Collect Wiz logs
Supported in:
This document explains how to ingest Wiz logs into Google Security Operations. The parser transforms Wiz JSON formatted logs into a Unified Data Model (UDM). It first initializes default values for UDM fields, then parses the JSON message, extracts relevant fields like user information, location, device details, and security outcomes.
Wiz is a cloud security platform that delivers agentless, end-to-end visibility and risk prioritization across Google Cloud, AWS, Azure, OCI, and Kubernetes environments.
Before you begin
Make sure you have the following prerequisites:
- Google SecOps instance
- Privileged access to Wiz
Get Google SecOps customer ID
- Sign in to the Google SecOps console.
- Go to SIEM Settings > Profile.
- Copy and save the Customer IDfrom the Organization Detailssection.
Get Google SecOps ingestion authentication file
- Sign in to the Google SecOps console.
- Go to SIEM Settings > Collection Agents.
- Download the Ingestion Authentication Fileand save the file in a secure location.
Configure the integration in Wiz
- Click the Google SecOps (Chronicle) integration
in your Wiz tenant.
- Alternatively, sign in to the Wizweb UI.
- Go to the Connect to Wizpage.
- Click Google SecOps (Chronicle).
- Enter a name for the Google SecOps integration.
- Select the Scope.
- Enter your Google SecOps Customer ID.
-
Enter your Google SecOps instance endpoint address, which are listed in Regional Endpoints .
-
Upload the Ingestion Authentication File.
-
Click Save.
Add an automation rule for Google Security Operations
Add an automation rule to push Wiz Issuesor Detectionsto Google SecOps when specified criteria are met.
To add an automation rule, do the following:
- On the Policies > Automation Rulespage, click Add Rule.
- Enter a short but meaningful Name.
- Optional: Enter a longer Description.
- Select a Scope.
-
Under Rule Conditions, select when the rule should be triggered:
- Issuestrigger
- Detectiontrigger
-
Choose the Nativedata format.
- Native: this is the option that Google recommends. The Nativedata format is a Wiz schema that includes fields like category, trigger source, projects.
- OCSF: output events in the Open Cybersecurity Schema Framework format.
-
We recommend that you select the Include the Issue's evidencecheckbox.
-
Optional: Under Labels, click Add.
-
IF: Click Add filter, then define the filter criteria. Repeat for each additional filter.
-
THEN: Do the following to trigger the Automated Platform Actionfor the automation rule:
- Click Add action.
- From the list of configured integrations, select the integrations that apply to the trigger you selected.
-
Optional: Modify the default Action Configuration. If the selected integration supports Action Configuration, you're able to:
- Usean existing Action templateby clicking Load from template, selecting an Action template, and then clicking Use template.
- Modifythe Action parameters.
-
Save your modifications by clicking Save as template, entering a Template name, selecting a Project Scope, and clicking Save.
-
Optional: Click Testto validate the Automation Ruleusing the selected integration and mock data.
-
Click Add Action.
-
Optional: Click Add Actionagain to add up to ten Actions.
-
We recommend that you go to the bottom of the page to preview past matches for the selected
IFfilters. Verify that the filter results match your expectations. -
Click Add Rule.
UDM mapping table
The following table applies to the WIZ_IO
log type. For the OCSF
log type, refer to Collect OCSF logs
.
| Log field | UDM mapping | Comment |
|---|---|---|
account.cloudPlatform
|
additional.fields
(key = "cloudAccount_cloudPlatform") |
Inside for account in cloudAccounts loop |
account.externalId
|
target.cloud.project.id
|
Inside for account in cloudAccounts loop |
account.id
|
target.resource.attribute.labels
(key = "cloudAccount_id") |
Inside for account in cloudAccounts loop |
account.name
|
target.cloud.project.name
|
Inside for account in cloudAccounts loop |
action
|
metadata.product_event_type
|
If has_user == "true" and action == "Login": metadata.event_type is set to USER_LOGIN, extensions.auth.type is set to AUTHTYPE_UNSPECIFIED |
actionParameters.clientID
|
additional.fields
(key = "client ID") |
|
actionParameters.clientID
|
principal.group.product_object_id
|
|
actionParameters.groups
|
security_result.detection_fields
(key = "service_account_group") |
Iterates through the array |
actionParameters.input.patch.portalVisitHistory.dateTime
|
additional.fields
(key = "dateTime {index}") |
Iterated within the array. |
actionParameters.input.patch.portalVisitHistory.id
|
principal.resource.attribute.labels
(key = "id {index}") |
Iterated within the array. |
actionParameters.input.patch.portalVisitHistory.name
|
principal.resource.attribute.labels
(key = "name {index}") |
Iterated within the array. |
actionParameters.input.patch.portalVisitHistory.resourceName
|
principal.resource.attribute.labels
(key = "resourceName {index}") |
Iterated within the array. |
actionParameters.input.patch.portalVisitHistory.resourceType
|
principal.resource.attribute.labels
(key = "resourceType {index}") |
Iterated within the array. |
actionParameters.input.patch.portalVisitHistory.ruleType
|
principal.resource.attribute.labels
(key = "ruleType {index}") |
Iterated within the array. |
actionParameters.input.patch.portalVisitHistory.type
|
additional.fields
(key = "type {index}") |
Iterated within the array. |
actionParameters.name
|
target.user.user_display_name
|
|
actionParameters.products
|
security_result.detection_fields
(key = "service_account_product") |
Iterates through the array, skipping empty or "*" values |
actionParameters.role
|
target.user.attribute.roles
|
|
actionParameters.scopes
|
security_result.detection_fields
(key = "service_account_scope") |
Iterated, each scope added as a separate key-value pair. |
actionParameters.selection.preferences
|
additional.fields
(key = "Preferences") |
Iterated, values are added as a list of strings. |
actionParameters.userEmail
|
target.user.email_addresses
|
|
actionParameters.userID
|
target.user.userid
|
|
actionParameters.userpoolID
|
additional.fields
(key = "UserPool ID") |
|
actionParameters.userPoolType
|
additional.fields
(key = "UserPool Type") |
|
actor.displayName
|
target.user.user_display_name
|
|
actor.id
|
target.user.userid
|
|
actors.externalId
|
intermediary.ip
, intermediary.asset.ip
|
Iterates through actors. |
actors.id
|
additional.fields
(key = "actor_id: %{index}") |
Iterates through actors. |
actors.name
|
target.ip
, target.asset.ip
|
Iterates through actors. |
actors.type
|
target.resource.attribute.labels
(key = "actor_type: %{index}") |
Iterates through actors. |
authenticationContext.authenticationProvider
|
security_result.detection_fields
(key = "authenticationProvider") |
Merged into security_result.detection_fields. |
authenticationContext.credentialProvider
|
security_result.detection_fields
(key = "credentialProvider") |
Merged into security_result.detection_fields. |
authenticationContext.credentialType
|
extensions.auth.mechanism
|
Logic: "OTP" for SMS/EMAIL, "USERNAME_PASSWORD" for PASSWORD. |
authenticationContext.externalSessionId
|
network.parent_session_id
|
|
client.device
|
principal.asset.type
|
Conditionally mapped based on regex. |
client.geographicalContext.city
|
principal.location.city
|
|
client.geographicalContext.country
|
principal.location.country_or_region
|
|
client.geographicalContext.geolocation.lat
|
principal.location.region_latitude
|
|
client.geographicalContext.geolocation.lon
|
principal.location.region_longitude
|
|
client.geographicalContext.postalCode
|
additional.fields
(key = "Postal code") |
|
client.geographicalContext.state
|
principal.location.state
|
|
client.ipAddress
|
principal.ip
, principal.asset.ip
|
|
client.userAgent.browser
|
target.resource.attribute.labels
(key = "Browser") |
|
client.userAgent.os
|
principal.platform
|
Mapped to LINUX, WINDOWS, or MAC. |
client.userAgent.rawUserAgent
|
network.http.user_agent
, network.http.parsed_user_agent
|
|
control.description
|
security_result.detection_fields
(key = "control_description") |
|
control.id
|
security_result.detection_fields
(key = "control_id") |
|
control.IssueURL
|
security_result.url_back_to_product
|
|
control.name
|
security_result.detection_fields
(key = "control_name") |
|
control.resolutionRecommendation
|
security_result.detection_fields
(key = "control_resolution") |
|
control.risks
|
security_result.detection_fields
(key = "risk {i}") |
Iterates through the array |
control.securitySubCategories.category.framework.name
|
security_result.detection_fields
(key = "framework_name") |
Loop processes subcategories array. |
control.securitySubCategories.category.name
|
security_result.category_details
|
Loop processes subcategories array. |
control.securitySubCategories.title
|
security_result.summary
|
Loop processes subcategories array. |
control.severity
|
security_result.severity
|
Conditionally sets HIGH, MEDIUM, or LOW. |
createdAt
|
metadata.event_timestamp
|
|
debugContext.debugData.behaviors
|
security_result.description
|
|
debugContext.debugData.deviceFingerprint
|
target.asset.asset_id
|
Prepended with "device_finger_print:" |
debugContext.debugData.dtHash
|
security_result.detection_fields
(key = "dtHash") |
|
debugContext.debugData.factor
|
security_result.detection_fields
(key = "factor") |
|
debugContext.debugData.promptingPolicyTypes
|
security_result.detection_fields
(key = "promptingPolicyTypes") |
|
debugContext.debugData.requestUri
|
extensions.auth.auth_details
|
|
description
|
security_result.description
|
|
detection.actors.externalId
|
principal.user.userid
|
iterating over detection.actors |
detection.actors.externalId
|
target.user.userid
|
iterating over detection.actors |
detection.actors.id
|
principal.user.product_object_id
|
iterating over detection.actors |
detection.actors.id
|
target.user.product_object_id
|
iterating over detection.actors |
detection.actors.name
|
principal.user.user_display_name
|
iterating over detection.actors |
detection.actors.name
|
target.user.user_display_name
|
iterating over detection.actors |
detection.actors.nativeType
|
principal.user.attribute.labels
(key = "actor_nativeType {index}") |
iterating over detection.actors |
detection.actors.nativeType
|
target.user.attribute.labels
(key = "primaryActor_nativeType {index}") |
iterating over detection.actors |
detection.actors.type
|
security_result.detection_fields
(key = "actor_type {index}") |
iterating over detection.actors |
detection.actors.type
|
security_result.detection_fields
(key = "primary_actor_type {index}") |
iterating over detection.actors |
detection.cloudAccounts.cloudPlatform
|
additional.fields
(key = "detection_cloudAccount_cloudPlatform {i}") |
Iterates through the array |
detection.cloudAccounts.externalId
|
additional.fields
(key = "detection_cloudAccount_externalId {i}") |
Iterates through the array |
detection.cloudAccounts.id
|
additional.fields
(key = "detection_cloudAccount_id {i}") |
Iterates through the array |
detection.cloudAccounts.name
|
additional.fields
(key = "detection_cloudAccount_name {i}") |
Iterates through the array |
detection.cloudOrganizations
|
principal.resource.attribute.labels
(key = "detection cloudOrganization
{index}") |
|
detection.createdAt
|
additional.fields
(key = "detection_createdAt") |
|
detection.description
|
security_result.description
|
|
detection.detectionURL
|
security_result.url_back_to_product
|
|
detection.id
|
metadata.product_log_id
|
|
detection.mitreTactics
|
additional.fields
(key = "mitre_tactic {i}") |
Iterates through the array |
detection.mitreTechniques
|
additional.fields
(key = "mitre_technique {i}") |
Iterates through the array |
detection.primaryActor.actingAs.externalId
|
principal.resource.attribute.labels
(key = "detection_primaryActor_actingAs_externalId") |
|
detection.primaryActor.actingAs.id
|
principal.resource.attribute.labels
(key = "detection_primaryActor_actingAs_id") |
|
detection.primaryActor.actingAs.name
|
principal.resource.attribute.labels
(key = "detection_primaryActor_actingAs_name") |
|
detection.primaryActor.actingAs.providerUniqueId
|
principal.resource.attribute.labels
(key = "detection_primaryActor_actingAs_providerUniqueId") |
|
detection.primaryActor.actingAs.type
|
principal.resource.attribute.labels
(key = "detection_primaryActor_actingAs_type") |
|
detection.primaryResource.externalId
|
target.resource.product_object_id
|
|
detection.primaryResource.id
|
additional.fields
(key = "detection_primaryResource_id") |
|
detection.primaryResource.name
|
target.hostname
, target.asset.hostname
|
|
detection.primaryResource.type
|
additional.fields
(key = "detection_primaryResource_type") |
|
detection.primaryResource.type
|
target.resource.resource_type
|
Set to VIRTUAL_MACHINE if type matches criteria. |
detection.resources.cloudProviderURL
|
target.resource.attribute.labels
(key = "detection_resource_cloudProviderURL {i}") |
Iterates through detection.resources array |
detection.resources.externalId
|
security_result.about.resource.attribute.labels
(key = "detection_resource_externalId {i}") |
Iterates through detection.resources array |
detection.resources.id
|
security_result.about.resource.attribute.labels
(key = "detection_resource_id {i}") |
Iterates through detection.resources array |
detection.resources.kubernetesCluster.externalId
|
target.resource.attribute.labels
(key = "kubernetesCluster externalId
{i}") |
Iterates through detection.resources array |
detection.resources.kubernetesCluster.id
|
target.resource.attribute.labels
(key = "kubernetesCluster id
{i}") |
Iterates through detection.resources array |
detection.resources.kubernetesnamespace.id
|
additional.fields
(key = "kubernetesnamespace id
{i}") |
Iterates through detection.resources array |
detection.resources.name
|
security_result.about.resource.attribute.labels
(key = "detection_resource_name {i}") |
Iterates through detection.resources array |
detection.resources.nativeType
|
security_result.about.resource.attribute.labels
(key = "detection_resource_nativeType {i}") |
Iterates through detection.resources array |
detection.resources.region
|
security_result.about.resource.attribute.labels
(key = "detection_resource_region {i}") |
Iterates through detection.resources array |
detection.resources.status
|
target.resource.attribute.labels
(key = "detection_resource_status {i}") |
Iterates through detection.resources array |
detection.resources.type
|
security_result.about.resource.attribute.labels
(key = "detection_resource_type {i}") |
Iterates through detection.resources array |
detection.tdrId
|
additional.fields
(key = "detection_tdr_id") |
|
detection.tdrSource
|
additional.fields
(key = "detection_tdr_source") |
|
detection.threatId
|
security_result.threat_id
|
|
detection.threatURL
|
security_result.detection_fields
(key = "threatURL") |
|
detection.timeframe.end
|
metadata.collected_timestamp
|
|
detection.timeframe.start
|
metadata.event_timestamp
|
|
detection.title
|
security_result.rule_name
|
|
detection.triggeringEvents.actor.externalId
|
security_result.detection_fields
(key = "detection_triggeringEvent_actor_externalId {index}") |
Iterates through triggeringEvents |
detection.triggeringEvents.actor.id
|
security_result.detection_fields
(key = "detection_triggeringEvent_actor_id {index}") |
Iterates through triggeringEvents |
detection.triggeringEvents.actor.name
|
security_result.detection_fields
(key = "detection_triggeringEvent_actor_name {index}") |
Iterates through triggeringEvents |
detection.triggeringEvents.actor.type
|
security_result.detection_fields
(key = "detection_triggeringEvent_actor_type {index}") |
Iterates through triggeringEvents |
detection.triggeringEvents.actorIP
|
principal.ip
& principal.asset.ip
|
Iterates through triggeringEvents. |
detection.triggeringEvents.actorIP
|
principal.resource.attribute.labels
(key = "detection_triggeringEvent_actorIP {index}") |
Iterates through triggeringEvents. |
detection.triggeringEvents.actorIPMeta.autonomousSystemNumber
|
additional.fields
(key = "detection_triggeringEvent_actorIPMeta_autonomousSystemNumber {index}") |
Iterates through triggeringEvents |
detection.triggeringEvents.actorIPMeta.autonomousSystemOrganization
|
additional.fields
(key = "detection_triggeringEvent_actorIPMeta_autonomousSystemOrganization {index}") |
Iterates through triggeringEvents |
detection.triggeringEvents.actorIPMeta.country
|
additional.fields
(key = "detection_triggeringEvent_actorIPMeta_country {index}") |
Iterates through triggeringEvents |
detection.triggeringEvents.actorIPMeta.isForeign
|
additional.fields
(key = "detection_triggeringEvent_actorIPMeta_isForeign {index}") |
Iterates through triggeringEvents |
detection.triggeringEvents.actorIPMeta.reputation
|
security_result.about.resource.attribute.labels
(key = "detection_triggeringEvent_actorIPMeta_reputation {index}") |
Iterates through triggeringEvents |
detection.triggeringEvents.actorIPMeta.reputationSource
|
additional.fields
(key = "detection_triggeringEvent_actorIPMeta_reputationSource {index}") |
Iterates through triggeringEvents |
detection.triggeringEvents.category
|
additional.fields
(key = "detection_triggeringEvent_category {index}") |
Iterates through triggeringEvents |
detection.triggeringEvents.cloudPlatform
|
additional.fields
(key = "detection_triggeringEvent_cloudPlatform {index}") |
Iterates through triggeringEvents |
detection.triggeringEvents.cloudProviderUrl
|
target.url
|
Iterates through triggeringEvents |
detection.triggeringEvents.description
|
metadata.description
|
Iterates through triggeringEvents |
detection.triggeringEvents.eventTime
|
additional.fields
(key = "detection_triggeringEvent_eventTime {index}") |
Iterates through triggeringEvents |
detection.triggeringEvents.externalId
|
additional.fields
(key = "detection_triggeringEvent_externalId {index}") |
Iterates through triggeringEvents |
detection.triggeringEvents.id
|
additional.fields
(key = "detection_triggeringEvent_id {index}") |
Iterates through triggeringEvents |
detection.triggeringEvents.name
|
additional.fields
(key = "detection_triggeringEvent_name {index}") |
Iterates through triggeringEvents |
detection.triggeringEvents.origin
|
additional.fields
(key = "detection_triggeringEvent_origin {index}") |
Iterates through triggeringEvents |
detection.triggeringEvents.runtimeDetails.currentWorkingDirectory
|
additional.fields
(key = "detection_triggeringEvent_runtimeDetails_currentWorkingDirectory {index}") |
Iterates through triggeringEvents |
detection.triggeringEvents.runtimeDetails.processTree[0].path
|
principal.process.file.full_path
|
Iterates through triggeringEvents. Overwrites index 0/1 logic. |
detection.triggeringEvents.runtimeDetails.processTree[0].username
|
additional.fields
(key = "detection_triggeringEvent_runtimeDetails_username {index}") |
Iterates through triggeringEvents. |
detection.triggeringEvents.runtimeDetails.processTree[1].hash
|
additional.fields
(key = "detection_triggeringEvent_runtimeDetails_hash {index}") |
Iterates through triggeringEvents. |
detection.triggeringEvents.runtimeDetails.processTree[2].path
|
principal.process.parent_process.file.full_path
|
Iterates through triggeringEvents |
detection.triggeringEvents.source
|
additional.fields
(key = "detection_triggeringEvent_source {index}") |
Iterates through triggeringEvents |
detection.triggeringEvents.status
|
additional.fields
(key = "detection_triggeringEvent_status {index}") |
Iterates through triggeringEvents |
detection.triggeringEvents[0].runtimeDetails.processTree[0].command
|
target.process.command_line
|
Only for first triggeringEvent and first processTree element |
detection.triggeringEvents[0].runtimeDetails.processTree[0].hash
|
target.process.file.sha1
|
Only for first triggeringEvent and first processTree element |
detection.triggeringEvents[0].runtimeDetails.processTree[0].path
|
target.process.file.full_path
|
Only for first triggeringEvent and first processTree element |
detection.triggeringEvents[0].runtimeDetails.processTree[0].size
|
target.process.file.size
|
Only for first triggeringEvent and first processTree element |
detection.triggeringEvents[0].runtimeDetails.processTree[0].username
|
principal.user.userid
|
Only for first triggeringEvent and first processTree element |
detection.triggeringEvents[0].runtimeDetails.processTree[1].command
|
principal.process.command_line
|
Only for first triggeringEvent and second processTree element. |
detection.triggeringEvents[0].runtimeDetails.processTree[1].hash
|
principal.process.file.sha1
|
Only for first triggeringEvent and second processTree element. |
detection.triggeringEvents[0].runtimeDetails.processTree[1].path
|
principal.process.file.full_path
|
Only for first triggeringEvent and second processTree element. |
detection.triggeringEvents[0].runtimeDetails.processTree[1].size
|
principal.process.file.size
|
Only for first triggeringEvent and second processTree element. |
detection.triggeringEventsCount
|
additional.fields
(key = "triggering_events_count") |
|
DetectionURL
|
security_result.url_back_to_product
|
|
dueAt
|
additional.fields
(key = "due_at") |
|
entitySnapshot.cloudPlatform
|
principal.cloud.vpc.name
|
|
entitySnapshot.externalId
|
principal.group.product_object_id
|
|
entitySnapshot.id
|
principal.asset_id
|
|
entitySnapshot.name
|
principal.cloud.project.name
|
|
entitySnapshot.nativeType
|
principal.cloud.project.resource_subtype
|
|
entitySnapshot.providerId
|
principal.cloud.vpc.id
|
|
entitySnapshot.status
|
security_result.action_details
|
|
entitySnapshot.tags.io.cri-containerd.kind
|
target.resource.attribute.labels
(key = "Containerd Kind") |
|
entitySnapshot.tags.io.kubernetes.container.name
|
target.resource.attribute.labels
(key = "Container Name") |
|
entitySnapshot.tags.io.kubernetes.pod.name
|
target.resource.attribute.labels
(key = "Pod Name") |
|
entitySnapshot.tags.io.kubernetes.pod.namespace
|
principal.namespace
|
|
entitySnapshot.tags.io.kubernetes.pod.namespace
|
target.resource.attribute.labels
(key = "Pod Namespace") |
|
entitySnapshot.tags.io.kubernetes.pod.uid
|
target.resource.attribute.labels
(key = "Pod Id") |
|
entitySnapshot.tags.maintainer
|
target.resource.attribute.labels
(key = "Maintainer") |
|
entitySnapshot.type
|
principal.cloud.project.id
|
|
eventType
|
metadata.product_event_type
|
|
eventType
(specific values) |
extensions.auth.mechanism
|
Merged with auth_type for login types. |
Hardcoded to "WIZ_IO"
|
metadata.product_name
|
|
Hardcoded to "WIZ_IO"
|
metadata.vendor_name
|
|
id
|
metadata.product_log_id
|
|
issue.created
|
metadata.event_timestamp
|
|
issue.id
|
metadata.product_log_id
|
|
issue.projects
|
additional.fields
(key = "issue_projects") |
|
issue.severity
|
Sets intermediate variable severity
|
Sets to INFORMATIONAL if condition matches. |
issue.status
|
security_result.action_details
|
|
issue.status
|
security_result.action_details
|
Mapped only if status is "OPEN" |
metadata_data.version
|
metadata.product_version
|
|
mitreTactics
(array element) |
additional.fields
(key = "mitre_tactic %{i}") |
Iterates through the array. |
mitreTechniques
(array element) |
additional.fields
(key = "mitre_technique %{i}") |
Iterates through the array. |
outcome.reason
|
security_result.category_details
|
|
outcome.result
|
security_result.action
|
Indirect mapping to ALLOW, CHALLENGE, or BLOCK. |
primaryActor.actingAs
|
additional.fields
(key = "primaryActor_actingAs") |
|
primaryActor.email
|
additional.fields
(key = "primaryActor_email") |
|
primaryActor.externalId
|
principal.ip
, principal.asset.ip
|
|
primaryActor.id
|
additional.fields
(key = "primaryActor_id") |
|
primaryActor.name
|
target.ip
, target.asset.ip
|
|
primaryActor.nativeType
|
additional.fields
(key = "primaryActor_nativeType") |
|
primaryActor.providerUniqueId
|
additional.fields
(key = "primaryActor_providerUniqueId") |
|
primaryActor.type
|
principal.resource.type
|
|
primaryResource.cloudAccount.cloudPlatform
|
additional.fields
(key = "primaryResourceCloudPlatform") |
|
primaryResource.cloudAccount.externalId
|
target.cloud.project.id
|
|
primaryResource.cloudAccount.id
|
additional.fields
(key = "primaryResourceCloudAccountId") |
|
primaryResource.cloudAccount.name
|
target.cloud.project.name
|
|
primaryResource.cloudProviderURL
|
target.url
|
|
primaryResource.externalId
|
additional.fields
(key = "primaryResourceExternalId") |
|
primaryResource.id
|
target.resource.id
|
|
primaryResource.name
|
target.resource.name
|
|
primaryResource.nativeType
|
additional.fields
(key = "primaryResourceNativeType") |
|
primaryResource.region
|
target.asset.location.country_or_region
|
|
primaryResource.type
|
target.resource.type
|
|
process.command
|
target.resource.attribute.labels
(key = "process command
{process_index}") |
|
process.container.externalId
|
target.resource.attribute.labels
(key = "container externalId
{process_index}") |
|
process.container.id
|
target.resource.attribute.labels
(key = "process_container id
{process_index}") |
|
process.container.imageExternalId
|
target.resource.attribute.labels
(key = "container imageExternalId
{process_index}") |
|
process.container.imageId
|
target.resource.attribute.labels
(key = "container imageId
{process_index}") |
|
process.container.name
|
target.resource.attribute.labels
(key = "process_container name
{process_index}") |
|
process.currentWorkingDirectory
|
target.resource.attribute.labels
(key = "currentWorkingDirectory_{process_index}") |
|
process.hash
|
target.resource.attribute.labels
(key = "process hash
{process_index}") |
|
process.id
|
target.resource.attribute.labels
(key = "process id
{process_index}") |
|
process.path
|
target.resource.attribute.labels
(key = "process path
{process_index}") |
|
process.size
|
target.process.file.size
|
|
process.userId
|
target.resource.attribute.labels
(key = "process userId
{process_index}") |
|
process.username
|
target.resource.attribute.labels
(key = "process username
{process_index}") |
|
requestId
|
metadata.product_log_id
|
|
resource.cloudAccount.cloudPlatform
|
additional.fields
(key = "cloudPlatform") |
Part of object merged into repeated about field. |
resource.cloudAccount.externalId
|
additional.fields
(key = "cloudAccountExternalId") |
Part of object merged into repeated about field. |
resource.cloudAccount.id
|
additional.fields
(key = "cloudAccountId") |
Part of object merged into repeated about field. |
resource.cloudAccount.name
|
cloudAccountName
|
|
resource.cloudPlatform
|
additional.fields
(key = "resource_cloudPlatform") |
|
resource.cloudProviderURL
|
about.url
|
Part of object merged into repeated about field. |
resource.cloudProviderURL
|
target.url
|
|
resource.externalId
|
additional.fields
(key = "externalId") |
Part of object merged into repeated about field. |
resource.id
|
about.resource.product_object_id
|
Part of object merged into repeated about field. |
resource.id
|
target.resource.id
|
|
resource.name
|
about.resource.name
|
Part of object merged into repeated about field. |
resource.name
|
target.resource.name
|
|
resource.nativeType
|
about.resource.resource_subtype
|
Part of object merged into repeated about field. |
resource.region
|
about.location.country_or_region
|
Part of object merged into repeated about field. |
resource.region
|
target.asset.location.country_or_region
|
|
resource.region
|
target.location.country_or_region
|
|
resource.status
|
about.resource.attribute.labels
(key = "status") |
Part of object merged into repeated about field. |
resource.status
|
target.resource.attribute.labels
(key = "status") |
|
resource.subscriptionId
|
target.cloud.project.id
|
|
resource.subscriptionName
|
target.cloud.project.name
|
|
resource.type
|
about.resource.type
|
Part of object merged into repeated about field. |
resource.type
|
target.resource.type
|
|
serviceAccount.name
|
principal.application
|
Only if action is "Report" |
sourceIP
|
principal.ip
, principal.asset.ip
|
|
sourceRule.id
|
principal.user.userid
|
|
status
|
security_result.summary
|
|
statusChangedAt
|
additional.fields
(key = "status_changed_at") |
|
tdrId
|
security_result.detection_fields
(key = "tdrId") |
|
tdrSource
|
security_result.detection_fields
(key = "tdrSource") |
|
The detection.severity variable
|
security_result.severity
|
Normalized (e.g., INFO -> LOW) then mapped. |
threat.actors.externalId
|
principal.user.email_addresses
|
Iterates through threat.actors. |
threat.actors.id
|
principal.resource.attribute.labels
(key = "actor_id:%{index}") |
Mapped for elements after first (index > 0). |
threat.actors.id
|
principal.resource.product_object_id
|
Mapped for the first element (index 0). |
threat.actors.name
|
principal.user.email_addresses
|
Iterates through threat.actors. |
threat.actors.nativeType
|
principal.resource.attribute.labels
(key = "actor_nativeType:%{index}") |
Mapped for elements after first (index > 0). |
threat.actors.nativeType
|
principal.resource.resource_subtype
|
Mapped for the first element (index 0). |
threat.actors.type
|
additional.fields
(key = "actor_type") |
Iterates through threat.actors. |
threat.cloudAccounts
|
target.resource.attribute.labels
(key = "threat_cloudAccounts") |
|
threat.cloudOrganizations.cloudProvider
|
target.resource.attribute.labels
(key = "org_cloudProvider:%{index}") |
Iterates through threat.cloudOrganizations. |
threat.cloudOrganizations.externalId
|
target.resource.attribute.labels
(key = "org_externalId:%{index}") |
Iterates through threat.cloudOrganizations. |
threat.cloudOrganizations.id
|
target.resource.attribute.labels
(key = "org_id:%{index}") |
Iterates through threat.cloudOrganizations. |
threat.cloudOrganizations.name
|
target.resource.attribute.labels
(key = "org_name:%{index}") |
Iterates through threat.cloudOrganizations. |
threat.cloudPlatform
|
additional.fields
(key = "threat_cloudPlatform") |
|
threat.created
|
metadata.event_timestamp
|
|
threat.description
|
security_result.description
|
|
threat.detectionIds
|
additional.fields
(key = "detectionId") |
Comma-separated string split into list. |
threat.id
|
metadata.product_log_id
|
|
threat.mitreTactics
|
additional.fields
(key = "tactic_val label
{index}") |
Iterates through the array. |
threat.mitreTechniques
|
additional.fields
(key = "technique_val label
{i}") |
Iterates through the array |
threat.notes
|
additional.fields
(key = "threat_notes") |
|
threat.projects
|
additional.fields
(key = "threat_projects") |
|
threat.resolutionNote
|
additional.fields
(key = "threat_resolutionNote") |
|
threat.resolvedAt
|
additional.fields
(key = "threat_resolvedAt") |
|
threat.resources.externalId
|
target.resource.attribute.labels
(key = "resource_externalId:%{index}") |
Mapped for elements after first (index > 0). |
threat.resources.externalId
|
target.resource.product_object_id
|
Mapped for the first element (index 0). |
threat.resources.id
|
target.resource.attribute.labels
(key = "resource_id:%{index}") |
Iterates through threat.resources. |
threat.resources.name
|
target.resource.attribute.labels
(key = "resource_name:%{index}") |
Mapped for elements after first (index > 0). |
threat.resources.name
|
target.resource.name
|
Mapped for the first element (index 0). |
threat.resources.nativeType
|
target.resource.attribute.labels
(key = "resource_nativeType:%{index}") |
Mapped for elements after first (index > 0). |
threat.resources.nativeType
|
target.resource.resource_subtype
|
Mapped for the first element (index 0). |
threat.resources.type
|
additional.fields
(key = "resource_type") |
Iterates through threat.resources. |
threat.severity
|
security_result.severity
|
Indirectly normalized (e.g., INFO -> LOW). |
threat.status
|
security_result.action_details
|
|
threat.tdrNames
|
additional.fields
(key = "tdrName") |
Comma-separated string split into list. |
threat.threatURL
|
security_result.url_back_to_product
|
|
threat.title
|
metadata.description
|
|
threat.updatedAt
|
additional.fields
(key = "threat_updatedAt") |
|
threatId
|
security_result.threat_id
|
|
threatURL
|
security_result.detection_fields
(key = "threatURL") |
|
timeframe.end
|
additional.fields
(key = "timeframe_end") |
|
timeframe.start
|
metadata.collected_timestamp
|
|
timestamp
|
metadata.event_timestamp
|
|
title
|
security_result.summary
|
|
trigger.changedBy
|
principal.user.product_object_id
|
|
trigger.ruleId
|
security_result.rule_id
|
|
trigger.ruleName
|
additional.fields
(key = "rule_name") |
|
trigger.source
|
metadata.product_event_type
|
|
trigger.type
|
additional.fields
(key = "trigger_type") |
|
trigger.updatedFields
|
additional.fields
(key = "updated_fields") |
|
triggeringEvents.actor.id
|
principal.user.userid
|
Mapped within the triggeringEvents loop. |
triggeringEvents.actor.name
|
about.user.user_display_name
|
Mapped within triggeringEvents loop; merged. |
triggeringEvents.actor.type
|
about.resource.type
|
Mapped within triggeringEvents loop; merged. |
triggeringEvents.actorIP
|
observer.ip
|
Mapped within the triggeringEvents loop. |
triggeringEvents.actorIPMeta.autonomousSystemNumber
|
principal.labels
(key = "actorIP_autonomousSystemNumber") |
Mapped within the triggeringEvents loop. |
triggeringEvents.actorIPMeta.autonomousSystemOrganization
|
principal.labels
(key = "actorIP_autonomousSystemOrganization") |
Mapped within the triggeringEvents loop. |
triggeringEvents.actorIPMeta.country
|
principal.asset.location.country_or_region
|
Mapped within the triggeringEvents loop. |
triggeringEvents.actorIPMeta.isForeign
|
principal.labels
(key = "actorIP_isForeign") |
Mapped within the triggeringEvents loop. |
triggeringEvents.actorIPMeta.reputation
|
principal.labels
(key = "actorIP_reputation") |
Mapped within the triggeringEvents loop. |
triggeringEvents.actorIPMeta.reputationSource
|
principal.labels
(key = "actorIP_reputationSource") |
Mapped within the triggeringEvents loop. |
triggeringEvents.category
|
about.resource.attribute.labels
(key = "triggeringEvent_category") |
Mapped within triggeringEvents loop; merged. |
triggeringEvents.cloudPlatform
|
security_result.detection_fields
(key = "triggeringEvent_cloudPlatform") |
Mapped within the triggeringEvents loop. |
triggeringEvents.cloudProviderUrltarget.url
|
Mapped within the triggeringEvents loop.
|
|
triggeringEvents.description
|
metadata.description
|
Mapped within the triggeringEvents loop. |
triggeringEvents.eventTime
|
about.resource.attribute.labels
(key = "triggeringEvent_eventTime") |
Mapped within triggeringEvents loop; merged. |
triggeringEvents.externalId
|
principal.resource.product_object_id
|
Mapped within the triggeringEvents loop. |
triggeringEvents.id
|
metadata.product_log_id
|
Mapped within the triggeringEvents loop. |
triggeringEvents.name
|
security_result.summary
|
Mapped within the triggeringEvents loop. |
triggeringEvents.origin
|
about.resource.attribute.labels
(key = "triggeringEvent_origin") |
Mapped within triggeringEvents loop; merged. |
triggeringEvents.resources.externalId
|
about.resource.attribute.labels
(key = "externalId") |
Mapped within loops; merged into about array. |
triggeringEvents.resources.id
|
about.resource.product_object_id
|
Mapped within loops; merged into about array. |
triggeringEvents.resources.name
|
about.resource.name
|
Mapped within loops; merged into about array. |
triggeringEvents.resources.nativeType
|
about.resource.resource_subtype
|
Mapped within loops; merged into about array. |
triggeringEvents.resources.region
|
about.location.country_or_region
|
Mapped within loops; merged into about array. |
triggeringEvents.resources.type
|
about.resource.type
|
Mapped within loops; merged into about array. |
triggeringEvents.source
|
additional.fields
(key = "triggeringEvent_source") |
Mapped within the triggeringEvents loop. |
triggeringEvents.status
|
security_result.action_details
|
Mapped within the triggeringEvents loop. |
triggeringEventsCount
|
additional.fields
(key = "triggeringEventsCount") |
|
type
|
metadata.product_event_type
|
|
updatedAt
|
additional.fields
(key = "updated_at") |
|
version
|
security_result.detection_fields
(key = "version") |
Event mapping table
| eventType from log | Old event_type | Current event_type |
|---|---|---|
if [eventType] == "user.session.end"
|
metadata.event_type
|
"USER_LOGOUT"
|
if [eventType] in ["user.authentication.auth_via_AD_agent" , "user.authentication.auth_via_LDAP_agent"]
|
metadata.event_type
|
STATUS_UPDATE
|
if [eventType] in ["user.authentication.auth_via_mfa", "user.authentication.sso", "user.session.start","user.session.access_admin_app"]
|
metadata.event_type
|
USER_LOGIN
|
if [has_principal] == "true"
|
metadata.event_type
|
"STATUS_UPDATE"
|
if [has_resource] == "true"
|
metadata.event_type
|
USER_RESOURCE_ACCESS
|
if [has_user] == "true"
|
metadata.event_type
|
USER_UNCATEGORIZED
|
if [has_user] == "true" and [action] == "Login"
|
metadata.event_type
|
"USER_LOGIN"
|
if [has_user] == "true" and [action] == "Login"
|
event.idm.read_only_udm.extensions.auth.type
|
"AUTHTYPE_UNSPECIFIED"
|
if [has_user] == "true" and [event][idm][read_only_udm][metadata][event_type] == "GENERIC_EVENT"
|
metadata.event_type
|
USER_UNCATEGORIZED
|
else
|
metadata.event_type
|
GENERIC_EVENT
|
Need more help? Get answers from Community members and Google SecOps professionals.
