Collect Cloud SQL context logs

This document describes how fields of Cloud SQL context logs map to Google Security Operations Unified Data Model (UDM) fields.

An ingestion label identifies the parser which normalizes raw log data to structured UDM format. The information in this document applies to the parser with the GCP_SQL_CONTEXT ingestion label.

For information about other context parsers that Google SecOps supports, see Google SecOps context parsers.

Supported Cloud SQL log formats

The Cloud SQL parser supports logs in JSON format.

Supported Cloud SQL sample logs

  • JSON:

    {
      "name": "//cloudsql.googleapis.com/projects/cloudsql-experiment-target/instances/target-exfil-mysql/backupRuns/1684933200000",
      "assetType": "dummy.googleapis.com/BackupRun",
      "resource": {
        "version": "v1beta4",
        "discoveryDocumentUri": "https://www.googleapis.com/discovery/v1/apis/sqladmin/v1beta4/rest",
        "discoveryName": "BackupRun",
        "parent": "//cloudsql.googleapis.com/projects/cloudsql-experiment-target/instances/target-exfil-mysql",
        "data": {
          "backupKind": "SNAPSHOT",
          "endTime": "2023-05-24T13:14:54.196Z",
          "enqueuedTime": "2023-05-24T13:13:32.856Z",
          "id": "1684933200000",
          "instance": "target-exfil-mysql",
          "kind": "sql#backupRun",
          "location": "us",
          "selfLink": "https://sqladmin.googleapis.com/sql/v1beta4/projects/cloudsql-experiment-target/instances/target-exfil-mysql/backupRuns/1684933200000",
          "startTime": "2023-05-24T13:13:32.913Z",
          "status": "SUCCESSFUL",
          "type": "AUTOMATED",
          "windowStartTime": "2023-05-24T13:00:00Z"
        }
      },
      "ancestors": [
        "projects/687904117202",
        "organizations/299419016487"
      ]
    }

Field mapping reference

This section explains how the Google SecOps parser maps fields of Cloud SQL context logs to Google SecOps Unified Data Model (UDM) fields.

| Log field | UDM mapping | Logic |
|---|---|---|
| ancestors | relations.entity.resource_ancestors.name | If the resource.parent log field value does not match the value of the ancestors log field, then the ancestors log field is mapped to the relations.entity.resource_ancestors.name UDM field. |
| assetType | entity.resource.resource_subtype | |
| name | entity.resource.name | |
| resource.data.availableMaintenanceVersions | entity.resource.attribute.labels[available_maintenance_versions] | |
| resource.data.backendType | entity.resource.attribute.labels[backend_type] | |
| resource.data.backupKind | entity.resource.attribute.labels[backup_kind] | |
| resource.data.connectionName | entity.resource.attribute.labels[connection_name] | |
| resource.data.createTime | entity.resource.attribute.creation_time | |
| resource.data.currentDiskSize | entity.resource.attribute.labels[current_disk_size] | |
| resource.data.databaseInstalledVersion | entity.resource.attribute.labels[database_installed_version] | |
| resource.data.databaseVersion | entity.resource.attribute.labels[database_version] | |
| resource.data.description | metadata.description | |
| resource.data.diskEncryptionConfiguration.kind | entity.resource.attribute.labels[disk_encryption_configuration_kind] | |
| resource.data.diskEncryptionConfiguration.kmsKeyName | entity.resource.attribute.labels[disk_encryption_configuration_kms_key_name] | |
| resource.data.diskEncryptionStatus.kind | entity.resource.attribute.labels[disk_encryption_status_kind] | |
| resource.data.diskEncryptionStatus.kmsKeyVersionName | entity.resource.attribute.labels[disk_encryption_configuration_kms_key_version_name] | |
| resource.data.endTime | entity.resource.attribute.labels[end_time] | |
| resource.data.enqueuedTime | metadata.creation_timestamp | |
| resource.data.error.code | entity.resource.attribute.labels[error_code] | |
| resource.data.error.kind | entity.resource.attribute.labels[error_kind] | |
| resource.data.error.message | entity.resource.attribute.labels[error_message] | |
| resource.data.etag | entity.resource.attribute.labels[etag] | |
| resource.data.failoverReplica.available | entity.resource.attribute.labels[failover_replica_available] | |
| resource.data.failoverReplica.name | entity.resource.attribute.labels[failover_replica_name] | |
| resource.data.gceZone | entity.resource.attribute.cloud.availability_zone | |
| resource.data.id | metadata.product_entity_id | |
| resource.data.instance | entity.resource.attribute.labels[instance] | |
| resource.data.instanceType | entity.resource.attribute.labels[instance_type] | |
| resource.data.ipAddresses.ipAddress | entity.ip | |
| resource.data.ipAddresses.timeToRetire | entity.labels[ip_addresses_time_to_retire] | |
| resource.data.ipAddresses.type | entity.labels[ip_addresses_type] | |
| resource.data.ipv6Address | entity.ip | |
| resource.data.kind | entity.resource.attribute.labels[kind] | |
| resource.data.location | entity.location.name | |
| resource.data.maintenanceVersion | entity.resource.attribute.labels[maintenance_version] | |
| resource.data.masterInstanceName | entity.resource.attribute.labels[master_instance_name] | |
| resource.data.maxDiskSize | entity.resource.attribute.labels[max_disk_size] | |
| resource.data.name | entity.resource.attribute.labels[resource_name] | |
| resource.data.onPremisesConfiguration.caCertificate | entity.resource.attribute.labels[on_pem_conf_ca_certificate] | |
| resource.data.onPremisesConfiguration.clientCertificate | entity.resource.attribute.labels[on_pem_conf_client_certificate] | |
| resource.data.onPremisesConfiguration.clientKey | entity.resource.attribute.labels[on_pem_conf_client_key] | |
| resource.data.onPremisesConfiguration.dumpFilePath | entity.resource.attribute.labels[on_pem_conf_dump_file_path] | |
| resource.data.onPremisesConfiguration.hostPort | entity.resource.attribute.labels[on_pem_conf_host_port] | |
| resource.data.onPremisesConfiguration.kind | entity.resource.attribute.labels[on_pem_conf_kind] | |
| resource.data.onPremisesConfiguration.password | entity.resource.attribute.labels[on_pem_conf_password] | |
| resource.data.onPremisesConfiguration.sourceInstance.name | relations.entity.resource.name | |
| resource.data.onPremisesConfiguration.sourceInstance.project | relations.entity.resource.product_object_id | |
| resource.data.onPremisesConfiguration.sourceInstance.region | relations.entity.location.country_or_region | |
| resource.data.onPremisesConfiguration.username | entity.resource.attribute.labels[on_pem_conf_username] | |
| resource.data.outOfDiskReport.sqlMinRecommendedIncreaseSizeGb | entity.resource.attribute.labels[out_of_disk_report_sql_min_recommended_increase_size_gb] | |
| resource.data.outOfDiskReport.sqlOutOfDiskState | entity.resource.attribute.labels[out_of_disk_report_sql_out_of_disk_state] | |
| resource.data.project | entity.resource.product_object_id | |
| resource.data.region | entity.location.country_or_region | |
| resource.data.replicaConfiguration.failoverTarget | entity.resource.attribute.labels[replica_conf_fail_over_target] | |
| resource.data.replicaConfiguration.kind | entity.resource.attribute.labels[replica_conf_kind] | |
| resource.data.replicaConfiguration.mysqlReplicaConfiguration.caCertificate | entity.resource.attribute.labels[replica_conf_my_sql_replica_conf_ca_certificate] | |
| resource.data.replicaConfiguration.mysqlReplicaConfiguration.clientCertificate | entity.resource.attribute.labels[replica_conf_my_sql_replica_conf_client_certificate] | |
| resource.data.replicaConfiguration.mysqlReplicaConfiguration.clientKey | entity.resource.attribute.labels[replica_conf_my_sql_replica_conf_client_key] | |
| resource.data.replicaConfiguration.mysqlReplicaConfiguration.connectRetryInterval | entity.resource.attribute.labels[replica_conf_my_sql_replica_conf_connect_retry_interval] | |
| resource.data.replicaConfiguration.mysqlReplicaConfiguration.dumpFilePath | entity.resource.attribute.labels[replica_conf_my_sql_replica_conf_dump_file_path] | |
| resource.data.replicaConfiguration.mysqlReplicaConfiguration.kind | entity.resource.attribute.labels[replica_conf_my_sql_replica_conf_kind] | |
| resource.data.replicaConfiguration.mysqlReplicaConfiguration.masterHeartbeatPeriod | entity.resource.attribute.labels[replica_conf_my_sql_replica_conf_master_heart_beat_period] | |
| resource.data.replicaConfiguration.mysqlReplicaConfiguration.password | entity.resource.attribute.labels[replica_conf_my_sql_replica_conf_password] | |
| resource.data.replicaConfiguration.mysqlReplicaConfiguration.sslCipher | entity.resource.attribute.labels[replica_conf_my_sql_replica_conf_ssl_cipher] | |
| resource.data.replicaConfiguration.mysqlReplicaConfiguration.username | entity.resource.attribute.labels[replica_conf_my_sql_replica_conf_username] | |
| resource.data.replicaConfiguration.mysqlReplicaConfiguration.verifyServerCertificate | entity.resource.attribute.labels[replica_conf_my_sql_replica_conf_verify_server_certificate] | |
| resource.data.replicaNames | entity.resource.attribute.labels[replica_names] | |
| resource.data.rootPassword | entity.resource.attribute.labels[root_password] | |
| resource.data.satisfiesPzs | entity.resource.attribute.labels[satisfies_pzs] | |
| resource.data.scheduledMaintenance.canDefer | entity.resource.attribute.labels[schedule_maintenance_can_defer] | |
| resource.data.scheduledMaintenance.canReschedule | entity.resource.attribute.labels[schedule_maintenance_can_reschedule] | |
| resource.data.scheduledMaintenance.scheduleDeadlineTime | entity.resource.attribute.labels[schedule_maintenance_deadline_time] | |
| resource.data.scheduledMaintenance.startTime | entity.resource.attribute.labels[schedule_maintenance_start_time] | |
| resource.data.secondaryGceZone | entity.resource.attribute.labels[secondary_gce_zone] | |
| resource.data.selfLink | entity.url | |
| resource.data.serverCaCert.cert | entity.resource.attribute.labels[server_ca_cert_cert] | |
| resource.data.serverCaCert.certSerialNumber | entity.network.tls.server.certificate.serial | |
| resource.data.serverCaCert.commonName | entity.network.tls.server.certificate.subject | |
| resource.data.serverCaCert.createTime | entity.network.tls.server.certificate.not_before | |
| resource.data.serverCaCert.expirationTime | entity.network.tls.server.certificate.not_after | |
| resource.data.serverCaCert.instance | entity.resource.attribute.labels[server_ca_cert_instance] | |
| resource.data.serverCaCert.kind | entity.resource.attribute.labels[server_ca_cert_kind] | |
| resource.data.serverCaCert.selfLink | entity.resource.attribute.labels[server_ca_cert_self_link] | |
| resource.data.serverCaCert.sha1Fingerprint | entity.network.tls.server.certificate.sha1 | |
| resource.data.serviceAccountEmailAddress | entity.user.email_addresses | |
| resource.data.settings.activationPolicy | entity.resource.attribute.labels[settings_activation_policy] | |
| resource.data.settings.activeDirectoryConfig.domain | entity.resource.attribute.labels[settings_active_directory_config_domain] | |
| resource.data.settings.activeDirectoryConfig.kind | entity.resource.attribute.labels[settings_active_directory_config_kind] | |
| resource.data.settings.authorizedGaeApplications | entity.resource.attribute.labels[settings_authorized_gae_applications] | |
| resource.data.settings.availabilityType | entity.resource.attribute.labels[settings_availability_type] | |
| resource.data.settings.backupConfiguration.backupRetentionSettings.retainedBackups | entity.resource.attribute.labels[settings_backup_conf_backup_retention_settings_retained_backups] | |
| resource.data.settings.backupConfiguration.backupRetentionSettings.retentionUnit | entity.resource.attribute.labels[settings_backup_conf_backup_retention_settings_retention_unit] | |
| resource.data.settings.backupConfiguration.binaryLogEnabled | entity.resource.attribute.labels[settings_backup_conf_binary_log_enabled] | |
| resource.data.settings.backupConfiguration.enabled | entity.resource.attribute.labels[settings_backup_conf_enabled] | |
| resource.data.settings.backupConfiguration.kind | entity.resource.attribute.labels[settings_backup_conf_kind] | |
| resource.data.settings.backupConfiguration.location | entity.resource.attribute.labels[settings_backup_conf_location] | |
| resource.data.settings.backupConfiguration.pointInTimeRecoveryEnabled | entity.resource.attribute.labels[settings_backup_conf_point_in_time_recovery_enabled] | |
| resource.data.settings.backupConfiguration.replicationLogArchivingEnabled | entity.resource.attribute.labels[settings_backup_conf_replication_log_archiving_enabled] | |
| resource.data.settings.backupConfiguration.startTime | entity.resource.attribute.labels[settings_backup_conf_start_time] | |
| resource.data.settings.backupConfiguration.transactionLogRetentionDays | entity.resource.attribute.labels[settings_backup_conf_transaction_log_retention_days] | |
| resource.data.settings.collation | entity.resource.attribute.labels[settings_collation] | |
| resource.data.settings.connectorEnforcement | entity.resource.attribute.labels[settings_connector_enforcement] | |
| resource.data.settings.crashSafeReplicationEnabled | entity.resource.attribute.labels[settings_crash_safe_replication_enabled] | |
| resource.data.settings.databaseFlags.name | entity.resource.attribute.labels[settings_database_flags_name] | |
| resource.data.settings.databaseFlags.value | entity.resource.attribute.labels[settings_database_flags_value] | |
| resource.data.settings.databaseReplicationEnabled | entity.resource.attribute.labels[settings_database_replication_enabled] | |
| resource.data.settings.dataDiskSizeGb | entity.resource.attribute.labels[settings_data_disk_size_gb] | |
| resource.data.settings.dataDiskType | entity.resource.attribute.labels[settings_data_disk_type] | |
| resource.data.settings.deletionProtectionEnabled | entity.resource.attribute.labels[settings_deletion_protection_enabled] | |
| resource.data.settings.denyMaintenancePeriods.endDate | entity.resource.attribute.labels[settings_deny_maintenance_periods_end_date] | |
| resource.data.settings.denyMaintenancePeriods.startDate | entity.resource.attribute.labels[settings_deny_maintenance_periods_start_date] | |
| resource.data.settings.denyMaintenancePeriods.time | entity.resource.attribute.labels[settings_deny_maintenance_periods_time] | |
| resource.data.settings.insightsConfig.queryInsightsEnabled | entity.resource.attribute.labels[settings_insights_config_query_insights_enabled] | |
| resource.data.settings.insightsConfig.queryPlansPerMinute | entity.resource.attribute.labels[settings_insights_config_query_plans_per_minute] | |
| resource.data.settings.insightsConfig.queryStringLength | entity.resource.attribute.labels[settings_insights_config_query_string_length] | |
| resource.data.settings.insightsConfig.recordApplicationTags | entity.resource.attribute.labels[settings_insights_config_record_application_tags] | |
| resource.data.settings.insightsConfig.recordClientAddress | entity.resource.attribute.labels[settings_insights_config_record_client_address] | |
| resource.data.settings.ipConfiguration.allocatedIpRange | entity.resource.attribute.labels[settings_ip_configuration_allocated_ip_range] | |
| resource.data.settings.ipConfiguration.authorizedNetworks.expirationTime | entity.resource.attribute.labels[settings_ip_configuration_authorized_networks_expiration_time] | |
| resource.data.settings.ipConfiguration.authorizedNetworks.kind | entity.resource.attribute.labels[settings_ip_configuration_authorized_networks_kind] | |
| resource.data.settings.ipConfiguration.authorizedNetworks.name | entity.resource.attribute.labels[settings_ip_configuration_authorized_networks_name] | |
| resource.data.settings.ipConfiguration.authorizedNetworks.value | entity.resource.attribute.labels[settings_ip_configuration_authorized_networks_value] | |
| resource.data.settings.ipConfiguration.ipv4Enabled | entity.resource.attribute.labels[settings_ip_configuration_ipv4_enabled] | |
| resource.data.settings.ipConfiguration.privateNetwork | entity.resource.attribute.labels[settings_ip_configuration_private_network] | |
| resource.data.settings.ipConfiguration.requireSsl | entity.resource.attribute.labels[settings_ip_configuration_require_ssl] | |
| resource.data.settings.kind | entity.resource.attribute.labels[settings_kind] | |
| resource.data.settings.locationPreference.followGaeApplication | entity.resource.attribute.labels[settings_location_preference_follow_gae_application] | |
| resource.data.settings.locationPreference.kind | entity.resource.attribute.labels[settings_location_preference_kind] | |
| resource.data.settings.locationPreference.secondaryZone | entity.resource.attribute.labels[settings_location_preference_secondary_zone] | |
| resource.data.settings.locationPreference.zone | entity.resource.attribute.labels[settings_location_preference_zone] | |
| resource.data.settings.maintenanceWindow.day | entity.resource.attribute.labels[settings_maintenance_window_day] | |
| resource.data.settings.maintenanceWindow.hour | entity.resource.attribute.labels[settings_maintenance_window_hour] | |
| resource.data.settings.maintenanceWindow.kind | entity.resource.attribute.labels[settings_maintenance_window_kind] | |
| resource.data.settings.maintenanceWindow.updateTrack | entity.resource.attribute.labels[settings_maintenance_window_update_track] | |
| resource.data.settings.passwordValidationPolicy.complexity | entity.resource.attribute.labels[settings_password_validation_policy_complexity] | |
| resource.data.settings.passwordValidationPolicy.disallowUsernameSubstring | entity.resource.attribute.labels[settings_password_validation_policy_disallow_username_substring] | |
| resource.data.settings.passwordValidationPolicy.enablePasswordPolicy | entity.resource.attribute.labels[settings_password_validation_policy_enable_password_policy] | |
| resource.data.settings.passwordValidationPolicy.minLength | entity.resource.attribute.labels[settings_password_validation_policy_min_length] | |
| resource.data.settings.passwordValidationPolicy.passwordChangeInterval | entity.resource.attribute.labels[settings_password_validation_policy_password_change_interval] | |
| resource.data.settings.passwordValidationPolicy.reuseInterval | entity.resource.attribute.labels[settings_password_validation_policy_reuse_interval] | |
| resource.data.settings.pricingPlan | entity.resource.attribute.labels[settings_pricing_plan] | |
| resource.data.settings.replicationType | entity.resource.attribute.labels[settings_replication_type] | |
| resource.data.settings.settingsVersion | entity.resource.attribute.labels[settings_version] | |
| resource.data.settings.sqlServerAuditConfig.bucket | entity.resource.attribute.labels[settings_sql_server_audit_config_bucket] | |
| resource.data.settings.sqlServerAuditConfig.kind | entity.resource.attribute.labels[settings_sql_server_audit_config_kind] | |
| resource.data.settings.sqlServerAuditConfig.retentionInterval | entity.resource.attribute.labels[settings_sql_server_audit_config_retention_interval] | |
| resource.data.settings.sqlServerAuditConfig.uploadInterval | entity.resource.attribute.labels[settings_sql_server_audit_config_upload_interval] | |
| resource.data.settings.storageAutoResize | entity.resource.attribute.labels[storage_auto_resize] | |
| resource.data.settings.storageAutoResizeLimit | entity.resource.attribute.labels[storage_auto_resize_limit] | |
| resource.data.settings.tier | entity.resource.attribute.labels[tier] | |
| resource.data.settings.timeZone | entity.resource.attribute.labels[time_zone] | |
| resource.data.settings.userLabels | entity.resource.attribute.labels[user_labels] | |
| resource.data.startTime | entity.resource.attribute.labels[start_time] | |
| resource.data.state | entity.resource.attribute.labels[state] | |
| resource.data.status | entity.resource.attribute.labels[status] | |
| resource.data.suspensionReason | entity.resource.attribute.labels[suspension_reason] | |
| resource.data.timeZone | entity.resource.attribute.labels[time_zone] | |
| resource.data.type | entity.resource.attribute.labels[type] | |
| resource.data.windowStartTime | entity.resource.attribute.labels[window_start_time] | |
| resource.discoveryDocumentUri | entity.resource.attribute.labels[discovery_document] | |
| resource.discoveryName | entity.resource.attribute.labels[discovery_name] | |
| resource.parent, ancestors[] | relations.entity.resource.name | If the resource.parent log field value is empty, then the ancestors.0 log field is mapped to the relations.entity.resource.name UDM field. |
| resource.version | metadata.product_version | |
| | entity.resource.resource_type | The entity.resource.resource_type UDM field is set to DATABASE. |
| | metadata.entity_type | If the assetType log field value matches the regular expression pattern (BackupRun or instances), then the metadata.entity_type UDM field is set to RESOURCE. |
| | metadata.product_name | The metadata.product_name UDM field is set to GCP SQL. |
| | metadata.vendor_name | The metadata.vendor_name UDM field is set to Google Cloud Platform. |
| | relations.entity_type | If the resource.data.onPremisesConfiguration.sourceInstance.name log field value is not empty, then the relations.entity_type UDM field is set to RESOURCE. |
| | relations.relationship | If the resource.data.onPremisesConfiguration.sourceInstance.name, resource.data.onPremisesConfiguration.sourceInstance.region, or resource.data.onPremisesConfiguration.sourceInstance.project value is not empty, then the relations.entity.relationship UDM field is set to MEMBER. If the ancestor log field value matches the regular expression pattern organizations or the ancestor log field value matches the regular expression pattern folders, then the relations.relationship UDM field is set to MEMBER. |
| | relations.entity.resource_ancestors.resource_subtype | If the ancestors log field value matches the regular expression pattern organizations, then the relations.entity.resource_ancestors.resource_subtype UDM field is set to organizations. Else, if the ancestors log field value matches the regular expression pattern folders, then the relations.entity.resource_ancestors.resource_subtype UDM field is set to folders. |
| | relations.entity.resource_ancestors.resource_type | The relations.entity.resource_ancestors.resource_type UDM field is set to CLOUD_ORGANIZATION. |
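The following is an added reference implementation of a subset of the mapping rows above, not the Google SecOps parser's own code. It applies the direct field mappings, the constant rows, the assetType regular-expression check, and the resource.parent / ancestors logic to the BackupRun record shown earlier on this page, and also handles the case the table calls out where resource.parent is empty. Assumptions: labels[...] destinations are represented as a plain dictionary rather than UDM's repeated key/value list, relations is a list with one entry per ancestor, and the DIRECT_MAPPINGS dictionary covers only the rows the sample record populates.

```python
import json
import re

# Constructed input: the BackupRun record shown on this page, trimmed to the
# fields consumed by the mapping rows reproduced below.
SAMPLE_LOG = {
    "name": "//cloudsql.googleapis.com/projects/cloudsql-experiment-target/instances/target-exfil-mysql/backupRuns/1684933200000",
    "assetType": "dummy.googleapis.com/BackupRun",
    "resource": {
        "version": "v1beta4",
        "discoveryName": "BackupRun",
        "parent": "//cloudsql.googleapis.com/projects/cloudsql-experiment-target/instances/target-exfil-mysql",
        "data": {
            "backupKind": "SNAPSHOT",
            "enqueuedTime": "2023-05-24T13:13:32.856Z",
            "id": "1684933200000",
            "instance": "target-exfil-mysql",
            "location": "us",
            "selfLink": "https://sqladmin.googleapis.com/sql/v1beta4/projects/cloudsql-experiment-target/instances/target-exfil-mysql/backupRuns/1684933200000",
            "status": "SUCCESSFUL",
            "type": "AUTOMATED",
        },
    },
    "ancestors": ["projects/687904117202", "organizations/299419016487"],
}

# Subset of the one-to-one rows from the table: log field -> UDM field.
# A trailing "[key]" means the value is stored in a labels map under that key
# (a dict here; real UDM uses a repeated key/value list).
DIRECT_MAPPINGS = {
    "assetType": "entity.resource.resource_subtype",
    "name": "entity.resource.name",
    "resource.version": "metadata.product_version",
    "resource.discoveryName": "entity.resource.attribute.labels[discovery_name]",
    "resource.data.backupKind": "entity.resource.attribute.labels[backup_kind]",
    "resource.data.enqueuedTime": "metadata.creation_timestamp",
    "resource.data.id": "metadata.product_entity_id",
    "resource.data.instance": "entity.resource.attribute.labels[instance]",
    "resource.data.location": "entity.location.name",
    "resource.data.selfLink": "entity.url",
    "resource.data.status": "entity.resource.attribute.labels[status]",
    "resource.data.type": "entity.resource.attribute.labels[type]",
}


def get_path(obj, dotted):
    """Walk a dotted log path; return None if any hop is missing."""
    cur = obj
    for part in dotted.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def set_path(udm, dotted, value):
    """Create nested dicts along a dotted UDM path; 'x[key]' stores into the map at x."""
    key = None
    match = re.fullmatch(r"(.+)\[([^\]]+)\]", dotted)
    if match:
        dotted, key = match.group(1), match.group(2)
    parts = dotted.split(".")
    cur = udm
    for part in parts[:-1]:
        cur = cur.setdefault(part, {})
    if key is None:
        cur[parts[-1]] = value
    else:
        cur.setdefault(parts[-1], {})[key] = value


def normalize(log):
    """Map one Cloud SQL context record to a UDM-shaped dict per the table rows."""
    udm = {}
    for src, dst in DIRECT_MAPPINGS.items():
        value = get_path(log, src)
        if value not in (None, ""):
            set_path(udm, dst, value)
    # Constant rows.
    set_path(udm, "entity.resource.resource_type", "DATABASE")
    set_path(udm, "metadata.product_name", "GCP SQL")
    set_path(udm, "metadata.vendor_name", "Google Cloud Platform")
    # metadata.entity_type row: regular-expression check on assetType.
    if re.search(r"BackupRun|instances", log.get("assetType", "")):
        set_path(udm, "metadata.entity_type", "RESOURCE")
    # resource.parent / ancestors rows.
    parent = get_path(log, "resource.parent") or ""
    ancestors = log.get("ancestors") or []
    relations = []
    if not parent and ancestors:  # empty parent: ancestors.0 becomes the related resource
        relations.append({"entity": {"resource": {"name": ancestors[0]}}})
    for ancestor in ancestors:
        if ancestor == parent:  # ancestors matching resource.parent are skipped
            continue
        rel = {"entity": {"resource_ancestors": {"name": ancestor, "resource_type": "CLOUD_ORGANIZATION"}}}
        for subtype in ("organizations", "folders"):
            if re.search(subtype, ancestor):
                rel["entity"]["resource_ancestors"]["resource_subtype"] = subtype
                rel["relationship"] = "MEMBER"
                break
        relations.append(rel)
    if relations:
        udm["relations"] = relations
    return udm


if __name__ == "__main__":
    print(json.dumps(normalize(SAMPLE_LOG), indent=2))
```

Running the block prints the normalized record; the relations list shows the projects ancestor carried through without a subtype or relationship, while the organizations ancestor gets resource_subtype organizations and relationship MEMBER, exactly as the conditional rows describe.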