Mengumpulkan log Google Chrome
Didukung di:
Google secops
Siem
Dokumen ini menjelaskan cara mengumpulkan log peristiwa keamanan Browser Chrome dan ChromeOS dengan menyiapkan konektor pelaporan Chrome Enterprise dan cara kolom log dipetakan ke kolom Unified Data Model (UDM) Chrome.
Untuk informasi selengkapnya, lihat Penambahan data ke Google SecOps.
Ringkasan
Deployment standar terdiri dari peristiwa keamanan Browser Chrome dan ChromeOS yang dikonfigurasi untuk mengirim log ke Google SecOps. Setiap deployment pelanggan mungkin berbeda dan mungkin lebih kompleks. Deployment terdiri dari komponen berikut:
Chrome: Peristiwa keamanan Browser Chrome dan ChromeOS yang ingin Anda kumpulkan.
Konektor pelaporan Chrome Enterprise: Konektor pelaporan Chrome Enterprise meneruskan log Chrome ke Google SecOps.
Google SecOps: Mempertahankan dan menganalisis log Chrome.
Label penyerapan mengidentifikasi parser yang menormalisasi data log mentah ke format UDM terstruktur.
Informasi dalam dokumen ini berlaku untuk parser dengan label transfer CHROME_MANAGEMENT.
Sebelum memulai
Pastikan Anda memiliki akun Administrator Google Workspace.
Pastikan semua sistem dalam arsitektur deployment dikonfigurasi di zona waktu UTC.
Pastikan Anda memiliki kunci API Chronicle Ingestion. Jika Anda tidak memilikinya, hubungi Dukungan Google SecOps atau kontak pelanggan Google SecOps Anda untuk meminta kunci API Chronicle Ingestion.
Untuk mengetahui informasi selengkapnya, lihat Peristiwa log Chrome.
Menyiapkan Pengelolaan Cloud Browser Chrome
Berikut adalah langkah-langkah tingkat tinggi untuk menyiapkan Pengelolaan Cloud browser Chrome:
Lakukan langkah-langkah berikut untuk menyiapkan Pengelolaan Cloud browser Chrome.
Di konsol Admin, klik Menu > Perangkat > Chrome > Browser terkelola.
Opsional: Pilih organisasi tingkat teratas atau pilih unit organisasi tempat Anda ingin membuat token yang mendaftarkan browser secara langsung ke unit organisasi tersebut. Untuk informasi selengkapnya, lihat Menambahkan unit organisasi.
Klik Daftar. Jika ini merupakan pertama kalinya Anda mendaftarkan browser, Anda akan diminta untuk menyetujui Persyaratan Layanan Pengelolaan Cloud Browser Chrome (CBCM).
Klik Salin token pendaftaran ke papan klip.
Untuk mendaftarkan browser Chrome yang dikelola cloud, klik Selesai.
Di konsol Admin, buka Menu > Perangkat > Chrome > Setelan > Pengguna & browser. Pilih unit organisasi tingkat teratas, sehingga semua organisasi turunan akan mewarisi kebijakan tersebut. Scroll ke bawah ke Pelaporan browser.
Setel Pelaporan browser terkelola ke Aktifkan pelaporan cloud browser terkelola.
Untuk mengaktifkan pelaporan browser Chrome, klik Save.
Di konsol Admin, buka Menu > Perangkat > Chrome > Konektor.
Opsional: Jika Anda mengonfigurasi setelan konektor Chrome Enterprise untuk pertama kalinya, ikuti petunjuk untuk mengaktifkan Chrome Enterprise Connectors.
Di bagian atas, klik + Konfigurasi penyedia baru.
Di panel yang muncul di sebelah kanan, temukan penyiapan Google SecOps, lalu klik Siapkan.
Masukkan Configuration ID, API key, dan Host Name:
ID Konfigurasi: ID yang ditampilkan di halaman Setelan browser & pengguna dan halaman Konektor.
Kunci API: Kunci API yang ditetapkan saat memanggil Chronicle ingestion API untuk mengidentifikasi pelanggan.
Nama Host: Endpoint API penyerapan. Untuk pelanggan di Amerika Serikat, endpoint ini akan selalu berupa malachiteingestion-pa.googleapis.com; untuk wilayah lain, lihat dokumentasi endpoint regional.
Klik TAMBAHKAN KONFIGURASI untuk menambahkan konfigurasi penyedia baru.
Jenis log dan model data yang didukung
Berikut adalah jenis dan peristiwa log yang didukung untuk Pengelolaan Chrome. Semua jenis dan peristiwa log yang didukung dalam format JSON.
| Jenis log | Jenis peristiwa |
|---|---|
| Aktivitas Berbahaya |
|
| Aktivitas Audit |
|
| Perlindungan Data |
|
| Chrome OS |
|
Format log Google Chrome yang didukung
Parser Google Chrome mendukung log dalam format JSON.
Contoh log Google Chrome yang didukung
JSON:
{ "event": "badNavigationEvent", "time": "1622093983.104", "reason": "SOCIAL_ENGINEERING", "result": "EVENT_RESULT_WARNED", "device_name": "", "device_user": "", "profile_user": "sample@domain.io", "url": "https://test.domain.com/s/phishing.html", "device_id": "e9806c71-0f4e-4dfa-8c52-93c05420bb8f", "os_platform": "", "os_version": "", "browser_version": "109.0.5414.120", "user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36", "client_type": "CHROME_BROWSER_PROFILE" }
Referensi pemetaan kolom
Bagian ini menjelaskan cara parser Google SecOps memetakan kolom log Chrome ke kolom Model Data Terpadu (UDM) Google SecOps untuk set data.
Referensi pemetaan kolom: ID Peristiwa ke Jenis Peristiwa
Tabel berikut mencantumkan jenis log CHROME_MANAGEMENT dan jenis peristiwa UDM yang sesuai.
| Event Identifier | Event Type | Security Category |
|---|---|---|
badNavigationEvent - SOCIAL_ENGINEERING |
USER_RESOURCE_ACCESS |
SOCIAL_ENGINEERING |
badNavigationEvent - SSL_ERROR |
USER_RESOURCE_ACCESS |
NETWORK_SUSPICIOUS |
badNavigationEvent - MALWARE |
USER_RESOURCE_ACCESS |
SOFTWARE_MALICIOUS |
badNavigationEvent - UNWANTED_SOFTWARE |
USER_RESOURCE_ACCESS |
SOFTWARE_PUA |
badNavigationEvent - THREAT_TYPE_UNSPECIFIED |
USER_RESOURCE_ACCESS |
SOFTWARE_MALICIOUS |
browserCrashEvent |
STATUS_UPDATE |
|
browserExtensionInstallEvent |
USER_RESOURCE_UPDATE_CONTENT |
|
Extension install - BROWSER_EXTENSION_INSTALL |
USER_RESOURCE_UPDATE_CONTENT |
|
EXTENSION_REQUEST |
USER_UNCATEGORIZED |
|
CHROME_OS_ADD_USER - CHROMEOS_AFFILIATED_USER_ADDED |
USER_CREATION |
|
CHROME_OS_ADD_USER - CHROMEOS_UNAFFILIATED_USER_ADDED |
USER_CREATION |
|
ChromeOS user added - CHROMEOS_UNAFFILIATED_USER_ADDED |
USER_CREATION |
|
ChromeOS user removed - CHROMEOS_UNAFFILIATED_USER_REMOVED |
USER_DELETION |
|
CHROME_OS_REMOVE_USER - CHROMEOS_AFFILIATED_USER_REMOVED |
USER_DELETION |
|
CHROME_OS_REMOVE_USER - CHROMEOS_UNAFFILIATED_USER_REMOVED |
USER_DELETION |
|
Login events |
USER_LOGIN |
|
LOGIN_EVENT - CHROMEOS_UNAFFILIATED_LOGIN |
USER_LOGIN |
|
loginEvent |
USER_LOGIN |
|
ChromeOS login success |
USER_LOGIN |
|
CHROME_OS_LOGIN_EVENT - CHROMEOS_AFFILIATED_LOGIN |
USER_LOGIN |
|
CHROME_OS_LOGIN_EVENT - CHROMEOS_UNAFFILIATED_LOGIN |
USER_LOGIN |
|
CHROME_OS_LOGIN_EVENT - CHROMEOS_GUEST_LOGIN |
USER_LOGIN |
|
CHROME_OS_LOGIN_EVENT - CHROMEOS_KIOSK_SESSION_LOGIN |
USER_LOGIN |
|
CHROME_OS_LOGIN_EVENT - CHROMEOS_GUEST_SESSION_LOGIN |
USER_LOGIN |
|
CHROME_OS_LOGIN_EVENT - CHROMEOS_MANAGED_GUEST_SESSION_LOGIN |
USER_LOGIN |
|
ChromeOS login failure - CHROMEOS_AFFILIATED_LOGIN |
USER_LOGIN |
|
CHROME_OS_LOGIN_FAILURE_EVENT - CHROMEOS_AFFILIATED_LOGIN |
USER_LOGIN |
|
CHROME_OS_LOGIN_FAILURE_EVENT - CHROMEOS_UNAFFILIATED_LOGIN |
USER_LOGIN |
|
CHROME_OS_LOGIN_LOGOUT_EVENT - CHROMEOS_AFFILIATED_LOGIN |
USER_LOGIN |
|
CHROME_OS_LOGOUT_EVENT - CHROMEOS_AFFILIATED_LOGOUT |
USER_LOGOUT |
|
CHROME_OS_LOGOUT_EVENT - CHROMEOS_GUEST_LOGOUT |
USER_LOGOUT |
|
CHROME_OS_LOGOUT_EVENT - CHROMEOS_MANAGED_GUEST_SESSION_LOGOUT |
USER_LOGOUT |
|
CHROME_OS_LOGOUT_EVENT - CHROMEOS_UNAFFILIATED_LOGOUT |
USER_LOGOUT |
|
CHROME_OS_LOGOUT_EVENT - CHROMEOS_KIOSK_SESSION_LOGOUT |
USER_LOGOUT |
|
CHROME_OS_LOGOUT_EVENT - CHROMEOS_GUEST_SESSION_LOGOUT |
USER_LOGOUT |
|
ChromeOS logout - CHROMEOS_AFFILIATED_LOGOUT |
USER_LOGOUT |
|
CHROME_OS_REPORTING_DATA_LOST |
STATUS_UPDATE |
|
ChromeOS CRD client connected - CHROMEOS_CRD_CLIENT_CONNECTED |
USER_LOGIN |
|
ChromeOS CRD client disconnected |
USER_LOGOUT |
|
CHROME_OS_CRD_HOST_STARTED - CHROMEOS_CRD_HOST_STARTED |
STATUS_STARTUP |
|
ChromeOS CRD host started - CHROMEOS_CRD_HOST_STARTED |
STATUS_STARTUP |
|
ChromeOS CRD host stopped - CHROMEOS_CRD_HOST_ENDED |
STATUS_STARTUP |
|
ChromeOS device boot state change - CHROME_OS_VERIFIED_MODE |
SETTING_MODIFICATION |
|
ChromeOS device boot state change - CHROME_OS_DEV_MODE |
SETTING_MODIFICATION |
|
DEVICE_BOOT_STATE_CHANGE - CHROME_OS_VERIFIED_MODE |
SETTING_MODIFICATION |
|
ChromeOS lock success - CHROMEOS_AFFILIATED_LOCK_SUCCESS |
USER_LOGOUT |
|
ChromeOS unlock success - CHROMEOS_AFFILIATED_UNLOCK_SUCCESS |
USER_LOGIN |
|
ChromeOS unlock failure - CHROMEOS_AFFILIATED_LOGIN |
USER_LOGIN |
|
ChromeOS USB device added - CHROMEOS_PERIPHERAL_ADDED |
USER_RESOURCE_ACCESS |
|
ChromeOS USB device removed - CHROMEOS_PERIPHERAL_REMOVED |
USER_RESOURCE_DELETION |
|
ChromeOS USB status change - CHROMEOS_PERIPHERAL_STATUS_UPDATED |
USER_RESOURCE_UPDATE_CONTENT |
|
CHROMEOS_PERIPHERAL_STATUS_UPDATED - CHROMEOS_PERIPHERAL_STATUS_UPDATED |
USER_RESOURCE_UPDATE_CONTENT |
|
Client Side Detection |
USER_UNCATEGORIZED |
|
Content transfer |
SCAN_FILE |
|
CONTENT_TRANSFER |
SCAN_FILE |
|
contentTransferEvent |
SCAN_FILE |
|
Content unscanned |
SCAN_UNCATEGORIZED |
|
CONTENT_UNSCANNED |
SCAN_UNCATEGORIZED |
|
dataAccessControlEvent |
USER_RESOURCE_ACCESS |
|
dangerousDownloadEvent - Dangerous |
SCAN_FILE |
SOFTWARE_PUA |
dangerousDownloadEvent - DANGEROUS_HOST |
SCAN_HOST |
|
dangerousDownloadEvent - UNCOMMON |
SCAN_UNCATEGORIZED |
|
dangerousDownloadEvent - POTENTIALLY_UNWANTED |
SCAN_UNCATEGORIZED |
SOFTWARE_PUA |
dangerousDownloadEvent - UNKNOWN |
SCAN_UNCATEGORIZED |
|
dangerousDownloadEvent - DANGEROUS_URL |
SCAN_UNCATEGORIZED |
|
dangerousDownloadEvent - UNWANTED_SOFTWARE |
SCAN_FILE |
SOFTWARE_PUA |
dangerousDownloadEvent - DANGEROUS_FILE_TYPE |
SCAN_FILE |
SOFTWARE_MALICIOUS |
Desktop DLP Warnings |
USER_UNCATEGORIZED |
|
DLP_EVENT |
USER_UNCATEGORIZED |
|
interstitialEvent - Malware |
NETWORK_HTTP |
NETWORK_SUSPICIOUS |
IOS/OSX Warnings |
SCAN_UNCATEGORIZED |
|
Malware transfer - MALWARE_TRANSFER_DANGEROUS |
SCAN_FILE |
SOFTWARE_MALICIOUS |
MALWARE_TRANSFER - MALWARE_TRANSFER_UNCOMMON |
SCAN_FILE |
SOFTWARE_MALICIOUS |
MALWARE_TRANSFER - MALWARE_TRANSFER_DANGEROUS |
SCAN_FILE |
SOFTWARE_MALICIOUS |
MALWARE_TRANSFER - MALWARE_TRANSFER_UNWANTED_SOFTWARE |
SCAN_FILE |
SOFTWARE_MALICIOUS |
MALWARE_TRANSFER - MALWARE_TRANSFER_UNKNOWN |
SCAN_FILE |
SOFTWARE_MALICIOUS |
MALWARE_TRANSFER - MALWARE_TRANSFER_DANGEROUS_HOST |
SCAN_FILE |
SOFTWARE_MALICIOUS |
malwareTransferEvent - DANGEROUS |
SCAN_FILE |
SOFTWARE_MALICIOUS |
malwareTransferEvent - UNSPECIFIED |
SCAN_FILE |
SOFTWARE_MALICIOUS |
Password breach |
USER_RESOURCE_ACCESS |
|
PASSWORD_BREACH |
USER_RESOURCE_ACCESS |
|
passwordBreachEvent - PASSWORD_ENTRY |
USER_RESOURCE_ACCESS |
|
Password changed |
USER_CHANGE_PASSWORD |
|
PASSWORD_CHANGED |
USER_CHANGE_PASSWORD |
|
passwordChangedEvent |
USER_CHANGE_PASSWORD |
|
Password reuse - PASSWORD_REUSED_UNAUTHORIZED_SITE |
USER_RESOURCE_ACCESS |
POLICY_VIOLATION, AUTH_VIOLATION |
Password reuse - PASSWORD_REUSED_PHISHING_URL |
USER_UNCATEGORIZED |
PHISHING |
PASSWORD_REUSE - PASSWORD_REUSED_UNAUTHORIZED_SITE |
USER_RESOURCE_ACCESS |
POLICY_VIOLATION, AUTH_VIOLATION |
passwordReuseEvent - Unauthorized site |
USER_RESOURCE_ACCESS |
POLICY_VIOLATION, AUTH_VIOLATION |
passwordReuseEvent - PASSWORD_REUSED_PHISHING_URL |
USER_UNCATEGORIZED |
PHISHING |
passwordReuseEvent - PASSWORD_REUSED_UNAUTHORIZED_SITE |
USER_RESOURCE_ACCESS |
POLICY_VIOLATION, AUTH_VIOLATION |
Permissions Blacklisting |
RESOURCE_PERMISSIONS_CHANGE |
|
Sensitive data transfer |
SCAN_FILE |
DATA_EXFILTRATION |
SENSITIVE_DATA_TRANSFER |
SCAN_FILE |
DATA_EXFILTRATION |
sensitiveDataEvent - [test_user_5] warn |
SCAN_FILE |
DATA_EXFILTRATION |
sensitiveDataTransferEvent |
SCAN_FILE |
DATA_EXFILTRATION |
Unsafe site visit - UNSAFE_SITE_VISIT_SSL_ERROR |
USER_RESOURCE_ACCESS |
NETWORK_SUSPICIOUS |
UNSAFE_SITE_VISIT - UNSAFE_SITE_VISIT_MALWARE |
USER_RESOURCE_ACCESS |
SOFTWARE_MALICIOUS |
UNSAFE_SITE_VISIT - UNSAFE_SITE_VISIT_UNWANTED_SOFTWARE |
USER_RESOURCE_ACCESS |
SOFTWARE_SUSPICIOUS |
UNSAFE_SITE_VISIT - EVENT_REASON_UNSPECIFIED |
USER_RESOURCE_ACCESS |
|
UNSAFE_SITE_VISIT - UNSAFE_SITE_VISIT_SOCIAL_ENGINEERING |
USER_RESOURCE_ACCESS |
SOCIAL_ENGINEERING |
UNSAFE_SITE_VISIT - UNSAFE_SITE_VISIT_SSL_ERROR |
USER_RESOURCE_ACCESS |
NETWORK_SUSPICIOUS |
unscannedFileEvent - FILE_PASSWORD_PROTECTED |
SCAN_FILE |
|
unscannedFileEvent - FILE_TOO_LARGE |
SCAN_FILE |
|
urlFilteringInterstitialEvent |
USER_RESOURCE_ACCESS |
POLICY_VIOLATION |
extensionTelemetryEvent |
If the telemetry_event_signals.signal_name log field value is equal to the COOKIES_GET_ALL_INFO, COOKIES_GET_INFO, TABS_API_INFO, then the event_type set to USER_RESOURCE_ACCESS.Else, if the telemetry_event_signals.signal_name log field value is equal to REMOTE_HOST_CONTACTED_INFO, then if the telemetry_event_signals.connection_protocol log field value is equal to HTTP_HTTPS, then the event_type is set to NETWORK_HTTP.Else, the event_type UDM field is set to NETWORK_UNCATEGORIZED. |
If the telemetry_event_signals.signal_name log field value is equal to REMOTE_HOST_CONTACTED_INFO, then the security category is set to NETWORK_SUSPICIOUS.Else, if the telemetry_event_signals.signal_name log field value contain one of the following values, then the security category UDM field is set to SOFTWARE_SUSPICIOUS.
|
Referensi pemetaan kolom: CHROME_MANAGEMENT
Tabel berikut mencantumkan kolom log dari jenis log CHROME_MANAGEMENT dan kolom UDM yang sesuai.
| Log field | UDM mapping | Logic |
|---|---|---|
id.customerId |
about.resource.product_object_id |
|
event_detail |
metadata.description |
|
time |
metadata.event_timestamp |
|
events.parameters.name [TIMESTAMP] |
metadata.event_timestamp |
|
event |
metadata.product_event_type |
|
events.name |
metadata.product_event_type |
|
id.uniqueQualifier |
metadata.product_log_id |
|
|
metadata.product_name |
The metadata.product_name UDM field is set to Chrome Management. |
id.applicationName |
|
|
|
metadata.vendor_name |
The metadata.vendor_name UDM field is set to GOOGLE. |
user_agent |
network.http.user_agent |
|
userAgent |
network.http.user_agent |
|
events.parameters.name [USER_AGENT] |
network.http.user_agent |
|
events.parameters.name [SESSION_ID] |
network.session_id |
|
client_type |
principal.application |
|
clientType |
principal.application |
|
events.parameters.name [CLIENT_TYPE] |
principal.application |
|
device_id |
principal.asset.product_object_id |
|
deviceId |
principal.asset.product_object_id |
|
events.parameters.name [DEVICE_ID] |
principal.asset.product_object_id |
|
device_name |
principal.hostname |
|
deviceName |
principal.hostname |
|
events.parameters.name [DEVICE_NAME] |
principal.hostname |
|
os_plarform |
principal.platform |
The principal.platform UDM field is set to one of the following values:
Else, if the os_plarform log field value is not empty and osVersion log field value is not empty, then the os_plarform osVersion log field is mapped to the principal.platform_version UDM field. |
os_plarform |
principal.asset.platform_software.platform |
The principal.asset.platform_software.platform UDM field is set to one of the following values:
|
os_platform |
principal.platform |
The principal.platform UDM field is set to one of the following values:
Else, if the os_platform log field value is not empty and osVersion log field value is not empty, then the os_platform osVersion log field is mapped to the principal.platform_version UDM field. |
os_platform |
principal.asset.platform_software.platform |
The principal.asset.platform_software.platform UDM field is set to one of the following values:
|
osPlatform |
principal.platform |
The principal.platform UDM field is set to one of the following values:
Else, if the osPlatform log field value is not empty and osVersion log field value is not empty, then the osPlatform osVersion log field is mapped to the principal.platform_version UDM field. |
osPlatform |
principal.asset.platform_software.platform |
The principal.asset.platform_software.platform UDM field is set to one of the following values:
|
events.parameters.name [DEVICE_PLATFORM] |
principal.platform |
The os_platform and os_version is extracted from the events.parameters.name [DEVICE_PLATFORM] log field using Grok pattern.The principal.platform UDM field is set to one of the following values:
Else, if the os_platform log field value is not empty and osVersion log field value is not empty, then the os_platform osVersion log field is mapped to the principal.platform_version UDM field. |
events.parameters.name [DEVICE_PLATFORM] |
principal.asset.platform_software.platform |
The os_platform is extracted from the events.parameters.name [DEVICE_PLATFORM] log field using Grok pattern.The principal.asset.platform_software.platform UDM field is set to one of the following values:
|
os_version |
principal.platform_version |
|
osVersion |
principal.platform_version |
|
events.parameters.name [DEVICE_PLATFORM] |
principal.platform_version |
The Version is extracted from the events.parameters.name [DEVICE_PLATFORM] log field using Grok pattern. |
device_id |
principal.resource.id |
|
deviceId |
principal.resource.id |
|
events.parameters.name [DEVICE_ID] |
principal.resource.id |
|
directory_device_id |
principal.resource.product_object_id |
|
events.parameters.name [DIRECTORY_DEVICE_ID] |
principal.resource.product_object_id |
|
|
principal.resource.resource_subtype |
If the event log field value is equal to CHROMEOS_PERIPHERAL_STATUS_UPDATED, then the principal.resource.resource_subtype UDM field is set to USB.Else, if the events.name log field value is equal to CHROMEOS_PERIPHERAL_STATUS_UPDATED, then the principal.resource.resource_subtype UDM field is set to USB. |
|
principal.resource.resource_type |
If the device_id log field value is not empty, then the principal.resource.resource_type UDM field is set to DEVICE. |
actor.email |
principal.user.email_addresses |
|
actor.profileId |
principal.user.userid |
|
result |
security_result.action_details |
|
events.parameters.name [EVENT_RESULT] |
security_result.action_details |
|
event_result |
security_result.action_details |
|
|
security_result.action |
The security_result.action UDM field is set to one of the following values:
|
reason |
security_result.category_details |
|
events.parameters.name [EVENT_REASON] |
security_result.category_details |
|
events.parameters.name [EVENT_REASON] |
security_result.summary |
|
events.parameters.name [LOGIN_FAILURE_REASON] |
security_result.description |
|
events.parameters.name [REMOVE_USER_REASON] |
security_result.description |
If the events.name log field value is equal to CHROME_OS_REMOVE_USER, then the events.parameters.namethe log field is mapped to the security_result.description UDM field. |
triggered_rules |
security_result.rule_name |
|
events.type |
security_result.category_details |
|
events.parameters.name [PRODUCT_NAME] |
target.application |
If the events.name log field value contains one of the following values, then the events.parameters.name [PRODUCT_NAME] log field is mapped to the target.resource.name UDM field:
|
content_name |
target.file.full_path |
|
contentName |
target.file.full_path |
|
events.parameters.name [CONTENT_NAME] |
target.file.full_path |
|
content_type |
target.file.mime_type |
|
contentType |
target.file.mime_type |
|
events.parameters.name [CONTENT_TYPE] |
target.file.mime_type |
|
content_hash |
target.file.sha256 |
|
events.parameters.name [CONTENT_HASH] |
target.file.sha256 |
|
content_size |
target.file.size |
|
contentSize |
target.file.size |
|
events.parameters.name [CONTENT_SIZE] |
target.file.size |
|
|
target.file.file_type |
The fileType is extracted from the content_name log field usign Grok pattern, Then target.file.file_type UDM field is set to one of the following values:
|
extension_id |
target.resource.product_object_id |
|
events.parameters.name [APP_ID] |
target.resource.product_object_id |
|
extension_name |
target.resource.name |
If the event log field value is equal to badNavigationEvent or the events.name log field value is equal to badNavigationEvent, then the extension_name log field is mapped to the target.resource.name UDM field. |
telemetry_event_signals.signal_name |
target.resource.name |
If the event log field value is equal to extensionTelemetryEvent, then the telemetry_event_signals.signal_name log field is mapped to the target.resource.name UDM field. |
events.parameters.name [APP_NAME] |
target.resource.name |
|
url |
target.url |
|
events.parameters.name [URL] |
target.url |
|
telemetry_event_signals.url |
target.url |
If the telemetry_event_signals.url log field value matches the regular expression pattern the [http:\/\/ or https:\/\/].*, then the telemetry_event_signals.url log field is mapped to the target.url UDM field. |
device_user |
target.user.userid |
|
deviceUser |
principal.user.userid |
If the event log field value is equal to passwordChangedEvent, then the deviceUser log field is mapped to the principal.user.userid UDM field.Else, the deviceUser log field is mapped to the principal.user.user_display_name UDM field. |
events.parameters.name [DEVICE_USER] |
If the event log field value is equal to passwordChangedEvent, then the events.parameters.name [DEVICE_USER] log field is mapped to the principal.user.userid UDM field.Else, the events.parameters.name [DEVICE_USER] log field is mapped to the principal.user.user_display_name UDM field. |
|
scan_id |
about.labels [scan_id] |
|
events.parameters.name [CONNECTION_TYPE] |
about.labels [connection_type] |
|
etag |
about.labels [etag] |
|
kind |
about.labels [kind] |
|
actor.key |
principal.user.attribute.labels [actor_key] |
|
actor.callerType |
principal.user.attribute.labels [actor_callerType] |
|
events.parameters.name [EVIDENCE_LOCKER_FILEPATH] |
security_result.about.labels [evidence_locker_filepath] |
|
federated_origin |
security_result.about.labels [federated_origin] |
|
is_federated |
security_result.about.labels [is_federated] |
|
destination |
security_result.about.labels [trigger_destination] |
|
events.parameters.name [TRIGGER_DESTINATION] |
security_result.about.labels [trigger_destination] |
|
source |
security_result.about.labels [trigger_source] |
|
events.parameters.name [TRIGGER_SOURCE] |
security_result.about.labels [trigger_source] |
|
trigger_type |
security_result.about.labels [trigger_type] |
|
trigger_type |
additional.fields [trigger_type] |
|
triggerType |
security_result.about.labels [trigger_type] |
|
triggerType |
additional.fields [trigger_type] |
|
events.parameters.name [TRIGGER_TYPE] |
security_result.about.labels [trigger_type] |
|
trigger_user |
security_result.about.labels [trigger_user] |
|
events.parameters.name [TRIGGER_USER] |
security_result.about.labels [trigger_user] |
|
events.parameters.name [MALWARE_CATEGORY] |
security_result.threat_name |
|
events.parameters.name [MALWARE_FAMILY] |
security_result.detection_fields [malware_family] |
|
events.parameters.name [VENDOR_ID] |
src.labels [vendor_id] |
|
events.parameters.name [VENDOR_NAME] |
src.labels [vendor_name] |
|
events.parameters.name [VIRTUAL_DEVICE_ID] |
src.labels [virtual_device_id] |
|
events.parameters.name [VIRTUAL_DEVICE_ID] |
additional.fields [virtual_device_id] |
|
events.parameters.name [NEW_BOOT_MODE] |
target.asset.attribute.labels [new_boot_mode] |
|
events.parameters.name [PREVIOUS_BOOT_MODE] |
target.asset.attribute.labels [previous_boot_mode] |
|
id.time |
target.asset.attribute.labels [timestamp] |
|
events.parameters.name [PRODUCT_ID] |
target.labels [product_id] |
If the events.name log field value contains one of the following values, then the events.parameters.name [PRODUCT_ID] log field is mapped to the target.resource.product_object_id UDM field:
Else, the events.parameters.name [PRODUCT_ID] log field is mapped to the target.labels UDM field. |
|
extensions.auth.mechanism |
If the events.name log field value contains one of the following values, then the extensions.auth.mechanism UDM field is set to USERNAME_PASSWORD:
|
events.parameters.name [UNLOCK_TYPE] |
target.labels [unlock_type] |
|
extension_description |
target.resource.attribute.labels [extension_description] |
|
extension_action |
target.resource.attribute.labels [extension_action] |
|
extension_version |
target.resource.attribute.labels [extension_version] |
If the event log field value is not equal to extensionTelemetryEvent, then the extension_version log field is mapped to the target.resource.attribute.labels[extension_version] UDM field. |
extension_source |
target.resource.attribute.labels[extension_source] |
If the event log field value is not equal to extensionTelemetryEvent, then the extension_source log field is mapped to the target.resource.attribute.labels[extension_source] UDM field. |
browser_version |
target.resource.attributes.labels [browser_version] |
|
browserVersion |
target.resource.attributes.labels [browser_version] |
|
events.parameters.name [BROWSER_VERSION] |
target.resource.attributes.labels [browser_version] |
|
profile_user |
target.user.email_addresses |
If the event log field value contain one of the following values and the profile_user log field value matches the regular expression pattern ^.+@.+$, then the profile_user log field is mapped to the target.user.email_addresses UDM field.
|
profile_user |
principal.user.email_addresses |
If the event log field value does not contain one of the following values and the profile_user log field value matches the regular expression pattern ^.+@.+$ and the actor.email log field value is not equal to the profile_user, then the profile_user log field is mapped to the principal.user.email_addresses UDM field.
|
profile_user |
target.user.attribute.labels[profile_user_name] |
If the event log field value contain one of the following values and the profile_user log field value does not match the regular expression pattern ^.+@.+$, then the profile_user log field is mapped to the target.user.attribute.labels.profile_user_name UDM field.
|
profile_user |
principal.user.attribute.labels[profile_user_name] |
If the event log field value does not contain one of the following values and the profile_user log field value does not match the regular expression pattern ^.+@.+$ or the actor.email log field value is equal to the profile_user, then the profile_user log field is mapped to the principal.user.attribute.labels.profile_user_name UDM field.
|
events.parameters.name [PROFILE_USER_NAME] |
target.user.email_addresses |
If the event log field value contain one of the following values and the events.parameters.name [PROFILE_USER_NAME] log field value matches the regular expression pattern ^.+@.+$, then the events.parameters.name [PROFILE_USER_NAME] log field is mapped to the target.user.email_addresses UDM field.
|
events.parameters.name [PROFILE_USER_NAME] |
principal.user.email_addresses |
If the event log field value does not contain one of the following values and the events.parameters.name [PROFILE_USER_NAME] log field value matches the regular expression pattern ^.+@.+$ and the actor.email log field value is not equal to the events.parameters.name [PROFILE_USER_NAME], then the events.parameters.name [PROFILE_USER_NAME] log field is mapped to the principal.user.email_addresses UDM field.
|
events.parameters.name [PROFILE_USER_NAME] |
target.user.attribute.labels[profile_user_name] |
If the event log field value contain one of the following values and the events.parameters.name [PROFILE_USER_NAME] log field value does not match the regular expression pattern ^.+@.+$, then the events.parameters.name [PROFILE_USER_NAME] log field is mapped to the target.user.attribute.labels.profile_user_name UDM field.
|
events.parameters.name [PROFILE_USER_NAME] |
principal.user.attribute.labels[profile_user_name] |
If the event log field value does not contain one of the following values and the events.parameters.name [PROFILE_USER_NAME] log field value does not match the regular expression pattern ^.+@.+$ or the actor.email log field value is equal to the events.parameters.name [PROFILE_USER_NAME], then the events.parameters.name [PROFILE_USER_NAME] log field is mapped to the principal.user.attribute.labels.profile_user_name UDM field.
|
|
target.resource.resource_type |
If the events.name log field value is equal to DEVICE_BOOT_STATE_CHANGE, then the target.resource.resource_type UDM field is set to SETTING. |
url_category |
target.labels [url_category] |
|
browser_channel |
target.resource.attribute.labels [browser_channel] |
|
report_id |
target.labels [report_id] |
|
clickedThrough |
target.labels [clickedThrough] |
|
threat_type |
security_result.detection_fields [threatType] |
|
triggered_rule_info.action |
security_result.action |
If the triggered_rule_info.action log field value contains one of the following values, then the triggered_rule_info.action log field is mapped to the security_result.action UDM field:
Else, the triggered_rule_info.action log field is mapped to the security_result.rule_labels [triggeredRuleInfo_action] UDM field. |
triggered_rule_info.rule_id |
security_result.rule_id |
|
triggered_rule_info.rule_name |
security_result.rule_name |
|
triggered_rule_info.url_category |
security_result.category_details |
|
transfer_method |
additional.fields [transfer_method] |
|
extension_name |
target.resource_ancestors.name |
If the event log field value is equal to extensionTelemetryEvent, then the extension_name log field is mapped to the target.resource_ancestors.name UDM field. |
extension_id |
target.resource_ancestors.product_object_id |
If the event log field value is equal to extensionTelemetryEvent, then the extension_id log field is mapped to the target.resource_ancestors.product_object_id UDM field. |
extension_version |
target.resource_ancestors.attribute.labels[extension_version] |
If the event log field value is equal to extensionTelemetryEvent, then the extension_version log field is mapped to the target.resource_ancestors.attribute.labels[extension_version] UDM field. |
extension_source |
target.resource_ancestors.attribute.labels[extension_source] |
If the event log field value is equal to extensionTelemetryEvent, then the extension_source log field is mapped to the target.resource_ancestors.attribute.labels[extension_source] UDM field. |
profile_identifier |
additional.fields[profile_identifier] |
|
extension_files_info.file_name |
target.resource_ancestors.file.names |
|
extension_files_info.file_hash.hash |
target.resource_ancestors.attribute.labels[file_hash] |
|
telemetry_event_signals.count |
target.resource.attribute.labels[count] |
|
telemetry_event_signals.tabs_api_method |
target.resource.attribute.labels[tabs_api_method] |
|
|
target.hostname |
If the telemetry_event_signals.url log field value does not match the regular expression pattern the [http:\/\/ or https:\/\/].*, then the telemetry_event_signals.url log field is mapped to the target.hostname UDM field. |
telemetry_event_signals.destination |
target.resource.attribute.labels[destination] |
|
telemetry_event_signals.source |
target.resource.attribute.labels[source] |
|
telemetry_event_signals.domain |
target.domain.name |
|
telemetry_event_signals.cookie_name |
target.resource.attribute.labels[cookie_name] |
|
telemetry_event_signals.cookie_path |
target.resource.attribute.labels[cookie_path] |
|
telemetry_event_signals.cookie_is_secure |
target.resource.attribute.labels[cookie_is_secure] |
|
telemetry_event_signals.cookie_store_id |
target.resource.attribute.labels[cookie_store_id] |
|
telemetry_event_signals.cookie_is_session |
target.resource.attribute.labels[cookie_is_session] |
|
telemetry_event_signals.connection_protocol |
network.application_protocol |
If the telemetry_event_signals.connection_protocol log field value is equal to HTTP_HTTPS, then the network.application_protocol UDM field is set to HTTP Else, If the telemetry_event_signals.connection_protocol log field value is equal to UNSPECIFIED, then the network.application_protocol UDM field is set to UNKNOWN_APPLICATION_PROTOCOLElse, the telemetry_event_signals.connection_protocol log field is mapped to the target.resource.attribute.labels UDM field. |
telemetry_event_signals.contacted_by |
target.resource.attribute.labels[contacted_by] |
Langkah berikutnya
Untuk blog Komunitas tentang log Chrome, lihat:
Perlu bantuan lain? Dapatkan jawaban dari anggota Komunitas dan profesional Google SecOps.