收集 Cloud 稽核記錄
支援的國家/地區:
Google SecOps
SIEM
本文說明如何啟用遙測資料擷取功能,將 Cloud 稽核記錄匯出至 Google Security Operations,以及 Cloud 稽核記錄欄位如何對應至 Google Security Operations 統一資料模型 (UDM) 欄位。 Google Cloud
詳情請參閱「將資料擷取至 Google Security Operations 總覽」。
一般部署作業會啟用 Cloud 稽核記錄,以便將資料擷取至 Google Security Operations。每個客戶的部署作業可能與此表示法不同,且可能更為複雜。
部署作業包含下列元件:
Google Cloud:您要收集記錄的 Google Cloud 服務和產品
Cloud 稽核記錄:已啟用並可擷取至 Google Security Operations 的 Cloud 稽核記錄
Google Workspace 稽核記錄:已啟用擷取至 Google Security Operations 的 Google Workspace 稽核記錄
Google Security Operations:保留及分析 Cloud 稽核記錄和 Google Workspace 稽核記錄
擷取標籤會識別剖析器,該剖析器會將原始記錄資料正規化為具結構性的 UDM 格式。本文中的資訊適用於具有 GCP_CLOUDAUDIT 攝取標籤的剖析器。
事前準備
- 確認您已設定 Google Cloud。
請確認您已使用 Identity and Access Management (IAM),為機構和資源設定存取權控管。如要進一步瞭解存取權控管,請參閱「使用 IAM 對機構進行存取權控管」一文。
為 Google Cloud 資源和服務設定資料存取稽核記錄。
請確保部署架構中的所有系統都以世界標準時間設定。
確認 Cloud 稽核記錄剖析器支援的記錄類型。下表列出 Cloud 稽核記錄剖析器支援的記錄來源和類型:
| 記錄來源 | 記錄來源類型 |
|---|---|
| Cloud DNS | 不適用 |
| syslog | 不適用 |
| Google Workspace 稽核記錄 | 登入稽核 |
| Google Workspace 稽核記錄 | 管理員稽核 |
| Cloud 稽核記錄 | 管理員活動 |
| Cloud 稽核記錄 | VPC Service Controls 稽核 |
| Cloud 稽核記錄 | Google Kubernetes Engine 資料存取權 |
| Cloud 稽核記錄 | Resource Manager 資料存取權 |
| Cloud 稽核記錄 | BigQuery 稽核中繼資料資料存取權 |
| Cloud 稽核記錄 | MySQL 資料存取、管理員活動 |
| Cloud 稽核記錄 | PostgreSQL 資料存取、管理員活動 |
| Cloud 稽核記錄 | SQL Server 資料存取、管理員活動 |
| Cloud Load Balancing | Cloud HTTP 負載平衡器 |
| Cloud DNS | 管理員活動 |
| 虛擬私有雲流程 | 虛擬私有雲流程 |
| 防火牆規則 | 防火牆規則 |
| Cloud NAT | Cloud NAT |
設定 Cloud 稽核記錄的擷取作業
如要將 Cloud 稽核記錄擷取至 Google Security Operations,請按照「將記錄擷取至 Google Security Operations Google Cloud 」頁面的步驟操作。
如果在擷取 Cloud 稽核記錄時遇到問題,請與 Google Security Operations 支援團隊聯絡。
支援的 Cloud 稽核記錄記錄格式
Cloud 稽核記錄剖析器支援 JSON 格式的記錄。
支援的 Cloud 稽核記錄範例記錄
JSON:
{ "protoPayload": { "@type": "type.googleapis.com/google.cloud.audit.AuditLog", "authenticationInfo": { "principalEmail": "dummyuser@mail.com" }, "requestMetadata": { "callerIp": "198.51.10.0", "callerSuppliedUserAgent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/133.0.0.0 Safari/537.36,gzip(gfe),gzip(gfe)", "requestAttributes": { "time": "2025-02-26T16:35:37.410328Z", "auth": {} }, "destinationAttributes": {} }, "serviceName": "compute.googleapis.com", "methodName": "beta.compute.securityPolicies.patchRule", "authorizationInfo": [ { "resource": "projects/icd-gcp-prod-net-landing-0/global/securityPolicies/hashtag-ext", "permission": "compute.securityPolicies.update", "granted": true, "resourceAttributes": { "service": "compute", "name": "projects/icd-gcp-prod-net-landing-0/global/securityPolicies/hashtag-ext", "type": "compute.securityPolicies" }, "permissionType": "ADMIN_WRITE" } ], "resourceName": "projects/icd-gcp-prod-net-landing-0/global/securityPolicies/hashtag-ext", "request": { "description": "SQL injection", "priority": "10100", "match": { "expr": { "expression": "evaluatePreconfiguredExpr(\\u0027sqli-v33-stable\\u0027)" } }, "action": "deny(403)", "preview": false, "validateOnly": true, "@type": "type.googleapis.com/compute.securityPolicies.patchRule" }, "response": { "id": "4332115325946625078", "name": "operation-1740587736928-62f0e29c291e2-b0056719-3023c13f", "operationType": "PatchRule", "targetLink": "https://www.googleapis.com/compute/beta/projects/icd-gcp-prod-net-landing-0/global/securityPolicies/hashtag-ext", "targetId": "6935975992577010740", "status": "DONE", "user": "dummyuser@domain.com", "progress": "100", "insertTime": "2025-02-26T08:35:37.278-08:00", "startTime": "2025-02-26T08:35:37.279-08:00", "endTime": "2025-02-26T08:35:37.279-08:00", "selfLink": "https://www.googleapis.com/compute/beta/projects/icd-gcp-prod-net-landing-0/global/operations/operation-1740587736928-62f0e29c291e2-b0056719-3023c13f", "selfLinkWithId": "https://www.googleapis.com/compute/beta/projects/icd-gcp-prod-net-landing-0/global/operations/4332115325946625078", "@type": "type.googleapis.com/operation" }, "resourceLocation": { "currentLocations": [ "global" ] } }, "insertId": "-5srtt8e1oe7o", "resource": { "type": "network_security_policy", "labels": { "policy_name": "hashtag-ext", "project_id": "icd-gcp-prod-net-landing-0", "location": "global" } }, "timestamp": "2025-02-26T16:35:36.961863Z", "severity": "NOTICE", "labels": { "compute.googleapis.com/root_trigger_id": "f0fe0460-63df-4978-8256-e70ce093effa" }, "logName": "projects/icd-gcp-prod-net-landing-0/logs/cloudaudit.googleapis.com%2Factivity", "operation": { "id": "operation-1740587736928-62f0e29c291e2-b0056719-3023c13f", "producer": "compute.googleapis.com", "first": true, "last": true }, "receiveTimestamp": "2025-02-26T16:35:38.342438110Z" }
欄位對應參考資料
本節說明 Google Security Operations 剖析器如何將 Cloud 稽核記錄欄位對應至 Google Security Operations 統合式資料模型 (UDM) 欄位。
GCP_CLOUDAUDIT 記錄類型至 UDM 事件類型
下表列出 GCP_CLOUDAUDIT 事件 ID 和對應的事件類型。| Event identifier | Event type |
|---|---|
dns.managedZones.get |
USER_RESOURCE_ACCESS |
dns.managedZones.list |
USER_RESOURCE_ACCESS |
dns.changes.get |
USER_RESOURCE_ACCESS |
dns.changes.list |
USER_RESOURCE_ACCESS |
dns.activePeeringZones.list |
USER_RESOURCE_ACCESS |
dns.activePeeringZones.getpeeringzoneinfo |
USER_RESOURCE_ACCESS |
dns.resourceRecordSets.get |
USER_RESOURCE_ACCESS |
dns.resourceRecordSets.list |
USER_RESOURCE_ACCESS |
dns.responsePolicies.get |
USER_RESOURCE_ACCESS |
dns.responsePolicies.list |
USER_RESOURCE_ACCESS |
dns.responsePolicyRules.get |
USER_RESOURCE_ACCESS |
dns.responsePolicyRules.list |
USER_RESOURCE_ACCESS |
dns.policies.get |
USER_RESOURCE_ACCESS |
dns.policies.list |
USER_RESOURCE_ACCESS |
dns.projects.get |
USER_RESOURCE_ACCESS |
dns.managedZones.create |
USER_RESOURCE_CREATION |
dns.managedZones.delete |
RESOURCE_DELETION |
dns.managedZones.update |
RESOURCE_WRITTEN |
dns.managedZones.patch |
USER_RESOURCE_UPDATE_CONTENT |
dns.changes.create |
USER_RESOURCE_CREATION |
dns.changes.delete |
RESOURCE_DELETION |
dns.activePeeringZones.deactivate |
USER_RESOURCE_UPDATE_CONTENT |
dns.resourceRecordSets.create |
USER_RESOURCE_CREATION |
dns.resourceRecordSets.delete |
RESOURCE_DELETION |
dns.resourceRecordSets.update |
RESOURCE_WRITTEN |
dns.resourceRecordSets.patch |
USER_RESOURCE_UPDATE_CONTENT |
dns.responsePolicies.create |
USER_RESOURCE_CREATION |
dns.responsePolicies.delete |
RESOURCE_DELETION |
dns.responsePolicies.update |
RESOURCE_WRITTEN |
dns.responsePolicies.patch |
USER_RESOURCE_UPDATE_CONTENT |
dns.responsePolicyRules.create |
USER_RESOURCE_CREATION |
dns.responsePolicyRules.delete |
RESOURCE_DELETION |
dns.responsePolicyRules.update |
RESOURCE_WRITTEN |
dns.responsePolicyRules.patch |
USER_RESOURCE_UPDATE_CONTENT |
dns.policies.create |
USER_RESOURCE_CREATION |
dns.policies.delete |
RESOURCE_DELETION |
dns.policies.update |
RESOURCE_WRITTEN |
dns.policies.patch |
USER_RESOURCE_UPDATE_CONTENT |
CreateRole |
USER_RESOURCE_CREATION |
DeleteRole |
RESOURCE_DELETION |
UndeleteRole |
RESOURCE_CREATION |
UpdateRole |
RESOURCE_WRITTEN |
google.iam.v2beta.Policies.CreatePolicy |
USER_RESOURCE_CREATION |
google.iam.v2beta.Policies.DeletePolicy |
RESOURCE_DELETION |
google.iam.v2beta.Policies.UpdatePolicy |
RESOURCE_WRITTEN |
CreateServiceAccount |
USER_CREATION |
DeleteServiceAccount |
RESOURCE_DELETION |
DisableServiceAccount |
USER_CHANGE_PERMISSIONS |
EnableServiceAccount |
USER_CHANGE_PERMISSIONS |
GetServiceAccount |
USER_RESOURCE_ACCESS |
PatchServiceAccount |
USER_RESOURCE_UPDATE_CONTENT |
SetIAMPolicy |
USER_RESOURCE_UPDATE_PERMISSIONS |
UndeleteServiceAccount |
USER_CREATION |
UpdateServiceAccount |
RESOURCE_WRITTEN |
CreateServiceAccountKey |
USER_CHANGE_PASSWORD |
DeleteServiceAccountKey |
USER_DELETION |
UploadServiceAccountKey |
USER_CHANGE_PASSWORD |
CreateWorkloadIdentityPool |
USER_RESOURCE_CREATION |
DeleteWorkloadIdentityPool |
RESOURCE_DELETION |
UndeleteWorkloadIdentityPool |
RESOURCE_CREATION |
UpdateWorkloadIdentityPool |
RESOURCE_WRITTEN |
CreateWorkloadIdentityPoolProvider |
USER_RESOURCE_CREATION |
DeleteWorkloadIdentityPoolProvider |
RESOURCE_DELETION |
UndeleteWorkloadIdentityPoolProvider |
RESOURCE_DELETION |
UpdateWorkloadIdentityPoolProvider |
RESOURCE_WRITTEN |
CreateWorkforcePool |
USER_RESOURCE_CREATION |
DeleteWorkforcePool |
RESOURCE_DELETION |
UndeleteWorkforcePool |
RESOURCE_DELETION |
UpdateWorkforcePool |
RESOURCE_WRITTEN |
CreateWorkforcePoolProvider |
USER_RESOURCE_CREATION |
DeleteWorkforcePoolProvider |
RESOURCE_DELETION |
UndeleteWorkforcePoolProvider |
RESOURCE_DELETION |
UpdateWorkforcePoolProvider |
RESOURCE_WRITTEN |
GetEffectivePolicy1 |
USER_RESOURCE_ACCESS |
google.iam.admin.v1.GetPolicyDetails2 |
USER_RESOURCE_ACCESS |
ExchangeToken |
USER_RESOURCE_ACCESS |
Google Cloud console (federated) sign in |
USER_RESOURCE_UPDATE_PERMISSIONS |
GetRole |
USER_RESOURCE_ACCESS |
ListRoles |
USER_RESOURCE_ACCESS |
google.iam.v2beta.Policies.GetPolicy |
USER_RESOURCE_ACCESS |
google.iam.v2beta.Policies.ListPolicies |
USER_RESOURCE_ACCESS |
QueryGrantableRoles |
USER_RESOURCE_ACCESS |
GenerateAccessToken |
USER_RESOURCE_UPDATE_CONTENT |
GenerateIdToken |
USER_RESOURCE_UPDATE_CONTENT |
ListServiceAccounts |
USER_RESOURCE_ACCESS |
SignBlob |
USER_RESOURCE_UPDATE_CONTENT |
SignJwt |
USER_RESOURCE_UPDATE_CONTENT |
GetServiceAccountKey |
USER_RESOURCE_ACCESS |
ListServiceAccountKeys |
USER_RESOURCE_ACCESS |
GetWorkloadIdentityPool |
USER_RESOURCE_ACCESS |
ListWorkloadIdentityPools |
USER_RESOURCE_ACCESS |
GetWorkloadIdentityPoolProvider |
USER_RESOURCE_ACCESS |
ListWorkloadIdentityPoolProviders |
USER_RESOURCE_ACCESS |
GetWorkforcePool |
USER_RESOURCE_ACCESS |
ListWorkforcePools |
USER_RESOURCE_ACCESS |
GetWorkforcePoolProvider |
USER_RESOURCE_ACCESS |
ListWorkforcePoolProviders |
USER_RESOURCE_ACCESS |
io.k8s.authorization.rbac.v1 |
STATUS_UPDATE |
io.k8s.authorization.rbac.v1.roles |
STATUS_UPDATE |
io.k8s.batch.v1.jobs.create |
RESOURCE_CREATION |
io.k8s.authorization.rbac.v1.clusterroles.create |
RESOURCE_CREATION |
io.k8s.apps.v1.daemonsets.create |
RESOURCE_CREATION |
io.k8s.authorization.v1.selfsubjectaccessreviews.create |
RESOURCE_CREATION |
google.container.v1.ClusterManager.CreateCluster |
USER_RESOURCE_CREATION |
google.cloud.bigquery.v2.TableService.InsertTable |
USER_RESOURCE_CREATION |
google.cloud.bigquery.v2.TableService.UpdateTable |
RESOURCE_WRITTEN |
google.cloud.bigquery.v2.TableService.PatchTable |
USER_RESOURCE_UPDATE_CONTENT |
google.cloud.bigquery.v2.TableService.DeleteTable |
RESOURCE_DELETION |
google.cloud.bigquery.v2.DatasetService.InsertDataset |
USER_RESOURCE_CREATION |
google.cloud.bigquery.v2.DatasetService.UpdateDataset |
RESOURCE_WRITTEN |
google.cloud.bigquery.v2.DatasetService.PatchDataset |
USER_RESOURCE_UPDATE_CONTENT |
google.cloud.bigquery.v2.DatasetService.DeleteDataset |
USER_RESOURCE_DELETION |
google.cloud.bigquery.v2.TableDataService.List |
USER_RESOURCE_ACCESS |
google.cloud.bigquery.v2.JobService.InsertJob |
USER_RESOURCE_CREATION |
google.cloud.bigquery.v2.JobService.Query |
USER_RESOURCE_ACCESS |
google.cloud.bigquery.v2.JobService.GetQueryResults |
USER_RESOURCE_ACCESS |
InternalTableExpired |
USER_RESOURCE_DELETION |
google.cloud.bigquery.connection.v1.ConnectionService.CreateConnection |
USER_RESOURCE_CREATION |
google.cloud.bigquery.connection.v1.ConnectionService.DeleteConnection |
RESOURCE_DELETION |
google.cloud.bigquery.connection.v1.ConnectionService.UpdateConnection |
RESOURCE_WRITTEN |
google.cloud.bigquery.connection.v1.ConnectionService.SetIamPolicy |
RESOURCE_PERMISSIONS_CHANGE |
google.cloud.bigquery.reservation.v1.ReservationService.CreateReservation |
USER_RESOURCE_CREATION |
google.cloud.bigquery.reservation.v1.ReservationService.DeleteReservation |
RESOURCE_DELETION |
google.cloud.bigquery.reservation.v1.ReservationService.UpdateReservation |
RESOURCE_WRITTEN |
google.cloud.bigquery.reservation.v1.ReservationService.CreateCapacityCommitment |
USER_RESOURCE_CREATION |
google.cloud.bigquery.reservation.v1.ReservationService.DeleteCapacityCommitment |
RESOURCE_DELETION |
google.cloud.bigquery.reservation.v1.ReservationService.CreateAssignment |
USER_RESOURCE_CREATION |
google.cloud.bigquery.reservation.v1.ReservationService.DeleteAssignment |
RESOURCE_DELETION |
google.cloud.bigquery.reservation.v1.ReservationService.MoveAssignment |
STATUS_UPDATE |
cloudsql.backupRuns.get |
USER_RESOURCE_ACCESS |
cloudsql.backupRuns.list |
USER_RESOURCE_ACCESS |
cloudsql.databases.create |
USER_RESOURCE_CREATION |
cloudsql.databases.delete |
RESOURCE_DELETION |
cloudsql.databases.get |
USER_RESOURCE_ACCESS |
cloudsql.databases.list |
USER_RESOURCE_ACCESS |
cloudsql.databases.update |
RESOURCE_WRITTEN |
cloudsql.instances.export |
USER_RESOURCE_ACCESS |
cloudsql.instances.get |
USER_RESOURCE_ACCESS |
cloudsql.instances.import |
STATUS_UNCATEGORIZED |
cloudsql.instances.list |
USER_RESOURCE_ACCESS |
cloudsql.instances.listEffectiveTags |
USER_RESOURCE_ACCESS |
cloudsql.instances.listServerCas |
USER_RESOURCE_ACCESS |
cloudsql.instances.listTagBindings |
USER_RESOURCE_ACCESS |
cloudsql.instances.login |
USER_LOGIN |
cloudsql.sslCerts.get |
USER_RESOURCE_ACCESS |
cloudsql.sslCerts.list |
USER_RESOURCE_ACCESS |
cloudsql.users.create |
USER_RESOURCE_CREATION |
cloudsql.users.delete |
RESOURCE_DELETION |
cloudsql.users.get |
USER_RESOURCE_ACCESS |
cloudsql.users.list |
USER_RESOURCE_ACCESS |
cloudsql.users.update |
RESOURCE_WRITTEN |
cloudsql.backupRuns.create |
USER_RESOURCE_CREATION |
cloudsql.backupRuns.delete |
RESOURCE_DELETION |
cloudsql.instances.addServerCa |
USER_RESOURCE_CREATION |
cloudsql.instances.clone |
USER_RESOURCE_CREATION |
cloudsql.instances.connect |
USER_LOGIN |
cloudsql.instances.create |
USER_RESOURCE_CREATION |
cloudsql.instances.createTagBinding |
USER_RESOURCE_CREATION |
cloudsql.instances.delete |
RESOURCE_DELETION |
cloudsql.instances.deleteTagBinding |
RESOURCE_DELETION |
cloudsql.instances.demoteMaster |
STATUS_UPDATE |
cloudsql.instances.failover |
STATUS_UPDATE |
cloudsql.instances.promoteReplica |
STATUS_UPDATE |
cloudsql.instances.resetSslConfig |
USER_RESOURCE_UPDATE_CONTENT |
cloudsql.instances.restart |
STATUS_STARTUP |
cloudsql.instances.restoreBackup |
STATUS_UPDATE |
cloudsql.instances.rotateServerCa |
STATUS_UPDATE |
cloudsql.instances.startReplica |
STATUS_STARTUP |
cloudsql.instances.stopReplica |
STATUS_UPDATE |
cloudsql.instances.truncateLog |
STATUS_UPDATE |
cloudsql.instances.update |
RESOURCE_WRITTEN |
cloudsql.sslCerts.create |
USER_RESOURCE_CREATION |
cloudsql.sslCerts.createEphemeral |
USER_RESOURCE_CREATION |
cloudsql.sslCerts.delete |
RESOURCE_DELETION |
compute.instances.insert |
RESOURCE_CREATION |
compute.instanceGroups.removeInstances |
RESOURCE_DELETION |
compute.instances.setMetadata |
USER_RESOURCE_UPDATE_CONTENT |
compute.instances.setLabels |
USER_RESOURCE_CREATION |
compute.instances.setTags |
USER_RESOURCE_CREATION |
compute.instances.setIamPolicy |
USER_RESOURCE_UPDATE_PERMISSIONS |
compute.instances.list |
USER_RESOURCE_ACCESS |
compute.images.get |
USER_RESOURCE_ACCESS |
compute.interconnectAttachments.aggregatedList |
USER_RESOURCE_ACCESS |
compute.instance.getSerialPortOutput |
USER_RESOURCE_ACCESS |
compute.instances.migrateOnHostMaintenance |
RESOURCE_CREATION |
compute.instances.automaticRestart |
USER_RESOURCE_UPDATE_CONTENT |
compute.instanceGroupManagers.resizeAdvanced |
USER_RESOURCE_UPDATE_CONTENT |
google.ssh-serialport.v1.connect |
NETWORK_CONNECTION |
firewalls.delete |
RESOURCE_DELETION |
firewalls.insert |
RESOURCE_CREATION |
firewalls.patch |
USER_RESOURCE_UPDATE_CONTENT |
firewalls.update |
RESOURCE_WRITTEN |
forwardingRules.delete |
RESOURCE_DELETION |
forwardingRules.insert |
RESOURCE_CREATION |
forwardingRules.patch |
USER_RESOURCE_UPDATE_CONTENT |
forwardingRules.setTarget |
STATUS_UPDATE |
networks.addPeering |
STATUS_UPDATE |
networks.delete |
RESOURCE_DELETION |
networks.insert |
RESOURCE_CREATION |
networks.patch |
USER_RESOURCE_UPDATE_CONTENT |
networks.removePeering |
RESOURCE_DELETION |
networks.switchToCustomMode |
STATUS_UPDATE |
networks.updatePeering |
RESOURCE_WRITTEN |
routes.delete |
RESOURCE_DELETION |
routes.insert |
USER_RESOURCE_CREATION |
subnetworks.delete |
RESOURCE_DELETION |
subnetworks.expandIpCidrRange |
STATUS_UPDATE |
subnetworks.insert |
RESOURCE_CREATION |
subnetworks.patch |
USER_RESOURCE_UPDATE_CONTENT |
subnetworks.setIamPolicy |
USER_RESOURCE_UPDATE_PERMISSIONS |
subnetworks.setPrivateIpGoogleAccess |
STATUS_UPDATE |
subnetworks.testIamPermissions |
USER_RESOURCE_ACCESS |
firewalls.get |
USER_RESOURCE_ACCESS |
firewalls.list |
USER_RESOURCE_ACCESS |
forwardingRules.aggregatedList |
USER_RESOURCE_ACCESS |
forwardingRules.get |
USER_RESOURCE_ACCESS |
forwardingRules.list |
USER_RESOURCE_ACCESS |
networks.get |
USER_RESOURCE_ACCESS |
networks.list |
USER_RESOURCE_ACCESS |
networks.listPeeringRoutes |
USER_RESOURCE_ACCESS |
routes.get |
USER_RESOURCE_ACCESS |
routes.list |
USER_RESOURCE_ACCESS |
subnetworks.aggregatedList |
USER_RESOURCE_ACCESS |
subnetworks.get |
USER_RESOURCE_ACCESS |
subnetworks.getIamPolicy |
USER_RESOURCE_ACCESS |
subnetworks.list |
USER_RESOURCE_ACCESS |
subnetworks.listUsable |
USER_RESOURCE_ACCESS |
google.admin.AdminService.alertCenterBatchDeleteAlerts |
RESOURCE_DELETION |
google.admin.AdminService.alertCenterBatchUndeleteAlerts |
RESOURCE_DELETION |
google.admin.AdminService.alertCenterCreateAlert |
USER_RESOURCE_CREATION |
google.admin.AdminService.alertCenterCreateFeedback |
USER_RESOURCE_CREATION |
google.admin.AdminService.alertCenterDeleteAlert |
RESOURCE_DELETION |
google.admin.AdminService.alertCenterGetAlertMetadata |
USER_RESOURCE_ACCESS |
google.admin.AdminService.alertCenterGetCustomerSettings |
USER_RESOURCE_ACCESS |
google.admin.AdminService.alertCenterGetSitLink |
USER_RESOURCE_ACCESS |
google.admin.AdminService.alertCenterListChange |
USER_RESOURCE_ACCESS |
google.admin.AdminService.alertCenterListFeedback |
USER_RESOURCE_ACCESS |
google.admin.AdminService.alertCenterListRelatedAlerts |
USER_RESOURCE_ACCESS |
google.admin.AdminService.alertCenterUndeleteAlert |
RESOURCE_DELETION |
google.admin.AdminService.alertCenterUpdateAlert |
RESOURCE_WRITTEN |
google.admin.AdminService.alertCenterUpdateAlertMetadata |
RESOURCE_WRITTEN |
google.admin.AdminService.alertCenterUpdateCustomerSettings |
RESOURCE_WRITTEN |
google.admin.AdminService.alertCenterView |
USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.changeApplicationSetting |
USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.createApplicationSetting |
USER_RESOURCE_CREATION |
google.admin.AdminService.deleteApplicationSetting |
RESOURCE_DELETION |
google.admin.AdminService.reorderGroupBasedPoliciesEvent |
USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.gplusPremiumFeatures |
USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.createManagedConfiguration |
USER_RESOURCE_CREATION |
google.admin.AdminService.deleteManagedConfiguration |
RESOURCE_DELETION |
google.admin.AdminService.updateManagedConfiguration |
RESOURCE_WRITTEN |
google.admin.AdminService.flashlightEduNonFeaturedServicesSelected |
USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.createBuilding |
USER_RESOURCE_CREATION |
google.admin.AdminService.deleteBuilding |
RESOURCE_DELETION |
google.admin.AdminService.updateBuilding |
RESOURCE_WRITTEN |
google.admin.AdminService.createCalendarResource |
USER_RESOURCE_CREATION |
google.admin.AdminService.deleteCalendarResource |
RESOURCE_DELETION |
google.admin.AdminService.createCalendarResourceFeature |
USER_RESOURCE_CREATION |
google.admin.AdminService.deleteCalendarResourceFeature |
RESOURCE_DELETION |
google.admin.AdminService.updateCalendarResourceFeature |
RESOURCE_WRITTEN |
google.admin.AdminService.renameCalendarResource |
USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.updateCalendarResource |
RESOURCE_WRITTEN |
google.admin.AdminService.changeCalendarSetting |
USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.cancelCalendarEvents |
USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.releaseCalendarResources |
USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.meetInteropCreateGateway |
USER_RESOURCE_CREATION |
google.admin.AdminService.meetInteropDeleteGateway |
RESOURCE_DELETION |
google.admin.AdminService.meetInteropModifyGateway |
USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.changeChatSetting |
USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.changeChromeOsAndroidApplicationSetting |
USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.changeChromeOsApplicationSetting |
USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.sendChromeOsDeviceCommand |
USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.changeChromeOsDeviceAnnotation |
USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.changeChromeOsDeviceSetting |
USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.changeChromeOsDeviceState |
USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.changeChromeOsPublicSessionSetting |
USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.insertChromeOsPrinter |
USER_RESOURCE_CREATION |
google.admin.AdminService.deleteChromeOsPrinter |
RESOURCE_DELETION |
google.admin.AdminService.updateChromeOsPrinter |
RESOURCE_WRITTEN |
google.admin.AdminService.changeChromeOsSetting |
USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.changeChromeOsUserSetting |
USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.removeChromeOsApplicationSettings |
RESOURCE_DELETION |
google.admin.AdminService.changeContactsSetting |
USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.assignRole |
USER_RESOURCE_UPDATE_PERMISSIONS |
google.admin.AdminService.createRole |
USER_RESOURCE_CREATION |
google.admin.AdminService.deleteRole |
RESOURCE_DELETION |
google.admin.AdminService.addPrivilege |
USER_RESOURCE_CREATION |
google.admin.AdminService.removePrivilege |
RESOURCE_DELETION |
google.admin.AdminService.renameRole |
USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.updateRole |
RESOURCE_WRITTEN |
google.admin.AdminService.unassignRole |
USER_RESOURCE_UPDATE_PERMISSIONS |
google.admin.AdminService.deleteDevice |
RESOURCE_DELETION |
google.admin.AdminService.moveDeviceToOrgUnit |
USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.transferDocumentOwnership |
USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.driveDataRestore |
USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.changeDocsSetting |
USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.changeAccountAutoRenewal |
USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.addApplication |
USER_RESOURCE_CREATION |
google.admin.AdminService.addApplicationToWhitelist |
USER_RESOURCE_CREATION |
google.admin.AdminService.changeAdvertisementOption |
USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.createAlert |
USER_RESOURCE_CREATION |
google.admin.AdminService.changeAlertCriteria |
USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.deleteAlert |
RESOURCE_DELETION |
google.admin.AdminService.alertReceiversChanged |
USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.renameAlert |
USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.alertStatusChanged |
USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.addDomainAlias |
USER_RESOURCE_CREATION |
google.admin.AdminService.removeDomainAlias |
RESOURCE_DELETION |
google.admin.AdminService.skipDomainAliasMx |
USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.verifyDomainAliasMx |
USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.verifyDomainAlias |
USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.toggleOauthAccessToAllApis |
USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.toggleAllowAdminPasswordReset |
USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.enableApiAccess |
USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.authorizeApiClientAccess |
USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.removeApiClientAccess |
RESOURCE_DELETION |
google.admin.AdminService.chromeLicensesRedeemed |
USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.toggleAutoAddNewService |
USER_RESOURCE_CREATION |
google.admin.AdminService.changePrimaryDomain |
USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.changeWhitelistSetting |
USER_RESOURCE_ACCESS |
google.admin.AdminService.communicationPreferencesSettingChange |
USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.changeConflictAccountAction |
USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.enableFeedbackSolicitation |
USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.toggleContactSharing |
USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.createPlayForWorkToken |
USER_RESOURCE_CREATION |
google.admin.AdminService.toggleUseCustomLogo |
USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.changeCustomLogo |
USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.changeDataLocalizationForRussia |
USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.changeDataLocalizationSetting |
USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.changeDataProtectionOfficerContactInfo |
USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.deletePlayForWorkToken |
RESOURCE_DELETION |
google.admin.AdminService.viewDnsLoginDetails |
USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.changeDomainDefaultLocale |
USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.changeDomainDefaultTimezone |
USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.changeDomainName |
USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.toggleEnablePreReleaseFeatures |
USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.changeDomainSupportMessage |
USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.addTrustedDomains |
USER_RESOURCE_CREATION |
google.admin.AdminService.removeTrustedDomains |
RESOURCE_DELETION |
google.admin.AdminService.changeEduType |
USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.toggleEnableOauthConsumerKey |
USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.toggleSsoEnabled |
USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.toggleSsl |
USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.changeEuRepresentativeContactInfo |
USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.generateTransferToken |
USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.changeLoginBackgroundColor |
USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.changeLoginBorderColor |
USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.changeLoginActivityTrace |
USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.playForWorkEnroll |
USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.playForWorkUnenroll |
USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.mxRecordVerificationClaim |
USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.toggleNewAppFeatures |
USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.toggleUseNextGenControlPanel |
USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.uploadOauthCertificate |
USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.regenerateOauthConsumerSecret |
USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.toggleOpenIdEnabled |
USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.changeOrganizationName |
USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.toggleOutboundRelay |
USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.changePasswordMaxLength |
USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.changePasswordMinLength |
USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.updateDomainPrimaryAdminEmail |
RESOURCE_WRITTEN |
google.admin.AdminService.enableServiceOrFeatureNotifications |
USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.removeApplication |
RESOURCE_DELETION |
google.admin.AdminService.removeApplicationFromWhitelist |
RESOURCE_DELETION |
google.admin.AdminService.changeRenewDomainRegistration |
USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.changeResellerAccess |
USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.ruleActionsChanged |
USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.createRule |
USER_RESOURCE_CREATION |
google.admin.AdminService.changeRuleCriteria |
USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.deleteRule |
RESOURCE_DELETION |
google.admin.AdminService.renameRule |
USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.ruleStatusChanged |
USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.addSecondaryDomain |
USER_RESOURCE_CREATION |
google.admin.AdminService.removeSecondaryDomain |
RESOURCE_DELETION |
google.admin.AdminService.skipSecondaryDomainMx |
USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.verifySecondaryDomainMx |
USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.verifySecondaryDomain |
USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.updateDomainSecondaryEmail |
RESOURCE_WRITTEN |
google.admin.AdminService.changeSsoSettings |
USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.generatePin |
USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.updateRule |
RESOURCE_WRITTEN |
google.admin.AdminService.dropFromQuarantine |
USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.emailLogSearch |
USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.emailUndelete |
RESOURCE_DELETION |
google.admin.AdminService.changeEmailSetting |
USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.changeGmailSetting |
USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.createGmailSetting |
USER_RESOURCE_CREATION |
google.admin.AdminService.deleteGmailSetting |
RESOURCE_DELETION |
google.admin.AdminService.rejectFromQuarantine |
USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.releaseFromQuarantine |
USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.createGroup |
USER_RESOURCE_CREATION |
google.admin.AdminService.deleteGroup |
RESOURCE_DELETION |
google.admin.AdminService.changeGroupDescription |
USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.groupListDownload |
USER_RESOURCE_ACCESS |
google.admin.AdminService.addGroupMember |
GROUP_MODIFICATION |
google.admin.AdminService.removeGroupMember |
RESOURCE_DELETION |
google.admin.AdminService.updateGroupMember |
RESOURCE_WRITTEN |
google.admin.AdminService.updateGroupMemberDeliverySettings |
RESOURCE_WRITTEN |
google.admin.AdminService.updateGroupMemberDeliverySettingsCanEmailOverride |
RESOURCE_WRITTEN |
google.admin.AdminService.groupMemberBulkUpload |
USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.groupMembersDownload |
USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.changeGroupName |
USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.changeGroupSetting |
USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.whitelistedGroupsUpdated |
RESOURCE_WRITTEN |
google.admin.AdminService.securityInvestigationAction |
USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.securityInvestigationActionCancellation |
USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.securityInvestigationActionCompletion |
USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.securityInvestigationActionRetry |
USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.securityInvestigationActionVerificationConfirmation |
USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.securityInvestigationActionVerificationRequest |
USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.securityInvestigationActionVerificationRequestExpiration |
USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.securityInvestigationChartCreate |
USER_RESOURCE_CREATION |
google.admin.AdminService.securityInvestigationContentAccess |
USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.securityInvestigationDownloadAttachment |
USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.securityInvestigationExportActionResults |
USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.securityInvestigationExportQuery |
USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.securityInvestigationObjectCreateDraftInvestigation |
USER_RESOURCE_CREATION |
google.admin.AdminService.securityInvestigationObjectDeleteInvestigation |
RESOURCE_DELETION |
google.admin.AdminService.securityInvestigationObjectDuplicateInvestigation |
USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.securityInvestigationObjectOwnershipTransfer |
USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.securityInvestigationObjectSaveInvestigation |
USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.securityInvestigationObjectUpdateDirectSharing |
RESOURCE_WRITTEN |
google.admin.AdminService.securityInvestigationObjectUpdateLinkSharing |
RESOURCE_WRITTEN |
google.admin.AdminService.securityInvestigationQuery |
USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.securityInvestigationSettingUpdate |
RESOURCE_WRITTEN |
google.admin.AdminService.addToTrustedOauth2Apps |
USER_RESOURCE_CREATION |
google.admin.AdminService.allowAspWithout2Sv |
USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.allowServiceForOauth2Access |
USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.allowStrongAuthentication |
USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.blockOnDeviceAccess |
USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.changeAllowedTwoStepVerificationMethods |
USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.changeAppAccessSettingsCollectionId |
USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.changeCaaAppAssignments |
USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.changeCaaDefaultAssignments |
USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.changeCaaErrorMessage |
USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.changeSessionLength |
USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.changeTwoStepVerificationEnrollmentPeriodDuration |
USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.changeTwoStepVerificationFrequency |
USER_RESOURCE_UPDATE_PERMISSIONS |
google.admin.AdminService.changeTwoStepVerificationGracePeriodDuration |
USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.changeTwoStepVerificationStartDate |
USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.disallowServiceForOauth2Access |
USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.enableNonAdminUserPasswordRecovery |
USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.enforceStrongAuthentication |
USER_RESOURCE_UPDATE_PERMISSIONS |
google.admin.AdminService.removeFromTrustedOauth2Apps |
RESOURCE_DELETION |
google.admin.AdminService.sessionControlSettingsChange |
USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.toggleCaaEnablement |
USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.trustDomainOwnedOauth2Apps |
USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.unblockOnDeviceAccess |
USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.untrustDomainOwnedOauth2Apps |
USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.updateErrorMsgForRestrictedOauth2Apps |
RESOURCE_WRITTEN |
google.admin.AdminService.weakProgrammaticLoginSettingsChanged |
USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.delete2SvScratchCodes |
RESOURCE_DELETION |
google.admin.AdminService.generate2SvScratchCodes |
USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.revoke3LoDeviceTokens |
USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.revoke3LoToken |
USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.addRecoveryEmail |
USER_RESOURCE_CREATION |
google.admin.AdminService.addRecoveryPhone |
USER_RESOURCE_CREATION |
google.admin.AdminService.grantAdminPrivilege |
USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.revokeAdminPrivilege |
USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.revokeAsp |
USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.toggleAutomaticContactSharing |
USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.bulkUpload |
USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.bulkUploadNotificationSent |
USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.cancelUserInvite |
USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.changeUserCustomField |
USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.changeUserExternalId |
USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.changeUserGender |
USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.changeUserIm |
USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.enableUserIpWhitelist |
USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.changeUserKeyword |
USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.changeUserLanguage |
USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.changeUserLocation |
USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.changeUserOrganization |
USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.changeUserPhoneNumber |
USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.changeRecoveryEmail |
USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.changeRecoveryPhone |
USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.changeUserRelation |
USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.changeUserAddress |
USER_RESOURCE_CREATION |
google.admin.AdminService.createEmailMonitor |
USER_RESOURCE_CREATION |
google.admin.AdminService.createDataTransferRequest |
USER_RESOURCE_CREATION |
google.admin.AdminService.grantDelegatedAdminPrivileges |
USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.deleteAccountInfoDump |
RESOURCE_DELETION |
google.admin.AdminService.deleteEmailMonitor |
RESOURCE_DELETION |
google.admin.AdminService.deleteMailboxDump |
RESOURCE_DELETION |
google.admin.AdminService.changeFirstName |
USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.gmailResetUser |
USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.changeLastName |
USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.mailRoutingDestinationAdded |
USER_RESOURCE_CREATION |
google.admin.AdminService.mailRoutingDestinationRemoved |
RESOURCE_DELETION |
google.admin.AdminService.addNickname |
USER_RESOURCE_CREATION |
google.admin.AdminService.removeNickname |
RESOURCE_DELETION |
google.admin.AdminService.changePassword |
USER_CHANGE_PASSWORD |
google.admin.AdminService.changePasswordOnNextLogin |
USER_CHANGE_PASSWORD |
google.admin.AdminService.downloadPendingInvitesList |
USER_RESOURCE_ACCESS |
google.admin.AdminService.removeRecoveryEmail |
RESOURCE_DELETION |
google.admin.AdminService.removeRecoveryPhone |
RESOURCE_DELETION |
google.admin.AdminService.requestAccountInfo |
USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.requestMailboxDump |
USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.resendUserInvite |
USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.resetSigninCookies |
USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.securityKeyRegisteredForUser |
USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.revokeSecurityKey |
USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.userInvite |
USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.viewTempPassword |
USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.turnOff2StepVerification |
USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.unblockUserSession |
USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.unenrollUserFromTitanium |
USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.archiveUser |
USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.updateBirthdate |
RESOURCE_WRITTEN |
google.admin.AdminService.createUser |
USER_CREATION |
google.admin.AdminService.deleteUser |
RESOURCE_DELETION |
google.admin.AdminService.downgradeUserFromGplus |
USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.userEnrolledInTwoStepVerification |
USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.downloadUserlistCsv |
USER_RESOURCE_ACCESS |
google.admin.AdminService.moveUserToOrgUnit |
USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.userPutInTwoStepVerificationGracePeriod |
USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.renameUser |
USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.unenrollUserFromStrongAuth |
USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.suspendUser |
USER_CHANGE_PERMISSIONS |
google.admin.AdminService.unarchiveUser |
USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.undeleteUser |
RESOURCE_DELETION |
google.admin.AdminService.upgradeUserToGplus |
USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.usersBulkUpload |
USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.usersBulkUploadNotificationSent |
USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.createAccessLevelV2 |
USER_RESOURCE_CREATION |
google.admin.AdminService.systemDefinedRuleUpdated |
USER_RESOURCE_UPDATE_PERMISSIONS |
google.admin.AdminService.createDeviceEnrollmentToken |
USER_RESOURCE_CREATION |
google.login.LoginService.2svDisable |
STATUS_UPDATE |
google.login.LoginService.2svEnroll |
STATUS_UPDATE |
google.login.LoginService.accountDisabledPasswordLeak |
STATUS_UPDATE |
google.login.LoginService.accountDisabledGeneric |
USER_LOGIN |
google.login.LoginService.accountDisabledSpammingThroughRelay |
USER_LOGIN
Security category: |
google.login.LoginService.accountDisabledSpamming |
USER_LOGIN
Security category: |
google.login.LoginService.accountDisabledHijacked |
USER_LOGIN
Security category: |
google.login.LoginService.emailForwardingOutOfDomain |
EMAIL_TRANSACTION |
google.login.LoginService.govAttackWarning |
USER_LOGIN
Security category: |
google.login.LoginService.loginChallenge |
USER_LOGIN |
google.login.LoginService.loginFailure |
USER_LOGIN
Security category: |
google.login.LoginService.loginVerification |
USER_LOGIN |
google.login.LoginService.logout |
USER_LOGOUT |
google.login.LoginService.loginSuccess |
USER_LOGIN |
google.login.LoginService.passwordEdit |
USER_CHANGE_PASSWORD |
google.login.LoginService.recoveryEmailEdit |
USER_RESOURCE_UPDATE_CONTENT |
google.login.LoginService.recoveryPhoneEdit |
USER_RESOURCE_UPDATE_CONTENT |
google.login.LoginService.recoverySecretQaEdit |
USER_RESOURCE_UPDATE_CONTENT |
google.login.LoginService.suspiciousLogin |
USER_LOGIN
Security category: |
google.login.LoginService.suspiciousLoginLessSecureApp |
USER_LOGIN
Security category: |
google.login.LoginService.suspiciousProgrammaticLogin |
USER_LOGIN
Security category: |
google.login.LoginService.titaniumEnroll |
USER_RESOURCE_UPDATE_CONTENT |
google.login.LoginService.titaniumUnenroll |
USER_RESOURCE_CREATION |
google.identity.accesscontextmanager.v1.AccessContextManager.CreateAccessLevel |
USER_RESOURCE_CREATION |
google.apps.cloudidentity.groups.v1.MembershipsService.UpdateMembership |
USER_RESOURCE_UPDATE_CONTENT |
io.k8s.core.v1.pods.create |
RESOURCE_CREATION |
io.k8s.authorization.rbac.v1.clusterrolebindings.create |
RESOURCE_CREATION |
beta.compute.instanceTemplates.insert |
RESOURCE_CREATION |
SetOrgPolicy |
USER_RESOURCE_UPDATE_PERMISSIONS |
beta.compute.instanceGroupManagers.patch |
RESOURCE_WRITTEN |
beta.compute.autoscalers.update |
RESOURCE_WRITTEN |
compute.v1.InstancesService.Get |
USER_RESOURCE_ACCESS |
google.storage.objects.list |
USER_RESOURCE_ACCESS |
google.cloudresourcemanager.v1.Projects.SetIamPolicy |
USER_RESOURCE_UPDATE_PERMISSIONS |
cloudsql.instances.query |
USER_RESOURCE_ACCESS |
cloudtrace.googleapis.com/ListInsights |
RESOURCE_READ |
google.cloud.functions.v1.CloudFunctionsService.CreateFunction |
RESOURCE_CREATION |
google.api.servicemanagement.v1.ServiceManager.ActivateServices |
USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.changePassword |
USER_CHANGE_PASSWORD |
google.api.serviceusage.v1.ServiceUsage.DisableService |
USER_RESOURCE_UPDATE_CONTENT |
AuthorizeUser |
USER_LOGIN |
google.cloud.oslogin.v1.OsLoginService.CheckPolicy |
USER_LOGIN |
google.admin.AdminService.unsuspendUser |
USER_CHANGE_PERMISSIONS |
jobservice.jobcompleted |
RESOURCE_WRITTEN |
compute.v1.ProjectsService.Get |
USER_RESOURCE_ACCESS |
v1.compute.projects.setCommonInstanceMetadata |
USER_RESOURCE_UPDATE_CONTENT |
CreateCryptoKey |
RESOURCE_CREATION |
storage.buckets.get |
RESOURCE_READ |
google.longrunning.Operations.GetOperation |
RESOURCE_READ |
io.k8s.core.v1.pods.delete |
RESOURCE_DELETION |
v1.compute.disks.delete |
RESOURCE_DELETION |
v1.compute.disks.insert |
RESOURCE_CREATION |
ScheduledSnapshots |
RESOURCE_WRITTEN |
v1.compute.disks.setLabels |
RESOURCE_WRITTEN |
google.cloud.healthcare.v1alpha2.dataset.DatasetService.AccessEhrSearch |
STATUS_UPDATE |
io.k8s.apiextensions.v1.customresourcedefinitions.patch |
RESOURCE_WRITTEN |
io.k8s.post |
USER_UNCATEGORIZED |
v1.compute.instances.delete |
RESOURCE_DELETION |
storage.buckets.list |
RESOURCE_READ |
storage.objects.create |
RESOURCE_CREATION |
google.pubsub.v1.Publisher.CreateTopic |
RESOURCE_CREATION |
google.devtools.cloudbuild.v1.CloudBuild.ListBuilds |
USER_RESOURCE_ACCESS |
google.cloud.asset.v1.AssetService.UpdateFeed |
USER_RESOURCE_UPDATE_PERMISSIONS |
storage.objects.update |
RESOURCE_WRITTEN |
datasetservice.insert |
USER_RESOURCE_CREATION |
storage.setIamPermissions |
USER_RESOURCE_UPDATE_PERMISSIONS |
io.k8s.coordination.v1.leases.update |
RESOURCE_WRITTEN |
datasetservice.delete |
USER_RESOURCE_DELETION |
compute.instances.repair.recreateInstance |
RESOURCE_CREATION |
tableservice.delete |
USER_RESOURCE_DELETION |
io.k8s.core.v1.configmaps.update |
RESOURCE_WRITTEN |
io.k8s.core.v1.nodes.proxy.get |
RESOURCE_READ |
compute.instances.repair.deleteInstance |
RESOURCE_DELETION |
google.cloud.dataproc.v1.JobController.SubmitJob |
RESOURCE_WRITTEN |
google.cloud.dataproc.v1beta2.ClusterController.UpdateCluster |
RESOURCE_WRITTEN |
io.k8s.app.v1beta1.applications.update |
RESOURCE_WRITTEN |
io.gke.networking.v1beta1.managedcertificates.update |
RESOURCE_WRITTEN |
io.k8s.extensions.v1beta1.deployments.patch |
RESOURCE_WRITTEN |
compute.instanceGroupManagers.deleteInstances |
RESOURCE_DELETION |
io.k8s.authorization.rbac.v1.rolebindings.patch |
RESOURCE_WRITTEN |
google.admin.AdminService.toggleServiceEnabled |
USER_UNCATEGORIZED |
io.k8s.core.v1.services.proxy.get |
RESOURCE_READ |
google.datastore.v1.Datastore.RunQuery |
STATUS_UPDATE |
google.appengine.Datastore.Put |
STATUS_UPDATE |
google.cloud.securitycenter.settings.v1beta2.Settings.UpdateSecurityHealthAnalyticsSettings |
RESOURCE_WRITTEN |
v1.compute.securityPolicies.patchRule |
RESOURCE_WRITTEN |
beta.compute.images.setIamPolicy |
USER_RESOURCE_UPDATE_PERMISSIONS |
google.iam.v1.IAMPolicy.SetIamPolicy |
USER_RESOURCE_UPDATE_PERMISSIONS |
io.k8s.certificates.v1.certificatesigningrequests.create |
RESOURCE_CREATION |
io.k8s.core.v0.id.create |
RESOURCE_CREATION |
google.cloud.orgpolicy.v2.OrgPolicy.DeletePolicy |
RESOURCE_WRITTEN |
google.cloud.securitycenter.settings.v1beta2.Settings.UpdateEventThreatDetectionSettings |
RESOURCE_DELETION |
UpdateCryptoKeyVersion |
RESOURCE_WRITTEN |
google.apps.cloudidentity.groups.v1.GroupsService.UpdateGroup |
RESOURCE_WRITTEN |
v1 |
STATUS_UPDATE |
google.cloud.run.v1.Services.ReplaceService |
SERVICE_UNCATEGORIZED |
updatePolicy |
RESOURCE_WRITTEN |
updateBackup |
RESOURCE_WRITTEN |
欄位對應參考資料:GCP_CLOUDAUDIT
下表列出 GCP_CLOUDAUDIT 記錄類型的記錄欄位,以及對應的 UDM 欄位。| 記錄欄位 | UDM 對應 | 邏輯 |
|---|---|---|
jsonPayload.accesses[].resourceName |
about.resource.name |
|
protoPayload.response.selfLink |
about.url |
|
protoPayload.metadata.event.eventName.parameter.name[login_challenge_method] |
extensions.auth.auth_details |
如果 protoPayload.metadata.event.eventName 記錄檔欄位值等於 login_failure、login_verification、login_challenge 或 login_success,且 protoPayload.metadata.event.eventName.parameter.name 記錄檔欄位值等於 login_challenge_method,則 protoPayload.metadata.event.eventName.parameter.value 記錄檔欄位會對應至 extensions.auth.auth_details UDM 欄位。 |
extensions.auth.auth_mechanism |
如果 protoPayload.metadata.event.eventName 等於 login_failure、login_verification、login_challenge 或 logic_success,則 extensions.auth.auth_mechanism UDM 欄位為:
|
|
extensions.auth.type |
如果 protoPayload.metadata.event.eventName 記錄檔欄位值等於 login_failure、login_verification、login_challenge 或 login_success,且 protoPayload.metadata.event.eventName.parameter.name 記錄檔欄位值等於 login_challenge_method,則 extensions.auth.type UDM 欄位會設為 MACHINE。 |
|
protoPayload.response.vulnerability.shortDescription |
extensions.vulns.vulnerabilities.cve_id |
|
protoPayload.response.vulnerability.effectiveSeverity |
extensions.vulns.vulnerabilities.severity |
如果 protoPayload.response.vulnerability.effectiveSeverity 記錄檔欄位值包含下列其中一個值,則 protoPayload.response.vulnerability.effectiveSeverity 記錄檔欄位會對應至 extensions.vulns.vulnerabilities.severity UDM 欄位。
|
protoPayload.request.occurrence.vulnerability.shortDescription |
extensions.vulns.vulnerabilities.cve_id |
|
protoPayload.request.occurrence.vulnerability.effectiveSeverity |
extensions.vulns.vulnerabilities.severity |
如果 protoPayload.request.occurrence.vulnerability.effectiveSeverity 記錄檔欄位值包含下列其中一個值,則 protoPayload.request.occurrence.vulnerability.effectiveSeverity 記錄檔欄位會對應至 extensions.vulns.vulnerabilities.severity UDM 欄位。
|
protoPayload.request.occurrence.resourceUri |
additional.fields[request_resourceuri] |
|
protoPayload.request.spec.type |
target.resource.attribute.labels[request_spec_type] |
|
protoPayload.response.spec.type |
target.resource.attribute.labels[response_spec_type] |
|
protoPayload.request.spec.template.spec.shareProcessNamespace |
target.resource.attribute.labels[req_spec_template_spec_share_process_namespace] |
|
protoPayload.response.spec.template.spec.shareProcessNamespace |
target.resource.attribute.labels[resp_spec_template_spec_share_process_namespace] |
|
protoPayload.request.spec.jobTemplate.spec.template.spec.shareProcessNamespace |
target.resource.attribute.labels[req_spec_jobtemplate_spec_template_spec_share_process_namespace] |
|
protoPayload.request.spec.jobTemplate.spec.template.spec.restartPolicy |
target.resource.attribute.labels[req_spec_jobtemplate_spec_template_spec_restart_policy] |
|
protoPayload.request.spec.jobTemplate.spec.template.spec.containers.args |
target.resource_ancestors.attribute.labels[req_spec_jobtemplate_spec_template_spec_container_arg_{index}] |
|
protoPayload.request.spec.jobTemplate.spec.template.spec.containers.command |
target.resource_ancestors.attribute.labels[req_spec_jobtemplate_spec_template_spec_container_command_{index}] |
|
protoPayload.request.spec.jobTemplate.spec.template.spec.containers.image |
target.resource_ancestors.attribute.labels[req_spec_jobtemplate_spec_template_spec_container_image] |
|
protoPayload.request.spec.jobTemplate.spec.template.spec.containers.imagePullPolicy |
target.resource_ancestors.attribute.labels[req_spec_jobtemplate_spec_template_spec_container_image_pull_policy] |
|
protoPayload.request.spec.jobTemplate.spec.template.spec.containers.name |
target.resource_ancestors.name |
|
protoPayload.request.spec.jobTemplate.spec.template.spec.containers.resources.limits.cpu |
target.resource_ancestors.attribute.labels[req_spec_jobtemplate_spec_template_spec_container_resource_limits_cpu] |
|
protoPayload.request.spec.jobTemplate.spec.template.spec.containers.resources.limits.memory |
target.resource_ancestors.attribute.labels[req_spec_jobtemplate_spec_template_spec_container_resource_limits_memory] |
|
protoPayload.request.spec.jobTemplate.spec.template.spec.containers.resources.requests.cpu |
target.resource_ancestors.attribute.labels[req_spec_jobtemplate_spec_template_spec_container_resource_request_cpu] |
|
protoPayload.request.spec.jobTemplate.spec.template.spec.containers.resources.requests.memory |
target.resource_ancestors.attribute.labels[req_spec_jobtemplate_spec_template_spec_container_resource_request_memory] |
|
protoPayload.request.spec.jobTemplate.spec.template.spec.containers.securityContext.allowPrivilegeEscalation |
target.resource_ancestors.attribute.labels[req_spec_jobtemplate_spec_template_spec_container_security_context_allow_privilege_escalation] |
|
protoPayload.request.spec.jobTemplate.spec.template.spec.containers.securityContext.capabilities.drop |
target.resource_ancestors.attribute.labels[req_spec_jobtemplate_spec_template_spec_container_security_context_capabilities_drop_{index}] |
|
protoPayload.request.spec.jobTemplate.spec.template.spec.containers.securityContext.privileged |
target.resource_ancestors.attribute.labels[req_spec_jobtemplate_spec_template_spec_container_security_context_privileged] |
|
protoPayload.request.spec.jobTemplate.spec.template.spec.containers.securityContext.readOnlyRootFilesystem |
target.resource_ancestors.attribute.labels[req_spec_jobtemplate_spec_template_spec_container_security_context_read_only_root_filesystem] |
|
protoPayload.request.spec.jobTemplate.spec.template.spec.containers.terminationMessagePath |
target.resource_ancestors.attribute.labels[req_spec_jobtemplate_spec_template_spec_container_termination_message_path] |
|
protoPayload.request.spec.jobTemplate.spec.template.spec.containers.terminationMessagePolicy |
target.resource_ancestors.attribute.labels[req_spec_jobtemplate_spec_template_spec_container_termination_message_policy] |
|
protoPayload.request.spec.jobTemplate.spec.template.spec.containers.volumeMounts.mountPath |
target.resource_ancestors.attribute.labels[req_spec_jobtemplate_spec_template_spec_container_volume_mounts_mount_path_{index}] |
|
protoPayload.request.spec.jobTemplate.spec.template.spec.containers.volumeMounts.name |
target.resource_ancestors.attribute.labels[req_spec_jobtemplate_spec_template_spec_container_volume_mounts_name_{index}] |
|
protoPayload.request.spec.jobTemplate.spec.template.spec.containers.volumeMounts.readOnly |
target.resource_ancestors.attribute.labels[req_spec_jobtemplate_spec_template_spec_container_volume_mounts_readonly_{index}] |
|
protoPayload.metadata.event.eventName.parameter.name[GATEWAY_NAME] |
intermediary.resource.name |
|
receiveTimestamp |
metadata.collected_timestamp |
|
protoPayload.response.operationType |
metadata.description |
如果 protoPayload.methodName 記錄檔欄位值等於 cloudsql.instances.create,則 protoPayload.response.operationType - protoPayload.response.kind 記錄檔欄位會對應至 metadata.description UDM 欄位。 |
protoPayload.response.kind |
target.resource.attribute.labels[response_kind] |
|
protoPayload.status.message |
metadata.description |
|
protoPayload.metadata.event.eventName.parameter.name[SETTING_DESCRIPTION] |
metadata.description |
|
timestamp |
metadata.event_timestamp |
|
protoPayload.methodName |
metadata.product_event_type |
|
resource.labels.method |
metadata.product_event_type |
|
jsonPayload.event_subtype |
metadata.product_event_type |
|
insertId |
metadata.product_log_id |
|
protoPayload.metadata.event.eventName.parameter.name[PRODUCT_NAME] |
metadata.product_name |
如果 protoPayload.serviceName 記錄檔欄位值符合規則運算式 (compute.googleapis.com),則 metadata.product_name UDM 欄位會設為 Google Compute Engine。如果 protoPayload.serviceName 記錄檔欄位值符合規則運算式 (bigquery.googleapis.com),則 metadata.product_name UDM 欄位會設為 BigQuery。如果 protoPayload.serviceName 記錄檔欄位值符合規則運算式 (admin.googleapis.com or login.googleapis.com or cloudidentity.googleapis.com),則 metadata.product_name UDM 欄位會設為 G Suite。如果 protoPayload.serviceName 記錄檔欄位值符合規則運算式 (k8s.io),則 metadata.product_name UDM 欄位會設為 Google Kubernetes Engine。如果 protoPayload.serviceName 記錄檔欄位值符合規則運算式 (servicemanagement.googleapis.com),則 metadata.product_name UDM 欄位會設為 Google Service Management。如果 protoPayload.serviceName 記錄檔欄位值符合規則運算式 (storage.googleapis.com),則 metadata.product_name UDM 欄位會設為 Google Cloud Storage。如果 protoPayload.serviceName 記錄檔欄位值符合規則運算式 (cloudsql.googleapis.com),則 metadata.product_name UDM 欄位會設為 Google Cloud SQL。如果 protoPayload.serviceName 記錄檔欄位值符合規則運算式 (dataproc.googleapis.com),則 metadata.product_name UDM 欄位會設為 Google Dataproc。如果 protoPayload.serviceName 記錄檔欄位值符合規則運算式 (iam.googleapis.com),則 metadata.product_name UDM 欄位會設為 Google Cloud IAM。如果 protoPayload.serviceName 記錄檔欄位值符合規則運算式 (accesscontextmanager.googleapis.com),則 metadata.product_name UDM 欄位會設為 Context Manager API。 |
logName |
metadata.url_back_to_product |
|
protoPayload.response.selfLinkWithId |
metadata.url_back_to_product |
|
metadata.vendor_name |
metadata.vendor_name UDM 欄位設為 Google Cloud Platform。 |
|
httpRequest.protocol |
network.application_protocol |
|
protoPayload.metadata.request_id |
network.community_id |
|
protoPayload.resourceOriginalState.direction |
network.direction |
|
protoPayload.request.direction |
network.direction |
|
protoPayload.response.duration |
network.session_duration |
|
protoPayload.request.serialConsoleOptions |
principal.port |
逐一查看記錄欄位 protoPayload.request.serialConsoleOptions,然後如果 protoPayload.request.serialConsoleOptions.name 值等於 port,則 protoPayload.request.serialConsoleOptions.value 記錄欄位會對應至 principal.port UDM 欄位。否則, protoPayload.request.serialConsoleOptions.name 記錄檔欄位會對應至 principal.resource.attribute.labels.key UDM 欄位,而 protoPayload.request.serialConsoleOptions.value 記錄檔欄位會對應至 principal.resource.attribute.labels.value UDM 欄位。 |
protoPayload.metadata.event.eventName.parameter.name[EMAIL_LOG_SEARCH_SENDER] |
network.email.from |
|
protoPayload.metadata.event.eventName.parameter.name[EMAIL_LOG_SEARCH_MSG_ID] |
network.email.mail_id |
|
protoPayload.metadata.event.eventName.parameter.name[EMAIL_LOG_SEARCH_RECIPIENT] |
network.email.to |
|
httpRequest.requestMethod |
network.http.method |
|
protoPayload.requestMetadata.requestAttributes.method |
network.http.method |
|
httpRequest.referer |
network.http.referral_url |
|
protoPayload.requestMetadata.requestAttributes.path |
network.http.referral_url |
|
httpRequest.requestUrl |
network.http.referral_url |
|
protoPayload.resourceOriginalState.network |
network.http.referral_url |
|
httpRequest.status |
network.http.response_code |
|
protoPayload.response.error.code |
network.http.response_code |
|
protoPayload.status.code |
security_result.detection_fields [status_code] |
|
protoPayload.requestMetadata.callerSuppliedUserAgent |
network.http.user_agent |
如果 protoPayload.requestMetadata.callerSuppliedUserAgent 記錄檔欄位值符合規則運算式 Group,則 protoPayload.requestMetadata.callerSuppliedUserAgent 記錄檔欄位會對應至 principal.group.group_display_name UDM 欄位。 |
httpRequest.userAgent |
network.http.user_agent |
|
protoPayload.resourceOriginalState.alloweds.IPProtocol |
network.ip_protocol |
|
protoPayload.requestMetadata.requestAttributes.protocol |
network.ip_protocol |
|
protoPayload.request.IPProtocol |
network.ip_protocol |
|
protoPayload.request.alloweds.IPProtocol |
network.ip_protocol |
|
jsonPayload.connection.protocol |
network.ip_protocol |
|
protoPayload.metadata.event.eventName.parameter.name[ORG_UNIT_NAME] |
network.organization_name |
|
httpRequest.responseSize |
network.received_bytes |
|
httpRequest.requestSize |
network.sent_bytes |
|
jsonPayload.bytes_sent |
network.sent_bytes |
|
protoPayload.requestMetadata.requestAttributes.id |
network.session_id |
|
ProtoPayload.authenticationInfo.serviceAccountDelegationInfo.firstPartyPrincipal.principalEmail |
principal.email |
|
jsonPayload.src_instance.vm_name |
principal.hostname |
|
protoPayload.requestMetadata.callerIp |
principal.ip |
|
protoPayload.metadata.event.eventName.parameter.name[EMAIL_LOG_SEARCH_SMTP_SENDER_IP] |
principal.ip |
|
jsonPayload.connection.src_ip |
principal.ip |
|
httpRequest.serverIp |
principal.ip |
|
resourceLocation.originalLocations |
principal.location.name |
|
jsonPayload.connection.nat_ip |
principal.nat_ip |
|
jsonPayload.connection.nat_port |
principal.nat_port |
|
jsonPayload.connection.src_port |
principal.port |
|
protoPayload.authorizationInfo.resource |
principal.resource.name |
如果 protoPayload.authorizationInfo.resource 記錄檔欄位值不為空,則 protoPayload.authorizationInfo.resource 記錄檔欄位會對應至 principal.resource.name UDM 欄位。 |
protoPayload.authorizationInfo.resourceAttributes.name |
principal.resource.name |
如果 protoPayload.authorizationInfo.resourceAttributes.name 記錄檔欄位值不為空,則 protoPayload.authorizationInfo.resourceAttributes.name 記錄檔欄位會對應至 principal.resource.name UDM 欄位。 |
protoPayload.authorizationInfo.permission |
target.resource_ancestors.attribute.permissions.name |
|
protoPayload.authorizationInfo.permissionType |
target.resource_ancestors.attribute.permissions.type |
|
protoPayload.authorizationInfo.resourceAttributes.service |
target.resource_ancestors.attribute.labels[resource_attribute_service] |
|
protoPayload.authorizationInfo.granted |
target.resource_ancestors.attribute.labels[authorization_granted] |
|
protoPayload.resourceOriginalState.name |
principal.resource.name |
|
protoPayload.authorizationInfo.resourceAttributes.type |
principal.resource.resource_subtype |
|
principal.user.account_type |
如果 access.principalSubject 記錄檔欄位值符合規則運算式 serviceAccount,則 principal.user.account_type UDM 欄位會設為 SERVICE_ACCOUNT_TYPE。如果 access.principalSubject 記錄檔欄位值符合規則運算式 user,則 principal.user.account_type UDM 欄位會設為 CLOUD_ACCOUNT_TYPE。 |
|
protoPayload.authorizationInfo.authorizationLoggingOptions.permissionType |
principal.user.attribute.permissions.description |
|
protoPayload.request.serviceAccounts[].scopes |
principal.user.attribute.permissions.name |
|
protoPayload.authorizationInfo.permission |
principal.user.attribute.permissions.name |
|
protoPayload.authorizationInfo.authorizationLoggingOptions.permissionType |
principal.user.attribute.permissions.type |
|
protoPayload.serviceData.policyDelta.bindingDeltas[].action |
principal.user.attribute.roles.description |
|
protoPayload.request.bindings.role |
principal.user.attribute.roles.name |
|
protoPayload.serviceData.policyDelta.bindingDeltas[].role |
principal.user.attribute.roles.name |
|
jsonPayload.location.principalEmployingEntity |
principal.user.company_name |
|
jsonPayload.location.principalOfficeCountry |
principal.user.office_address.country_or_region |
|
protoPayload.authenticationInfo.principalEmail |
principal.user.userid |
如果 protoPayload.authenticationInfo.principalEmail 記錄檔欄位值不為空,系統會使用 Grok 模式從 protoPayload.authenticationInfo.principalEmail 記錄檔欄位擷取 userid_auth,並對應至 principal.user.userid UDM 欄位。 |
protoPayload.metadata.jobInsertion.job.jobConfig.queryConfig.query |
additional.fields[job_insertion_query_org_id_{index}] |
如果 protoPayload.metadata.jobInsertion.job.jobConfig.queryConfig.query 記錄檔欄位值不是空白,系統會使用 Grok 模式從 protoPayload.metadata.jobInsertion.job.jobConfig.queryConfig.query 記錄檔欄位擷取 org_ids,並對應至 additional.fields.job_insertion_query_org_id_{index} UDM 欄位。 |
protoPayload.serviceData.jobInsertRequest.resource.jobConfiguration.query.query |
additional.fields[job_insert_request_query_org_id_{index}] |
如果 protoPayload.serviceData.jobInsertRequest.resource.jobConfiguration.query.query 記錄檔欄位值不是空白,系統會使用 Grok 模式從 protoPayload.serviceData.jobInsertRequest.resource.jobConfiguration.query.query 記錄檔欄位擷取 org_ids,並對應至 additional.fields.job_insert_request_query_org_id_{index} UDM 欄位。 |
protoPayload.request.permissions |
target.resource.attribute.labels.permission |
|
protoPayload.request.username |
principal.user.userid |
|
protoPayload.metadata.event.eventName.parameter.value |
principal.user.userid |
如果 protoPayload.metadata.event.eventName 記錄檔欄位值等於 CREATE_EMAIL_MONITOR 或 CREATE_DATA_TRANSFER_REQUEST:protoPayload.metadata.event.eventName.parameter.name 記錄檔欄位值等於 USER_EMAIL,系統會使用 Grok 模式從 protoPayload.metadata.event.eventName.parameter.value 記錄檔欄位擷取 userid,並對應至 principal.user.userid UDM 欄位。 |
protoPayload.authenticationInfo.authoritySelector |
principal.user.userid |
如果 protoPayload.authenticationInfo.authoritySelector 記錄檔欄位值不為空,系統會使用 Grok 模式從 protoPayload.authenticationInfo.authoritySelector 記錄檔欄位擷取 userid_selector,並對應至 principal.user.userid UDM 欄位。 |
jsonPayload.actor.user |
principal.user.userid |
如果 jsonPayload.actor.user 記錄檔欄位值不為空,系統會使用 Grok 模式從 jsonPayload.actor.user 記錄檔欄位擷取 userid_actor,並對應至 principal.user.userid UDM 欄位。 |
protoPayload.authenticationInfo.principalEmail |
principal.user.email_addresses |
如果 protoPayload.authenticationInfo.principalEmail 記錄檔欄位值不為空,且 protoPayload.authenticationInfo.principalEmail 記錄檔欄位值符合規則運算式 .@.,則 protoPayload.authenticationInfo.principalEmail 記錄檔欄位會對應至 principal.user.email_addresses UDM 欄位。 |
protoPayload.metadata.event.eventName.parameter.value |
principal.user.email_addresses |
如果符合下列條件,protoPayload.metadata.event.eventName.parameter.value 會對應至 principal.user.email_addresses:
|
protoPayload.authenticationInfo.authoritySelector |
principal.user.email_addresses |
如果 protoPayload.authenticationInfo.authoritySelector 記錄檔欄位值不為空,且 protoPayload.authenticationInfo.authoritySelector 記錄檔欄位值符合規則運算式 .@.,則 protoPayload.authenticationInfo.authoritySelector 記錄檔欄位會對應至 principal.user.email_addresses UDM 欄位。 |
jsonPayload.actor.user |
principal.user.email_addresses |
如果 jsonPayload.actor.user 記錄檔欄位值不為空,且 jsonPayload.actor.user 記錄檔欄位值符合規則運算式 .@.,則 jsonPayload.actor.user 記錄檔欄位會對應至 principal.user.email_addresses UDM 欄位。 |
protoPayload.metadata.event.eventName.parameter.name[login_challenge_status] |
security_result.action |
符合下列條件時,security_result.action 會設為 ALLOW:
security_result.action 會設為 FAIL:
|
protoPayload.metadata.event.eventName.parameter.name[ACTION_TYPE] |
security_result.action |
符合下列條件時,security_result.action 會設為 ALLOW:
security_result.action 會設為 BLOCK:
security_result.action 會設為 ALLOW_WITH_MODIFICATION:
security_result.action 會設為 QUARANTINE:
security_result.action 會設為 QUARANTINE:
|
security_result.action_details |
如果 protoPayload.metadata.event.eventName 記錄檔欄位值等於 login_challenge 或 login_verification,且 protoPayload.metadata.event.eventName.parameter.name 記錄檔欄位值等於 login_challenge_status,則 protoPayload.metadata.event.eventName.parameter.value 記錄檔欄位會對應至 security_result.action_details UDM 欄位。如果 protoPayload.metadata.event.eventName 記錄檔欄位值等於 ACTION_CANCELLED 或 ACTION_REQUESTED,且 protoPayload.metadata.event.eventName.parameter.name 記錄檔欄位值等於 ACTION_TYPE,則 protoPayload.metadata.event.eventName.parameter.value 記錄檔欄位會對應至 security_result.action_details UDM 欄位。 |
|
protoPayload.metadata.event.eventName.parameter.name[is_suspicious] |
security_result.category |
如果 protoPayload.metadata.event.eventName 記錄檔欄位值等於 login_success,則如果 protoPayload.metadata.event.eventName.parameter.name 記錄檔欄位值等於 is_suspicious,則如果 protoPayload.metadata.event.eventName.parameter.value 記錄檔欄位值等於 True,則 security_result.category UDM 欄位會設為 NETWORK_SUSPICIOUS。 |
logName |
security_result.category_details |
|
protoPayload.response.status |
security_result.description |
|
protoPayload.response.error.errors[].reason |
security_result.description |
|
protoPayload.metadata.tableCreation.reason |
security_result.description |
|
protoPayload.metadata.tableChange.reason |
security_result.description |
|
protoPayload.metadata.tableDeletion.reason |
security_result.description |
|
protoPayload.metadata.datasetCreation.reason |
security_result.description |
|
protoPayload.metadata.datasetDeletion.reason |
security_result.description |
|
protoPayload.policyViolationInfo.orgPolicyViolationInfo.violationInfo.errorMessage |
security_result.description |
|
protoPayload.status.message |
security_result.description |
|
protoPayload.request.status |
security_result.description |
|
jsonPayload.reason[].detail |
security_result.description |
|
protoPayload.response.status.state |
security_result.description |
|
protoPayload.response.status.conditions[].message |
security_result.description |
如果 message 記錄檔欄位值符合規則運算式 response.*status.*conditions.*message,則 protoPayload.response.status.conditions.0.message 記錄檔欄位會對應至 security_result.description UDM 欄位。 |
protoPayload.resourceOriginalState.priority |
security_result.priority_details |
|
protoPayload.request.priority |
security_result.priority_details |
|
protoPayload.serviceData.jobGetQueryResultsResponse.job.jobConfiguration.query.queryPriority |
security_result.priority_details |
|
protoPayload.metadata.vpcServiceControlsUniqueId |
security_result.rule_id |
|
protoPayload.request.body.settings.activationPolicy |
security_result.rule_name |
|
protoPayload.request.policy |
security_result.rule_name |
|
protoPayload.metadata.violationReason |
security_result.rule_name |
|
protoPayload.policyViolationInfo.orgPolicyViolationInfo.violationInfo.policyType |
security_result.rule_type |
|
protoPayload.metadata.dryRun |
security_result.rule_type |
|
severity |
security_result.severity |
|
security_result.severity_details |
如果 severity 記錄檔欄位值等於 CRITICAL,則 security_result.severity UDM 欄位會設為 CRITICAL。如果 severity 記錄檔欄位值等於 ERROR,則 security_result.severity UDM 欄位會設為 ERROR。如果 severity 記錄檔欄位值等於 ALERT 或 EMERGENCY,則 security_result.severity UDM 欄位會設為 HIGH。如果 severity 記錄檔欄位值等於 INFO 或 NOTICE,則 security_result.severity UDM 欄位會設為 INFORMATIONAL。如果 severity 記錄檔欄位值等於 DEBUG,則 security_result.severity UDM 欄位會設為 LOW。如果 severity 記錄檔欄位值等於 WARNING,則 security_result.severity UDM 欄位會設為 MEDIUM。否則, security_result.severity UDM 欄位會設為 UNKNOWN_SEVERITY。 |
|
protoPayload.response.error.message |
security_result.summary |
|
protoPayload.response.error.errors[].message |
security_result.summary |
|
protoPayload.status.details.violations.description |
security_result.summary |
|
protoPayload.response.message |
security_result.summary |
|
protoPayload.request.description |
security_result.summary |
|
jsonPayload.reason[].type |
security_result.summary |
|
sourceLocation.file |
src.file.full_path |
|
protoPayload.serviceName |
target.application |
|
resource.labels.service |
target.application |
|
protoPayload.metadata.event.eventName.parameter.name[APPLICATION_NAME] |
target.application |
|
protoPayload.metadata.event.eventName.parameter.name[APP_NAME] |
target.application |
如果 protoPayload.metadata.event.eventName.parameter.name1 記錄檔欄位值等於 APP_NAME,且 protoPayload.metadata.event.eventName.parameter.name2 記錄檔欄位值等於 APP_ID,則 protoPayload.metadata.event.eventName.parameter.name2 - protoPayload.metadata.event.eventName.parameter.name1 記錄檔欄位會對應至 target.application UDM 欄位。 |
protoPayload.metadata.event.eventName.parameter.name[APP_ID] |
target.application |
如果 protoPayload.metadata.event.eventName.parameter.name1 記錄檔欄位值等於 APP_NAME,且 protoPayload.metadata.event.eventName.parameter.name2 記錄檔欄位值等於 APP_ID,則 protoPayload.metadata.event.eventName.parameter.name2 - protoPayload.metadata.event.eventName.parameter.name1 記錄檔欄位會對應至 target.application UDM 欄位。 |
protoPayload.metadata.event.eventName.parameter.name[SERVICE_NAME] |
target.application |
|
protoPayload.metadata.event.eventName.parameter.name[OAUTH2_SERVICE_NAME] |
target.application |
|
protoPayload.metadata.event.eventName.parameter.name[OAUTH2_APP_NAME] |
target.application |
如果 protoPayload.metadata.event.eventName.parameter.name1 記錄檔欄位值等於 OAUTH2_APP_NAME,且 protoPayload.metadata.event.eventName.parameter.name2 記錄檔欄位值等於 OAUTH2_APP_ID,則 protoPayload.metadata.event.eventName.parameter.name2 - protoPayload.metadata.event.eventName.parameter.name1 記錄檔欄位會對應至 target.application UDM 欄位。 |
protoPayload.metadata.event.eventName.parameter.name[OAUTH2_APP_ID] |
target.application |
如果 protoPayload.metadata.event.eventName.parameter.name1 記錄檔欄位值等於 OAUTH2_APP_NAME,且 protoPayload.metadata.event.eventName.parameter.name2 記錄檔欄位值等於 OAUTH2_APP_ID,則 protoPayload.metadata.event.eventName.parameter.name2 - protoPayload.metadata.event.eventName.parameter.name1 記錄檔欄位會對應至 target.application UDM 欄位。 |
protoPayload.metadata.event.eventName.parameter.name[REAUTH_APPLICATION, SITE_NAME] |
target.application |
|
jsonPayload.product |
target.application |
|
protoPayload.metadata.device_id |
target.asset.asset_id |
|
protoPayload.metadata.event.eventName.parameter.name[DEVICE_SERIAL_NUMBER] |
target.asset.hardware.serial_number |
|
protoPayload.metadata.event.eventName.parameter.name[PRINT_SERVER_NAME] |
target.asset.hostname |
|
protoPayload.metadata.event.eventName.parameter.name[PRINTER_NAME] |
target.asset.hostname |
|
protoPayload.request.instances.instance |
target.asset.product_object_id |
當 protoPayload.request.instances.instance 中的索引值等於 0 時,protoPayload.request.instances.instance 記錄欄位會對應至 target.asset.product_object_id UDM 欄位。對於其他索引值, target.asset.labels.key UDM 欄位會設為 request_instance,而 protoPayload.request.instances.instance 記錄欄位會對應至 target.asset.labels.value UDM 欄位。 |
protoPayload.request.instance |
target.asset.product_object_id |
|
protoPayload.metadata.event.eventName.parameter.name[DEVICE_ID] |
target.asset.product_object_id |
|
protoPayload.metadata.event.eventName.parameter.name[COMPANY_DEVICE_ID] |
target.asset.product_object_id |
|
target.asset.type |
如果 protoPayload.metadata.event.eventName.parameter.name 記錄檔欄位值等於 PRINTER_SERVER_NAME,則 target.asset.type UDM 欄位會設為 SERVER。如果 protoPayload.metadata.event.eventName.parameter.name 記錄檔欄位值等於 PRINTER_NAME,則 target.asset.type UDM 欄位會設為 PRINTER。如果 protoPayload.metadata.event.eventName.parameter.name 記錄檔欄位值等於 DEVICE_TYPE,則 target.asset.type UDM 欄位會設為 ROLE_UNSPECIFIED。 |
|
protoPayload.metadata.event.eventName.parameter.name[SITE_LOCATION] |
target.file.full_path |
|
protoPayload.metadata.event.eventName.parameter.name[PERMISSION_GROUP_NAME] |
target.group.attribute.permissions.name |
|
protoPayload.metadata.event.eventName.parameter.name[GROUP_EMAIL] |
target.group.email_addresses |
|
protoPayload.metadata.event.eventName.parameter.name[DOMAIN_NAME] |
target.hostname |
|
jsonPayload.dest_instance.vm_name |
target.hostname |
|
protoPayload.requestMetadata.requestAttributes.host |
target.hostname |
|
httpRequest.remoteIp |
target.ip |
|
protoPayload.requestMetadata.destinationAttributes.ip |
target.ip |
|
protoPayload.metadata.event.eventName.parameter.name[EMAIL_LOG_SEARCH_SMTP_RECIPIENT_IP] |
target.ip |
|
protoPayload.request.ip |
target.ip |
|
jsonPayload.connection.dest_ip |
target.ip |
|
resource.labels.region |
target.location.country_or_region |
|
protoPayload.response.region |
target.location.country_or_region |
|
protoPayload.request.body.region |
target.location.country_or_region |
|
protoPayload.request.region |
target.location.country_or_region |
|
resource.labels.region |
target.location.country_or_region |
|
jsonPayload.dest_location.country |
target.location.country_or_region |
|
jsonPayload.dest_location.continent |
target.location.country_or_region |
|
protoPayload.request.override.overrideValue |
target.resource.attribute.labels[request_override_value] |
|
protoPayload.response.overrideValue |
target.resource.attribute.labels[response_override_value] |
|
resource.labels.location |
target.location.name |
|
protoPayload.resourceOriginalState.alloweds.ports |
target.port |
|
protoPayload.requestMetadata.destinationAttributes.port |
target.port |
|
jsonPayload.connection.dest_port |
target.port |
|
protoPayload.metadata.tableCreation.table.view.query |
target.process.command_line |
|
protoPayload.metadata.jobInsertion.job.jobConfig.queryConfig.query |
target.process.command_line |
|
protoPayload.serviceData.jobQueryRequest.query |
target.process.command_line |
|
protoPayload.serviceData.tableInsertResponse.resource.view.query |
target.process.command_line |
|
protoPayload.metadata.jobChange.job.jobConfig.queryConfig.query |
target.process.command_line |
|
protoPayload.metadata.tableChange.jobName |
target.process.pid |
|
protoPayload.metadata.tableCreation.jobName |
target.process.pid |
|
protoPayload.request.networkInterfaces[].subnetwork |
target.resource_ancestors.name |
|
protoPayload.request.body.instanceUid |
target.resource_ancestors.product_object_id |
|
protoPayload.response.instanceUid |
target.resource_ancestors.product_object_id |
|
protoPayload.request.disk[].mode |
target.resource_ancestors.attributes.permission.name |
|
protoPayload.request.disk[].autoDelete |
target.resource_ancestors.attributes.permission.name |
|
protoPayload.response.project_id |
target.resource_ancestors.id |
|
protoPayload.response.targetProject |
target.resource_ancestors.name |
|
protoPayload.request.target |
target.resource_ancestors.name |
|
protoPayload.resourceName |
target.resource_ancestors.name |
如果 protoPayload.methodName 記錄檔欄位值符合規則運算式 (CreateServiceAccount, CreateWorkloadIdentityPool, CreateWorkloadIdentityPoolProvider, managedZones.create, changes.create, resourceRecordSets.create, responsePolicies.create, responsePolicyRules.create, policies.create, CreateRole, CreatePolicy, CreateServiceAccountKey, CreateWorkforcePool, CreateWorkforcePoolProvider),則 protoPayload.resourceName 記錄檔欄位會對應至 target.resource_ancestors.name UDM 欄位。 |
protoPayload.resource.role_name |
target.resource_ancestors.name |
|
protoPayload.request.parent |
target.resource_ancestors.name |
|
protoPayload.request.disks[].deviceName |
target.resource_ancestors.name |
|
protoPayload.request.network |
target.resource_ancestors.name |
|
resource.labels.project_id |
target.cloud.project.name |
|
resource.labels.project_id |
target.resource_ancestors.name |
|
protoPayload.request.disk[].type |
target.resource_ancestors.resource_subtype |
如果 protoPayload.request.cluster.subnetwork 記錄檔欄位值「不」為空,則 target.resource_ancestors.resource_subtype UDM 欄位會設為 subnetwork。如果 protoPayload.request.cluster.network 記錄檔欄位值「不」為空,則 target.resource_ancestors.resource_subtype UDM 欄位會設為 network。如果 protoPayload.request.cluster.nodePools.name 記錄檔欄位值「不」為空,則 target.resource_ancestors.resource_subtype UDM 欄位會設為 nodepool。 |
resource.location |
target.resource.attribute.cloud.availability_zone |
|
resourceLocation.currentLocations |
target.resource.attribute.cloud.availability_zone |
|
resource.labels.zone |
target.resource.attribute.cloud.availability_zone |
|
protoPayload.request.body.settings.locationPreference.zone |
target.resource.attribute.cloud.availability_zone |
|
protoPayload.metadata.tableChange.table.createTime |
target.resource.attribute.creation_time |
|
protoPayload.metadata.tableCreation.table.createTime |
target.resource.attribute.creation_time |
|
protoPayload.resourceOriginalState.creationTimestamp |
target.resource.attribute.creation_time |
|
protoPayload.response.insertTime |
target.resource.attribute.creation_time |
|
protoPayload.metadata.tableChange.table.updateTime |
target.resource.attribute.last_update_time |
|
protoPayload.metadata.tableCreation.table.updateTime |
target.resource.attribute.last_update_time |
|
protoPayload.serviceData.policyDelta.auditConfigDeltas[].logType |
target.resource.attribute.permissions.type |
|
request.role.title |
target.resource.attribute.roles.name |
|
protoPayload.request.role.included_permissions[] |
target.resource.attributes.permission.name |
|
protoPayload.request.role.description |
target.resource.attributes.roles.description |
|
protoPayload.resource.labels.firewall_rule_id |
target.resource.id |
|
protoPayload.resourceName |
target.resource.name |
如果 protoPayload.resourceName 記錄檔欄位值不為空,則 protoPayload.resourceName 記錄檔欄位會對應至 target.resource.name UDM 欄位。 |
protoPayload.resource.labels.role_name |
target.resource.name |
如果 protoPayload.methodName 記錄檔欄位值等於 google.iam.admin.v1.CreateRole,則 protoPayload.resource.labels.role_name 記錄檔欄位會對應至 target.resource.name UDM 欄位。 |
protoPayload.resource.role_name |
target.resource.name |
|
protoPayload.request.service_account.display_name |
target.resource.name |
|
protoPayload.request.workloadIdentityPool.displayName |
target.resource.name |
|
protoPayload.request.name |
target.resource.name |
如果 protoPayload.methodName 記錄檔欄位值等於 beta.compute.instances.insert,則 protoPayload.request.name 記錄檔欄位會對應至 target.resource.name UDM 欄位。 |
protoPayload.request.cluster.name |
target.resource.name |
|
protoPayload.metadata.tableCreation.table.tableName |
target.resource.name |
|
protoPayload.metadata.datasetCreation.dataset.datasetName |
target.resource.name |
|
jsonPayload.accessApprovals[] |
target.resource.name |
|
jsonPayload.resource.name |
target.resource.name |
|
resource.labels.email_id |
target.resource.name |
如果 resource.labels.email_id 記錄檔欄位值不為空,則 resource.labels.email_id 記錄檔欄位會對應至 target.resource.name UDM 欄位。 |
protoPayload.request.accessLevel.title |
target.resource.name |
|
resource.discoveryName |
target.resource.name |
|
protoPayload.response.name |
target.resource.name |
|
protoPayload.request.name |
target.resource.name |
|
resource.labels.network_id |
target.resource.name |
|
request.cluster.name |
target.resource.name |
|
resource.labels.cluster_name |
target.resource.name |
|
protoPayload.metadata.tableChange.table.tableName |
target.resource.name |
|
resource.labels.function_name |
target.resource.name |
如果 resource.type 記錄檔欄位值符合規則運算式 cloud_function,則 resource.labels.function_name 記錄檔欄位會對應至 target.resource.name UDM 欄位。 |
resource.parent |
target.resource.parent |
|
resource.labels.bucket_name |
target.resource.parent |
如果 resource.type 記錄檔欄位值等於 gcs_bucket,則 resource.labels.bucket_name 記錄檔欄位會對應至 target.resource.parent UDM 欄位。 |
resource.labels.dataset_id |
target.resource.product_object_id |
|
resource.labels.instance_group_id |
target.resource.product_object_id |
|
resource.labels.subnetwork_id |
target.resource.product_object_id |
|
resource.labels.firewall_rule_id |
target.resource.product_object_id |
|
resource.labels.forwarding_rule_id |
target.resource.product_object_id |
|
resource.labels.network_id |
target.resource.product_object_id |
|
resource.labels.unique_id |
target.resource.product_object_id |
|
protoPayload.metadata.event.eventName.parameter.name[RESOURCE_IDENTIFIER] |
target.resource.product_object_id |
|
protoPayload.metadata.event.eventName.parameter.name[SHARED_DRIVE_ID] |
target.resource.product_object_id |
|
protoPayload.response.unique_id |
target.resource.product_object_id |
如果 protoPayload.methodName 記錄檔欄位值符合規則運算式 (CreateServiceAccount, CreateWorkloadIdentityPool, CreateWorkloadIdentityPoolProvider, managedZones.create, changes.create, resourceRecordSets.create, responsePolicies.create, responsePolicyRules.create, policies.create, CreateRole, CreatePolicy, CreateServiceAccountKey, CreateWorkforcePool, CreateWorkforcePoolProvider),則 protoPayload.response.unique_id 記錄檔欄位會對應至 target.resource.product_object_Id UDM 欄位。 |
protoPayload.request.account_id |
target.resource.product_object_id |
|
protoPayload.request.role_id |
target.resource.product_object_id |
如果 protoPayload.methodName 記錄檔欄位值等於 google.iam.admin.v1.CreateRole,則 protoPayload.request.role_id 記錄檔欄位會對應至 target.resource.product_object_id UDM 欄位。 |
protoPayload.request.workloadIdentityPoolId |
target.resource.product_object_id |
|
jsonPayload.resource.id |
target.resource.product_object_id |
|
resource.labels.instance_id |
target.resource.product_object_id |
|
resource.data.uniqueId |
target.resource.product_object_id |
|
protoPayload.request.workloadIdentityPoolProviderId |
target.resource.product_object_id |
|
protoPayload.request.machineType |
target.resource.resource_subtype |
如果 resource.type 記錄檔欄位值符合規則運算式 gce_(autoscaler or instance_group) or gae_app",則 resource.type 原始記錄檔欄位會對應至 target.resource.resource_subtype UDM 欄位。 |
target.resource.resource_type |
如果 resource.type 記錄檔欄位值符合規則運算式 gce_(firewall or forwarding_rule) or network_security_policy,則 target.resource.resource_type UDM 欄位會設為 FIREWALL_RULE,且 resource.type 原始記錄檔欄位會對應至 target.resource.resource_subtype UDM 欄位。否則,如果 resource.type 記錄檔欄位值符合規則運算式 gce_(subnetwork or network),則 target.resource.resource_type UDM 欄位會設為 VPC_NETWORK。否則,如果 resource.type 記錄檔欄位值符合規則運算式 cloud_dataproc_(batch or session),則 target.resource.resource_type UDM 欄位會設為 TASK。否則,如果 resource.type 記錄檔欄位值等於 gce_backend_service,則 target.resource.resource_type UDM 欄位會設為 BACKEND_SERVICE。否則,如果 resource.type 記錄檔欄位值等於 build,則 target.resource.resource_type UDM 欄位會設為 TASK,且 resource.type 原始記錄檔欄位會對應至 target.resource.resource_subtype UDM 欄位。否則,如果 resource.type 記錄檔欄位值等於 pubsub_topic,則 target.resource.resource_type UDM 欄位會設為 PIPE,且 resource.type 原始記錄檔欄位會對應至 target.resource.resource_subtype UDM 欄位。否則,如果 resource.type 記錄檔欄位值符合規則運算式 cloudkms_cryptokey,則 target.resource.resource_type UDM 欄位會設為 CREDENTIAL,且 resource.type 原始記錄檔欄位會對應至 target.resource.resource_subtype UDM 欄位。否則,如果 resource.type 記錄檔欄位值等於 iam_role,則 target.resource.resource_type UDM 欄位會設為 ACCESS_POLICY,且 resource.type 原始記錄檔欄位會對應至 target.resource.resource_subtype UDM 欄位。否則,如果 resource.type 記錄檔欄位值等於 cloud_run_job,則 target.resource.resource_type UDM 欄位會設為 TASK,且 resource.type 原始記錄檔欄位會對應至 target.resource.resource_subtype UDM 欄位。否則,如果 resource.type 記錄檔欄位值等於 cloud_run_revision,則 target.resource.resource_type UDM 欄位會設為 BACKEND_SERVICE,且 resource.type 原始記錄檔欄位會對應至 target.resource.resource_subtype UDM 欄位。否則,如果 resource.type 記錄檔欄位值符合規則運算式 gcs_bucket,則 target.resource.resource_type UDM 欄位會設為 STORAGE_BUCKET。否則,如果 resource.type 記錄檔欄位值符合規則運算式 bigquery\.googleapis\.com/SparkJob,則 target.resource.resource_type UDM 欄位會設為 TASK。否則,如果 resource.type 記錄檔欄位值符合規則運算式 bigquery_(biengine_model or dataset),則 target.resource.resource_type UDM 欄位會設為 DATASET。否則,如果 resource.type 記錄檔欄位值符合規則運算式 bigquery_dts_config,則 target.resource.resource_type UDM 欄位會設為 SETTING。否則,如果 resource.type 記錄檔欄位值符合規則運算式 cloudsql or bigquery_project or bigquery_resource,則 target.resource.resource_type UDM 欄位會設為 DATABASE。否則,如果 resource.type 記錄檔欄位值符合規則運算式 service_account,則 target.resource.resource_type UDM 欄位會設為 SERVICE_ACCOUNT。否則,如果 resource.type 記錄檔欄位值符合規則運算式 organization,則 target.resource.resource_type UDM 欄位會設為 CLOUD_ORGANIZATION。否則,如果 resource.type 記錄檔欄位值符合規則運算式 audited_resource or gae_app,則 target.resource.resource_type UDM 欄位會設為 BACKEND_SERVICE。否則,如果 resource.type 記錄檔欄位值符合規則運算式 cloud_function,則 target.resource.resource_type UDM 欄位會設為 FUNCTION。否則,如果 resource.type 記錄檔欄位值符合規則運算式 gce_(network_endpoint_group or node_group),則 target.resource.resource_type UDM 欄位會設為 BACKEND_SERVICE。否則,如果 resource.type 記錄檔欄位值符合規則運算式 gce_(node_template or resource_policy),則 target.resource.resource_type UDM 欄位會設為 SETTING。否則,如果 resource.type 記錄檔欄位值符合規則運算式 gce_disk,則 target.resource.resource_type UDM 欄位會設為 DISK。否則,如果 resource.type 記錄檔欄位值符合規則運算式 k8s_(scale or service),則 target.resource.resource_type UDM 欄位會設為 BACKEND_SERVICE。否則,如果 resource.type 記錄檔欄位值符合規則運算式 k8s_(control_plane_component or container),則 target.resource.resource_type UDM 欄位會設為 CONTAINER。否則,如果 resource.type 記錄檔欄位值符合規則運算式 k8s_node,則 target.resource.resource_type UDM 欄位會設為 VIRTUAL_MACHINE。否則,如果 resource.type 記錄檔欄位值符合規則運算式 k8s_pod,則 target.resource.resource_type UDM 欄位會設為 POD。否則,如果 resource.type 記錄檔欄位值符合規則運算式 k8s_cluster or cloud_dataproc_cluster or gke_cluster or gke_nodepool,則 target.resource.resource_type UDM 欄位會設為 CLUSTER。否則,如果 resource.type 記錄檔欄位值符合規則運算式 gke_container,則 target.resource.resource_type UDM 欄位會設為 CONTAINER。否則,如果 resource.type 記錄檔欄位值符合規則運算式 gkebackup\.googleapis\.com/(BackupPlan or RestorePlan),則 target.resource.resource_type UDM 欄位會設為 SETTING。否則,如果 resource.type 記錄檔欄位值符合規則運算式 gce_(instance or snapshot),則 target.resource.resource_type UDM 欄位會設為 VIRTUAL_MACHINE。否則,如果 resource.type 記錄檔欄位值符合規則運算式 gce_image,則 target.resource.resource_type UDM 欄位會設為 IMAGE。否則,如果 resource.type 記錄檔欄位值包含下列其中一個值,則 resource.type 記錄檔欄位會設為 UNSPECIFIED,且 resource.type 原始記錄檔欄位會對應至 target.resource.resource_subtype UDM 欄位。
否則,如果 resource.type 記錄檔欄位值符合規則運算式 project,則 target.resource.resource_type UDM 欄位會設為 CLOUD_PROJECT。否則,如果 resource.type 記錄檔欄位值符合規則運算式 gke_,則 target.resource.resource_type UDM 欄位會設為 CLUSTER。否則, target.resource.resource_type UDM 欄位會設為 UNSPECIFIED,且 resource.type 原始記錄檔欄位會對應至 target.resource.resource_subtype UDM 欄位。 |
|
protoPayload.response.targetLink |
target.url |
|
protoPayload.metadata.event.eventName.parameter.name[WEB_ADDRESS] |
target.url |
|
protoPayload.request.httpRequest.url |
target.url |
|
resource.discoveryDocumentUri |
target.url |
|
httpRequest.requestUrl |
target.url |
|
protoPayload.request.role.included_permissions[] |
target.user.attribute.permissions.name |
|
protoPayload.metadata.event.eventName.parameter.name[ROLE_ID] |
target.user.attribute.roles.description |
如果 protoPayload.metadata.event.eventName.parameter.name 記錄檔欄位值等於 ROLE_ID,則 Role_ID - protoPayload.metadata.event.eventName.parameter.value 記錄檔欄位會對應至 target.user.attribute.roles.description UDM 欄位。 |
protoPayload.response.bindings[].role |
target.user.attribute.roles.name |
|
protoPayload.metadata.event.eventName.parameter.name[ROLE_NAME] |
target.user.attribute.roles.name |
|
protoPayload.request.serviceAccounts[].email |
target.user.email_addresses |
|
protoPayload.metadata.event.eventName.parameter.value |
target.user.email_addresses |
如果 protoPayload.metadata.event.eventName.parameter.value 記錄欄位值不是空白,且 protoPayload.metadata.event.eventName 記錄欄位值等於 USER_EMAIL、EMAIL_MONITOR_DEST_EMAIL 或 DESTINATION_USER_EMAIL,則 protoPayload.metadata.event.eventName.parameter.value 記錄欄位會對應至 target.user.email_addresses UDM 欄位。 |
protoPayload.metadata.event.eventName.parameter.name[NEW_VALUE] |
target.user.first_name |
如果 protoPayload.metadata.event.eventName 記錄檔欄位值等於 FIRST_NAME,且 protoPayload.metadata.event.eventName.parameter.name 記錄檔欄位值等於 NEW_VALUE,則 protoPayload.metadata.event.eventName.parameter.value 記錄檔欄位會對應至 target.user.first_name UDM 欄位。 |
protoPayload.request.personIdentifier.canonicalPersonId |
target.user.group_identifiers |
|
protoPayload.metadata.event.eventName.parameter.name[NEW_VALUE] |
target.user.last_name |
如果 protoPayload.metadata.event.eventName 記錄檔欄位值等於 LAST_NAME,且 protoPayload.metadata.event.eventName.parameter.name 記錄檔欄位值等於 NEW_VALUE,則 protoPayload.metadata.event.eventName.parameter.value 記錄檔欄位會對應至 target.user.last_name UDM 欄位。 |
protoPayload.metadata.event.eventName.parameter.name[NEW_VALUE] |
target.user.user_display_name |
如果 protoPayload.metadata.event.eventName 記錄檔欄位值等於 RENAME_USER,且 protoPayload.metadata.event.eventName.parameter.name 記錄檔欄位值等於 NEW_VALUE,則 protoPayload.metadata.event.eventName.parameter.value 記錄檔欄位會對應至 target.user.user_display_name UDM 欄位。 |
protoPayload.response.user |
target.user.userid |
|
protoPayload.metadata.event.eventName.parameter.name[USER_EMAIL] |
target.user.userid |
如果 protoPayload.metadata.event.eventName 記錄檔欄位值等於 CREATE_EMAIL_MONITOR 或 CREATE_DATA_TRANSFER_REQUEST,且 protoPayload.metadata.event.eventName.parameter.name 記錄檔欄位值等於 USER_EMAIL,則 protoPayload.metadata.event.eventName.parameter.value 記錄檔欄位會對應至 principal.user.userid UDM 欄位。否則,如果 protoPayload.metadata.event.eventName.parameter.name 記錄檔欄位值等於 USER_EMAIL,則 protoPayload.metadata.event.eventName.parameter.value 記錄檔欄位會對應至 target.user.userid UDM 欄位。 |
protoPayload.metadata.event.eventName.parameter.name[EMAIL_MONITOR_DEST_EMAIL] |
target.user.userid |
|
protoPayload.metadata.event.eventName.parameter.name[DESTINATION_USER_EMAIL] |
target.user.userid |
|
protoPayload.request.user |
target.user.userid |
|
protoPayload.serviceData.policyDelta.bindingDeltas[].member |
target.user.userid |
|
protoPayload.request.objects.db |
about.labels [database_name] (已淘汰) |
|
jsonPayload.accesses[].methodName |
about.labels [methodName] (已淘汰) |
|
protoPayload.request.objects.name |
about.labels [objects_name] (已淘汰) |
|
protoPayload.metadata.event.eventName.parameter.name[API_CLIENT_NAME] |
about.labels[api_client_name] (已淘汰) |
|
protoPayload.metadata.event.eventName.parameter.name[API_SCOPES] |
about.labels[api_scopes] (已淘汰) |
|
protoPayload.metadata.event.eventName.parameter.name[BEGIN_DATE_TIME] |
about.labels[begin_date_time] (已淘汰) |
|
protoPayload.metadata.event.eventName.parameter.name[BULK_UPLOAD_FAIL_USERS_NUMBER] |
about.labels[bulk_upload_fail_users_number] (已淘汰) |
|
protoPayload.metadata.event.eventName.parameter.name[BULK_UPLOAD_TOTAL_USERS_NUMBER] |
about.labels[bulk_upload_total_users_number] (已淘汰) |
|
protoPayload.metadata.event.eventName.parameter.name[CAA_ASSIGNMENTS_NEW] |
about.labels[caa_assignments_new] (已淘汰) |
|
protoPayload.metadata.event.eventName.parameter.name[CAA_ASSIGNMENTS_OLD] |
about.labels[caa_assignments_old] (已淘汰) |
|
protoPayload.metadata.event.eventName.parameter.name[CAA_ENFORCEMENT_ENDPOINTS_NEW] |
about.labels[caa_enforcement_endpoints_new] (已淘汰) |
|
protoPayload.metadata.event.eventName.parameter.name[CAA_ENFORCEMENT_ENDPOINTS_OLD] |
about.labels[caa_enforcement_endpoints_old] (已淘汰) |
|
protoPayload.requestMetadata.requestAttributes.size |
about.labels[caller_network_request_size] (已淘汰) |
|
protoPayload.requestMetadata.requestAttributes.time |
about.labels[caller_network_request_time] (已淘汰) |
|
protoPayload.requestMetadata.callerNetwork |
about.labels[caller_network] (已淘汰) |
|
protoPayload.requestMetadata.requestAttributes.size |
principal.labels[caller_network_request_size] (已淘汰) |
|
protoPayload.requestMetadata.requestAttributes.time |
principal.labels[request_attributes_time] (已淘汰) |
|
protoPayload.requestMetadata.callerNetwork |
principal.labels[caller_network] (已淘汰) |
|
protoPayload.metadata.event.eventName.parameter.name[CHROME_LICENSES_ENABLED] |
about.labels[chrome_licenses_enabled] (已淘汰) |
|
protoPayload.metadata.event.eventName.parameter.name[END_DATE_TIME] |
about.labels[end_date_time] (已淘汰) |
|
protoPayload.metadata.event.eventName.parameter.name[END_DATE] |
about.labels[end_date] (已淘汰) |
|
protoType.metadata.event[].eventName |
about.labels[event_name] (已淘汰) |
|
protoPayload.metadata.event.parameter[].label |
about.labels[event_param_label] (已淘汰) |
|
protoPayload.metadata.event.parameter[].type |
about.labels[event_param_type] (已淘汰) |
|
protoType.metadata.event[].eventType |
about.labels[event_type] (已淘汰) |
|
protoPayload.metadata.event.eventName.parameter.name[FIELD_NAME] |
about.labels[field_name] (已淘汰) |
|
protoPayload.metadata.event.eventName.parameter.name[FULL_ORG_UNIT_PATH] |
about.labels[full_org_unit_path] (已淘汰) |
|
protoPayload.metadata.event.eventName.parameter.name[GROUP_MEMBER_BULK_UPLOAD_FAILED_NUMBER] |
about.labels[grp_member_bulk_upload_failed] (已淘汰) |
|
protoPayload.metadata.event.eventName.parameter.name[GROUP_MEMBER_BULK_UPLOAD_TOTAL_NUMBER] |
about.labels[grp_member_bulk_upload_total] (已淘汰) |
|
httpRequest.cacheFillBytes |
about.labels[httpreq_cache_fill_bytes] (已淘汰) |
|
httpRequest.cacheHit |
about.labels[httpreq_cache_hit] (已淘汰) |
|
httpRequest.cacheLookup |
about.labels[httpreq_cache_lookup] (已淘汰) |
|
httpRequest.cacheValidatedWithOriginServer |
about.labels[httpreq_cache_validated_with_origin_server] (已淘汰) |
|
httpRequest.latency |
about.labels[httprequest_latency] (已淘汰) |
|
protoPayload.metadata.event.eventName.parameter.name[INFO_TYPE] |
about.labels[info_type] (已淘汰) |
|
protoPayload.metadata.activityId.timeUsec |
about.labels[metadata_activityId_time_usec] (已淘汰) |
|
protoPayload.metadata.activityId.uniqQualifier |
about.labels[metadata_activityId_uniq_qualifier] (已淘汰) |
|
protoPayload.metadata.@type |
about.labels[metadata_type] (已淘汰) |
|
protoPayload.metadata.event.eventName.parameter.name[NEW_PERMISSION_GRANT_STATE] |
about.labels[new_permission_grant_state] (已淘汰) |
|
protoPayload.metadata.event.eventName.parameter.name[NUMBER_OF_COMPANY_OWNED_DEVICES] |
about.labels[num_of_company_owned_device] (已淘汰) |
|
protoPayload.numResponseItems |
about.labels[num_response_items] (已淘汰) |
|
protoPayload.metadata.event.eventName.parameter.name[OLD_PERMISSION_GRANT_STATE] |
about.labels[old_permission_grant_state] (已淘汰) |
|
operation.first |
about.labels[operation_first] (已淘汰) |
|
operation.id |
about.labels[operation_id] (已淘汰) |
|
operation.last |
about.labels[operation_last] (已淘汰) |
|
operation.producer |
about.labels[operation_producer] (已淘汰) |
|
protoPayload.resourceOriginalState.selfLinkWithId |
about.labels[rc_old_selflinkWithId] (已淘汰) |
|
protoPayload.metadata.event.eventName.parameter.name[REAUTH_SETTING_NEW] |
about.labels[reauth_setting_new] (已淘汰) |
|
protoPayload.metadata.event.eventName.parameter.name[REAUTH_SETTING_OLD] |
about.labels[reauth_setting_old] (已淘汰) |
|
protoPayload.request.alloweds[].ports |
about.labels[req_alloweds_ports] (已淘汰) |
|
protoPayload.request.body.name |
about.labels[req_body_name] (已淘汰) |
|
protoPayload.request.body.settings.activityPolicy |
about.labels[req_body_settings_activity_policy] (已淘汰) |
|
protoPayload.request.deletionProtection |
about.labels[req_deletion_protection] (已淘汰) |
|
protoPayload.request.disabled |
about.labels[req_disabled] (已淘汰) |
|
protoPayload.request.displayDevice.enableDisplay |
about.labels[req_display_device_enable_display] (已淘汰) |
|
protoPayload.request.enableFlowLogs |
about.labels[req_enable_flow_logs] (已淘汰) |
|
protoPayload.request.fingerprint |
about.labels[req_fingerprint] (已淘汰) |
|
protoPayload.request.shieldedInstanceConfig.enableSecureBoot |
about.labels[req_instance_config_enable_secure_boot] (已淘汰) |
|
protoPayload.request.shieldedInstanceConfig.enableVtpm |
about.labels[req_instance_config_enable_vtpm] (已淘汰) |
|
protoPayload.request.shieldedInstanceConfig.enableIntegrityMonitoring |
about.labels[req_instance_enable_integrity_monitoring] (已淘汰) |
|
protoPayload.request.key_types[] |
about.labels[req_key_types] (已淘汰) |
|
protoPayload.request.logconfig.enable |
about.labels[req_logconfig_enable] (已淘汰) |
|
protoPayload.request.networkTier |
about.labels[req_network_tier] (已淘汰) |
|
protoPayload.request.network |
about.labels[req_network] (已淘汰) |
|
protoPayload.request.page_size |
about.labels[req_page_size] (已淘汰) |
|
request.pagesize |
about.labels[req_page_size] (已淘汰) |
|
protoPayload.request.policy.etag |
about.labels[req_policy_etag] (已淘汰) |
|
protoPayload.request.portRange |
about.labels[req_port_range] (已淘汰) |
|
protoPayload.request.privateIpGoogleAccess |
about.labels[req_private_ip_google_access] (已淘汰) |
|
protoPayload.request.private_key_type |
about.labels[req_private_key_type] (已淘汰) |
|
protoPayload.request.remove_deleted_service_accounts |
about.labels[req_remove_deleted_serviceAcc] (已淘汰) |
|
protoPayload.request.showDeleted |
about.labels[req_show_deleted] (已淘汰) |
|
protoPayload.request.skip_visibility_check |
about.labels[req_skip_visibility_check] (已淘汰) |
|
protoPayload.request.stackType |
about.labels[req_stack_type] (已淘汰) |
|
protoPayload.request.type |
about.labels[req_type] (已淘汰) |
|
protoPayload.request.updateMask |
about.labels[req_update_mask] (已淘汰) |
|
protoPayload.request.version |
about.labels[req_version] (已淘汰) |
|
protoPayload.response.clientOperationId |
about.labels[res_client_operation_id] (已淘汰) |
|
protoPayload.response.endTime |
about.labels[res_end_time] (已淘汰) |
|
protoPayload.response.id |
about.labels[res_id] (已淘汰) |
|
protoPayload.response.key_algorithm |
about.labels[res_key_algorithm] (已淘汰) |
|
protoPayload.response.key_origin |
about.labels[res_key_origin] (已淘汰) |
|
protoPayload.response.key_type |
about.labels[res_key_type] (已淘汰) |
|
protoPayload.response.kind |
about.labels[res_kind] (已淘汰) |
|
protoPayload.response.private_key_type |
about.labels[res_private_key_type] (已淘汰) |
|
protoPayload.response.progress |
about.labels[res_progress] (已淘汰) |
|
protoPayload.response.startTime |
about.labels[res_start_time] (已淘汰) |
|
protoPayload.response.status |
about.labels[res_status] (已淘汰) |
如果 protoPayload.methodName 記錄檔欄位值等於 cloudsql.instances.create,則 protoPayload.response.status 記錄檔欄位會對應至 security_result.description UDM 欄位。 |
protoPayload.response.type |
about.labels[res_type] (已淘汰) |
|
protoPayload.response.unique_id |
about.labels[res_unique_id] (已淘汰) |
如果 protoPayload.methodName 記錄檔欄位值符合規則運算式 (CreateServiceAccount, CreateWorkloadIdentityPool, CreateWorkloadIdentityPoolProvider, managedZones.create, changes.create, resourceRecordSets.create, responsePolicies.create, responsePolicyRules.create, policies.create, CreateRole, CreatePolicy, CreateServiceAccountKey, CreateWorkforcePool, CreateWorkforcePoolProvider),則 protoPayload.response.unique_id 記錄檔欄位會對應至 target.resource.product_object_id UDM 欄位。 |
protoPayload.response.valid_after_time.seconds |
about.labels[res_valid_after_time] (已淘汰) |
|
protoPayload.response.valid_before_time.seconds |
about.labels[res_valid_before_time] (已淘汰) |
|
protoPayload.response.version |
about.labels[res_version] (已淘汰) |
|
protoPayload.response.zone |
about.labels[res_zone] (已淘汰) |
|
protoPayload.metadata.event.eventName.parameter.name[SEARCH_QUERY_FOR_DUMP] |
about.labels[search_query_for_dump] (已淘汰) |
|
spanId |
about.labels[span_id] (已淘汰) |
|
protoPayload.metadata.event.eventName.parameter.name[START_DATE] |
about.labels[start_date] (已淘汰) |
|
traceSampled |
about.labels[trace_sampled] (已淘汰) |
|
Trace |
about.labels[trace] (已淘汰) |
|
protoPayload.@type |
about.labels[type] (已淘汰) |
|
protoPayload.metadata.instanceMetadataDelta.addedMetadataKeys |
metadata.ingestion_labels [instance_metadata_key_added] |
|
protoPayload.metadata.instanceMetadataDelta.deletedMetadataKeys |
metadata.ingestion_labels [instance_metadata_key_deletion] |
|
protoPayload.metadata.instanceMetadataDelta.modifiedMetadataKeys |
metadata.ingestion_labels [instance_metadata_key_modification] |
|
protoPayload.metadata.projectMetadataDelta.addedMetadataKeys |
metadata.ingestion_labels [AddedMetadataKeys] |
|
protoPayload.metadata.projectMetadataDelta.deletedMetadataKeys |
metadata.ingestion_labels [DeletedMetadataKeys] |
|
protoPayload.metadata.projectMetadataDelta.modifiedMetadataKeys |
metadata.ingestion_labels [ModifiedMetadataKeys] |
|
protoPayload.redactions.reason |
principal.labels [protoPayload.redactions.field] (已淘汰) |
|
protoPayload.redactions.type |
principal.labels [protoPayload.redactions.field] (已淘汰) |
|
authenticationInfo.serviceAccountDelegationInfo.firstPartyPrincipal.serviceMetadata |
principal.labels [service_metadata] (已淘汰) |
|
jsonPayload.sourceNetwork |
principal.labels [source_network] (已淘汰) |
|
authenticationInfo.serviceAccountDelegationInfo.thirdPartyPrincipal.thirdPartyClaims |
principal.labels [third_party_claims] (已淘汰) |
|
protoPayload.requestMetadata.requestAttributes.time |
principal.labels[caller_network_request_time] (已淘汰) |
|
protoPayload.request.description |
principal.labels[req_description] (已淘汰) |
|
protoPayload.request.ipCidrRange |
principal.labels[req_ip_cidr_range] (已淘汰) |
|
protoPayload.request.sourceRanges[] |
principal.labels[req_source_ranges] (已淘汰) |
|
protoPayload.requestMetadata.requestAttributes.reason |
principal.labels[request_attributes_reason] (已淘汰) |
|
protoPayload.authenticationInfo.thirdPartyPrincipal |
principal.labels[third_party_principal] (已淘汰) |
|
protoPayload.metadata.jobChange.after |
target.resource_ancestors.attribute.labels[jobchange_after] |
|
protoPayload.metadata.jobChange.before |
target.resource_ancestors.attribute.labels[jobchange_before] |
|
protoPayload.metadata.jobChange.job.jobConfig.queryConfig.query |
target.resource_ancestors.attribute.labels[jobchange_jobconfig_queryconfig_query] |
|
protoPayload.metadata.jobChange.job.jobConfig.queryConfig.createDisposition |
target.resource_ancestors.attribute.labels[jobchange_jobconfig_queryconfig_createdisposition] |
|
protoPayload.metadata.jobChange.job.jobConfig.queryConfig.destinationTable |
target.resource_ancestors.attribute.labels[jobchange_jobconfig_queryconfig_destinationtable] |
|
protoPayload.metadata.jobChange.job.jobConfig.queryConfig.priority |
target.resource_ancestors.attribute.labels[jobchange_jobconfig_queryconfig_priority] |
|
protoPayload.metadata.jobChange.job.jobConfig.queryConfig.writeDisposition |
target.resource_ancestors.attribute.labels[jobchange_jobconfig_queryconfig_writedisposition] |
|
protoPayload.metadata.jobChange.job.jobConfig.tableCopyConfig.createDisposition |
target.resource_ancestors.attribute.labels[jobchange_jobconfig_tablecopyconfig_createdisposition] |
|
protoPayload.metadata.jobChange.job.jobConfig.tableCopyConfig.destinationTable |
target.resource_ancestors.attribute.labels[jobchange_jobconfig_tablecopyconfig_destinationtable] |
|
protoPayload.metadata.jobChange.job.jobConfig.tableCopyConfig.operationType |
target.resource_ancestors.attribute.labels[jobchange_jobconfig_tablecopyconfig_operationtype] |
|
protoPayload.metadata.jobChange.job.jobConfig.tableCopyConfig.writeDisposition |
target.resource_ancestors.attribute.labels[jobchange_jobconfig_tablecopyconfig_writedisposition] |
|
protoPayload.metadata.jobChange.job.jobConfig.type |
target.resource_ancestors.attribute.labels[jobchange_jobconfig_type] |
|
protoPayload.metadata.jobChange.job.jobName |
target.resource_ancestors.name |
|
protoPayload.metadata.jobChange.job.jobStats.createTime |
target.resource_ancestors.attribute.creation_time |
|
protoPayload.metadata.jobChange.job.jobStats.endTime |
target.resource_ancestors.attribute.labels[jobchange_jobstats_endtime] |
|
protoPayload.metadata.jobChange.job.jobStats.queryStats |
target.resource_ancestors.attribute.labels[jobchange_jobstats_querystats] |
|
protoPayload.metadata.jobChange.job.jobStats.reservation |
target.resource_ancestors.attribute.labels[jobchange_jobstats_reservation] |
|
protoPayload.metadata.jobChange.job.jobStats.startTime |
target.resource_ancestors.attribute.labels[jobchange_jobstats_starttime] |
|
protoPayload.metadata.jobChange.job.jobStatus.errorResult.code |
security_result.detection_fields[jobchange_jobstatus_errorresult_code] |
|
protoPayload.metadata.jobChange.job.jobStatus.errorResult.message |
security_result.detection_fields[jobchange_jobstatus_errorresult_message] |
|
protoPayload.metadata.jobChange.job.jobStatus.jobState |
target.resource_ancestors.attribute.labels[jobstatus_jobstate] |
|
protoPayload.metadata.jobChange.job.jobConfig.tableCopyConfig.sourceTables |
target.resource_ancestors.attribute.labels[jobchange_jobconfig_tablecopyconfig_sourcetables] |
|
protoPayload.metadata.jobChange.job.jobStatus.errors.code |
security_result.detection_fields[jobchange_jobstatus_errors_code] |
|
protoPayload.metadata.jobChange.job.jobStatus.errors.message |
security_result.detection_fields[jobchange_jobstatus_errors_message] |
|
protoPayload.metadata.jobChange.job.jobConfig.extractConfig.sourceTable |
target.resource_ancestors.attribute.labels[jobchange_jobconfig_extractconfig_sourcetable] |
|
protoPayload.metadata.jobChange.job.jobConfig.extractConfig.destinationUris |
target.resource_ancestors.attribute.labels[jobchange_jobconfig_extractconfig_destinationuris] |
|
protoPayload.metadata.jobInsertion.job.jobConfig.queryConfig.query |
target.resource_ancestors.attribute.labels[jobinsertion_jobconfig_queryconfig_query] |
|
protoPayload.metadata.jobInsertion.job.jobConfig.queryConfig.createDisposition |
target.resource_ancestors.attribute.labels[jobinsertion_jobconfig_queryconfig_createdisposition] |
|
protoPayload.metadata.jobInsertion.job.jobConfig.queryConfig.destinationTable |
target.resource_ancestors.attribute.labels[jobinsertion_jobconfig_queryconfig_destinationtable] |
|
protoPayload.metadata.jobInsertion.job.jobConfig.queryConfig.priority |
target.resource_ancestors.attribute.labels[jobinsertion_jobconfig_queryconfig_priority] |
|
protoPayload.metadata.jobInsertion.job.jobConfig.queryConfig.writeDisposition |
target.resource_ancestors.attribute.labels[jobinsertion_jobconfig_queryconfig_writedisposition] |
|
protoPayload.metadata.jobInsertion.job.jobConfig.tableCopyConfig.createDisposition |
target.resource_ancestors.attribute.labels[jobinsertion_jobconfig_tablecopyconfig_createdisposition] |
|
protoPayload.metadata.jobInsertion.job.jobConfig.tableCopyConfig.destinationTable |
target.resource_ancestors.attribute.labels[jobinsertion_jobconfig_tablecopyconfig_destinationtable] |
|
protoPayload.metadata.jobInsertion.job.jobConfig.tableCopyConfig.operationType |
target.resource_ancestors.attribute.labels[jobinsertion_jobconfig_tablecopyconfig_operationtype] |
|
protoPayload.metadata.jobInsertion.job.jobConfig.tableCopyConfig.writeDisposition |
target.resource_ancestors.attribute.labels[jobinsertion_jobconfig_tablecopyconfig_writedisposition] |
|
protoPayload.metadata.jobInsertion.job.jobConfig.type |
target.resource_ancestors.attribute.labels[jobinsertion_jobconfig_type] |
|
protoPayload.metadata.jobInsertion.job.jobName |
target.resource_ancestors.name |
|
protoPayload.metadata.jobInsertion.job.jobStats.createTime |
target.resource_ancestors.attribute.creation_time |
|
protoPayload.metadata.jobInsertion.job.jobStats.reservation |
target.resource_ancestors.attribute.labels[jobinsertion_jobstats_reservation] |
|
protoPayload.metadata.jobInsertion.job.jobStats.queryStats |
target.resource_ancestors.attribute.labels[jobinsertion_jobstats_querystats] |
|
protoPayload.metadata.jobInsertion.job.jobStats.startTime |
target.resource_ancestors.attribute.labels[jobinsertion_jobstats_starttime] |
|
protoPayload.metadata.jobInsertion.job.jobStats.endTime |
target.resource_ancestors.attribute.labels[jobinsertion_jobstats_endtime] |
|
protoPayload.metadata.jobInsertion.job.jobStatus.errorResult.code |
security_result.detection_fields[jobinsertion_jobstatus_errorresult_code] |
|
protoPayload.metadata.jobInsertion.job.jobStatus.errorResult.message |
security_result.detection_fields[jobinsertion_jobstatus_errorresult_message] |
|
protoPayload.metadata.jobInsertion.job.jobStatus.jobState |
target.resource_ancestors.attribute.labels[jobinsertion_jobstatus_jobstate] |
|
protoPayload.metadata.jobInsertion.reason |
target.resource_ancestors.attribute.labels[jobinsertion_reason] |
|
protoPayload.metadata.jobInsertion.job.jobConfig.tableCopyConfig.sourceTables |
target.resource_ancestors.attribute.labels[jobinsertion_jobconfig_tablecopyconfig_sourcetables] |
|
protoPayload.metadata.jobInsertion.job.jobStatus.errors.code |
security_result.detection_fields[jobinsertion_jobstatus_errors_code] |
|
protoPayload.metadata.jobInsertion.job.jobStatus.errors.message |
security_result.detection_fields[jobinsertion_jobstatus_errors_message] |
|
protoPayload.metadata.jobInsertion.job.jobConfig.extractConfig.sourceTable |
target.resource_ancestors.attribute.labels[jobinsertion_jobconfig_extractconfig_sourcetable] |
|
protoPayload.metadata.jobInsertion.job.jobConfig.extractConfig.destinationUris |
target.resource_ancestors.attribute.labels[jobinsertion_jobconfig_extractconfig_destinationuris] |
|
protoPayload.response.buildConfig.entryPoint |
target.resource.attribute.labels[buildconfig_entrypoint] |
|
protoPayload.request.member |
target.user.email_addresses |
|
protoPayload.request.email |
target.user.email_addresses |
|
protoPayload.metadata.jobInsertion.reason |
target.resource.attribute.labels[job_insertion_reason] |
|
protoPayload.metadata.jobInsertion.job.jobConfig.queryConfig.statementType |
target.resource.attribute.labels[job_insertion_job_job_config_query_config_statement_type] |
|
protoPayload.metadata.jobInsertion.job.jobStatus.jobState |
target.resource.attribute.labels[job_insertion_job_job_status_job_state] |
|
protoPayload.response.state |
target.resource.attribute.labels[response_state] |
|
protoPayload.request.metadata.state |
target.resource.attribute.labels[request_state] |
|
protoPayload.authenticationInfo.principalSubject |
principal.user.userid |
如果 protoPayload.authenticationInfo.principalSubject 記錄檔欄位值不為空,系統會使用 Grok 模式從 protoPayload.authenticationInfo.principalSubject 記錄檔欄位擷取 new_user_id,並對應至 principal.user.userid UDM 欄位。 |
protoPayload.authenticationInfo.principalSubject |
principal.user.email_addresses |
如果 protoPayload.authenticationInfo.principalSubject 記錄檔欄位值不為空,系統會使用 Grok 模式從 protoPayload.authenticationInfo.principalSubject 記錄檔欄位擷取 new_email_id,並對應至 principal.user.email_addresses UDM 欄位。 |
protoPayload.authenticationInfo.serviceAccountDelegationInfo.principalSubject |
principal.user.attribute.labels[access_serviceAcc_principalSubject] |
|
protoPayload.response.oauth2_client_id |
principal.user.attribute.labels[response_oauth2_client_id] |
|
protoPayload.authorizationInfo.resourceAttributes.service |
principal.resource.attribute.labels[authorization_info_rcService] |
|
protoPayload.authorizationInfo.granted |
principal.user.attributes.labels[authorization_granted] |
|
protoPayload.request.cryptoKey.versionTemplate.algorithm |
security_result.detection_fields [algorithm] |
|
protoPayload.response.details[].@type |
security_result.detection_fields [details_type] |
|
protoPayload.request.cryptoKey.nextRotationTime |
security_result.detection_fields [next_rotation_time] |
|
protoPayload.request.cryptoKey.versionTemplate.protectionLevel |
security_result.detection_fields [protection_level] |
|
protoPayload.request.body.settings.ipConfiguration.authorizedNetworks.value |
security_result.detection_fields [protoPayload.request.body.settings.ipConfiguration.authorizedNetworks.kind] |
|
protoPayload.request.cryptoKey.purpose |
security_result.detection_fields [purpose] |
|
protoPayload.resourceName |
security_result.detection_fields [resource_name] |
|
protoPayload.authorizationInfo.resource |
security_result.detection_fields [resource] |
|
protoPayload.response.code |
security_result.detection_fields [response_code] |
|
protoPayload.request.cryptoKey.rotationPeriod |
security_result.detection_fields [rotation_period] |
|
protoPayload.metadata.securityPolicyInfo.organizationId |
security_result.detection_fields [securityPolicyInfo.organizationId] |
|
protoPayload.request.serviceAccounts[].scopes |
security_result.detection_fields [service_account_scope] |
|
protoPayload.response.details[].violations[].subject |
security_result.detection_fields [violation_subject] |
|
protoPayload.response.details[].violations[].type |
security_result.detection_fields [violation_type] |
|
protoPayload.metadata.event.eventName.parameter.name[ACTION_ID] |
security_result.detection_fields[action_id] |
|
protoPayload.serviceData.policyDelta.auditConfigDeltas[].action |
security_result.detection_fields[action] |
|
protoPayload.metadata.event.eventName.parameter.name[ALERT_NAME] |
security_result.detection_fields[alert_name] |
|
protoPayload.metadata.event.eventName.parameter.name[ALLOWED_TWO_STEP_VERIFICATION_METHOD] |
security_result.detection_fields[allowed_two_step_verification_method] |
|
protoPayload.requestMetadata.callerNetwork.requestAttributes.reason |
security_result.detection_fields[caller_network_request_reason] |
|
protoPayload.metadata.event.eventName.parameter.name[is_second_factor] |
security_result.detection_fields[is_second_factor] |
如果 protoPayload.metadata.event.eventName 記錄檔欄位值等於 login_verification,且 protoPayload.metadata.event.eventName.parameter.name 記錄檔欄位值等於 is_second_factor,則 protoPayload.metadata.event.eventName.parameter.value 記錄檔欄位會對應至 security_result.detection_fields.value UDM 欄位。 |
protoPayload.metadata.event.eventName.parameter.name[is_suspicious] |
security_result.detection_fields[is_suspicious] |
如果 protoPayload.metadata.event.eventName 記錄檔欄位值等於 login_success,且 protoPayload.metadata.event.eventName.parameter.name 記錄檔欄位值等於 is_suspicious,則 protoPayload.metadata.event.eventName.parameter.boolValue 記錄檔欄位會對應至 security_result.detection_fields.value UDM 欄位。 |
protoPayload.metadata.event.eventName.parameter.name[login_failure_type] |
security_result.detection_fields[login_failure_type] |
如果 protoPayload.metadata.event.eventName 記錄檔欄位值等於 login_failure,且 protoPayload.metadata.event.eventName.parameter.name 記錄檔欄位值等於 login_failure_type,則 protoPayload.metadata.event.eventName.parameter.value 記錄檔欄位會對應至 security_result.detection_fields.value UDM 欄位。 |
protoPayload.metadata.event.eventName.parameter.name[login_type] |
security_result.detection_fields[login_type] |
如果 protoPayload.metadata.event.eventName 記錄檔欄位值等於 login_failure、login_challenge、login_verification、login_success 或 logout,且 protoPayload.metadata.event.eventName.parameter.name 記錄檔欄位值等於 login_type,則 protoPayload.metadata.event.eventName.parameter.value 記錄檔欄位會對應至 about.labels.value UDM 欄位。 |
protoPayload.request.bindings.members[] |
security_result.detection_fields[members] |
|
protoPayload.policyViolationInfo.orgPolicyViolationInfo.violationInfo.checkedValue |
security_result.detection_fields[policy_violation_checked_value] |
|
protoPayload.policyViolationInfo.orgPolicyViolationInfo.violationInfo.constraint |
security_result.detection_fields[policy_violation_constraint] |
|
protoPayload.policyViolationInfo.orgPolicyViolationInfo.resourceTags |
security_result.detection_fields[policy_violation_resource_tags] |
|
protoPayload.policyViolationInfo.orgPolicyViolationInfo.resourceType |
security_result.detection_fields[policy_violation_resource_type] |
|
protoPayload.metadata.event.eventName.parameter.name[QUARANTINE_NAME] |
security_result.detection_fields[quarantine_name] |
|
protoPayload.resourceOriginalState.logconfig.enable |
security_result.detection_fields[rc_orgState_logconfig_enable] |
|
protoPayload.request.alloweds[].ports |
security_result.detection_fields[req_alloweds_ports] |
|
protoPayload.response.error.errors[].domain |
security_result.detection_fields[res_error_domain] |
|
protoPayload.resourceOriginalState.direction |
security_result.detection_fields[resource_original_state_direction] |
|
protoPayload.authenticationInfo.serviceAccountKeyName |
security_result.detection_fields[service_account_key_name] |
|
Referred this from Default parser. |
security_result.detection_fields[SERVICE] |
|
protoPayload.status.details.type |
security_result.detection_fields[status_details_type] |
|
protoPayload.status.details.violations.subject |
security_result.detection_fields[status_details_violation_subject] |
|
protoPayload.status.details.violations.type |
security_result.detection_fields[status_details_violation_type] |
|
sourceLocation.function |
src.labels[src_location_function] |
|
sourceLocation.line |
src.labels[src_location_line] |
|
protoPayload.metadata.event.eventName.parameter.name[DEVICE_NEW_STATE] |
target.asset.attribute.labels[dvc_new_state] |
|
protoPayload.metadata.event.eventName.parameter.name[DEVICE_PREVIOUS_STATE] |
target.asset.attribute.labels[dvc_previous_state] |
|
protoPayload.metadata.event.eventName.parameter.name[DEVICE_TYPE] |
target.asset.attribute.labels[dvc_type] |
|
protoPayload.metadata.event.eventName.parameter.name[MANAGED_CONFIGURATION_NAME] |
target.asset.attribute.labels[managed_config_name] |
|
protoPayload.metadata.event.eventName.parameter.name[MOBILE_APP_PACKAGE_ID] |
target.asset.attribute.labels[mobile_app_package_id] |
|
protoPayload.metadata.event.eventName.parameter.name[MOBILE_CERTIFICATE_COMMON_NAME] |
target.asset.attribute.labels[mobile_certificate_common_name] |
|
protoPayload.metadata.event.eventName.parameter.name[MOBILE_WIRELESS_NETWORK_NAME] |
target.asset.attribute.labels[mobile_wireless_network_name] |
|
protoPayload.metadata.event.eventName.parameter.name[PLAY_FOR_WORK_MDM_VENDOR_NAME] |
target.asset.attribute.labels[play_for_work_mdm_vendor_name] |
|
protoPayload.metadata.event.eventName.parameter.name[PLAY_FOR_WORK_TOKEN_ID] |
target.asset.attribute.labels[play_for_work_token_id] |
|
resource.labels.instance_id |
target.asset.attribute.labels[rc_instance_id] |
|
protoPayload.metadata.event.eventName.parameter.name[SKU_NAME] |
target.asset.attribute.labels[sku_name] |
|
protoPayload.response.targetId |
target.asset.attribute.labels[target_id] |
如果 protoPayload.methodName 記錄檔欄位值不等於 cloudsql.instances.create,則 protoPayload.response.targetId 記錄檔欄位會對應至 target.asset.attribute.labels.value UDM 欄位。 |
resource.labels.backend_service_name |
target.labels [backend_service_name] (已淘汰) |
|
protoPayload.requestMetadata.requestAttributes.auth.claims |
target.labels [request_auth_claims] (已淘汰) |
|
protoPayload.metadata.event.eventName.parameter.name[APPLICATION_EDITION] |
target.labels[application_edition] (已淘汰) |
|
protoPayload.metadata.event.eventName.parameter.name[ASP_ID] |
target.labels[asp_id] (已淘汰) |
|
protoPayload.metadata.event.eventName.parameter.name[CHROME_OS_SESSION_TYPE] |
target.labels[chrome_os_session_type] (已淘汰) |
|
protoPayload.metadata.event.eventName.parameter.name[DEVICE_NEW_ORG_UNIT] |
target.labels[device_new_org_unit] (已淘汰) |
|
protoPayload.metadata.event.eventName.parameter.name[DEVICE_PREVIOUS_ORG_UNIT] |
target.labels[device_previous_org_unit] (已淘汰) |
|
protoPayload.metadata.event.eventName.parameter.name[DOMAIN_ALIAS] |
target.labels[domain_alias] (已淘汰) |
|
protoPayload.metadata.event.eventName.parameter.name[EMAIL_EXPORT_INCLUDE_DELETED] |
target.labels[email_export_include_deleted] (已淘汰) |
|
protoPayload.metadata.event.eventName.parameter.name[EMAIL_EXPORT_PACKAGE_CONTENT] |
target.labels[email_export_package_content] (已淘汰) |
|
protoPayload.metadata.event.eventName.parameter.name[EMAIL_LOG_SEARCH_END_DATE] |
target.labels[email_log_search_end_date] (已淘汰) |
|
protoPayload.metadata.event.eventName.parameter.name[EMAIL_LOG_SEARCH_START_DATE] |
target.labels[email_log_search_start_date] (已淘汰) |
|
protoPayload.metadata.event.eventName.parameter.name[EMAIL_MONITOR_LEVEL_CHAT] |
target.labels[email_monitor_level_chat] (已淘汰) |
|
protoPayload.metadata.event.eventName.parameter.name[EMAIL_MONITOR_LEVEL_DRAFT_EMAIL] |
target.labels[email_monitor_level_draft_email] (已淘汰) |
|
protoPayload.metadata.event.eventName.parameter.name[EMAIL_MONITOR_LEVEL_INCOMING_EMAIL] |
target.labels[email_monitor_level_in_email] (已淘汰) |
|
protoPayload.metadata.event.eventName.parameter.name[EMAIL_MONITOR_LEVEL_OUTGOING_EMAIL] |
target.labels[email_monitor_level_out_email] (已淘汰) |
|
protoPayload.metadata.event.eventName.parameter.name[GMAIL_RESET_REASON] |
target.labels[email_reset_reason] (已淘汰) |
|
protoPayload.metadata.event.eventName.parameter.name[NEW_VALUE] |
target.labels[new_value] (已淘汰) |
|
protoPayload.metadata.event.eventName.parameter.name[OAUTH2_APP_TYPE] |
target.labels[oauth2_app_type] (已淘汰) |
|
protoPayload.metadata.event.eventName.parameter.name[OLD_VALUE] |
target.labels[old_value] (已淘汰) |
|
protoPayload.requestMetadata.destinationAttributes.principal |
target.labels[peer_principal] (已淘汰) |
|
protoPayload.requestMetadata.destinationAttributes.regionCode |
target.labels[peer_region_code] (已淘汰) |
|
protoPayload.request.loadBalancingScheme |
target.labels[req_load_balancing_scheme] (已淘汰) |
|
protoPayload.request.requestId |
target.labels[request_id] (已淘汰) |
|
protoPayload.metadata.event.eventName.parameter.name[REQUEST_ID] |
target.labels[request_id] (已淘汰) |
|
protoPayload.resourceOriginalState.description |
target.labels[res_originalState_description] (已淘汰) |
|
protoPayload.response.bindings[].members[] |
target.labels[response_bindings_members] (已淘汰) |
|
protoPayload.response.description |
target.labels[response_description] (已淘汰) |
|
protoPayload.response.display_name |
target.labels[response_display_name] (已淘汰) |
|
protoPayload.metadata.event.eventName.parameter.name[SECONDARY_DOMAIN_NAME] |
target.labels[secondary_domain_name] (已淘汰) |
|
protoPayload.metadata.event.eventName.parameter.name[SETTING_NAME] |
target.labels[setting_name] (已淘汰) |
|
protoPayload.metadata.event.eventName.parameter.name[USER_CUSTOM_FIELD] |
target.labels[user_custom_field] (已淘汰) |
|
protoPayload.metadata.event.eventName.parameter.name[USER_DEFINED_SETTING_NAME] |
target.labels[user_defined_setting_name] (已淘汰) |
|
protoPayload.metadata.event.eventName.parameter.name[WEB_ORIGIN] |
target.labels[web_origin] (已淘汰) |
|
protoPayload.metadata.event.eventName.parameter.name[WHITELISTED_GROUPS] |
target.labels[whitelisted_groups] (已淘汰) |
|
protoPayload.metadata.event.eventName.parameter.name[APP_LICENSES_ORDER_NUMBER] |
target.asset.labels[app_licenses_order_number] |
|
protoPayload.metadata.event.eventName.parameter.name[CHROME_NUM_LICENSES_PURCHASED] |
target.asset.labels[chrome_num_licenses_purchased] |
|
protoPayload.metadata.event.eventName.parameter.name[DEVICE_COMMAND_DETAILS] |
target.asset.labels[device_command_details] |
|
protoPayload.metadata.event.eventName.parameter.name[DIRECTORY_API_ID] |
target.asset.labels[directory_api_id] |
|
protoPayload.metadata.event.eventName.parameter.name[GROUP_PRIORITIES] |
target.group.attribute.labels[group_priorities] |
|
protoPayload.request.cluster.subnetwork |
target.resource_ancestor.attribute.labels[req_cls_subnetwork] |
|
protoPayload.request.cluster.nodePools[].autoscaling.enabled |
target.resource_ancestor.attribute.labels[req_clsNodePools_autoscaling_enabled] |
|
protoPayload.request.cluster.nodePools[].autoscaling.maxNodeCount |
target.resource_ancestor.attribute.labels[req_clsNodePools_autoscaling_max_node_cnt] |
|
protoPayload.request.cluster.nodePools[].autoscaling.minNodeCount |
target.resource_ancestor.attribute.labels[req_clsNodePools_autoscaling_min_node_cnt] |
|
protoPayload.request.cluster.nodePools[].management.autoupgrade |
target.resource_ancestor.attribute.labels[req_clsNodePools_autoupgrade] |
|
protoPayload.request.cluster.nodePools[].config.diskSizeGb |
target.resource_ancestor.attribute.labels[req_clsNodePools_config_disksize] |
|
protoPayload.request.cluster.nodePools[].config.imageType |
target.resource_ancestor.attribute.labels[req_clsNodePools_config_imagetype] |
|
protoPayload.request.cluster.nodePools[].config.machineType |
target.resource_ancestor.attribute.labels[req_clsNodePools_config_machinetype] |
|
protoPayload.request.cluster.nodePools[].config.oauthScopes[] |
target.resource_ancestor.attribute.labels[req_clsNodePools_config_oauth_scopes] |
|
protoPayload.request.cluster.nodePools[].name |
target.resource_ancestor.attribute.labels[req_clsNodePools_name] |
|
protoPayload.request.cluster.nodePools[].initialNodeCount |
target.resource_ancestor.attribute.labels[req_clsterNodePools_autoscaling_initial_node_cnt] |
|
resource.data.oauth2ClientId |
target.resource.attribute.labels [oauth_client_id] |
|
protoPayload.request.properties.confidentialInstanceConfig.enableConfidentialCompute |
target.resource.attribute.labels [ enable_confidential_compute] |
|
protoPayload.request.function.timeout |
target.resource.attribute.labels [ function_time_out] |
|
protoPayload.requestMetadata.requestAttributes.auth.accessLevels |
target.resource.attribute.labels [accessLevel] |
|
protoPayload.request.date |
target.resource.attribute.labels [audit_event_occurred] |
|
protoPayload.request.auditId |
target.resource.attribute.labels [audit_id] |
|
protoPayload.request.autoscalingPolicy.mode |
target.resource.attribute.labels [autoscaling_policy_mode] |
|
protoPayload.request.autoscalingPolicy.coolDownPeriodSec |
target.resource.attribute.labels [cool_down_period] |
|
protoPayload.request.denieds.0.IPProtocol |
target.resource.attribute.labels [Denied Protocol] |
|
protoPayload.request.destinationRanges |
target.resource.attribute.labels [destination_ranges] |
|
protoPayload.request.function.entryPoint |
target.resource.attribute.labels [function_entry_point] |
|
protoPayload.request.function.httpsTrigger.securityLevel |
target.resource.attribute.labels [function_httptrigger_security_level] |
|
protoPayload.request.function.runtime |
target.resource.attribute.labels [function_runtime] |
|
protoPayload.request.function.serviceAccountEmail |
target.resource.attribute.labels [function_service_account_email] |
|
protoPayload.request.function.sourceUploadUrl |
target.resource.attribute.labels [function_source_upload_url] |
|
protoPayload.metadata.iapEnabled |
target.resource.attribute.labels [iapEnabled] |
|
protoPayload.request.listManagedInstancesResults |
target.resource.attribute.labels [managed_instances_result] |
|
protoPayload.request.autoscalingPolicy.maxNumReplicas |
target.resource.attribute.labels [max_replicas] |
|
protoPayload.request.autoscalingPolicy.minNumReplicas |
target.resource.attribute.labels [min_replicas] |
|
protoPayload.request.msgType |
target.resource.attribute.labels [msg_type] |
|
protoPayload.metadata.oauth_client_id |
target.resource.attribute.labels [oauth_client_id] |
|
protoPayload.request.autoscalingPolicy.cpuUtilization.predictiveMethod |
target.resource.attribute.labels [predictive_method] |
|
protoPayload.request.labels.0.value |
target.resource.attribute.labels [protoPayload.request.labels.0.key] |
|
protoPayload.request.queryId |
target.resource.attribute.labels [query_id] |
|
protoPayload.request.constraint |
target.resource.attribute.labels [request_constraint] |
|
protoPayload.request.dataAccessed |
target.resource.attribute.labels [request_data_accessed] |
|
protoPayload.request.function.labels.deployment-tool |
target.resource.attribute.labels [request_deployment_tool] |
|
protoPayload.request.properties.description |
target.resource.attribute.labels [request_description] |
|
protoPayload.request.function.name |
target.resource.attribute.labels [request_function_name] |
|
protoPayload.request.location |
target.resource.attribute.labels [request_location] |
|
protoPayload.request.policy.constraint |
target.resource.attribute.labels [request_policy_constraint] |
|
protoPayload.request.@type |
target.resource.attribute.labels [request_type] |
|
protoPayload.request.cmd |
target.resource.attribute.labels [sql_operation_type ] |
|
protoPayload.request.threadId |
target.resource.attribute.labels [thread_id] |
|
protoPayload.metadata.unsatisfied_access_levels |
target.resource.attribute.labels [unsatisfied_access_levels] |
|
protoPayload.request.autoscalingPolicy.cpuUtilization.utilizationTarget |
target.resource.attribute.labels [utilization_target] |
|
protoPayload.request.body.settings.backupConfiguration.binaryLogEnabled |
target.resource.attribute.labels[backup_config_binarylog_enabled] |
|
protoPayload.request.body.settings.backupConfiguration.enabled |
target.resource.attribute.labels[backup_config_enabled] |
|
protoPayload.request.body.settings.backupConfiguration.transactionLogRetentionDays |
target.resource.attribute.labels[backup_config_logRetention_days] |
|
protoPayload.request.body.settings.backupConfiguration.pointInTimeRecoveryEnabled |
target.resource.attribute.labels[backup_config_point_in_time_recovery_enabled] |
|
protoPayload.request.body.settings.backupConfiguration.backupRetentionSettings.retainedBackups |
target.resource.attribute.labels[backup_config_retention_settings_retained_backups] |
|
protoPayload.request.body.settings.backupConfiguration.backupRetentionSettings.retentionUnit |
target.resource.attribute.labels[backup_config_retention_settings_unit] |
|
protoPayload.request.body.settings.backupConfiguration.startTime |
target.resource.attribute.labels[backup_config_start_time] |
|
protoPayload.request.canIpForward |
target.resource.attribute.labels[can_ip_forward] |
|
resource.labels.cluster_name |
target.resource.attribute.labels[cls_name] |
|
request.cluster.name |
target.resource.attribute.labels[cls_name] |
|
protoPayload.request.body.settings.dataDiskSizeGb |
target.resource.attribute.labels[data_disk_size_gb] |
|
protoPayload.request.body.settings.dataDiskType |
target.resource.attribute.labels[data_disk_type] |
|
protoPayload.metadata.tableDataRead.fields |
target.resource.attribute.labels[data_read_fields] |
|
protoPayload.metadata.jobInsertion.job.jobConfig.extractConfig.destinationUris[] |
target.resource.attribute.labels[destination_uris] |
|
protoPayload.request.direction |
target.resource.attribute.labels[direction] |
|
resource.labels.email_id |
target.resource.attribute.labels[email_id] |
|
resource.email_id |
target.resource.attribute.labels[email_id] |
|
resource.labels.forwarding_rule_name |
target.resource.attribute.labels[forwarding_rule_name] |
|
protoPayload.request.body.settings.ipConfiguration.ipv4Enabled |
target.resource.attribute.labels[ip_config_ipv4_enabled] |
|
protoPayload.request.body.settings.ipconfiguration.privatNetwork |
target.resource.attribute.labels[ip_config_private_network] |
|
protoPayload.request.body.settings.ipconfiguration.requireSsl |
target.resource.attribute.labels[ip_config_require_ssl] |
|
protoPayload.metadata.jobChange.job.jobConfig.type |
target.resource.attribute.labels[job_type] |
|
protoPayload.metadata.jobChange.job.jobConfig.labels.looker_studio_report_id |
target.resource.attribute.labels[job_change_looker_studio_report_id] |
|
protoPayload.metadata.jobChange.job.jobConfig.labels.requestor |
target.resource.attribute.labels[job_change_requestor] |
|
protoPayload.metadata.jobChange.job.jobConfig.labels.looker_studio_datasource_id |
target.resource.attribute.labels[job_change_looker_studio_datasource_id] |
|
protoPayload.metadata.tableChange.table.tableName |
target.resource.attribute.labels[metadata_changedTable_name] |
|
protoPayload.metadata.tableCreation.table.expireTime |
target.resource.attribute.labels[metadata_creationTable_expire_time] |
|
protoPayload.request.body.settings.pricingPlan |
target.resource.attribute.labels[pricing_plan] |
|
resource.data.projectId |
target.resource.attribute.labels[projectId] |
|
resource.labels.instance_group_name |
target.resource.attribute.labels[rc_instance_groupName] |
|
resource.labels.method |
target.resource.attribute.labels[rc_method] |
|
protoPayload.resourceOriginalState.disabled |
target.resource.attribute.labels[rc_orgState_disabled] |
|
protoPayload.resourceOriginalState.enableLogging |
target.resource.attribute.labels[rc_orgState_enable_logging] |
|
protoPayload.resourceOriginalState.logconfig.enable |
target.resource.attribute.labels[rc_orgState_logconfig_enable] |
|
protoPayload.resourceOriginalState.selfLink |
target.resource.attribute.labels[rc_orgState_selflink] |
|
protoPayload.resourceOriginalState.sourceRanges |
target.resource.attribute.labels[rc_orgState_srcranges] |
|
protoPayload.resourceOriginalState.targetTags |
target.resource.attribute.labels[rc_orgState_target_tags] |
|
protoPayload.resourceOriginalState.@type |
target.resource.attribute.labels[rc_orgState_type] |
|
resource.labels.service |
target.resource.attribute.labels[rc_service] |
|
resource.labels.subnetwork_name |
target.resource.attribute.labels[rc_subnetwork_name] |
|
resource.labels.version |
target.resource.attribute.labels[rc_version] |
|
protoPayload.request.body.databaseVersion |
target.resource.attribute.labels[req_body_dbVersion] |
|
protoPayload.request.cluster.releaseChannel.channel |
target.resource.attribute.labels[req_cls_channel] |
|
protoPayload.request.cluster.addonsConfig.networkPolicyConfig.disabled |
target.resource.attribute.labels[req_cls_policy_config_disabled] |
|
protoPayload.request.reservationAffinity.consumeReservationType |
target.resource.attribute.labels[req_consumeReservation_type] |
|
protoPayload.request.disabled |
target.resource.attribute.labels[req_disabled] |
|
protoPayload.request.disks[].boot |
target.resource.attribute.labels[req_disk_boot] |
|
protoPayload.request.disks[].initializeParams.diskSizeGb |
target.resource.attribute.labels[req_disk_initialize_disk_size] |
|
protoPayload.request.disks[].initializeParams.diskType |
target.resource.attribute.labels[req_disk_initialize_disk_type] |
|
protoPayload.request.disks[].initializeParams.sourceImage |
target.resource.attribute.labels[req_disk_initialize_source_image] |
|
protoPayload.request.workloadIdentityPoolProvider.attributeCondition |
target.resource.attribute.labels[req_identityPool_attribute_condition] |
|
protoPayload.request.workloadIdentityPoolProvider.aws.accountId |
target.resource.attribute.labels[req_identityPool_aws_accountId] |
|
protoPayload.request.workloadIdentityPoolProvider.attributeMapping.attribute.aws_role |
target.resource.attribute.labels[req_identityPool_aws_role] |
|
protoPayload.request.workloadIdentityPool.description |
target.resource.attribute.labels[req_identityPool_description] |
|
protoPayload.request.workloadIdentityPool.disabled |
target.resource.attribute.labels[req_identityPool_disabled] |
|
protoPayload.request.workloadIdentityPoolProvider.displayName |
target.resource.attribute.labels[req_identityPool_displayName] |
|
protoPayload.request.workloadIdentityPoolProvider.attributeMapping.google.subject |
target.resource.attribute.labels[req_identityPool_googleSubject] |
|
protoPayload.request.workloadIdentityPoolProvider.disabled |
target.resource.attribute.labels[req_identityPool_provider_disabled] |
|
protoPayload.request.workloadIdentityPoolProviderId |
target.resource.attribute.labels[req_identityPool_providerId] |
|
protoPayload.request.instances[].instance |
target.resource.attribute.labels[req_instance] |
|
protoPayload.request.logconfig.enable |
target.resource.attribute.labels[req_logconfig_enable] |
|
protoPayload.serviceData.tabelDataListRequest.maxResults |
target.resource.attribute.labels[req_max_results] |
|
protoPayload.serviceData.jobGetQueryResultsRequest.maxResults |
target.resource.attribute.labels[req_max_results] |
|
protoPayload.request.maxResults |
target.resource.attribute.labels[req_max_results] |
|
protoPayload.request.name |
target.resource.attribute.labels[req_name] |
|
protoPayload.request.networkInterfaces[].accessConfig.name |
target.resource.attribute.labels[req_network_access_config_name] |
|
protoPayload.request.networkInterfaces[].accessConfig.networkTier |
target.resource.attribute.labels[req_network_access_config_network_tier] |
|
protoPayload.request.networkInterfaces[].accessConfig.type |
target.resource.attribute.labels[req_network_access_config_type] |
|
protoPayload.request.network |
target.resource.attribute.labels[req_network] |
|
protoPayload.request.network |
target.resource.attribute.labels[req_network] |
|
protoPayload.request.priority |
target.resource.attribute.labels[Request Priority] |
|
protoPayload.request.project |
target.resource.attribute.labels[req_project] |
|
protoPayload.request.role.stage |
target.resource.attribute.labels[req_role_stage] |
|
protoPayload.request.scheduling.automaticRestart |
target.resource.attribute.labels[req_scheduling_automatic_restart] |
|
protoPayload.request.scheduling.onHostMaintenance |
target.resource.attribute.labels[req_scheduling_on_host_mainten] |
|
protoPayload.request.scheduling.preemptible |
target.resource.attribute.labels[req_scheduling_preemptible] |
|
protoPayload.request.service_account.description |
target.resource.attribute.labels[req_serviceAcc_description] |
|
protoPayload.request.serviceAccounts[].email |
target.resource.attribute.labels[req_serviceAcc_email] |
|
protoPayload.request.policy.booleanPolicy.enforced |
target.resource.attribute.labels[request_constraint] |
|
protoPayload.response.email |
target.resource.attribute.labels[res_email] |
|
protoPayload.response.etag |
target.resource.attribute.labels[res_etag] |
|
protoPayload.response.name |
target.resource.attribute.labels[res_name] |
|
protoPayload.response.operationType |
target.resource.attribute.labels[response_operation_type] |
|
protoPayload.response.zone |
target.resource.attribute.labels[res_zone] |
|
resource.data.name |
target.resource.attribute.labels[resource_data_name] |
|
protoPayload.response.booleanPolicy.enforced |
target.resource.attribute.labels[response_enforce_policy] |
|
protoPayload.response.status |
target.resource.attribute.labels[response_status] |
|
protoPayload.response.status.conditions.message |
target.resource.attribute.labels[response_status] |
|
protoPayload.serviceData.permissionDelta.addedPermissions[] |
target.resource.attribute.labels[ser_added_perm] |
|
protoPayload.serviceData.policyDelta.bindingDeltas[].action |
target.resource.attribute.labels[ser_binding_deltas_action] |
|
protoPayload.serviceData.policyDelta.bindingDeltas[].member |
target.resource.attribute.labels[ser_binding_deltas_member] |
|
Referred this from default parser. |
target.resource.attribute.labels[ser_binding_deltas_member] |
|
protoPayload.serviceData.jobGetQueryResultsResponse.job.jobConfiguration.query.destinationTable.datasetId |
target.resource.attribute.labels[ser_destTable_datasetId] |
|
protoPayload.serviceData.jobGetQueryResultsResponse.job.jobConfiguration.query.destinationTable.projectId |
target.resource.attribute.labels[ser_destTable_projectId] |
|
protoPayload.serviceData.jobGetQueryResultsResponse.job.jobConfiguration.query.destinationTable.tableId |
target.resource.attribute.labels[ser_destTable_tableId] |
|
protoPayload.serviceData.jobGetQueryResultsResponse.job.jobStatistics.createTime |
target.resource.attribute.labels[ser_jobCreate_time] |
|
protoPayload.serviceData.jobGetQueryResultsResponse.job.jobName.jobId |
target.resource.attribute.labels[ser_req_jobId] |
|
protoPayload.serviceData.jobGetQueryResultsResponse.job.jobConfiguration.query.query |
target.resource.attribute.labels[ser_req_query] |
|
protoPayload.serviceData.jobGetQueryResultsResponse.job.jobConfiguration.query.createDisposotion |
target.resource.attribute.labels[ser_reqCreate_disposotion] |
|
protoPayload.serviceData.jobGetQueryResultsResponse.job.jobName.location |
target.resource.attribute.labels[ser_reqJob_location] |
|
protoPayload.serviceData.jobGetQueryResultsResponse.job.jobName.projectId |
target.resource.attribute.labels[ser_reqJob_projectid] |
|
protoPayload.serviceData.jobGetQueryResultsResponse.job.jobStatistics.startTime |
target.resource.attribute.labels[ser_reqJob_start_time] |
|
protoPayload.serviceData.jobGetQueryResultsResponse.job.jobStatus.state |
target.resource.attribute.labels[ser_reqJob_state] |
|
protoPayload.serviceData.jobGetQueryResultsResponse.job.jobStatistics.totalSlotMs |
target.resource.attribute.labels[ser_reqJob_total_slot_ms] |
|
protoPayload.serviceData.jobGetQueryResultsResponse.job.jobConfiguration.query.statementType |
target.resource.attribute.labels[ser_reqStatement_type] |
|
protoPayload.serviceData.jobGetQueryResultsResponse.job.jobConfiguration.query.writeDisposition |
target.resource.attribute.labels[ser_reqWrite_disposition] |
|
protoPayload.serviceData.tableInsertRequest.resource.view.query |
target.resource.attribute.labels[ser_tableInsert_query] |
|
protoPayload.serviceData.@type |
target.resource.attribute.labels[ser_type] |
|
protoPayload.request.sourceRanges[] |
target.resource.attribute.labels[source_ranges] |
|
protoPayload.request.body.settings.storageAutoResize |
target.resource.attribute.labels[storage_auto_resize] |
|
resource.labels.target_proxy_name |
target.resource.attribute.labels[target_proxy_name] |
|
protoPayload.request.body.settings.tier |
target.resource.attribute.labels[tier] |
|
resource.labels.url_map_name |
target.resource.attribute.labels[url_map_name] |
|
protoPayload.request.cluster.network |
target.resource_ancestors.attribute.labels[req_cls_network] |
|
protoPayload.request.cluster.nodePools[].management.autoRepair |
target.resource_ancestors.attribute.labels[req_clsNodePools_autorepair] |
|
protoPayload.request.body.settings.availabilityType |
target.resource.attributes.labels[resource_avaibilitytype] |
|
protoPayload.metadata.tableCreation.table.schemaJSON |
target.resource.attributes.labels[table_schemaJson] |
|
protoPayload.metadata.event.eventName.parameter.name[BIRTHDATE] |
target.user.attribute.labels[birthdate] |
|
protoPayload.metadata.event.eventName.parameter.name[PRIVILEGE_NAME] |
target.user.attribute.labels[privilege_name] |
|
protoPayload.metadata.event.eventName.parameter.name[USER_NICKNAME] |
target.user.attribute.labels[user_nickname] |
|
resource.type |
target.resource_ancestors.resource_type |
如果 resource.type 記錄檔欄位值符合規則運算式 gce_(firewall or forwarding_rule),則 target.resource_ancestors.resource_type UDM 欄位會設為 FIREWALL_RULE。如果 resource.type 記錄檔欄位值符合規則運算式 gce_(subnetwork or network),則 target.resource_ancestors.resource_type UDM 欄位會設為 VPC_NETWORK。如果 resource.type 記錄檔欄位值符合規則運算式 dataproc,則 target.resource_ancestors.resource_type UDM 欄位會設為 CLUSTER。如果 resource.type 記錄檔欄位值符合規則運算式 k8s or gke_,則 target.resource_ancestors.resource_type UDM 欄位會設為 CLUSTER。如果 resource.type 記錄檔欄位值等於 gce_backend_service,則 target.resource_ancestors.resource_type UDM 欄位會設為 BACKEND_SERVICE。如果 resource.type 記錄檔欄位值符合規則運算式 (gce_ or dns_query),則 target.resource.resource_type UDM 欄位會設為 VIRTUAL_MACHINE。如果 resource.type 記錄檔欄位值符合規則運算式 gcs_bucket,則 target.resource_ancestors.resource_type UDM 欄位會設為 STORAGE_BUCKET。如果 resource.type 記錄檔欄位值符合規則運算式 bigquery,則 target.resource_ancestors.resource_type UDM 欄位會設為 DATABASE。如果 resource.type 記錄檔欄位值符合規則運算式 cloudsql,則 target.resource_ancestors.resource_type UDM 欄位會設為 DATABASE。如果 resource.type 記錄檔欄位值符合規則運算式 service_account,則 target.resource_ancestors.resource_type UDM 欄位會設為 SERVICE_ACCOUNT。如果 resource.type 記錄檔欄位值符合規則運算式 project,則 target.resource_ancestors.resource_type UDM 欄位會設為 CLOUD_PROJECT。如果 resource.type 記錄檔欄位值符合規則運算式 organization,則 target.resource_ancestors.resource_type UDM 欄位會設為 CLOUD_ORGANIZATION。否則, target.resource_ancestors.resource_type UDM 欄位會設為 UNSPECIFIED。如果 resource.labels.project_id 記錄檔欄位值不為空,則 target.resource_ancestors.resource_type UDM 欄位會設為 CLOUD_PROJECT。 |
jsonPayload.end_time |
about.labels[jsonPayload_end_time] (已淘汰) |
|
jsonPayload.packets_sent |
network.sent_packets |
|
jsonPayload.reporter |
about.labels[jsonPayload_reporter] (已淘汰) |
|
jsonPayload.src_vpc.vpc_name |
principal.resource.name |
|
jsonPayload.src_vpc.project_id |
principal.resource.product_object_id |
|
jsonPayload.src_vpc.subnetwork_name |
principal.resource.attribute.labels[jsonPayload_src_vpc_subnetwork_name] |
|
jsonPayload.start_time |
about.labels[jsonPayload_start_time] (已淘汰) |
|
jsonPayload.src_instance.region |
principal.location.name |
|
jsonPayload.src_instance.project_id |
principal.labels[jsonPayload_src_instance_project_id] (已淘汰) |
|
jsonPayload.src_instance.zone |
principal.cloud.availability_zone |
|
resource.labels.subnetwork_id |
target.resource.attribute.labels[resource_labels_subnetwork_id] |
|
jsonPayload.dest_vpc.project_id |
target.resource.product_object_id |
|
jsonPayload.dest_vpc.subnetwork_name |
target.resource.attribute.labels[jsonPayload_src_vpc_subnetwork_name] |
|
jsonPayload.dest_vpc.vpc_name |
target.resource.name |
|
jsonPayload.dest_instance.region |
target.location.name |
|
jsonPayload.dest_instance.project_id |
target.labels[jsonPayload_dest_instance_project_id] (已淘汰) |
|
jsonPayload.dest_instance.zone |
target.cloud.availability_zone |
|
jsonPayload.src_location.asn |
principal.labels[jsonPayload_src_location_asn] (已淘汰) |
|
jsonPayload.src_location.city |
principal.location.city |
|
jsonPayload.src_location.continent |
principal.labels[jsonPayload_src_location_continent] (已淘汰) |
|
jsonPayload.src_location.country |
principal.location.country_or_region |
|
jsonPayload.src_location.region |
principal.labesl[jsonPayload_src_location_region] |
|
jsonPayload.dest_location.asn |
target.labels[jsonPayload_dest_location_asn] (已淘汰) |
|
jsonPayload.dest_location.city |
target.location.city |
|
jsonPayload.dest_location.continent |
target.labels[jsonPayload_dest_location_continent] (已淘汰) |
|
jsonPayload.dest_location.region |
target.labesl[jsonPayload_dest_location_region] |
|
protoPayload.metadata.ingressViolations.servicePerimeter |
security_result.detection_fields[protoPayload_metadata_ingressViolations_serviceParameter] |
|
protoPayload.metadata.ingressViolations.source |
security_result.detection_fields[protoPayload_metadata_ingressViolations_source] |
|
protoPayload.metadata.ingressViolations.sourceType |
security_result.detection_fields[protoPayload_metadata_ingressViolations_sourceType] |
|
protoPayload.metadata.ingressViolations.targetResource |
security_result.detection_fields[protoPayload_metadata_ingressViolations_targetResource] |
|
protoPayload.request.subjects.name |
target.user.attribute.labels[subject_name] |
|
protoPayload.request.spec.containers.0.image |
target.process.command_line |
|
protoPayload.request.spec.containers.0.name |
target.resource.attribute.labels[name] |
|
protoPayload.request.spec.containers.0.terminationMessagePolicy |
traget.resource.attribute.labels[terminationMessagePolicy] |
|
protoPayload.request.spec.containers.0.terminationMessagePath |
traget.resource.attribute.labels[terminationMessagePath] |
|
protoPayload.request.spec.containers.0.imagePullPolicy |
traget.resource.attribute.labels[imagePullPolicy] |
|
protoPayload.request.spec.dnsPolicy |
target.resource.attribute.labels[imagePullPolicy] |
|
protoPayload.request.spec.enableServiceLinks |
traget.resource.attribute.labels[enableServiceLinks] |
|
protoPayload.request.spec.restartPolicy |
target.resource.attribute.labels[restartPolicy] |
|
protoPayload.request.spec.schedulerName |
target.resource.attribute.labels[schedulerName] |
|
protoPayload.request.spec.terminationGracePeriodSeconds |
traget.resource.attribute.labels[protoPayload_request_spec_terminationGracePeriodSeconds] |
|
protoPayload.request.metadata.namespace |
principal.namespace |
|
protoPayload.request.apiVersion |
target.resource.attribute.labels [request apiVersion] |
|
protoPayload.request.kind |
target.resource.attribute.labels[request.kind] |
|
protoPayload.request.metadata.name |
target.resource.attribute.labels[request.metadata.name] |
|
labels.mutation.webhook.admission.k8s.io/round_0_index_0 |
security_result.about.resource.attribute.labels[labels_round_0_index_0] |
|
protoPayload.request.spec.containers.0.args |
about.file.capabilities_tags |
|
protoPayload.request.properties.disks.0.initializeParams.diskSizeGb |
principal.resource.attribute.labels[diskSizeGb] |
|
protoPayload.request.properties.disks.0.initializeParams.diskType |
principal.resource.attribute.labels[diskType] |
|
protoPayload.request.properties.disks.0.initializeParams.guestOsFeatures.0.type |
principal.resource.attribute.labels[guestOsFeatures type] |
|
protoPayload.request.properties.disks.0.initializeParams.labels.0.key |
principal.resource.attribute.labels[protoPayload.request.properties.disks.0.initializeParams.labels.0.key] |
|
protoPayload.request.properties.disks.0.initializeParams.sourceImage |
principal.resource.attribute.labels[sourceImage] |
|
protoPayload.request.properties.disks.0.type |
principal.resource.attribute.labels[disks Type] |
|
key_id |
security_result.detection_field[key_id] |
系統會使用 Grok 模式,從 message 記錄欄位擷取 key_id 欄位值。 |
protoPayload.request.securityHealthAnalyticsSettings.modules.PUBLIC_BUCKET_ACL.moduleEnablementState |
target.resource.attribute.labels[PUBLIC_BUCKET_ACL_module_enablement_state] |
|
protoPayload.response.serviceEnablementState |
target.resource.attribute.labels[service_enablement_state] |
|
protoPayload.request.metadata.creationTimestamp |
target.resource.attribute.creation_time |
|
protoPayload.request.metadata.labels.trivy.automatic.created |
target.resource.attribute.labels[req_metadata_trivy_automatic_created] |
|
protoPayload.request.metadata.labels.trivy.collector.name |
target.resource.attribute.labels[req_metadata_trivy_collector_name] |
|
protoPayload.request.metadata.labels.trivy.resource.kind |
target.resource.attribute.labels[req_metadata_trivy_resource_kind] |
|
protoPayload.request.metadata.labels.trivy.resource.name |
target.resource.attribute.labels[req_metadata_trivy_resource_name] |
|
protoPayload.request.spec.backoffLimit |
target.resource.attribute.labels[req_spec_backoff_limit] |
|
protoPayload.request.spec.completionMode |
target.resource.attribute.labels[req_spec_completion_mode] |
|
protoPayload.request.spec.completions |
target.resource.attribute.labels[req_spec_completions] |
|
protoPayload.request.spec.parallelism |
target.resource.attribute.labels[req_spec_parallelism] |
|
protoPayload.request.spec.suspend |
target.resource.attribute.labels[req_spec_suspend] |
|
protoPayload.request.spec.template.metadata.creationTimestamp |
target.resource.attribute.labels[req_spec_template_metadata_creation_time] |
|
protoPayload.request.spec.template.metadata.labels.app |
target.resource.attribute.labels[req_spec_template_metadata_app] |
|
protoPayload.request.spec.template.spec.automountServiceAccountToken |
target.resource.attribute.labels[req_spec_template_spec_automount_service_account_token] |
|
protoPayload.request.spec.template.spec.containers.command |
target.resource_ancestors.attribute.labels[req_spec_template_spec_container_command] |
|
protoPayload.request.spec.template.spec.containers.image |
target.resource_ancestors.attribute.labels[req_spec_template_spec_container_image] |
|
protoPayload.request.spec.template.spec.containers.imagePullPolicy |
target.resource_ancestors.attribute.labels[req_spec_template_spec_container_image_pull_policy] |
|
protoPayload.request.spec.template.spec.containers.name |
target.resource_ancestors.name |
|
protoPayload.request.spec.template.spec.containers.resources.limits.cpu |
target.resource_ancestors.attribute.labels[req_spec_template_spec_container_resource_limits_cpu] |
|
protoPayload.request.spec.template.spec.containers.resources.limits.memory |
target.resource_ancestors.attribute.labels[req_spec_template_spec_container_resource_limits_memory] |
|
protoPayload.request.spec.template.spec.containers.resources.requests.cpu |
target.resource_ancestors.attribute.labels[req_spec_template_spec_container_resource_request_cpu] |
|
protoPayload.request.spec.template.spec.containers.resources.requests.memory |
target.resource_ancestors.attribute.labels[req_spec_template_spec_container_resource_request_memory] |
|
protoPayload.request.spec.template.spec.containers.securityContext.allowPrivilegeEscalation |
target.resource_ancestors.attribute.labels[req_spec_template_spec_container_security_context_allow_privilege_escalation] |
|
protoPayload.request.spec.template.spec.containers.securityContext.capabilities.drop |
target.resource_ancestors.attribute.labels[req_spec_template_spec_container_security_context_capabilities_drop] |
|
protoPayload.request.spec.template.spec.containers.securityContext.privileged |
target.resource_ancestors.attribute.labels[req_spec_template_spec_container_security_context_privileged] |
|
protoPayload.request.spec.template.spec.containers.securityContext.readOnlyRootFilesystem |
target.resource_ancestors.attribute.labels[req_spec_template_spec_container_security_context_read_only_root_filesystem] |
|
protoPayload.request.spec.template.spec.containers.terminationMessagePath |
target.resource_ancestors.attribute.labels[req_spec_template_spec_container_termination_message_path] |
|
protoPayload.request.spec.template.spec.containers.terminationMessagePolicy |
target.resource_ancestors.attribute.labels[req_spec_template_spec_container_termination_message_policy] |
|
protoPayload.request.spec.template.spec.containers.volumeMounts.mountPath |
target.resource_ancestors.attribute.labels[req_spec_template_spec_container_volume_mounts_mount_path] |
|
protoPayload.request.spec.template.spec.containers.volumeMounts.name |
target.resource_ancestors.attribute.labels[req_spec_template_spec_container_volume_mounts_name] |
|
protoPayload.request.spec.template.spec.containers.volumeMounts.readOnly |
target.resource_ancestors.attribute.labels[req_spec_template_spec_container_volume_mounts_readonly] |
|
protoPayload.request.spec.template.spec.dnsPolicy |
target.resource.attribute.labels[req_spec_template_spec_dns_policy] |
|
protoPayload.request.spec.template.spec.hostPID |
target.resource.attribute.labels[req_spec_template_spec_host_pid] |
|
protoPayload.request.spec.template.spec.restartPolicy |
target.resource.attribute.labels[req_spec_template_spec_restart_policy] |
|
protoPayload.request.spec.template.spec.schedulerName |
target.resource.attribute.labels[req_spec_template_spec_scheduler_name] |
|
protoPayload.request.spec.template.spec.securityContext.runAsGroup |
target.resource.attribute.labels[req_spec_template_spec_security_context_run_as_group] |
|
protoPayload.request.spec.template.spec.securityContext.runAsUser |
target.resource.attribute.labels[req_spec_template_spec_security_context_run_as_user] |
|
protoPayload.request.spec.template.spec.securityContext.seccompProfile.type |
target.resource.attribute.labels[req_spec_template_spec_security_context_seccomp_profile_type] |
|
protoPayload.request.spec.template.spec.terminationGracePeriodSeconds |
target.resource.attribute.labels[req_spec_template_spec_termination_grace_period_seconds] |
|
protoPayload.request.spec.template.spec.volumes.hostPath.path |
target.resource.attribute.labels[req_spec_template_spec_volumes_host_path] |
|
protoPayload.request.spec.template.spec.volumes.hostPath.type |
target.resource.attribute.labels[req_spec_template_spec_volumes_host_path_type] |
|
protoPayload.request.spec.template.spec.volumes.name |
target.resource.attribute.labels[req_spec_template_spec_volumes_name] |
|
protoPayload.request.spec.automountServiceAccountToken |
target.resource.attribute.labels[req_spec_automount_service_account_token] |
|
protoPayload.request.spec.containers.command |
target.resource.attribute.labels[req_spec_container_command] |
|
protoPayload.request.spec.containers.securityContext.privileged |
target.resource.attribute.labels[req_spec_container_security_context_privileged] |
|
protoPayload.request.spec.containers.securityContext.allowPrivilegeEscalation |
target.resource.attribute.labels[req_spec_container_security_context_allow_privilege_escalation] |
|
protoPayload.request.spec.containers.securityContext.readOnlyRootFilesystem |
target.resource.attribute.labels[req_spec_container_security_context_read_only_root_filesystem] |
|
protoPayload.request.spec.containers.securityContext.capabilities.drop |
target.resource.attribute.labels[req_spec_container_security_context_capabilities_drop] |
|
protoPayload.request.spec.containers.volumeMounts.mountPath |
target.resource.attribute.labels[req_spec_container_volume_mount_path] |
|
protoPayload.request.spec.containers.volumeMounts.name |
target.resource.attribute.labels[req_spec_container_volume_mount_name] |
|
protoPayload.request.spec.containers.volumeMounts.readOnly |
target.resource.attribute.labels[req_spec_container_volume_mount_read_only] |
|
protoPayload.request.metadata.annotations.deprecated.daemonset.template.generation |
target.resource.attribute.labels[req_metadata_annotations_deprecated_daemonset_template_generation] |
|
protoPayload.request.metadata.labels.app |
target.resource.attribute.labels[req_metadata_app] |
|
protoPayload.request.metadata.labels.type |
target.resource.attribute.labels[req_metadata_labels_type] |
|
protoPayload.request.spec.serviceAccount |
target.resource.attribute.labels[req_spec_service_account] |
|
protoPayload.request.spec.serviceAccountName |
target.resource.attribute.labels[req_spec_serivce_account_name] |
|
protoPayload.request.spec.hostIPC |
target.resource.attribute.labels[req_spec_host_ipc] |
|
protoPayload.request.spec.hostNetwork |
target.resource.attribute.labels[req_spec_host_network] |
|
protoPayload.request.spec.hostPID |
target.resource.attribute.labels[req_spec_host_pid] |
|
protoPayload.request.spec.nodeName |
target.resource.attribute.labels[req_spec_node_name] |
|
protoPayload.request.spec.securityContext.privileged |
target.resource.attribute.labels[req_spec_security_context_privileged] |
|
protoPayload.request.spec.securityContext.allowPrivilegeEscalation |
target.resource.attribute.labels[req_spec_security_context_allow_privilege_escalation] |
|
protoPayload.request.spec.securityContext.readOnlyRootFilesystem |
target.resource.attribute.labels[req_spec_security_context_read_only_root_filesystem] |
|
protoPayload.request.spec.securityContext.capabilities.drop |
target.resource.attribute.labels[req_spec_security_context_capabilities_drop] |
|
protoPayload.request.spec.volumes.hostPath.path |
target.resource.attribute.labels[req_spec_volume_host_path] |
|
protoPayload.request.spec.volumes.hostPath.type |
target.resource.attribute.labels[req_spec_volume_host_path_type] |
|
protoPayload.request.spec.volumes.name |
target.resource.attribute.labels[req_spec_volume_name] |
|
protoPayload.request.spec.revisionHistoryLimit |
target.resource.attribute.labels[req_spec_revision_history_limit] |
|
protoPayload.request.spec.selector.matchLabels.app |
target.resource.attribute.labels[req_spec_selector_match_label_app] |
|
protoPayload.request.spec.selector.matchLabels.type |
target.resource.attribute.labels[req_spec_selector_match_label_type] |
|
protoPayload.request.spec.template.metadata.labels.type |
target.resource.attribute.labels[req_spec_template_metadata_labels_type] |
|
protoPayload.request.spec.template.spec.containers.args |
target.resource.attribute.labels[req_spec_template_spec_container_arg] |
|
protoPayload.request.spec.template.spec.hostIPC |
target.resource.attribute.labels[req_spec_template_spec_host_ipc] |
|
protoPayload.request.spec.template.spec.hostNetwork |
target.resource.attribute.labels[req_spec_template_spec_host_network] |
|
protoPayload.request.spec.updateStrategy.rollingUpdate.maxSurge |
target.resource.attribute.labels[req_spec_update_strategy_rolling_update_max_surge] |
|
protoPayload.request.spec.updateStrategy.rollingUpdate.maxUnavailable |
target.resource.attribute.labels[req_spec_update_strategy_rolling_update_max_unavailable] |
|
protoPayload.request.spec.updateStrategy.type |
target.resource.attribute.labels[req_spec_update_strategy_type] |
|
protoPayload.request.status.currentNumberScheduled |
target.resource.attribute.labels[req_status_current_number_scheduled] |
|
protoPayload.request.status.desiredNumberScheduled |
target.resource.attribute.labels[req_status_desired_number_scheduled] |
|
protoPayload.request.status.numberMisscheduled |
target.resource.attribute.labels[req_status_number_miss_scheduled] |
|
protoPayload.request.status.numberReady |
target.resource.attribute.labels[req_status_number_ready] |
|
protoPayload.response.@type |
target.resource.attribute.labels[res_type] |
|
protoPayload.response.apiVersion |
target.resource.attribute.labels[res_api_version] |
|
protoPayload.response.metadata.annotations.deprecated.daemonset.template.generation |
target.resource.attribute.labels[res_metadata_annotations_deprecated_daemonset_template_generation] |
|
protoPayload.response.metadata.generation |
target.resource.attribute.labels[res_metadata_generation] |
|
protoPayload.response.metadata.labels.type |
target.resource.attribute.labels[res_metadata_labels_type] |
|
protoPayload.response.metadata.labels.app |
target.resource.attribute.labels[res_metadata_label_app] |
|
protoPayload.response.metadata.creationTimestamp |
target.resource.attribute.labels[res_metadata_creation_time] |
|
protoPayload.response.metadata.name |
target.resource.attribute.labels[res_metadata_name] |
|
protoPayload.response.metadata.namespace |
target.resource.attribute.labels[res_metadata_namespace] |
|
protoPayload.response.metadata.resourceVersion |
target.resource.attribute.labels[res_metadata_resource_version] |
|
protoPayload.response.metadata.uid |
target.resource.attribute.labels[res_metadata_uid] |
|
protoPayload.response.spec.revisionHistoryLimit |
target.resource.attribute.labels[res_spec_revision_history_limit] |
|
protoPayload.response.spec.selector.matchLabels.app |
target.resource.attribute.labels[res_spec_selector_match_label_app] |
|
protoPayload.response.spec.selector.matchLabels.type |
target.resource.attribute.labels[res_spec_selector_match_label_type] |
|
protoPayload.response.spec.template.metadata.creationTimestamp |
target.resource.attribute.labels[res_spec_template_metadata_creation_time] |
|
protoPayload.response.spec.template.metadata.labels.app |
target.resource.attribute.labels[res_spec_template_metadata_app] |
|
protoPayload.response.spec.template.metadata.labels.type |
target.resource.attribute.labels[res_spec_template_metadata_type] |
|
protoPayload.response.spec.template.spec.containers.args |
target.resource_ancestors.attribute.labels[res_spec_template_spec_container_arg] |
|
protoPayload.response.spec.template.spec.containers.command |
target.resource_ancestors.attribute.labels[res_spec_template_spec_container_command] |
|
protoPayload.response.spec.template.spec.containers.image |
target.resource_ancestors.attribute.labels[res_spec_template_spec_container_image] |
|
protoPayload.response.spec.template.spec.containers.imagePullPolicy |
target.resource_ancestors.attribute.labels[res_spec_template_spec_container_image_pull_policy] |
|
protoPayload.response.spec.template.spec.containers.name |
target.resource_ancestors.name |
|
protoPayload.response.spec.template.spec.containers.resources.limits.cpu |
target.resource_ancestors.attribute.labels[res_spec_template_spec_container_resource_limits_cpu] |
|
protoPayload.response.spec.template.spec.containers.resources.limits.memory |
target.resource_ancestors.attribute.labels[res_spec_template_spec_container_resource_limits_memory] |
|
protoPayload.response.spec.template.spec.containers.resources.requests.cpu |
target.resource_ancestors.attribute.labels[res_spec_template_spec_container_resource_request_cpu] |
|
protoPayload.response.spec.template.spec.containers.resources.requests.memory |
target.resource_ancestors.attribute.labels[res_spec_template_spec_container_resource_request_memory] |
|
protoPayload.response.spec.template.spec.containers.securityContext.privileged |
target.resource_ancestors.attribute.labels[res_spec_template_spec_container_security_context_privileged] |
|
protoPayload.response.spec.template.spec.containers.securityContext.allowPrivilegeEscalation |
target.resource_ancestors.attribute.labels[res_spec_template_spec_container_security_context_allow_privilege_escalation] |
|
protoPayload.response.spec.template.spec.containers.securityContext.readOnlyRootFilesystem |
target.resource_ancestors.attribute.labels[res_spec_template_spec_container_security_context_read_only_root_filesystem] |
|
protoPayload.response.spec.template.spec.containers.securityContext.capabilities.drop |
target.resource_ancestors.attribute.labels[res_spec_template_spec_container_security_context_capabilities_drop] |
|
protoPayload.response.spec.template.spec.containers.terminationMessagePath |
target.resource_ancestors.attribute.labels[res_spec_template_spec_container_termination_message_path] |
|
protoPayload.response.spec.template.spec.containers.terminationMessagePolicy |
target.resource_ancestors.attribute.labels[res_spec_template_spec_container_termination_message_policy] |
|
protoPayload.response.spec.template.spec.containers.volumeMounts.mountPath |
target.resource_ancestors.attribute.labels[res_spec_template_spec_container_volume_mounts_mount_path] |
|
protoPayload.response.spec.template.spec.containers.volumeMounts.name |
target.resource_ancestors.attribute.labels[res_spec_template_spec_container_volume_mounts_name] |
|
protoPayload.response.spec.template.spec.containers.volumeMounts.readOnly |
target.resource_ancestors.attribute.labels[res_spec_template_spec_container_volume_mounts_read_only] |
|
protoPayload.response.spec.template.spec.dnsPolicy |
target.resource.attribute.labels[res_spec_template_spec_dns_policy] |
|
protoPayload.response.spec.template.spec.hostIPC |
target.resource.attribute.labels[res_spec_template_spec_host_pid] |
|
protoPayload.response.spec.template.spec.hostNetwork |
target.resource.attribute.labels[res_spec_template_spec_host_network] |
|
protoPayload.response.spec.template.spec.hostPID |
target.resource.attribute.labels[res_spec_template_spec_host_ipc] |
|
protoPayload.response.spec.template.spec.nodeName |
target.resource.attribute.labels[res_spec_template_spec_node_name] |
|
protoPayload.response.spec.template.spec.restartPolicy |
target.resource.attribute.labels[res_spec_template_spec_restart_policy] |
|
protoPayload.response.spec.template.spec.schedulerName |
target.resource.attribute.labels[res_spec_template_spec_scheduler_name] |
|
protoPayload.response.spec.template.spec.securityContext.runAsGroup |
target.resource.attribute.labels[res_spec_template_spec_security_context_run_as_group] |
|
protoPayload.response.spec.template.spec.securityContext.runAsUser |
target.resource.attribute.labels[res_spec_template_spec_security_context_run_as_user] |
|
protoPayload.response.spec.template.spec.securityContext.seccompProfile.type |
target.resource.attribute.labels[res_spec_template_spec_security_context_seccomp_profile_type] |
|
protoPayload.response.spec.template.spec.terminationGracePeriodSeconds |
target.resource.attribute.labels[res_spec_template_spec_termination_grace_period_seconds] |
|
protoPayload.response.spec.template.spec.volumes.hostPath.path |
target.resource.attribute.labels[res_spec_template_spec_volumes_host_path] |
|
protoPayload.response.spec.template.spec.volumes.hostPath.type |
target.resource.attribute.labels[res_spec_template_spec_volumes_host_path_type] |
|
protoPayload.response.spec.template.spec.volumes.name |
target.resource.attribute.labels[res_spec_template_spec_volumes_name] |
|
protoPayload.response.spec.updateStrategy.rollingUpdate.maxSurge |
target.resource.attribute.labels[res_spec_update_strategy_rolling_update_max_surge] |
|
protoPayload.response.spec.updateStrategy.rollingUpdate.maxUnavailable |
target.resource.attribute.labels[res_spec_update_strategy_rolling_update_max_unavailable] |
|
protoPayload.response.spec.updateStrategy.type |
target.resource.attribute.labels[res_spec_update_strategy_type] |
|
protoPayload.response.spec.containers.args |
target.resource_ancestors.attribute.labels[res_spec_container_arg] |
|
protoPayload.response.spec.containers.command |
target.resource_ancestors.attribute.labels[res_spec_container_command] |
|
protoPayload.response.spec.containers.image |
target.resource_ancestors.attribute.labels[res_spec_container_image] |
|
protoPayload.response.spec.containers.imagePullPolicy |
target.resource_ancestors.attribute.labels[res_spec_container_image_pull_policy] |
|
protoPayload.response.spec.containers.name |
target.resource_ancestors.name |
|
protoPayload.response.spec.containers.securityContext.privileged |
target.resource_ancestors.attribute.labels[res_spec_container_security_context_privileged] |
|
protoPayload.response.spec.containers.securityContext.allowPrivilegeEscalation |
target.resource_ancestors.attribute.labels[res_spec_container_security_context_allow_privilege_escalation] |
|
protoPayload.response.spec.containers.securityContext.readOnlyRootFilesystem |
target.resource_ancestors.attribute.labels[res_spec_container_security_context_read_only_root_filesystem] |
|
protoPayload.response.spec.containers.securityContext.capabilities.drop |
target.resource_ancestors.attribute.labels[res_spec_container_security_context_capabilities_drop] |
|
protoPayload.response.spec.containers.terminationMessagePath |
target.resource_ancestors.attribute.labels[res_spec_container_termination_message_path] |
|
protoPayload.response.spec.containers.terminationMessagePolicy |
target.resource_ancestors.attribute.labels[res_spec_container_termination_message_policy] |
|
protoPayload.response.spec.containers.volumeMounts.mountPath |
target.resource_ancestors.attribute.labels[res_spec_container_volume_mount_path] |
|
protoPayload.response.spec.containers.volumeMounts.name |
target.resource_ancestors.attribute.labels[res_spec_container_volume_mount_name] |
|
protoPayload.response.spec.containers.volumeMounts.readOnly |
target.resource_ancestors.attribute.labels[res_spec_container_volume_mount_read_only] |
|
protoPayload.response.spec.dnsPolicy |
target.resource.attribute.labels[res_spec_dns_policy] |
|
protoPayload.response.spec.enableServiceLinks |
target.resource.attribute.labels[res_spec_enable_service_links] |
|
protoPayload.response.spec.hostIPC |
target.resource.attribute.labels[res_spec_host_ipc] |
|
protoPayload.response.spec.hostNetwork |
target.resource.attribute.labels[res_spec_host_network] |
|
protoPayload.response.spec.hostPID |
target.resource.attribute.labels[res_spec_host_pid] |
|
protoPayload.response.spec.nodeName |
target.resource.attribute.labels[res_spec_node_name] |
|
protoPayload.response.spec.preemptionPolicy |
target.resource.attribute.labels[res_spec_preemption_policy] |
|
protoPayload.response.spec.priority |
target.resource.attribute.labels[res_spec_priority] |
|
protoPayload.response.spec.restartPolicy |
target.resource.attribute.labels[res_spec_restart_policy] |
|
protoPayload.response.spec.schedulerName |
target.resource.attribute.labels[res_spec_scheduler_name] |
|
protoPayload.response.spec.serviceAccount |
target.resource.attribute.labels[res_spec_service_account] |
|
protoPayload.response.spec.serviceAccountName |
target.resource.attribute.labels[res_spec_serivce_account_name] |
|
protoPayload.response.spec.terminationGracePeriodSeconds |
target.resource.attribute.labels[res_spec_termination_grace_period_seconds] |
|
protoPayload.response.spec.tolerations.effect |
target.resource.attribute.labels[res_spec_toleration_effect] |
|
protoPayload.response.spec.tolerations.key |
target.resource.attribute.labels[res_spec_toleration_key] |
|
protoPayload.response.spec.tolerations.operator |
target.resource.attribute.labels[res_spec_toleration_operator] |
|
protoPayload.response.spec.tolerations.tolerationSeconds |
target.resource.attribute.labels[res_spec_toleration_second] |
|
protoPayload.response.spec.volumes.hostPath.path |
target.resource.attribute.labels[res_spec_volume_host_path] |
|
protoPayload.response.spec.volumes.hostPath.type |
target.resource.attribute.labels[res_spec_volume_host_path_type] |
|
protoPayload.response.spec.volumes.name |
target.resource.attribute.labels[res_spec_volume_name] |
|
protoPayload.response.spec.volumes.projected.defaultMode |
target.resource.attribute.labels[res_spec_volume_projected_default_mode] |
|
protoPayload.response.spec.volumes.projected.sources.serviceAccountToken.expirationSeconds |
target.resource.attribute.labels[res_spec_volume_projected_src_service_acc_token_ecpiration_sec] |
|
protoPayload.response.spec.volumes.projected.sources.serviceAccountToken.path |
target.resource.attribute.labels[res_spec_volume_projected_src_service_acc_token_path] |
|
protoPayload.response.spec.volumes.projected.sources.configMap.items.key |
target.resource.attribute.labels[res_spec_volume_projected_src_config_map_item_key] |
|
protoPayload.response.spec.volumes.projected.sources.configMap.items.path |
target.resource.attribute.labels[res_spec_volume_projected_src_config_map_item_path] |
|
protoPayload.response.spec.volumes.projected.sources.configMap.name |
target.resource.attribute.labels[res_spec_volume_projected_src_config_map_name] |
|
protoPayload.response.spec.volumes.projected.sources.downwardAPI.items.fieldRef.apiVersion |
target.resource.attribute.labels[res_spec_volume_projected_src_downward_api_item_field_ref_api_version] |
|
protoPayload.response.spec.volumes.projected.sources.downwardAPI.items.fieldRef.fieldPath |
target.resource.attribute.labels[res_spec_volume_projected_src_downward_api_item_field_ref_field_path] |
|
protoPayload.response.spec.volumes.projected.sources.downwardAPI.items.path |
target.resource.attribute.labels[res_spec_volume_projected_src_downward_api_item_path] |
|
protoPayload.response.status.phase |
target.resource.attribute.labels[res_status_phase] |
|
protoPayload.response.status.qosClass |
target.resource.attribute.labels[res_status_qos_class] |
|
protoPayload.response.status.currentNumberScheduled |
target.resource.attribute.labels[res_status_current_number_scheduled] |
|
protoPayload.response.status.desiredNumberScheduled |
target.resource.attribute.labels[res_status_desired_number_scheduled] |
|
protoPayload.response.status.numberMisscheduled |
target.resource.attribute.labels[res_status_number_miss_scheduled] |
|
protoPayload.response.status.numberReady |
target.resource.attribute.labels[res_status_number_ready] |
|
protoPayload.serviceData.jobCompletedEvent.job.jobConfiguration.labels.requestor |
target.resource.attribute.labels[ser_jobconf_requestor] |
|
protoPayload.serviceData.jobCompletedEvent.job.jobConfiguration.labels.looker_studio_datasource_id |
target.resource.attribute.labels[ser_jobconf_looker_studio_datasource_id] |
|
protoPayload.serviceData.jobCompletedEvent.job.jobConfiguration.labels.looker_studio_report_id |
target.resource.attribute.labels[ser_jobconf_looker_studio_report_id] |
|
labels.authorization.k8s.io/decision |
security_result.action |
如果 labels.authorization.k8s.io/decision 記錄檔欄位值等於 allow,則 security_result.action UDM 欄位會設為 ALLOW。否則,如果 labels.authorization.k8s.io/decision 記錄檔欄位值等於 block,則 security_result.action UDM 欄位會設為 BLOCK。 |
labels.pod-security.kubernetes.io/enforce-policy |
security_result.detection_fields[pod_security_kubernetes_io_enforce_policy] |
|
labels.authorization.k8s.io/reason |
security_result.action_details |
|
protoPayload.request.roleRef.apiGroup |
target.user.attribute.labels[req_role_ref_api_group] |
|
protoPayload.request.roleRef.kind |
target.user.attribute.labels[req_role_ref_kind] |
|
protoPayload.request.roleRef.name |
target.user.attribute.roles.name |
|
protoPayload.request.subjects.apiGroup |
target.user.attribute.labels[req_subject_api_group] |
|
protoPayload.request.subjects.kind |
target.user.attribute.labels[req_subject_kind] |
|
protoPayload.request.rules.apiGroups |
security_result.rule_labels[req_rule_api_group] |
|
protoPayload.request.rules.resources |
security_result.rule_labels[req_rule_resource] |
|
protoPayload.request.rules.verbs |
security_result.rule_labels[req_rule_verb] |
|
protoPayload.request.rules.resourceNames |
security_result.rule_labels[req_rule_resource_name] |
|
protoPayload.response.metadata.managedFields.apiVersion |
target.resource.attribute.labels[res_managed_field_api_version] |
|
protoPayload.response.metadata.managedFields.fieldsType |
target.resource.attribute.labels[res_managed_field_type] |
|
protoPayload.response.metadata.managedFields.manager |
target.resource.attribute.labels[res_managed_field_manager] |
|
protoPayload.response.metadata.managedFields.operation |
target.resource.attribute.labels[res_managed_field_operation] |
|
protoPayload.response.metadata.managedFields.time |
target.resource.attribute.labels[res_managed_field_time] |
|
protoPayload.request.spec.containers.securityContext.capabilities.add |
target.resource_ancestors.attribute.labels[req_spec_container_security_context_capabilities_add] |
|
protoPayload.request.spec.containers.securityContext.seccompProfile.type |
target.resource_ancestors.attribute.labels[req_spec_container_security_context_seccomp_profile_type] |
|
protoPayload.request.spec.shareProcessNamespace |
target.resource.attribute.labels[req_spec_share_process_namespace] |
|
protoPayload.response.spec.containers.securityContext.capabilities.add |
target.resource_ancestors.attribute.labels[res_spec_container_security_context_capabilities_add] |
|
protoPayload.response.spec.containers.securityContext.seccompProfile.type |
target.resource_ancestors.attribute.labels[res_spec_container_security_context_seccomp_profile_type] |
|
protoPayload.response.spec.shareProcessNamespace |
target.resource.attribute.labels[res_spec_share_process_namespace] |
|
protoPayload.metadata.membershipDelta.member |
target.resource.attribute.labels[membership_delta_member] |
|
protoPayload.metadata.membershipDelta.roleDeltas.action |
target.resource.attribute.labels[membership_role_deltas_action] |
|
protoPayload.metadata.membershipDelta.roleDeltas.role |
target.resource.attribute.labels[membership_role_deltas_role] |
|
protoPayload.request.spec.resourceAttributes.namespace |
target.resource.attribute.labels[req_spec_resource_attribute_namespace] |
|
protoPayload.request.spec.resourceAttributes.resource |
target.resource.attribute.labels[req_spec_resource_attribute_resource] |
|
protoPayload.request.spec.resourceAttributes.verb |
target.resource.attribute.labels[req_spec_resource_attribute_verb] |
|
protoPayload.request.status.allowed |
target.resource.attribute.labels[req_status_allowed] |
|
protoPayload.response.spec.resourceAttributes.namespace |
target.resource.attribute.labels[res_spec_resource_attribute_namespace] |
|
protoPayload.response.spec.resourceAttributes.resource |
target.resource.attribute.labels[res_spec_resource_attribute_resource] |
|
protoPayload.response.spec.resourceAttributes.verb |
target.resource.attribute.labels[res_spec_resource_attribute_verb] |
|
protoPayload.response.status.allowed |
target.resource.attribute.labels[res_status_allowed] |
|
protoPayload.request.objects.db |
additional.fields[database_name] |
|
jsonPayload.accesses.methodName |
additional.fields[methodName] |
|
protoPayload.request.objects.name |
additional.fields[objects_name] |
|
protoPayload.metadata.event.eventName.parameter.name[API_CLIENT_NAME] |
additional.fields[api_client_name] |
|
protoPayload.metadata.event.eventName.parameter.name[API_SCOPES] |
additional.fields[api_scopes] |
|
protoPayload.metadata.event.eventName.parameter.name[BEGIN_DATE_TIME] |
additional.fields[begin_date_time] |
|
protoPayload.metadata.event.eventName.parameter.name[BULK_UPLOAD_FAIL_USERS_NUMBER] |
additional.fields[bulk_upload_fail_users_number] |
|
protoPayload.metadata.event.eventName.parameter.name[BULK_UPLOAD_TOTAL_USERS_NUMBER] |
additional.fields[bulk_upload_total_users_number] |
|
protoPayload.metadata.event.eventName.parameter.name[CAA_ASSIGNMENTS_NEW] |
additional.fields[caa_assignments_new] |
|
protoPayload.metadata.event.eventName.parameter.name[CAA_ASSIGNMENTS_OLD] |
additional.fields[caa_assignments_old] |
|
protoPayload.metadata.event.eventName.parameter.name[CAA_ENFORCEMENT_ENDPOINTS_NEW] |
additional.fields[caa_enforcement_endpoints_new] |
|
protoPayload.metadata.event.eventName.parameter.name[CAA_ENFORCEMENT_ENDPOINTS_OLD] |
additional.fields[caa_enforcement_endpoints_old] |
|
protoPayload.requestMetadata.requestAttributes.size |
additional.fields[caller_network_request_size] |
|
protoPayload.requestMetadata.requestAttributes.time |
additional.fields[caller_network_request_time] |
|
protoPayload.requestMetadata.callerNetwork |
additional.fields[caller_network] |
|
protoPayload.requestMetadata.requestAttributes.size |
additional.fields[caller_network_request_size] |
|
protoPayload.requestMetadata.requestAttributes.time |
additional.fields[request_attributes_time] |
|
protoPayload.requestMetadata.callerNetwork |
additional.fields[caller_network] |
|
protoPayload.metadata.event.eventName.parameter.name[CHROME_LICENSES_ENABLED] |
additional.fields[chrome_licenses_enabled] |
|
protoPayload.metadata.event.eventName.parameter.name[END_DATE_TIME] |
additional.fields[end_date_time] |
|
protoPayload.metadata.event.eventName.parameter.name[END_DATE] |
additional.fields[end_date] |
|
protoType.metadata.event.eventName |
additional.fields[event_name] |
|
protoPayload.metadata.event.parameter.label |
additional.fields[event_param_label] |
|
protoPayload.metadata.event.parameter.type |
additional.fields[event_param_type] |
|
protoType.metadata.event.eventType |
additional.fields[event_type] |
|
protoPayload.metadata.event.eventName.parameter.name[FIELD_NAME] |
additional.fields[field_name] |
|
protoPayload.metadata.event.eventName.parameter.name[FULL_ORG_UNIT_PATH] |
additional.fields[full_org_unit_path] |
|
protoPayload.metadata.event.eventName.parameter.name[GROUP_MEMBER_BULK_UPLOAD_FAILED_NUMBER] |
additional.fields[grp_member_bulk_upload_failed] |
|
protoPayload.metadata.event.eventName.parameter.name[GROUP_MEMBER_BULK_UPLOAD_TOTAL_NUMBER] |
additional.fields[grp_member_bulk_upload_total] |
|
httpRequest.cacheFillBytes |
additional.fields[httpreq_cache_fill_bytes] |
|
httpRequest.cacheHit |
additional.fields[httpreq_cache_hit] |
|
httpRequest.cacheLookup |
additional.fields[httpreq_cache_lookup] |
|
httpRequest.cacheValidatedWithOriginServer |
additional.fields[httpreq_cache_validated_with_origin_server] |
|
httpRequest.latency |
additional.fields[httprequest_latency] |
|
protoPayload.metadata.event.eventName.parameter.name[INFO_TYPE] |
additional.fields[info_type] |
|
protoPayload.metadata.activityId.timeUsec |
additional.fields[metadata_activityId_time_usec] |
|
protoPayload.metadata.activityId.uniqQualifier |
additional.fields[metadata_activityId_uniq_qualifier] |
|
protoPayload.metadata.@type |
additional.fields[metadata_type] |
|
protoPayload.metadata.event.eventName.parameter.name[NEW_PERMISSION_GRANT_STATE] |
additional.fields[new_permission_grant_state] |
|
protoPayload.metadata.event.eventName.parameter.name[NUMBER_OF_COMPANY_OWNED_DEVICES] |
additional.fields[num_of_company_owned_device] |
|
protoPayload.numResponseItems |
additional.fields[num_response_items] |
|
protoPayload.metadata.event.eventName.parameter.name[OLD_PERMISSION_GRANT_STATE] |
additional.fields[old_permission_grant_state] |
|
operation.first |
additional.fields[operation_first] |
|
operation.id |
additional.fields[operation_id] |
|
operation.last |
additional.fields[operation_last] |
|
operation.producer |
additional.fields[operation_producer] |
|
protoPayload.resourceOriginalState.selfLinkWithId |
additional.fields[rc_old_selflinkWithId] |
|
protoPayload.metadata.event.eventName.parameter.name[REAUTH_SETTING_NEW] |
additional.fields[reauth_setting_new] |
|
protoPayload.metadata.event.eventName.parameter.name[REAUTH_SETTING_OLD] |
additional.fields[reauth_setting_old] |
|
protoPayload.request.alloweds.ports |
additional.fields[req_alloweds_ports] |
|
protoPayload.request.body.name |
additional.fields[req_body_name] |
|
protoPayload.request.body.settings.activityPolicy |
additional.fields[req_body_settings_activity_policy] |
|
protoPayload.request.deletionProtection |
additional.fields[req_deletion_protection] |
|
protoPayload.request.disabled |
additional.fields[req_disabled] |
|
protoPayload.request.displayDevice.enableDisplay |
additional.fields[req_display_device_enable_display] |
|
protoPayload.request.enableFlowLogs |
additional.fields[req_enable_flow_logs] |
|
protoPayload.request.fingerprint |
additional.fields[req_fingerprint] |
|
protoPayload.request.shieldedInstanceConfig.enableSecureBoot |
additional.fields[req_instance_config_enable_secure_boot] |
|
protoPayload.request.shieldedInstanceConfig.enableVtpm |
additional.fields[req_instance_config_enable_vtpm] |
|
protoPayload.request.shieldedInstanceConfig.enableIntegrityMonitoring |
additional.fields[req_instance_enable_integrity_monitoring] |
|
protoPayload.request.key_types |
additional.fields[req_key_types] |
|
protoPayload.request.logconfig.enable |
additional.fields[req_logconfig_enable] |
|
protoPayload.request.networkTier |
additional.fields[req_network_tier] |
|
protoPayload.request.network |
additional.fields[req_network] |
|
protoPayload.request.page_size |
additional.fields[req_page_size] |
|
request.pagesize |
additional.fields[req_page_size] |
|
protoPayload.request.policy.etag |
additional.fields[req_policy_etag] |
|
protoPayload.request.portRange |
additional.fields[req_port_range] |
|
protoPayload.request.privateIpGoogleAccess |
additional.fields[req_private_ip_google_access] |
|
protoPayload.request.private_key_type |
additional.fields[req_private_key_type] |
|
protoPayload.request.remove_deleted_service_accounts |
additional.fields[req_remove_deleted_serviceAcc] |
|
protoPayload.request.showDeleted |
additional.fields[req_show_deleted] |
|
protoPayload.request.skip_visibility_check |
additional.fields[req_skip_visibility_check] |
|
protoPayload.request.stackType |
additional.fields[req_stack_type] |
|
protoPayload.request.type |
additional.fields[req_type] |
|
protoPayload.request.updateMask |
additional.fields[req_update_mask] |
|
protoPayload.request.version |
additional.fields[req_version] |
|
protoPayload.response.clientOperationId |
additional.fields[res_client_operation_id] |
|
protoPayload.response.endTime |
additional.fields[res_end_time] |
|
protoPayload.response.id |
additional.fields[res_id] |
|
protoPayload.response.key_algorithm |
additional.fields[res_key_algorithm] |
|
protoPayload.response.key_origin |
additional.fields[res_key_origin] |
|
protoPayload.response.key_type |
additional.fields[res_key_type] |
|
protoPayload.response.kind |
additional.fields[res_kind] |
|
protoPayload.response.private_key_type |
additional.fields[res_private_key_type] |
|
protoPayload.response.progress |
additional.fields[res_progress] |
|
protoPayload.response.startTime |
additional.fields[res_start_time] |
|
protoPayload.response.status |
security_result.action |
符合下列條件時,security_result.action 會設為 FAIL:
|
protoPayload.response.status |
additional.fields[res_status] |
|
protoPayload.response.type |
additional.fields[res_type] |
|
protoPayload.response.unique_id |
additional.fields[res_unique_id] |
|
protoPayload.response.valid_after_time.seconds |
additional.fields[res_valid_after_time] |
|
protoPayload.response.valid_before_time.seconds |
additional.fields[res_valid_before_time] |
|
protoPayload.response.version |
additional.fields[res_version] |
|
protoPayload.response.zone |
additional.fields[res_zone] |
|
protoPayload.metadata.event.eventName.parameter.name[SEARCH_QUERY_FOR_DUMP] |
additional.fields[search_query_for_dump] |
|
spanId |
additional.fields[span_id] |
|
protoPayload.metadata.event.eventName.parameter.name[START_DATE] |
additional.fields[start_date] |
|
traceSampled |
additional.fields[trace_sampled] |
|
Trace |
additional.fields[trace] |
|
protoPayload.@type |
additional.fields[type] |
|
protoPayload.redactions.reason |
additional.fields[protoPayload.redactions.field] |
|
protoPayload.redactions.type |
additional.fields[protoPayload.redactions.field] |
|
authenticationInfo.serviceAccountDelegationInfo.firstPartyPrincipal.serviceMetadata |
additional.fields[service_metadata] |
|
jsonPayload.sourceNetwork |
additional.fields[source_network] |
|
authenticationInfo.serviceAccountDelegationInfo.thirdPartyPrincipal.thirdPartyClaims |
additional.fields[third_party_claims] |
|
protoPayload.requestMetadata.requestAttributes.time |
additional.fields[caller_network_request_time] |
|
protoPayload.request.ipCidrRange |
additional.fields[req_ip_cidr_range] |
|
protoPayload.request.description |
additional.labels[req_description] |
|
protoPayload.request.sourceRanges |
additional.fields[req_source_ranges] |
|
protoPayload.requestMetadata.requestAttributes.reason |
additional.fields[request_attributes_reason] |
|
protoPayload.authenticationInfo.thirdPartyPrincipal |
additional.fields[third_party_principal] |
|
sourceLocation.function |
additional.fields[src_location_function] |
|
sourceLocation.line |
additional.fields[src_location_line] |
|
resource.labels.backend_service_name |
additional.fields[backend_service_name] |
|
protoPayload.requestMetadata.requestAttributes.auth.claims |
additional.fields[request_auth_claims] |
|
protoPayload.metadata.event.eventName.parameter.name[APPLICATION_EDITION] |
additional.fields[application_edition] |
|
protoPayload.metadata.event.eventName.parameter.name[ASP_ID] |
additional.fields[asp_id] |
|
protoPayload.metadata.event.eventName.parameter.name[CHROME_OS_SESSION_TYPE] |
additional.fields[chrome_os_session_type] |
|
protoPayload.metadata.event.eventName.parameter.name[DEVICE_NEW_ORG_UNIT] |
additional.fields[device_new_org_unit] |
|
protoPayload.metadata.event.eventName.parameter.name[DEVICE_PREVIOUS_ORG_UNIT] |
additional.fields[device_previous_org_unit] |
|
protoPayload.metadata.event.eventName.parameter.name[DOMAIN_ALIAS] |
additional.fields[domain_alias] |
|
protoPayload.metadata.event.eventName.parameter.name[EMAIL_EXPORT_INCLUDE_DELETED] |
additional.fields[email_export_include_deleted] |
|
protoPayload.metadata.event.eventName.parameter.name[EMAIL_EXPORT_PACKAGE_CONTENT] |
additional.fields[email_export_package_content] |
|
protoPayload.metadata.event.eventName.parameter.name[EMAIL_LOG_SEARCH_END_DATE] |
additional.fields[email_log_search_end_date] |
|
protoPayload.metadata.event.eventName.parameter.name[EMAIL_LOG_SEARCH_START_DATE] |
additional.fields[email_log_search_start_date] |
|
protoPayload.metadata.event.eventName.parameter.name[EMAIL_MONITOR_LEVEL_CHAT] |
additional.fields[email_monitor_level_chat] |
|
protoPayload.metadata.event.eventName.parameter.name[EMAIL_MONITOR_LEVEL_DRAFT_EMAIL] |
additional.fields[email_monitor_level_draft_email] |
|
protoPayload.metadata.event.eventName.parameter.name[EMAIL_MONITOR_LEVEL_INCOMING_EMAIL] |
additional.fields[email_monitor_level_in_email] |
|
protoPayload.metadata.event.eventName.parameter.name[EMAIL_MONITOR_LEVEL_OUTGOING_EMAIL] |
additional.fields[email_monitor_level_out_email] |
|
protoPayload.metadata.event.eventName.parameter.name[GMAIL_RESET_REASON] |
additional.fields[email_reset_reason] |
|
protoPayload.metadata.event.eventName.parameter.name[NEW_VALUE] |
additional.fields[new_value] |
|
protoPayload.metadata.event.eventName.parameter.name[OAUTH2_APP_TYPE] |
additional.fields[oauth2_app_type] |
|
protoPayload.metadata.event.eventName.parameter.name[OLD_VALUE] |
additional.fields[old_value] |
|
protoPayload.requestMetadata.destinationAttributes.principal |
additional.fields[peer_principal] |
|
protoPayload.requestMetadata.destinationAttributes.regionCode |
additional.fields[peer_region_code] |
|
protoPayload.request.loadBalancingScheme |
additional.fields[req_load_balancing_scheme] |
|
protoPayload.request.requestId |
additional.fields[request_id] |
|
protoPayload.metadata.event.eventName.parameter.name[REQUEST_ID] |
additional.fields[request_id] |
|
protoPayload.resourceOriginalState.description |
additional.fields[res_originalState_description] |
|
protoPayload.response.bindings.members |
additional.fields[response_bindings_members] |
|
protoPayload.response.description |
additional.fields[response_description] |
|
protoPayload.response.display_name |
additional.fields[response_display_name] |
|
protoPayload.metadata.event.eventName.parameter.name[SECONDARY_DOMAIN_NAME] |
additional.fields[secondary_domain_name] |
|
protoPayload.metadata.event.eventName.parameter.name[SETTING_NAME] |
additional.fields[setting_name] |
|
protoPayload.metadata.event.eventName.parameter.name[USER_CUSTOM_FIELD] |
additional.fields[user_custom_field] |
|
protoPayload.metadata.event.eventName.parameter.name[USER_DEFINED_SETTING_NAME] |
additional.fields[user_defined_setting_name] |
|
protoPayload.metadata.event.eventName.parameter.name[WEB_ORIGIN] |
additional.fields[web_origin] |
|
protoPayload.metadata.event.eventName.parameter.name[WHITELISTED_GROUPS] |
additional.fields[whitelisted_groups] |
|
jsonPayload.end_time |
additional.fields[jsonPayload_end_time] |
|
jsonPayload.reporter |
additional.fields[jsonPayload_reporter] |
|
jsonPayload.start_time |
additional.fields[jsonPayload_start_time] |
|
jsonPayload.src_instance.project_id |
additional.fields[jsonPayload_src_instance_project_id] |
|
jsonPayload.dest_instance.project_id |
additional.fields[jsonPayload_dest_instance_project_id] |
|
jsonPayload.src_location.asn |
additional.fields[jsonPayload_src_location_asn] |
|
jsonPayload.src_location.continent |
additional.fields[jsonPayload_src_location_continent] |
|
jsonPayload.dest_location.asn |
additional.fields[jsonPayload_dest_location_asn] |
|
jsonPayload.dest_location.continent |
additional.fields[jsonPayload_dest_location_continent] |
|
protoPayload.request.spec.expirationSeconds |
target.resource.attribute.labels[req_spec_expiration_seconds] |
|
protoPayload.request.spec.request |
target.resource.attribute.labels[req_spec_request] |
|
protoPayload.request.spec.signerName |
target.resource.attribute.labels[req_spec_signer_name] |
|
protoPayload.request.spec.usages |
target.resource.attribute.labels[req_spec_usage] |
|
protoPayload.response.spec.expirationSeconds |
target.resource.attribute.labels[res_spec_expiration_seconds] |
|
protoPayload.response.spec.extra.iam.gke.io/user-assertion |
target.resource.attribute.labels[res_spec_extra_iam_gke_io/user_assertion] |
|
protoPayload.response.spec.extra.user-assertion.cloud.google.com |
target.resource.attribute.labels[res_spec_extra_user_assertion_cloud_google_com] |
|
protoPayload.response.spec.groups |
target.resource.attribute.labels[res_spec_group] |
|
protoPayload.response.spec.request |
target.resource.attribute.labels[res_spec_request] |
|
protoPayload.response.spec.signerName |
target.resource.attribute.labels[res_spec_signer_name] |
|
protoPayload.response.spec.usages |
target.resource.attribute.labels[res_spec_usage] |
|
protoPayload.response.spec.username |
target.resource.attribute.labels[res_spec_username] |
|
protoPayload.request.cryptoKeyVersion.state |
target.resource.attribute.labels[req_cryptokey_version_state] |
|
protoPayload.serviceData.policyDelta.auditConfigDeltas.action |
target.resource.attribute.labels[service_data_policy_delta_audit_config_delta_action] |
|
protoPayload.serviceData.policyDelta.auditConfigDeltas.service |
target.resource.attribute.labels[service_data_policy_delta_audit_config_delta_service] |
|
protoPayload.serviceData.policyDelta.auditConfigDeltas.exemptedMember |
target.resource.attribute.labels[service_data_policy_delta_audit_config_delta_exempted_member] |
|
protoPayload.serviceData.policyDelta.auditConfigDeltas.logType |
target.resource.attribute.labels[service_data_policy_delta_audit_config_delta_log_type] |
|
protoPayload.request.policy.bindings.role |
target.resource.attribute.labels[req_policy_bindings_role] |
|
protoPayload.request.policy.bindings.members |
target.resource.attribute.labels[req_bindings_members] |
|
protoPayload.metadata.tableChange.bindingDeltas.action |
target.resource.attribute.labels[table_change_binding_deltas_action] |
|
protoPayload.metadata.tableChange.bindingDeltas.member |
target.resource.attribute.labels[table_change_binding_deltas_member] |
|
protoPayload.metadata.tableChange.bindingDeltas.role |
target.resource.attribute.labels[table_change_binding_deltas_role] |
|
protoPayload.metadata.datasetChange.bindingDeltas.action |
target.resource.attribute.labels[dataset_change_binding_deltas_action] |
|
protoPayload.metadata.datasetChange.bindingDeltas.member |
target.resource.attribute.labels[dataset_change_binding_deltas_member] |
|
protoPayload.metadata.datasetChange.bindingDeltas.role |
target.resource.attribute.labels[dataset_change_binding_deltas_role] |
|
protoPayload.metadata.tableChange.table.policy.etag |
target.resource.attribute.labels[table_change_table_policy_etag] |
|
protoPayload.metadata.tableChange.table.policy.bindings.role |
target.resource.attribute.labels[table_change_table_policy_bindings_{index}_role] |
|
protoPayload.metadata.tableChange.table.policy.bindings.members |
target.resource.attribute.labels[table_change_table_policy_bindings_{index}_members_{index1}] |
|
protoPayload.metadata.datasetChange.dataset.acl.policy.bindings.role |
target.resource.attribute.labels[dataset_change_dataset_acl_policy_bindings_{index}_role] |
|
protoPayload.metadata.datasetChange.dataset.acl.policy.bindings.members |
target.resource.attribute.labels[dataset_change_dataset_acl_policy_bindings_{index}_members_{index1}] |
|
protoPayload.request.bindings.role |
target.resource.attribute.labels[request_bindings_{index}_role] |
|
protoPayload.request.bindings.members |
target.resource.attribute.labels[request_bindings_{index}_members_{index1}] |
|
protoPayload.metadata.groupDelta.newGroup.description |
target.group.attribute.labels[metadata_group_delta_new_group_description] |
|
protoPayload.metadata.groupDelta.newGroup.email |
target.group.email_addresses |
|
protoPayload.metadata.groupDelta.newGroup.name |
target.group.group_display_name |
|
protoPayload.metadata.groupDelta.action |
target.group.attribute.labels[metadata_group_delta_action] |
|
protoPayload.response.spec.template.metadata.labels.client.knative.dev/nonce |
target.resource.attribute.labels[res_spec_template_metadata_nonce] |
|
protoPayload.response.spec.template.metadata.annotations.run.googleapis.com/client-name |
target.resource.attribute.labels[res_spec_template_metadata_client_name] |
|
protoPayload.response.spec.template.metadata.annotations.run.googleapis.com/client-version |
target.resource.attribute.labels[res_spec_template_metadata_client_version] |
|
protoPayload.response.spec.template.metadata.annotations.run.googleapis.com/execution-environment |
target.resource.attribute.labels[res_spec_template_metadata_exection_environment] |
|
protoPayload.response.spec.template.spec.taskCount |
target.resource.attribute.labels[res_spec_template_spec_taskcount] |
|
protoPayload.response.spec.template.spec.template.spec.containers.image |
target.resource_ancestors.attribute.labels[res_spec_template_spec_template_spec_container_image] |
|
protoPayload.response.spec.template.spec.template.spec.containers.resources.limits.memory |
target.resource_ancestors.attribute.labels[res_spec_template_spec_template_spec_container_resource_limits_memory] |
|
protoPayload.response.spec.template.spec.template.spec.containers.resources.limits.cpu |
target.resource_ancestors.attribute.labels[res_spec_template_spec_template_spec_container_resource_limits_cpu] |
|
protoPayload.response.spec.template.spec.template.spec.maxRetries |
target.resource.attribute.labels[res_spec_template_spec_template_spec_max_retries] |
|
protoPayload.response.spec.template.spec.template.spec.timeoutSeconds |
target.resource.attribute.labels[res_spec_template_spec_template_spec_timeout_seconds] |
|
protoPayload.response.spec.template.spec.template.spec.serviceAccountName |
principal.user.email_addresses |
|
protoPayload.request.service.metadata.annotations.run.googleapis.com/client-name |
target.resource_ancestors.attribute.labels[req_service_metadata_client_name] |
|
protoPayload.request.service.metadata.annotations.serving.knative.dev/creator |
target.resource_ancestors.attribute.labels[req_service_metadata_creator] |
|
protoPayload.request.service.metadata.annotations.run.googleapis.com/client-version |
target.resource_ancestors.attribute.labels[req_service_metadata_client_version] |
|
protoPayload.request.service.metadata.annotations.run.googleapis.com/operation-id |
target.resource_ancestors.attribute.labels[req_service_metadata_client_operation_id] |
|
protoPayload.request.service.metadata.annotations.run.googleapis.com/binary-authorization |
target.resource_ancestors.attribute.labels[req_service_metadata_binary_authorization] |
|
protoPayload.request.service.metadata.annotations.run.googleapis.com/ingress-status |
target.resource_ancestors.attribute.labels[req_service_metadata_client_ingress_status] |
|
protoPayload.request.service.metadata.annotations.serving.knative.dev/lastModifier |
target.resource_ancestors.attribute.labels[req_service_metadata_last_modifier] |
|
protoPayload.request.service.metadata.annotations.run.googleapis.com/ingress |
target.resource_ancestors.attribute.labels[req_service_metadata_ingress] |
|
protoPayload.request.service.spec.template.metadata.annotations.run.googleapis.com/client-name |
target.resource_ancestors.attribute.labels[req_service_spec_template_metadata_client_name] |
|
protoPayload.request.service.spec.template.metadata.annotations.run.googleapis.com/client-version |
target.resource_ancestors.attribute.labels[req_service_spec_template_metadata_client_version] |
|
protoPayload.request.service.spec.template.metadata.annotations.autoscaling.knative.dev/maxScale |
target.resource_ancestors.attribute.labels[req_service_spec_template_metadata_max_scale] |
|
protoPayload.request.New Data |
target.resource_ancestors.attribute.labels[req_new_data] |
|
protoPayload.response.Original Data |
target.resource_ancestors.attribute.labels[req_original_data] |
|
protoPayload.response.spec.template.spec.containers.securityContext.runAsUser |
target.resource_ancestors.attribute.labels[res_spec_template_spec_containers_securitycontext_run_as_user] |
|
protoPayload.request.timestampRange.startTime |
target.resource.attribute.labels[timestamp_range_start_time] |
|
protoPayload.request.timestampRange.endTime |
target.resource.attribute.labels[timestamp_range_end_time] |
|
protoPayload.request.regexSearch |
target.resource.attribute.labels[request_regex_search] |
|
protoPayload.request.productSources |
target.resource.attribute.labels[request_product_sources] |
|
protoPayload.request.query |
target.resource.attribute.labels[request_query] |
|
protoPayload.request.caseSensitive |
target.resource.attribute.labels[request_case_sensitive] |
|
protoPayload.request.baselineQuery |
target.resource.attribute.labels[baseline_query] |
|
protoPayload.request.baselineTimeRange.startTime |
target.resource.attribute.labels[baseline_time_range_start_time] |
|
protoPayload.request.baselineTimeRange.endTime |
target.resource.attribute.labels[baseline_time_range_end_time] |
|
protoPayload.response.serviceConfig.timeoutSeconds |
target.resource.attribute.labels[response_service_config_timeout_seconds] |
|
labels.execution_id |
additional.fields[execution_id] |
|
labels.instance_id |
additional.fields[instance_id] |
|
labels.runtime_version |
additional.fields[runtime_version] |
|
protoPayload.metadata.updatedGrant.requester |
principal.user.userid |
如果 protoPayload.serviceName 記錄檔欄位值等於 privilegedaccessmanager.googleapis.com,則 protoPayload.metadata.updatedGrant.requester 記錄檔欄位會對應至 principal.user.userid UDM 欄位。 |
protoPayload.metadata.updatedGrant.requestedDuration |
target.resource.attribute.labels[requestedDuration] |
如果 protoPayload.serviceName 記錄檔欄位值等於 privilegedaccessmanager.googleapis.com,則 protoPayload.metadata.updatedGrant.requestedDuration 記錄檔欄位會對應至 target.resource.attribute.labels UDM 欄位。 |
protoPayload.metadata.updatedGrant.justification.unstructuredJustification |
target.resource.attribute.labels[justification] |
如果 protoPayload.serviceName 記錄檔欄位值等於 privilegedaccessmanager.googleapis.com,則 protoPayload.metadata.updatedGrant.justification.unstructuredJustification 記錄檔欄位會對應至 target.resource.attribute.labels UDM 欄位。 |
protoPayload.metadata.updatedGrant.privilegedAccess.gcpIamAccess.roleBindings.role |
target.resource.attribute.roles.name |
如果 protoPayload.serviceName 記錄檔欄位值等於 privilegedaccessmanager.googleapis.com,則 protoPayload.metadata.updatedGrant.privilegedAccess.gcpIamAccess.roleBindings.role 記錄檔欄位會對應至 target.resource.attribute.roles.name UDM 欄位。 |
protoPayload.metadata.updatedGrant.privilegedAccess.gcpIamAccess.resourceType |
target.resource.attribute.labels[resourceType] |
如果 protoPayload.serviceName 記錄檔欄位值等於 privilegedaccessmanager.googleapis.com,則 protoPayload.metadata.updatedGrant.privilegedAccess.gcpIamAccess.resourceType 記錄檔欄位會對應至 target.resource.attribute.labels UDM 欄位。 |
protoPayload.metadata.updatedGrant.privilegedAccess.gcpIamAccess.resource |
target.resource.attribute.labels[resource] |
如果 protoPayload.serviceName 記錄檔欄位值等於 privilegedaccessmanager.googleapis.com,則 protoPayload.metadata.updatedGrant.privilegedAccess.gcpIamAccess.resource 記錄檔欄位會對應至 target.resource.attribute.labels UDM 欄位。 |
protoPayload.metadata.updatedGrant.state |
target.resource.attribute.labels[state] |
如果 protoPayload.serviceName 記錄檔欄位值等於 privilegedaccessmanager.googleapis.com,則 protoPayload.metadata.updatedGrant.state 記錄檔欄位會對應至 target.resource.attribute.labels UDM 欄位。 |
protoPayload.metadata.jobInsertion.job.jobConfig.labels.looker_studio_report_id |
target.resource.attribute.labels[job_insertion_looker_studio_report_id] |
如果 protoPayload.serviceName 記錄檔欄位值等於 privilegedaccessmanager.googleapis.com,則 protoPayload.metadata.jobInsertion.job.jobConfig.labels.looker_studio_report_id 記錄檔欄位會對應至 target.resource.attribute.labels UDM 欄位。 |
protoPayload.metadata.jobInsertion.job.jobConfig.labels.requestor |
target.resource.attribute.labels[job_insertion_requestor] |
如果 protoPayload.serviceName 記錄檔欄位值等於 privilegedaccessmanager.googleapis.com,則 protoPayload.metadata.jobInsertion.job.jobConfig.labels.requestor 記錄檔欄位會對應至 target.resource.attribute.labels UDM 欄位。 |
protoPayload.metadata.jobInsertion.job.jobConfig.labels.looker_studio_datasource_id |
target.resource.attribute.labels[job_insertion_looker_studio_datasource_id] |
如果 protoPayload.serviceName 記錄檔欄位值等於 privilegedaccessmanager.googleapis.com,則 protoPayload.metadata.jobInsertion.job.jobConfig.labels.looker_studio_datasource_id 記錄檔欄位會對應至 target.resource.attribute.labels UDM 欄位。 |
protoPayload.response.displayName |
security_result.associations.name |
如果 protoPayload.response.displayName 記錄檔欄位值不為空,則 protoPayload.response.displayName 記錄檔欄位會對應至 security_result.associations.name UDM 欄位。 |
protoPayload.request.referenceList.displayName |
security_result.associations.name |
如果 protoPayload.response.displayName 記錄檔欄位值為空白,則 protoPayload.request.referenceList.displayName 記錄檔欄位會對應至 security_result.associations.name UDM 欄位。 |
protoPayload.resourceName |
security_result.detection_fields[rule_id] |
如果 protoPayload.resourceName 記錄檔欄位值不為空,且 protoPayload.response.@type 記錄檔欄位值為 type.googleapis.com/google.cloud.chronicle.v1alpha.Rule,系統就會使用 Grok 模式從 protoPayload.resourceName 記錄檔欄位擷取 new_rule_id,並對應至 security_result.detection_fields[rule_id] UDM 欄位。 |
protoPayload.request.projection |
target.resource.attribute.labels[req_projection] |
|
protoPayload.response.items.metageneration |
target.resource.attribute.labels[res_items_metageneration] |
|
protoPayload.response.items.labels.created_date |
target.resource.attribute.labels[res_items_labels_created_date] |
|
protoPayload.response.items.labels.team_email |
target.resource.attribute.labels[res_items_labels_team_email] |
|
protoPayload.response.items.labels.team_name |
target.resource.attribute.labels[res_items_labels_team_name] |
|
protoPayload.response.items.labels.office_number |
target.resource.attribute.labels[res_items_labels_official_number] |
|
protoPayload.response.items.labels.department |
target.resource.attribute.labels[res_items_labels_department] |
|
protoPayload.response.items.labels.business_project_number |
target.resource.attribute.labels[res_items_labels_business_project_number] |
|
protoPayload.response.items.labels.owner_email |
target.resource.attribute.labels[res_items_labels_owner_email] |
|
protoPayload.response.items.labels.purchase_order_number |
target.resource.attribute.labels[res_items_labels_purchase_order_number] |
|
protoPayload.response.items.labels.office_name |
target.resource.attribute.labels[res_items_labels_office_name] |
|
protoPayload.response.items.labels.environment |
target.resource.attribute.labels[res_items_labels_environment] |
|
protoPayload.response.items.labels.created_by |
target.resource.attribute.labels[res_items_labels_created_by] |
|
protoPayload.response.items.labels.project_name |
target.resource.attribute.labels[res_items_labels_project_name] |
|
protoPayload.response.items.labels.finops_tag |
target.resource.attribute.labels[res_items_labels_finops_tag] |
|
protoPayload.response.items.labels.owner_role |
target.resource.attribute.labels[res_items_labels_owner_role] |
|
protoPayload.response.items.versioning.enabled |
target.resource.attribute.labels[res_items_versioning_enabled] |
|
protoPayload.response.items.iamConfiguration.publicAccessPrevention |
target.resource.attribute.labels[res_items_iam_conf_public_access_prevention] |
|
protoPayload.response.items.iamConfiguration.uniformBucketLevelAccess.lockedTime |
target.resource.attribute.labels[res_items_iam_conf_uniform_bucket_level_access_locked_time] |
|
protoPayload.response.items.iamConfiguration.uniformBucketLevelAccess.enabled |
target.resource.attribute.labels[res_items_iam_conf_uniform_bucket_level_access_enabled] |
|
protoPayload.response.items.id |
target.resource.attribute.labels[res_items_id] |
|
protoPayload.response.items.updated |
target.resource.attribute.labels[res_items_updated] |
|
protoPayload.response.items.storageClass |
target.resource.attribute.labels[res_items_storage_class] |
|
protoPayload.response.items.timeCreated |
target.resource.attribute.labels[res_items_time_created] |
|
protoPayload.response.items.location |
target.resource.attribute.labels[res_items_location] |
|
protoPayload.response.items.locationType |
target.resource.attribute.labels[res_items_location_type] |
|
protoPayload.response.items.projectNumber |
target.resource.attribute.labels[res_items_project_number] |
|
protoPayload.response.items.name |
target.resource.attribute.labels[res_items_name] |
|
protoPayload.response.items.softDeletePolicy.effectiveTime |
target.resource.attribute.labels[res_items_soft_delete_policy_effective_time] |
|
protoPayload.response.items.softDeletePolicy.retentionDurationSeconds |
target.resource.attribute.labels[res_items_soft_delete_policy_retention_duration_seconds] |
|
protoPayload.response.items.etag |
target.resource.attribute.labels[res_items_etag] |
|
protoPayload.response.code |
network.http.response_code |
|
protoPayload.response.reason |
additional.fields[res_reason] |
|
protoPayload.request.spec.template.spec.containers.securityContext.runAsUser |
target.resource.attribute.labels[req_spec_template_spec_containers_securitycontext_run_as_user] |
後續步驟
還有其他問題嗎?向社群成員和 Google SecOps 專業人員尋求答案。