收集 Google Cloud Cloud SQL 記錄
本文說明如何啟用遙測資料擷取功能,將 Cloud SQL 記錄匯出至 Google Security Operations,以及 Cloud SQL 記錄欄位如何對應至 Google Security Operations 統一資料模型 (UDM) 欄位。 Google Cloud
詳情請參閱「將資料擷取至 Google Security Operations 總覽」。
一般部署作業會啟用 Cloud SQL 記錄,以便擷取至 Google Security Operations。每個客戶的部署作業可能與此表示法不同,且可能更為複雜。
部署作業包含下列元件:
Google Cloud:您要收集記錄的 Google Cloud 服務和產品
Cloud SQL 記錄:已啟用擷取至 Google Security Operations 的 Cloud SQL 記錄
Google Security Operations:保留及分析 Cloud SQL 記錄和 Google Workspace 稽核記錄
擷取標籤會識別剖析器,該剖析器會將原始記錄資料正規化為具結構性的 UDM 格式。本文中的資訊適用於具有 GCP_CLOUDSQL 攝取標籤的剖析器。
事前準備
請確認您已使用 Identity and Access Management (IAM),為機構和資源設定存取權控管。如要進一步瞭解存取權控管,請參閱「使用 IAM 對機構進行存取權控管」一文。
請確保部署架構中的所有系統都以世界標準時間設定。
確認 Cloud SQL 剖析器支援的方法。下表列出 Cloud SQL 剖析器支援的資源和方法:
資源 方法 backupRun - get
- insert
- 刪除
- list
個資料庫 - get
- 刪除
- insert
- list
- patch
- update
執行個體 - get
- list
- create
- clone
- 刪除
- addServerCa
- demoteMaster
- 匯出
- 容錯移轉
- import
- insert
- listServerCas
- patch
- promoteReplica
- resetSslConfig
- 重新啟動
- restoreBackup
- rotateServerCa
- startReplica
- stopReplica
- truncateLog
- update
作業 - get
- list
projects.instances - rescheduleMaintenance
- startExternalSync
- verifyExternalSyncSettings
sslCerts - createEphemeral
- 刪除
- get
- insert
- list
輪胎 - list
使用者 - 刪除
- get
- insert
- list
- update
flags - list
設定 Cloud SQL 記錄檔的擷取作業
如要將 Cloud SQL 記錄擷取至 Google Security Operations,請按照「將記錄擷取至 Google Security Operations Google Cloud 」頁面的步驟操作。
如果擷取 Cloud SQL 記錄時發生問題,請與 Google Security Operations 支援團隊聯絡。
支援的 Cloud SQL 記錄格式
Cloud SQL 剖析器支援 JSON 格式的記錄。
支援的 Cloud SQL 範例記錄
JSON
{ "protoPayload": { "@type": "type.googleapis.com/google.cloud.audit.AuditLog", "status": {}, "authenticationInfo": { "principalEmail": "test.user@example.com" }, "requestMetadata": { "callerIp": "198.51.100.0", "requestAttributes": { "time": "2023-05-18T06:16:08.481272Z", "auth": {} }, "destinationAttributes": {} }, "serviceName": "cloudsql.googleapis.com", "methodName": "cloudsql.backupRuns.list", "authorizationInfo": [ { "resource": "projects/test-project/instances/test-instance", "permission": "cloudsql.backupRuns.list", "granted": true, "resourceAttributes": { "service": "sqladmin.googleapis.com", "name": "projects/test-project/instances/test-instance", "type": "sqladmin.googleapis.com/Instance" } } ], "resourceName": "projects/test-project/instances/test-instance", "request": { "instance": "test-instance", "maxResults": 1000, "project": "dummy-project", "@type": "type.googleapis.com/google.cloud.sql.v1beta4.SqlBackupRunsListRequest" } }, "insertId": "9fsk13e6h22g", "resource": { "type": "cloudsql_database", "labels": { "database_id": "test-project:test-instance", "region": "us-central1", "project_id": "dummy-project" } }, "timestamp": "2023-05-18T06:16:08.383405Z", "severity": "INFO", "logName": "projects/test-project/logs/cloudaudit.googleapis.com%2Fdata_access", "receiveTimestamp": "2023-05-18T06:16:08.563749821Z" }
欄位對應參考資料
本節說明 Google Security Operations 剖析器如何將 Cloud SQL 記錄欄位對應至 Google Security Operations 統合式資料模型 (UDM) 欄位。
| Log field | UDM mapping | Logic |
|---|---|---|
protoPayload.request.spec.containers.0.args |
about.file.capabilities_tags |
|
protoPayload.metadata.backupCompletionTime |
about.labels[backup_completion_time] (deprecated) |
|
protoPayload.metadata.backupCompletionTime |
additional.fields[backup_completion_time] |
|
protoPayload.metadata.backupStartTime |
about.labels[backup_start_time] (deprecated) |
|
protoPayload.metadata.backupStartTime |
additional.fields[backup_start_time] |
|
protoPayload.request.objects.db |
about.labels[database_name] |
|
jsonPayload.executionState |
target.resource.attribute.labels[execution_state] |
|
protoPayload.request.body.failoverContext.kind |
about.labels[fail_over_context_kind] (deprecated) |
|
protoPayload.request.body.failoverContext.kind |
additional.fields[fail_over_context_kind] |
|
protoPayload.request.body.failoverContext.settingsVersion |
about.labels[fail_over_context_settings_version] (deprecated) |
|
protoPayload.request.body.failoverContext.settingsVersion |
additional.fields[fail_over_context_settings_version] |
|
protoPayload.request.filter |
about.labels[filter] (deprecated) |
|
protoPayload.request.filter |
additional.fields[filter] |
|
labels.instance_id |
about.labels[instance_id] (deprecated) |
|
labels.instance_id |
additional.fields[instance_id] |
|
labels.INSTANCE_UID |
about.labels[instance_uid] (deprecated) |
|
labels.INSTANCE_UID |
additional.fields[instance_uid] |
|
protoPayload.metadata.intents.intent |
about.labels[intent] |
|
resource.labels.job_id |
target.resource.product_object_id |
|
jsonPayload.jobName |
target.resource.name |
|
jsonPayload.@type |
about.labels[jsonPayload_at_type] (deprecated) |
|
jsonPayload.@type |
additional.fields[jsonPayload_at_type] |
|
labels.LOG_BUCKET_NUM |
about.labels[log_bucket_num] (deprecated) |
|
labels.LOG_BUCKET_NUM |
additional.fields[log_bucket_num] |
|
protoPayload.metadata.@type |
about.labels[metadata_at_type] (deprecated) |
|
protoPayload.metadata.@type |
additional.fields[metadata_at_type] |
|
resource.labels.method |
about.labels[method] (deprecated) |
|
resource.labels.method |
additional.fields[method] |
|
protoPayload.request.objects.name |
about.labels[objects_name] |
|
operation.first |
about.labels[operation_first] (deprecated) |
|
operation.first |
additional.fields[operation_first] |
|
operation.id |
about.labels[operation_id] (deprecated) |
|
operation.id |
additional.fields[operation_id] |
|
operation.last |
about.labels[operation_last] (deprecated) |
|
operation.last |
additional.fields[operation_last] |
|
operation.producer |
about.labels[operation_producer] (deprecated) |
|
operation.producer |
additional.fields[operation_producer] |
|
protoPayload.@type |
about.labels[protopayload_at_type] (deprecated) |
|
protoPayload.@type |
additional.fields[protopayload_at_type] |
|
protoPayload.metadata.intents.diffs.newValue |
about.labels[protoPayload.metadata.intents.diffs.property] |
|
protoPayload.response.kind |
about.labels[res_kind] (deprecated) |
|
protoPayload.response.kind |
additional.fields[res_kind] |
|
protoPayload.response.operationType |
about.labels[res_operation_type] (deprecated) |
|
protoPayload.response.operationType |
additional.fields[res_operation_type] |
|
protoPayload.response.@type |
about.labels[response_type] (deprecated) |
|
protoPayload.response.@type |
additional.fields[response_type] |
|
jsonPayload.resultState |
target.resource.attribute.labels[result_state] |
|
jsonPayload.scheduledTime |
target.resource.attribute.labels[scheduled_time] |
|
jsonPayload.status |
target.resource.attribute.labels[status] |
|
jsonPayload.targetType |
target.resource.attribute.labels[target_type] |
|
jsonPayload.trace_id |
about.labels[trace_id] (deprecated) |
|
jsonPayload.trace_id |
additional.fields[trace_id] |
|
trace |
about.labels[trace] (deprecated) |
|
trace |
additional.fields[trace] |
|
jsonPayload.urlsCrawledCount |
target.resource.attribute.labels[urls_crwaled_count] |
|
protoPayload.metadata.windowEndTime |
about.labels[window_end_time] (deprecated) |
|
protoPayload.metadata.windowEndTime |
additional.fields[window_end_time] |
|
protoPayload.metadata.windowStartTime |
about.labels[window_start_time] (deprecated) |
|
protoPayload.metadata.windowStartTime |
additional.fields[window_start_time] |
|
protoPayload.metadata.windowStatus |
about.labels[window_status] (deprecated) |
|
protoPayload.metadata.windowStatus |
additional.fields[window_status] |
|
protoPayload.response.selfLink |
about.url |
|
receiveTimestamp |
metadata.collected_timestamp |
|
protoPayload.response.operationType |
metadata.description |
|
protoPayload.response.kind |
metadata.description |
|
protoPayload.metadata.message |
metadata.description |
|
|
metadata.description |
Extracted log_message from textPayload log field using the Grok pattern, and the log_message extracted field is mapped to the metadata.descriptiom UDM field. |
timestamp |
metadata.event_timestamp |
|
jsonPayload.event_timestamp_us |
metadata.event_timestamp |
|
protoPayload.metadata.projectMetadataDelta.addedMetadataKeys |
metadata.ingestion_labels[project_metadata_keys_added] |
|
protoPayload.metadata.projectMetadataDelta.deletedMetadataKeys |
metadata.ingestion_labels[project_metadata_keys_deleted] |
|
protoPayload.metadata.instanceMetadataDelta.addedMetadataKeys |
metadata.ingestion_labels[instance_metadata_key_added] |
|
protoPayload.metadata.instanceMetadataDelta.deletedMetadataKeys |
metadata.ingestion_labels[instance_metadata_key_deleted] |
|
protoPayload.metadata.instanceMetadataDelta.modifiedMetadataKeys |
metadata.ingestion_labels[instance_metadata_key_modified] |
|
protoPayload.metadata.projectMetadataDelta.modifiedMetadataKeys |
metadata.ingestion_labels[project_metadata_keys_modified] |
|
protoPayload.methodName |
metadata.product_event_type |
|
jsonPayload.event_subtype |
metadata.product_event_type |
|
jsonPayload._AUDIT_TYPE_NAME |
metadata.product_event_type |
|
insertId |
metadata.product_log_id |
|
|
metadata.product_name |
If the protoPayload.serviceName log field value matches the regular expression (compute.googleapis.com), then the metadata.product_name UDM field is set to Google Compute Engine.Else, if the protoPayload.serviceName log field value matches the regular expression (bigquery.googleapis.com), then the metadata.product_name UDM field is set to BigQuery.Else, if the protoPayload.serviceName log field value matches the regular expression (admin.googleapis.com or login.googleapis.com or cloudidentity.googleapis.com), then the metadata.product_name UDM field is set to G Suite.Else, if the protoPayload.serviceName log field value matches the regular expression (k8s.io), then the metadata.product_name UDM field is set to Google Kubernetes Engine.Else, if the protoPayload.serviceName log field value matches the regular expression (servicemanagement.googleapis.com), then the metadata.product_name UDM field is set to Google Service Management.Else, if the protoPayload.serviceName log field value matches the regular expression (storage.googleapis.com), then the metadata.product_name UDM field is set to Google Cloud Storage.Else, if the protoPayload.serviceName log field value matches the regular expression (cloudsql.googleapis.com), then the metadata.product_name UDM field is set to Google Cloud SQL.Else, if the protoPayload.serviceName log field value matches the regular expression (dataproc.googleapis.com), then the metadata.product_name UDM field is set to Google Dataproc.Else, if the protoPayload.serviceName log field value matches the regular expression (iam.googleapis.com), then the metadata.product_name UDM field is set to Google Cloud IAM.Else, if the protoPayload.serviceName log field value matches the regular expression (accesscontextmanager.googleapis.com), then the metadata.product_name UDM field is set to Context Manager API.Else, if the protoPayload.serviceName log field value matches the regular expression (storage.googleapis.com), then if the message log field value matches the regular expression dns.googleapis.com then the metadata.product_name UDM field is set to Google Cloud DNS.Else the metadata.product_name UDM field is set to Google Cloud Platform.If the resource.type log field value matches the regular expression gce_instance, then the metadata.product_name UDM field is set to GCP Compute Engine. |
|
metadata.vendor_name |
The metadata.vendor_name UDM field is set to Google Cloud Platform. |
protoPayload.metadata.request_id |
network.community_id |
|
protoPayload.request.direction |
network.direction |
If the protoPayload.request.direction log field value is equal to INGRESS, then the network.direction UDM field is set to INBOUND.Else, if the protoPayload.request.direction log field value is equal to EGRESS, then the network.direction UDM field is set to OUTBOUND. |
protoPayload.resourceOriginalState.direction |
network.direction |
If the protoPayload.resourceOriginalState.direction log field value is equal to INGRESS, then the network.direction UDM field is set to INBOUND.Else, if the protoPayload.resourceOriginalState.direction log field value is equal to EGRESS, then the network.direction UDM field is set to OUTBOUND. |
httpRequest.requestMethod |
network.http.method |
|
httpRequest.requestUrl |
network.http.referral_url |
|
protoPayload.resourceOriginalState.network |
network.http.referral_url |
|
httpRequest.status |
network.http.response_code |
|
protoPayload.response.code |
network.http.response_code |
|
protoPayload.status.code |
network.http.response_code |
If the protoPayload.status.code log field value is equal to 0, then the network.http.response_code UDM field is set to 200.Else, if the protoPayload.status.code log field value is equal to 1, then the network.http.response_code UDM field is set to 499.Else, if the protoPayload.status.code log field value contains one of the following values, then the network.http.response_code UDM field is set to 500.
protoPayload.status.code log field value contains one of the following values, then the network.http.response_code UDM field is set to 400.
protoPayload.status.code log field value is equal to 4, then the network.http.response_code UDM field is set to 504.Else, if the protoPayload.status.code log field value is equal to 5, then the network.http.response_code UDM field is set to 404.Else, if the protoPayload.status.code log field value contains one of the following values, then the network.http.response_code UDM field is set to 409.
protoPayload.status.code log field value is equal to 7, then the network.http.response_code UDM field is set to 403.Else, if the protoPayload.status.code log field value is equal to 8, then the network.http.response_code UDM field is set to 429.Else, if the protoPayload.status.code log field value is equal to 12, then the network.http.response_code UDM field is set to 501.Else, if the protoPayload.status.code log field value is equal to 14, then the network.http.response_code UDM field is set to 503.Else, if the protoPayload.status.code log field value is equal to 16, then the network.http.response_code UDM field is set to 401. |
httpRequest.userAgent |
network.http.user_agent |
|
protoPayload.requestMetadata.callerSuppliedUserAgent |
network.http.user_agent |
|
jsonPayload.connection.protocol |
network.ip_protocol |
|
jsonPayload.current.ports.0.protocol |
network.ip_protocol |
|
httpRequest.responseSize |
network.received_bytes |
|
httpRequest.requestSize |
network.sent_bytes |
|
|
network.session_duration |
The log_message field is extracted from textPayload log field using Grok pattern,
|
protoPayload.response.clientCert.certInfo.expirationTime |
network.tls.client.certificate.not_after |
|
protoPayload.response.clientCert.certInfo.createTime |
network.tls.client.certificate.not_before |
|
protoPayload.response.clientCert.certInfo.certSerialNumber |
network.tls.client.certificate.serial |
|
protoPayload.request.sha1Fingerprint |
network.tls.client.certificate.sha1 |
|
protoPayload.response.clientCert.certInfo.sha1Fingerprint |
network.tls.client.certificate.sha1 |
|
protoPayload.response.clientCert.certInfo.commonName |
network.tls.client.certificate.subject |
|
protoPayload.response.serverCaCert.expirationTime |
network.tls.server.certificate.not_after |
|
protoPayload.response.serverCaCert.createTime |
network.tls.server.certificate.not_before |
|
protoPayload.response.serverCaCert.certSerialNumber |
network.tls.server.certificate.serial |
|
protoPayload.response.serverCaCert.sha1Fingerprint |
network.tls.server.certificate.sha1 |
|
protoPayload.response.serverCaCert.commonName |
network.tls.server.certificate.subject |
|
jsonPayload.queryName |
principal.domain.name |
|
jsonPayload._HOSTNAME |
principal.hostname |
|
|
principal.ip |
If the logName log field value matches the regular expression pattern mysql-general, then the src_ip field is extracted from textPayload log field using Grok pattern, and the src_ip field is mapped to the principal.ip UDM field. |
protoPayload.requestMetadata.callerIp |
principal.ip |
|
httpRequest.serverIp |
principal.ip |
|
jsonPayload.current.clusterIPs |
principal.ip |
|
protoPayload.requestMetadata.requestAttributes.reason |
principal.labels[request_attributes_reason] (deprecated) |
|
protoPayload.requestMetadata.requestAttributes.reason |
additional.fields[request_attributes_reason] |
|
|
|
principal.labels[protoPayload.redactions.field] |
The value of the UDM field principal.labels.value is determined by combining the values of the log fields protoPayload.redactions.reason and protoPayload.redactions.type, which are separated by a : delimiter. |
protoPayload.request.policy.bindings.members |
principal.labels[req_bindings_members] |
|
protoPayload.request.requestId |
principal.labels[request_id] (deprecated) |
|
protoPayload.request.requestId |
additional.fields[request_id] |
|
protoPayload.requestMetadata.requestAttributes.time |
principal.labels[request_attributes_time] (deprecated) |
|
protoPayload.requestMetadata.requestAttributes.time |
additional.fields[request_attributes_time] |
|
jsonPayload.sourceNetwork |
principal.labels[source_network] (deprecated) |
|
jsonPayload.sourceNetwork |
additional.fields[source_network] |
|
protoPayload.request.metadata.namespace |
principal.namespace |
|
jsonPayload.connection.nat_port |
principal.nat_port |
|
jsonPayload.connection.src_port |
principal.port |
|
jsonPayload.current.ports.0.port |
principal.port |
|
|
principal.process.command_line |
If the logName log field value matches the regular expression pattern mysql-general, then the command field is extracted from textPayload log field using Grok pattern, and the command field is mapped to the principal.process.command_line UDM field. |
|
principal.process.pid |
The process_id field is extracted from textPayload log field using Grok pattern, and the process_id field is mapped to the principal.process.pid UDM field. |
protoPayload.request.properties.disks.0.type |
principal.resource.attribute.labels[disks_type] |
|
protoPayload.request.properties.disks.0.initializeParams.diskSizeGb |
principal.resource.attribute.labels[disk_size_gb] |
|
protoPayload.request.properties.disks.0.initializeParams.diskType |
principal.resource.attribute.labels[disk_type] |
|
protoPayload.request.properties.disks.0.initializeParams.guestOsFeatures.0.type |
principal.resource.attribute.labels[guest_os_features_type] |
|
protoPayload.request.properties.disks.0.initializeParams.labels.0.key |
principal.resource.attribute.labels[protoPayload.request.properties.disks.0.initializeParams.labels.0.key] |
|
protoPayload.request.properties.disks.0.initializeParams.labels.0.value |
principal.resource.attribute.labels[protoPayload.request.properties.disks.0.initializeParams.labels.0.key] |
|
protoPayload.request.properties.disks.0.initializeParams.sourceImage |
principal.resource.attribute.labels[source_image] |
|
protoPayload.resourceName |
principal.resource.name |
If the protoPayload.methodName log field value is equal to cloudsql.instances.clone, then the protoPayload.resourceName log field is mapped to the principal.resource.name UDM field. |
protoPayload.resourceOriginalState.name |
principal.resource.name |
|
protoPayload.authorizationInfo.authorizationLoggingOptions.permissionType |
principal.user.attribute.permissions.type |
|
protoPayload.metadata.membershipDelta.roleDeltas.action |
principal.user.attribute.roles.description |
|
protoPayload.serviceData.policyDelta.bindingDeltas.action |
principal.user.attribute.roles.description |
|
protoPayload.metadata.event.eventType |
principal.user.attribute.roles.description |
If the protoPayload.methodName log field value matches the regular expression pattern adminservice.(addgroupmember or updategroupmember or suspenduser or assignrole or unassignrole), then if the protoPayload.metadata.event.eventName log field value matches the regular expression pattern ASSIGN_ROLE, then the protoPayload.metadata.event.eventType log field is mapped to the principal.user.attribute.roles.description UDM field. |
protoPayload.metadata.event.parameter.2.name |
principal.user.attribute.roles.description |
If the protoPayload.methodName log field value matches the regular expression pattern adminservice.(addgroupmember or updategroupmember or suspenduser or assignrole or unassignrole), then if the protoPayload.metadata.event.eventName log field value matches the regular expression pattern UPDATE_GROUP_MEMBER, then the protoPayload.metadata.event.parameter.2.name log field is mapped to the principal.user.attribute.roles.description UDM field. |
protoPayload.metadata.event.parameter.3.name |
principal.user.attribute.roles.description |
If the protoPayload.methodName log field value matches the regular expression pattern adminservice.(addgroupmember or updategroupmember or suspenduser or assignrole or unassignrole), then if the protoPayload.metadata.event.eventName log field value matches the regular expression pattern UPDATE_GROUP_MEMBER, then the protoPayload.metadata.event.parameter.3.name log field is mapped to the principal.user.attribute.roles.description UDM field. |
protoPayload.metadata.membershipDelta.roleDeltas.role |
principal.user.attribute.roles.name |
|
protoPayload.serviceData.policyDelta.bindingDeltas.role |
principal.user.attribute.roles.name |
|
protoPayload.metadata.event.parameter.0.value |
principal.user.attribute.roles.name |
If the protoPayload.methodName log field value matches the regular expression pattern adminservice.(addgroupmember or updategroupmember or suspenduser or assignrole or unassignrole), then if the protoPayload.metadata.event.eventName log field value matches the regular expression pattern ASSIGN_ROLE, then the protoPayload.metadata.event.parameter.0.value log field is mapped to the principal.user.attribute.roles.name UDM field. |
protoPayload.metadata.event.parameter.2.value |
principal.user.attribute.roles.name |
If the protoPayload.methodName log field value matches the regular expression pattern adminservice.(addgroupmember or updategroupmember or suspenduser or assignrole or unassignrole), then if the protoPayload.metadata.event.eventName log field value matches the regular expression pattern UPDATE_GROUP_MEMBER, then the protoPayload.metadata.event.parameter.2.value log field is mapped to the principal.user.attribute.roles.name UDM field. |
protoPayload.metadata.event.parameter.3.value |
principal.user.attribute.roles.name |
If the protoPayload.methodName log field value matches the regular expression pattern adminservice.(addgroupmember or updategroupmember or suspenduser or assignrole or unassignrole), then if the protoPayload.metadata.event.eventName log field value matches the regular expression pattern UPDATE_GROUP_MEMBER, then the protoPayload.metadata.event.parameter.3.value log field is mapped to the principal.user.attribute.roles.name UDM field. |
jsonPayload.actor.user |
principal.user.email_addresses |
|
protoPayload.authenticationInfo.principalEmail |
principal.user.email_addresses |
|
protoPayload.authenticationInfo.serviceAccountDelegationInfo.firstPartyPrincipal.principalEmail |
principal.user.email_addresses |
|
protoPayload.authenticationInfo.principalEmail |
principal.user.userid |
If the protoPayload.authenticationInfo.principalEmail log field value matches the regular expression pattern .*@.*, then the user_id field is extracted from protoPayload.authenticationInfo.principalEmail log field using Grok pattern, and the user_id field is mapped to the principal.user.userid UDM field.Else, if the protoPayload.authenticationInfo.principalSubject log field value is not empty, then the userid field is extracted from protoPayload.authenticationInfo.principalSubject log field using Grok pattern, and the userid field is mapped to the principal.user.userid UDM field.Else, the protoPayload.authenticationInfo.principalEmail log field is mapped to the principal.user.userid UDM field. |
jsonPayload.actor.user |
principal.user.userid |
If the jsonPayload.actor.user log field value matches the regular expression pattern .*@.*, then the user_id field is extracted from jsonPayload.actor.user log field using Grok pattern, and the user_id field is mapped to the principal.user.userid UDM field.Else, the jsonPayload.actor.user log field is mapped to the principal.user.userid UDM field. |
protoPayload.authenticationInfo.principalSubject |
principal.user.userid |
|
principal.user.userid |
If the logName log field value matches the regular expression pattern postgres.log, then the userid field is extracted from textPayload log field using Grok pattern, and the userid log field is mapped to the principal.user.userid UDM field.If the logName log field value matches the regular expression pattern mysql-general, then the user_id field is extracted from textPayload log field using Grok pattern, and the user_id field is mapped to the principal.user.userid UDM field. |
|
labels.pod-security.kubernetes.io/enforce-policy |
security_result.about.resource.attribute.labels[labels_enforce_policy] |
|
labels.mutation.webhook.admission.k8s.io/round_0_index_0 |
security_result.about.resource.attribute.labels[labels_round_0_index_0] |
|
labels.authorization.k8s.io/decision |
security_result.action |
|
logName |
security_result.category_details |
|
protoPayload.request.status |
security_result.description |
|
protoPayload.status.message |
security_result.description |
|
labels.authorization.k8s.io/reason |
security_result.description |
|
textPayload |
security_result.description |
If the resource.type log field value is equal to cloud_function, then the textPayload log field is mapped to the security_result.description UDM field. |
security_result.description |
If the logName log field value matches the regular expression pattern mysql.err, then the error_description field is extracted from textPayload log field using Grok pattern, and the error_description field is mapped to the security_result.description UDM field. |
|
protoPayload.serviceData.policyDelta.auditConfigDeltas.action |
security_result.detection_fields[action] |
|
protoPayload.request.cryptoKey.versionTemplate.algorithm |
security_result.detection_fields[algorithm] |
|
protoPayload.request.alloweds.IPProtocol |
security_result.detection_fields[allowed_ipprotocol] |
|
protoPayload.request.alloweds.ports |
security_result.detection_fields[allowed_ports] |
|
protoPayload.response.details.0.@type |
security_result.detection_fields[details_type] |
|
protoPayload.request.cryptoKey.nextRotationTime |
security_result.detection_fields[next_rotation_time] |
|
protoPayload.request.cryptoKey.versionTemplate.protectionLevel |
security_result.detection_fields[protection_level] |
|
protoPayload.request.cryptoKey.purpose |
security_result.detection_fields[purpose] |
|
protoPayload.authorizationInfo.resource |
security_result.detection_fields[resource] |
|
protoPayload.resourceOriginalState.direction |
security_result.detection_fields[resource_original_state_direction] |
|
protoPayload.resourceOriginalState.logConfig.enable |
security_result.detection_fields[resource_original_state_log_config_enable] |
|
protoPayload.request.cryptoKey.rotationPeriod |
security_result.detection_fields[rotation_period] |
|
protoPayload.serviceData.policyDelta.auditConfigDeltas.service |
security_result.detection_fields[service] |
|
protoPayload.response.details.0.violations.0.subject |
security_result.detection_fields[violation_subject] |
|
protoPayload.response.details.0.violations.0.type |
security_result.detection_fields[violation_type] |
|
protoPayload.metadata.dryRun |
security_result.rule_type |
|
severity |
security_result.severity |
If the severity log field value is equal to CRITICAL, then the security_result.severity UDM field is set to CRITICAL.Else, if the severity log field value is equal to ERROR, then the security_result.severity UDM field is set to ERROR.Else, if the severity log field value contains one of the following values, then the security_result.severity UDM field is set to HIGH.
severity log field value contains one of the following values, then the security_result.severity UDM field is set to INFORMATIONAL.
severity log field value is equal to DEBUG, then the security_result.severity UDM field is set to LOW.Else, if the severity log field value is equal to WARNING, then the security_result.severity UDM field is set to MEDIUM. |
protoPayload.request.description |
security_result.summary |
|
protoPayload.response.message |
security_result.summary |
|
jsonPayload.summary |
security_result.summary |
|
protoPayload.serviceName |
target.application |
If the logName log field value matches the regular expression pattern postgres.log, then the log_message field is extracted from textPayload log field using Grok pattern, and if the log_message field value matches the regular expression pattern connection authorized, then the app_name field is extracted from log_message log field using Grok pattern, and the app_name log field is mapped to the target.application UDM field.Else, the protoPayload.serviceName log field is mapped to the target.application UDM field. |
protoPayload.metadata.device_id |
target.asset.asset_id |
|
jsonPayload._MACHINE_ID |
target.asset.asset_id |
|
protoPayload.request.instances.instance |
target.asset.product_object_id |
|
resource.labels.project_id |
target.cloud.project.name |
|
protoPayload.request.spec.containers.0.image |
target.file.full_path |
|
sourceLocation.function |
target.file.full_path |
|
protoPayload.metadata.event.parameter.1.value |
target.group.email_addresses |
If the protoPayload.methodName log field value matches the regular expression pattern adminservice.(addgroupmember or updategroupmember or suspenduser or assignrole or unassignrole), then if the protoPayload.metadata.event.eventName log field value matches the regular expression pattern ADD_GROUP_MEMBER or UPDATE_GROUP_MEMBER, then if the protoPayload.metadata.event.parameter.1 log field value is equal to GROUP_EMAIL, then the protoPayload.metadata.event.parameter.1.value log field is mapped to the target.group.email_addresses UDM field.Else, the protoPayload.metadata.event.parameter.1.value log field is mapped to the target.group.product_object_id UDM field. |
protoPayload.metadata.group |
target.group.email_addresses |
|
protoPayload.metadata.event.parameter.1.name |
target.group.group_display_name |
If the protoPayload.methodName log field value matches the regular expression pattern adminservice.(addgroupmember or updategroupmember or suspenduser or assignrole or unassignrole), then if the protoPayload.metadata.event.eventName log field value matches the regular expression pattern ADD_GROUP_MEMBER or UPDATE_GROUP_MEMBER, then the protoPayload.metadata.event.parameter.1.name log field is mapped to the target.group.group_display_name UDM field. |
protoPayload.metadata.event.parameter.1.value |
target.group.product_object_id |
If the protoPayload.methodName log field value matches the regular expression pattern adminservice.(addgroupmember or updategroupmember or suspenduser or assignrole or unassignrole), then if the protoPayload.metadata.event.eventName log field value matches the regular expression pattern ADD_GROUP_MEMBER or UPDATE_GROUP_MEMBER, then if the protoPayload.metadata.event.parameter.1 log field valuename log field value is equal to GROUP_EMAIL, then the protoPayload.metadata.event.parameter.1.value log field is mapped to the target.group.email_addresses UDM field.Else, the protoPayload.metadata.event.parameter.1.value log field is mapped to the target.group.product_object_id UDM field. |
protoPayload.requestMetadata.requestAttributes.host |
target.hostname |
The log_message field is extracted from textPayload log field using Grok pattern, if the log_message field value matches the regular expression pattern disconnection, then the host field is extracted from log_message log field using Grok pattern, and the host log field is mapped to the target.hostname UDM field. |
httpRequest.remoteIp |
target.ip |
|
protoPayload.request.ip |
target.ip |
|
protoPayload.response.targetId |
target.labels[target_id] (deprecated) |
|
protoPayload.response.targetId |
additional.fields[target_id] |
|
|
|
target.location.country_or_region |
If the protoPayload.request.body.region log field value is not empty, then the protoPayload.request.body.region log field is mapped to the target.location.country_or_region UDM field.Else, if the resource.labels.region log field value is not empty, then the resource.labels.region log field is mapped to the target.location.country_or_region UDM field.Else, if the protoPayload.resourceLocation.currentLocations.0 log field value is not empty, then the protoPayload.resourceLocation.currentLocations.0 log field is mapped to the target.location.country_or_region UDM field. |
resource.labels.location |
target.location.name |
|
jsonPayload.connection.dest_port |
target.port |
The log_message field is extracted from textPayload log field using Grok pattern. If the log_message field value matches the regular expression pattern disconnection, then the port field is extracted from log_message log field using Grok pattern, and the port field is mapped to the target.port UDM field. |
protoPayload.request.query |
target.process.command_line |
|
protoPayload.request.spec.containers.0.command.0 |
target.process.command_line |
|
resource.labels.project_id |
target.resource_ancestors.name |
|
protoPayload.response.targetProject |
target.resource_ancestors.name |
|
protoPayload.request.parent |
target.resource_ancestors.name |
|
protoPayload.authorizationInfo.resourceAttributes.name |
target.resource_ancestors.name |
|
protoPayload.response.instanceUid |
target.resource_ancestors.product_object_id |
|
protoPayload.authorizationInfo.0.resourceAttributes.type |
target.resource_ancestors.resource_subtype |
|
|
target.resource_ancestors.resource_type |
If the resource.labels.project_id log field value is not empty, then the target.resource_ancestors.resource_type UDM field is set to CLOUD_PROJECT. |
jsonPayload.resource.zone |
target.resource.attribute.cloud.availability_zone |
|
resource.labels.zone |
target.resource.attribute.cloud.availability_zone |
|
protoPayload.response.insertTime |
target.resource.attribute.creation_time |
|
protoPayload.requestMetadata.requestAttributes.auth.accessLevels |
target.resource.attribute.labels[access_level] |
|
labels.agent_version |
target.resource.attribute.labels[agent_version] |
|
protoPayload.request.date |
target.resource.attribute.labels[audit_event_occurred] |
|
protoPayload.request.auditId |
target.resource.attribute.labels[audit_id] |
|
protoPayload.authorizationInfo.granted |
target.resource.attribute.labels[authorization_granted] |
|
protoPayload.authorizationInfo.resourceAttributes.service |
target.resource.attribute.labels[authorization_info_resource_service] |
|
protoPayload.request.autoscalingPolicy.mode |
target.resource.attribute.labels[autoscaling_policy_mode] |
|
resource.labels.backend_service_id |
target.resource.attribute.labels[backend_service_id] |
|
resource.labels.backend_service_name |
target.resource.attribute.labels[backend_service_name] |
|
protoPayload.request.body.backendType |
target.resource.attribute.labels[backend_type] |
|
protoPayload.response.backupContext.kind |
target.resource.attribute.labels[backup_context_kind] |
|
protoPayload.response.backupContext.backupId |
target.resource.attribute.labels[backup_id] |
|
resource.labels.bucket_name |
target.resource.attribute.labels[bucket_name] |
|
protoPayload.response.clientCert.certInfo.instance |
target.resource.attribute.labels[client_cert_instance] |
|
protoPayload.response.clientCert.certInfo.kind |
target.resource.attribute.labels[client_cert_kind] |
|
protoPayload.response.clientCert.certInfo.selfLink |
target.resource.attribute.labels[client_cert_self_link] |
|
resource.labels.cluster_name |
target.resource.attribute.labels[cluster_name] |
|
protoPayload.request.body.commonName |
target.resource.attribute.labels[common_name] |
|
protoPayload.request.autoscalingPolicy.coolDownPeriodSec |
target.resource.attribute.labels[cool_down_period] |
|
protoPayload.request.body.databaseVersion |
target.resource.attribute.labels[database_version] |
|
protoPayload.request.database |
target.resource.attribute.labels[database] |
|
protoPayload.request.denieds.0.IPProtocol |
target.resource.attribute.labels[Denied Protocol] |
|
protoPayload.request.destinationRanges |
target.resource.attribute.labels[destination_ranges] |
|
protoPayload.request.direction |
target.resource.attribute.labels[direction] |
|
protoPayload.request.spec.dnsPolicy |
target.resource.attribute.labels[dns_policy] |
|
resource.labels.email_id |
target.resource.attribute.labels[email_id] |
|
protoPayload.request.properties.confidentialInstanceConfig.enableConfidentialCompute |
target.resource.attribute.labels[enable_confidential_compute] |
|
labels.execution_id |
target.resource.attribute.labels[execution_id] |
|
protoPayload.request.body.exportContext.databases |
target.resource.attribute.labels[export_context_databases] |
|
protoPayload.request.body.exportContext.fileType |
target.resource.attribute.labels[export_context_file_type] |
|
protoPayload.request.body.exportContext.kind |
target.resource.attribute.labels[export_context_kind] |
|
protoPayload.request.body.exportContext.offload |
target.resource.attribute.labels[export_context_offload] |
|
resource.labels.forwarding_rule_name |
target.resource.attribute.labels[forwarding_rule_name] |
|
protoPayload.request.function.entryPoint |
target.resource.attribute.labels[function_entry_point] |
|
protoPayload.request.function.httpsTrigger.securityLevel |
target.resource.attribute.labels[function_httptrigger_security_level] |
|
protoPayload.request.function.runtime |
target.resource.attribute.labels[function_runtime] |
|
protoPayload.request.function.serviceAccountEmail |
target.resource.attribute.labels[function_service_account_email] |
|
protoPayload.request.function.sourceUploadUrl |
target.resource.attribute.labels[function_source_upload_url] |
|
protoPayload.request.function.timeout |
target.resource.attribute.labels[function_time_out] |
|
protoPayload.metadata.iapEnabled |
target.resource.attribute.labels[iapEnabled] |
|
protoPayload.request.spec.containers.0.imagePullPolicy |
target.resource.attribute.labels[imagePullPolicy] |
|
resource.labels.instance_group_manager_id |
target.resource.attribute.labels[instance_group_manager_id] |
|
resource.labels.instance_group_manager_name |
target.resource.attribute.labels[instance_group_manager_name] |
|
labels.instance_name |
target.resource.attribute.labels[instance_name] |
|
protoPayload.request.listManagedInstancesResults |
target.resource.attribute.labels[managed_instances_result] |
|
protoPayload.request.autoscalingPolicy.maxNumReplicas |
target.resource.attribute.labels[max_replicas] |
|
protoPayload.request.autoscalingPolicy.minNumReplicas |
target.resource.attribute.labels[min_replicas] |
|
protoPayload.request.msgType |
target.resource.attribute.labels[msg_type] |
|
protoPayload.request.spec.containers.0.name |
target.resource.attribute.labels[name] |
|
protoPayload.metadata.oauth_client_id |
target.resource.attribute.labels[oauth_client_id] |
|
protoPayload.response.operation.insertTime |
target.resource.attribute.labels[operation_insert_time] |
|
protoPayload.response.operation.instanceUid |
target.resource.attribute.labels[operation_instance_uid] |
|
protoPayload.response.operation.kind |
target.resource.attribute.labels[operation_kind] |
|
protoPayload.response.operation.name |
target.resource.attribute.labels[operation_name] |
|
protoPayload.response.operation.operationType |
target.resource.attribute.labels[operation_operation_type] |
|
protoPayload.response.operation.selfLink |
target.resource.attribute.labels[operation_self_link] |
|
protoPayload.response.operation.status |
target.resource.attribute.labels[operation_status] |
|
protoPayload.response.operation.targetId |
target.resource.attribute.labels[operation_target_id] |
|
protoPayload.response.operation.targetLink |
target.resource.attribute.labels[operation_target_link] |
|
protoPayload.response.operation.targetProject |
target.resource.attribute.labels[operation_target_project] |
|
protoPayload.response.operation.user |
target.resource.attribute.labels[operation_user] |
|
protoPayload.request.autoscalingPolicy.cpuUtilization.predictiveMethod |
target.resource.attribute.labels[predictive_method] |
|
protoPayload.request.labels.key |
target.resource.attribute.labels[protoPayload.request.labels.key] |
|
protoPayload.request.labels.value |
target.resource.attribute.labels[protoPayload.request.labels.value] |
|
protoPayload.request.queryId |
target.resource.attribute.labels[query_id] |
|
protoPayload.request.instance |
target.resource.attribute.labels[req_body_instance] |
|
protoPayload.request.maxResults |
target.resource.attribute.labels[req_body_max_results] |
|
protoPayload.request.body.name |
target.resource.attribute.labels[req_body_name] |
|
protoPayload.request.operation |
target.resource.attribute.labels[req_body_operation] |
|
protoPayload.request.body.project |
target.resource.attribute.labels[req_body_project] |
|
protoPayload.request.disabled |
target.resource.attribute.labels[req_disabled] |
|
protoPayload.request.logConfig.enable |
target.resource.attribute.labels[req_logconfig_enable] |
|
protoPayload.request.metadata.name |
target.resource.attribute.labels[req_metadata_name] |
|
protoPayload.request.name |
target.resource.attribute.labels[req_name] |
|
protoPayload.request.network |
target.resource.attribute.labels[req_network] |
|
protoPayload.request.apiVersion |
target.resource.attribute.labels[req_api_version] |
|
protoPayload.request.priority |
target.resource.attribute.labels[Request Priority] |
|
protoPayload.request.constraint |
target.resource.attribute.labels[request_constraint] |
|
protoPayload.request.policy.constraint |
target.resource.attribute.labels[request_policy_constraint] |
|
protoPayload.request.dataAccessed |
target.resource.attribute.labels[request_data_accessed] |
|
protoPayload.request.function.labels.deployment-tool |
target.resource.attribute.labels[request_deployment_tool] |
|
protoPayload.request.properties.description |
target.resource.attribute.labels[request_description] |
|
protoPayload.request.endTime |
target.resource.attribute.labels[request_end_time] |
|
protoPayload.request.policy.booleanPolicy.enforced |
target.resource.attribute.labels[request_enforce_policy] |
|
protoPayload.request.function.name |
target.resource.attribute.labels[request_function_name] |
|
protoPayload.request.kind |
target.resource.attribute.labels[request_kind] |
|
protoPayload.request.project |
target.resource.attribute.labels[request_project] |
|
protoPayload.request.location |
target.resource.attribute.labels[request_location] |
|
protoPayload.request.pageToken |
target.resource.attribute.labels[request_page_token] |
|
protoPayload.request.projectId |
target.resource.attribute.labels[request_projectid] |
|
protoPayload.request.startTime |
target.resource.attribute.labels[request_start_time] |
|
protoPayload.request.@type |
target.resource.attribute.labels[request_type] |
|
protoPayload.response.name |
target.resource.attribute.labels[res_name] |
|
protoPayload.response.status.conditions.message |
target.resource.attribute.labels[res_status_conditions_message] |
|
protoPayload.response.zone |
target.resource.attribute.labels[res_zone] |
|
resource.labels.service |
target.resource.attribute.labels[resource_service] |
|
protoPayload.response.booleanPolicy.enforced |
target.resource.attribute.labels[response_enforce_policy] |
|
resource.labels.scan_config |
target.resource.attribute.labels[scan_config] |
|
protoPayload.response.serverCaCert.instance |
target.resource.attribute.labels[server_ca_cert_instance] |
|
protoPayload.response.serverCaCert.kind |
target.resource.attribute.labels[server_ca_cert_kind] |
|
protoPayload.response.serverCaCert.selfLink |
target.resource.attribute.labels[server_ca_cert_self_link] |
|
protoPayload.request.properties.serviceAccounts.scopes |
security_result.detection_fields[service_account_scope] |
|
protoPayload.request.serviceAccounts.scopes |
security_result.detection_fields[service_account_scope] |
|
protoPayload.request.body.settings.activationPolicy |
target.resource.attribute.labels[settings_activation_policy] |
|
protoPayload.request.body.settings.activeDirectoryConfig.domain |
target.resource.attribute.labels[settings_active_directory_config_domain] |
|
protoPayload.request.body.settings.activeDirectoryConfig.kind |
target.resource.attribute.labels[settings_active_directory_config_kind] |
|
protoPayload.request.body.settings.authorizedGaeApplications |
target.resource.attribute.labels[settings_authorized_gae_applications] |
|
protoPayload.request.body.settings.availabilityType |
target.resource.attribute.labels[settings_availability_type] |
|
protoPayload.request.body.settings.backupConfiguration.backupRetentionSettings.retainedBackups |
target.resource.attribute.labels[settings_backup_conf_backup_retention_settings_retained_backups] |
|
protoPayload.request.body.settings.backupConfiguration.backupRetentionSettings.retentionUnit |
target.resource.attribute.labels[settings_backup_conf_backup_retention_settings_retention_unit] |
|
protoPayload.request.body.settings.backupConfiguration.binaryLogEnabled |
target.resource.attribute.labels[settings_backup_conf_binary_log_enabled] |
|
protoPayload.request.body.settings.backupConfiguration.enabled |
target.resource.attribute.labels[settings_backup_conf_enabled] |
|
protoPayload.request.body.settings.backupConfiguration.kind |
target.resource.attribute.labels[settings_backup_conf_kind] |
|
protoPayload.request.body.settings.backupConfiguration.location |
target.resource.attribute.labels[settings_backup_conf_location] |
|
protoPayload.request.body.settings.backupConfiguration.pointInTimeRecoveryEnabled |
target.resource.attribute.labels[settings_backup_conf_point_in_time_recovery_enabled] |
|
protoPayload.request.body.settings.backupConfiguration.replicationLogArchivingEnabled |
target.resource.attribute.labels[settings_backup_conf_replication_log_archiving_enabled] |
|
protoPayload.request.body.settings.backupConfiguration.startTime |
target.resource.attribute.labels[settings_backup_conf_start_time] |
|
protoPayload.request.body.settings.backupConfiguration.transactionLogRetentionDays |
target.resource.attribute.labels[settings_backup_conf_transaction_log_retention_days] |
|
protoPayload.request.body.settings.collation |
target.resource.attribute.labels[settings_collation] |
|
protoPayload.request.body.settings.connectorEnforcement |
target.resource.attribute.labels[settings_connector_enforcement] |
|
protoPayload.request.body.settings.crashSafeReplicationEnabled |
target.resource.attribute.labels[settings_crash_safe_replication_enabled] |
|
protoPayload.request.body.settings.dataDiskSizeGb |
target.resource.attribute.labels[settings_data_disk_size_gb] |
|
protoPayload.request.body.settings.dataDiskType |
target.resource.attribute.labels[settings_data_disk_type] |
|
protoPayload.request.body.settings.databaseFlags.name |
target.resource.attribute.labels[settings_database_flags_name] |
|
protoPayload.request.body.settings.databaseFlags.value |
target.resource.attribute.labels[settings_database_flags_value] |
|
protoPayload.request.body.settings.databaseReplicationEnabled |
target.resource.attribute.labels[settings_database_replication_enabled] |
|
protoPayload.request.body.settings.deletionProtectionEnabled |
target.resource.attribute.labels[settings_deletion_protection_enabled] |
|
protoPayload.request.body.settings.denyMaintenancePeriods.endDate |
target.resource.attribute.labels[settings_deny_maintenance_periods_end_date] |
|
protoPayload.request.body.settings.denyMaintenancePeriods.startDate |
target.resource.attribute.labels[settings_deny_maintenance_periods_start_date] |
|
protoPayload.request.body.settings.denyMaintenancePeriods.time |
target.resource.attribute.labels[settings_deny_maintenance_periods_time] |
|
protoPayload.request.body.settings.insightsConfig.queryInsightsEnabled |
target.resource.attribute.labels[settings_insights_config_query_insights_enabled] |
|
protoPayload.request.body.settings.insightsConfig.queryPlansPerMinute |
target.resource.attribute.labels[settings_insights_config_query_plans_per_minute] |
|
protoPayload.request.body.settings.insightsConfig.queryStringLength |
target.resource.attribute.labels[settings_insights_config_query_string_length] |
|
protoPayload.request.body.settings.insightsConfig.recordApplicationTags |
target.resource.attribute.labels[settings_insights_config_record_application_tags] |
|
protoPayload.request.body.settings.insightsConfig.recordClientAddress |
target.resource.attribute.labels[settings_insights_config_record_client_address] |
|
protoPayload.request.body.settings.ipConfiguration.allocatedIpRange |
target.resource.attribute.labels[settings_ip_configuration_allocated_ip_range] |
|
protoPayload.request.body.settings.ipConfiguration.authorizedNetworks.expirationTime |
target.resource.attribute.labels[settings_ip_configuration_authorized_networks_expiration_time] |
|
protoPayload.request.body.settings.ipConfiguration.authorizedNetworks.kind |
target.resource.attribute.labels[settings_ip_configuration_authorized_networks_kind] |
|
protoPayload.request.body.settings.ipConfiguration.authorizedNetworks.name |
target.resource.attribute.labels[settings_ip_configuration_authorized_networks_name] |
|
protoPayload.request.body.settings.ipConfiguration.authorizedNetworks.value |
target.resource.attribute.labels[settings_ip_configuration_authorized_networks_value] |
|
protoPayload.request.body.settings.ipConfiguration.ipv4Enabled |
target.resource.attribute.labels[settings_ip_configuration_ipv4_enabled] |
|
protoPayload.request.body.settings.ipConfiguration.privateNetwork |
target.resource.attribute.labels[settings_ip_configuration_private_network] |
|
protoPayload.request.body.settings.ipConfiguration.requireSsl |
target.resource.attribute.labels[settings_ip_configuration_require_ssl] |
|
protoPayload.request.body.settings.kind |
target.resource.attribute.labels[settings_kind] |
|
protoPayload.request.body.settings.locationPreference.followGaeApplication |
target.resource.attribute.labels[settings_location_preference_follow_gae_application] |
|
protoPayload.request.body.settings.locationPreference.kind |
target.resource.attribute.labels[settings_location_preference_kind] |
|
protoPayload.request.body.settings.locationPreference.secondaryZone |
target.resource.attribute.labels[settings_location_preference_secondary_zone] |
|
protoPayload.request.body.settings.locationPreference.zone |
target.resource.attribute.labels[settings_location_preference_zone] |
|
protoPayload.request.body.settings.maintenanceWindow.day |
target.resource.attribute.labels[settings_maintenance_window_day] |
|
protoPayload.request.body.settings.maintenanceWindow.hour |
target.resource.attribute.labels[settings_maintenance_window_hour] |
|
protoPayload.request.body.settings.maintenanceWindow.kind |
target.resource.attribute.labels[settings_maintenance_window_kind] |
|
protoPayload.request.body.settings.maintenanceWindow.updateTrack |
target.resource.attribute.labels[settings_maintenance_window_update_track] |
|
protoPayload.request.body.settings.passwordValidationPolicy.complexity |
target.resource.attribute.labels[settings_password_validation_policy_complexity] |
|
protoPayload.request.body.settings.passwordValidationPolicy.disallowUsernameSubstring |
target.resource.attribute.labels[settings_password_validation_policy_disallow_username_substring] |
|
protoPayload.request.body.settings.passwordValidationPolicy.enablePasswordPolicy |
target.resource.attribute.labels[settings_password_validation_policy_enable_password_policy] |
|
protoPayload.request.body.settings.passwordValidationPolicy.minLength |
target.resource.attribute.labels[settings_password_validation_policy_min_length] |
|
protoPayload.request.body.settings.passwordValidationPolicy.passwordChangeInterval |
target.resource.attribute.labels[settings_password_validation_policy_password_change_interval] |
|
protoPayload.request.body.settings.passwordValidationPolicy.reuseInterval |
target.resource.attribute.labels[settings_password_validation_policy_reuse_interval] |
|
protoPayload.request.body.settings.pricingPlan |
target.resource.attribute.labels[settings_pricing_plan] |
|
protoPayload.request.body.settings.replicationType |
target.resource.attribute.labels[settings_replication_type] |
|
protoPayload.request.body.settings.sqlServerAuditConfig.bucket |
target.resource.attribute.labels[settings_sql_server_audit_config_bucket] |
|
protoPayload.request.body.settings.sqlServerAuditConfig.kind |
target.resource.attribute.labels[settings_sql_server_audit_config_kind] |
|
protoPayload.request.body.settings.sqlServerAuditConfig.retentionInterval |
target.resource.attribute.labels[settings_sql_server_audit_config_retention_interval] |
|
protoPayload.request.body.settings.sqlServerAuditConfig.uploadInterval |
target.resource.attribute.labels[settings_sql_server_audit_config_upload_interval] |
|
protoPayload.request.body.settings.settingsVersion |
target.resource.attribute.labels[settings_version] |
|
protoPayload.request.sourceRanges |
target.resource.attribute.labels[source_ranges] |
|
protoPayload.request.cmd |
target.resource.attribute.labels[sql_operation_type ] |
|
protoPayload.request.body.settings.storageAutoResizeLimit |
target.resource.attribute.labels[storage_auto_resize_limit] |
|
protoPayload.request.body.settings.storageAutoResize |
target.resource.attribute.labels[storage_auto_resize] |
|
resource.labels.target_proxy_name |
target.resource.attribute.labels[target_proxy_name] |
|
protoPayload.request.spec.containers.0.terminationMessagePath |
target.resource.attribute.labels[terminationMessagePath] |
|
protoPayload.request.spec.containers.0.terminationMessagePolicy |
target.resource.attribute.labels[terminationMessagePolicy] |
|
protoPayload.request.threadId |
target.resource.attribute.labels[thread_id] |
|
protoPayload.request.body.settings.tier |
target.resource.attribute.labels[tier] |
|
protoPayload.request.body.settings.timeZone |
target.resource.attribute.labels[time_zone] |
|
protoPayload.request.body.truncateLogContext.kind |
target.resource.attribute.labels[truncate_log_context_kind] |
|
protoPayload.request.body.truncateLogContext.logType |
target.resource.attribute.labels[truncate_log_context_log_type] |
|
protoPayload.metadata.unsatisfied_access_levels |
target.resource.attribute.labels[unsatisfied_access_levels] |
|
resource.labels.url_map_name |
target.resource.attribute.labels[url_map_name] |
|
protoPayload.request.body.settings.userLabels |
target.resource.attribute.labels[user_labels] |
|
protoPayload.request.autoscalingPolicy.cpuUtilization.utilizationTarget |
target.resource.attribute.labels[utilization_target] |
|
protoPayload.authorizationInfo.permission |
principal.user.attribute.permissions.name |
|
protoPayload.serviceData.policyDelta.auditConfigDeltas.logType |
target.resource.attribute.permissions.type |
The target.resource.attribute.permissions.name UDM field is set to logType. |
|
|
target.resource.name |
Extracted database_name from textPayload log field using Grok pattern, and the database_name field is mapped to the target.resource.name UDM field.If the protoPayload.methodName log field value is equal to cloudsql.instances.clone, then the protoPayload.request.body.cloneContext.destinationInstanceName log field is mapped to the target.resource.name UDM field.Else, if the logName log field value matches the regular expression pattern postgres.log, then the database_name log field is mapped to the target.resource.name UDM field.Else, if the logName log field value matches the regular expression pattern mysql-general, then the resource.labels.database_id log field is mapped to the target.resource.name UDM field.Else, if the resource.type log field value is equal to cloud_function and the target.resource.name log field value is empty, then the resource.labels.function_name log field is mapped to the target.resource.name UDM field.Else, if the resource.type log field value is equal to security_scanner_scan_config, then the jsonPayload.name log field is mapped to the target.resource.name UDM field.Else, if the resource_type log field value matches the regular expression pattern (project or organization) and the jsonPayload.@type log field value is equal to type.googleapis.com/google.cloud.audit.TransparencyLog, then the jsonPayload.accessApprovals.0 log field is mapped to the target.resource.name UDM field.Else, the protoPayload.resourceName log field is mapped to the target.resource.name UDM field.If the protoPayload.resourceName log field value matches the regular expression pattern snapshots, then the protoPayload.requestMetadata.callerNetwork log field is mapped to the target.resource.name UDM field.If the resource.type log field value matches the regular expression pattern gce_instance, then the //compute.googleapis.com/protoPayload.resourceName log field is mapped to the target.resource.name UDM field. |
|
|
target.resource.product_object_id |
If the resource.labels.unique_id log field value is not empty, then the resource.labels.unique_id log field is mapped to the target.resource.product_object_id UDM field.Else, if the resource.labels.unique_id log field value is empty, then the resource.labels.instance_id log field is mapped to the target.resource.product_object_id UDM field.If the request.@type log field value matches the regular expression pattern RetrieveSqlEventGroupsRequest, then the protoPayload.request.resourceId log field is mapped to the target.resource.product_object_id UDM field.If the resouce.type log field value matches the regular expression pattern cloud_scheduler_job, then the resource.labels.job_id log field is mapped to the target.resource.product_object_id UDM field.If the resouce.type log field value matches the regular expression pattern gce_instance, then the resource.labels.instance_id log field is mapped to the target.resource.product_object_id UDM field. |
protoPayload.request.body.instanceUid |
target.resource.product_object_id |
|
protoPayload.request.id |
target.resource.product_object_id |
|
|
|
target.resource.resource_subtype |
If the resource.type log field value is empty, then the protoPayload.request.body.instanceType log field is mapped to the target.resource.resource_subtype UDM field.Else, the resource.type log field is mapped to the target.resource.resource_subtype UDM field. |
jsonPayload.resource.type |
target.resource.resource_subtype |
|
|
target.resource.resource_type |
If the resource.type log field value matches the regular expression pattern gce_(firewall or forwarding_rule), then the target.resource.resource_type UDM field is set to FIREWALL_RULE.Else, if the resource.type log field value matches the regular expression pattern gce_(subnetwork or network), then the target.resource.resource_type UDM field is set to VPC_NETWORK.Else, if the resource.type log field value matches the regular expression pattern dataproc, then the target.resource.resource_type UDM field is set to CLUSTER.Else, if the resource.type log field value matches the regular expression pattern k8s or gke_, then the target.resource.resource_type UDM field is set to CLUSTER.Else, if the resource.type log field value is equal to gce_backend_service, then the target.resource.resource_type UDM field is set to BACKEND_SERVICE.Else, if the resource.type log field value matches the regular expression pattern (gce_ or dns_query), then the target.resource.resource_type UDM field is set to VIRTUAL_MACHINE.Else, if the resource.type log field value matches the regular expression pattern gcs_bucket, then the target.resource.resource_type UDM field is set to STORAGE_BUCKET.Else, if the resource.type log field value matches the regular expression pattern bigquery, then the target.resource.resource_type UDM field is set to DATABASE.Else, if the resource.type log field value matches the regular expression pattern cloudsql, then the target.resource.resource_type UDM field is set to DATABASE.Else, if the resource.type log field value matches the regular expression pattern service_account, then the target.resource.resource_type UDM field is set to SERVICE_ACCOUNT.Else, if the resource.type log field value matches the regular expression pattern project, then the target.resource.resource_type UDM field is set to CLOUD_PROJECT.Else, if the resource.type log field value matches the regular expression pattern organization, then the target.resource.resource_type UDM field is set to CLOUD_ORGANIZATION.Else, if the resource.type log field value matches the regular expression pattern cloud_function, then the target.resource.resource_type UDM field is set to FUNCTION. |
protoPayload.response.targetLink |
target.url |
|
protoPayload.request.httpRequest.url |
target.url |
|
protoPayload.request.body.exportContext.uri |
target.url |
|
jsonPayload.url |
target.url |
|
protoPayload.request.subjects.kind |
target.user.attribute.labels[subject_kind] |
|
protoPayload.request.subjects.name |
target.user.attribute.labels[subject_name] |
|
protoPayload.request.role.included_permissions |
target.user.attribute.permissions.name |
|
protoPayload.request.roleRef.kind |
target.user.attribute.roles.description |
|
protoPayload.request.policy.bindings.role |
target.user.attribute.roles.name |
|
protoPayload.request.roleRef.name |
target.user.attribute.roles.name |
|
|
target.user.attribute.roles.type |
If the protoPayload.request.roleRef.name log field value matches the regular expression pattern (?i)admin, then the target.user.attribute.roles.type UDM field is set to ADMINISTRATOR. |
protoPayload.request.properties.serviceAccounts.email |
target.user.email_addresses |
|
protoPayload.request.serviceAccounts.email |
target.user.email_addresses |
|
protoPayload.serviceData.policyDelta.bindingDeltas.member |
target.user.email_addresses |
|
protoPayload.serviceData.policyDelta.bindingDeltas.member |
target.user.userid |
|
protoPayload.response.user |
target.user.userid |
|
protoPayload.request.user |
target.user.userid |
|
|
|
target.user.userid |
If the protoPayload.methodName log field value matches the regular expression pattern adminservice.(addgroupmember or updategroupmember or suspenduser or assignrole or unassignrole), then if the protoPayload.metadata.event.eventName log field value matches the regular expression pattern ASSIGN_ROLE, then the protoPayload.metadata.event.parameter.1.value log field is mapped to the target.user.userid UDM field.Else, the protoPayload.metadata.event.parameter.0.value log field is mapped to the target.user.userid UDM field. |
protoPayload.metadata.membershipDelta.member |
target.user.userid |
|
protoPayload.request.spec.enableServiceLinks |
target.resource.attribute.labels[enableServiceLinks] |
|
protoPayload.request.spec.terminationGracePeriodSeconds |
target.resource.attribute.labels[protoPayload_request_spec_terminationGracePeriodSeconds] |
|
protoPayload.request.spec.restartPolicy |
target.resource.attribute.labels[restartPolicy] |
|
resource.labels.database_id |
target.resource.attribute.labels[database_id] |
If the logName log field value does not matches the regular expression pattern mysql-general, then the resource.labels.database_id log field is mapped to the target.resource.attribute.labels UDM field. |
protoPayload.request.spec.schedulerName |
target.resource.attribute.labels[schedulerName] |
|
protoPayload.request.body.instanceType |
target.resource.attribute.labels[instance_type] |
|
protoPayload.response.status |
|
|
jsonPayload.operation |
|
|
jsonPayload.MESSAGE |
|
The following fields have been extracted from the jsonPayload.MESSAGE log field using a KV filter and then associated with their respective UDM fields.
|
|
metadata.event_type |
If the protoPayload.methodName log field value matches the regular expression pattern loginservice.(login or govattackwarning or accountdisabled or accountdisabledspammingthroughrelay or suspiciouslogin or suspiciousloginlesssecureapp or suspiciousprogrammaticlogin) or the protoPayload.methodName log field value is equal to AuthorizeUser, then the metadata.event_type UDM field is set to USER_LOGIN.If the resource.type log field value contain one of the following values
textPayload log field value matches the regular expression pattern connection authorized|Logon , then the metadata.event_type UDM field is set to USER_LOGIN.Else, if the protoPayload.methodName log field value matches the regular expression pattern loginservice.logout, then the metadata.event_type UDM field is set to USER_LOGOUT.Else, if the protoPayload.methodName log field value matches the regular expression pattern adminservice.(changepassword), then the metadata.event_type UDM field is set to USER_CHANGE_PASSWORD.Else, if the protoPayload.methodName log field value matches the regular expression pattern adminservice.(create or add) or the protoPayload.methodName log field value matches the regular expression pattern accesscontextmanager.(create), the metadata.event_type UDM field is set to USER_RESOURCE_CREATION.Else, if the protoPayload.methodName log field value matches the regular expression pattern adminservice.(createaccess or enforce or systemdefinedruleupdated or changetwostepverificationfrequency or suspenduser or assignrole or unassignrole) or the protoPayload.methodName log field value matches the regular expression pattern (setiampolicy or checkinvitationrequired or setiampermissions or setorgpolicy), then the metadata.event_type UDM field is set to USER_RESOURCE_UPDATE_PERMISSIONS.Else, if the protoPayload.methodName log field value matches the regular expression pattern clustermanager.*.(setnodepoolmanagement or updatecomponentconfig) or the protoPayload.methodName log field value matches the regular expression pattern (instance.*).(set or reset or resize) or the protoPayload.methodName log field value matches the regular expression pattern attachcloudlink, then the metadata.event_type UDM field is set to USER_RESOURCE_UPDATE_CONTENT.Else, if the protoPayload.methodName log field value matches the regular expression pattern iam.admin.*(create or delete) or the protoPayload.methodName log field value matches the regular expression pattern jobservice.(cancel), then the metadata.event_type UDM field is set to USER_UNCATEGORIZED.Else, if the protoPayload.methodName log field value matches the regular expression pattern (adminservice or membershipsservice or accesscontextmanager or servicemanager or serviceusage or services or projects or clustermanager.*).(update or change or activate or deactivate or enable or disable or replace or set) or the protoPayload.methodName log field value matches the regular expression pattern update(brand or client) or the protoPayload.methodName log field value matches the regular expression pattern assignprojecttobillingaccount, then the metadata.event_type UDM field is set to USER_RESOURCE_UPDATE_CONTENT.Else, if the protoPayload.methodName log field value matches the regular expression pattern .*(delete or remove).* or the protoPayload.methodName log field value matches the regular expression pattern .*(compute.disks.delete.*), then the metadata.event_type UDM field is set to RESOURCE_DELETION.Else, if the protoPayload.methodName log field value matches the regular expression pattern .*(submit or update or patch or ingest).* or the protoPayload.methodName log field value matches the regular expression pattern jobservice.(insert or jobcompleted) or the protoPayload.methodName log field value matches the regular expression pattern imageannotator.(batch).* or the protoPayload.methodName log field value matches the regular expression pattern .*(scheduledsnapshots or compute.disks.insert.* or compute.disks.add.* or compute.disks.setlabels.*), then the metadata.event_type UDM field is set to RESOURCE_WRITTEN.Else, if the protoPayload.methodName log field value matches the regular expression pattern .*(insert or create or recreate or add).* or the protoPayload.methodName log field value matches the regular expression pattern compute..*.(migrate), then the metadata.event_type UDM field is set to RESOURCE_CREATION.Else, if the protoPayload.methodName log field value matches the regular expression pattern .*(get or list or watch).* or the protoPayload.methodName log field value matches the regular expression pattern cloudsql..*.(connect), then
principal.user.userid log field value is not empty or the principal.user.email_addresses log field value is not empty, then the metadata.event_type UDM field is set to RESOURCE_READ.Else, if the principal.ip log field value is not empty, then the metadata.event_type UDM field is set to STATUS_UPDATE.Else, if the protoPayload.methodName log field value matches the regular expression pattern (agents).(import), then the metadata.event_type UDM field is set to STATUS_UNCATEGORIZED.Else, if the protoPayload.methodName log field value matches the regular expression pattern status.update and the principal.ip log field value is not empty, then the metadata.event_type UDM field is set to STATUS_UPDATE.Else, if the principal.ip log field value is not empty, then the metadata.event_type UDM field is set to STATUS_UPDATE.Else, the metadata.event_type UDM field is set to GENERIC_EVENT. |
labels._HOSTNAME |
principal.hostname |
If the logName log field value matches the regular expression pattern sqlserver\.err, the labels._HOSTNAME field is mapped to the principal.hostname UDM field. |
labels._HOSTNAME |
principal.asset.hostname |
If the logName log field value matches the regular expression pattern sqlserver\.err, the labels._HOSTNAME field is mapped to the principal.asset.hostname UDM field. |
textPayload |
metadata.description |
If the logName log field value matches the regular expression pattern sqlserver\.err, the textPayload field is mapped to the metadata.description UDM field. |
|
target.user.userid |
If the logName log field value matches the regular expression pattern sqlserver\.err, the user_id field is extracted from textPayload log field using Grok pattern, and the user_id field is mapped to the target.user.userid UDM field. |