Raccogliere i log di Google Chrome
Supportato in:
Google secops
Siem
Questo documento descrive come raccogliere i log degli eventi di sicurezza del browser Chrome e di ChromeOS configurando un connettore di reporting di Chrome Enterprise e come i campi dei log vengono mappati ai campi del modello di dati unificato (UDM) di Chrome.
Per ulteriori informazioni, consulta Importazione dei dati in Google SecOps.
Panoramica
Un deployment tipico è costituito da eventi di sicurezza del browser Chrome e di ChromeOS configurati per inviare log a Google SecOps. Ogni implementazione del cliente potrebbe essere diversa e più complessa. Il deployment è costituito dai seguenti componenti:
Chrome: gli eventi di sicurezza del browser Chrome e di ChromeOS che vuoi raccogliere.
Connettore di reporting di Chrome Enterprise: il connettore di reporting di Chrome Enterprise inoltra i log di Chrome a Google SecOps.
Google SecOps: conserva e analizza i log di Chrome.
Un'etichetta di importazione identifica l'analizzatore sintattico che normalizza i dati dei log non elaborati in formato UDM strutturato.
Le informazioni contenute in questo documento si applicano al parser con l'etichetta di importazione CHROME_MANAGEMENT.
Prima di iniziare
Assicurati di avere un account amministratore di Google Workspace.
Assicurati che tutti i sistemi nell'architettura di deployment siano configurati nel fuso orario UTC.
Assicurati di disporre di una chiave API Chronicle Ingestion. Se non ne hai una, contatta l'assistenza Google SecOps o il tuo punto di contatto cliente Google SecOps per richiedere la chiave API di importazione di Chronicle.
Per ulteriori informazioni, consulta gli eventi dei log di Chrome.
Impostare Chrome Browser Cloud Management
Di seguito sono riportati i passaggi di alto livello per configurare Chrome Browser Cloud Management:
Per configurare Chrome Browser Cloud Management, svolgi i seguenti passaggi.
Nella Console di amministrazione, fai clic su Menu > Dispositivi > Chrome > Browser gestiti.
(Facoltativo) Seleziona l'organizzazione di primo livello o l'unità organizzativa in cui vuoi generare un token che registri i browser direttamente in quella specifica unità organizzativa. Per ulteriori informazioni, consulta Aggiungere un'unità organizzativa.
Fai clic su Registrati. Se questa è la tua prima registrazione del browser, ti verrà chiesto di accettare i Termini di servizio di Chrome Browser Cloud Management (CBCM).
Fai clic su Copia token di registrazione negli appunti.
Per registrare i browser Chrome gestiti su cloud, fai clic su Fine.
Nella Console di amministrazione, vai a Menu > Dispositivi > Chrome > Impostazioni > Utenti e browser. Seleziona la tua unità organizzativa di primo livello, in modo che tutte le organizzazioni secondarie ereditino il criterio. Scorri verso il basso fino a Report sul browser.
Imposta Reporting sul browser gestito su Attiva reporting su cloud tramite browser gestito.
Per attivare i report del browser Chrome, fai clic su Salva.
Nella Console di amministrazione, vai a Menu > Dispositivi > Chrome > Connettori.
(Facoltativo) Se è la prima volta che configuri le impostazioni dei connettori di Chrome Enterprise, segui le istruzioni per attivare Chrome Enterprise Connectors.
In alto, fai clic su + Configurazione nuovo provider.
Nel riquadro visualizzato a destra, trova la configurazione di Google SecOps e fai clic su Configura.
Inserisci l'ID configurazione, la chiave API e il nome host:
ID configurazione: l'ID visualizzato nella pagina Impostazioni browser e utente e nella pagina Connettori.
Chiave API: la chiave API da specificare quando si chiama l'API di importazione di Chronicle per identificare il cliente.
Nome host: l'endpoint dell'API di importazione. Per i clienti statunitensi, sarà sempre malachiteingestion-pa.googleapis.com; per le altre regioni, consulta la documentazione sugli endpoint regionali.
Fai clic su ADD CONFIGURATION (AGGIUNGI CONFIGURAZIONE) per aggiungere la nuova configurazione del fornitore.
Tipi di log e modelli di dati supportati
Di seguito sono riportati i tipi di log e gli eventi supportati per la gestione di Chrome. Tutti i tipi di log e gli eventi supportati sono in formato JSON.
| Tipo di log | Tipo di evento |
|---|---|
| Attività dannose |
|
| Attività di controllo |
|
| Protezione dei dati |
|
| Chrome OS |
|
Formati dei log di Google Chrome supportati
L'analizzatore di Google Chrome supporta i log in formato JSON.
Log di esempio di Google Chrome supportati
JSON:
{ "event": "badNavigationEvent", "time": "1622093983.104", "reason": "SOCIAL_ENGINEERING", "result": "EVENT_RESULT_WARNED", "device_name": "", "device_user": "", "profile_user": "sample@domain.io", "url": "https://test.domain.com/s/phishing.html", "device_id": "e9806c71-0f4e-4dfa-8c52-93c05420bb8f", "os_platform": "", "os_version": "", "browser_version": "109.0.5414.120", "user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36", "client_type": "CHROME_BROWSER_PROFILE" }
Riferimento alla mappatura dei campi
Questa sezione spiega in che modo il parser di Google SecOps mappa i campi dei log di Chrome ai campi del modello UDM (Unified Data Model) di Google SecOps per i set di dati.
Riferimento alla mappatura dei campi: identificatore evento a tipo di evento
Nella tabella seguente sono elencati i tipi di log CHROME_MANAGEMENT e i relativi tipi di eventi UDM.
| Event Identifier | Event Type | Security Category |
|---|---|---|
badNavigationEvent - SOCIAL_ENGINEERING |
USER_RESOURCE_ACCESS |
SOCIAL_ENGINEERING |
badNavigationEvent - SSL_ERROR |
USER_RESOURCE_ACCESS |
NETWORK_SUSPICIOUS |
badNavigationEvent - MALWARE |
USER_RESOURCE_ACCESS |
SOFTWARE_MALICIOUS |
badNavigationEvent - UNWANTED_SOFTWARE |
USER_RESOURCE_ACCESS |
SOFTWARE_PUA |
badNavigationEvent - THREAT_TYPE_UNSPECIFIED |
USER_RESOURCE_ACCESS |
SOFTWARE_MALICIOUS |
browserCrashEvent |
STATUS_UPDATE |
|
browserExtensionInstallEvent |
USER_RESOURCE_UPDATE_CONTENT |
|
Extension install - BROWSER_EXTENSION_INSTALL |
USER_RESOURCE_UPDATE_CONTENT |
|
EXTENSION_REQUEST |
USER_UNCATEGORIZED |
|
CHROME_OS_ADD_USER - CHROMEOS_AFFILIATED_USER_ADDED |
USER_CREATION |
|
CHROME_OS_ADD_USER - CHROMEOS_UNAFFILIATED_USER_ADDED |
USER_CREATION |
|
ChromeOS user added - CHROMEOS_UNAFFILIATED_USER_ADDED |
USER_CREATION |
|
ChromeOS user removed - CHROMEOS_UNAFFILIATED_USER_REMOVED |
USER_DELETION |
|
CHROME_OS_REMOVE_USER - CHROMEOS_AFFILIATED_USER_REMOVED |
USER_DELETION |
|
CHROME_OS_REMOVE_USER - CHROMEOS_UNAFFILIATED_USER_REMOVED |
USER_DELETION |
|
Login events |
USER_LOGIN |
|
LOGIN_EVENT - CHROMEOS_UNAFFILIATED_LOGIN |
USER_LOGIN |
|
loginEvent |
USER_LOGIN |
|
ChromeOS login success |
USER_LOGIN |
|
CHROME_OS_LOGIN_EVENT - CHROMEOS_AFFILIATED_LOGIN |
USER_LOGIN |
|
CHROME_OS_LOGIN_EVENT - CHROMEOS_UNAFFILIATED_LOGIN |
USER_LOGIN |
|
CHROME_OS_LOGIN_EVENT - CHROMEOS_GUEST_LOGIN |
USER_LOGIN |
|
CHROME_OS_LOGIN_EVENT - CHROMEOS_KIOSK_SESSION_LOGIN |
USER_LOGIN |
|
CHROME_OS_LOGIN_EVENT - CHROMEOS_GUEST_SESSION_LOGIN |
USER_LOGIN |
|
CHROME_OS_LOGIN_EVENT - CHROMEOS_MANAGED_GUEST_SESSION_LOGIN |
USER_LOGIN |
|
ChromeOS login failure - CHROMEOS_AFFILIATED_LOGIN |
USER_LOGIN |
|
CHROME_OS_LOGIN_FAILURE_EVENT - CHROMEOS_AFFILIATED_LOGIN |
USER_LOGIN |
|
CHROME_OS_LOGIN_FAILURE_EVENT - CHROMEOS_UNAFFILIATED_LOGIN |
USER_LOGIN |
|
CHROME_OS_LOGIN_LOGOUT_EVENT - CHROMEOS_AFFILIATED_LOGIN |
USER_LOGIN |
|
CHROME_OS_LOGOUT_EVENT - CHROMEOS_AFFILIATED_LOGOUT |
USER_LOGOUT |
|
CHROME_OS_LOGOUT_EVENT - CHROMEOS_GUEST_LOGOUT |
USER_LOGOUT |
|
CHROME_OS_LOGOUT_EVENT - CHROMEOS_MANAGED_GUEST_SESSION_LOGOUT |
USER_LOGOUT |
|
CHROME_OS_LOGOUT_EVENT - CHROMEOS_UNAFFILIATED_LOGOUT |
USER_LOGOUT |
|
CHROME_OS_LOGOUT_EVENT - CHROMEOS_KIOSK_SESSION_LOGOUT |
USER_LOGOUT |
|
CHROME_OS_LOGOUT_EVENT - CHROMEOS_GUEST_SESSION_LOGOUT |
USER_LOGOUT |
|
ChromeOS logout - CHROMEOS_AFFILIATED_LOGOUT |
USER_LOGOUT |
|
CHROME_OS_REPORTING_DATA_LOST |
STATUS_UPDATE |
|
ChromeOS CRD client connected - CHROMEOS_CRD_CLIENT_CONNECTED |
USER_LOGIN |
|
ChromeOS CRD client disconnected |
USER_LOGOUT |
|
CHROME_OS_CRD_HOST_STARTED - CHROMEOS_CRD_HOST_STARTED |
STATUS_STARTUP |
|
ChromeOS CRD host started - CHROMEOS_CRD_HOST_STARTED |
STATUS_STARTUP |
|
ChromeOS CRD host stopped - CHROMEOS_CRD_HOST_ENDED |
STATUS_STARTUP |
|
ChromeOS device boot state change - CHROME_OS_VERIFIED_MODE |
SETTING_MODIFICATION |
|
ChromeOS device boot state change - CHROME_OS_DEV_MODE |
SETTING_MODIFICATION |
|
DEVICE_BOOT_STATE_CHANGE - CHROME_OS_VERIFIED_MODE |
SETTING_MODIFICATION |
|
ChromeOS lock success - CHROMEOS_AFFILIATED_LOCK_SUCCESS |
USER_LOGOUT |
|
ChromeOS unlock success - CHROMEOS_AFFILIATED_UNLOCK_SUCCESS |
USER_LOGIN |
|
ChromeOS unlock failure - CHROMEOS_AFFILIATED_LOGIN |
USER_LOGIN |
|
ChromeOS USB device added - CHROMEOS_PERIPHERAL_ADDED |
USER_RESOURCE_ACCESS |
|
ChromeOS USB device removed - CHROMEOS_PERIPHERAL_REMOVED |
USER_RESOURCE_DELETION |
|
ChromeOS USB status change - CHROMEOS_PERIPHERAL_STATUS_UPDATED |
USER_RESOURCE_UPDATE_CONTENT |
|
CHROMEOS_PERIPHERAL_STATUS_UPDATED - CHROMEOS_PERIPHERAL_STATUS_UPDATED |
USER_RESOURCE_UPDATE_CONTENT |
|
Client Side Detection |
USER_UNCATEGORIZED |
|
Content transfer |
SCAN_FILE |
|
CONTENT_TRANSFER |
SCAN_FILE |
|
contentTransferEvent |
SCAN_FILE |
|
Content unscanned |
SCAN_UNCATEGORIZED |
|
CONTENT_UNSCANNED |
SCAN_UNCATEGORIZED |
|
dataAccessControlEvent |
USER_RESOURCE_ACCESS |
|
dangerousDownloadEvent - Dangerous |
SCAN_FILE |
SOFTWARE_PUA |
dangerousDownloadEvent - DANGEROUS_HOST |
SCAN_HOST |
|
dangerousDownloadEvent - UNCOMMON |
SCAN_UNCATEGORIZED |
|
dangerousDownloadEvent - POTENTIALLY_UNWANTED |
SCAN_UNCATEGORIZED |
SOFTWARE_PUA |
dangerousDownloadEvent - UNKNOWN |
SCAN_UNCATEGORIZED |
|
dangerousDownloadEvent - DANGEROUS_URL |
SCAN_UNCATEGORIZED |
|
dangerousDownloadEvent - UNWANTED_SOFTWARE |
SCAN_FILE |
SOFTWARE_PUA |
dangerousDownloadEvent - DANGEROUS_FILE_TYPE |
SCAN_FILE |
SOFTWARE_MALICIOUS |
Desktop DLP Warnings |
USER_UNCATEGORIZED |
|
DLP_EVENT |
USER_UNCATEGORIZED |
|
interstitialEvent - Malware |
NETWORK_HTTP |
NETWORK_SUSPICIOUS |
IOS/OSX Warnings |
SCAN_UNCATEGORIZED |
|
Malware transfer - MALWARE_TRANSFER_DANGEROUS |
SCAN_FILE |
SOFTWARE_MALICIOUS |
MALWARE_TRANSFER - MALWARE_TRANSFER_UNCOMMON |
SCAN_FILE |
SOFTWARE_MALICIOUS |
MALWARE_TRANSFER - MALWARE_TRANSFER_DANGEROUS |
SCAN_FILE |
SOFTWARE_MALICIOUS |
MALWARE_TRANSFER - MALWARE_TRANSFER_UNWANTED_SOFTWARE |
SCAN_FILE |
SOFTWARE_MALICIOUS |
MALWARE_TRANSFER - MALWARE_TRANSFER_UNKNOWN |
SCAN_FILE |
SOFTWARE_MALICIOUS |
MALWARE_TRANSFER - MALWARE_TRANSFER_DANGEROUS_HOST |
SCAN_FILE |
SOFTWARE_MALICIOUS |
malwareTransferEvent - DANGEROUS |
SCAN_FILE |
SOFTWARE_MALICIOUS |
malwareTransferEvent - UNSPECIFIED |
SCAN_FILE |
SOFTWARE_MALICIOUS |
Password breach |
USER_RESOURCE_ACCESS |
|
PASSWORD_BREACH |
USER_RESOURCE_ACCESS |
|
passwordBreachEvent - PASSWORD_ENTRY |
USER_RESOURCE_ACCESS |
|
Password changed |
USER_CHANGE_PASSWORD |
|
PASSWORD_CHANGED |
USER_CHANGE_PASSWORD |
|
passwordChangedEvent |
USER_CHANGE_PASSWORD |
|
Password reuse - PASSWORD_REUSED_UNAUTHORIZED_SITE |
USER_RESOURCE_ACCESS |
POLICY_VIOLATION, AUTH_VIOLATION |
Password reuse - PASSWORD_REUSED_PHISHING_URL |
USER_UNCATEGORIZED |
PHISHING |
PASSWORD_REUSE - PASSWORD_REUSED_UNAUTHORIZED_SITE |
USER_RESOURCE_ACCESS |
POLICY_VIOLATION, AUTH_VIOLATION |
passwordReuseEvent - Unauthorized site |
USER_RESOURCE_ACCESS |
POLICY_VIOLATION, AUTH_VIOLATION |
passwordReuseEvent - PASSWORD_REUSED_PHISHING_URL |
USER_UNCATEGORIZED |
PHISHING |
passwordReuseEvent - PASSWORD_REUSED_UNAUTHORIZED_SITE |
USER_RESOURCE_ACCESS |
POLICY_VIOLATION, AUTH_VIOLATION |
Permissions Blacklisting |
RESOURCE_PERMISSIONS_CHANGE |
|
Sensitive data transfer |
SCAN_FILE |
DATA_EXFILTRATION |
SENSITIVE_DATA_TRANSFER |
SCAN_FILE |
DATA_EXFILTRATION |
sensitiveDataEvent - [test_user_5] warn |
SCAN_FILE |
DATA_EXFILTRATION |
sensitiveDataTransferEvent |
SCAN_FILE |
DATA_EXFILTRATION |
Unsafe site visit - UNSAFE_SITE_VISIT_SSL_ERROR |
USER_RESOURCE_ACCESS |
NETWORK_SUSPICIOUS |
UNSAFE_SITE_VISIT - UNSAFE_SITE_VISIT_MALWARE |
USER_RESOURCE_ACCESS |
SOFTWARE_MALICIOUS |
UNSAFE_SITE_VISIT - UNSAFE_SITE_VISIT_UNWANTED_SOFTWARE |
USER_RESOURCE_ACCESS |
SOFTWARE_SUSPICIOUS |
UNSAFE_SITE_VISIT - EVENT_REASON_UNSPECIFIED |
USER_RESOURCE_ACCESS |
|
UNSAFE_SITE_VISIT - UNSAFE_SITE_VISIT_SOCIAL_ENGINEERING |
USER_RESOURCE_ACCESS |
SOCIAL_ENGINEERING |
UNSAFE_SITE_VISIT - UNSAFE_SITE_VISIT_SSL_ERROR |
USER_RESOURCE_ACCESS |
NETWORK_SUSPICIOUS |
unscannedFileEvent - FILE_PASSWORD_PROTECTED |
SCAN_FILE |
|
unscannedFileEvent - FILE_TOO_LARGE |
SCAN_FILE |
|
urlFilteringInterstitialEvent |
USER_RESOURCE_ACCESS |
POLICY_VIOLATION |
extensionTelemetryEvent |
If the telemetry_event_signals.signal_name log field value is equal to the COOKIES_GET_ALL_INFO, COOKIES_GET_INFO, TABS_API_INFO, then the event_type set to USER_RESOURCE_ACCESS.Else, if the telemetry_event_signals.signal_name log field value is equal to REMOTE_HOST_CONTACTED_INFO, then if the telemetry_event_signals.connection_protocol log field value is equal to HTTP_HTTPS, then the event_type is set to NETWORK_HTTP.Else, the event_type UDM field is set to NETWORK_UNCATEGORIZED. |
If the telemetry_event_signals.signal_name log field value is equal to REMOTE_HOST_CONTACTED_INFO, then the security category is set to NETWORK_SUSPICIOUS.Else, if the telemetry_event_signals.signal_name log field value contain one of the following values, then the security category UDM field is set to SOFTWARE_SUSPICIOUS.
|
Riferimento alla mappatura dei campi: CHROME_MANAGEMENT
La tabella seguente elenca i campi del log del tipo di log CHROME_MANAGEMENT e i relativi campi UDM.
| Log field | UDM mapping | Logic |
|---|---|---|
id.customerId |
about.resource.product_object_id |
|
event_detail |
metadata.description |
|
time |
metadata.event_timestamp |
|
events.parameters.name [TIMESTAMP] |
metadata.event_timestamp |
|
event |
metadata.product_event_type |
|
events.name |
metadata.product_event_type |
|
id.uniqueQualifier |
metadata.product_log_id |
|
|
metadata.product_name |
The metadata.product_name UDM field is set to Chrome Management. |
id.applicationName |
|
|
|
metadata.vendor_name |
The metadata.vendor_name UDM field is set to GOOGLE. |
user_agent |
network.http.user_agent |
|
userAgent |
network.http.user_agent |
|
events.parameters.name [USER_AGENT] |
network.http.user_agent |
|
events.parameters.name [SESSION_ID] |
network.session_id |
|
client_type |
principal.application |
|
clientType |
principal.application |
|
events.parameters.name [CLIENT_TYPE] |
principal.application |
|
device_id |
principal.asset.product_object_id |
|
deviceId |
principal.asset.product_object_id |
|
events.parameters.name [DEVICE_ID] |
principal.asset.product_object_id |
|
device_name |
principal.hostname |
|
deviceName |
principal.hostname |
|
events.parameters.name [DEVICE_NAME] |
principal.hostname |
|
os_plarform |
principal.platform |
The principal.platform UDM field is set to one of the following values:
Else, if the os_plarform log field value is not empty and osVersion log field value is not empty, then the os_plarform osVersion log field is mapped to the principal.platform_version UDM field. |
os_plarform |
principal.asset.platform_software.platform |
The principal.asset.platform_software.platform UDM field is set to one of the following values:
|
os_platform |
principal.platform |
The principal.platform UDM field is set to one of the following values:
Else, if the os_platform log field value is not empty and osVersion log field value is not empty, then the os_platform osVersion log field is mapped to the principal.platform_version UDM field. |
os_platform |
principal.asset.platform_software.platform |
The principal.asset.platform_software.platform UDM field is set to one of the following values:
|
osPlatform |
principal.platform |
The principal.platform UDM field is set to one of the following values:
Else, if the osPlatform log field value is not empty and osVersion log field value is not empty, then the osPlatform osVersion log field is mapped to the principal.platform_version UDM field. |
osPlatform |
principal.asset.platform_software.platform |
The principal.asset.platform_software.platform UDM field is set to one of the following values:
|
events.parameters.name [DEVICE_PLATFORM] |
principal.platform |
The os_platform and os_version is extracted from the events.parameters.name [DEVICE_PLATFORM] log field using Grok pattern.The principal.platform UDM field is set to one of the following values:
Else, if the os_platform log field value is not empty and osVersion log field value is not empty, then the os_platform osVersion log field is mapped to the principal.platform_version UDM field. |
events.parameters.name [DEVICE_PLATFORM] |
principal.asset.platform_software.platform |
The os_platform is extracted from the events.parameters.name [DEVICE_PLATFORM] log field using Grok pattern.The principal.asset.platform_software.platform UDM field is set to one of the following values:
|
os_version |
principal.platform_version |
|
osVersion |
principal.platform_version |
|
events.parameters.name [DEVICE_PLATFORM] |
principal.platform_version |
The Version is extracted from the events.parameters.name [DEVICE_PLATFORM] log field using Grok pattern. |
device_id |
principal.resource.id |
|
deviceId |
principal.resource.id |
|
events.parameters.name [DEVICE_ID] |
principal.resource.id |
|
directory_device_id |
principal.resource.product_object_id |
|
events.parameters.name [DIRECTORY_DEVICE_ID] |
principal.resource.product_object_id |
|
|
principal.resource.resource_subtype |
If the event log field value is equal to CHROMEOS_PERIPHERAL_STATUS_UPDATED, then the principal.resource.resource_subtype UDM field is set to USB.Else, if the events.name log field value is equal to CHROMEOS_PERIPHERAL_STATUS_UPDATED, then the principal.resource.resource_subtype UDM field is set to USB. |
|
principal.resource.resource_type |
If the device_id log field value is not empty, then the principal.resource.resource_type UDM field is set to DEVICE. |
actor.email |
principal.user.email_addresses |
|
actor.profileId |
principal.user.userid |
|
result |
security_result.action_details |
|
events.parameters.name [EVENT_RESULT] |
security_result.action_details |
|
event_result |
security_result.action_details |
|
|
security_result.action |
The security_result.action UDM field is set to one of the following values:
|
reason |
security_result.category_details |
|
events.parameters.name [EVENT_REASON] |
security_result.category_details |
|
events.parameters.name [EVENT_REASON] |
security_result.summary |
|
events.parameters.name [LOGIN_FAILURE_REASON] |
security_result.description |
|
events.parameters.name [REMOVE_USER_REASON] |
security_result.description |
If the events.name log field value is equal to CHROME_OS_REMOVE_USER, then the events.parameters.namethe log field is mapped to the security_result.description UDM field. |
triggered_rules |
security_result.rule_name |
|
events.type |
security_result.category_details |
|
events.parameters.name [PRODUCT_NAME] |
target.application |
If the events.name log field value contains one of the following values, then the events.parameters.name [PRODUCT_NAME] log field is mapped to the target.resource.name UDM field:
|
content_name |
target.file.full_path |
|
contentName |
target.file.full_path |
|
events.parameters.name [CONTENT_NAME] |
target.file.full_path |
|
content_type |
target.file.mime_type |
|
contentType |
target.file.mime_type |
|
events.parameters.name [CONTENT_TYPE] |
target.file.mime_type |
|
content_hash |
target.file.sha256 |
|
events.parameters.name [CONTENT_HASH] |
target.file.sha256 |
|
content_size |
target.file.size |
|
contentSize |
target.file.size |
|
events.parameters.name [CONTENT_SIZE] |
target.file.size |
|
|
target.file.file_type |
The fileType is extracted from the content_name log field usign Grok pattern, Then target.file.file_type UDM field is set to one of the following values:
|
extension_id |
target.resource.product_object_id |
|
events.parameters.name [APP_ID] |
target.resource.product_object_id |
|
extension_name |
target.resource.name |
If the event log field value is equal to badNavigationEvent or the events.name log field value is equal to badNavigationEvent, then the extension_name log field is mapped to the target.resource.name UDM field. |
telemetry_event_signals.signal_name |
target.resource.name |
If the event log field value is equal to extensionTelemetryEvent, then the telemetry_event_signals.signal_name log field is mapped to the target.resource.name UDM field. |
events.parameters.name [APP_NAME] |
target.resource.name |
|
url |
target.url |
|
events.parameters.name [URL] |
target.url |
|
telemetry_event_signals.url |
target.url |
If the telemetry_event_signals.url log field value matches the regular expression pattern the [http:\/\/ or https:\/\/].*, then the telemetry_event_signals.url log field is mapped to the target.url UDM field. |
device_user |
target.user.userid |
|
deviceUser |
principal.user.userid |
If the event log field value is equal to passwordChangedEvent, then the deviceUser log field is mapped to the principal.user.userid UDM field.Else, the deviceUser log field is mapped to the principal.user.user_display_name UDM field. |
events.parameters.name [DEVICE_USER] |
If the event log field value is equal to passwordChangedEvent, then the events.parameters.name [DEVICE_USER] log field is mapped to the principal.user.userid UDM field.Else, the events.parameters.name [DEVICE_USER] log field is mapped to the principal.user.user_display_name UDM field. |
|
scan_id |
about.labels [scan_id] |
|
events.parameters.name [CONNECTION_TYPE] |
about.labels [connection_type] |
|
etag |
about.labels [etag] |
|
kind |
about.labels [kind] |
|
actor.key |
principal.user.attribute.labels [actor_key] |
|
actor.callerType |
principal.user.attribute.labels [actor_callerType] |
|
events.parameters.name [EVIDENCE_LOCKER_FILEPATH] |
security_result.about.labels [evidence_locker_filepath] |
|
federated_origin |
security_result.about.labels [federated_origin] |
|
is_federated |
security_result.about.labels [is_federated] |
|
destination |
security_result.about.labels [trigger_destination] |
|
events.parameters.name [TRIGGER_DESTINATION] |
security_result.about.labels [trigger_destination] |
|
source |
security_result.about.labels [trigger_source] |
|
events.parameters.name [TRIGGER_SOURCE] |
security_result.about.labels [trigger_source] |
|
trigger_type |
security_result.about.labels [trigger_type] |
|
trigger_type |
additional.fields [trigger_type] |
|
triggerType |
security_result.about.labels [trigger_type] |
|
triggerType |
additional.fields [trigger_type] |
|
events.parameters.name [TRIGGER_TYPE] |
security_result.about.labels [trigger_type] |
|
trigger_user |
security_result.about.labels [trigger_user] |
|
events.parameters.name [TRIGGER_USER] |
security_result.about.labels [trigger_user] |
|
events.parameters.name [MALWARE_CATEGORY] |
security_result.threat_name |
|
events.parameters.name [MALWARE_FAMILY] |
security_result.detection_fields [malware_family] |
|
events.parameters.name [VENDOR_ID] |
src.labels [vendor_id] |
|
events.parameters.name [VENDOR_NAME] |
src.labels [vendor_name] |
|
events.parameters.name [VIRTUAL_DEVICE_ID] |
src.labels [virtual_device_id] |
|
events.parameters.name [VIRTUAL_DEVICE_ID] |
additional.fields [virtual_device_id] |
|
events.parameters.name [NEW_BOOT_MODE] |
target.asset.attribute.labels [new_boot_mode] |
|
events.parameters.name [PREVIOUS_BOOT_MODE] |
target.asset.attribute.labels [previous_boot_mode] |
|
id.time |
target.asset.attribute.labels [timestamp] |
|
events.parameters.name [PRODUCT_ID] |
target.labels [product_id] |
If the events.name log field value contains one of the following values, then the events.parameters.name [PRODUCT_ID] log field is mapped to the target.resource.product_object_id UDM field:
Else, the events.parameters.name [PRODUCT_ID] log field is mapped to the target.labels UDM field. |
|
extensions.auth.mechanism |
If the events.name log field value contains one of the following values, then the extensions.auth.mechanism UDM field is set to USERNAME_PASSWORD:
|
events.parameters.name [UNLOCK_TYPE] |
target.labels [unlock_type] |
|
extension_description |
target.resource.attribute.labels [extension_description] |
|
extension_action |
target.resource.attribute.labels [extension_action] |
|
extension_version |
target.resource.attribute.labels [extension_version] |
If the event log field value is not equal to extensionTelemetryEvent, then the extension_version log field is mapped to the target.resource.attribute.labels[extension_version] UDM field. |
extension_source |
target.resource.attribute.labels[extension_source] |
If the event log field value is not equal to extensionTelemetryEvent, then the extension_source log field is mapped to the target.resource.attribute.labels[extension_source] UDM field. |
browser_version |
target.resource.attributes.labels [browser_version] |
|
browserVersion |
target.resource.attributes.labels [browser_version] |
|
events.parameters.name [BROWSER_VERSION] |
target.resource.attributes.labels [browser_version] |
|
profile_user |
target.user.email_addresses |
If the event log field value contain one of the following values and the profile_user log field value matches the regular expression pattern ^.+@.+$, then the profile_user log field is mapped to the target.user.email_addresses UDM field.
|
profile_user |
principal.user.email_addresses |
If the event log field value does not contain one of the following values and the profile_user log field value matches the regular expression pattern ^.+@.+$ and the actor.email log field value is not equal to the profile_user, then the profile_user log field is mapped to the principal.user.email_addresses UDM field.
|
profile_user |
target.user.attribute.labels[profile_user_name] |
If the event log field value contain one of the following values and the profile_user log field value does not match the regular expression pattern ^.+@.+$, then the profile_user log field is mapped to the target.user.attribute.labels.profile_user_name UDM field.
|
profile_user |
principal.user.attribute.labels[profile_user_name] |
If the event log field value does not contain one of the following values and the profile_user log field value does not match the regular expression pattern ^.+@.+$ or the actor.email log field value is equal to the profile_user, then the profile_user log field is mapped to the principal.user.attribute.labels.profile_user_name UDM field.
|
events.parameters.name [PROFILE_USER_NAME] |
target.user.email_addresses |
If the event log field value contain one of the following values and the events.parameters.name [PROFILE_USER_NAME] log field value matches the regular expression pattern ^.+@.+$, then the events.parameters.name [PROFILE_USER_NAME] log field is mapped to the target.user.email_addresses UDM field.
|
events.parameters.name [PROFILE_USER_NAME] |
principal.user.email_addresses |
If the event log field value does not contain one of the following values and the events.parameters.name [PROFILE_USER_NAME] log field value matches the regular expression pattern ^.+@.+$ and the actor.email log field value is not equal to the events.parameters.name [PROFILE_USER_NAME], then the events.parameters.name [PROFILE_USER_NAME] log field is mapped to the principal.user.email_addresses UDM field.
|
events.parameters.name [PROFILE_USER_NAME] |
target.user.attribute.labels[profile_user_name] |
If the event log field value contain one of the following values and the events.parameters.name [PROFILE_USER_NAME] log field value does not match the regular expression pattern ^.+@.+$, then the events.parameters.name [PROFILE_USER_NAME] log field is mapped to the target.user.attribute.labels.profile_user_name UDM field.
|
events.parameters.name [PROFILE_USER_NAME] |
principal.user.attribute.labels[profile_user_name] |
If the event log field value does not contain one of the following values and the events.parameters.name [PROFILE_USER_NAME] log field value does not match the regular expression pattern ^.+@.+$ or the actor.email log field value is equal to the events.parameters.name [PROFILE_USER_NAME], then the events.parameters.name [PROFILE_USER_NAME] log field is mapped to the principal.user.attribute.labels.profile_user_name UDM field.
|
|
target.resource.resource_type |
If the events.name log field value is equal to DEVICE_BOOT_STATE_CHANGE, then the target.resource.resource_type UDM field is set to SETTING. |
url_category |
target.labels [url_category] |
|
browser_channel |
target.resource.attribute.labels [browser_channel] |
|
report_id |
target.labels [report_id] |
|
clickedThrough |
target.labels [clickedThrough] |
|
threat_type |
security_result.detection_fields [threatType] |
|
triggered_rule_info.action |
security_result.action |
If the triggered_rule_info.action log field value contains one of the following values, then the triggered_rule_info.action log field is mapped to the security_result.action UDM field:
Else, the triggered_rule_info.action log field is mapped to the security_result.rule_labels [triggeredRuleInfo_action] UDM field. |
triggered_rule_info.rule_id |
security_result.rule_id |
|
triggered_rule_info.rule_name |
security_result.rule_name |
|
triggered_rule_info.url_category |
security_result.category_details |
|
transfer_method |
additional.fields [transfer_method] |
|
extension_name |
target.resource_ancestors.name |
If the event log field value is equal to extensionTelemetryEvent, then the extension_name log field is mapped to the target.resource_ancestors.name UDM field. |
extension_id |
target.resource_ancestors.product_object_id |
If the event log field value is equal to extensionTelemetryEvent, then the extension_id log field is mapped to the target.resource_ancestors.product_object_id UDM field. |
extension_version |
target.resource_ancestors.attribute.labels[extension_version] |
If the event log field value is equal to extensionTelemetryEvent, then the extension_version log field is mapped to the target.resource_ancestors.attribute.labels[extension_version] UDM field. |
extension_source |
target.resource_ancestors.attribute.labels[extension_source] |
If the event log field value is equal to extensionTelemetryEvent, then the extension_source log field is mapped to the target.resource_ancestors.attribute.labels[extension_source] UDM field. |
profile_identifier |
additional.fields[profile_identifier] |
|
extension_files_info.file_name |
target.resource_ancestors.file.names |
|
extension_files_info.file_hash.hash |
target.resource_ancestors.attribute.labels[file_hash] |
|
telemetry_event_signals.count |
target.resource.attribute.labels[count] |
|
telemetry_event_signals.tabs_api_method |
target.resource.attribute.labels[tabs_api_method] |
|
|
target.hostname |
If the telemetry_event_signals.url log field value does not match the regular expression pattern the [http:\/\/ or https:\/\/].*, then the telemetry_event_signals.url log field is mapped to the target.hostname UDM field. |
telemetry_event_signals.destination |
target.resource.attribute.labels[destination] |
|
telemetry_event_signals.source |
target.resource.attribute.labels[source] |
|
telemetry_event_signals.domain |
target.domain.name |
|
telemetry_event_signals.cookie_name |
target.resource.attribute.labels[cookie_name] |
|
telemetry_event_signals.cookie_path |
target.resource.attribute.labels[cookie_path] |
|
telemetry_event_signals.cookie_is_secure |
target.resource.attribute.labels[cookie_is_secure] |
|
telemetry_event_signals.cookie_store_id |
target.resource.attribute.labels[cookie_store_id] |
|
telemetry_event_signals.cookie_is_session |
target.resource.attribute.labels[cookie_is_session] |
|
telemetry_event_signals.connection_protocol |
network.application_protocol |
If the telemetry_event_signals.connection_protocol log field value is equal to HTTP_HTTPS, then the network.application_protocol UDM field is set to HTTP Else, If the telemetry_event_signals.connection_protocol log field value is equal to UNSPECIFIED, then the network.application_protocol UDM field is set to UNKNOWN_APPLICATION_PROTOCOLElse, the telemetry_event_signals.connection_protocol log field is mapped to the target.resource.attribute.labels UDM field. |
telemetry_event_signals.contacted_by |
target.resource.attribute.labels[contacted_by] |
Passaggi successivi
Per i blog della community sui log di Chrome, consulta:
Hai bisogno di ulteriore assistenza? Ricevi risposte dai membri della community e dai professionisti di Google SecOps.