceName": "projects/icd-gcp-prod-net-landing-0/global/securityPolicies/hashtag-ext",
    "request": {
      "description": "SQL injection",
      "priority": "10100",
      "match": {
        "expr": {
          "expression": "evaluatePreconfiguredExpr(\\u0027sqli-v33-stable\\u0027)"
        }
      },
      "action": "deny(403)",
      "preview": false,
      "validateOnly": true,
      "@type": "type.googleapis.com/compute.securityPolicies.patchRule"
    },
    "response": {
      "id": "4332115325946625078",
      "name": "operation-1740587736928-62f0e29c291e2-b0056719-3023c13f",
      "operationType": "PatchRule",
      "targetLink": "https://www.googleapis.com/compute/beta/projects/icd-gcp-prod-net-landing-0/global/securityPolicies/hashtag-ext",
      "targetId": "6935975992577010740",
      "status": "DONE",
      "user": "dummyuser@domain.com",
      "progress": "100",
      "insertTime": "2025-02-26T08:35:37.278-08:00",
      "startTime": "2025-02-26T08:35:37.279-08:00",
      "endTime": "2025-02-26T08:35:37.279-08:00",
      "selfLink": "https://www.googleapis.com/compute/beta/projects/icd-gcp-prod-net-landing-0/global/operations/operation-1740587736928-62f0e29c291e2-b0056719-3023c13f",
      "selfLinkWithId": "https://www.googleapis.com/compute/beta/projects/icd-gcp-prod-net-landing-0/global/operations/4332115325946625078",
      "@type": "type.googleapis.com/operation"
    },
    "resourceLocation": {
      "currentLocations": [
        "global"
      ]
    }
  },
  "insertId": "-5srtt8e1oe7o",
  "resource": {
    "type": "network_security_policy",
    "labels": {
      "policy_name": "hashtag-ext",
      "project_id": "icd-gcp-prod-net-landing-0",
      "location": "global"
    }
  },
  "timestamp": "2025-02-26T16:35:36.961863Z",
  "severity": "NOTICE",
  "labels": {
    "compute.googleapis.com/root_trigger_id": "f0fe0460-63df-4978-8256-e70ce093effa"
  },
  "logName": "projects/icd-gcp-prod-net-landing-0/logs/cloudaudit.googleapis.com%2Factivity",
  "operation": {
    "id": "operation-1740587736928-62f0e29c291e2-b0056719-3023c13f",
    "producer": "compute.googleapis.com",
    "first": true,
    "last": true
  },
  "receiveTimestamp": "2025-02-26T16:35:38.342438110Z"
}

Field mapping reference

This section explains how the Google Security Operations parser maps Cloud Audit Logs fields to Google Security Operations Unified Data Model (UDM) fields.

GCP_CLOUDAUDIT log types to UDM event type

The following table lists the GCP_CLOUDAUDIT event identifiers and their corresponding event types.

Event identifier Event type
dns.managedZones.get USER_RESOURCE_ACCESS
dns.managedZones.list USER_RESOURCE_ACCESS
dns.changes.get USER_RESOURCE_ACCESS
dns.changes.list USER_RESOURCE_ACCESS
dns.activePeeringZones.list USER_RESOURCE_ACCESS
dns.activePeeringZones.getpeeringzoneinfo USER_RESOURCE_ACCESS
dns.resourceRecordSets.get USER_RESOURCE_ACCESS
dns.resourceRecordSets.list USER_RESOURCE_ACCESS
dns.responsePolicies.get USER_RESOURCE_ACCESS
dns.responsePolicies.list USER_RESOURCE_ACCESS
dns.responsePolicyRules.get USER_RESOURCE_ACCESS
dns.responsePolicyRules.list USER_RESOURCE_ACCESS
dns.policies.get USER_RESOURCE_ACCESS
dns.policies.list USER_RESOURCE_ACCESS
dns.projects.get USER_RESOURCE_ACCESS
dns.managedZones.create USER_RESOURCE_CREATION
dns.managedZones.delete RESOURCE_DELETION
dns.managedZones.update RESOURCE_WRITTEN
dns.managedZones.patch USER_RESOURCE_UPDATE_CONTENT
dns.changes.create USER_RESOURCE_CREATION
dns.changes.delete RESOURCE_DELETION
dns.activePeeringZones.deactivate USER_RESOURCE_UPDATE_CONTENT
dns.resourceRecordSets.create USER_RESOURCE_CREATION
dns.resourceRecordSets.delete RESOURCE_DELETION
dns.resourceRecordSets.update RESOURCE_WRITTEN
dns.resourceRecordSets.patch USER_RESOURCE_UPDATE_CONTENT
dns.responsePolicies.create USER_RESOURCE_CREATION
dns.responsePolicies.delete RESOURCE_DELETION
dns.responsePolicies.update RESOURCE_WRITTEN
dns.responsePolicies.patch USER_RESOURCE_UPDATE_CONTENT
dns.responsePolicyRules.create USER_RESOURCE_CREATION
dns.responsePolicyRules.delete RESOURCE_DELETION
dns.responsePolicyRules.update RESOURCE_WRITTEN
dns.responsePolicyRules.patch USER_RESOURCE_UPDATE_CONTENT
dns.policies.create USER_RESOURCE_CREATION
dns.policies.delete RESOURCE_DELETION
dns.policies.update RESOURCE_WRITTEN
dns.policies.patch USER_RESOURCE_UPDATE_CONTENT
CreateRole USER_RESOURCE_CREATION
DeleteRole RESOURCE_DELETION
UndeleteRole RESOURCE_CREATION
UpdateRole RESOURCE_WRITTEN
google.iam.v2beta.Policies.CreatePolicy USER_RESOURCE_CREATION
google.iam.v2beta.Policies.DeletePolicy RESOURCE_DELETION
google.iam.v2beta.Policies.UpdatePolicy RESOURCE_WRITTEN
CreateServiceAccount USER_CREATION
DeleteServiceAccount RESOURCE_DELETION
DisableServiceAccount USER_CHANGE_PERMISSIONS
EnableServiceAccount USER_CHANGE_PERMISSIONS
GetServiceAccount USER_RESOURCE_ACCESS
PatchServiceAccount USER_RESOURCE_UPDATE_CONTENT
SetIAMPolicy USER_RESOURCE_UPDATE_PERMISSIONS
UndeleteServiceAccount USER_CREATION
UpdateServiceAccount RESOURCE_WRITTEN
CreateServiceAccountKey USER_CHANGE_PASSWORD
DeleteServiceAccountKey USER_DELETION
UploadServiceAccountKey USER_CHANGE_PASSWORD
CreateWorkloadIdentityPool USER_RESOURCE_CREATION
DeleteWorkloadIdentityPool RESOURCE_DELETION
UndeleteWorkloadIdentityPool RESOURCE_CREATION
UpdateWorkloadIdentityPool RESOURCE_WRITTEN
CreateWorkloadIdentityPoolProvider USER_RESOURCE_CREATION
DeleteWorkloadIdentityPoolProvider RESOURCE_DELETION
UndeleteWorkloadIdentityPoolProvider RESOURCE_DELETION
UpdateWorkloadIdentityPoolProvider RESOURCE_WRITTEN
CreateWorkforcePool USER_RESOURCE_CREATION
DeleteWorkforcePool RESOURCE_DELETION
UndeleteWorkforcePool RESOURCE_DELETION
UpdateWorkforcePool RESOURCE_WRITTEN
CreateWorkforcePoolProvider USER_RESOURCE_CREATION
DeleteWorkforcePoolProvider RESOURCE_DELETION
UndeleteWorkforcePoolProvider RESOURCE_DELETION
UpdateWorkforcePoolProvider RESOURCE_WRITTEN
GetEffectivePolicy1 USER_RESOURCE_ACCESS
google.iam.admin.v1.GetPolicyDetails2 USER_RESOURCE_ACCESS
ExchangeToken USER_RESOURCE_ACCESS
Google Cloud console (federated) sign in USER_RESOURCE_UPDATE_PERMISSIONS
GetRole USER_RESOURCE_ACCESS
ListRoles USER_RESOURCE_ACCESS
google.iam.v2beta.Policies.GetPolicy USER_RESOURCE_ACCESS
google.iam.v2beta.Policies.ListPolicies USER_RESOURCE_ACCESS
QueryGrantableRoles USER_RESOURCE_ACCESS
GenerateAccessToken USER_RESOURCE_UPDATE_CONTENT
GenerateIdToken USER_RESOURCE_UPDATE_CONTENT
ListServiceAccounts USER_RESOURCE_ACCESS
SignBlob USER_RESOURCE_UPDATE_CONTENT
SignJwt USER_RESOURCE_UPDATE_CONTENT
GetServiceAccountKey USER_RESOURCE_ACCESS
ListServiceAccountKeys USER_RESOURCE_ACCESS
GetWorkloadIdentityPool USER_RESOURCE_ACCESS
ListWorkloadIdentityPools USER_RESOURCE_ACCESS
GetWorkloadIdentityPoolProvider USER_RESOURCE_ACCESS
ListWorkloadIdentityPoolProviders USER_RESOURCE_ACCESS
GetWorkforcePool USER_RESOURCE_ACCESS
ListWorkforcePools USER_RESOURCE_ACCESS
GetWorkforcePoolProvider USER_RESOURCE_ACCESS
ListWorkforcePoolProviders USER_RESOURCE_ACCESS
io.k8s.authorization.rbac.v1 STATUS_UPDATE
io.k8s.authorization.rbac.v1.roles STATUS_UPDATE
io.k8s.batch.v1.jobs.create RESOURCE_CREATION
io.k8s.authorization.rbac.v1.clusterroles.create RESOURCE_CREATION
io.k8s.apps.v1.daemonsets.create RESOURCE_CREATION
io.k8s.authorization.v1.selfsubjectaccessreviews.create RESOURCE_CREATION
google.container.v1.ClusterManager.CreateCluster USER_RESOURCE_CREATION
google.cloud.bigquery.v2.TableService.InsertTable USER_RESOURCE_CREATION
google.cloud.bigquery.v2.TableService.UpdateTable RESOURCE_WRITTEN
google.cloud.bigquery.v2.TableService.PatchTable USER_RESOURCE_UPDATE_CONTENT
google.cloud.bigquery.v2.TableService.DeleteTable RESOURCE_DELETION
google.cloud.bigquery.v2.DatasetService.InsertDataset USER_RESOURCE_CREATION
google.cloud.bigquery.v2.DatasetService.UpdateDataset RESOURCE_WRITTEN
google.cloud.bigquery.v2.DatasetService.PatchDataset USER_RESOURCE_UPDATE_CONTENT
google.cloud.bigquery.v2.DatasetService.DeleteDataset USER_RESOURCE_DELETION
google.cloud.bigquery.v2.TableDataService.List USER_RESOURCE_ACCESS
google.cloud.bigquery.v2.JobService.InsertJob USER_RESOURCE_CREATION
google.cloud.bigquery.v2.JobService.Query USER_RESOURCE_ACCESS
google.cloud.bigquery.v2.JobService.GetQueryResults USER_RESOURCE_ACCESS
InternalTableExpired USER_RESOURCE_DELETION
google.cloud.bigquery.connection.v1.ConnectionService.CreateConnection USER_RESOURCE_CREATION
google.cloud.bigquery.connection.v1.ConnectionService.DeleteConnection RESOURCE_DELETION
google.cloud.bigquery.connection.v1.ConnectionService.UpdateConnection RESOURCE_WRITTEN
google.cloud.bigquery.connection.v1.ConnectionService.SetIamPolicy RESOURCE_PERMISSIONS_CHANGE
google.cloud.bigquery.reservation.v1.ReservationService.CreateReservation USER_RESOURCE_CREATION
google.cloud.bigquery.reservation.v1.ReservationService.DeleteReservation RESOURCE_DELETION
google.cloud.bigquery.reservation.v1.ReservationService.UpdateReservation RESOURCE_WRITTEN
google.cloud.bigquery.reservation.v1.ReservationService.CreateCapacityCommitment USER_RESOURCE_CREATION
google.cloud.bigquery.reservation.v1.ReservationService.DeleteCapacityCommitment RESOURCE_DELETION
google.cloud.bigquery.reservation.v1.ReservationService.CreateAssignment USER_RESOURCE_CREATION
google.cloud.bigquery.reservation.v1.ReservationService.DeleteAssignment RESOURCE_DELETION
google.cloud.bigquery.reservation.v1.ReservationService.MoveAssignment STATUS_UPDATE
cloudsql.backupRuns.get USER_RESOURCE_ACCESS
cloudsql.backupRuns.list USER_RESOURCE_ACCESS
cloudsql.databases.create USER_RESOURCE_CREATION
cloudsql.databases.delete RESOURCE_DELETION
cloudsql.databases.get USER_RESOURCE_ACCESS
cloudsql.databases.list USER_RESOURCE_ACCESS
cloudsql.databases.update RESOURCE_WRITTEN
cloudsql.instances.export USER_RESOURCE_ACCESS
cloudsql.instances.get USER_RESOURCE_ACCESS
cloudsql.instances.import STATUS_UNCATEGORIZED
cloudsql.instances.list USER_RESOURCE_ACCESS
cloudsql.instances.listEffectiveTags USER_RESOURCE_ACCESS
cloudsql.instances.listServerCas USER_RESOURCE_ACCESS
cloudsql.instances.listTagBindings USER_RESOURCE_ACCESS
cloudsql.instances.login USER_LOGIN
cloudsql.sslCerts.get USER_RESOURCE_ACCESS
cloudsql.sslCerts.list USER_RESOURCE_ACCESS
cloudsql.users.create USER_RESOURCE_CREATION
cloudsql.users.delete RESOURCE_DELETION
cloudsql.users.get USER_RESOURCE_ACCESS
cloudsql.users.list USER_RESOURCE_ACCESS
cloudsql.users.update RESOURCE_WRITTEN
cloudsql.backupRuns.create USER_RESOURCE_CREATION
cloudsql.backupRuns.delete RESOURCE_DELETION
cloudsql.instances.addServerCa USER_RESOURCE_CREATION
cloudsql.instances.clone USER_RESOURCE_CREATION
cloudsql.instances.connect USER_LOGIN
cloudsql.instances.create USER_RESOURCE_CREATION
cloudsql.instances.createTagBinding USER_RESOURCE_CREATION
cloudsql.instances.delete RESOURCE_DELETION
cloudsql.instances.deleteTagBinding RESOURCE_DELETION
cloudsql.instances.demoteMaster STATUS_UPDATE
cloudsql.instances.failover STATUS_UPDATE
cloudsql.instances.promoteReplica STATUS_UPDATE
cloudsql.instances.resetSslConfig USER_RESOURCE_UPDATE_CONTENT
cloudsql.instances.restart STATUS_STARTUP
cloudsql.instances.restoreBackup STATUS_UPDATE
cloudsql.instances.rotateServerCa STATUS_UPDATE
cloudsql.instances.startReplica STATUS_STARTUP
cloudsql.instances.stopReplica STATUS_UPDATE
cloudsql.instances.truncateLog STATUS_UPDATE
cloudsql.instances.update RESOURCE_WRITTEN
cloudsql.sslCerts.create USER_RESOURCE_CREATION
cloudsql.sslCerts.createEphemeral USER_RESOURCE_CREATION
cloudsql.sslCerts.delete RESOURCE_DELETION
compute.instances.insert RESOURCE_CREATION
compute.instanceGroups.removeInstances RESOURCE_DELETION
compute.instances.setMetadata USER_RESOURCE_UPDATE_CONTENT
compute.instances.setLabels USER_RESOURCE_CREATION
compute.instances.setTags USER_RESOURCE_CREATION
compute.instances.setIamPolicy USER_RESOURCE_UPDATE_PERMISSIONS
compute.instances.list USER_RESOURCE_ACCESS
compute.images.get USER_RESOURCE_ACCESS
compute.interconnectAttachments.aggregatedList USER_RESOURCE_ACCESS
compute.instance.getSerialPortOutput USER_RESOURCE_ACCESS
compute.instances.migrateOnHostMaintenance RESOURCE_CREATION
compute.instances.automaticRestart USER_RESOURCE_UPDATE_CONTENT
compute.instanceGroupManagers.resizeAdvanced USER_RESOURCE_UPDATE_CONTENT
google.ssh-serialport.v1.connect NETWORK_CONNECTION
firewalls.delete RESOURCE_DELETION
firewalls.insert RESOURCE_CREATION
firewalls.patch USER_RESOURCE_UPDATE_CONTENT
firewalls.update RESOURCE_WRITTEN
forwardingRules.delete RESOURCE_DELETION
forwardingRules.insert RESOURCE_CREATION
forwardingRules.patch USER_RESOURCE_UPDATE_CONTENT
forwardingRules.setTarget STATUS_UPDATE
networks.addPeering STATUS_UPDATE
networks.delete RESOURCE_DELETION
networks.insert RESOURCE_CREATION
networks.patch USER_RESOURCE_UPDATE_CONTENT
networks.removePeering RESOURCE_DELETION
networks.switchToCustomMode STATUS_UPDATE
networks.updatePeering RESOURCE_WRITTEN
routes.delete RESOURCE_DELETION
routes.insert USER_RESOURCE_CREATION
subnetworks.delete RESOURCE_DELETION
subnetworks.expandIpCidrRange STATUS_UPDATE
subnetworks.insert RESOURCE_CREATION
subnetworks.patch USER_RESOURCE_UPDATE_CONTENT
subnetworks.setIamPolicy USER_RESOURCE_UPDATE_PERMISSIONS
subnetworks.setPrivateIpGoogleAccess STATUS_UPDATE
subnetworks.testIamPermissions USER_RESOURCE_ACCESS
firewalls.get USER_RESOURCE_ACCESS
firewalls.list USER_RESOURCE_ACCESS
forwardingRules.aggregatedList USER_RESOURCE_ACCESS
forwardingRules.get USER_RESOURCE_ACCESS
forwardingRules.list USER_RESOURCE_ACCESS
networks.get USER_RESOURCE_ACCESS
networks.list USER_RESOURCE_ACCESS
networks.listPeeringRoutes USER_RESOURCE_ACCESS
routes.get USER_RESOURCE_ACCESS
routes.list USER_RESOURCE_ACCESS
subnetworks.aggregatedList USER_RESOURCE_ACCESS
subnetworks.get USER_RESOURCE_ACCESS
subnetworks.getIamPolicy USER_RESOURCE_ACCESS
subnetworks.list USER_RESOURCE_ACCESS
subnetworks.listUsable USER_RESOURCE_ACCESS
google.admin.AdminService.alertCenterBatchDeleteAlerts RESOURCE_DELETION
google.admin.AdminService.alertCenterBatchUndeleteAlerts RESOURCE_DELETION
google.admin.AdminService.alertCenterCreateAlert USER_RESOURCE_CREATION
google.admin.AdminService.alertCenterCreateFeedback USER_RESOURCE_CREATION
google.admin.AdminService.alertCenterDeleteAlert RESOURCE_DELETION
google.admin.AdminService.alertCenterGetAlertMetadata USER_RESOURCE_ACCESS
google.admin.AdminService.alertCenterGetCustomerSettings USER_RESOURCE_ACCESS
google.admin.AdminService.alertCenterGetSitLink USER_RESOURCE_ACCESS
google.admin.AdminService.alertCenterListChange USER_RESOURCE_ACCESS
google.admin.AdminService.alertCenterListFeedback USER_RESOURCE_ACCESS
google.admin.AdminService.alertCenterListRelatedAlerts USER_RESOURCE_ACCESS
google.admin.AdminService.alertCenterUndeleteAlert RESOURCE_DELETION
google.admin.AdminService.alertCenterUpdateAlert RESOURCE_WRITTEN
google.admin.AdminService.alertCenterUpdateAlertMetadata RESOURCE_WRITTEN
google.admin.AdminService.alertCenterUpdateCustomerSettings RESOURCE_WRITTEN
google.admin.AdminService.alertCenterView USER_RESOURCE_UPDATE_CONTENT
google.admin.AdminService.changeApplicationSetting USER_RESOURCE_UPDATE_CONTENT
google.admin.AdminService.createApplicationSetting USER_RESOURCE_CREATION
google.admin.AdminService.deleteApplicationSetting RESOURCE_DELETION
google.admin.AdminService.reorderGroupBasedPoliciesEvent USER_RESOURCE_UPDATE_CONTENT
google.admin.AdminService.gplusPremiumFeatures USER_RESOURCE_UPDATE_CONTENT
google.admin.AdminService.createManagedConfiguration USER_RESOURCE_CREATION
google.admin.AdminService.deleteManagedConfiguration RESOURCE_DELETION
google.admin.AdminService.updateManagedConfiguration RESOURCE_WRITTEN
google.admin.AdminService.flashlightEduNonFeaturedServicesSelected USER_RESOURCE_UPDATE_CONTENT
google.admin.AdminService.createBuilding USER_RESOURCE_CREATION
google.admin.AdminService.deleteBuilding RESOURCE_DELETION
google.admin.AdminService.updateBuilding RESOURCE_WRITTEN
google.admin.AdminService.createCalendarResource USER_RESOURCE_CREATION
google.admin.AdminService.deleteCalendarResource RESOURCE_DELETION
google.admin.AdminService.createCalendarResourceFeature USER_RESOURCE_CREATION
google.admin.AdminService.deleteCalendarResourceFeature RESOURCE_DELETION
google.admin.AdminService.updateCalendarResourceFeature RESOURCE_WRITTEN
google.admin.AdminService.renameCalendarResource USER_RESOURCE_UPDATE_CONTENT
google.admin.AdminService.updateCalendarResource RESOURCE_WRITTEN
google.admin.AdminService.changeCalendarSetting USER_RESOURCE_UPDATE_CONTENT
google.admin.AdminService.cancelCalendarEvents USER_RESOURCE_UPDATE_CONTENT
google.admin.AdminService.releaseCalendarResources USER_RESOURCE_UPDATE_CONTENT
google.admin.AdminService.meetInteropCreateGateway USER_RESOURCE_CREATION
google.admin.AdminService.meetInteropDeleteGateway RESOURCE_DELETION
google.admin.AdminService.meetInteropModifyGateway USER_RESOURCE_UPDATE_CONTENT
google.admin.AdminService.changeChatSetting USER_RESOURCE_UPDATE_CONTENT
google.admin.AdminService.changeChromeOsAndroidApplicationSetting USER_RESOURCE_UPDATE_CONTENT
google.admin.AdminService.changeChromeOsApplicationSetting USER_RESOURCE_UPDATE_CONTENT
google.admin.AdminService.sendChromeOsDeviceCommand USER_RESOURCE_UPDATE_CONTENT
google.admin.AdminService.changeChromeOsDeviceAnnotation USER_RESOURCE_UPDATE_CONTENT
google.admin.AdminService.changeChromeOsDeviceSetting USER_RESOURCE_UPDATE_CONTENT
google.admin.AdminService.changeChromeOsDeviceState USER_RESOURCE_UPDATE_CONTENT
google.admin.AdminService.changeChromeOsPublicSessionSetting USER_RESOURCE_UPDATE_CONTENT
google.admin.AdminService.insertChromeOsPrinter USER_RESOURCE_CREATION
google.admin.AdminService.deleteChromeOsPrinter RESOURCE_DELETION
google.admin.AdminService.updateChromeOsPrinter RESOURCE_WRITTEN
google.admin.AdminService.changeChromeOsSetting USER_RESOURCE_UPDATE_CONTENT
google.admin.AdminService.changeChromeOsUserSetting USER_RESOURCE_UPDATE_CONTENT
google.admin.AdminService.removeChromeOsApplicationSettings RESOURCE_DELETION
google.admin.AdminService.changeContactsSetting USER_RESOURCE_UPDATE_CONTENT
google.admin.AdminService.assignRole USER_RESOURCE_UPDATE_PERMISSIONS
google.admin.AdminService.createRole USER_RESOURCE_CREATION
google.admin.AdminService.deleteRole RESOURCE_DELETION
google.admin.AdminService.addPrivilege USER_RESOURCE_CREATION
google.admin.AdminService.removePrivilege RESOURCE_DELETION
google.admin.AdminService.renameRole USER_RESOURCE_UPDATE_CONTENT
google.admin.AdminService.updateRole RESOURCE_WRITTEN
google.admin.AdminService.unassignRole USER_RESOURCE_UPDATE_PERMISSIONS
google.admin.AdminService.deleteDevice RESOURCE_DELETION
google.admin.AdminService.moveDeviceToOrgUnit USER_RESOURCE_UPDATE_CONTENT
google.admin.AdminService.transferDocumentOwnership USER_RESOURCE_UPDATE_CONTENT
google.admin.AdminService.driveDataRestore USER_RESOURCE_UPDATE_CONTENT
google.admin.AdminService.changeDocsSetting USER_RESOURCE_UPDATE_CONTENT
google.admin.AdminService.changeAccountAutoRenewal USER_RESOURCE_UPDATE_CONTENT
google.admin.AdminService.addApplication USER_RESOURCE_CREATION
google.admin.AdminService.addApplicationToWhitelist USER_RESOURCE_CREATION
google.admin.AdminService.changeAdvertisementOption USER_RESOURCE_UPDATE_CONTENT
google.admin.AdminService.createAlert USER_RESOURCE_CREATION
google.admin.AdminService.changeAlertCriteria USER_RESOURCE_UPDATE_CONTENT
google.admin.AdminService.deleteAlert RESOURCE_DELETION
google.admin.AdminService.alertReceiversChanged USER_RESOURCE_UPDATE_CONTENT
google.admin.AdminService.renameAlert USER_RESOURCE_UPDATE_CONTENT
google.admin.AdminService.alertStatusChanged USER_RESOURCE_UPDATE_CONTENT
google.admin.AdminService.addDomainAlias USER_RESOURCE_CREATION
google.admin.AdminService.removeDomainAlias RESOURCE_DELETION
google.admin.AdminService.skipDomainAliasMx USER_RESOURCE_UPDATE_CONTENT
google.admin.AdminService.verifyDomainAliasMx USER_RESOURCE_UPDATE_CONTENT
google.admin.AdminService.verifyDomainAlias USER_RESOURCE_UPDATE_CONTENT
google.admin.AdminService.toggleOauthAccessToAllApis USER_RESOURCE_UPDATE_CONTENT
google.admin.AdminService.toggleAllowAdminPasswordReset USER_RESOURCE_UPDATE_CONTENT
google.admin.AdminService.enableApiAccess USER_RESOURCE_UPDATE_CONTENT
google.admin.AdminService.authorizeApiClientAccess USER_RESOURCE_UPDATE_CONTENT
google.admin.AdminService.removeApiClientAccess RESOURCE_DELETION
google.admin.AdminService.chromeLicensesRedeemed USER_RESOURCE_UPDATE_CONTENT
google.admin.AdminService.toggleAutoAddNewService USER_RESOURCE_CREATION
google.admin.AdminService.changePrimaryDomain USER_RESOURCE_UPDATE_CONTENT
google.admin.AdminService.changeWhitelistSetting USER_RESOURCE_ACCESS
google.admin.AdminService.communicationPreferencesSettingChange USER_RESOURCE_UPDATE_CONTENT
google.admin.AdminService.changeConflictAccountAction USER_RESOURCE_UPDATE_CONTENT
google.admin.AdminService.enableFeedbackSolicitation USER_RESOURCE_UPDATE_CONTENT
google.admin.AdminService.toggleContactSharing USER_RESOURCE_UPDATE_CONTENT
google.admin.AdminService.createPlayForWorkToken USER_RESOURCE_CREATION
google.admin.AdminService.toggleUseCustomLogo USER_RESOURCE_UPDATE_CONTENT
google.admin.AdminService.changeCustomLogo USER_RESOURCE_UPDATE_CONTENT
google.admin.AdminService.changeDataLocalizationForRussia USER_RESOURCE_UPDATE_CONTENT
google.admin.AdminService.changeDataLocalizationSetting USER_RESOURCE_UPDATE_CONTENT
google.admin.AdminService.changeDataProtectionOfficerContactInfo USER_RESOURCE_UPDATE_CONTENT
google.admin.AdminService.deletePlayForWorkToken RESOURCE_DELETION
google.admin.AdminService.viewDnsLoginDetails USER_RESOURCE_UPDATE_CONTENT
google.admin.AdminService.changeDomainDefaultLocale USER_RESOURCE_UPDATE_CONTENT
google.admin.AdminService.changeDomainDefaultTimezone USER_RESOURCE_UPDATE_CONTENT
google.admin.AdminService.changeDomainName USER_RESOURCE_UPDATE_CONTENT
google.admin.AdminService.toggleEnablePreReleaseFeatures USER_RESOURCE_UPDATE_CONTENT
google.admin.AdminService.changeDomainSupportMessage USER_RESOURCE_UPDATE_CONTENT
google.admin.AdminService.addTrustedDomains USER_RESOURCE_CREATION
google.admin.AdminService.removeTrustedDomains RESOURCE_DELETION
google.admin.AdminService.changeEduType USER_RESOURCE_UPDATE_CONTENT
google.admin.AdminService.toggleEnableOauthConsumerKey USER_RESOURCE_UPDATE_CONTENT
google.admin.AdminService.toggleSsoEnabled USER_RESOURCE_UPDATE_CONTENT
google.admin.AdminService.toggleSsl USER_RESOURCE_UPDATE_CONTENT
google.admin.AdminService.changeEuRepresentativeContactInfo USER_RESOURCE_UPDATE_CONTENT
google.admin.AdminService.generateTransferToken USER_RESOURCE_UPDATE_CONTENT
google.admin.AdminService.changeLoginBackgroundColor USER_RESOURCE_UPDATE_CONTENT
google.admin.AdminService.changeLoginBorderColor USER_RESOURCE_UPDATE_CONTENT
google.admin.AdminService.changeLoginActivityTrace USER_RESOURCE_UPDATE_CONTENT
google.admin.AdminService.playForWorkEnroll USER_RESOURCE_UPDATE_CONTENT
google.admin.AdminService.playForWorkUnenroll USER_RESOURCE_UPDATE_CONTENT
google.admin.AdminService.mxRecordVerificationClaim USER_RESOURCE_UPDATE_CONTENT
google.admin.AdminService.toggleNewAppFeatures USER_RESOURCE_UPDATE_CONTENT
google.admin.AdminService.toggleUseNextGenControlPanel USER_RESOURCE_UPDATE_CONTENT
google.admin.AdminService.uploadOauthCertificate USER_RESOURCE_UPDATE_CONTENT
google.admin.AdminService.regenerateOauthConsumerSecret USER_RESOURCE_UPDATE_CONTENT
google.admin.AdminService.toggleOpenIdEnabled USER_RESOURCE_UPDATE_CONTENT
google.admin.AdminService.changeOrganizationName USER_RESOURCE_UPDATE_CONTENT
google.admin.AdminService.toggleOutboundRelay USER_RESOURCE_UPDATE_CONTENT
google.admin.AdminService.changePasswordMaxLength USER_RESOURCE_UPDATE_CONTENT
google.admin.AdminService.changePasswordMinLength USER_RESOURCE_UPDATE_CONTENT
google.admin.AdminService.updateDomainPrimaryAdminEmail RESOURCE_WRITTEN
google.admin.AdminService.enableServiceOrFeatureNotifications USER_RESOURCE_UPDATE_CONTENT
google.admin.AdminService.removeApplication RESOURCE_DELETION
google.admin.AdminService.removeApplicationFromWhitelist RESOURCE_DELETION
google.admin.AdminService.changeRenewDomainRegistration USER_RESOURCE_UPDATE_CONTENT
google.admin.AdminService.changeResellerAccess USER_RESOURCE_UPDATE_CONTENT
google.admin.AdminService.ruleActionsChanged USER_RESOURCE_UPDATE_CONTENT
google.admin.AdminService.createRule USER_RESOURCE_CREATION
google.admin.AdminService.changeRuleCriteria USER_RESOURCE_UPDATE_CONTENT
google.admin.AdminService.deleteRule RESOURCE_DELETION
google.admin.AdminService.renameRule USER_RESOURCE_UPDATE_CONTENT
google.admin.AdminService.ruleStatusChanged USER_RESOURCE_UPDATE_CONTENT
google.admin.AdminService.addSecondaryDomain USER_RESOURCE_CREATION
google.admin.AdminService.removeSecondaryDomain RESOURCE_DELETION
google.admin.AdminService.skipSecondaryDomainMx USER_RESOURCE_UPDATE_CONTENT
google.admin.AdminService.verifySecondaryDomainMx USER_RESOURCE_UPDATE_CONTENT
google.admin.AdminService.verifySecondaryDomain USER_RESOURCE_UPDATE_CONTENT
google.admin.AdminService.updateDomainSecondaryEmail RESOURCE_WRITTEN
google.admin.AdminService.changeSsoSettings USER_RESOURCE_UPDATE_CONTENT
google.admin.AdminService.generatePin USER_RESOURCE_UPDATE_CONTENT
google.admin.AdminService.updateRule RESOURCE_WRITTEN
google.admin.AdminService.dropFromQuarantine USER_RESOURCE_UPDATE_CONTENT
google.admin.AdminService.emailLogSearch USER_RESOURCE_UPDATE_CONTENT
google.admin.AdminService.emailUndelete RESOURCE_DELETION
google.admin.AdminService.changeEmailSetting USER_RESOURCE_UPDATE_CONTENT
google.admin.AdminService.changeGmailSetting USER_RESOURCE_UPDATE_CONTENT
google.admin.AdminService.createGmailSetting USER_RESOURCE_CREATION
google.admin.AdminService.deleteGmailSetting RESOURCE_DELETION
google.admin.AdminService.rejectFromQuarantine USER_RESOURCE_UPDATE_CONTENT
google.admin.AdminService.releaseFromQuarantine USER_RESOURCE_UPDATE_CONTENT
google.admin.AdminService.createGroup USER_RESOURCE_CREATION
google.admin.AdminService.deleteGroup RESOURCE_DELETION
google.admin.AdminService.changeGroupDescription USER_RESOURCE_UPDATE_CONTENT
google.admin.AdminService.groupListDownload USER_RESOURCE_ACCESS
google.admin.AdminService.addGroupMember GROUP_MODIFICATION
google.admin.AdminService.removeGroupMember RESOURCE_DELETION
google.admin.AdminService.updateGroupMember RESOURCE_WRITTEN
google.admin.AdminService.updateGroupMemberDeliverySettings RESOURCE_WRITTEN
google.admin.AdminService.updateGroupMemberDeliverySettingsCanEmailOverride RESOURCE_WRITTEN
google.admin.AdminService.groupMemberBulkUpload USER_RESOURCE_UPDATE_CONTENT
google.admin.AdminService.groupMembersDownload USER_RESOURCE_UPDATE_CONTENT
google.admin.AdminService.changeGroupName USER_RESOURCE_UPDATE_CONTENT
google.admin.AdminService.changeGroupSetting USER_RESOURCE_UPDATE_CONTENT
google.admin.AdminService.whitelistedGroupsUpdated RESOURCE_WRITTEN
google.admin.AdminService.securityInvestigationAction USER_RESOURCE_UPDATE_CONTENT
google.admin.AdminService.securityInvestigationActionCancellation USER_RESOURCE_UPDATE_CONTENT
google.admin.AdminService.securityInvestigationActionCompletion USER_RESOURCE_UPDATE_CONTENT
google.admin.AdminService.securityInvestigationActionRetry USER_RESOURCE_UPDATE_CONTENT
google.admin.AdminService.securityInvestigationActionVerificationConfirmation USER_RESOURCE_UPDATE_CONTENT
google.admin.AdminService.securityInvestigationActionVerificationRequest USER_RESOURCE_UPDATE_CONTENT
google.admin.AdminService.securityInvestigationActionVerificationRequestExpiration USER_RESOURCE_UPDATE_CONTENT
google.admin.AdminService.securityInvestigationChartCreate USER_RESOURCE_CREATION
google.admin.AdminService.securityInvestigationContentAccess USER_RESOURCE_UPDATE_CONTENT
google.admin.AdminService.securityInvestigationDownloadAttachment USER_RESOURCE_UPDATE_CONTENT
google.admin.AdminService.securityInvestigationExportActionResults USER_RESOURCE_UPDATE_CONTENT
google.admin.AdminService.securityInvestigationExportQuery USER_RESOURCE_UPDATE_CONTENT
google.admin.AdminService.securityInvestigationObjectCreateDraftInvestigation USER_RESOURCE_CREATION
google.admin.AdminService.securityInvestigationObjectDeleteInvestigation RESOURCE_DELETION
google.admin.AdminService.securityInvestigationObjectDuplicateInvestigation USER_RESOURCE_UPDATE_CONTENT
google.admin.AdminService.securityInvestigationObjectOwnershipTransfer USER_RESOURCE_UPDATE_CONTENT
google.admin.AdminService.securityInvestigationObjectSaveInvestigation USER_RESOURCE_UPDATE_CONTENT
google.admin.AdminService.securityInvestigationObjectUpdateDirectSharing RESOURCE_WRITTEN
google.admin.AdminService.securityInvestigationObjectUpdateLinkSharing RESOURCE_WRITTEN
google.admin.AdminService.securityInvestigationQuery USER_RESOURCE_UPDATE_CONTENT
google.admin.AdminService.securityInvestigationSettingUpdate RESOURCE_WRITTEN
google.admin.AdminService.addToTrustedOauth2Apps USER_RESOURCE_CREATION
google.admin.AdminService.allowAspWithout2Sv USER_RESOURCE_UPDATE_CONTENT
google.admin.AdminService.allowServiceForOauth2Access USER_RESOURCE_UPDATE_CONTENT
google.admin.AdminService.allowStrongAuthentication USER_RESOURCE_UPDATE_CONTENT
google.admin.AdminService.blockOnDeviceAccess USER_RESOURCE_UPDATE_CONTENT
google.admin.AdminService.changeAllowedTwoStepVerificationMethods USER_RESOURCE_UPDATE_CONTENT
google.admin.AdminService.changeAppAccessSettingsCollectionId USER_RESOURCE_UPDATE_CONTENT
google.admin.AdminService.changeCaaAppAssignments USER_RESOURCE_UPDATE_CONTENT
google.admin.AdminService.changeCaaDefaultAssignments USER_RESOURCE_UPDATE_CONTENT
google.admin.AdminService.changeCaaErrorMessage USER_RESOURCE_UPDATE_CONTENT
google.admin.AdminService.changeSessionLength USER_RESOURCE_UPDATE_CONTENT
google.admin.AdminService.changeTwoStepVerificationEnrollmentPeriodDuration USER_RESOURCE_UPDATE_CONTENT
google.admin.AdminService.changeTwoStepVerificationFrequency USER_RESOURCE_UPDATE_PERMISSIONS
google.admin.AdminService.changeTwoStepVerificationGracePeriodDuration USER_RESOURCE_UPDATE_CONTENT
google.admin.AdminService.changeTwoStepVerificationStartDate USER_RESOURCE_UPDATE_CONTENT
google.admin.AdminService.disallowServiceForOauth2Access USER_RESOURCE_UPDATE_CONTENT
google.admin.AdminService.enableNonAdminUserPasswordRecovery USER_RESOURCE_UPDATE_CONTENT
google.admin.AdminService.enforceStrongAuthentication USER_RESOURCE_UPDATE_PERMISSIONS
google.admin.AdminService.removeFromTrustedOauth2Apps RESOURCE_DELETION
google.admin.AdminService.sessionControlSettingsChange USER_RESOURCE_UPDATE_CONTENT
google.admin.AdminService.toggleCaaEnablement USER_RESOURCE_UPDATE_CONTENT
google.admin.AdminService.trustDomainOwnedOauth2Apps USER_RESOURCE_UPDATE_CONTENT
google.admin.AdminService.unblockOnDeviceAccess USER_RESOURCE_UPDATE_CONTENT
google.admin.AdminService.untrustDomainOwnedOauth2Apps USER_RESOURCE_UPDATE_CONTENT
google.admin.AdminService.updateErrorMsgForRestrictedOauth2Apps RESOURCE_WRITTEN
google.admin.AdminService.weakProgrammaticLoginSettingsChanged USER_RESOURCE_UPDATE_CONTENT
google.admin.AdminService.delete2SvScratchCodes RESOURCE_DELETION
google.admin.AdminService.generate2SvScratchCodes USER_RESOURCE_UPDATE_CONTENT
google.admin.AdminService.revoke3LoDeviceTokens USER_RESOURCE_UPDATE_CONTENT
google.admin.AdminService.revoke3LoToken USER_RESOURCE_UPDATE_CONTENT
google.admin.AdminService.addRecoveryEmail USER_RESOURCE_CREATION
google.admin.AdminService.addRecoveryPhone USER_RESOURCE_CREATION
google.admin.AdminService.grantAdminPrivilege USER_RESOURCE_UPDATE_CONTENT
google.admin.AdminService.revokeAdminPrivilege USER_RESOURCE_UPDATE_CONTENT
google.admin.AdminService.revokeAsp USER_RESOURCE_UPDATE_CONTENT
google.admin.AdminService.toggleAutomaticContactSharing USER_RESOURCE_UPDATE_CONTENT
google.admin.AdminService.bulkUpload USER_RESOURCE_UPDATE_CONTENT
google.admin.AdminService.bulkUploadNotificationSent USER_RESOURCE_UPDATE_CONTENT
google.admin.AdminService.cancelUserInvite USER_RESOURCE_UPDATE_CONTENT
google.admin.AdminService.changeUserCustomField USER_RESOURCE_UPDATE_CONTENT
google.admin.AdminService.changeUserExternalId USER_RESOURCE_UPDATE_CONTENT
google.admin.AdminService.changeUserGender USER_RESOURCE_UPDATE_CONTENT
google.admin.AdminService.changeUserIm USER_RESOURCE_UPDATE_CONTENT
google.admin.AdminService.enableUserIpWhitelist USER_RESOURCE_UPDATE_CONTENT
google.admin.AdminService.changeUserKeyword USER_RESOURCE_UPDATE_CONTENT
google.admin.AdminService.changeUserLanguage USER_RESOURCE_UPDATE_CONTENT
google.admin.AdminService.changeUserLocation USER_RESOURCE_UPDATE_CONTENT
google.admin.AdminService.changeUserOrganization USER_RESOURCE_UPDATE_CONTENT
google.admin.AdminService.changeUserPhoneNumber USER_RESOURCE_UPDATE_CONTENT
google.admin.AdminService.changeRecoveryEmail USER_RESOURCE_UPDATE_CONTENT
google.admin.AdminService.changeRecoveryPhone USER_RESOURCE_UPDATE_CONTENT
google.admin.AdminService.changeUserRelation USER_RESOURCE_UPDATE_CONTENT
google.admin.AdminService.changeUserAddress USER_RESOURCE_CREATION
google.admin.AdminService.createEmailMonitor USER_RESOURCE_CREATION
google.admin.AdminService.createDataTransferRequest USER_RESOURCE_CREATION
google.admin.AdminService.grantDelegatedAdminPrivileges USER_RESOURCE_UPDATE_CONTENT
google.admin.AdminService.deleteAccountInfoDump RESOURCE_DELETION
google.admin.AdminService.deleteEmailMonitor RESOURCE_DELETION
google.admin.AdminService.deleteMailboxDump RESOURCE_DELETION
google.admin.AdminService.changeFirstName USER_RESOURCE_UPDATE_CONTENT
google.admin.AdminService.gmailResetUser USER_RESOURCE_UPDATE_CONTENT
google.admin.AdminService.changeLastName USER_RESOURCE_UPDATE_CONTENT
google.admin.AdminService.mailRoutingDestinationAdded USER_RESOURCE_CREATION
google.admin.AdminService.mailRoutingDestinationRemoved RESOURCE_DELETION
google.admin.AdminService.addNickname USER_RESOURCE_CREATION
google.admin.AdminService.removeNickname RESOURCE_DELETION
google.admin.AdminService.changePassword USER_CHANGE_PASSWORD
google.admin.AdminService.changePasswordOnNextLogin USER_CHANGE_PASSWORD
google.admin.AdminService.downloadPendingInvitesList USER_RESOURCE_ACCESS
google.admin.AdminService.removeRecoveryEmail RESOURCE_DELETION
google.admin.AdminService.removeRecoveryPhone RESOURCE_DELETION
google.admin.AdminService.requestAccountInfo USER_RESOURCE_UPDATE_CONTENT
google.admin.AdminService.requestMailboxDump USER_RESOURCE_UPDATE_CONTENT
google.admin.AdminService.resendUserInvite USER_RESOURCE_UPDATE_CONTENT
google.admin.AdminService.resetSigninCookies USER_RESOURCE_UPDATE_CONTENT
google.admin.AdminService.securityKeyRegisteredForUser USER_RESOURCE_UPDATE_CONTENT
google.admin.AdminService.revokeSecurityKey USER_RESOURCE_UPDATE_CONTENT
google.admin.AdminService.userInvite USER_RESOURCE_UPDATE_CONTENT
google.admin.AdminService.viewTempPassword USER_RESOURCE_UPDATE_CONTENT
google.admin.AdminService.turnOff2StepVerification USER_RESOURCE_UPDATE_CONTENT
google.admin.AdminService.unblockUserSession USER_RESOURCE_UPDATE_CONTENT
google.admin.AdminService.unenrollUserFromTitanium USER_RESOURCE_UPDATE_CONTENT
google.admin.AdminService.archiveUser USER_RESOURCE_UPDATE_CONTENT
google.admin.AdminService.updateBirthdate RESOURCE_WRITTEN
google.admin.AdminService.createUser USER_CREATION
google.admin.AdminService.deleteUser RESOURCE_DELETION
google.admin.AdminService.downgradeUserFromGplus USER_RESOURCE_UPDATE_CONTENT
google.admin.AdminService.userEnrolledInTwoStepVerification USER_RESOURCE_UPDATE_CONTENT
google.admin.AdminService.downloadUserlistCsv USER_RESOURCE_ACCESS
google.admin.AdminService.moveUserToOrgUnit USER_RESOURCE_UPDATE_CONTENT
google.admin.AdminService.userPutInTwoStepVerificationGracePeriod USER_RESOURCE_UPDATE_CONTENT
google.admin.AdminService.renameUser USER_RESOURCE_UPDATE_CONTENT
google.admin.AdminService.unenrollUserFromStrongAuth USER_RESOURCE_UPDATE_CONTENT
google.admin.AdminService.suspendUser USER_CHANGE_PERMISSIONS
google.admin.AdminService.unarchiveUser USER_RESOURCE_UPDATE_CONTENT
google.admin.AdminService.undeleteUser RESOURCE_DELETION
google.admin.AdminService.upgradeUserToGplus USER_RESOURCE_UPDATE_CONTENT
google.admin.AdminService.usersBulkUpload USER_RESOURCE_UPDATE_CONTENT
google.admin.AdminService.usersBulkUploadNotificationSent USER_RESOURCE_UPDATE_CONTENT
google.admin.AdminService.createAccessLevelV2 USER_RESOURCE_CREATION
google.admin.AdminService.systemDefinedRuleUpdated USER_RESOURCE_UPDATE_PERMISSIONS
google.admin.AdminService.createDeviceEnrollmentToken USER_RESOURCE_CREATION
google.login.LoginService.2svDisable STATUS_UPDATE
google.login.LoginService.2svEnroll STATUS_UPDATE
google.login.LoginService.accountDisabledPasswordLeak STATUS_UPDATE
google.login.LoginService.accountDisabledGeneric USER_LOGIN
google.login.LoginService.accountDisabledSpammingThroughRelay USER_LOGIN

Security category: NETWORK_SUSPICIOUS
google.login.LoginService.accountDisabledSpamming USER_LOGIN

Security category: NETWORK_SUSPICIOUS
google.login.LoginService.accountDisabledHijacked USER_LOGIN

Security category: NETWORK_SUSPICIOUS
google.login.LoginService.emailForwardingOutOfDomain EMAIL_TRANSACTION
google.login.LoginService.govAttackWarning USER_LOGIN

Security category: NETWORK_MALICIOUS
google.login.LoginService.loginChallenge USER_LOGIN
google.login.LoginService.loginFailure USER_LOGIN

Security category: AUTH_VIOLATION
google.login.LoginService.loginVerification USER_LOGIN
google.login.LoginService.logout USER_LOGOUT
google.login.LoginService.loginSuccess USER_LOGIN
google.login.LoginService.passwordEdit USER_CHANGE_PASSWORD
google.login.LoginService.recoveryEmailEdit USER_RESOURCE_UPDATE_CONTENT
google.login.LoginService.recoveryPhoneEdit USER_RESOURCE_UPDATE_CONTENT
google.login.LoginService.recoverySecretQaEdit USER_RESOURCE_UPDATE_CONTENT
google.login.LoginService.suspiciousLogin USER_LOGIN

Security category: ACL_VIOLATION
google.login.LoginService.suspiciousLoginLessSecureApp USER_LOGIN

Security category: ACL_VIOLATION
google.login.LoginService.suspiciousProgrammaticLogin USER_LOGIN

Security category: ACL_VIOLATION
google.login.LoginService.titaniumEnroll USER_RESOURCE_UPDATE_CONTENT
google.login.LoginService.titaniumUnenroll USER_RESOURCE_CREATION
google.identity.accesscontextmanager.v1.AccessContextManager.CreateAccessLevel USER_RESOURCE_CREATION
google.apps.cloudidentity.groups.v1.MembershipsService.UpdateMembership USER_RESOURCE_UPDATE_CONTENT
io.k8s.core.v1.pods.create RESOURCE_CREATION
io.k8s.authorization.rbac.v1.clusterrolebindings.create RESOURCE_CREATION
beta.compute.instanceTemplates.insert RESOURCE_CREATION
SetOrgPolicy USER_RESOURCE_UPDATE_PERMISSIONS
beta.compute.instanceGroupManagers.patch RESOURCE_WRITTEN
beta.compute.autoscalers.update RESOURCE_WRITTEN
compute.v1.InstancesService.Get USER_RESOURCE_ACCESS
google.storage.objects.list USER_RESOURCE_ACCESS
google.cloudresourcemanager.v1.Projects.SetIamPolicy USER_RESOURCE_UPDATE_PERMISSIONS
cloudsql.instances.query USER_RESOURCE_ACCESS
cloudtrace.googleapis.com/ListInsights RESOURCE_READ
google.cloud.functions.v1.CloudFunctionsService.CreateFunction RESOURCE_CREATION
google.api.servicemanagement.v1.ServiceManager.ActivateServices USER_RESOURCE_UPDATE_CONTENT
google.admin.AdminService.changePassword USER_CHANGE_PASSWORD
google.api.serviceusage.v1.ServiceUsage.DisableService USER_RESOURCE_UPDATE_CONTENT
AuthorizeUser USER_LOGIN
google.cloud.oslogin.v1.OsLoginService.CheckPolicy USER_LOGIN
google.admin.AdminService.unsuspendUser USER_CHANGE_PERMISSIONS
jobservice.jobcompleted RESOURCE_WRITTEN
compute.v1.ProjectsService.Get USER_RESOURCE_ACCESS
v1.compute.projects.setCommonInstanceMetadata USER_RESOURCE_UPDATE_CONTENT
CreateCryptoKey RESOURCE_CREATION
storage.buckets.get RESOURCE_READ
google.longrunning.Operations.GetOperation RESOURCE_READ
io.k8s.core.v1.pods.delete RESOURCE_DELETION
v1.compute.disks.delete RESOURCE_DELETION
v1.compute.disks.insert RESOURCE_CREATION
ScheduledSnapshots RESOURCE_WRITTEN
v1.compute.disks.setLabels RESOURCE_WRITTEN
google.cloud.healthcare.v1alpha2.dataset.DatasetService.AccessEhrSearch STATUS_UPDATE
io.k8s.apiextensions.v1.customresourcedefinitions.patch RESOURCE_WRITTEN
io.k8s.post USER_UNCATEGORIZED
v1.compute.instances.delete RESOURCE_DELETION
storage.buckets.list RESOURCE_READ
storage.objects.create RESOURCE_CREATION
google.pubsub.v1.Publisher.CreateTopic RESOURCE_CREATION
google.devtools.cloudbuild.v1.CloudBuild.ListBuilds USER_RESOURCE_ACCESS
google.cloud.asset.v1.AssetService.UpdateFeed USER_RESOURCE_UPDATE_PERMISSIONS
storage.objects.update RESOURCE_WRITTEN
datasetservice.insert USER_RESOURCE_CREATION
storage.setIamPermissions USER_RESOURCE_UPDATE_PERMISSIONS
io.k8s.coordination.v1.leases.update RESOURCE_WRITTEN
datasetservice.delete USER_RESOURCE_DELETION
compute.instances.repair.recreateInstance RESOURCE_CREATION
tableservice.delete USER_RESOURCE_DELETION
io.k8s.core.v1.configmaps.update RESOURCE_WRITTEN
io.k8s.core.v1.nodes.proxy.get RESOURCE_READ
compute.instances.repair.deleteInstance RESOURCE_DELETION
google.cloud.dataproc.v1.JobController.SubmitJob RESOURCE_WRITTEN
google.cloud.dataproc.v1beta2.ClusterController.UpdateCluster RESOURCE_WRITTEN
io.k8s.app.v1beta1.applications.update RESOURCE_WRITTEN
io.gke.networking.v1beta1.managedcertificates.update RESOURCE_WRITTEN
io.k8s.extensions.v1beta1.deployments.patch RESOURCE_WRITTEN
compute.instanceGroupManagers.deleteInstances RESOURCE_DELETION
io.k8s.authorization.rbac.v1.rolebindings.patch RESOURCE_WRITTEN
google.admin.AdminService.toggleServiceEnabled USER_UNCATEGORIZED
io.k8s.core.v1.services.proxy.get RESOURCE_READ
google.datastore.v1.Datastore.RunQuery STATUS_UPDATE
google.appengine.Datastore.Put STATUS_UPDATE
google.cloud.securitycenter.settings.v1beta2.Settings.UpdateSecurityHealthAnalyticsSettings RESOURCE_WRITTEN
v1.compute.securityPolicies.patchRule RESOURCE_WRITTEN
beta.compute.images.setIamPolicy USER_RESOURCE_UPDATE_PERMISSIONS
google.iam.v1.IAMPolicy.SetIamPolicy USER_RESOURCE_UPDATE_PERMISSIONS
io.k8s.certificates.v1.certificatesigningrequests.create RESOURCE_CREATION
io.k8s.core.v0.id.create RESOURCE_CREATION
google.cloud.orgpolicy.v2.OrgPolicy.DeletePolicy RESOURCE_WRITTEN
google.cloud.securitycenter.settings.v1beta2.Settings.UpdateEventThreatDetectionSettings RESOURCE_DELETION
UpdateCryptoKeyVersion RESOURCE_WRITTEN
google.apps.cloudidentity.groups.v1.GroupsService.UpdateGroup RESOURCE_WRITTEN
v1 STATUS_UPDATE
google.cloud.run.v1.Services.ReplaceService SERVICE_UNCATEGORIZED
updatePolicy RESOURCE_WRITTEN
updateBackup RESOURCE_WRITTEN

Field mapping reference: GCP_CLOUDAUDIT

The following table lists the log fields of the GCP_CLOUDAUDIT log type and their corresponding UDM fields.
Log field UDM mapping Logic
jsonPayload.accesses[].resourceName about.resource.name
protoPayload.response.selfLink about.url
protoPayload.metadata.event.eventName.parameter.name[login_challenge_method] extensions.auth.auth_details If the protoPayload.metadata.event.eventName log field value is equal to login_failure or login_verification or login_challenge or login_success, then if the protoPayload.metadata.event.eventName.parameter.name log field value is equal to login_challenge_method, then the protoPayload.metadata.event.eventName.parameter.value log field is mapped to the extensions.auth.auth_details UDM field.
extensions.auth.auth_mechanism If protoPayload.metadata.event.eventName is equal to login_failure or login_verification or login_challenge or logic_success, then the extensions.auth.auth_mechanism UDM field is:
  • Set to MECHANISM_OTHER when the following conditions are met:
    • The value in the protoPayload.metadata.event.eventName.parameter.name is equal to is_second_factor.
    • The value protoPayload.metadata.event.eventName.parameter.value is not equal to True.
  • Set to USERNAME_PASSWORD when the following conditions are met:
    • The value in the protoPayload.metadata.event.eventName.parameter.name is equal to login_challenge_method or login_type.
    • The value protoPayload.metadata.event.eventName.parameter.value is equal to exchange or password or google_password or saml.
  • Set to OTP when the following conditions are met:
    • The value in the protoPayload.metadata.event.eventName.parameter.name is equal to login_challenge_method or login_type.
    • The value protoPayload.metadata.event.eventName.parameter.value is equal to backup_code or google_authenticator or idv_any_phone or idv_preregistered_phone or offline_otp or security_key_otp.
  • Set to INTERACTIVE when one of the following conditions are met:
    • The value in the protoPayload.metadata.event.eventName.parameter.name is equal to is_second_factor and the value protoPayload.metadata.event.eventName.parameter.value is equal to True.
    • The value in the protoPayload.metadata.event.eventName.parameter.name is equal to login_challenge_method or login_type and the value protoPayload.metadata.event.eventName.parameter.value is equal to internal_two_factor or login_location.
  • Set to MECHANISM_OTHER when the following conditions are met:
    • The value in the protoPayload.metadata.event.eventName.parameter.name is equal to login_challenge_method or login_type.
    • The value protoPayload.metadata.event.eventName.parameter.value is equal to google_prompt or knowledge_employee_id or knowledge_preregistered_email or knowledge_preregistered_phone or other.
  • Set to HARDWARE_KEY when the following conditions are met:
    • The value in the protoPayload.metadata.event.eventName.parameter.name is equal to login_challenge_method or login_type.
    • The value protoPayload.metadata.event.eventName.parameter.value is equal to security_key.
  • Set to MECHANISM_UNSPECIFIED when the following conditions are met:
    • The value in the protoPayload.metadata.event.eventName.parameter.name is equal to login_challenge_method or login_type.
    • The value protoPayload.metadata.event.eventName.parameter.value is equal to reauth or unknown.
extensions.auth.type If the protoPayload.metadata.event.eventName log field value is equal to login_failure or login_verification or login_challenge or login_success, then if the protoPayload.metadata.event.eventName.parameter.name log field value is equal to login_challenge_method, then the extensions.auth.type UDM field is set to MACHINE.
protoPayload.response.vulnerability.shortDescription extensions.vulns.vulnerabilities.cve_id
protoPayload.response.vulnerability.effectiveSeverity extensions.vulns.vulnerabilities.severity If the protoPayload.response.vulnerability.effectiveSeverity log field value contains one of the following values, then the protoPayload.response.vulnerability.effectiveSeverity log field is mapped to the extensions.vulns.vulnerabilities.severity UDM field.
  • CRITICAL
  • HIGH
  • MEDIUM
  • LOW
protoPayload.request.occurrence.vulnerability.shortDescription extensions.vulns.vulnerabilities.cve_id
protoPayload.request.occurrence.vulnerability.effectiveSeverity extensions.vulns.vulnerabilities.severity If the protoPayload.request.occurrence.vulnerability.effectiveSeverity log field value contain one of the following values, then the protoPayload.request.occurrence.vulnerability.effectiveSeverity log field is mapped to the extensions.vulns.vulnerabilities.severity UDM field.
  • CRITICAL
  • HIGH
  • MEDIUM
  • LOW
protoPayload.request.occurrence.resourceUri additional.fields[request_resourceuri]
protoPayload.request.spec.type target.resource.attribute.labels[request_spec_type]
protoPayload.response.spec.type target.resource.attribute.labels[response_spec_type]
protoPayload.request.spec.template.spec.shareProcessNamespace target.resource.attribute.labels[req_spec_template_spec_share_process_namespace]
protoPayload.response.spec.template.spec.shareProcessNamespace target.resource.attribute.labels[resp_spec_template_spec_share_process_namespace]
protoPayload.request.spec.jobTemplate.spec.template.spec.shareProcessNamespace target.resource.attribute.labels[req_spec_jobtemplate_spec_template_spec_share_process_namespace]
protoPayload.request.spec.jobTemplate.spec.template.spec.restartPolicy target.resource.attribute.labels[req_spec_jobtemplate_spec_template_spec_restart_policy]
protoPayload.request.spec.jobTemplate.spec.template.spec.containers.args target.resource_ancestors.attribute.labels[req_spec_jobtemplate_spec_template_spec_container_arg_{index}]
protoPayload.request.spec.jobTemplate.spec.template.spec.containers.command target.resource_ancestors.attribute.labels[req_spec_jobtemplate_spec_template_spec_container_command_{index}]
protoPayload.request.spec.jobTemplate.spec.template.spec.containers.image target.resource_ancestors.attribute.labels[req_spec_jobtemplate_spec_template_spec_container_image]
protoPayload.request.spec.jobTemplate.spec.template.spec.containers.imagePullPolicy target.resource_ancestors.attribute.labels[req_spec_jobtemplate_spec_template_spec_container_image_pull_policy]
protoPayload.request.spec.jobTemplate.spec.template.spec.containers.name target.resource_ancestors.name
protoPayload.request.spec.jobTemplate.spec.template.spec.containers.resources.limits.cpu target.resource_ancestors.attribute.labels[req_spec_jobtemplate_spec_template_spec_container_resource_limits_cpu]
protoPayload.request.spec.jobTemplate.spec.template.spec.containers.resources.limits.memory target.resource_ancestors.attribute.labels[req_spec_jobtemplate_spec_template_spec_container_resource_limits_memory]
protoPayload.request.spec.jobTemplate.spec.template.spec.containers.resources.requests.cpu target.resource_ancestors.attribute.labels[req_spec_jobtemplate_spec_template_spec_container_resource_request_cpu]
protoPayload.request.spec.jobTemplate.spec.template.spec.containers.resources.requests.memory target.resource_ancestors.attribute.labels[req_spec_jobtemplate_spec_template_spec_container_resource_request_memory]
protoPayload.request.spec.jobTemplate.spec.template.spec.containers.securityContext.allowPrivilegeEscalation target.resource_ancestors.attribute.labels[req_spec_jobtemplate_spec_template_spec_container_security_context_allow_privilege_escalation]
protoPayload.request.spec.jobTemplate.spec.template.spec.containers.securityContext.capabilities.drop target.resource_ancestors.attribute.labels[req_spec_jobtemplate_spec_template_spec_container_security_context_capabilities_drop_{index}]
protoPayload.request.spec.jobTemplate.spec.template.spec.containers.securityContext.privileged target.resource_ancestors.attribute.labels[req_spec_jobtemplate_spec_template_spec_container_security_context_privileged]
protoPayload.request.spec.jobTemplate.spec.template.spec.containers.securityContext.readOnlyRootFilesystem target.resource_ancestors.attribute.labels[req_spec_jobtemplate_spec_template_spec_container_security_context_read_only_root_filesystem]
protoPayload.request.spec.jobTemplate.spec.template.spec.containers.terminationMessagePath target.resource_ancestors.attribute.labels[req_spec_jobtemplate_spec_template_spec_container_termination_message_path]
protoPayload.request.spec.jobTemplate.spec.template.spec.containers.terminationMessagePolicy target.resource_ancestors.attribute.labels[req_spec_jobtemplate_spec_template_spec_container_termination_message_policy]
protoPayload.request.spec.jobTemplate.spec.template.spec.containers.volumeMounts.mountPath target.resource_ancestors.attribute.labels[req_spec_jobtemplate_spec_template_spec_container_volume_mounts_mount_path_{index}]
protoPayload.request.spec.jobTemplate.spec.template.spec.containers.volumeMounts.name target.resource_ancestors.attribute.labels[req_spec_jobtemplate_spec_template_spec_container_volume_mounts_name_{index}]
protoPayload.request.spec.jobTemplate.spec.template.spec.containers.volumeMounts.readOnly target.resource_ancestors.attribute.labels[req_spec_jobtemplate_spec_template_spec_container_volume_mounts_readonly_{index}]
protoPayload.metadata.event.eventName.parameter.name[GATEWAY_NAME] intermediary.resource.name
receiveTimestamp metadata.collected_timestamp
protoPayload.response.operationType metadata.description If the protoPayload.methodName log field value is equal to cloudsql.instances.create, then the protoPayload.response.operationType - protoPayload.response.kind log field is mapped to the metadata.description UDM field.
protoPayload.response.kind target.resource.attribute.labels[response_kind]
protoPayload.status.message metadata.description
protoPayload.metadata.event.eventName.parameter.name[SETTING_DESCRIPTION] metadata.description
timestamp metadata.event_timestamp
protoPayload.methodName metadata.product_event_type
resource.labels.method metadata.product_event_type
jsonPayload.event_subtype metadata.product_event_type
insertId metadata.product_log_id
protoPayload.metadata.event.eventName.parameter.name[PRODUCT_NAME] metadata.product_name If the protoPayload.serviceName log field value matches the regular expression (compute.googleapis.com), then the metadata.product_name UDM field is set to Google Compute Engine.

If the protoPayload.serviceName log field value matches the regular expression (bigquery.googleapis.com), then the metadata.product_name UDM field is set to BigQuery.

If the protoPayload.serviceName log field value matches the regular expression (admin.googleapis.com or login.googleapis.com or cloudidentity.googleapis.com), then the metadata.product_name UDM field is set to G Suite.

If the protoPayload.serviceName log field value matches the regular expression (k8s.io), then the metadata.product_name UDM field is set to Google Kubernetes Engine.

If the protoPayload.serviceName log field value matches the regular expression (servicemanagement.googleapis.com), then the metadata.product_name UDM field is set to Google Service Management.

If the protoPayload.serviceName log field value matches the regular expression (storage.googleapis.com), then the metadata.product_name UDM field is set to Google Cloud Storage.

If the protoPayload.serviceName log field value matches the regular expression (cloudsql.googleapis.com), then the metadata.product_name UDM field is set to Google Cloud SQL.

If the protoPayload.serviceName log field value matches the regular expression (dataproc.googleapis.com), then the metadata.product_name UDM field is set to Google Dataproc.

If the protoPayload.serviceName log field value matches the regular expression (iam.googleapis.com), then the metadata.product_name UDM field is set to Google Cloud IAM.

If the protoPayload.serviceName log field value matches the regular expression (accesscontextmanager.googleapis.com), then the metadata.product_name UDM field is set to Context Manager API.
logName metadata.url_back_to_product
protoPayload.response.selfLinkWithId metadata.url_back_to_product
metadata.vendor_name The metadata.vendor_name UDM field is set to Google Cloud Platform.
httpRequest.protocol network.application_protocol
protoPayload.metadata.request_id network.community_id
protoPayload.resourceOriginalState.direction network.direction
protoPayload.request.direction network.direction
protoPayload.response.duration network.session_duration
protoPayload.request.serialConsoleOptions principal.port Iterate through log field protoPayload.request.serialConsoleOptions, then
If the protoPayload.request.serialConsoleOptions.name value is equal to port then, protoPayload.request.serialConsoleOptions.value log field is mapped to the principal.port UDM field.
Else, the protoPayload.request.serialConsoleOptions.name log field is mapped to the principal.resource.attribute.labels.key UDM field and protoPayload.request.serialConsoleOptions.value log field is mapped to the principal.resource.attribute.labels.value UDM field.
protoPayload.metadata.event.eventName.parameter.name[EMAIL_LOG_SEARCH_SENDER] network.email.from
protoPayload.metadata.event.eventName.parameter.name[EMAIL_LOG_SEARCH_MSG_ID] network.email.mail_id
protoPayload.metadata.event.eventName.parameter.name[EMAIL_LOG_SEARCH_RECIPIENT] network.email.to
httpRequest.requestMethod network.http.method
protoPayload.requestMetadata.requestAttributes.method network.http.method
httpRequest.referer network.http.referral_url
protoPayload.requestMetadata.requestAttributes.path network.http.referral_url
httpRequest.requestUrl network.http.referral_url
protoPayload.resourceOriginalState.network network.http.referral_url
httpRequest.status network.http.response_code
protoPayload.response.error.code network.http.response_code
protoPayload.status.code security_result.detection_fields [status_code]
protoPayload.requestMetadata.callerSuppliedUserAgent network.http.user_agent If the protoPayload.requestMetadata.callerSuppliedUserAgent log field value matches the regular expression Group, then the protoPayload.requestMetadata.callerSuppliedUserAgent log field is mapped to the principal.group.group_display_name UDM field.
httpRequest.userAgent network.http.user_agent
protoPayload.resourceOriginalState.alloweds.IPProtocol network.ip_protocol
protoPayload.requestMetadata.requestAttributes.protocol network.ip_protocol
protoPayload.request.IPProtocol network.ip_protocol
protoPayload.request.alloweds.IPProtocol network.ip_protocol
jsonPayload.connection.protocol network.ip_protocol
protoPayload.metadata.event.eventName.parameter.name[ORG_UNIT_NAME] network.organization_name
httpRequest.responseSize network.received_bytes
httpRequest.requestSize network.sent_bytes
jsonPayload.bytes_sent network.sent_bytes
protoPayload.requestMetadata.requestAttributes.id network.session_id
ProtoPayload.authenticationInfo.serviceAccountDelegationInfo.firstPartyPrincipal.principalEmail principal.email
jsonPayload.src_instance.vm_name principal.hostname
protoPayload.requestMetadata.callerIp principal.ip
protoPayload.metadata.event.eventName.parameter.name[EMAIL_LOG_SEARCH_SMTP_SENDER_IP] principal.ip
jsonPayload.connection.src_ip principal.ip
httpRequest.serverIp principal.ip
resourceLocation.originalLocations principal.location.name
jsonPayload.connection.nat_ip principal.nat_ip
jsonPayload.connection.nat_port principal.nat_port
jsonPayload.connection.src_port principal.port
protoPayload.authorizationInfo.resource principal.resource.name If the protoPayload.authorizationInfo.resource log field value is not empty, then the protoPayload.authorizationInfo.resource log field is mapped to the principal.resource.name UDM field.
protoPayload.authorizationInfo.resourceAttributes.name principal.resource.name If the protoPayload.authorizationInfo.resourceAttributes.name log field value is not empty, then the protoPayload.authorizationInfo.resourceAttributes.name log field is mapped to the principal.resource.name UDM field.
protoPayload.authorizationInfo.permission target.resource_ancestors.attribute.permissions.name
protoPayload.authorizationInfo.permissionType target.resource_ancestors.attribute.permissions.type
protoPayload.authorizationInfo.resourceAttributes.service target.resource_ancestors.attribute.labels[resource_attribute_service]
protoPayload.authorizationInfo.granted target.resource_ancestors.attribute.labels[authorization_granted]
protoPayload.resourceOriginalState.name principal.resource.name
protoPayload.authorizationInfo.resourceAttributes.type principal.resource.resource_subtype
principal.user.account_type If the access.principalSubject log field value matches the regular expression serviceAccount, then the principal.user.account_type UDM field is set to SERVICE_ACCOUNT_TYPE.

If, the access.principalSubject log field value matches the regular expression user, then the principal.user.account_type UDM field is set to CLOUD_ACCOUNT_TYPE.
protoPayload.authorizationInfo.authorizationLoggingOptions.permissionType principal.user.attribute.permissions.description
protoPayload.request.serviceAccounts[].scopes principal.user.attribute.permissions.name
protoPayload.authorizationInfo.permission principal.user.attribute.permissions.name
protoPayload.authorizationInfo.authorizationLoggingOptions.permissionType principal.user.attribute.permissions.type
protoPayload.serviceData.policyDelta.bindingDeltas[].action principal.user.attribute.roles.description
protoPayload.request.bindings.role principal.user.attribute.roles.name
protoPayload.serviceData.policyDelta.bindingDeltas[].role principal.user.attribute.roles.name
jsonPayload.location.principalEmployingEntity principal.user.company_name
jsonPayload.location.principalOfficeCountry principal.user.office_address.country_or_region
protoPayload.authenticationInfo.principalEmail principal.user.userid If the protoPayload.authenticationInfo.principalEmail log field value is not empty, then userid_auth is extracted from the protoPayload.authenticationInfo.principalEmail log field using a Grok pattern, and mapped to the principal.user.userid UDM field.
protoPayload.metadata.jobInsertion.job.jobConfig.queryConfig.query additional.fields[job_insertion_query_org_id_{index}] If the protoPayload.metadata.jobInsertion.job.jobConfig.queryConfig.query log field value is not empty, then org_ids are extracted from the protoPayload.metadata.jobInsertion.job.jobConfig.queryConfig.query log field using a Grok pattern, and mapped to the additional.fields.job_insertion_query_org_id_{index} UDM field.
protoPayload.serviceData.jobInsertRequest.resource.jobConfiguration.query.query additional.fields[job_insert_request_query_org_id_{index}] If the protoPayload.serviceData.jobInsertRequest.resource.jobConfiguration.query.query log field value is not empty, then org_ids are extracted from the protoPayload.serviceData.jobInsertRequest.resource.jobConfiguration.query.query log field using a Grok pattern, and mapped to the additional.fields.job_insert_request_query_org_id_{index} UDM field.
protoPayload.request.permissions target.resource.attribute.labels.permission
protoPayload.request.username principal.user.userid
protoPayload.metadata.event.eventName.parameter.value principal.user.userid If the protoPayload.metadata.event.eventName log field value is equal to CREATE_EMAIL_MONITOR or CREATE_DATA_TRANSFER_REQUEST:
  • If the protoPayload.metadata.event.eventName.parameter.name log field value is equal to USER_EMAIL, then userid is extracted from the protoPayload.metadata.event.eventName.parameter.value log field using a Grok pattern, and mapped to the principal.user.userid UDM field.
    		•
    protoPayload.authenticationInfo.authoritySelector principal.user.userid If the protoPayload.authenticationInfo.authoritySelector log field value is not empty, then userid_selector is extracted from the protoPayload.authenticationInfo.authoritySelector log field using a Grok pattern, and mapped to the principal.user.userid UDM field.
    jsonPayload.actor.user principal.user.userid If the jsonPayload.actor.user log field value is not empty, then userid_actor is extracted from the jsonPayload.actor.user log field using a Grok pattern, and mapped to the principal.user.userid UDM field.
    protoPayload.authenticationInfo.principalEmail principal.user.email_addresses If the protoPayload.authenticationInfo.principalEmail log field value is not empty and the protoPayload.authenticationInfo.principalEmail log field value matches the regular expression .@., then the protoPayload.authenticationInfo.principalEmail log field is mapped to the principal.user.email_addresses UDM field.
    protoPayload.metadata.event.eventName.parameter.value principal.user.email_addresses The protoPayload.metadata.event.eventName.parameter.value is mapped to principal.user.email_addresses when the following conditions are met:
    • The value in the protoPayload.metadata.event.eventName log field value is equal to CREATE_EMAIL_MONITOR or CREATE_DATA_TRANSFER_REQUEST.
    • The value in the protoPayload.metadata.event.eventName.parameter.name log field value is equal to USER_EMAIL.
    • The value in the protoPayload.metadata.event.eventName.parameter.name log field value matches the regular expression .@.
    protoPayload.authenticationInfo.authoritySelector principal.user.email_addresses If the protoPayload.authenticationInfo.authoritySelector log field value is not empty and the protoPayload.authenticationInfo.authoritySelector log field value matches the regular expression .@., then the protoPayload.authenticationInfo.authoritySelector log field is mapped to the principal.user.email_addresses UDM field.
    jsonPayload.actor.user principal.user.email_addresses If the jsonPayload.actor.user log field value is not empty and the jsonPayload.actor.user log field value matches the regular expression .@., then the jsonPayload.actor.user log field is mapped to the principal.user.email_addresses UDM field.
    protoPayload.metadata.event.eventName.parameter.name[login_challenge_status] security_result.action The security_result.action is set to ALLOW when the following conditions are met:
    • The value in the protoPayload.metadata.event.eventName log field value is equal to login_challenge or login_verification.
    • The value in the protoPayload.metadata.event.eventName.parameter.name log field value is equal to login_challenge_status.
    • The value in the protoPayload.metadata.event.parameter.value log field value is equal to Challenge Passed.
    The security_result.action is set to FAIL when the following conditions are met:
    • The value in the protoPayload.metadata.event.eventName log field value is equal to login_challenge or login_verification.
    • The value in the protoPayload.metadata.event.eventName.parameter.name log field value is equal to login_challenge_status.
    • The value in the protoPayload.metadata.event.parameter.value log field value is equal to Challenge Failed.
    protoPayload.metadata.event.eventName.parameter.name[ACTION_TYPE] security_result.action The security_result.action is set to ALLOW when the following conditions are met:
    • The value in the protoPayload.metadata.event.eventName log field value is equal to ACTION_CANCELLED or ACTION_REQUESTED.
    • The value in the protoPayload.metadata.event.eventName.parameter.name log field value is equal to ACTION_TYPE.
    • The value in the protoPayload.metadata.event.parameter.value log field value is equal to ALLOW_ACCESS or APPROVE.
    The security_result.action is set to BLOCK when the following conditions are met:
    • The value in the protoPayload.metadata.event.eventName log field value is equal to ACTION_CANCELLED or ACTION_REQUESTED.
    • The value in the protoPayload.metadata.event.eventName.parameter.name log field value is equal to ACTION_TYPE.
    • The value in the protoPayload.metadata.event.parameter.value log field value is equal to DISALLOW_ACCESS or BLOCK.
    • If the protoPayload.response.error.errors log field value is not empty.
    The security_result.action is set to ALLOW_WITH_MODIFICATION when the following conditions are met:
    • The value in the protoPayload.metadata.event.eventName log field value is equal to ACTION_CANCELLED or ACTION_REQUESTED.
    • The value in the protoPayload.metadata.event.eventName.parameter.name log field value is equal to ACTION_TYPE.
    • The value in the protoPayload.metadata.event.parameter.value log field value is equal to RESET_PIN or REVOKE_TOKEN.
    The security_result.action is set to QUARANTINE when the following conditions are met:
    • The value in the protoPayload.metadata.event.eventName log field value is equal to ACTION_CANCELLED or ACTION_REQUESTED.
    • The value in the protoPayload.metadata.event.eventName.parameter.name log field value is equal to ACTION_TYPE.
    • The value in the protoPayload.metadata.event.parameter.value log field value is equal to LOCK_DEVICE.
    The security_result.action is set to QUARANTINE when the following conditions are met:
    • The value in the protoPayload.metadata.event.eventName log field value is equal to ACTION_CANCELLED or ACTION_REQUESTED.
    • The value in the protoPayload.metadata.event.eventName.parameter.name log field value is equal to ACTION_TYPE.
    • The value in the protoPayload.metadata.event.parameter.value log field value is equal to ACCOUNT_WIPE or COLLECT_BUGREPORT or DEVICE_WIPE or LOCATE_DEVICE or REMOVE_APP_FROM_DEVICE or REMOVE_IOS_PROFILE or RING_DEVICE or SYNC_DEVICE or UNKNOWN.
    security_result.action_details If the protoPayload.metadata.event.eventName log field value is equal to login_challenge or login_verification, then if the protoPayload.metadata.event.eventName.parameter.name log field value is equal to login_challenge_status, then the protoPayload.metadata.event.eventName.parameter.value log field is mapped to the security_result.action_details UDM field.

    If the protoPayload.metadata.event.eventName log field value is equal to ACTION_CANCELLED or ACTION_REQUESTED, then if the protoPayload.metadata.event.eventName.parameter.name log field value is equal to ACTION_TYPE, then the protoPayload.metadata.event.eventName.parameter.value log field is mapped to the security_result.action_details UDM field.
    protoPayload.metadata.event.eventName.parameter.name[is_suspicious] security_result.category If the protoPayload.metadata.event.eventName log field value is equal to login_success, then if the protoPayload.metadata.event.eventName.parameter.name log field value is equal to is_suspicious, then if the protoPayload.metadata.event.eventName.parameter.value log field value is equal to True, then the security_result.category UDM field is set to NETWORK_SUSPICIOUS.
    logName security_result.category_details
    protoPayload.response.status security_result.description
    protoPayload.response.error.errors[].reason security_result.description
    protoPayload.metadata.tableCreation.reason security_result.description
    protoPayload.metadata.tableChange.reason security_result.description
    protoPayload.metadata.tableDeletion.reason security_result.description
    protoPayload.metadata.datasetCreation.reason security_result.description
    protoPayload.metadata.datasetDeletion.reason security_result.description
    protoPayload.policyViolationInfo.orgPolicyViolationInfo.violationInfo.errorMessage security_result.description
    protoPayload.status.message security_result.description
    protoPayload.request.status security_result.description
    jsonPayload.reason[].detail security_result.description
    protoPayload.response.status.state security_result.description
    protoPayload.response.status.conditions[].message security_result.description If the message log field value matches the regular expression response.*status.*conditions.*message, then the protoPayload.response.status.conditions.0.message log field is mapped to the security_result.description UDM field.
    protoPayload.resourceOriginalState.priority security_result.priority_details
    protoPayload.request.priority security_result.priority_details
    protoPayload.serviceData.jobGetQueryResultsResponse.job.jobConfiguration.query.queryPriority security_result.priority_details
    protoPayload.metadata.vpcServiceControlsUniqueId security_result.rule_id
    protoPayload.request.body.settings.activationPolicy security_result.rule_name
    protoPayload.request.policy security_result.rule_name
    protoPayload.metadata.violationReason security_result.rule_name
    protoPayload.policyViolationInfo.orgPolicyViolationInfo.violationInfo.policyType security_result.rule_type
    protoPayload.metadata.dryRun security_result.rule_type
    severity security_result.severity
    security_result.severity_details If the severity log field value is equal to CRITICAL, then the security_result.severity UDM field is set to CRITICAL.

    If the severity log field value is equal to ERROR, then the security_result.severity UDM field is set to ERROR.

    If the severity log field value is equal to ALERT or EMERGENCY, then the security_result.severity UDM field is set to HIGH.

    If the severity log field value is equal to INFO or NOTICE, then the security_result.severity UDM field is set to INFORMATIONAL.

    If the severity log field value is equal to DEBUG, then the security_result.severity UDM field is set to LOW.

    If the severity log field value is equal to WARNING, then the security_result.severity UDM field is set to MEDIUM.

    Else, the security_result.severity UDM field is set to UNKNOWN_SEVERITY.
    protoPayload.response.error.message security_result.summary
    protoPayload.response.error.errors[].message security_result.summary
    protoPayload.status.details.violations.description security_result.summary
    protoPayload.response.message security_result.summary
    protoPayload.request.description security_result.summary
    jsonPayload.reason[].type security_result.summary
    sourceLocation.file src.file.full_path
    protoPayload.serviceName target.application
    resource.labels.service target.application
    protoPayload.metadata.event.eventName.parameter.name[APPLICATION_NAME] target.application
    protoPayload.metadata.event.eventName.parameter.name[APP_NAME] target.application If the protoPayload.metadata.event.eventName.parameter.name1 log field value is equal to APP_NAME and the protoPayload.metadata.event.eventName.parameter.name2 log field value is equal to APP_ID, then the protoPayload.metadata.event.eventName.parameter.name2 - protoPayload.metadata.event.eventName.parameter.name1 log field is mapped to the target.application UDM field.
    protoPayload.metadata.event.eventName.parameter.name[APP_ID] target.application If the protoPayload.metadata.event.eventName.parameter.name1 log field value is equal to APP_NAME and the protoPayload.metadata.event.eventName.parameter.name2 log field value is equal to APP_ID, then the protoPayload.metadata.event.eventName.parameter.name2 - protoPayload.metadata.event.eventName.parameter.name1 log field is mapped to the target.application UDM field.
    protoPayload.metadata.event.eventName.parameter.name[SERVICE_NAME] target.application
    protoPayload.metadata.event.eventName.parameter.name[OAUTH2_SERVICE_NAME] target.application
    protoPayload.metadata.event.eventName.parameter.name[OAUTH2_APP_NAME] target.application If the protoPayload.metadata.event.eventName.parameter.name1 log field value is equal to OAUTH2_APP_NAME and the protoPayload.metadata.event.eventName.parameter.name2 log field value is equal to OAUTH2_APP_ID, then the protoPayload.metadata.event.eventName.parameter.name2 - protoPayload.metadata.event.eventName.parameter.name1 log field is mapped to the target.application UDM field.
    protoPayload.metadata.event.eventName.parameter.name[OAUTH2_APP_ID] target.application If the protoPayload.metadata.event.eventName.parameter.name1 log field value is equal to OAUTH2_APP_NAME and the protoPayload.metadata.event.eventName.parameter.name2 log field value is equal to OAUTH2_APP_ID, then the protoPayload.metadata.event.eventName.parameter.name2 - protoPayload.metadata.event.eventName.parameter.name1 log field is mapped to the target.application UDM field.
    protoPayload.metadata.event.eventName.parameter.name[REAUTH_APPLICATION, SITE_NAME] target.application
    jsonPayload.product target.application
    protoPayload.metadata.device_id target.asset.asset_id
    protoPayload.metadata.event.eventName.parameter.name[DEVICE_SERIAL_NUMBER] target.asset.hardware.serial_number
    protoPayload.metadata.event.eventName.parameter.name[PRINT_SERVER_NAME] target.asset.hostname
    protoPayload.metadata.event.eventName.parameter.name[PRINTER_NAME] target.asset.hostname
    protoPayload.request.instances.instance target.asset.product_object_id The protoPayload.request.instances.instance log field is mapped to the target.asset.product_object_id UDM field when the index value in protoPayload.request.instances.instance is equal to 0.

    For every other index value, target.asset.labels.key UDM field is set to request_instance and the protoPayload.request.instances.instance log field is mapped to the target.asset.labels.value UDM field.
    protoPayload.request.instance target.asset.product_object_id
    protoPayload.metadata.event.eventName.parameter.name[DEVICE_ID] target.asset.product_object_id
    protoPayload.metadata.event.eventName.parameter.name[COMPANY_DEVICE_ID] target.asset.product_object_id
    target.asset.type If the protoPayload.metadata.event.eventName.parameter.name log field value is equal to PRINTER_SERVER_NAME, then the target.asset.type UDM field is set to SERVER.

    If the protoPayload.metadata.event.eventName.parameter.name log field value is equal to PRINTER_NAME, then the target.asset.type UDM field is set to PRINTER.

    If the protoPayload.metadata.event.eventName.parameter.name log field value is equal to DEVICE_TYPE, then the target.asset.type UDM field is set to ROLE_UNSPECIFIED.
    protoPayload.metadata.event.eventName.parameter.name[SITE_LOCATION] target.file.full_path
    protoPayload.metadata.event.eventName.parameter.name[PERMISSION_GROUP_NAME] target.group.attribute.permissions.name
    protoPayload.metadata.event.eventName.parameter.name[GROUP_EMAIL] target.group.email_addresses
    protoPayload.metadata.event.eventName.parameter.name[DOMAIN_NAME] target.hostname
    jsonPayload.dest_instance.vm_name target.hostname
    protoPayload.requestMetadata.requestAttributes.host target.hostname
    httpRequest.remoteIp target.ip
    protoPayload.requestMetadata.destinationAttributes.ip target.ip
    protoPayload.metadata.event.eventName.parameter.name[EMAIL_LOG_SEARCH_SMTP_RECIPIENT_IP] target.ip
    protoPayload.request.ip target.ip
    jsonPayload.connection.dest_ip target.ip
    resource.labels.region target.location.country_or_region
    protoPayload.response.region target.location.country_or_region
    protoPayload.request.body.region target.location.country_or_region
    protoPayload.request.region target.location.country_or_region
    resource.labels.region target.location.country_or_region
    jsonPayload.dest_location.country target.location.country_or_region
    jsonPayload.dest_location.continent target.location.country_or_region
    protoPayload.request.override.overrideValue target.resource.attribute.labels[request_override_value]
    protoPayload.response.overrideValue target.resource.attribute.labels[response_override_value]
    resource.labels.location target.location.name
    protoPayload.resourceOriginalState.alloweds.ports target.port
    protoPayload.requestMetadata.destinationAttributes.port target.port
    jsonPayload.connection.dest_port target.port
    protoPayload.metadata.tableCreation.table.view.query target.process.command_line
    protoPayload.metadata.jobInsertion.job.jobConfig.queryConfig.query target.process.command_line
    protoPayload.serviceData.jobQueryRequest.query target.process.command_line
    protoPayload.serviceData.tableInsertResponse.resource.view.query target.process.command_line
    protoPayload.metadata.jobChange.job.jobConfig.queryConfig.query target.process.command_line
    protoPayload.metadata.tableChange.jobName target.process.pid
    protoPayload.metadata.tableCreation.jobName target.process.pid
    protoPayload.request.networkInterfaces[].subnetwork target.resource_ancestors.name
    protoPayload.request.body.instanceUid target.resource_ancestors.product_object_id
    protoPayload.response.instanceUid target.resource_ancestors.product_object_id
    protoPayload.request.disk[].mode target.resource_ancestors.attributes.permission.name
    protoPayload.request.disk[].autoDelete target.resource_ancestors.attributes.permission.name
    protoPayload.response.project_id target.resource_ancestors.id
    protoPayload.response.targetProject target.resource_ancestors.name
    protoPayload.request.target target.resource_ancestors.name
    protoPayload.resourceName target.resource_ancestors.name If the protoPayload.methodName log field value matches the regular expression (CreateServiceAccount, CreateWorkloadIdentityPool, CreateWorkloadIdentityPoolProvider, managedZones.create, changes.create, resourceRecordSets.create, responsePolicies.create, responsePolicyRules.create, policies.create, CreateRole, CreatePolicy, CreateServiceAccountKey, CreateWorkforcePool, CreateWorkforcePoolProvider), then the protoPayload.resourceName log field is mapped to the target.resource_ancestors.name UDM field.
    protoPayload.resource.role_name target.resource_ancestors.name
    protoPayload.request.parent target.resource_ancestors.name
    protoPayload.request.disks[].deviceName target.resource_ancestors.name
    protoPayload.request.network target.resource_ancestors.name
    resource.labels.project_id target.cloud.project.name
    resource.labels.project_id target.resource_ancestors.name
    protoPayload.request.disk[].type target.resource_ancestors.resource_subtype If the protoPayload.request.cluster.subnetwork log field value is not empty, then the target.resource_ancestors.resource_subtype UDM field is set to subnetwork.

    If the protoPayload.request.cluster.network log field value is not empty, then the target.resource_ancestors.resource_subtype UDM field is set to network.

    If the protoPayload.request.cluster.nodePools.name log field value is not empty, then the target.resource_ancestors.resource_subtype UDM field is set to nodepool.
    resource.location target.resource.attribute.cloud.availability_zone
    resourceLocation.currentLocations target.resource.attribute.cloud.availability_zone
    resource.labels.zone target.resource.attribute.cloud.availability_zone
    protoPayload.request.body.settings.locationPreference.zone target.resource.attribute.cloud.availability_zone
    protoPayload.metadata.tableChange.table.createTime target.resource.attribute.creation_time
    protoPayload.metadata.tableCreation.table.createTime target.resource.attribute.creation_time
    protoPayload.resourceOriginalState.creationTimestamp target.resource.attribute.creation_time
    protoPayload.response.insertTime target.resource.attribute.creation_time
    protoPayload.metadata.tableChange.table.updateTime target.resource.attribute.last_update_time
    protoPayload.metadata.tableCreation.table.updateTime target.resource.attribute.last_update_time
    protoPayload.serviceData.policyDelta.auditConfigDeltas[].logType target.resource.attribute.permissions.type
    request.role.title target.resource.attribute.roles.name
    protoPayload.request.role.included_permissions[] target.resource.attributes.permission.name
    protoPayload.request.role.description target.resource.attributes.roles.description
    protoPayload.resource.labels.firewall_rule_id target.resource.id
    protoPayload.resourceName target.resource.name If the protoPayload.resourceName log field value is not empty, then the protoPayload.resourceName log field is mapped to the target.resource.name UDM field.
    protoPayload.resource.labels.role_name target.resource.name If the protoPayload.methodName log field value is equal to google.iam.admin.v1.CreateRole, then the protoPayload.resource.labels.role_name log field is mapped to the target.resource.name UDM field.
    protoPayload.resource.role_name target.resource.name
    protoPayload.request.service_account.display_name target.resource.name
    protoPayload.request.workloadIdentityPool.displayName target.resource.name
    protoPayload.request.name target.resource.name If the protoPayload.methodName log field value is equal to beta.compute.instances.insert, then the protoPayload.request.name log field is mapped to the target.resource.name UDM field.
    protoPayload.request.cluster.name target.resource.name
    protoPayload.metadata.tableCreation.table.tableName target.resource.name
    protoPayload.metadata.datasetCreation.dataset.datasetName target.resource.name
    jsonPayload.accessApprovals[] target.resource.name
    jsonPayload.resource.name target.resource.name
    resource.labels.email_id target.resource.name If the resource.labels.email_id log field value is not empty, then the resource.labels.email_id log field is mapped to the target.resource.name UDM field.
    protoPayload.request.accessLevel.title target.resource.name
    resource.discoveryName target.resource.name
    protoPayload.response.name target.resource.name
    protoPayload.request.name target.resource.name
    resource.labels.network_id target.resource.name
    request.cluster.name target.resource.name
    resource.labels.cluster_name target.resource.name
    protoPayload.metadata.tableChange.table.tableName target.resource.name
    resource.labels.function_name target.resource.name If the resource.type log field value matches the regular expression cloud_function, then the resource.labels.function_name log field is mapped to the target.resource.name UDM field.
    resource.parent target.resource.parent
    resource.labels.bucket_name target.resource.parent If the resource.type log field value is equal to gcs_bucket, then the resource.labels.bucket_name log field is mapped to the target.resource.parent UDM field.
    resource.labels.dataset_id target.resource.product_object_id
    resource.labels.instance_group_id target.resource.product_object_id
    resource.labels.subnetwork_id target.resource.product_object_id
    resource.labels.firewall_rule_id target.resource.product_object_id
    resource.labels.forwarding_rule_id target.resource.product_object_id
    resource.labels.network_id target.resource.product_object_id
    resource.labels.unique_id target.resource.product_object_id
    protoPayload.metadata.event.eventName.parameter.name[RESOURCE_IDENTIFIER] target.resource.product_object_id
    protoPayload.metadata.event.eventName.parameter.name[SHARED_DRIVE_ID] target.resource.product_object_id
    protoPayload.response.unique_id target.resource.product_object_id If the protoPayload.methodName log field value matches the regular expression (CreateServiceAccount, CreateWorkloadIdentityPool, CreateWorkloadIdentityPoolProvider, managedZones.create, changes.create, resourceRecordSets.create, responsePolicies.create, responsePolicyRules.create, policies.create, CreateRole, CreatePolicy, CreateServiceAccountKey, CreateWorkforcePool, CreateWorkforcePoolProvider), then the protoPayload.response.unique_id log field is mapped to the target.resource.product_object_Id UDM field.
    protoPayload.request.account_id target.resource.product_object_id
    protoPayload.request.role_id target.resource.product_object_id If the protoPayload.methodName log field value is equal to google.iam.admin.v1.CreateRole, then the protoPayload.request.role_id log field is mapped to the target.resource.product_object_id UDM field.
    protoPayload.request.workloadIdentityPoolId target.resource.product_object_id
    jsonPayload.resource.id target.resource.product_object_id
    resource.labels.instance_id target.resource.product_object_id
    resource.data.uniqueId target.resource.product_object_id
    protoPayload.request.workloadIdentityPoolProviderId target.resource.product_object_id
    protoPayload.request.machineType target.resource.resource_subtype If the resource.type log field value matches the regular expression gce_(autoscaler or instance_group) or gae_app", then the resource.type raw log field is mapped to target.resource.resource_subtype UDM field.
    target.resource.resource_type If the resource.type log field value matches the regular expression gce_(firewall or forwarding_rule) or network_security_policy, then the target.resource.resource_type UDM field is set to FIREWALL_RULE and the resource.type raw log field is mapped to target.resource.resource_subtype UDM field.

    Else if, the resource.type log field value matches the regular expression gce_(subnetwork or network), then the target.resource.resource_type UDM field is set to VPC_NETWORK.

    Else if, the resource.type log field value matches the regular expression cloud_dataproc_(batch or session), then the target.resource.resource_type UDM field is set to TASK.

    Else if, the resource.type log field value is equal to gce_backend_service, then the target.resource.resource_type UDM field is set to BACKEND_SERVICE.

    Else if, the resource.type log field value is equal to build, then the target.resource.resource_type UDM field is set to TASK and the resource.type raw log field is mapped to target.resource.resource_subtype UDM field.

    Else if, the resource.type log field value is equal to pubsub_topic, then the target.resource.resource_type UDM field is set to PIPE and the resource.type raw log field is mapped to target.resource.resource_subtype UDM field.

    Else if, the resource.type log field value matches the regular expression cloudkms_cryptokey, then the target.resource.resource_type UDM field is set to CREDENTIAL and the resource.type raw log field is mapped to target.resource.resource_subtype UDM field.

    Else if, the resource.type log field value is equal to iam_role, then the target.resource.resource_type UDM field is set to ACCESS_POLICY and the resource.type raw log field is mapped to target.resource.resource_subtype UDM field.

    Else if, the resource.type log field value is equal to cloud_run_job, then the target.resource.resource_type UDM field is set to TASK and the resource.type raw log field is mapped to target.resource.resource_subtype UDM field.

    Else if, the resource.type log field value is equal to cloud_run_revision, then the target.resource.resource_type UDM field is set to BACKEND_SERVICE and the resource.type raw log field is mapped to target.resource.resource_subtype UDM field.

    Else if, the resource.type log field value matches the regular expression gcs_bucket, then the target.resource.resource_type UDM field is set to STORAGE_BUCKET.

    Else if, the resource.type log field value matches the regular expression bigquery\.googleapis\.com/SparkJob, then the target.resource.resource_type UDM field is set to TASK.

    Else if, the resource.type log field value matches the regular expression bigquery_(biengine_model or dataset), then the target.resource.resource_type UDM field is set to DATASET.

    Else if, the resource.type log field value matches the regular expression bigquery_dts_config, then the target.resource.resource_type UDM field is set to SETTING.

    Else if, the resource.type log field value matches the regular expression cloudsql or bigquery_project or bigquery_resource, then the target.resource.resource_type UDM field is set to DATABASE.

    Else if, the resource.type log field value matches the regular expression service_account, then the target.resource.resource_type UDM field is set to SERVICE_ACCOUNT.

    Else if, the resource.type log field value matches the regular expression organization, then the target.resource.resource_type UDM field is set to CLOUD_ORGANIZATION.

    Else if, the resource.type log field value matches the regular expression audited_resource or gae_app, then the target.resource.resource_type UDM field is set to BACKEND_SERVICE.

    Else if, the resource.type log field value matches the regular expression cloud_function, then the target.resource.resource_type UDM field is set to FUNCTION.

    Else if, the resource.type log field value matches the regular expression gce_(network_endpoint_group or node_group), then the target.resource.resource_type UDM field is set to BACKEND_SERVICE.

    Else if, the resource.type log field value matches the regular expression gce_(node_template or resource_policy), then the target.resource.resource_type UDM field is set to SETTING.

    Else if, the resource.type log field value matches the regular expression gce_disk, then the target.resource.resource_type UDM field is set to DISK.

    Else if, the resource.type log field value matches the regular expression k8s_(scale or service), then the target.resource.resource_type UDM field is set to BACKEND_SERVICE.

    Else if, the resource.type log field value matches the regular expression k8s_(control_plane_component or container), then the target.resource.resource_type UDM field is set to CONTAINER.

    Else if, the resource.type log field value matches the regular expression k8s_node, then the target.resource.resource_type UDM field is set to VIRTUAL_MACHINE.

    Else if, the resource.type log field value matches the regular expression k8s_pod, then the target.resource.resource_type UDM field is set to POD.

    Else if, the resource.type log field value matches the regular expression k8s_cluster or cloud_dataproc_cluster or gke_cluster or gke_nodepool, then the target.resource.resource_type UDM field is set to CLUSTER.

    Else if, the resource.type log field value matches the regular expression gke_container, then the target.resource.resource_type UDM field is set to CONTAINER.

    Else if, the resource.type log field value matches the regular expression gkebackup\.googleapis\.com/(BackupPlan or RestorePlan), then the target.resource.resource_type UDM field is set to SETTING.

    Else if, the resource.type log field value matches the regular expression gce_(instance or snapshot), then the target.resource.resource_type UDM field is set to VIRTUAL_MACHINE.

    Else if, the resource.type log field value matches the regular expression gce_image, then the target.resource.resource_type UDM field is set to IMAGE.

    Else if,the resource.type log field value contain one of the following values, then the resource.type log field is set to UNSPECIFIED and the resource.type raw log field is mapped to target.resource.resource_subtype UDM field.
    • identitytoolkit_project
    • storage.googleapis.com/Project
    • videostitcher.googleapis.com/Project
    .

    Else if, the resource.type log field value matches the regular expression project, then the target.resource.resource_type UDM field is set to CLOUD_PROJECT.

    Else if, the resource.type log field value matches the regular expression gke_, then the target.resource.resource_type UDM field is set to CLUSTER.

    Else, the target.resource.resource_type UDM field is set to UNSPECIFIED and the resource.type raw log field is mapped to target.resource.resource_subtype UDM field.
    protoPayload.response.targetLink target.url
    protoPayload.metadata.event.eventName.parameter.name[WEB_ADDRESS] target.url
    protoPayload.request.httpRequest.url target.url
    resource.discoveryDocumentUri target.url
    httpRequest.requestUrl target.url
    protoPayload.request.role.included_permissions[] target.user.attribute.permissions.name
    protoPayload.metadata.event.eventName.parameter.name[ROLE_ID] target.user.attribute.roles.description If the protoPayload.metadata.event.eventName.parameter.name log field value is equal to ROLE_ID, then the Role_ID - protoPayload.metadata.event.eventName.parameter.value log field is mapped to the target.user.attribute.roles.description UDM field.
    protoPayload.response.bindings[].role target.user.attribute.roles.name
    protoPayload.metadata.event.eventName.parameter.name[ROLE_NAME] target.user.attribute.roles.name
    protoPayload.request.serviceAccounts[].email target.user.email_addresses
    protoPayload.metadata.event.eventName.parameter.value target.user.email_addresses If the protoPayload.metadata.event.eventName.parameter.value log field value is not empty and the protoPayload.metadata.event.eventName log field value is equal to USER_EMAIL or EMAIL_MONITOR_DEST_EMAIL or DESTINATION_USER_EMAIL, then the protoPayload.metadata.event.eventName.parameter.value log field is mapped to the target.user.email_addresses UDM field.
    protoPayload.metadata.event.eventName.parameter.name[NEW_VALUE] target.user.first_name If the protoPayload.metadata.event.eventName log field value is equal to FIRST_NAME, then if the protoPayload.metadata.event.eventName.parameter.name log field value is equal to NEW_VALUE, then the protoPayload.metadata.event.eventName.parameter.value log field is mapped to the target.user.first_name UDM field.
    protoPayload.request.personIdentifier.canonicalPersonId target.user.group_identifiers
    protoPayload.metadata.event.eventName.parameter.name[NEW_VALUE] target.user.last_name If the protoPayload.metadata.event.eventName log field value is equal to LAST_NAME, then if the protoPayload.metadata.event.eventName.parameter.name log field value is equal to NEW_VALUE, then the protoPayload.metadata.event.eventName.parameter.value log field is mapped to the target.user.last_name UDM field.
    protoPayload.metadata.event.eventName.parameter.name[NEW_VALUE] target.user.user_display_name If the protoPayload.metadata.event.eventName log field value is equal to RENAME_USER, then if the protoPayload.metadata.event.eventName.parameter.name log field value is equal to NEW_VALUE, then the protoPayload.metadata.event.eventName.parameter.value log field is mapped to the target.user.user_display_name UDM field.
    protoPayload.response.user target.user.userid
    protoPayload.metadata.event.eventName.parameter.name[USER_EMAIL] target.user.userid If the protoPayload.metadata.event.eventName log field value is equal to CREATE_EMAIL_MONITOR or CREATE_DATA_TRANSFER_REQUEST, then if the protoPayload.metadata.event.eventName.parameter.name log field value is equal to USER_EMAIL, then the protoPayload.metadata.event.eventName.parameter.value log field is mapped to the principal.user.userid UDM field.

    Else if, the protoPayload.metadata.event.eventName.parameter.name log field value is equal to USER_EMAIL, then the protoPayload.metadata.event.eventName.parameter.value log field is mapped to the target.user.userid UDM field.
    protoPayload.metadata.event.eventName.parameter.name[EMAIL_MONITOR_DEST_EMAIL] target.user.userid
    protoPayload.metadata.event.eventName.parameter.name[DESTINATION_USER_EMAIL] target.user.userid
    protoPayload.request.user target.user.userid
    protoPayload.serviceData.policyDelta.bindingDeltas[].member target.user.userid
    protoPayload.request.objects.db about.labels [database_name] (deprecated)
    jsonPayload.accesses[].methodName about.labels [methodName] (deprecated)
    protoPayload.request.objects.name about.labels [objects_name] (deprecated)
    protoPayload.metadata.event.eventName.parameter.name[API_CLIENT_NAME] about.labels[api_client_name] (deprecated)
    protoPayload.metadata.event.eventName.parameter.name[API_SCOPES] about.labels[api_scopes] (deprecated)
    protoPayload.metadata.event.eventName.parameter.name[BEGIN_DATE_TIME] about.labels[begin_date_time] (deprecated)
    protoPayload.metadata.event.eventName.parameter.name[BULK_UPLOAD_FAIL_USERS_NUMBER] about.labels[bulk_upload_fail_users_number] (deprecated)
    protoPayload.metadata.event.eventName.parameter.name[BULK_UPLOAD_TOTAL_USERS_NUMBER] about.labels[bulk_upload_total_users_number] (deprecated)
    protoPayload.metadata.event.eventName.parameter.name[CAA_ASSIGNMENTS_NEW] about.labels[caa_assignments_new] (deprecated)
    protoPayload.metadata.event.eventName.parameter.name[CAA_ASSIGNMENTS_OLD] about.labels[caa_assignments_old] (deprecated)
    protoPayload.metadata.event.eventName.parameter.name[CAA_ENFORCEMENT_ENDPOINTS_NEW] about.labels[caa_enforcement_endpoints_new] (deprecated)
    protoPayload.metadata.event.eventName.parameter.name[CAA_ENFORCEMENT_ENDPOINTS_OLD] about.labels[caa_enforcement_endpoints_old] (deprecated)
    protoPayload.requestMetadata.requestAttributes.size about.labels[caller_network_request_size] (deprecated)
    protoPayload.requestMetadata.requestAttributes.time about.labels[caller_network_request_time] (deprecated)
    protoPayload.requestMetadata.callerNetwork about.labels[caller_network] (deprecated)
    protoPayload.requestMetadata.requestAttributes.size principal.labels[caller_network_request_size] (deprecated)
    protoPayload.requestMetadata.requestAttributes.time principal.labels[request_attributes_time] (deprecated)
    protoPayload.requestMetadata.callerNetwork principal.labels[caller_network] (deprecated)
    protoPayload.metadata.event.eventName.parameter.name[CHROME_LICENSES_ENABLED] about.labels[chrome_licenses_enabled] (deprecated)
    protoPayload.metadata.event.eventName.parameter.name[END_DATE_TIME] about.labels[end_date_time] (deprecated)
    protoPayload.metadata.event.eventName.parameter.name[END_DATE] about.labels[end_date] (deprecated)
    protoType.metadata.event[].eventName about.labels[event_name] (deprecated)
    protoPayload.metadata.event.parameter[].label about.labels[event_param_label] (deprecated)
    protoPayload.metadata.event.parameter[].type about.labels[event_param_type] (deprecated)
    protoType.metadata.event[].eventType about.labels[event_type] (deprecated)
    protoPayload.metadata.event.eventName.parameter.name[FIELD_NAME] about.labels[field_name] (deprecated)
    protoPayload.metadata.event.eventName.parameter.name[FULL_ORG_UNIT_PATH] about.labels[full_org_unit_path] (deprecated)
    protoPayload.metadata.event.eventName.parameter.name[GROUP_MEMBER_BULK_UPLOAD_FAILED_NUMBER] about.labels[grp_member_bulk_upload_failed] (deprecated)
    protoPayload.metadata.event.eventName.parameter.name[GROUP_MEMBER_BULK_UPLOAD_TOTAL_NUMBER] about.labels[grp_member_bulk_upload_total] (deprecated)
    httpRequest.cacheFillBytes about.labels[httpreq_cache_fill_bytes] (deprecated)
    httpRequest.cacheHit about.labels[httpreq_cache_hit] (deprecated)
    httpRequest.cacheLookup about.labels[httpreq_cache_lookup] (deprecated)
    httpRequest.cacheValidatedWithOriginServer about.labels[httpreq_cache_validated_with_origin_server] (deprecated)
    httpRequest.latency about.labels[httprequest_latency] (deprecated)
    protoPayload.metadata.event.eventName.parameter.name[INFO_TYPE] about.labels[info_type] (deprecated)
    protoPayload.metadata.activityId.timeUsec about.labels[metadata_activityId_time_usec] (deprecated)
    protoPayload.metadata.activityId.uniqQualifier about.labels[metadata_activityId_uniq_qualifier] (deprecated)
    protoPayload.metadata.@type about.labels[metadata_type] (deprecated)
    protoPayload.metadata.event.eventName.parameter.name[NEW_PERMISSION_GRANT_STATE] about.labels[new_permission_grant_state] (deprecated)
    protoPayload.metadata.event.eventName.parameter.name[NUMBER_OF_COMPANY_OWNED_DEVICES] about.labels[num_of_company_owned_device] (deprecated)
    protoPayload.numResponseItems about.labels[num_response_items] (deprecated)
    protoPayload.metadata.event.eventName.parameter.name[OLD_PERMISSION_GRANT_STATE] about.labels[old_permission_grant_state] (deprecated)
    operation.first about.labels[operation_first] (deprecated)
    operation.id about.labels[operation_id] (deprecated)
    operation.last about.labels[operation_last] (deprecated)
    operation.producer about.labels[operation_producer] (deprecated)
    protoPayload.resourceOriginalState.selfLinkWithId about.labels[rc_old_selflinkWithId] (deprecated)
    protoPayload.metadata.event.eventName.parameter.name[REAUTH_SETTING_NEW] about.labels[reauth_setting_new] (deprecated)
    protoPayload.metadata.event.eventName.parameter.name[REAUTH_SETTING_OLD] about.labels[reauth_setting_old] (deprecated)
    protoPayload.request.alloweds[].ports about.labels[req_alloweds_ports] (deprecated)
    protoPayload.request.body.name about.labels[req_body_name] (deprecated)
    protoPayload.request.body.settings.activityPolicy about.labels[req_body_settings_activity_policy] (deprecated)
    protoPayload.request.deletionProtection about.labels[req_deletion_protection] (deprecated)
    protoPayload.request.disabled about.labels[req_disabled] (deprecated)
    protoPayload.request.displayDevice.enableDisplay about.labels[req_display_device_enable_display] (deprecated)
    protoPayload.request.enableFlowLogs about.labels[req_enable_flow_logs] (deprecated)
    protoPayload.request.fingerprint about.labels[req_fingerprint] (deprecated)
    protoPayload.request.shieldedInstanceConfig.enableSecureBoot about.labels[req_instance_config_enable_secure_boot] (deprecated)
    protoPayload.request.shieldedInstanceConfig.enableVtpm about.labels[req_instance_config_enable_vtpm] (deprecated)
    protoPayload.request.shieldedInstanceConfig.enableIntegrityMonitoring about.labels[req_instance_enable_integrity_monitoring] (deprecated)
    protoPayload.request.key_types[] about.labels[req_key_types] (deprecated)
    protoPayload.request.logconfig.enable about.labels[req_logconfig_enable] (deprecated)
    protoPayload.request.networkTier about.labels[req_network_tier] (deprecated)
    protoPayload.request.network about.labels[req_network] (deprecated)
    protoPayload.request.page_size about.labels[req_page_size] (deprecated)
    request.pagesize about.labels[req_page_size] (deprecated)
    protoPayload.request.policy.etag about.labels[req_policy_etag] (deprecated)
    protoPayload.request.portRange about.labels[req_port_range] (deprecated)
    protoPayload.request.privateIpGoogleAccess about.labels[req_private_ip_google_access] (deprecated)
    protoPayload.request.private_key_type about.labels[req_private_key_type] (deprecated)
    protoPayload.request.remove_deleted_service_accounts about.labels[req_remove_deleted_serviceAcc] (deprecated)
    protoPayload.request.showDeleted about.labels[req_show_deleted] (deprecated)
    protoPayload.request.skip_visibility_check about.labels[req_skip_visibility_check] (deprecated)
    protoPayload.request.stackType about.labels[req_stack_type] (deprecated)
    protoPayload.request.type about.labels[req_type] (deprecated)
    protoPayload.request.updateMask about.labels[req_update_mask] (deprecated)
    protoPayload.request.version about.labels[req_version] (deprecated)
    protoPayload.response.clientOperationId about.labels[res_client_operation_id] (deprecated)
    protoPayload.response.endTime about.labels[res_end_time] (deprecated)
    protoPayload.response.id about.labels[res_id] (deprecated)
    protoPayload.response.key_algorithm about.labels[res_key_algorithm] (deprecated)
    protoPayload.response.key_origin about.labels[res_key_origin] (deprecated)
    protoPayload.response.key_type about.labels[res_key_type] (deprecated)
    protoPayload.response.kind about.labels[res_kind] (deprecated)
    protoPayload.response.private_key_type about.labels[res_private_key_type] (deprecated)
    protoPayload.response.progress about.labels[res_progress] (deprecated)
    protoPayload.response.startTime about.labels[res_start_time] (deprecated)
    protoPayload.response.status about.labels[res_status] (deprecated) If the protoPayload.methodName log field value is equal to cloudsql.instances.create, then the protoPayload.response.status log field is mapped to the security_result.description UDM field.
    protoPayload.response.type about.labels[res_type] (deprecated)
    protoPayload.response.unique_id about.labels[res_unique_id] (deprecated) If the protoPayload.methodName log field value matches the regular expression (CreateServiceAccount, CreateWorkloadIdentityPool, CreateWorkloadIdentityPoolProvider, managedZones.create, changes.create, resourceRecordSets.create, responsePolicies.create, responsePolicyRules.create, policies.create, CreateRole, CreatePolicy, CreateServiceAccountKey, CreateWorkforcePool, CreateWorkforcePoolProvider), then the protoPayload.response.unique_id log field is mapped to the target.resource.product_object_id UDM field.
    protoPayload.response.valid_after_time.seconds about.labels[res_valid_after_time] (deprecated)
    protoPayload.response.valid_before_time.seconds about.labels[res_valid_before_time] (deprecated)
    protoPayload.response.version about.labels[res_version] (deprecated)
    protoPayload.response.zone about.labels[res_zone] (deprecated)
    protoPayload.metadata.event.eventName.parameter.name[SEARCH_QUERY_FOR_DUMP] about.labels[search_query_for_dump] (deprecated)
    spanId about.labels[span_id] (deprecated)
    protoPayload.metadata.event.eventName.parameter.name[START_DATE] about.labels[start_date] (deprecated)
    traceSampled about.labels[trace_sampled] (deprecated)
    Trace about.labels[trace] (deprecated)
    protoPayload.@type about.labels[type] (deprecated)
    protoPayload.metadata.instanceMetadataDelta.addedMetadataKeys metadata.ingestion_labels [instance_metadata_key_added]
    protoPayload.metadata.instanceMetadataDelta.deletedMetadataKeys metadata.ingestion_labels [instance_metadata_key_deletion]
    protoPayload.metadata.instanceMetadataDelta.modifiedMetadataKeys metadata.ingestion_labels [instance_metadata_key_modification]
    protoPayload.metadata.projectMetadataDelta.addedMetadataKeys metadata.ingestion_labels [AddedMetadataKeys]
    protoPayload.metadata.projectMetadataDelta.deletedMetadataKeys metadata.ingestion_labels [DeletedMetadataKeys]
    protoPayload.metadata.projectMetadataDelta.modifiedMetadataKeys metadata.ingestion_labels [ModifiedMetadataKeys]
    protoPayload.redactions.reason principal.labels [protoPayload.redactions.field] (deprecated)
    protoPayload.redactions.type principal.labels [protoPayload.redactions.field] (deprecated)
    authenticationInfo.serviceAccountDelegationInfo.firstPartyPrincipal.serviceMetadata principal.labels [service_metadata] (deprecated)
    jsonPayload.sourceNetwork principal.labels [source_network] (deprecated)
    authenticationInfo.serviceAccountDelegationInfo.thirdPartyPrincipal.thirdPartyClaims principal.labels [third_party_claims] (deprecated)
    protoPayload.requestMetadata.requestAttributes.time principal.labels[caller_network_request_time] (deprecated)
    protoPayload.request.description principal.labels[req_description] (deprecated)
    protoPayload.request.ipCidrRange principal.labels[req_ip_cidr_range] (deprecated)
    protoPayload.request.sourceRanges[] principal.labels[req_source_ranges] (deprecated)
    protoPayload.requestMetadata.requestAttributes.reason principal.labels[request_attributes_reason] (deprecated)
    protoPayload.authenticationInfo.thirdPartyPrincipal principal.labels[third_party_principal] (deprecated)
    protoPayload.metadata.jobChange.after target.resource_ancestors.attribute.labels[jobchange_after]
    protoPayload.metadata.jobChange.before target.resource_ancestors.attribute.labels[jobchange_before]
    protoPayload.metadata.jobChange.job.jobConfig.queryConfig.query target.resource_ancestors.attribute.labels[jobchange_jobconfig_queryconfig_query]
    protoPayload.metadata.jobChange.job.jobConfig.queryConfig.createDisposition target.resource_ancestors.attribute.labels[jobchange_jobconfig_queryconfig_createdisposition]
    protoPayload.metadata.jobChange.job.jobConfig.queryConfig.destinationTable target.resource_ancestors.attribute.labels[jobchange_jobconfig_queryconfig_destinationtable]
    protoPayload.metadata.jobChange.job.jobConfig.queryConfig.priority target.resource_ancestors.attribute.labels[jobchange_jobconfig_queryconfig_priority]
    protoPayload.metadata.jobChange.job.jobConfig.queryConfig.writeDisposition target.resource_ancestors.attribute.labels[jobchange_jobconfig_queryconfig_writedisposition]
    protoPayload.metadata.jobChange.job.jobConfig.tableCopyConfig.createDisposition target.resource_ancestors.attribute.labels[jobchange_jobconfig_tablecopyconfig_createdisposition]
    protoPayload.metadata.jobChange.job.jobConfig.tableCopyConfig.destinationTable target.resource_ancestors.attribute.labels[jobchange_jobconfig_tablecopyconfig_destinationtable]
    protoPayload.metadata.jobChange.job.jobConfig.tableCopyConfig.operationType target.resource_ancestors.attribute.labels[jobchange_jobconfig_tablecopyconfig_operationtype]
    protoPayload.metadata.jobChange.job.jobConfig.tableCopyConfig.writeDisposition target.resource_ancestors.attribute.labels[jobchange_jobconfig_tablecopyconfig_writedisposition]
    protoPayload.metadata.jobChange.job.jobConfig.type target.resource_ancestors.attribute.labels[jobchange_jobconfig_type]
    protoPayload.metadata.jobChange.job.jobName target.resource_ancestors.name
    protoPayload.metadata.jobChange.job.jobStats.createTime target.resource_ancestors.attribute.creation_time
    protoPayload.metadata.jobChange.job.jobStats.endTime target.resource_ancestors.attribute.labels[jobchange_jobstats_endtime]
    protoPayload.metadata.jobChange.job.jobStats.queryStats target.resource_ancestors.attribute.labels[jobchange_jobstats_querystats]
    protoPayload.metadata.jobChange.job.jobStats.reservation target.resource_ancestors.attribute.labels[jobchange_jobstats_reservation]
    protoPayload.metadata.jobChange.job.jobStats.startTime target.resource_ancestors.attribute.labels[jobchange_jobstats_starttime]
    protoPayload.metadata.jobChange.job.jobStatus.errorResult.code security_result.detection_fields[jobchange_jobstatus_errorresult_code]
    protoPayload.metadata.jobChange.job.jobStatus.errorResult.message security_result.detection_fields[jobchange_jobstatus_errorresult_message]
    protoPayload.metadata.jobChange.job.jobStatus.jobState target.resource_ancestors.attribute.labels[jobstatus_jobstate]
    protoPayload.metadata.jobChange.job.jobConfig.tableCopyConfig.sourceTables target.resource_ancestors.attribute.labels[jobchange_jobconfig_tablecopyconfig_sourcetables]
    protoPayload.metadata.jobChange.job.jobStatus.errors.code security_result.detection_fields[jobchange_jobstatus_errors_code]
    protoPayload.metadata.jobChange.job.jobStatus.errors.message security_result.detection_fields[jobchange_jobstatus_errors_message]
    protoPayload.metadata.jobChange.job.jobConfig.extractConfig.sourceTable target.resource_ancestors.attribute.labels[jobchange_jobconfig_extractconfig_sourcetable]
    protoPayload.metadata.jobChange.job.jobConfig.extractConfig.destinationUris target.resource_ancestors.attribute.labels[jobchange_jobconfig_extractconfig_destinationuris]
    protoPayload.metadata.jobInsertion.job.jobConfig.queryConfig.query target.resource_ancestors.attribute.labels[jobinsertion_jobconfig_queryconfig_query]
    protoPayload.metadata.jobInsertion.job.jobConfig.queryConfig.createDisposition target.resource_ancestors.attribute.labels[jobinsertion_jobconfig_queryconfig_createdisposition]
    protoPayload.metadata.jobInsertion.job.jobConfig.queryConfig.destinationTable target.resource_ancestors.attribute.labels[jobinsertion_jobconfig_queryconfig_destinationtable]
    protoPayload.metadata.jobInsertion.job.jobConfig.queryConfig.priority target.resource_ancestors.attribute.labels[jobinsertion_jobconfig_queryconfig_priority]
    protoPayload.metadata.jobInsertion.job.jobConfig.queryConfig.writeDisposition target.resource_ancestors.attribute.labels[jobinsertion_jobconfig_queryconfig_writedisposition]
    protoPayload.metadata.jobInsertion.job.jobConfig.tableCopyConfig.createDisposition target.resource_ancestors.attribute.labels[jobinsertion_jobconfig_tablecopyconfig_createdisposition]
    protoPayload.metadata.jobInsertion.job.jobConfig.tableCopyConfig.destinationTable target.resource_ancestors.attribute.labels[jobinsertion_jobconfig_tablecopyconfig_destinationtable]
    protoPayload.metadata.jobInsertion.job.jobConfig.tableCopyConfig.operationType target.resource_ancestors.attribute.labels[jobinsertion_jobconfig_tablecopyconfig_operationtype]
    protoPayload.metadata.jobInsertion.job.jobConfig.tableCopyConfig.writeDisposition target.resource_ancestors.attribute.labels[jobinsertion_jobconfig_tablecopyconfig_writedisposition]
    protoPayload.metadata.jobInsertion.job.jobConfig.type target.resource_ancestors.attribute.labels[jobinsertion_jobconfig_type]
    protoPayload.metadata.jobInsertion.job.jobName target.resource_ancestors.name
    protoPayload.metadata.jobInsertion.job.jobStats.createTime target.resource_ancestors.attribute.creation_time
    protoPayload.metadata.jobInsertion.job.jobStats.reservation target.resource_ancestors.attribute.labels[jobinsertion_jobstats_reservation]
    protoPayload.metadata.jobInsertion.job.jobStats.queryStats target.resource_ancestors.attribute.labels[jobinsertion_jobstats_querystats]
    protoPayload.metadata.jobInsertion.job.jobStats.startTime target.resource_ancestors.attribute.labels[jobinsertion_jobstats_starttime]
    protoPayload.metadata.jobInsertion.job.jobStats.endTime target.resource_ancestors.attribute.labels[jobinsertion_jobstats_endtime]
    protoPayload.metadata.jobInsertion.job.jobStatus.errorResult.code security_result.detection_fields[jobinsertion_jobstatus_errorresult_code]
    protoPayload.metadata.jobInsertion.job.jobStatus.errorResult.message security_result.detection_fields[jobinsertion_jobstatus_errorresult_message]
    protoPayload.metadata.jobInsertion.job.jobStatus.jobState target.resource_ancestors.attribute.labels[jobinsertion_jobstatus_jobstate]
    protoPayload.metadata.jobInsertion.reason target.resource_ancestors.attribute.labels[jobinsertion_reason]
    protoPayload.metadata.jobInsertion.job.jobConfig.tableCopyConfig.sourceTables target.resource_ancestors.attribute.labels[jobinsertion_jobconfig_tablecopyconfig_sourcetables]
    protoPayload.metadata.jobInsertion.job.jobStatus.errors.code security_result.detection_fields[jobinsertion_jobstatus_errors_code]
    protoPayload.metadata.jobInsertion.job.jobStatus.errors.message security_result.detection_fields[jobinsertion_jobstatus_errors_message]
    protoPayload.metadata.jobInsertion.job.jobConfig.extractConfig.sourceTable target.resource_ancestors.attribute.labels[jobinsertion_jobconfig_extractconfig_sourcetable]
    protoPayload.metadata.jobInsertion.job.jobConfig.extractConfig.destinationUris target.resource_ancestors.attribute.labels[jobinsertion_jobconfig_extractconfig_destinationuris]
    protoPayload.response.buildConfig.entryPoint target.resource.attribute.labels[buildconfig_entrypoint]
    protoPayload.request.member target.user.email_addresses
    protoPayload.request.email target.user.email_addresses
    protoPayload.metadata.jobInsertion.reason target.resource.attribute.labels[job_insertion_reason]
    protoPayload.metadata.jobInsertion.job.jobConfig.queryConfig.statementType target.resource.attribute.labels[job_insertion_job_job_config_query_config_statement_type]
    protoPayload.metadata.jobInsertion.job.jobStatus.jobState target.resource.attribute.labels[job_insertion_job_job_status_job_state]
    protoPayload.response.state target.resource.attribute.labels[response_state]
    protoPayload.request.metadata.state target.resource.attribute.labels[request_state]
    protoPayload.authenticationInfo.principalSubject principal.user.userid If the protoPayload.authenticationInfo.principalSubject log field value is not empty, then new_user_id is extracted from the protoPayload.authenticationInfo.principalSubject log field using a Grok pattern, and mapped to the principal.user.userid UDM field.
    protoPayload.authenticationInfo.principalSubject principal.user.email_addresses If the protoPayload.authenticationInfo.principalSubject log field value is not empty, then new_email_id is extracted from the protoPayload.authenticationInfo.principalSubject log field using a Grok pattern, and mapped to the principal.user.email_addresses UDM field.
    protoPayload.authenticationInfo.serviceAccountDelegationInfo.principalSubject principal.user.attribute.labels[access_serviceAcc_principalSubject]
    protoPayload.response.oauth2_client_id principal.user.attribute.labels[response_oauth2_client_id]
    protoPayload.authorizationInfo.resourceAttributes.service principal.resource.attribute.labels[authorization_info_rcService]
    protoPayload.authorizationInfo.granted principal.user.attributes.labels[authorization_granted]
    protoPayload.request.cryptoKey.versionTemplate.algorithm security_result.detection_fields [algorithm]
    protoPayload.response.details[].@type security_result.detection_fields [details_type]
    protoPayload.request.cryptoKey.nextRotationTime security_result.detection_fields [next_rotation_time]
    protoPayload.request.cryptoKey.versionTemplate.protectionLevel security_result.detection_fields [protection_level]
    protoPayload.request.body.settings.ipConfiguration.authorizedNetworks.value security_result.detection_fields [protoPayload.request.body.settings.ipConfiguration.authorizedNetworks.kind]
    protoPayload.request.cryptoKey.purpose security_result.detection_fields [purpose]
    protoPayload.resourceName security_result.detection_fields [resource_name]
    protoPayload.authorizationInfo.resource security_result.detection_fields [resource]
    protoPayload.response.code security_result.detection_fields [response_code]
    protoPayload.request.cryptoKey.rotationPeriod security_result.detection_fields [rotation_period]
    protoPayload.metadata.securityPolicyInfo.organizationId security_result.detection_fields [securityPolicyInfo.organizationId]
    protoPayload.request.serviceAccounts[].scopes security_result.detection_fields [service_account_scope]
    protoPayload.response.details[].violations[].subject security_result.detection_fields [violation_subject]
    protoPayload.response.details[].violations[].type security_result.detection_fields [violation_type]
    protoPayload.metadata.event.eventName.parameter.name[ACTION_ID] security_result.detection_fields[action_id]
    protoPayload.serviceData.policyDelta.auditConfigDeltas[].action security_result.detection_fields[action]
    protoPayload.metadata.event.eventName.parameter.name[ALERT_NAME] security_result.detection_fields[alert_name]
    protoPayload.metadata.event.eventName.parameter.name[ALLOWED_TWO_STEP_VERIFICATION_METHOD] security_result.detection_fields[allowed_two_step_verification_method]
    protoPayload.requestMetadata.callerNetwork.requestAttributes.reason security_result.detection_fields[caller_network_request_reason]
    protoPayload.metadata.event.eventName.parameter.name[is_second_factor] security_result.detection_fields[is_second_factor] If the protoPayload.metadata.event.eventName log field value is equal to login_verification, then if the protoPayload.metadata.event.eventName.parameter.name log field value is equal to is_second_factor, then the protoPayload.metadata.event.eventName.parameter.value log field is mapped to the security_result.detection_fields.value UDM field.
    protoPayload.metadata.event.eventName.parameter.name[is_suspicious] security_result.detection_fields[is_suspicious] If the protoPayload.metadata.event.eventName log field value is equal to login_success, then if the protoPayload.metadata.event.eventName.parameter.name log field value is equal to is_suspicious, then the protoPayload.metadata.event.eventName.parameter.boolValue log field is mapped to the security_result.detection_fields.value UDM field.
    protoPayload.metadata.event.eventName.parameter.name[login_failure_type] security_result.detection_fields[login_failure_type] If the protoPayload.metadata.event.eventName log field value is equal to login_failure, then if the protoPayload.metadata.event.eventName.parameter.name log field value is equal to login_failure_type, then the protoPayload.metadata.event.eventName.parameter.value log field is mapped to the security_result.detection_fields.value UDM field.
    protoPayload.metadata.event.eventName.parameter.name[login_type] security_result.detection_fields[login_type] If the protoPayload.metadata.event.eventName log field value is equal to login_failure or login_challenge or login_verification or login_success or logout, then if the protoPayload.metadata.event.eventName.parameter.name log field value is equal to login_type, then the protoPayload.metadata.event.eventName.parameter.value log field is mapped to the about.labels.value UDM field.
    protoPayload.request.bindings.members[] security_result.detection_fields[members]
    protoPayload.policyViolationInfo.orgPolicyViolationInfo.violationInfo.checkedValue security_result.detection_fields[policy_violation_checked_value]
    protoPayload.policyViolationInfo.orgPolicyViolationInfo.violationInfo.constraint security_result.detection_fields[policy_violation_constraint]
    protoPayload.policyViolationInfo.orgPolicyViolationInfo.resourceTags security_result.detection_fields[policy_violation_resource_tags]
    protoPayload.policyViolationInfo.orgPolicyViolationInfo.resourceType security_result.detection_fields[policy_violation_resource_type]
    protoPayload.metadata.event.eventName.parameter.name[QUARANTINE_NAME] security_result.detection_fields[quarantine_name]
    protoPayload.resourceOriginalState.logconfig.enable security_result.detection_fields[rc_orgState_logconfig_enable]
    protoPayload.request.alloweds[].ports security_result.detection_fields[req_alloweds_ports]
    protoPayload.response.error.errors[].domain security_result.detection_fields[res_error_domain]
    protoPayload.resourceOriginalState.direction security_result.detection_fields[resource_original_state_direction]
    protoPayload.authenticationInfo.serviceAccountKeyName security_result.detection_fields[service_account_key_name]
    Referred this from Default parser. security_result.detection_fields[SERVICE]
    protoPayload.status.details.type security_result.detection_fields[status_details_type]
    protoPayload.status.details.violations.subject security_result.detection_fields[status_details_violation_subject]
    protoPayload.status.details.violations.type security_result.detection_fields[status_details_violation_type]
    sourceLocation.function src.labels[src_location_function]
    sourceLocation.line src.labels[src_location_line]
    protoPayload.metadata.event.eventName.parameter.name[DEVICE_NEW_STATE] target.asset.attribute.labels[dvc_new_state]
    protoPayload.metadata.event.eventName.parameter.name[DEVICE_PREVIOUS_STATE] target.asset.attribute.labels[dvc_previous_state]
    protoPayload.metadata.event.eventName.parameter.name[DEVICE_TYPE] target.asset.attribute.labels[dvc_type]
    protoPayload.metadata.event.eventName.parameter.name[MANAGED_CONFIGURATION_NAME] target.asset.attribute.labels[managed_config_name]
    protoPayload.metadata.event.eventName.parameter.name[MOBILE_APP_PACKAGE_ID] target.asset.attribute.labels[mobile_app_package_id]
    protoPayload.metadata.event.eventName.parameter.name[MOBILE_CERTIFICATE_COMMON_NAME] target.asset.attribute.labels[mobile_certificate_common_name]
    protoPayload.metadata.event.eventName.parameter.name[MOBILE_WIRELESS_NETWORK_NAME] target.asset.attribute.labels[mobile_wireless_network_name]
    protoPayload.metadata.event.eventName.parameter.name[PLAY_FOR_WORK_MDM_VENDOR_NAME] target.asset.attribute.labels[play_for_work_mdm_vendor_name]
    protoPayload.metadata.event.eventName.parameter.name[PLAY_FOR_WORK_TOKEN_ID] target.asset.attribute.labels[play_for_work_token_id]
    resource.labels.instance_id target.asset.attribute.labels[rc_instance_id]
    protoPayload.metadata.event.eventName.parameter.name[SKU_NAME] target.asset.attribute.labels[sku_name]
    protoPayload.response.targetId target.asset.attribute.labels[target_id] If the protoPayload.methodName log field value is not equal to cloudsql.instances.create, then the protoPayload.response.targetId log field is mapped to the target.asset.attribute.labels.value UDM field.
    resource.labels.backend_service_name target.labels [backend_service_name] (deprecated)
    protoPayload.requestMetadata.requestAttributes.auth.claims target.labels [request_auth_claims] (deprecated)
    protoPayload.metadata.event.eventName.parameter.name[APPLICATION_EDITION] target.labels[application_edition] (deprecated)
    protoPayload.metadata.event.eventName.parameter.name[ASP_ID] target.labels[asp_id] (deprecated)
    protoPayload.metadata.event.eventName.parameter.name[CHROME_OS_SESSION_TYPE] target.labels[chrome_os_session_type] (deprecated)
    protoPayload.metadata.event.eventName.parameter.name[DEVICE_NEW_ORG_UNIT] target.labels[device_new_org_unit] (deprecated)
    protoPayload.metadata.event.eventName.parameter.name[DEVICE_PREVIOUS_ORG_UNIT] target.labels[device_previous_org_unit] (deprecated)
    protoPayload.metadata.event.eventName.parameter.name[DOMAIN_ALIAS] target.labels[domain_alias] (deprecated)
    protoPayload.metadata.event.eventName.parameter.name[EMAIL_EXPORT_INCLUDE_DELETED] target.labels[email_export_include_deleted] (deprecated)
    protoPayload.metadata.event.eventName.parameter.name[EMAIL_EXPORT_PACKAGE_CONTENT] target.labels[email_export_package_content] (deprecated)
    protoPayload.metadata.event.eventName.parameter.name[EMAIL_LOG_SEARCH_END_DATE] target.labels[email_log_search_end_date] (deprecated)
    protoPayload.metadata.event.eventName.parameter.name[EMAIL_LOG_SEARCH_START_DATE] target.labels[email_log_search_start_date] (deprecated)
    protoPayload.metadata.event.eventName.parameter.name[EMAIL_MONITOR_LEVEL_CHAT] target.labels[email_monitor_level_chat] (deprecated)
    protoPayload.metadata.event.eventName.parameter.name[EMAIL_MONITOR_LEVEL_DRAFT_EMAIL] target.labels[email_monitor_level_draft_email] (deprecated)
    protoPayload.metadata.event.eventName.parameter.name[EMAIL_MONITOR_LEVEL_INCOMING_EMAIL] target.labels[email_monitor_level_in_email] (deprecated)
    protoPayload.metadata.event.eventName.parameter.name[EMAIL_MONITOR_LEVEL_OUTGOING_EMAIL] target.labels[email_monitor_level_out_email] (deprecated)
    protoPayload.metadata.event.eventName.parameter.name[GMAIL_RESET_REASON] target.labels[email_reset_reason] (deprecated)
    protoPayload.metadata.event.eventName.parameter.name[NEW_VALUE] target.labels[new_value] (deprecated)
    protoPayload.metadata.event.eventName.parameter.name[OAUTH2_APP_TYPE] target.labels[oauth2_app_type] (deprecated)
    protoPayload.metadata.event.eventName.parameter.name[OLD_VALUE] target.labels[old_value] (deprecated)
    protoPayload.requestMetadata.destinationAttributes.principal target.labels[peer_principal] (deprecated)
    protoPayload.requestMetadata.destinationAttributes.regionCode target.labels[peer_region_code] (deprecated)
    protoPayload.request.loadBalancingScheme target.labels[req_load_balancing_scheme] (deprecated)
    protoPayload.request.requestId target.labels[request_id] (deprecated)
    protoPayload.metadata.event.eventName.parameter.name[REQUEST_ID] target.labels[request_id] (deprecated)
    protoPayload.resourceOriginalState.description target.labels[res_originalState_description] (deprecated)
    protoPayload.response.bindings[].members[] target.labels[response_bindings_members] (deprecated)
    protoPayload.response.description target.labels[response_description] (deprecated)
    protoPayload.response.display_name target.labels[response_display_name] (deprecated)
    protoPayload.metadata.event.eventName.parameter.name[SECONDARY_DOMAIN_NAME] target.labels[secondary_domain_name] (deprecated)
    protoPayload.metadata.event.eventName.parameter.name[SETTING_NAME] target.labels[setting_name] (deprecated)
    protoPayload.metadata.event.eventName.parameter.name[USER_CUSTOM_FIELD] target.labels[user_custom_field] (deprecated)
    protoPayload.metadata.event.eventName.parameter.name[USER_DEFINED_SETTING_NAME] target.labels[user_defined_setting_name] (deprecated)
    protoPayload.metadata.event.eventName.parameter.name[WEB_ORIGIN] target.labels[web_origin] (deprecated)
    protoPayload.metadata.event.eventName.parameter.name[WHITELISTED_GROUPS] target.labels[whitelisted_groups] (deprecated)
    protoPayload.metadata.event.eventName.parameter.name[APP_LICENSES_ORDER_NUMBER] target.asset.labels[app_licenses_order_number]
    protoPayload.metadata.event.eventName.parameter.name[CHROME_NUM_LICENSES_PURCHASED] target.asset.labels[chrome_num_licenses_purchased]
    protoPayload.metadata.event.eventName.parameter.name[DEVICE_COMMAND_DETAILS] target.asset.labels[device_command_details]
    protoPayload.metadata.event.eventName.parameter.name[DIRECTORY_API_ID] target.asset.labels[directory_api_id]
    protoPayload.metadata.event.eventName.parameter.name[GROUP_PRIORITIES] target.group.attribute.labels[group_priorities]
    protoPayload.request.cluster.subnetwork target.resource_ancestor.attribute.labels[req_cls_subnetwork]
    protoPayload.request.cluster.nodePools[].autoscaling.enabled target.resource_ancestor.attribute.labels[req_clsNodePools_autoscaling_enabled]
    protoPayload.request.cluster.nodePools[].autoscaling.maxNodeCount target.resource_ancestor.attribute.labels[req_clsNodePools_autoscaling_max_node_cnt]
    protoPayload.request.cluster.nodePools[].autoscaling.minNodeCount target.resource_ancestor.attribute.labels[req_clsNodePools_autoscaling_min_node_cnt]
    protoPayload.request.cluster.nodePools[].management.autoupgrade target.resource_ancestor.attribute.labels[req_clsNodePools_autoupgrade]
    protoPayload.request.cluster.nodePools[].config.diskSizeGb target.resource_ancestor.attribute.labels[req_clsNodePools_config_disksize]
    protoPayload.request.cluster.nodePools[].config.imageType target.resource_ancestor.attribute.labels[req_clsNodePools_config_imagetype]
    protoPayload.request.cluster.nodePools[].config.machineType target.resource_ancestor.attribute.labels[req_clsNodePools_config_machinetype]
    protoPayload.request.cluster.nodePools[].config.oauthScopes[] target.resource_ancestor.attribute.labels[req_clsNodePools_config_oauth_scopes]
    protoPayload.request.cluster.nodePools[].name target.resource_ancestor.attribute.labels[req_clsNodePools_name]
    protoPayload.request.cluster.nodePools[].initialNodeCount target.resource_ancestor.attribute.labels[req_clsterNodePools_autoscaling_initial_node_cnt]
    resource.data.oauth2ClientId target.resource.attribute.labels [oauth_client_id]
    protoPayload.request.properties.confidentialInstanceConfig.enableConfidentialCompute target.resource.attribute.labels [ enable_confidential_compute]
    protoPayload.request.function.timeout target.resource.attribute.labels [ function_time_out]
    protoPayload.requestMetadata.requestAttributes.auth.accessLevels target.resource.attribute.labels [accessLevel]
    protoPayload.request.date target.resource.attribute.labels [audit_event_occurred]
    protoPayload.request.auditId target.resource.attribute.labels [audit_id]
    protoPayload.request.autoscalingPolicy.mode target.resource.attribute.labels [autoscaling_policy_mode]
    protoPayload.request.autoscalingPolicy.coolDownPeriodSec target.resource.attribute.labels [cool_down_period]
    protoPayload.request.denieds.0.IPProtocol target.resource.attribute.labels [Denied Protocol]
    protoPayload.request.destinationRanges target.resource.attribute.labels [destination_ranges]
    protoPayload.request.function.entryPoint target.resource.attribute.labels [function_entry_point]
    protoPayload.request.function.httpsTrigger.securityLevel target.resource.attribute.labels [function_httptrigger_security_level]
    protoPayload.request.function.runtime target.resource.attribute.labels [function_runtime]
    protoPayload.request.function.serviceAccountEmail target.resource.attribute.labels [function_service_account_email]
    protoPayload.request.function.sourceUploadUrl target.resource.attribute.labels [function_source_upload_url]
    protoPayload.metadata.iapEnabled target.resource.attribute.labels [iapEnabled]
    protoPayload.request.listManagedInstancesResults target.resource.attribute.labels [managed_instances_result]
    protoPayload.request.autoscalingPolicy.maxNumReplicas target.resource.attribute.labels [max_replicas]
    protoPayload.request.autoscalingPolicy.minNumReplicas target.resource.attribute.labels [min_replicas]
    protoPayload.request.msgType target.resource.attribute.labels [msg_type]
    protoPayload.metadata.oauth_client_id target.resource.attribute.labels [oauth_client_id]
    protoPayload.request.autoscalingPolicy.cpuUtilization.predictiveMethod target.resource.attribute.labels [predictive_method]
    protoPayload.request.labels.0.value target.resource.attribute.labels [protoPayload.request.labels.0.key]
    protoPayload.request.queryId target.resource.attribute.labels [query_id]
    protoPayload.request.constraint target.resource.attribute.labels [request_constraint]
    protoPayload.request.dataAccessed target.resource.attribute.labels [request_data_accessed]
    protoPayload.request.function.labels.deployment-tool target.resource.attribute.labels [request_deployment_tool]
    protoPayload.request.properties.description target.resource.attribute.labels [request_description]
    protoPayload.request.function.name target.resource.attribute.labels [request_function_name]
    protoPayload.request.location target.resource.attribute.labels [request_location]
    protoPayload.request.policy.constraint target.resource.attribute.labels [request_policy_constraint]
    protoPayload.request.@type target.resource.attribute.labels [request_type]
    protoPayload.request.cmd target.resource.attribute.labels [sql_operation_type ]
    protoPayload.request.threadId target.resource.attribute.labels [thread_id]
    protoPayload.metadata.unsatisfied_access_levels target.resource.attribute.labels [unsatisfied_access_levels]
    protoPayload.request.autoscalingPolicy.cpuUtilization.utilizationTarget target.resource.attribute.labels [utilization_target]
    protoPayload.request.body.settings.backupConfiguration.binaryLogEnabled target.resource.attribute.labels[backup_config_binarylog_enabled]
    protoPayload.request.body.settings.backupConfiguration.enabled target.resource.attribute.labels[backup_config_enabled]
    protoPayload.request.body.settings.backupConfiguration.transactionLogRetentionDays target.resource.attribute.labels[backup_config_logRetention_days]
    protoPayload.request.body.settings.backupConfiguration.pointInTimeRecoveryEnabled target.resource.attribute.labels[backup_config_point_in_time_recovery_enabled]
    protoPayload.request.body.settings.backupConfiguration.backupRetentionSettings.retainedBackups target.resource.attribute.labels[backup_config_retention_settings_retained_backups]
    protoPayload.request.body.settings.backupConfiguration.backupRetentionSettings.retentionUnit target.resource.attribute.labels[backup_config_retention_settings_unit]
    protoPayload.request.body.settings.backupConfiguration.startTime target.resource.attribute.labels[backup_config_start_time]
    protoPayload.request.canIpForward target.resource.attribute.labels[can_ip_forward]
    resource.labels.cluster_name target.resource.attribute.labels[cls_name]
    request.cluster.name target.resource.attribute.labels[cls_name]
    protoPayload.request.body.settings.dataDiskSizeGb target.resource.attribute.labels[data_disk_size_gb]
    protoPayload.request.body.settings.dataDiskType target.resource.attribute.labels[data_disk_type]
    protoPayload.metadata.tableDataRead.fields target.resource.attribute.labels[data_read_fields]
    protoPayload.metadata.jobInsertion.job.jobConfig.extractConfig.destinationUris[] target.resource.attribute.labels[destination_uris]
    protoPayload.request.direction target.resource.attribute.labels[direction]
    resource.labels.email_id target.resource.attribute.labels[email_id]
    resource.email_id target.resource.attribute.labels[email_id]
    resource.labels.forwarding_rule_name target.resource.attribute.labels[forwarding_rule_name]
    protoPayload.request.body.settings.ipConfiguration.ipv4Enabled target.resource.attribute.labels[ip_config_ipv4_enabled]
    protoPayload.request.body.settings.ipconfiguration.privatNetwork target.resource.attribute.labels[ip_config_private_network]
    protoPayload.request.body.settings.ipconfiguration.requireSsl target.resource.attribute.labels[ip_config_require_ssl]
    protoPayload.metadata.jobChange.job.jobConfig.type target.resource.attribute.labels[job_type]
    protoPayload.metadata.jobChange.job.jobConfig.labels.looker_studio_report_id target.resource.attribute.labels[job_change_looker_studio_report_id]
    protoPayload.metadata.jobChange.job.jobConfig.labels.requestor target.resource.attribute.labels[job_change_requestor]
    protoPayload.metadata.jobChange.job.jobConfig.labels.looker_studio_datasource_id target.resource.attribute.labels[job_change_looker_studio_datasource_id]
    protoPayload.metadata.tableChange.table.tableName target.resource.attribute.labels[metadata_changedTable_name]
    protoPayload.metadata.tableCreation.table.expireTime target.resource.attribute.labels[metadata_creationTable_expire_time]
    protoPayload.request.body.settings.pricingPlan target.resource.attribute.labels[pricing_plan]
    resource.data.projectId target.resource.attribute.labels[projectId]
    resource.labels.instance_group_name target.resource.attribute.labels[rc_instance_groupName]
    resource.labels.method target.resource.attribute.labels[rc_method]
    protoPayload.resourceOriginalState.disabled target.resource.attribute.labels[rc_orgState_disabled]
    protoPayload.resourceOriginalState.enableLogging target.resource.attribute.labels[rc_orgState_enable_logging]
    protoPayload.resourceOriginalState.logconfig.enable target.resource.attribute.labels[rc_orgState_logconfig_enable]
    protoPayload.resourceOriginalState.selfLink target.resource.attribute.labels[rc_orgState_selflink]
    protoPayload.resourceOriginalState.sourceRanges target.resource.attribute.labels[rc_orgState_srcranges]
    protoPayload.resourceOriginalState.targetTags target.resource.attribute.labels[rc_orgState_target_tags]
    protoPayload.resourceOriginalState.@type target.resource.attribute.labels[rc_orgState_type]
    resource.labels.service target.resource.attribute.labels[rc_service]
    resource.labels.subnetwork_name target.resource.attribute.labels[rc_subnetwork_name]
    resource.labels.version target.resource.attribute.labels[rc_version]
    protoPayload.request.body.databaseVersion target.resource.attribute.labels[req_body_dbVersion]
    protoPayload.request.cluster.releaseChannel.channel target.resource.attribute.labels[req_cls_channel]
    protoPayload.request.cluster.addonsConfig.networkPolicyConfig.disabled target.resource.attribute.labels[req_cls_policy_config_disabled]
    protoPayload.request.reservationAffinity.consumeReservationType target.resource.attribute.labels[req_consumeReservation_type]
    protoPayload.request.disabled target.resource.attribute.labels[req_disabled]
    protoPayload.request.disks[].boot target.resource.attribute.labels[req_disk_boot]
    protoPayload.request.disks[].initializeParams.diskSizeGb target.resource.attribute.labels[req_disk_initialize_disk_size]
    protoPayload.request.disks[].initializeParams.diskType target.resource.attribute.labels[req_disk_initialize_disk_type]
    protoPayload.request.disks[].initializeParams.sourceImage target.resource.attribute.labels[req_disk_initialize_source_image]
    protoPayload.request.workloadIdentityPoolProvider.attributeCondition target.resource.attribute.labels[req_identityPool_attribute_condition]
    protoPayload.request.workloadIdentityPoolProvider.aws.accountId target.resource.attribute.labels[req_identityPool_aws_accountId]
    protoPayload.request.workloadIdentityPoolProvider.attributeMapping.attribute.aws_role target.resource.attribute.labels[req_identityPool_aws_role]
    protoPayload.request.workloadIdentityPool.description target.resource.attribute.labels[req_identityPool_description]
    protoPayload.request.workloadIdentityPool.disabled target.resource.attribute.labels[req_identityPool_disabled]
    protoPayload.request.workloadIdentityPoolProvider.displayName target.resource.attribute.labels[req_identityPool_displayName]
    protoPayload.request.workloadIdentityPoolProvider.attributeMapping.google.subject target.resource.attribute.labels[req_identityPool_googleSubject]
    protoPayload.request.workloadIdentityPoolProvider.disabled target.resource.attribute.labels[req_identityPool_provider_disabled]
    protoPayload.request.workloadIdentityPoolProviderId target.resource.attribute.labels[req_identityPool_providerId]
    protoPayload.request.instances[].instance target.resource.attribute.labels[req_instance]
    protoPayload.request.logconfig.enable target.resource.attribute.labels[req_logconfig_enable]
    protoPayload.serviceData.tabelDataListRequest.maxResults target.resource.attribute.labels[req_max_results]
    protoPayload.serviceData.jobGetQueryResultsRequest.maxResults target.resource.attribute.labels[req_max_results]
    protoPayload.request.maxResults target.resource.attribute.labels[req_max_results]
    protoPayload.request.name target.resource.attribute.labels[req_name]
    protoPayload.request.networkInterfaces[].accessConfig.name target.resource.attribute.labels[req_network_access_config_name]
    protoPayload.request.networkInterfaces[].accessConfig.networkTier target.resource.attribute.labels[req_network_access_config_network_tier]
    protoPayload.request.networkInterfaces[].accessConfig.type target.resource.attribute.labels[req_network_access_config_type]
    protoPayload.request.network target.resource.attribute.labels[req_network]
    protoPayload.request.network target.resource.attribute.labels[req_network]
    protoPayload.request.priority target.resource.attribute.labels[Request Priority]
    protoPayload.request.project target.resource.attribute.labels[req_project]
    protoPayload.request.role.stage target.resource.attribute.labels[req_role_stage]
    protoPayload.request.scheduling.automaticRestart target.resource.attribute.labels[req_scheduling_automatic_restart]
    protoPayload.request.scheduling.onHostMaintenance target.resource.attribute.labels[req_scheduling_on_host_mainten]
    protoPayload.request.scheduling.preemptible target.resource.attribute.labels[req_scheduling_preemptible]
    protoPayload.request.service_account.description target.resource.attribute.labels[req_serviceAcc_description]
    protoPayload.request.serviceAccounts[].email target.resource.attribute.labels[req_serviceAcc_email]
    protoPayload.request.policy.booleanPolicy.enforced target.resource.attribute.labels[request_constraint]
    protoPayload.response.email target.resource.attribute.labels[res_email]
    protoPayload.response.etag target.resource.attribute.labels[res_etag]
    protoPayload.response.name target.resource.attribute.labels[res_name]
    protoPayload.response.operationType target.resource.attribute.labels[response_operation_type]
    protoPayload.response.zone target.resource.attribute.labels[res_zone]
    resource.data.name target.resource.attribute.labels[resource_data_name]
    protoPayload.response.booleanPolicy.enforced target.resource.attribute.labels[response_enforce_policy]
    protoPayload.response.status target.resource.attribute.labels[response_status]
    protoPayload.response.status.conditions.message target.resource.attribute.labels[response_status]
    protoPayload.serviceData.permissionDelta.addedPermissions[] target.resource.attribute.labels[ser_added_perm]
    protoPayload.serviceData.policyDelta.bindingDeltas[].action target.resource.attribute.labels[ser_binding_deltas_action]
    protoPayload.serviceData.policyDelta.bindingDeltas[].member target.resource.attribute.labels[ser_binding_deltas_member]
    Referred this from default parser. target.resource.attribute.labels[ser_binding_deltas_member]
    protoPayload.serviceData.jobGetQueryResultsResponse.job.jobConfiguration.query.destinationTable.datasetId target.resource.attribute.labels[ser_destTable_datasetId]
    protoPayload.serviceData.jobGetQueryResultsResponse.job.jobConfiguration.query.destinationTable.projectId target.resource.attribute.labels[ser_destTable_projectId]
    protoPayload.serviceData.jobGetQueryResultsResponse.job.jobConfiguration.query.destinationTable.tableId target.resource.attribute.labels[ser_destTable_tableId]
    protoPayload.serviceData.jobGetQueryResultsResponse.job.jobStatistics.createTime target.resource.attribute.labels[ser_jobCreate_time]
    protoPayload.serviceData.jobGetQueryResultsResponse.job.jobName.jobId target.resource.attribute.labels[ser_req_jobId]
    protoPayload.serviceData.jobGetQueryResultsResponse.job.jobConfiguration.query.query target.resource.attribute.labels[ser_req_query]
    protoPayload.serviceData.jobGetQueryResultsResponse.job.jobConfiguration.query.createDisposotion target.resource.attribute.labels[ser_reqCreate_disposotion]
    protoPayload.serviceData.jobGetQueryResultsResponse.job.jobName.location target.resource.attribute.labels[ser_reqJob_location]
    protoPayload.serviceData.jobGetQueryResultsResponse.job.jobName.projectId target.resource.attribute.labels[ser_reqJob_projectid]
    protoPayload.serviceData.jobGetQueryResultsResponse.job.jobStatistics.startTime target.resource.attribute.labels[ser_reqJob_start_time]
    protoPayload.serviceData.jobGetQueryResultsResponse.job.jobStatus.state target.resource.attribute.labels[ser_reqJob_state]
    protoPayload.serviceData.jobGetQueryResultsResponse.job.jobStatistics.totalSlotMs target.resource.attribute.labels[ser_reqJob_total_slot_ms]
    protoPayload.serviceData.jobGetQueryResultsResponse.job.jobConfiguration.query.statementType target.resource.attribute.labels[ser_reqStatement_type]
    protoPayload.serviceData.jobGetQueryResultsResponse.job.jobConfiguration.query.writeDisposition target.resource.attribute.labels[ser_reqWrite_disposition]
    protoPayload.serviceData.tableInsertRequest.resource.view.query target.resource.attribute.labels[ser_tableInsert_query]
    protoPayload.serviceData.@type target.resource.attribute.labels[ser_type]
    protoPayload.request.sourceRanges[] target.resource.attribute.labels[source_ranges]
    protoPayload.request.body.settings.storageAutoResize target.resource.attribute.labels[storage_auto_resize]
    resource.labels.target_proxy_name target.resource.attribute.labels[target_proxy_name]
    protoPayload.request.body.settings.tier target.resource.attribute.labels[tier]
    resource.labels.url_map_name target.resource.attribute.labels[url_map_name]
    protoPayload.request.cluster.network target.resource_ancestors.attribute.labels[req_cls_network]
    protoPayload.request.cluster.nodePools[].management.autoRepair target.resource_ancestors.attribute.labels[req_clsNodePools_autorepair]
    protoPayload.request.body.settings.availabilityType target.resource.attributes.labels[resource_avaibilitytype]
    protoPayload.metadata.tableCreation.table.schemaJSON target.resource.attributes.labels[table_schemaJson]
    protoPayload.metadata.event.eventName.parameter.name[BIRTHDATE] target.user.attribute.labels[birthdate]
    protoPayload.metadata.event.eventName.parameter.name[PRIVILEGE_NAME] target.user.attribute.labels[privilege_name]
    protoPayload.metadata.event.eventName.parameter.name[USER_NICKNAME] target.user.attribute.labels[user_nickname]
    resource.type target.resource_ancestors.resource_type If the resource.type log field value matches the regular expression gce_(firewall or forwarding_rule), then the target.resource_ancestors.resource_type UDM field is set to FIREWALL_RULE.

    If the resource.type log field value matches the regular expression gce_(subnetwork or network), then the target.resource_ancestors.resource_type UDM field is set to VPC_NETWORK.

    If the resource.type log field value matches the regular expression dataproc, then the target.resource_ancestors.resource_type UDM field is set to CLUSTER.

    If the resource.type log field value matches the regular expression k8s or gke_, then the target.resource_ancestors.resource_type UDM field is set to CLUSTER.

    If the resource.type log field value is equal to gce_backend_service, then the target.resource_ancestors.resource_type UDM field is set to BACKEND_SERVICE.

    If the resource.type log field value matches the regular expression (gce_ or dns_query), then the target.resource.resource_type UDM field is set to VIRTUAL_MACHINE.

    If the resource.type log field value matches the regular expression gcs_bucket, then the target.resource_ancestors.resource_type UDM field is set to STORAGE_BUCKET.

    If the resource.type log field value matches the regular expression bigquery, then the target.resource_ancestors.resource_type UDM field is set to DATABASE.

    If the resource.type log field value matches the regular expression cloudsql, then the target.resource_ancestors.resource_type UDM field is set to DATABASE.

    If the resource.type log field value matches the regular expression service_account, then the target.resource_ancestors.resource_type UDM field is set to SERVICE_ACCOUNT.

    If the resource.type log field value matches the regular expression project, then the target.resource_ancestors.resource_type UDM field is set to CLOUD_PROJECT.

    If the resource.type log field value matches the regular expression organization, then the target.resource_ancestors.resource_type UDM field is set to CLOUD_ORGANIZATION.

    Else, the target.resource_ancestors.resource_type UDM field is set to UNSPECIFIED.

    If the resource.labels.project_id log field value is not empty, then the target.resource_ancestors.resource_type UDM field is set to CLOUD_PROJECT.
    jsonPayload.end_time about.labels[jsonPayload_end_time] (deprecated)
    jsonPayload.packets_sent network.sent_packets
    jsonPayload.reporter about.labels[jsonPayload_reporter] (deprecated)
    jsonPayload.src_vpc.vpc_name principal.resource.name
    jsonPayload.src_vpc.project_id principal.resource.product_object_id
    jsonPayload.src_vpc.subnetwork_name principal.resource.attribute.labels[jsonPayload_src_vpc_subnetwork_name]
    jsonPayload.start_time about.labels[jsonPayload_start_time] (deprecated)
    jsonPayload.src_instance.region principal.location.name
    jsonPayload.src_instance.project_id principal.labels[jsonPayload_src_instance_project_id] (deprecated)
    jsonPayload.src_instance.zone principal.cloud.availability_zone
    resource.labels.subnetwork_id target.resource.attribute.labels[resource_labels_subnetwork_id]
    jsonPayload.dest_vpc.project_id target.resource.product_object_id
    jsonPayload.dest_vpc.subnetwork_name target.resource.attribute.labels[jsonPayload_src_vpc_subnetwork_name]
    jsonPayload.dest_vpc.vpc_name target.resource.name
    jsonPayload.dest_instance.region target.location.name
    jsonPayload.dest_instance.project_id target.labels[jsonPayload_dest_instance_project_id] (deprecated)
    jsonPayload.dest_instance.zone target.cloud.availability_zone
    jsonPayload.src_location.asn principal.labels[jsonPayload_src_location_asn] (deprecated)
    jsonPayload.src_location.city principal.location.city
    jsonPayload.src_location.continent principal.labels[jsonPayload_src_location_continent] (deprecated)
    jsonPayload.src_location.country principal.location.country_or_region
    jsonPayload.src_location.region principal.labesl[jsonPayload_src_location_region]
    jsonPayload.dest_location.asn target.labels[jsonPayload_dest_location_asn] (deprecated)
    jsonPayload.dest_location.city target.location.city
    jsonPayload.dest_location.continent target.labels[jsonPayload_dest_location_continent] (deprecated)
    jsonPayload.dest_location.region target.labesl[jsonPayload_dest_location_region]
    protoPayload.metadata.ingressViolations.servicePerimeter security_result.detection_fields[protoPayload_metadata_ingressViolations_serviceParameter]
    protoPayload.metadata.ingressViolations.source security_result.detection_fields[protoPayload_metadata_ingressViolations_source]
    protoPayload.metadata.ingressViolations.sourceType security_result.detection_fields[protoPayload_metadata_ingressViolations_sourceType]
    protoPayload.metadata.ingressViolations.targetResource security_result.detection_fields[protoPayload_metadata_ingressViolations_targetResource]
    protoPayload.request.subjects.name target.user.attribute.labels[subject_name]
    protoPayload.request.spec.containers.0.image target.process.command_line
    protoPayload.request.spec.containers.0.name target.resource.attribute.labels[name]
    protoPayload.request.spec.containers.0.terminationMessagePolicy traget.resource.attribute.labels[terminationMessagePolicy]
    protoPayload.request.spec.containers.0.terminationMessagePath traget.resource.attribute.labels[terminationMessagePath]
    protoPayload.request.spec.containers.0.imagePullPolicy traget.resource.attribute.labels[imagePullPolicy]
    protoPayload.request.spec.dnsPolicy target.resource.attribute.labels[imagePullPolicy]
    protoPayload.request.spec.enableServiceLinks traget.resource.attribute.labels[enableServiceLinks]
    protoPayload.request.spec.restartPolicy target.resource.attribute.labels[restartPolicy]
    protoPayload.request.spec.schedulerName target.resource.attribute.labels[schedulerName]
    protoPayload.request.spec.terminationGracePeriodSeconds traget.resource.attribute.labels[protoPayload_request_spec_terminationGracePeriodSeconds]
    protoPayload.request.metadata.namespace security_result.about.namespace
    protoPayload.request.apiVersion target.resource.attribute.labels [request apiVersion]
    protoPayload.request.kind target.resource.attribute.labels[request.kind]
    protoPayload.request.metadata.name target.resource.attribute.labels[request.metadata.name]
    labels.mutation.webhook.admission.k8s.io/round_0_index_0 security_result.about.resource.attribute.labels[labels_round_0_index_0]
    protoPayload.request.spec.containers.0.args about.file.capabilities_tags
    protoPayload.request.properties.disks.0.initializeParams.diskSizeGb principal.resource.attribute.labels[diskSizeGb]
    protoPayload.request.properties.disks.0.initializeParams.diskType principal.resource.attribute.labels[diskType]
    protoPayload.request.properties.disks.0.initializeParams.guestOsFeatures.0.type principal.resource.attribute.labels[guestOsFeatures type]
    protoPayload.request.properties.disks.0.initializeParams.labels.0.key principal.resource.attribute.labels[protoPayload.request.properties.disks.0.initializeParams.labels.0.key]
    protoPayload.request.properties.disks.0.initializeParams.sourceImage principal.resource.attribute.labels[sourceImage]
    protoPayload.request.properties.disks.0.type principal.resource.attribute.labels[disks Type]
    key_id security_result.detection_field[key_id] key_id field value is extracted from the message log field using a Grok pattern.
    protoPayload.request.securityHealthAnalyticsSettings.modules.PUBLIC_BUCKET_ACL.moduleEnablementState target.resource.attribute.labels[PUBLIC_BUCKET_ACL_module_enablement_state]
    protoPayload.response.serviceEnablementState target.resource.attribute.labels[service_enablement_state]
    protoPayload.request.metadata.creationTimestamp target.resource.attribute.creation_time
    protoPayload.request.metadata.labels.trivy.automatic.created target.resource.attribute.labels[req_metadata_trivy_automatic_created]
    protoPayload.request.metadata.labels.trivy.collector.name target.resource.attribute.labels[req_metadata_trivy_collector_name]
    protoPayload.request.metadata.labels.trivy.resource.kind target.resource.attribute.labels[req_metadata_trivy_resource_kind]
    protoPayload.request.metadata.labels.trivy.resource.name target.resource.attribute.labels[req_metadata_trivy_resource_name]
    protoPayload.request.spec.backoffLimit target.resource.attribute.labels[req_spec_backoff_limit]
    protoPayload.request.spec.completionMode target.resource.attribute.labels[req_spec_completion_mode]
    protoPayload.request.spec.completions target.resource.attribute.labels[req_spec_completions]
    protoPayload.request.spec.parallelism target.resource.attribute.labels[req_spec_parallelism]
    protoPayload.request.spec.suspend target.resource.attribute.labels[req_spec_suspend]
    protoPayload.request.spec.template.metadata.creationTimestamp target.resource.attribute.labels[req_spec_template_metadata_creation_time]
    protoPayload.request.spec.template.metadata.labels.app target.resource.attribute.labels[req_spec_template_metadata_app]
    protoPayload.request.spec.template.spec.automountServiceAccountToken target.resource.attribute.labels[req_spec_template_spec_automount_service_account_token]
    protoPayload.request.spec.template.spec.containers.command target.resource_ancestors.attribute.labels[req_spec_template_spec_container_command]
    protoPayload.request.spec.template.spec.containers.image target.resource_ancestors.attribute.labels[req_spec_template_spec_container_image]
    protoPayload.request.spec.template.spec.containers.imagePullPolicy target.resource_ancestors.attribute.labels[req_spec_template_spec_container_image_pull_policy]
    protoPayload.request.spec.template.spec.containers.name target.resource_ancestors.name
    protoPayload.request.spec.template.spec.containers.resources.limits.cpu target.resource_ancestors.attribute.labels[req_spec_template_spec_container_resource_limits_cpu]
    protoPayload.request.spec.template.spec.containers.resources.limits.memory target.resource_ancestors.attribute.labels[req_spec_template_spec_container_resource_limits_memory]
    protoPayload.request.spec.template.spec.containers.resources.requests.cpu target.resource_ancestors.attribute.labels[req_spec_template_spec_container_resource_request_cpu]
    protoPayload.request.spec.template.spec.containers.resources.requests.memory target.resource_ancestors.attribute.labels[req_spec_template_spec_container_resource_request_memory]
    protoPayload.request.spec.template.spec.containers.securityContext.allowPrivilegeEscalation target.resource_ancestors.attribute.labels[req_spec_template_spec_container_security_context_allow_privilege_escalation]
    protoPayload.request.spec.template.spec.containers.securityContext.capabilities.drop target.resource_ancestors.attribute.labels[req_spec_template_spec_container_security_context_capabilities_drop]
    protoPayload.request.spec.template.spec.containers.securityContext.privileged target.resource_ancestors.attribute.labels[req_spec_template_spec_container_security_context_privileged]
    protoPayload.request.spec.template.spec.containers.securityContext.readOnlyRootFilesystem target.resource_ancestors.attribute.labels[req_spec_template_spec_container_security_context_read_only_root_filesystem]
    protoPayload.request.spec.template.spec.containers.terminationMessagePath target.resource_ancestors.attribute.labels[req_spec_template_spec_container_termination_message_path]
    protoPayload.request.spec.template.spec.containers.terminationMessagePolicy target.resource_ancestors.attribute.labels[req_spec_template_spec_container_termination_message_policy]
    protoPayload.request.spec.template.spec.containers.volumeMounts.mountPath target.resource_ancestors.attribute.labels[req_spec_template_spec_container_volume_mounts_mount_path]
    protoPayload.request.spec.template.spec.containers.volumeMounts.name target.resource_ancestors.attribute.labels[req_spec_template_spec_container_volume_mounts_name]
    protoPayload.request.spec.template.spec.containers.volumeMounts.readOnly target.resource_ancestors.attribute.labels[req_spec_template_spec_container_volume_mounts_readonly]
    protoPayload.request.spec.template.spec.dnsPolicy target.resource.attribute.labels[req_spec_template_spec_dns_policy]
    protoPayload.request.spec.template.spec.hostPID target.resource.attribute.labels[req_spec_template_spec_host_pid]
    protoPayload.request.spec.template.spec.restartPolicy target.resource.attribute.labels[req_spec_template_spec_restart_policy]
    protoPayload.request.spec.template.spec.schedulerName target.resource.attribute.labels[req_spec_template_spec_scheduler_name]
    protoPayload.request.spec.template.spec.securityContext.runAsGroup target.resource.attribute.labels[req_spec_template_spec_security_context_run_as_group]
    protoPayload.request.spec.template.spec.securityContext.runAsUser target.resource.attribute.labels[req_spec_template_spec_security_context_run_as_user]
    protoPayload.request.spec.template.spec.securityContext.seccompProfile.type target.resource.attribute.labels[req_spec_template_spec_security_context_seccomp_profile_type]
    protoPayload.request.spec.template.spec.terminationGracePeriodSeconds target.resource.attribute.labels[req_spec_template_spec_termination_grace_period_seconds]
    protoPayload.request.spec.template.spec.volumes.hostPath.path target.resource.attribute.labels[req_spec_template_spec_volumes_host_path]
    protoPayload.request.spec.template.spec.volumes.hostPath.type target.resource.attribute.labels[req_spec_template_spec_volumes_host_path_type]
    protoPayload.request.spec.template.spec.volumes.name target.resource.attribute.labels[req_spec_template_spec_volumes_name]
    protoPayload.request.spec.automountServiceAccountToken target.resource.attribute.labels[req_spec_automount_service_account_token]
    protoPayload.request.spec.containers.command target.resource.attribute.labels[req_spec_container_command]
    protoPayload.request.spec.containers.securityContext.privileged target.resource.attribute.labels[req_spec_container_security_context_privileged]
    protoPayload.request.spec.containers.securityContext.allowPrivilegeEscalation target.resource.attribute.labels[req_spec_container_security_context_allow_privilege_escalation]
    protoPayload.request.spec.containers.securityContext.readOnlyRootFilesystem target.resource.attribute.labels[req_spec_container_security_context_read_only_root_filesystem]
    protoPayload.request.spec.containers.securityContext.capabilities.drop target.resource.attribute.labels[req_spec_container_security_context_capabilities_drop]
    protoPayload.request.spec.containers.volumeMounts.mountPath target.resource.attribute.labels[req_spec_container_volume_mount_path]
    protoPayload.request.spec.containers.volumeMounts.name target.resource.attribute.labels[req_spec_container_volume_mount_name]
    protoPayload.request.spec.containers.volumeMounts.readOnly target.resource.attribute.labels[req_spec_container_volume_mount_read_only]
    protoPayload.request.metadata.annotations.deprecated.daemonset.template.generation target.resource.attribute.labels[req_metadata_annotations_deprecated_daemonset_template_generation]
    protoPayload.request.metadata.labels.app target.resource.attribute.labels[req_metadata_app]
    protoPayload.request.metadata.labels.type target.resource.attribute.labels[req_metadata_labels_type]
    protoPayload.request.spec.serviceAccount target.resource.attribute.labels[req_spec_service_account]
    protoPayload.request.spec.serviceAccountName target.resource.attribute.labels[req_spec_serivce_account_name]
    protoPayload.request.spec.hostIPC target.resource.attribute.labels[req_spec_host_ipc]
    protoPayload.request.spec.hostNetwork target.resource.attribute.labels[req_spec_host_network]
    protoPayload.request.spec.hostPID target.resource.attribute.labels[req_spec_host_pid]
    protoPayload.request.spec.nodeName target.resource.attribute.labels[req_spec_node_name]
    protoPayload.request.spec.securityContext.privileged target.resource.attribute.labels[req_spec_security_context_privileged]
    protoPayload.request.spec.securityContext.allowPrivilegeEscalation target.resource.attribute.labels[req_spec_security_context_allow_privilege_escalation]
    protoPayload.request.spec.securityContext.readOnlyRootFilesystem target.resource.attribute.labels[req_spec_security_context_read_only_root_filesystem]
    protoPayload.request.spec.securityContext.capabilities.drop target.resource.attribute.labels[req_spec_security_context_capabilities_drop]
    protoPayload.request.spec.volumes.hostPath.path target.resource.attribute.labels[req_spec_volume_host_path]
    protoPayload.request.spec.volumes.hostPath.type target.resource.attribute.labels[req_spec_volume_host_path_type]
    protoPayload.request.spec.volumes.name target.resource.attribute.labels[req_spec_volume_name]
    protoPayload.request.spec.revisionHistoryLimit target.resource.attribute.labels[req_spec_revision_history_limit]
    protoPayload.request.spec.selector.matchLabels.app target.resource.attribute.labels[req_spec_selector_match_label_app]
    protoPayload.request.spec.selector.matchLabels.type target.resource.attribute.labels[req_spec_selector_match_label_type]
    protoPayload.request.spec.template.metadata.labels.type target.resource.attribute.labels[req_spec_template_metadata_labels_type]
    protoPayload.request.spec.template.spec.containers.args target.resource.attribute.labels[req_spec_template_spec_container_arg]
    protoPayload.request.spec.template.spec.hostIPC target.resource.attribute.labels[req_spec_template_spec_host_ipc]
    protoPayload.request.spec.template.spec.hostNetwork target.resource.attribute.labels[req_spec_template_spec_host_network]
    protoPayload.request.spec.updateStrategy.rollingUpdate.maxSurge target.resource.attribute.labels[req_spec_update_strategy_rolling_update_max_surge]
    protoPayload.request.spec.updateStrategy.rollingUpdate.maxUnavailable target.resource.attribute.labels[req_spec_update_strategy_rolling_update_max_unavailable]
    protoPayload.request.spec.updateStrategy.type target.resource.attribute.labels[req_spec_update_strategy_type]
    protoPayload.request.status.currentNumberScheduled target.resource.attribute.labels[req_status_current_number_scheduled]
    protoPayload.request.status.desiredNumberScheduled target.resource.attribute.labels[req_status_desired_number_scheduled]
    protoPayload.request.status.numberMisscheduled target.resource.attribute.labels[req_status_number_miss_scheduled]
    protoPayload.request.status.numberReady target.resource.attribute.labels[req_status_number_ready]
    protoPayload.response.@type target.resource.attribute.labels[res_type]
    protoPayload.response.apiVersion target.resource.attribute.labels[res_api_version]
    protoPayload.response.metadata.annotations.deprecated.daemonset.template.generation target.resource.attribute.labels[res_metadata_annotations_deprecated_daemonset_template_generation]
    protoPayload.response.metadata.generation target.resource.attribute.labels[res_metadata_generation]
    protoPayload.response.metadata.labels.type target.resource.attribute.labels[res_metadata_labels_type]
    protoPayload.response.metadata.labels.app target.resource.attribute.labels[res_metadata_label_app]
    protoPayload.response.metadata.creationTimestamp target.resource.attribute.labels[res_metadata_creation_time]
    protoPayload.response.metadata.name target.resource.attribute.labels[res_metadata_name]
    protoPayload.response.metadata.namespace target.resource.attribute.labels[res_metadata_namespace]
    protoPayload.response.metadata.resourceVersion target.resource.attribute.labels[res_metadata_resource_version]
    protoPayload.response.metadata.uid target.resource.attribute.labels[res_metadata_uid]
    protoPayload.response.spec.revisionHistoryLimit target.resource.attribute.labels[res_spec_revision_history_limit]
    protoPayload.response.spec.selector.matchLabels.app target.resource.attribute.labels[res_spec_selector_match_label_app]
    protoPayload.response.spec.selector.matchLabels.type target.resource.attribute.labels[res_spec_selector_match_label_type]
    protoPayload.response.spec.template.metadata.creationTimestamp target.resource.attribute.labels[res_spec_template_metadata_creation_time]
    protoPayload.response.spec.template.metadata.labels.app target.resource.attribute.labels[res_spec_template_metadata_app]
    protoPayload.response.spec.template.metadata.labels.type target.resource.attribute.labels[res_spec_template_metadata_type]
    protoPayload.response.spec.template.spec.containers.args target.resource_ancestors.attribute.labels[res_spec_template_spec_container_arg]
    protoPayload.response.spec.template.spec.containers.command target.resource_ancestors.attribute.labels[res_spec_template_spec_container_command]
    protoPayload.response.spec.template.spec.containers.image target.resource_ancestors.attribute.labels[res_spec_template_spec_container_image]
    protoPayload.response.spec.template.spec.containers.imagePullPolicy target.resource_ancestors.attribute.labels[res_spec_template_spec_container_image_pull_policy]
    protoPayload.response.spec.template.spec.containers.name target.resource_ancestors.name
    protoPayload.response.spec.template.spec.containers.resources.limits.cpu target.resource_ancestors.attribute.labels[res_spec_template_spec_container_resource_limits_cpu]
    protoPayload.response.spec.template.spec.containers.resources.limits.memory target.resource_ancestors.attribute.labels[res_spec_template_spec_container_resource_limits_memory]
    protoPayload.response.spec.template.spec.containers.resources.requests.cpu target.resource_ancestors.attribute.labels[res_spec_template_spec_container_resource_request_cpu]
    protoPayload.response.spec.template.spec.containers.resources.requests.memory target.resource_ancestors.attribute.labels[res_spec_template_spec_container_resource_request_memory]
    protoPayload.response.spec.template.spec.containers.securityContext.privileged target.resource_ancestors.attribute.labels[res_spec_template_spec_container_security_context_privileged]
    protoPayload.response.spec.template.spec.containers.securityContext.allowPrivilegeEscalation target.resource_ancestors.attribute.labels[res_spec_template_spec_container_security_context_allow_privilege_escalation]
    protoPayload.response.spec.template.spec.containers.securityContext.readOnlyRootFilesystem target.resource_ancestors.attribute.labels[res_spec_template_spec_container_security_context_read_only_root_filesystem]
    protoPayload.response.spec.template.spec.containers.securityContext.capabilities.drop target.resource_ancestors.attribute.labels[res_spec_template_spec_container_security_context_capabilities_drop]
    protoPayload.response.spec.template.spec.containers.terminationMessagePath target.resource_ancestors.attribute.labels[res_spec_template_spec_container_termination_message_path]
    protoPayload.response.spec.template.spec.containers.terminationMessagePolicy target.resource_ancestors.attribute.labels[res_spec_template_spec_container_termination_message_policy]
    protoPayload.response.spec.template.spec.containers.volumeMounts.mountPath target.resource_ancestors.attribute.labels[res_spec_template_spec_container_volume_mounts_mount_path]
    protoPayload.response.spec.template.spec.containers.volumeMounts.name target.resource_ancestors.attribute.labels[res_spec_template_spec_container_volume_mounts_name]
    protoPayload.response.spec.template.spec.containers.volumeMounts.readOnly target.resource_ancestors.attribute.labels[res_spec_template_spec_container_volume_mounts_read_only]
    protoPayload.response.spec.template.spec.dnsPolicy target.resource.attribute.labels[res_spec_template_spec_dns_policy]
    protoPayload.response.spec.template.spec.hostIPC target.resource.attribute.labels[res_spec_template_spec_host_pid]
    protoPayload.response.spec.template.spec.hostNetwork target.resource.attribute.labels[res_spec_template_spec_host_network]
    protoPayload.response.spec.template.spec.hostPID target.resource.attribute.labels[res_spec_template_spec_host_ipc]
    protoPayload.response.spec.template.spec.nodeName target.resource.attribute.labels[res_spec_template_spec_node_name]
    protoPayload.response.spec.template.spec.restartPolicy target.resource.attribute.labels[res_spec_template_spec_restart_policy]
    protoPayload.response.spec.template.spec.schedulerName target.resource.attribute.labels[res_spec_template_spec_scheduler_name]
    protoPayload.response.spec.template.spec.securityContext.runAsGroup target.resource.attribute.labels[res_spec_template_spec_security_context_run_as_group]
    protoPayload.response.spec.template.spec.securityContext.runAsUser target.resource.attribute.labels[res_spec_template_spec_security_context_run_as_user]
    protoPayload.response.spec.template.spec.securityContext.seccompProfile.type target.resource.attribute.labels[res_spec_template_spec_security_context_seccomp_profile_type]
    protoPayload.response.spec.template.spec.terminationGracePeriodSeconds target.resource.attribute.labels[res_spec_template_spec_termination_grace_period_seconds]
    protoPayload.response.spec.template.spec.volumes.hostPath.path target.resource.attribute.labels[res_spec_template_spec_volumes_host_path]
    protoPayload.response.spec.template.spec.volumes.hostPath.type target.resource.attribute.labels[res_spec_template_spec_volumes_host_path_type]
    protoPayload.response.spec.template.spec.volumes.name target.resource.attribute.labels[res_spec_template_spec_volumes_name]
    protoPayload.response.spec.updateStrategy.rollingUpdate.maxSurge target.resource.attribute.labels[res_spec_update_strategy_rolling_update_max_surge]
    protoPayload.response.spec.updateStrategy.rollingUpdate.maxUnavailable target.resource.attribute.labels[res_spec_update_strategy_rolling_update_max_unavailable]
    protoPayload.response.spec.updateStrategy.type target.resource.attribute.labels[res_spec_update_strategy_type]
    protoPayload.response.spec.containers.args target.resource_ancestors.attribute.labels[res_spec_container_arg]
    protoPayload.response.spec.containers.command target.resource_ancestors.attribute.labels[res_spec_container_command]
    protoPayload.response.spec.containers.image target.resource_ancestors.attribute.labels[res_spec_container_image]
    protoPayload.response.spec.containers.imagePullPolicy target.resource_ancestors.attribute.labels[res_spec_container_image_pull_policy]
    protoPayload.response.spec.containers.name target.resource_ancestors.name
    protoPayload.response.spec.containers.securityContext.privileged target.resource_ancestors.attribute.labels[res_spec_container_security_context_privileged]
    protoPayload.response.spec.containers.securityContext.allowPrivilegeEscalation target.resource_ancestors.attribute.labels[res_spec_container_security_context_allow_privilege_escalation]
    protoPayload.response.spec.containers.securityContext.readOnlyRootFilesystem target.resource_ancestors.attribute.labels[res_spec_container_security_context_read_only_root_filesystem]
    protoPayload.response.spec.containers.securityContext.capabilities.drop target.resource_ancestors.attribute.labels[res_spec_container_security_context_capabilities_drop]
    protoPayload.response.spec.containers.terminationMessagePath target.resource_ancestors.attribute.labels[res_spec_container_termination_message_path]
    protoPayload.response.spec.containers.terminationMessagePolicy target.resource_ancestors.attribute.labels[res_spec_container_termination_message_policy]
    protoPayload.response.spec.containers.volumeMounts.mountPath target.resource_ancestors.attribute.labels[res_spec_container_volume_mount_path]
    protoPayload.response.spec.containers.volumeMounts.name target.resource_ancestors.attribute.labels[res_spec_container_volume_mount_name]
    protoPayload.response.spec.containers.volumeMounts.readOnly target.resource_ancestors.attribute.labels[res_spec_container_volume_mount_read_only]
    protoPayload.response.spec.dnsPolicy target.resource.attribute.labels[res_spec_dns_policy]
    protoPayload.response.spec.enableServiceLinks target.resource.attribute.labels[res_spec_enable_service_links]
    protoPayload.response.spec.hostIPC target.resource.attribute.labels[res_spec_host_ipc]
    protoPayload.response.spec.hostNetwork target.resource.attribute.labels[res_spec_host_network]
    protoPayload.response.spec.hostPID target.resource.attribute.labels[res_spec_host_pid]
    protoPayload.response.spec.nodeName target.resource.attribute.labels[res_spec_node_name]
    protoPayload.response.spec.preemptionPolicy target.resource.attribute.labels[res_spec_preemption_policy]
    protoPayload.response.spec.priority target.resource.attribute.labels[res_spec_priority]
    protoPayload.response.spec.restartPolicy target.resource.attribute.labels[res_spec_restart_policy]
    protoPayload.response.spec.schedulerName target.resource.attribute.labels[res_spec_scheduler_name]
    protoPayload.response.spec.serviceAccount target.resource.attribute.labels[res_spec_service_account]
    protoPayload.response.spec.serviceAccountName target.resource.attribute.labels[res_spec_serivce_account_name]
    protoPayload.response.spec.terminationGracePeriodSeconds target.resource.attribute.labels[res_spec_termination_grace_period_seconds]
    protoPayload.response.spec.tolerations.effect target.resource.attribute.labels[res_spec_toleration_effect]
    protoPayload.response.spec.tolerations.key target.resource.attribute.labels[res_spec_toleration_key]
    protoPayload.response.spec.tolerations.operator target.resource.attribute.labels[res_spec_toleration_operator]
    protoPayload.response.spec.tolerations.tolerationSeconds target.resource.attribute.labels[res_spec_toleration_second]
    protoPayload.response.spec.volumes.hostPath.path target.resource.attribute.labels[res_spec_volume_host_path]
    protoPayload.response.spec.volumes.hostPath.type target.resource.attribute.labels[res_spec_volume_host_path_type]
    protoPayload.response.spec.volumes.name target.resource.attribute.labels[res_spec_volume_name]
    protoPayload.response.spec.volumes.projected.defaultMode target.resource.attribute.labels[res_spec_volume_projected_default_mode]
    protoPayload.response.spec.volumes.projected.sources.serviceAccountToken.expirationSeconds target.resource.attribute.labels[res_spec_volume_projected_src_service_acc_token_ecpiration_sec]
    protoPayload.response.spec.volumes.projected.sources.serviceAccountToken.path target.resource.attribute.labels[res_spec_volume_projected_src_service_acc_token_path]
    protoPayload.response.spec.volumes.projected.sources.configMap.items.key target.resource.attribute.labels[res_spec_volume_projected_src_config_map_item_key]
    protoPayload.response.spec.volumes.projected.sources.configMap.items.path target.resource.attribute.labels[res_spec_volume_projected_src_config_map_item_path]
    protoPayload.response.spec.volumes.projected.sources.configMap.name target.resource.attribute.labels[res_spec_volume_projected_src_config_map_name]
    protoPayload.response.spec.volumes.projected.sources.downwardAPI.items.fieldRef.apiVersion target.resource.attribute.labels[res_spec_volume_projected_src_downward_api_item_field_ref_api_version]
    protoPayload.response.spec.volumes.projected.sources.downwardAPI.items.fieldRef.fieldPath target.resource.attribute.labels[res_spec_volume_projected_src_downward_api_item_field_ref_field_path]
    protoPayload.response.spec.volumes.projected.sources.downwardAPI.items.path target.resource.attribute.labels[res_spec_volume_projected_src_downward_api_item_path]
    protoPayload.response.status.phase target.resource.attribute.labels[res_status_phase]
    protoPayload.response.status.qosClass target.resource.attribute.labels[res_status_qos_class]
    protoPayload.response.status.currentNumberScheduled target.resource.attribute.labels[res_status_current_number_scheduled]
    protoPayload.response.status.desiredNumberScheduled target.resource.attribute.labels[res_status_desired_number_scheduled]
    protoPayload.response.status.numberMisscheduled target.resource.attribute.labels[res_status_number_miss_scheduled]
    protoPayload.response.status.numberReady target.resource.attribute.labels[res_status_number_ready]
    protoPayload.serviceData.jobCompletedEvent.job.jobConfiguration.labels.requestor target.resource.attribute.labels[ser_jobconf_requestor]
    protoPayload.serviceData.jobCompletedEvent.job.jobConfiguration.labels.looker_studio_datasource_id target.resource.attribute.labels[ser_jobconf_looker_studio_datasource_id]
    protoPayload.serviceData.jobCompletedEvent.job.jobConfiguration.labels.looker_studio_report_id target.resource.attribute.labels[ser_jobconf_looker_studio_report_id]
    labels.authorization.k8s.io/decision security_result.action If the labels.authorization.k8s.io/decision log field value is equal to allow, then the security_result.action UDM field is set to ALLOW.

    Else, if the labels.authorization.k8s.io/decision log field value is equal to block, then the security_result.action UDM field is set to BLOCK.
    labels.pod-security.kubernetes.io/enforce-policy security_result.detection_fields[pod_security_kubernetes_io_enforce_policy]
    labels.authorization.k8s.io/reason security_result.action_details
    protoPayload.request.roleRef.apiGroup target.user.attribute.labels[req_role_ref_api_group]
    protoPayload.request.roleRef.kind target.user.attribute.labels[req_role_ref_kind]
    protoPayload.request.roleRef.name target.user.attribute.roles.name
    protoPayload.request.subjects.apiGroup target.user.attribute.labels[req_subject_api_group]
    protoPayload.request.subjects.kind target.user.attribute.labels[req_subject_kind]
    protoPayload.request.rules.apiGroups security_result.rule_labels[req_rule_api_group]
    protoPayload.request.rules.resources security_result.rule_labels[req_rule_resource]
    protoPayload.request.rules.verbs security_result.rule_labels[req_rule_verb]
    protoPayload.request.rules.resourceNames security_result.rule_labels[req_rule_resource_name]
    protoPayload.response.metadata.managedFields.apiVersion target.resource.attribute.labels[res_managed_field_api_version]
    protoPayload.response.metadata.managedFields.fieldsType target.resource.attribute.labels[res_managed_field_type]
    protoPayload.response.metadata.managedFields.manager target.resource.attribute.labels[res_managed_field_manager]
    protoPayload.response.metadata.managedFields.operation target.resource.attribute.labels[res_managed_field_operation]
    protoPayload.response.metadata.managedFields.time target.resource.attribute.labels[res_managed_field_time]
    protoPayload.request.spec.containers.securityContext.capabilities.add target.resource_ancestors.attribute.labels[req_spec_container_security_context_capabilities_add]
    protoPayload.request.spec.containers.securityContext.seccompProfile.type target.resource_ancestors.attribute.labels[req_spec_container_security_context_seccomp_profile_type]
    protoPayload.request.spec.shareProcessNamespace target.resource.attribute.labels[req_spec_share_process_namespace]
    protoPayload.response.spec.containers.securityContext.capabilities.add target.resource_ancestors.attribute.labels[res_spec_container_security_context_capabilities_add]
    protoPayload.response.spec.containers.securityContext.seccompProfile.type target.resource_ancestors.attribute.labels[res_spec_container_security_context_seccomp_profile_type]
    protoPayload.response.spec.shareProcessNamespace target.resource.attribute.labels[res_spec_share_process_namespace]
    protoPayload.metadata.membershipDelta.member target.resource.attribute.labels[membership_delta_member]
    protoPayload.metadata.membershipDelta.roleDeltas.action target.resource.attribute.labels[membership_role_deltas_action]
    protoPayload.metadata.membershipDelta.roleDeltas.role target.resource.attribute.labels[membership_role_deltas_role]
    protoPayload.request.spec.resourceAttributes.namespace target.resource.attribute.labels[req_spec_resource_attribute_namespace]
    protoPayload.request.spec.resourceAttributes.resource target.resource.attribute.labels[req_spec_resource_attribute_resource]
    protoPayload.request.spec.resourceAttributes.verb target.resource.attribute.labels[req_spec_resource_attribute_verb]
    protoPayload.request.status.allowed target.resource.attribute.labels[req_status_allowed]
    protoPayload.response.spec.resourceAttributes.namespace target.resource.attribute.labels[res_spec_resource_attribute_namespace]
    protoPayload.response.spec.resourceAttributes.resource target.resource.attribute.labels[res_spec_resource_attribute_resource]
    protoPayload.response.spec.resourceAttributes.verb target.resource.attribute.labels[res_spec_resource_attribute_verb]
    protoPayload.response.status.allowed target.resource.attribute.labels[res_status_allowed]
    protoPayload.request.objects.db additional.fields[database_name]
    jsonPayload.accesses.methodName additional.fields[methodName]
    protoPayload.request.objects.name additional.fields[objects_name]
    protoPayload.metadata.event.eventName.parameter.name[API_CLIENT_NAME] additional.fields[api_client_name]
    protoPayload.metadata.event.eventName.parameter.name[API_SCOPES] additional.fields[api_scopes]
    protoPayload.metadata.event.eventName.parameter.name[BEGIN_DATE_TIME] additional.fields[begin_date_time]
    protoPayload.metadata.event.eventName.parameter.name[BULK_UPLOAD_FAIL_USERS_NUMBER] additional.fields[bulk_upload_fail_users_number]
    protoPayload.metadata.event.eventName.parameter.name[BULK_UPLOAD_TOTAL_USERS_NUMBER] additional.fields[bulk_upload_total_users_number]
    protoPayload.metadata.event.eventName.parameter.name[CAA_ASSIGNMENTS_NEW] additional.fields[caa_assignments_new]
    protoPayload.metadata.event.eventName.parameter.name[CAA_ASSIGNMENTS_OLD] additional.fields[caa_assignments_old]
    protoPayload.metadata.event.eventName.parameter.name[CAA_ENFORCEMENT_ENDPOINTS_NEW] additional.fields[caa_enforcement_endpoints_new]
    protoPayload.metadata.event.eventName.parameter.name[CAA_ENFORCEMENT_ENDPOINTS_OLD] additional.fields[caa_enforcement_endpoints_old]
    protoPayload.requestMetadata.requestAttributes.size additional.fields[caller_network_request_size]
    protoPayload.requestMetadata.requestAttributes.time additional.fields[caller_network_request_time]
    protoPayload.requestMetadata.callerNetwork additional.fields[caller_network]
    protoPayload.requestMetadata.requestAttributes.size additional.fields[caller_network_request_size]
    protoPayload.requestMetadata.requestAttributes.time additional.fields[request_attributes_time]
    protoPayload.requestMetadata.callerNetwork additional.fields[caller_network]
    protoPayload.metadata.event.eventName.parameter.name[CHROME_LICENSES_ENABLED] additional.fields[chrome_licenses_enabled]
    protoPayload.metadata.event.eventName.parameter.name[END_DATE_TIME] additional.fields[end_date_time]
    protoPayload.metadata.event.eventName.parameter.name[END_DATE] additional.fields[end_date]
    protoType.metadata.event.eventName additional.fields[event_name]
    protoPayload.metadata.event.parameter.label additional.fields[event_param_label]
    protoPayload.metadata.event.parameter.type additional.fields[event_param_type]
    protoType.metadata.event.eventType additional.fields[event_type]
    protoPayload.metadata.event.eventName.parameter.name[FIELD_NAME] additional.fields[field_name]
    protoPayload.metadata.event.eventName.parameter.name[FULL_ORG_UNIT_PATH] additional.fields[full_org_unit_path]
    protoPayload.metadata.event.eventName.parameter.name[GROUP_MEMBER_BULK_UPLOAD_FAILED_NUMBER] additional.fields[grp_member_bulk_upload_failed]
    protoPayload.metadata.event.eventName.parameter.name[GROUP_MEMBER_BULK_UPLOAD_TOTAL_NUMBER] additional.fields[grp_member_bulk_upload_total]
    httpRequest.cacheFillBytes additional.fields[httpreq_cache_fill_bytes]
    httpRequest.cacheHit additional.fields[httpreq_cache_hit]
    httpRequest.cacheLookup additional.fields[httpreq_cache_lookup]
    httpRequest.cacheValidatedWithOriginServer additional.fields[httpreq_cache_validated_with_origin_server]
    httpRequest.latency additional.fields[httprequest_latency]
    protoPayload.metadata.event.eventName.parameter.name[INFO_TYPE] additional.fields[info_type]
    protoPayload.metadata.activityId.timeUsec additional.fields[metadata_activityId_time_usec]
    protoPayload.metadata.activityId.uniqQualifier additional.fields[metadata_activityId_uniq_qualifier]
    protoPayload.metadata.@type additional.fields[metadata_type]
    protoPayload.metadata.event.eventName.parameter.name[NEW_PERMISSION_GRANT_STATE] additional.fields[new_permission_grant_state]
    protoPayload.metadata.event.eventName.parameter.name[NUMBER_OF_COMPANY_OWNED_DEVICES] additional.fields[num_of_company_owned_device]
    protoPayload.numResponseItems additional.fields[num_response_items]
    protoPayload.metadata.event.eventName.parameter.name[OLD_PERMISSION_GRANT_STATE] additional.fields[old_permission_grant_state]
    operation.first additional.fields[operation_first]
    operation.id additional.fields[operation_id]
    operation.last additional.fields[operation_last]
    operation.producer additional.fields[operation_producer]
    protoPayload.resourceOriginalState.selfLinkWithId additional.fields[rc_old_selflinkWithId]
    protoPayload.metadata.event.eventName.parameter.name[REAUTH_SETTING_NEW] additional.fields[reauth_setting_new]
    protoPayload.metadata.event.eventName.parameter.name[REAUTH_SETTING_OLD] additional.fields[reauth_setting_old]
    protoPayload.request.alloweds.ports additional.fields[req_alloweds_ports]
    protoPayload.request.body.name additional.fields[req_body_name]
    protoPayload.request.body.settings.activityPolicy additional.fields[req_body_settings_activity_policy]
    protoPayload.request.deletionProtection additional.fields[req_deletion_protection]
    protoPayload.request.disabled additional.fields[req_disabled]
    protoPayload.request.displayDevice.enableDisplay additional.fields[req_display_device_enable_display]
    protoPayload.request.enableFlowLogs additional.fields[req_enable_flow_logs]
    protoPayload.request.fingerprint additional.fields[req_fingerprint]
    protoPayload.request.shieldedInstanceConfig.enableSecureBoot additional.fields[req_instance_config_enable_secure_boot]
    protoPayload.request.shieldedInstanceConfig.enableVtpm additional.fields[req_instance_config_enable_vtpm]
    protoPayload.request.shieldedInstanceConfig.enableIntegrityMonitoring additional.fields[req_instance_enable_integrity_monitoring]
    protoPayload.request.key_types additional.fields[req_key_types]
    protoPayload.request.logconfig.enable additional.fields[req_logconfig_enable]
    protoPayload.request.networkTier additional.fields[req_network_tier]
    protoPayload.request.network additional.fields[req_network]
    protoPayload.request.page_size additional.fields[req_page_size]
    request.pagesize additional.fields[req_page_size]
    protoPayload.request.policy.etag additional.fields[req_policy_etag]
    protoPayload.request.portRange additional.fields[req_port_range]
    protoPayload.request.privateIpGoogleAccess additional.fields[req_private_ip_google_access]
    protoPayload.request.private_key_type additional.fields[req_private_key_type]
    protoPayload.request.remove_deleted_service_accounts additional.fields[req_remove_deleted_serviceAcc]
    protoPayload.request.showDeleted additional.fields[req_show_deleted]
    protoPayload.request.skip_visibility_check additional.fields[req_skip_visibility_check]
    protoPayload.request.stackType additional.fields[req_stack_type]
    protoPayload.request.type additional.fields[req_type]
    protoPayload.request.updateMask additional.fields[req_update_mask]
    protoPayload.request.version additional.fields[req_version]
    protoPayload.response.clientOperationId additional.fields[res_client_operation_id]
    protoPayload.response.endTime additional.fields[res_end_time]
    protoPayload.response.id additional.fields[res_id]
    protoPayload.response.key_algorithm additional.fields[res_key_algorithm]
    protoPayload.response.key_origin additional.fields[res_key_origin]
    protoPayload.response.key_type additional.fields[res_key_type]
    protoPayload.response.kind additional.fields[res_kind]
    protoPayload.response.private_key_type additional.fields[res_private_key_type]
    protoPayload.response.progress additional.fields[res_progress]
    protoPayload.response.startTime additional.fields[res_start_time]
    protoPayload.response.status security_result.action The security_result.action is set to FAIL when the following conditions are met:
    • The value in the protoPayload.response.status log field value is equal to Failure.
    • The value in the security_result.action UDM field is equal to ALLOW.
    protoPayload.response.status additional.fields[res_status]
    protoPayload.response.type additional.fields[res_type]
    protoPayload.response.unique_id additional.fields[res_unique_id]
    protoPayload.response.valid_after_time.seconds additional.fields[res_valid_after_time]
    protoPayload.response.valid_before_time.seconds additional.fields[res_valid_before_time]
    protoPayload.response.version additional.fields[res_version]
    protoPayload.response.zone additional.fields[res_zone]
    protoPayload.metadata.event.eventName.parameter.name[SEARCH_QUERY_FOR_DUMP] additional.fields[search_query_for_dump]
    spanId additional.fields[span_id]
    protoPayload.metadata.event.eventName.parameter.name[START_DATE] additional.fields[start_date]
    traceSampled additional.fields[trace_sampled]
    Trace additional.fields[trace]
    protoPayload.@type additional.fields[type]
    protoPayload.redactions.reason additional.fields[protoPayload.redactions.field]
    protoPayload.redactions.type additional.fields[protoPayload.redactions.field]
    authenticationInfo.serviceAccountDelegationInfo.firstPartyPrincipal.serviceMetadata additional.fields[service_metadata]
    jsonPayload.sourceNetwork additional.fields[source_network]
    authenticationInfo.serviceAccountDelegationInfo.thirdPartyPrincipal.thirdPartyClaims additional.fields[third_party_claims]
    protoPayload.requestMetadata.requestAttributes.time additional.fields[caller_network_request_time]
    protoPayload.request.ipCidrRange additional.fields[req_ip_cidr_range]
    protoPayload.request.description additional.labels[req_description]
    protoPayload.request.sourceRanges additional.fields[req_source_ranges]
    protoPayload.requestMetadata.requestAttributes.reason additional.fields[request_attributes_reason]
    protoPayload.authenticationInfo.thirdPartyPrincipal additional.fields[third_party_principal]
    sourceLocation.function additional.fields[src_location_function]
    sourceLocation.line additional.fields[src_location_line]
    resource.labels.backend_service_name additional.fields[backend_service_name]
    protoPayload.requestMetadata.requestAttributes.auth.claims additional.fields[request_auth_claims]
    protoPayload.metadata.event.eventName.parameter.name[APPLICATION_EDITION] additional.fields[application_edition]
    protoPayload.metadata.event.eventName.parameter.name[ASP_ID] additional.fields[asp_id]
    protoPayload.metadata.event.eventName.parameter.name[CHROME_OS_SESSION_TYPE] additional.fields[chrome_os_session_type]
    protoPayload.metadata.event.eventName.parameter.name[DEVICE_NEW_ORG_UNIT] additional.fields[device_new_org_unit]
    protoPayload.metadata.event.eventName.parameter.name[DEVICE_PREVIOUS_ORG_UNIT] additional.fields[device_previous_org_unit]
    protoPayload.metadata.event.eventName.parameter.name[DOMAIN_ALIAS] additional.fields[domain_alias]
    protoPayload.metadata.event.eventName.parameter.name[EMAIL_EXPORT_INCLUDE_DELETED] additional.fields[email_export_include_deleted]
    protoPayload.metadata.event.eventName.parameter.name[EMAIL_EXPORT_PACKAGE_CONTENT] additional.fields[email_export_package_content]
    protoPayload.metadata.event.eventName.parameter.name[EMAIL_LOG_SEARCH_END_DATE] additional.fields[email_log_search_end_date]
    protoPayload.metadata.event.eventName.parameter.name[EMAIL_LOG_SEARCH_START_DATE] additional.fields[email_log_search_start_date]
    protoPayload.metadata.event.eventName.parameter.name[EMAIL_MONITOR_LEVEL_CHAT] additional.fields[email_monitor_level_chat]
    protoPayload.metadata.event.eventName.parameter.name[EMAIL_MONITOR_LEVEL_DRAFT_EMAIL] additional.fields[email_monitor_level_draft_email]
    protoPayload.metadata.event.eventName.parameter.name[EMAIL_MONITOR_LEVEL_INCOMING_EMAIL] additional.fields[email_monitor_level_in_email]
    protoPayload.metadata.event.eventName.parameter.name[EMAIL_MONITOR_LEVEL_OUTGOING_EMAIL] additional.fields[email_monitor_level_out_email]
    protoPayload.metadata.event.eventName.parameter.name[GMAIL_RESET_REASON] additional.fields[email_reset_reason]
    protoPayload.metadata.event.eventName.parameter.name[NEW_VALUE] additional.fields[new_value]
    protoPayload.metadata.event.eventName.parameter.name[OAUTH2_APP_TYPE] additional.fields[oauth2_app_type]
    protoPayload.metadata.event.eventName.parameter.name[OLD_VALUE] additional.fields[old_value]
    protoPayload.requestMetadata.destinationAttributes.principal additional.fields[peer_principal]
    protoPayload.requestMetadata.destinationAttributes.regionCode additional.fields[peer_region_code]
    protoPayload.request.loadBalancingScheme additional.fields[req_load_balancing_scheme]
    protoPayload.request.requestId additional.fields[request_id]
    protoPayload.metadata.event.eventName.parameter.name[REQUEST_ID] additional.fields[request_id]
    protoPayload.resourceOriginalState.description additional.fields[res_originalState_description]
    protoPayload.response.bindings.members additional.fields[response_bindings_members]
    protoPayload.response.description additional.fields[response_description]
    protoPayload.response.display_name additional.fields[response_display_name]
    protoPayload.metadata.event.eventName.parameter.name[SECONDARY_DOMAIN_NAME] additional.fields[secondary_domain_name]
    protoPayload.metadata.event.eventName.parameter.name[SETTING_NAME] additional.fields[setting_name]
    protoPayload.metadata.event.eventName.parameter.name[USER_CUSTOM_FIELD] additional.fields[user_custom_field]
    protoPayload.metadata.event.eventName.parameter.name[USER_DEFINED_SETTING_NAME] additional.fields[user_defined_setting_name]
    protoPayload.metadata.event.eventName.parameter.name[WEB_ORIGIN] additional.fields[web_origin]
    protoPayload.metadata.event.eventName.parameter.name[WHITELISTED_GROUPS] additional.fields[whitelisted_groups]
    jsonPayload.end_time additional.fields[jsonPayload_end_time]
    jsonPayload.reporter additional.fields[jsonPayload_reporter]
    jsonPayload.start_time additional.fields[jsonPayload_start_time]
    jsonPayload.src_instance.project_id additional.fields[jsonPayload_src_instance_project_id]
    jsonPayload.dest_instance.project_id additional.fields[jsonPayload_dest_instance_project_id]
    jsonPayload.src_location.asn additional.fields[jsonPayload_src_location_asn]
    jsonPayload.src_location.continent additional.fields[jsonPayload_src_location_continent]
    jsonPayload.dest_location.asn additional.fields[jsonPayload_dest_location_asn]
    jsonPayload.dest_location.continent additional.fields[jsonPayload_dest_location_continent]
    protoPayload.request.spec.expirationSeconds target.resource.attribute.labels[req_spec_expiration_seconds]
    protoPayload.request.spec.request target.resource.attribute.labels[req_spec_request]
    protoPayload.request.spec.signerName target.resource.attribute.labels[req_spec_signer_name]
    protoPayload.request.spec.usages target.resource.attribute.labels[req_spec_usage]
    protoPayload.response.spec.expirationSeconds target.resource.attribute.labels[res_spec_expiration_seconds]
    protoPayload.response.spec.extra.iam.gke.io/user-assertion target.resource.attribute.labels[res_spec_extra_iam_gke_io/user_assertion]
    protoPayload.response.spec.extra.user-assertion.cloud.google.com target.resource.attribute.labels[res_spec_extra_user_assertion_cloud_google_com]
    protoPayload.response.spec.groups target.resource.attribute.labels[res_spec_group]
    protoPayload.response.spec.request target.resource.attribute.labels[res_spec_request]
    protoPayload.response.spec.signerName target.resource.attribute.labels[res_spec_signer_name]
    protoPayload.response.spec.usages target.resource.attribute.labels[res_spec_usage]
    protoPayload.response.spec.username target.resource.attribute.labels[res_spec_username]
    protoPayload.request.cryptoKeyVersion.state target.resource.attribute.labels[req_cryptokey_version_state]
    protoPayload.serviceData.policyDelta.auditConfigDeltas.action target.resource.attribute.labels[service_data_policy_delta_audit_config_delta_action]
    protoPayload.serviceData.policyDelta.auditConfigDeltas.service target.resource.attribute.labels[service_data_policy_delta_audit_config_delta_service]
    protoPayload.serviceData.policyDelta.auditConfigDeltas.exemptedMember target.resource.attribute.labels[service_data_policy_delta_audit_config_delta_exempted_member]
    protoPayload.serviceData.policyDelta.auditConfigDeltas.logType target.resource.attribute.labels[service_data_policy_delta_audit_config_delta_log_type]
    protoPayload.request.policy.bindings.role target.resource.attribute.labels[req_policy_bindings_role]
    protoPayload.request.policy.bindings.members target.resource.attribute.labels[req_bindings_members]
    protoPayload.metadata.tableChange.bindingDeltas.action target.resource.attribute.labels[table_change_binding_deltas_action]
    protoPayload.metadata.tableChange.bindingDeltas.member target.resource.attribute.labels[table_change_binding_deltas_member]
    protoPayload.metadata.tableChange.bindingDeltas.role target.resource.attribute.labels[table_change_binding_deltas_role]
    protoPayload.metadata.datasetChange.bindingDeltas.action target.resource.attribute.labels[dataset_change_binding_deltas_action]
    protoPayload.metadata.datasetChange.bindingDeltas.member target.resource.attribute.labels[dataset_change_binding_deltas_member]
    protoPayload.metadata.datasetChange.bindingDeltas.role target.resource.attribute.labels[dataset_change_binding_deltas_role]
    protoPayload.metadata.tableChange.table.policy.etag target.resource.attribute.labels[table_change_table_policy_etag]
    protoPayload.metadata.tableChange.table.policy.bindings.role target.resource.attribute.labels[table_change_table_policy_bindings_{index}_role]
    protoPayload.metadata.tableChange.table.policy.bindings.members target.resource.attribute.labels[table_change_table_policy_bindings_{index}_members_{index1}]
    protoPayload.metadata.datasetChange.dataset.acl.policy.bindings.role target.resource.attribute.labels[dataset_change_dataset_acl_policy_bindings_{index}_role]
    protoPayload.metadata.datasetChange.dataset.acl.policy.bindings.members target.resource.attribute.labels[dataset_change_dataset_acl_policy_bindings_{index}_members_{index1}]
    protoPayload.request.bindings.role target.resource.attribute.labels[request_bindings_{index}_role]
    protoPayload.request.bindings.members target.resource.attribute.labels[request_bindings_{index}_members_{index1}]
    protoPayload.metadata.groupDelta.newGroup.description target.group.attribute.labels[metadata_group_delta_new_group_description]
    protoPayload.metadata.groupDelta.newGroup.email target.group.email_addresses
    protoPayload.metadata.groupDelta.newGroup.name target.group.group_display_name
    protoPayload.metadata.groupDelta.action target.group.attribute.labels[metadata_group_delta_action]
    protoPayload.response.spec.template.metadata.labels.client.knative.dev/nonce target.resource.attribute.labels[res_spec_template_metadata_nonce]
    protoPayload.response.spec.template.metadata.annotations.run.googleapis.com/client-name target.resource.attribute.labels[res_spec_template_metadata_client_name]
    protoPayload.response.spec.template.metadata.annotations.run.googleapis.com/client-version target.resource.attribute.labels[res_spec_template_metadata_client_version]
    protoPayload.response.spec.template.metadata.annotations.run.googleapis.com/execution-environment target.resource.attribute.labels[res_spec_template_metadata_exection_environment]
    protoPayload.response.spec.template.spec.taskCount target.resource.attribute.labels[res_spec_template_spec_taskcount]
    protoPayload.response.spec.template.spec.template.spec.containers.image target.resource_ancestors.attribute.labels[res_spec_template_spec_template_spec_container_image]
    protoPayload.response.spec.template.spec.template.spec.containers.resources.limits.memory target.resource_ancestors.attribute.labels[res_spec_template_spec_template_spec_container_resource_limits_memory]
    protoPayload.response.spec.template.spec.template.spec.containers.resources.limits.cpu target.resource_ancestors.attribute.labels[res_spec_template_spec_template_spec_container_resource_limits_cpu]
    protoPayload.response.spec.template.spec.template.spec.maxRetries target.resource.attribute.labels[res_spec_template_spec_template_spec_max_retries]
    protoPayload.response.spec.template.spec.template.spec.timeoutSeconds target.resource.attribute.labels[res_spec_template_spec_template_spec_timeout_seconds]
    protoPayload.response.spec.template.spec.template.spec.serviceAccountName principal.user.email_addresses
    protoPayload.request.service.metadata.annotations.run.googleapis.com/client-name target.resource_ancestors.attribute.labels[req_service_metadata_client_name]
    protoPayload.request.service.metadata.annotations.serving.knative.dev/creator target.resource_ancestors.attribute.labels[req_service_metadata_creator]
    protoPayload.request.service.metadata.annotations.run.googleapis.com/client-version target.resource_ancestors.attribute.labels[req_service_metadata_client_version]
    protoPayload.request.service.metadata.annotations.run.googleapis.com/operation-id target.resource_ancestors.attribute.labels[req_service_metadata_client_operation_id]
    protoPayload.request.service.metadata.annotations.run.googleapis.com/binary-authorization target.resource_ancestors.attribute.labels[req_service_metadata_binary_authorization]
    protoPayload.request.service.metadata.annotations.run.googleapis.com/ingress-status target.resource_ancestors.attribute.labels[req_service_metadata_client_ingress_status]
    protoPayload.request.service.metadata.annotations.serving.knative.dev/lastModifier target.resource_ancestors.attribute.labels[req_service_metadata_last_modifier]
    protoPayload.request.service.metadata.annotations.run.googleapis.com/ingress target.resource_ancestors.attribute.labels[req_service_metadata_ingress]
    protoPayload.request.service.spec.template.metadata.annotations.run.googleapis.com/client-name target.resource_ancestors.attribute.labels[req_service_spec_template_metadata_client_name]
    protoPayload.request.service.spec.template.metadata.annotations.run.googleapis.com/client-version target.resource_ancestors.attribute.labels[req_service_spec_template_metadata_client_version]
    protoPayload.request.service.spec.template.metadata.annotations.autoscaling.knative.dev/maxScale target.resource_ancestors.attribute.labels[req_service_spec_template_metadata_max_scale]
    protoPayload.request.New Data target.resource_ancestors.attribute.labels[req_new_data]
    protoPayload.response.Original Data target.resource_ancestors.attribute.labels[req_original_data]
    protoPayload.response.spec.template.spec.containers.securityContext.runAsUser target.resource_ancestors.attribute.labels[res_spec_template_spec_containers_securitycontext_run_as_user]
    protoPayload.request.timestampRange.startTime target.resource.attribute.labels[timestamp_range_start_time]
    protoPayload.request.timestampRange.endTime target.resource.attribute.labels[timestamp_range_end_time]
    protoPayload.request.regexSearch target.resource.attribute.labels[request_regex_search]
    protoPayload.request.productSources target.resource.attribute.labels[request_product_sources]
    protoPayload.request.query target.resource.attribute.labels[request_query]
    protoPayload.request.caseSensitive target.resource.attribute.labels[request_case_sensitive]
    protoPayload.request.baselineQuery target.resource.attribute.labels[baseline_query]
    protoPayload.request.baselineTimeRange.startTime target.resource.attribute.labels[baseline_time_range_start_time]
    protoPayload.request.baselineTimeRange.endTime target.resource.attribute.labels[baseline_time_range_end_time]
    protoPayload.response.serviceConfig.timeoutSeconds target.resource.attribute.labels[response_service_config_timeout_seconds]
    labels.execution_id additional.fields[execution_id]
    labels.instance_id additional.fields[instance_id]
    labels.runtime_version additional.fields[runtime_version]
    protoPayload.metadata.updatedGrant.requester principal.user.userid If the protoPayload.serviceName log field value is equal to privilegedaccessmanager.googleapis.com, then the protoPayload.metadata.updatedGrant.requester log field is mapped to the principal.user.userid UDM field.
    protoPayload.metadata.updatedGrant.requestedDuration target.resource.attribute.labels[requestedDuration] If the protoPayload.serviceName log field value is equal to privilegedaccessmanager.googleapis.com, then the protoPayload.metadata.updatedGrant.requestedDuration log field is mapped to the target.resource.attribute.labels UDM field.
    protoPayload.metadata.updatedGrant.justification.unstructuredJustification target.resource.attribute.labels[justification] If the protoPayload.serviceName log field value is equal to privilegedaccessmanager.googleapis.com, then the protoPayload.metadata.updatedGrant.justification.unstructuredJustification log field is mapped to the target.resource.attribute.labels UDM field.
    protoPayload.metadata.updatedGrant.privilegedAccess.gcpIamAccess.roleBindings.role target.resource.attribute.roles.name If the protoPayload.serviceName log field value is equal to privilegedaccessmanager.googleapis.com, then the protoPayload.metadata.updatedGrant.privilegedAccess.gcpIamAccess.roleBindings.role log field is mapped to the target.resource.attribute.roles.name UDM field.
    protoPayload.metadata.updatedGrant.privilegedAccess.gcpIamAccess.resourceType target.resource.attribute.labels[resourceType] If the protoPayload.serviceName log field value is equal to privilegedaccessmanager.googleapis.com, then the protoPayload.metadata.updatedGrant.privilegedAccess.gcpIamAccess.resourceType log field is mapped to the target.resource.attribute.labels UDM field.
    protoPayload.metadata.updatedGrant.privilegedAccess.gcpIamAccess.resource target.resource.attribute.labels[resource] If the protoPayload.serviceName log field value is equal to privilegedaccessmanager.googleapis.com, then the protoPayload.metadata.updatedGrant.privilegedAccess.gcpIamAccess.resource log field is mapped to the target.resource.attribute.labels UDM field.
    protoPayload.metadata.updatedGrant.state target.resource.attribute.labels[state] If the protoPayload.serviceName log field value is equal to privilegedaccessmanager.googleapis.com, then the protoPayload.metadata.updatedGrant.state log field is mapped to the target.resource.attribute.labels UDM field.
    protoPayload.metadata.jobInsertion.job.jobConfig.labels.looker_studio_report_id target.resource.attribute.labels[job_insertion_looker_studio_report_id] If the protoPayload.serviceName log field value is equal to privilegedaccessmanager.googleapis.com, then the protoPayload.metadata.jobInsertion.job.jobConfig.labels.looker_studio_report_id log field is mapped to the target.resource.attribute.labels UDM field.
    protoPayload.metadata.jobInsertion.job.jobConfig.labels.requestor target.resource.attribute.labels[job_insertion_requestor] If the protoPayload.serviceName log field value is equal to privilegedaccessmanager.googleapis.com, then the protoPayload.metadata.jobInsertion.job.jobConfig.labels.requestor log field is mapped to the target.resource.attribute.labels UDM field.
    protoPayload.metadata.jobInsertion.job.jobConfig.labels.looker_studio_datasource_id target.resource.attribute.labels[job_insertion_looker_studio_datasource_id] If the protoPayload.serviceName log field value is equal to privilegedaccessmanager.googleapis.com, then the protoPayload.metadata.jobInsertion.job.jobConfig.labels.looker_studio_datasource_id log field is mapped to the target.resource.attribute.labels UDM field.
    protoPayload.response.displayName security_result.associations.name If the protoPayload.response.displayName log field value is not empty, then the protoPayload.response.displayName log field is mapped to the security_result.associations.name UDM field.
    protoPayload.request.referenceList.displayName security_result.associations.name If the protoPayload.response.displayName log field value is empty, then the protoPayload.request.referenceList.displayName log field is mapped to the security_result.associations.name UDM field.
    protoPayload.resourceName security_result.detection_fields[rule_id] If the protoPayload.resourceName log field value is not empty and the protoPayload.response.@type log field value is type.googleapis.com/google.cloud.chronicle.v1alpha.Rule, then new_rule_id is extracted from the protoPayload.resourceName log field using a Grok pattern, and mapped to the security_result.detection_fields[rule_id] UDM field.
    protoPayload.request.projection target.resource.attribute.labels[req_projection]
    protoPayload.response.items.metageneration target.resource.attribute.labels[res_items_metageneration]
    protoPayload.response.items.labels.created_date target.resource.attribute.labels[res_items_labels_created_date]
    protoPayload.response.items.labels.team_email target.resource.attribute.labels[res_items_labels_team_email]
    protoPayload.response.items.labels.team_name target.resource.attribute.labels[res_items_labels_team_name]
    protoPayload.response.items.labels.office_number target.resource.attribute.labels[res_items_labels_official_number]
    protoPayload.response.items.labels.department target.resource.attribute.labels[res_items_labels_department]
    protoPayload.response.items.labels.business_project_number target.resource.attribute.labels[res_items_labels_business_project_number]
    protoPayload.response.items.labels.owner_email target.resource.attribute.labels[res_items_labels_owner_email]
    protoPayload.response.items.labels.purchase_order_number target.resource.attribute.labels[res_items_labels_purchase_order_number]
    protoPayload.response.items.labels.office_name target.resource.attribute.labels[res_items_labels_office_name]
    protoPayload.response.items.labels.environment target.resource.attribute.labels[res_items_labels_environment]
    protoPayload.response.items.labels.created_by target.resource.attribute.labels[res_items_labels_created_by]
    protoPayload.response.items.labels.project_name target.resource.attribute.labels[res_items_labels_project_name]
    protoPayload.response.items.labels.finops_tag target.resource.attribute.labels[res_items_labels_finops_tag]
    protoPayload.response.items.labels.owner_role target.resource.attribute.labels[res_items_labels_owner_role]
    protoPayload.response.items.versioning.enabled target.resource.attribute.labels[res_items_versioning_enabled]
    protoPayload.response.items.iamConfiguration.publicAccessPrevention target.resource.attribute.labels[res_items_iam_conf_public_access_prevention]
    protoPayload.response.items.iamConfiguration.uniformBucketLevelAccess.lockedTime target.resource.attribute.labels[res_items_iam_conf_uniform_bucket_level_access_locked_time]
    protoPayload.response.items.iamConfiguration.uniformBucketLevelAccess.enabled target.resource.attribute.labels[res_items_iam_conf_uniform_bucket_level_access_enabled]
    protoPayload.response.items.id target.resource.attribute.labels[res_items_id]
    protoPayload.response.items.updated target.resource.attribute.labels[res_items_updated]
    protoPayload.response.items.storageClass target.resource.attribute.labels[res_items_storage_class]
    protoPayload.response.items.timeCreated target.resource.attribute.labels[res_items_time_created]
    protoPayload.response.items.location target.resource.attribute.labels[res_items_location]
    protoPayload.response.items.locationType target.resource.attribute.labels[res_items_location_type]
    protoPayload.response.items.projectNumber target.resource.attribute.labels[res_items_project_number]
    protoPayload.response.items.name target.resource.attribute.labels[res_items_name]
    protoPayload.response.items.softDeletePolicy.effectiveTime target.resource.attribute.labels[res_items_soft_delete_policy_effective_time]
    protoPayload.response.items.softDeletePolicy.retentionDurationSeconds target.resource.attribute.labels[res_items_soft_delete_policy_retention_duration_seconds]
    protoPayload.response.items.etag target.resource.attribute.labels[res_items_etag]
    protoPayload.response.code network.http.response_code
    protoPayload.response.reason additional.fields[res_reason]
    protoPayload.request.spec.template.spec.containers.securityContext.runAsUser target.resource.attribute.labels[req_spec_template_spec_containers_securitycontext_run_as_user]

    What's next

    Need more help? Get answers from Community members and Google SecOps professionals.