Recopilar registros de Google Chrome
En este documento, se describe cómo puedes recopilar registros de Chrome configurando un feed de Google Security Operations y cómo los campos de registro se asignan a los campos del Modelo de datos unificados (UDM) de Chrome.
Para obtener más información, consulta Transferencia de datos a Google SecOps.
Descripción general
Una implementación típica consiste en ChromeOS y el navegador Chrome configurados para enviar registros a Google SecOps. Cada implementación de cliente puede ser diferente y más compleja. La implementación consta de los siguientes componentes:
Chrome: Es el registro del dispositivo ChromeOS que deseas recopilar.
Google Workspace: Es la plataforma de Google Workspace en la que se recopilan registros.
Feed de Google SecOps: Es el feed de Google SecOps que recupera registros de Google Workspace y los escribe en Google SecOps.
Google SecOps: Retiene y analiza los registros de Chrome.
Una etiqueta de transferencia identifica el analizador que normaliza los datos de registro sin procesar en formato UDM estructurado.
La información de este documento se aplica al analizador con la etiqueta de transferencia CHROME_MANAGEMENT.
Antes de comenzar
Asegúrate de usar la edición de Google Workspace Business Standard.
Asegúrate de tener una cuenta de administrador de Google Workspace.
Asegúrate de que todos los sistemas en la arquitectura de implementación estén configurados en la zona horaria UTC.
Si creas usuarios que usan la identidad de la cuenta de servicio, otorga los siguientes privilegios a los usuarios usando la Consola del administrador:
- Privilegios > Informes
- Privilegios > Servicios > Centro de alertas > Acceso completo > Acceso de lectura
- Privilegios > Servicios > Administración de dispositivos móviles > Administrar dispositivos y configuración
- Privilegios > Servicios > Administración de Chrome > Configuración
- API de administrador > Privilegios > Usuarios > Lectura
- API de Admin > Privilegios > Grupos > Leído
Configura la Administración en la nube para el navegador Chrome
A continuación, se indican los pasos de alto nivel para configurar la Administración en la nube para el navegador Chrome:
Sigue los pasos que se indican a continuación para configurar la Administración en la nube para el navegador Chrome.
En la Consola del administrador, haz clic en Menú > Dispositivos > Chrome > Navegadores administrados.
Opcional: Selecciona la organización de nivel superior o elige la organización unidad en la que se quiera generar un token que inscriba los navegadores directamente en esa en una unidad organizativa específica. Para obtener más información, consulta Cómo agregar una unidad organizativa.
Haz clic en Inscribirse. Si esta es tu primera inscripción de navegador, Se le solicitará que acepte las Condiciones del Servicio de la Administración en la nube para el navegador Chrome (CBCM).
Haz clic en Copiar el token de inscripción en el portapapeles.
Para inscribir los navegadores Chrome administrados en la nube, haz clic en Listo.
En la Consola del administrador, ve a Menú > Dispositivos > Chrome > Configuración > Usuarios y navegadores. Selecciona tu unidad organizativa de nivel superior para que todas las organizaciones secundarias hereden la política. Desplázate hacia abajo hasta Informes de navegadores.
Configura Informes de navegadores administrados como Habilitar los informes en la nube del navegadores administrados.
Para activar los informes del navegador Chrome, haz clic en Guardar.
En la Consola del administrador, ve a Menú > Dispositivos > Chrome > Conectores.
Opcional: Si configuras Chrome Enterprise Connectors por primera vez, sigue las indicaciones para activar Chrome Enterprise Connectors.
En la parte superior, haz clic en + Configuración de proveedor nuevo.
En el panel que aparece a la derecha, busca la configuración de Google SecOps y haz clic en Configurar.
Ingresa el ID de configuración y la Clave de API.
ID de configuración: el ID que se muestra en la columna ID de usuario y de navegadores y en la página Conectores.
Clave de API: Es la clave de API que se debe especificar cuando se llama a la API de inyección de Google SecOps para identificar al cliente.
Para agregar una nueva configuración de proveedor, haz clic en Agregar configuración.
Tipos de registros y modelos de datos admitidos
A continuación, se incluyen los tipos y eventos de registros que se admiten en la Administración de Chrome. Todos los tipos y eventos de registro admitidos están en formato JSON.
| Tipo de registro | Tipo de evento |
|---|---|
| Actividad maliciosa |
|
| Actividad de auditoría |
|
| Protección de datos |
|
| Chrome OS |
|
Referencia de la asignación de campos
En esta sección, se explica cómo el analizador de Google SecOps asigna los campos de registro de Chrome a los campos del Modelo de datos unificado (UDM) de Google SecOps para los conjuntos de datos.
Referencia de asignación de campos: identificador de eventos a tipo de evento
En la siguiente tabla, se indican los tipos de registro CHROME_MANAGEMENT y sus tipos de eventos de UDM correspondientes.
| Event Identifier | Event Type | Security Category |
|---|---|---|
badNavigationEvent - SOCIAL_ENGINEERING |
USER_RESOURCE_ACCESS |
SOCIAL_ENGINEERING |
badNavigationEvent - SSL_ERROR |
USER_RESOURCE_ACCESS |
NETWORK_SUSPICIOUS |
badNavigationEvent - MALWARE |
USER_RESOURCE_ACCESS |
SOFTWARE_MALICIOUS |
badNavigationEvent - UNWANTED_SOFTWARE |
USER_RESOURCE_ACCESS |
SOFTWARE_PUA |
badNavigationEvent - THREAT_TYPE_UNSPECIFIED |
USER_RESOURCE_ACCESS |
SOFTWARE_MALICIOUS |
browserCrashEvent |
STATUS_UPDATE |
|
browserExtensionInstallEvent |
USER_RESOURCE_UPDATE_CONTENT |
|
Extension install - BROWSER_EXTENSION_INSTALL |
USER_RESOURCE_UPDATE_CONTENT |
|
EXTENSION_REQUEST |
USER_UNCATEGORIZED |
|
CHROME_OS_ADD_USER - CHROMEOS_AFFILIATED_USER_ADDED |
USER_CREATION |
|
CHROME_OS_ADD_USER - CHROMEOS_UNAFFILIATED_USER_ADDED |
USER_CREATION |
|
ChromeOS user added - CHROMEOS_UNAFFILIATED_USER_ADDED |
USER_CREATION |
|
ChromeOS user removed - CHROMEOS_UNAFFILIATED_USER_REMOVED |
USER_DELETION |
|
CHROME_OS_REMOVE_USER - CHROMEOS_AFFILIATED_USER_REMOVED |
USER_DELETION |
|
CHROME_OS_REMOVE_USER - CHROMEOS_UNAFFILIATED_USER_REMOVED |
USER_DELETION |
|
Login events |
USER_LOGIN |
|
LOGIN_EVENT - CHROMEOS_UNAFFILIATED_LOGIN |
USER_LOGIN |
|
loginEvent |
USER_LOGIN |
|
ChromeOS login success |
USER_LOGIN |
|
CHROME_OS_LOGIN_EVENT - CHROMEOS_AFFILIATED_LOGIN |
USER_LOGIN |
|
CHROME_OS_LOGIN_EVENT - CHROMEOS_UNAFFILIATED_LOGIN |
USER_LOGIN |
|
CHROME_OS_LOGIN_EVENT - CHROMEOS_GUEST_LOGIN |
USER_LOGIN |
|
CHROME_OS_LOGIN_EVENT - CHROMEOS_KIOSK_SESSION_LOGIN |
USER_LOGIN |
|
CHROME_OS_LOGIN_EVENT - CHROMEOS_GUEST_SESSION_LOGIN |
USER_LOGIN |
|
CHROME_OS_LOGIN_EVENT - CHROMEOS_MANAGED_GUEST_SESSION_LOGIN |
USER_LOGIN |
|
ChromeOS login failure - CHROMEOS_AFFILIATED_LOGIN |
USER_LOGIN |
|
CHROME_OS_LOGIN_FAILURE_EVENT - CHROMEOS_AFFILIATED_LOGIN |
USER_LOGIN |
|
CHROME_OS_LOGIN_FAILURE_EVENT - CHROMEOS_UNAFFILIATED_LOGIN |
USER_LOGIN |
|
CHROME_OS_LOGIN_LOGOUT_EVENT - CHROMEOS_AFFILIATED_LOGIN |
USER_LOGIN |
|
CHROME_OS_LOGOUT_EVENT - CHROMEOS_AFFILIATED_LOGOUT |
USER_LOGOUT |
|
CHROME_OS_LOGOUT_EVENT - CHROMEOS_GUEST_LOGOUT |
USER_LOGOUT |
|
CHROME_OS_LOGOUT_EVENT - CHROMEOS_MANAGED_GUEST_SESSION_LOGOUT |
USER_LOGOUT |
|
CHROME_OS_LOGOUT_EVENT - CHROMEOS_UNAFFILIATED_LOGOUT |
USER_LOGOUT |
|
CHROME_OS_LOGOUT_EVENT - CHROMEOS_KIOSK_SESSION_LOGOUT |
USER_LOGOUT |
|
CHROME_OS_LOGOUT_EVENT - CHROMEOS_GUEST_SESSION_LOGOUT |
USER_LOGOUT |
|
ChromeOS logout - CHROMEOS_AFFILIATED_LOGOUT |
USER_LOGOUT |
|
CHROME_OS_REPORTING_DATA_LOST |
STATUS_UPDATE |
|
ChromeOS CRD client connected - CHROMEOS_CRD_CLIENT_CONNECTED |
USER_LOGIN |
|
ChromeOS CRD client disconnected |
USER_LOGOUT |
|
CHROME_OS_CRD_HOST_STARTED - CHROMEOS_CRD_HOST_STARTED |
STATUS_STARTUP |
|
ChromeOS CRD host started - CHROMEOS_CRD_HOST_STARTED |
STATUS_STARTUP |
|
ChromeOS CRD host stopped - CHROMEOS_CRD_HOST_ENDED |
STATUS_STARTUP |
|
ChromeOS device boot state change - CHROME_OS_VERIFIED_MODE |
SETTING_MODIFICATION |
|
ChromeOS device boot state change - CHROME_OS_DEV_MODE |
SETTING_MODIFICATION |
|
DEVICE_BOOT_STATE_CHANGE - CHROME_OS_VERIFIED_MODE |
SETTING_MODIFICATION |
|
ChromeOS lock success - CHROMEOS_AFFILIATED_LOCK_SUCCESS |
USER_LOGOUT |
|
ChromeOS unlock success - CHROMEOS_AFFILIATED_UNLOCK_SUCCESS |
USER_LOGIN |
|
ChromeOS unlock failure - CHROMEOS_AFFILIATED_LOGIN |
USER_LOGIN |
|
ChromeOS USB device added - CHROMEOS_PERIPHERAL_ADDED |
USER_RESOURCE_ACCESS |
|
ChromeOS USB device removed - CHROMEOS_PERIPHERAL_REMOVED |
USER_RESOURCE_DELETION |
|
ChromeOS USB status change - CHROMEOS_PERIPHERAL_STATUS_UPDATED |
USER_RESOURCE_UPDATE_CONTENT |
|
CHROMEOS_PERIPHERAL_STATUS_UPDATED - CHROMEOS_PERIPHERAL_STATUS_UPDATED |
USER_RESOURCE_UPDATE_CONTENT |
|
Client Side Detection |
USER_UNCATEGORIZED |
|
Content transfer |
SCAN_FILE |
|
CONTENT_TRANSFER |
SCAN_FILE |
|
contentTransferEvent |
SCAN_FILE |
|
Content unscanned |
SCAN_UNCATEGORIZED |
|
CONTENT_UNSCANNED |
SCAN_UNCATEGORIZED |
|
dataAccessControlEvent |
USER_RESOURCE_ACCESS |
|
dangerousDownloadEvent - Dangerous |
SCAN_FILE |
SOFTWARE_PUA |
dangerousDownloadEvent - DANGEROUS_HOST |
SCAN_HOST |
|
dangerousDownloadEvent - UNCOMMON |
SCAN_UNCATEGORIZED |
|
dangerousDownloadEvent - POTENTIALLY_UNWANTED |
SCAN_UNCATEGORIZED |
SOFTWARE_PUA |
dangerousDownloadEvent - UNKNOWN |
SCAN_UNCATEGORIZED |
|
dangerousDownloadEvent - DANGEROUS_URL |
SCAN_UNCATEGORIZED |
|
dangerousDownloadEvent - UNWANTED_SOFTWARE |
SCAN_FILE |
SOFTWARE_PUA |
dangerousDownloadEvent - DANGEROUS_FILE_TYPE |
SCAN_FILE |
SOFTWARE_MALICIOUS |
Desktop DLP Warnings |
USER_UNCATEGORIZED |
|
DLP_EVENT |
USER_UNCATEGORIZED |
|
interstitialEvent - Malware |
NETWORK_HTTP |
NETWORK_SUSPICIOUS |
IOS/OSX Warnings |
SCAN_UNCATEGORIZED |
|
Malware transfer - MALWARE_TRANSFER_DANGEROUS |
SCAN_FILE |
SOFTWARE_MALICIOUS |
MALWARE_TRANSFER - MALWARE_TRANSFER_UNCOMMON |
SCAN_FILE |
SOFTWARE_MALICIOUS |
MALWARE_TRANSFER - MALWARE_TRANSFER_DANGEROUS |
SCAN_FILE |
SOFTWARE_MALICIOUS |
MALWARE_TRANSFER - MALWARE_TRANSFER_UNWANTED_SOFTWARE |
SCAN_FILE |
SOFTWARE_MALICIOUS |
MALWARE_TRANSFER - MALWARE_TRANSFER_UNKNOWN |
SCAN_FILE |
SOFTWARE_MALICIOUS |
MALWARE_TRANSFER - MALWARE_TRANSFER_DANGEROUS_HOST |
SCAN_FILE |
SOFTWARE_MALICIOUS |
malwareTransferEvent - DANGEROUS |
SCAN_FILE |
SOFTWARE_MALICIOUS |
malwareTransferEvent - UNSPECIFIED |
SCAN_FILE |
SOFTWARE_MALICIOUS |
Password breach |
USER_RESOURCE_ACCESS |
|
PASSWORD_BREACH |
USER_RESOURCE_ACCESS |
|
passwordBreachEvent - PASSWORD_ENTRY |
USER_RESOURCE_ACCESS |
|
Password changed |
USER_CHANGE_PASSWORD |
|
PASSWORD_CHANGED |
USER_CHANGE_PASSWORD |
|
passwordChangedEvent |
USER_CHANGE_PASSWORD |
|
Password reuse - PASSWORD_REUSED_UNAUTHORIZED_SITE |
USER_RESOURCE_ACCESS |
POLICY_VIOLATION, AUTH_VIOLATION |
Password reuse - PASSWORD_REUSED_PHISHING_URL |
USER_UNCATEGORIZED |
PHISHING |
PASSWORD_REUSE - PASSWORD_REUSED_UNAUTHORIZED_SITE |
USER_RESOURCE_ACCESS |
POLICY_VIOLATION, AUTH_VIOLATION |
passwordReuseEvent - Unauthorized site |
USER_RESOURCE_ACCESS |
POLICY_VIOLATION, AUTH_VIOLATION |
passwordReuseEvent - PASSWORD_REUSED_PHISHING_URL |
USER_UNCATEGORIZED |
PHISHING |
passwordReuseEvent - PASSWORD_REUSED_UNAUTHORIZED_SITE |
USER_RESOURCE_ACCESS |
POLICY_VIOLATION, AUTH_VIOLATION |
Permissions Blacklisting |
RESOURCE_PERMISSIONS_CHANGE |
|
Sensitive data transfer |
SCAN_FILE |
DATA_EXFILTRATION |
SENSITIVE_DATA_TRANSFER |
SCAN_FILE |
DATA_EXFILTRATION |
sensitiveDataEvent - [test_user_5] warn |
SCAN_FILE |
DATA_EXFILTRATION |
sensitiveDataTransferEvent |
SCAN_FILE |
DATA_EXFILTRATION |
Unsafe site visit - UNSAFE_SITE_VISIT_SSL_ERROR |
USER_RESOURCE_ACCESS |
NETWORK_SUSPICIOUS |
UNSAFE_SITE_VISIT - UNSAFE_SITE_VISIT_MALWARE |
USER_RESOURCE_ACCESS |
SOFTWARE_MALICIOUS |
UNSAFE_SITE_VISIT - UNSAFE_SITE_VISIT_UNWANTED_SOFTWARE |
USER_RESOURCE_ACCESS |
SOFTWARE_SUSPICIOUS |
UNSAFE_SITE_VISIT - EVENT_REASON_UNSPECIFIED |
USER_RESOURCE_ACCESS |
|
UNSAFE_SITE_VISIT - UNSAFE_SITE_VISIT_SOCIAL_ENGINEERING |
USER_RESOURCE_ACCESS |
SOCIAL_ENGINEERING |
UNSAFE_SITE_VISIT - UNSAFE_SITE_VISIT_SSL_ERROR |
USER_RESOURCE_ACCESS |
NETWORK_SUSPICIOUS |
unscannedFileEvent - FILE_PASSWORD_PROTECTED |
SCAN_FILE |
|
unscannedFileEvent - FILE_TOO_LARGE |
SCAN_FILE |
|
urlFilteringInterstitialEvent |
USER_RESOURCE_ACCESS |
POLICY_VIOLATION |
Referencia de asignación de campos: CHROME_MANAGEMENT
En la siguiente tabla, se enumeran los campos de registro del tipo de registro CHROME_MANAGEMENT y sus campos UDM correspondientes.
| Log field | UDM mapping | Logic |
|---|---|---|
id.customerId |
about.resource.product_object_id |
|
event_detail |
metadata.description |
|
time |
metadata.event_timestamp |
|
events.parameters.name [TIMESTAMP] |
metadata.event_timestamp |
|
event |
metadata.product_event_type |
|
events.name |
metadata.product_event_type |
|
id.uniqueQualifier |
metadata.product_log_id |
|
|
metadata.product_name |
The metadata.product_name UDM field is set to Chrome Management. |
id.applicationName |
|
|
|
metadata.vendor_name |
The metadata.vendor_name UDM field is set to GOOGLE. |
user_agent |
network.http.user_agent |
|
userAgent |
network.http.user_agent |
|
events.parameters.name [USER_AGENT] |
network.http.user_agent |
|
events.parameters.name [SESSION_ID] |
network.session_id |
|
client_type |
principal.application |
|
clientType |
principal.application |
|
events.parameters.name [CLIENT_TYPE] |
principal.application |
|
device_id |
principal.asset.product_object_id |
|
deviceId |
principal.asset.product_object_id |
|
events.parameters.name [DEVICE_ID] |
principal.asset.product_object_id |
|
device_name |
principal.hostname |
|
deviceName |
principal.hostname |
|
events.parameters.name [DEVICE_NAME] |
principal.hostname |
|
os_plarform |
principal.platform |
The principal.platform UDM field is set to one of the following values:
Else, if the os_plarform log field value is not empty and osVersion log field value is not empty, then the os_plarform osVersion log field is mapped to the principal.platform_version UDM field. |
os_platform |
principal.platform |
The principal.platform UDM field is set to one of the following values:
Else, if the os_platform log field value is not empty and osVersion log field value is not empty, then the os_platform osVersion log field is mapped to the principal.platform_version UDM field. |
osPlatform |
principal.platform |
The principal.platform UDM field is set to one of the following values:
Else, if the osPlatform log field value is not empty and osVersion log field value is not empty, then the osPlatform osVersion log field is mapped to the principal.platform_version UDM field. |
events.parameters.name [DEVICE_PLATFORM] |
principal.platform |
The os_platform and os_version is extracted from the events.parameters.name [DEVICE_PLATFORM] log field using Grok pattern.The principal.platform UDM field is set to one of the following values:
Else, if the os_platform log field value is not empty and osVersion log field value is not empty, then the os_platform osVersion log field is mapped to the principal.platform_version UDM field. |
os_version |
principal.platform_version |
|
osVersion |
principal.platform_version |
|
events.parameters.name [DEVICE_PLATFORM] |
principal.platform_version |
The Version is extracted from the events.parameters.name [DEVICE_PLATFORM] log field using Grok pattern. |
device_id |
principal.resource.id |
|
deviceId |
principal.resource.id |
|
events.parameters.name [DEVICE_ID] |
principal.resource.id |
|
directory_device_id |
principal.resource.product_object_id |
|
events.parameters.name [DIRECTORY_DEVICE_ID] |
principal.resource.product_object_id |
|
|
principal.resource.resource_subtype |
If the event log field value is equal to CHROMEOS_PERIPHERAL_STATUS_UPDATED, then the principal.resource.resource_subtype UDM field is set to USB.Else, if the events.name log field value is equal to CHROMEOS_PERIPHERAL_STATUS_UPDATED, then the principal.resource.resource_subtype UDM field is set to USB. |
|
principal.resource.resource_type |
If the device_id log field value is not empty, then the principal.resource.resource_type UDM field is set to DEVICE. |
actor.email |
principal.user.email_addresses |
|
actor.profileId |
principal.user.userid |
|
result |
security_result.action_details |
|
events.parameters.name [EVENT_RESULT] |
security_result.action_details |
|
event_result |
security_result.action_details |
|
|
security_result.action |
The security_result.action UDM field is set to one of the following values:
|
reason |
security_result.category_details |
|
events.parameters.name [EVENT_REASON] |
security_result.category_details |
|
events.parameters.name [LOGIN_FAILURE_REASON] |
security_result.description |
|
events.parameters.name [REMOVE_USER_REASON] |
security_result.description |
If the events.name log field value is equal to CHROME_OS_REMOVE_USER, then the events.parameters.namethe log field is mapped to the security_result.description UDM field. |
triggered_rules |
security_result.rule_name |
|
events.type |
security_result.summary |
|
events.parameters.name [PRODUCT_NAME] |
target.application |
If the events.name log field value contains one of the following values, then the events.parameters.name [PRODUCT_NAME] log field is mapped to the target.resource.name UDM field:
|
content_name |
target.file.full_path |
|
contentName |
target.file.full_path |
|
events.parameters.name [CONTENT_NAME] |
target.file.full_path |
|
content_type |
target.file.mime_type |
|
contentType |
target.file.mime_type |
|
events.parameters.name [CONTENT_TYPE] |
target.file.mime_type |
|
content_hash |
target.file.sha256 |
|
events.parameters.name [CONTENT_HASH] |
target.file.sha256 |
|
content_size |
target.file.size |
|
contentSize |
target.file.size |
|
events.parameters.name [CONTENT_SIZE] |
target.file.size |
|
|
target.file.file_type |
The fileType is extracted from the content_name log field usign Grok pattern, Then target.file.file_type UDM field is set to one of the following values:
|
extension_id |
target.resource.product_object_id |
|
events.parameters.name [APP_ID] |
target.resource.product_object_id |
|
extension_name |
target.resource.name |
If the event log field value is equal to badNavigationEvent or the |
events.parameters.name [APP_NAME] |
target.resource.name |
|
url |
target.url |
|
events.parameters.name [URL] |
target.url |
|
device_user |
target.user.userid |
|
deviceUser |
target.user.userid |
|
events.parameters.name [DEVICE_USER] |
target.user.userid |
|
scan_id |
about.labels [scan_id] |
|
events.parameters.name [CONNECTION_TYPE] |
about.labels [connection_type] |
|
etag |
about.labels [etag] |
|
kind |
about.labels [kind] |
|
actor.key |
principal.user.attribute.labels [actor_key] |
|
actor.callerType |
principal.user.attribute.labels [actor_callerType] |
|
events.parameters.name [EVIDENCE_LOCKER_FILEPATH] |
security_result.about.labels [evidence_locker_filepath] |
|
federated_origin |
security_result.about.labels [federated_origin] |
|
is_federated |
security_result.about.labels [is_federated] |
|
destination |
security_result.about.labels [trigger_destination] |
|
events.parameters.name [TRIGGER_DESTINATION] |
security_result.about.labels [trigger_destination] |
|
source |
security_result.about.labels [trigger_source] |
|
events.parameters.name [TRIGGER_SOURCE] |
security_result.about.labels [trigger_source] |
|
trigger_type |
security_result.about.labels [trigger_type] |
|
triggerType |
security_result.about.labels [trigger_type] |
|
events.parameters.name [TRIGGER_TYPE] |
security_result.about.labels [trigger_type] |
|
trigger_user |
security_result.about.labels [trigger_user] |
|
events.parameters.name [TRIGGER_USER] |
security_result.about.labels [trigger_user] |
|
events.parameters.name [MALWARE_CATEGORY] |
security_result.threat_name |
|
events.parameters.name [MALWARE_FAMILY] |
security_result.detection_fields [malware_family] |
|
events.parameters.name [VENDOR_ID] |
src.labels [vendor_id] |
|
events.parameters.name [VENDOR_NAME] |
src.labels [vendor_name] |
|
events.parameters.name [VIRTUAL_DEVICE_ID] |
src.labels [virtual_device_id] |
|
events.parameters.name [NEW_BOOT_MODE] |
target.asset.attribute.labels [new_boot_mode] |
|
events.parameters.name [PREVIOUS_BOOT_MODE] |
target.asset.attribute.labels [previous_boot_mode] |
|
id.time |
target.asset.attribute.labels [timestamp] |
|
events.parameters.name [PRODUCT_ID] |
target.labels [product_id] |
If the events.name log field value contains one of the following values, then the events.parameters.name [PRODUCT_ID] log field is mapped to the target.resource.product_object_id UDM field:
Else, the events.parameters.name [PRODUCT_ID] log field is mapped to the target.labels UDM field. |
|
extensions.auth.mechanism |
If the events.name log field value contains one of the following values, then the extensions.auth.mechanism UDM field is set to USERNAME_PASSWORD:
|
events.parameters.name [UNLOCK_TYPE] |
target.labels [unlock_type] |
|
extension_description |
target.resource.attribute.labels [extension_description] |
|
extension_action |
target.resource.attribute.labels [extension_action] |
|
extension_version |
target.resource.attribute.labels [extension_version] |
|
extension_source |
target.resource.attribute.labels [extension_source] |
|
browser_version |
target.resource.attributes.labels [browser_version] |
|
browserVersion |
target.resource.attributes.labels [browser_version] |
|
events.parameters.name [BROWSER_VERSION] |
target.resource.attributes.labels [browser_version] |
|
profile_user |
principal.user.email_addresses |
If the profile_user log field value is matched with regular expression pattern ^.+@.+$, then the profile_user log field is mapped to the principal.user.email_addresses UDM field.Else, the profile_user log field is mapped to the principal.user.user_display_name UDM field. |
events.parameters.name [PROFILE_USER_NAME] |
target.user.user_display_name |
|
|
target.resource.resource_type |
If the events.name log field value is equal to DEVICE_BOOT_STATE_CHANGE, then the target.resource.resource_type UDM field is set to SETTING. |
url_category |
target.labels [url_category] |
|
browser_channel |
target.resource.attribute.labels [browser_channel] |
|
report_id |
target.labels [report_id] |
|
clickedThrough |
target.labels [clickedThrough] |
|
threat_type |
security_result.detection_fields [threatType] |
|
triggered_rule_info.action |
security_result.action |
If the triggered_rule_info.action log field value contains one of the following values, then the triggered_rule_info.action log field is mapped to the security_result.action UDM field:
Else, the triggered_rule_info.action log field is mapped to the security_result.rule_labels [triggeredRuleInfo_action] UDM field. |
triggered_rule_info.rule_id |
security_result.rule_id |
|
triggered_rule_info.rule_name |
security_result.rule_name |
|
triggered_rule_info.url_category |
security_result.category_details |
|
transfer_method |
additional.fields [transfer_method] |