Collect Google Chrome logs

Supported in:

Google secops SIEM

This document describes how you can collect Chrome Browser and ChromeOS security events logs by setting up a Chrome Enterprise reporting connector and how log fields map to Chrome Unified Data Model (UDM) fields.

For more information, see Data ingestion to Google SecOps .

Overview

A typical deployment consists of Chrome Browser and ChromeOS security events configured to send logs to Google SecOps. Each customer deployment might differ and might be more complex. The deployment consists of the following components:

Chrome: The Chrome Browser and ChromeOS security events that you want to collect.
Chrome Enterprise reporting connector: The Chrome Enterprise reporting connector forwards Chrome logs to Google SecOps.
Google SecOps: Retains and analyzes Chrome logs.

An ingestion label identifies the parser which normalizes raw log data to structured UDM format. The information in this document applies to the parser with the CHROME_MANAGEMENT ingestion label.

Before you begin

Ensure that you have a Google Workspace Administrator account.
Ensure that all systems in the deployment architecture are configured in the UTC time zone.
Ensure that you have a Chronicle Ingestion API key. If you don't have one, then contact Google SecOps Support or your Google SecOps customer point of contact to request your Chronicle Ingestion API key.
For more information, refer to the Chrome log events .

Set up Chrome Browser Cloud Management

The following are the high-level steps to setup Chrome browser Cloud Management:

Perform the following steps to setup Chrome browser Cloud Management.

In the Admin console, Click Menu> Devices> Chrome> Managed browsers.
Optional: Select the top-level organization or select the organizational unit where you want to generate a token that enrolls browsers directly to that specific organizational unit. For more information, see Add an organization unit .
Click Enroll. If this is your first browser enrollment, you are prompted to accept the Chrome Browser Cloud Management (CBCM) Terms of Service.
Click Copy enrollment token to clipboard.
To enroll cloud-managed Chrome browsers, click Done.
In the Admin console, go to Menu> Devices> Chrome> Settings> Users & browsers. Select your top-level organizational unit, so that all child organizations inherit the policy. Scroll down to Browser reporting.
Set Managed browser reportingto Enable managed browser cloud reporting.
To turn on Chrome browser reporting, click Save.
In the Admin console, go to Menu> Devices> Chrome> Connectors.
Optional: If you are configuring Chrome Enterprise connectors settings for the first time, follow the prompts to turn on Chrome Enterprise Connectors.
At the top, click + New provider configuration.
In the panel that appears on the right, find the Google SecOps setup and click Set up.
Enter the Configuration ID, API key, and Host Name:
- Configuration ID: The ID that is shown on the User & browsers settingspage and the Connectorspage.
- API key: The API key to specify when calling the Chronicle ingestion API to identify the customer.
- Host Name: The ingestion API endpoint. For US customers this will always be malachiteingestion-pa.googleapis.com; for other regions see regional endpoints documentation .
Click ADD CONFIGURATIONto add the new provider configuration.

Supported log types and data models

The following are the supported log types and events for Chrome Management. All the supported log types and events are in JSON format.

Log type	Event type
Malicious Activity	`badNavigationEvent` `dangerousDownloadEvent` `Malware transfer` `Extension install` `Password changed` `Password reuse` `Unsafe site visit` `Login events` `Password breach` `urlFilteringInterstitialEvent` `browserCrashEvent`
Audit Activity	`CHROME_OS_ADD_USER` `CHROME_OS_REMOVE_USER` `DEVICE_BOOT_STATE_CHANGE` `CHROME_OS_LOGIN_FAILURE_EVENT` `CHROME_OS_LOGIN_LOGOUT_EVENT` `CHROME_OS_LOGIN_EVENT` `CHROME_OS_LOGOUT_EVENT` `CHROME_OS_REPORTING_DATA_LOST` `PASSWORD_CHANGED` `PASSWORD_REUSE` `DLP_EVENT` `CONTENT_TRANSFER` `CONTENT_UNSCANNED` `EXTENSION_REQUEST` `LOGIN_EVENT` `MALWARE_TRANSFER` `PASSWORD_BREACH` `SENSITIVE_DATA_TRANSFER` `UNSAFE_SITE_VISIT` `extensionTelemetryEvent`
Data Protection	`Content transfer` `Content unscanned` `Sensitive data transfer`
Chrome OS	`ChromeOS login failure` `ChromeOS login success` `ChromeOS logout` `ChromeOS user added` `ChromeOS user removed` `ChromeOS lock success` `ChromeOS unlock success` `ChromeOS unlock failure` `ChromeOS device boot state change` `ChromeOS USB device added` `ChromeOS USB device removed` `ChromeOS USB status change` `ChromeOS CRD host started` `ChromeOS CRD client connected` `ChromeOS CRD client disconnected` `ChromeOS CRD host stopped`

Supported Google Chrome log formats

The Google Chrome parser supports logs in JSON format.

Supported Google Chrome sample logs

JSON:

 {
  "event": "badNavigationEvent",
  "time": "1622093983.104",
  "reason": "SOCIAL_ENGINEERING",
  "result": "EVENT_RESULT_WARNED",
  "device_name": "",
  "device_user": "",
  "profile_user": "sample@domain.io",
  "url": "https://test.domain.com/s/phishing.html",
  "device_id": "e9806c71-0f4e-4dfa-8c52-93c05420bb8f",
  "os_platform": "",
  "os_version": "",
  "browser_version": "109.0.5414.120",
  "user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36",
  "client_type": "CHROME_BROWSER_PROFILE"
}

Field mapping reference

This section explains how the Google SecOps parser maps Chrome log fields to Google SecOps Unified Data Model (UDM) fields for the data sets.

Field mapping reference: Event Identifier to Event Type

The following table lists the CHROME_MANAGEMENT log types and their corresponding UDM event types.

Event Identifier

Event Type

Security Category

badNavigationEvent - SOCIAL_ENGINEERING

USER_RESOURCE_ACCESS

SOCIAL_ENGINEERING

badNavigationEvent - SSL_ERROR

USER_RESOURCE_ACCESS

NETWORK_SUSPICIOUS

badNavigationEvent - MALWARE

USER_RESOURCE_ACCESS

SOFTWARE_MALICIOUS

badNavigationEvent - UNWANTED_SOFTWARE

USER_RESOURCE_ACCESS

SOFTWARE_PUA

badNavigationEvent - THREAT_TYPE_UNSPECIFIED

USER_RESOURCE_ACCESS

SOFTWARE_MALICIOUS

browserCrashEvent

STATUS_UPDATE

browserExtensionInstallEvent

USER_RESOURCE_UPDATE_CONTENT

Extension install - BROWSER_EXTENSION_INSTALL

USER_RESOURCE_UPDATE_CONTENT

EXTENSION_REQUEST

USER_UNCATEGORIZED

CHROME_OS_ADD_USER - CHROMEOS_AFFILIATED_USER_ADDED

USER_CREATION

CHROME_OS_ADD_USER - CHROMEOS_UNAFFILIATED_USER_ADDED

USER_CREATION

ChromeOS user added - CHROMEOS_UNAFFILIATED_USER_ADDED

USER_CREATION

ChromeOS user removed - CHROMEOS_UNAFFILIATED_USER_REMOVED

USER_DELETION

CHROME_OS_REMOVE_USER - CHROMEOS_AFFILIATED_USER_REMOVED

USER_DELETION

CHROME_OS_REMOVE_USER - CHROMEOS_UNAFFILIATED_USER_REMOVED

USER_DELETION

Login events

USER_LOGIN

LOGIN_EVENT - CHROMEOS_UNAFFILIATED_LOGIN

USER_LOGIN

loginEvent

USER_LOGIN

ChromeOS login success

USER_LOGIN

CHROME_OS_LOGIN_EVENT - CHROMEOS_AFFILIATED_LOGIN

USER_LOGIN

CHROME_OS_LOGIN_EVENT - CHROMEOS_UNAFFILIATED_LOGIN

USER_LOGIN

CHROME_OS_LOGIN_EVENT - CHROMEOS_GUEST_LOGIN

USER_LOGIN

CHROME_OS_LOGIN_EVENT - CHROMEOS_KIOSK_SESSION_LOGIN

USER_LOGIN

CHROME_OS_LOGIN_EVENT - CHROMEOS_GUEST_SESSION_LOGIN

USER_LOGIN

CHROME_OS_LOGIN_EVENT - CHROMEOS_MANAGED_GUEST_SESSION_LOGIN

USER_LOGIN

ChromeOS login failure - CHROMEOS_AFFILIATED_LOGIN

USER_LOGIN

CHROME_OS_LOGIN_FAILURE_EVENT - CHROMEOS_AFFILIATED_LOGIN

USER_LOGIN

CHROME_OS_LOGIN_FAILURE_EVENT - CHROMEOS_UNAFFILIATED_LOGIN

USER_LOGIN

CHROME_OS_LOGIN_LOGOUT_EVENT - CHROMEOS_AFFILIATED_LOGIN

USER_LOGIN

CHROME_OS_LOGOUT_EVENT - CHROMEOS_AFFILIATED_LOGOUT

USER_LOGOUT

CHROME_OS_LOGOUT_EVENT - CHROMEOS_GUEST_LOGOUT

USER_LOGOUT

CHROME_OS_LOGOUT_EVENT - CHROMEOS_MANAGED_GUEST_SESSION_LOGOUT

USER_LOGOUT

CHROME_OS_LOGOUT_EVENT - CHROMEOS_UNAFFILIATED_LOGOUT

USER_LOGOUT

CHROME_OS_LOGOUT_EVENT - CHROMEOS_KIOSK_SESSION_LOGOUT

USER_LOGOUT

CHROME_OS_LOGOUT_EVENT - CHROMEOS_GUEST_SESSION_LOGOUT

USER_LOGOUT

ChromeOS logout - CHROMEOS_AFFILIATED_LOGOUT

USER_LOGOUT

CHROME_OS_REPORTING_DATA_LOST

STATUS_UPDATE

ChromeOS CRD client connected - CHROMEOS_CRD_CLIENT_CONNECTED

USER_LOGIN

ChromeOS CRD client disconnected

USER_LOGOUT

CHROME_OS_CRD_HOST_STARTED - CHROMEOS_CRD_HOST_STARTED

STATUS_STARTUP

ChromeOS CRD host started - CHROMEOS_CRD_HOST_STARTED

STATUS_STARTUP

ChromeOS CRD host stopped - CHROMEOS_CRD_HOST_ENDED

STATUS_STARTUP

ChromeOS device boot state change - CHROME_OS_VERIFIED_MODE

SETTING_MODIFICATION

ChromeOS device boot state change - CHROME_OS_DEV_MODE

SETTING_MODIFICATION

DEVICE_BOOT_STATE_CHANGE - CHROME_OS_VERIFIED_MODE

SETTING_MODIFICATION

ChromeOS lock success - CHROMEOS_AFFILIATED_LOCK_SUCCESS

USER_LOGOUT

ChromeOS unlock success - CHROMEOS_AFFILIATED_UNLOCK_SUCCESS

USER_LOGIN

ChromeOS unlock failure - CHROMEOS_AFFILIATED_LOGIN

USER_LOGIN

ChromeOS USB device added - CHROMEOS_PERIPHERAL_ADDED

USER_RESOURCE_ACCESS

ChromeOS USB device removed - CHROMEOS_PERIPHERAL_REMOVED

USER_RESOURCE_DELETION

ChromeOS USB status change - CHROMEOS_PERIPHERAL_STATUS_UPDATED

USER_RESOURCE_UPDATE_CONTENT

CHROMEOS_PERIPHERAL_STATUS_UPDATED - CHROMEOS_PERIPHERAL_STATUS_UPDATED

USER_RESOURCE_UPDATE_CONTENT

Client Side Detection

USER_UNCATEGORIZED

Content transfer

SCAN_FILE

CONTENT_TRANSFER

SCAN_FILE

contentTransferEvent

SCAN_FILE

Content unscanned

SCAN_UNCATEGORIZED

CONTENT_UNSCANNED

SCAN_UNCATEGORIZED

dataAccessControlEvent

USER_RESOURCE_ACCESS

dangerousDownloadEvent - Dangerous

SCAN_FILE

SOFTWARE_PUA

dangerousDownloadEvent - DANGEROUS_HOST

SCAN_HOST

dangerousDownloadEvent - UNCOMMON

SCAN_UNCATEGORIZED

dangerousDownloadEvent - POTENTIALLY_UNWANTED

SCAN_UNCATEGORIZED

SOFTWARE_PUA

dangerousDownloadEvent - UNKNOWN

SCAN_UNCATEGORIZED

dangerousDownloadEvent - DANGEROUS_URL

SCAN_UNCATEGORIZED

dangerousDownloadEvent - UNWANTED_SOFTWARE

SCAN_FILE

SOFTWARE_PUA

dangerousDownloadEvent - DANGEROUS_FILE_TYPE

SCAN_FILE

SOFTWARE_MALICIOUS

Desktop DLP Warnings

USER_UNCATEGORIZED

DLP_EVENT

USER_UNCATEGORIZED

interstitialEvent - Malware

NETWORK_HTTP

NETWORK_SUSPICIOUS

IOS/OSX Warnings

SCAN_UNCATEGORIZED

Malware transfer - MALWARE_TRANSFER_DANGEROUS

SCAN_FILE

SOFTWARE_MALICIOUS

MALWARE_TRANSFER - MALWARE_TRANSFER_UNCOMMON

SCAN_FILE

SOFTWARE_MALICIOUS

MALWARE_TRANSFER - MALWARE_TRANSFER_DANGEROUS

SCAN_FILE

SOFTWARE_MALICIOUS

MALWARE_TRANSFER - MALWARE_TRANSFER_UNWANTED_SOFTWARE

SCAN_FILE

SOFTWARE_MALICIOUS

MALWARE_TRANSFER - MALWARE_TRANSFER_UNKNOWN

SCAN_FILE

SOFTWARE_MALICIOUS

MALWARE_TRANSFER - MALWARE_TRANSFER_DANGEROUS_HOST

SCAN_FILE

SOFTWARE_MALICIOUS

malwareTransferEvent - DANGEROUS

SCAN_FILE

SOFTWARE_MALICIOUS

malwareTransferEvent - UNSPECIFIED

SCAN_FILE

SOFTWARE_MALICIOUS

Password breach

USER_RESOURCE_ACCESS

PASSWORD_BREACH

USER_RESOURCE_ACCESS

passwordBreachEvent - PASSWORD_ENTRY

USER_RESOURCE_ACCESS

Password changed

USER_CHANGE_PASSWORD

PASSWORD_CHANGED

USER_CHANGE_PASSWORD

passwordChangedEvent

USER_CHANGE_PASSWORD

Password reuse - PASSWORD_REUSED_UNAUTHORIZED_SITE

USER_RESOURCE_ACCESS

POLICY_VIOLATION, AUTH_VIOLATION

Password reuse - PASSWORD_REUSED_PHISHING_URL

USER_UNCATEGORIZED

PHISHING

PASSWORD_REUSE - PASSWORD_REUSED_UNAUTHORIZED_SITE

USER_RESOURCE_ACCESS

POLICY_VIOLATION, AUTH_VIOLATION

passwordReuseEvent - Unauthorized site

USER_RESOURCE_ACCESS

POLICY_VIOLATION, AUTH_VIOLATION

passwordReuseEvent - PASSWORD_REUSED_PHISHING_URL

USER_UNCATEGORIZED

PHISHING

passwordReuseEvent - PASSWORD_REUSED_UNAUTHORIZED_SITE

USER_RESOURCE_ACCESS

POLICY_VIOLATION, AUTH_VIOLATION

Permissions Blacklisting

RESOURCE_PERMISSIONS_CHANGE

Sensitive data transfer

SCAN_FILE

DATA_EXFILTRATION

SENSITIVE_DATA_TRANSFER

SCAN_FILE

DATA_EXFILTRATION

sensitiveDataEvent - [test_user_5] warn

SCAN_FILE

DATA_EXFILTRATION

sensitiveDataTransferEvent

SCAN_FILE

DATA_EXFILTRATION

Unsafe site visit - UNSAFE_SITE_VISIT_SSL_ERROR

USER_RESOURCE_ACCESS

NETWORK_SUSPICIOUS

UNSAFE_SITE_VISIT - UNSAFE_SITE_VISIT_MALWARE

USER_RESOURCE_ACCESS

SOFTWARE_MALICIOUS

UNSAFE_SITE_VISIT - UNSAFE_SITE_VISIT_UNWANTED_SOFTWARE

USER_RESOURCE_ACCESS

SOFTWARE_SUSPICIOUS

UNSAFE_SITE_VISIT - EVENT_REASON_UNSPECIFIED

USER_RESOURCE_ACCESS

UNSAFE_SITE_VISIT - UNSAFE_SITE_VISIT_SOCIAL_ENGINEERING

USER_RESOURCE_ACCESS

SOCIAL_ENGINEERING

UNSAFE_SITE_VISIT - UNSAFE_SITE_VISIT_SSL_ERROR

USER_RESOURCE_ACCESS

NETWORK_SUSPICIOUS

unscannedFileEvent - FILE_PASSWORD_PROTECTED

SCAN_FILE

unscannedFileEvent - FILE_TOO_LARGE

SCAN_FILE

urlFilteringInterstitialEvent

USER_RESOURCE_ACCESS

POLICY_VIOLATION

extensionTelemetryEvent

If the telemetry_event_signals.signal_name log field value is equal to the COOKIES_GET_ALL_INFO, COOKIES_GET_INFO, TABS_API_INFO , then the event_type set to USER_RESOURCE_ACCESS .

Else, if the telemetry_event_signals.signal_name log field value is equal to REMOTE_HOST_CONTACTED_INFO , then if the telemetry_event_signals.connection_protocol log field value is equal to HTTP_HTTPS , then the event_type is set to NETWORK_HTTP .

Else, the event_type UDM field is set to NETWORK_UNCATEGORIZED .

If the telemetry_event_signals.signal_name log field value is equal to REMOTE_HOST_CONTACTED_INFO , then the security category is set to NETWORK_SUSPICIOUS .

Else, if the telemetry_event_signals.signal_name log field value contain one of the following values, then the security category UDM field is set to SOFTWARE_SUSPICIOUS .

COOKIES_GET_INFO
COOKIES_GET_ALL_INFO

Field mapping reference: CHROME_MANAGEMENT

The following table lists the log fields of the CHROME_MANAGEMENT log type and their corresponding UDM fields.

Log field

UDM mapping

Logic

id.customerId

about.resource.product_object_id

event_detail

metadata.description

time

metadata.event_timestamp

events.parameters.name [TIMESTAMP]

metadata.event_timestamp

event

metadata.product_event_type

events.name

metadata.product_event_type

id.uniqueQualifier

metadata.product_log_id

metadata.product_name

The metadata.product_name UDM field is set to Chrome Management .

id.applicationName

metadata.vendor_name

The metadata.vendor_name UDM field is set to GOOGLE .

user_agent

network.http.user_agent

userAgent

network.http.user_agent

events.parameters.name [USER_AGENT]

network.http.user_agent

events.parameters.name [SESSION_ID]

network.session_id

client_type

principal.application

clientType

principal.application

events.parameters.name [CLIENT_TYPE]

principal.application

device_id

principal.asset.product_object_id

deviceId

principal.asset.product_object_id

events.parameters.name [DEVICE_ID]

principal.asset.product_object_id

device_name

principal.hostname

deviceName

principal.hostname

events.parameters.name [DEVICE_NAME]

principal.hostname

os_plarform

principal.platform

The principal.platform UDM field is set to one of the following values:

LINUX if the os_plarform log field value is matched with regular expression pattern linux .
MAC if the os_plarform log field value is matched with regular expression pattern mac .
WINDOWS if the os_plarform log field value is matched with regular expression pattern windows .
CHROME_OS if the os_plarform log field value is matched with regular expression pattern chromeos .

Else, if the os_plarform log field value is not empty and osVersion log field value is not empty, then the os_plarform osVersion log field is mapped to the principal.platform_version UDM field.

os_plarform

principal.asset.platform_software.platform

The principal.asset.platform_software.platform UDM field is set to one of the following values:

LINUX if the os_plarform log field value is matched with regular expression pattern linux .
MAC if the os_plarform log field value is matched with regular expression pattern mac .
WINDOWS if the os_plarform log field value is matched with regular expression pattern windows .
CHROME_OS if the os_plarform log field value is matched with regular expression pattern chromeos .

os_platform

principal.platform

The principal.platform UDM field is set to one of the following values:

LINUX if the os_platform log field value is matched with regular expression pattern linux .
MAC if the os_platform log field value is matched with regular expression pattern mac .
WINDOWS if the os_platform log field value is matched with regular expression pattern windows .
CHROME_OS if the os_platform log field value is matched with regular expression pattern chromeos .

Else, if the os_platform log field value is not empty and osVersion log field value is not empty, then the os_platform osVersion log field is mapped to the principal.platform_version UDM field.

os_platform

principal.asset.platform_software.platform

The principal.asset.platform_software.platform UDM field is set to one of the following values:

LINUX if the os_platform log field value is matched with regular expression pattern linux .
MAC if the os_platform log field value is matched with regular expression pattern mac .
WINDOWS if the os_platform log field value is matched with regular expression pattern windows .
CHROME_OS if the os_platform log field value is matched with regular expression pattern chromeos .

osPlatform

principal.platform

The principal.platform UDM field is set to one of the following values:

LINUX if the osPlatform log field value is matched with regular expression pattern linux .
MAC if the osPlatform log field value is matched with regular expression pattern mac .
WINDOWS if the osPlatform log field value is matched with regular expression pattern windows .
CHROME_OS if the osPlatform log field value is matched with regular expression pattern chromeos .

Else, if the osPlatform log field value is not empty and osVersion log field value is not empty, then the osPlatform osVersion log field is mapped to the principal.platform_version UDM field.

osPlatform

principal.asset.platform_software.platform

The principal.asset.platform_software.platform UDM field is set to one of the following values:

LINUX if the osPlatform log field value is matched with regular expression pattern linux .
MAC if the osPlatform log field value is matched with regular expression pattern mac .
WINDOWS if the osPlatform log field value is matched with regular expression pattern windows .
CHROME_OS if the osPlatform log field value is matched with regular expression pattern chromeos .

events.parameters.name [DEVICE_PLATFORM]

principal.platform

The os_platform and os_version is extracted from the events.parameters.name [DEVICE_PLATFORM] log field using Grok pattern.
The principal.platform UDM field is set to one of the following values:

LINUX if the os_platform log field value is matched with regular expression pattern linux .
MAC if the os_platform log field value is matched with regular expression pattern mac .
WINDOWS if the os_platform log field value is matched with regular expression pattern windows .
CHROME_OS if the os_platform log field value is matched with regular expression pattern chromeos .

events.parameters.name [DEVICE_PLATFORM]

principal.asset.platform_software.platform

The os_platform is extracted from the events.parameters.name [DEVICE_PLATFORM] log field using Grok pattern.
The principal.asset.platform_software.platform UDM field is set to one of the following values:

LINUX if the os_platform log field value is matched with regular expression pattern linux .
MAC if the os_platform log field value is matched with regular expression pattern mac .
WINDOWS if the os_platform log field value is matched with regular expression pattern windows .
CHROME_OS if the os_platform log field value is matched with regular expression pattern chromeos .

os_version

principal.platform_version

osVersion

principal.platform_version

events.parameters.name [DEVICE_PLATFORM]

principal.platform_version

The Version is extracted from the events.parameters.name [DEVICE_PLATFORM] log field using Grok pattern.

device_id

principal.resource.id

deviceId

principal.resource.id

events.parameters.name [DEVICE_ID]

principal.resource.id

directory_device_id

principal.resource.product_object_id

events.parameters.name [DIRECTORY_DEVICE_ID]

principal.resource.product_object_id

principal.resource.resource_subtype

If the event log field value is equal to CHROMEOS_PERIPHERAL_STATUS_UPDATED , then the principal.resource.resource_subtype UDM field is set to USB .

Else, if the events.name log field value is equal to CHROMEOS_PERIPHERAL_STATUS_UPDATED , then the principal.resource.resource_subtype UDM field is set to USB .

principal.resource.resource_type

If the device_id log field value is not empty, then the principal.resource.resource_type UDM field is set to DEVICE .

actor.email

principal.user.email_addresses

actor.profileId

principal.user.userid

result

security_result.action_details

events.parameters.name [EVENT_RESULT]

security_result.action_details

event_result

security_result.action_details

security_result.action

The security_result.action UDM field is set to one of the following values:

ALLOW if the result or events.parameters.name [EVENT_RESULT] log field value is matched with regular expression pattern ALLOWED or EVENT_RESULT_ALLOWED .
BLOCK if the result or events.parameters.name [EVENT_RESULT] log field value is matched with regular expression pattern BLOCKED or EVENT_RESULT_BLOCKED .

reason

security_result.category_details

events.parameters.name [EVENT_REASON]

security_result.category_details

events.parameters.name [EVENT_REASON]

security_result.summary

events.parameters.name [LOGIN_FAILURE_REASON]

security_result.description

events.parameters.name [REMOVE_USER_REASON]

security_result.description

If the events.name log field value is equal to CHROME_OS_REMOVE_USER , then the

events.parameters.namethe REMOVE_USER_REASON 
log field value

log field is mapped to the security_result.description UDM field.

triggered_rules

security_result.rule_name

events.type

security_result.category_details

events.parameters.name [PRODUCT_NAME]

target.application

If the events.name log field value contains one of the following values, then the events.parameters.name [PRODUCT_NAME] log field is mapped to the target.resource.name UDM field:

ChromeOS USB device added
ChromeOS USB device removed
ChromeOS USB status change
CHROMEOS_PERIPHERAL_STATUS_UPDATED

content_name

target.file.full_path

contentName

target.file.full_path

events.parameters.name [CONTENT_NAME]

target.file.full_path

content_type

target.file.mime_type

contentType

target.file.mime_type

events.parameters.name [CONTENT_TYPE]

target.file.mime_type

content_hash

target.file.sha256

events.parameters.name [CONTENT_HASH]

target.file.sha256

content_size

target.file.size

contentSize

target.file.size

events.parameters.name [CONTENT_SIZE]

target.file.size

target.file.file_type

The fileType is extracted from the content_name log field usign Grok pattern, Then target.file.file_type UDM field is set to one of the following values:

FILE_TYPE_ZIP if the fileType value is equal to zip .
FILE_TYPE_DOS_EXE if the fileType value is equal to exe .
FILE_TYPE_PDF if the fileType value is equal to pdf .
FILE_TYPE_XLSX if the fileType value is equal to xlsx .

extension_id

target.resource.product_object_id

events.parameters.name [APP_ID]

target.resource.product_object_id

extension_name

target.resource.name

If the event log field value is equal to badNavigationEvent or the events.name log field value is equal to badNavigationEvent , then the extension_name log field is mapped to the target.resource.name UDM field.

telemetry_event_signals.signal_name

target.resource.name

If the event log field value is equal to extensionTelemetryEvent , then the telemetry_event_signals.signal_name log field is mapped to the target.resource.name UDM field.

events.parameters.name [APP_NAME]

target.resource.name

url

target.url

events.parameters.name [URL]

target.url

telemetry_event_signals.url

target.url

If the telemetry_event_signals.url log field value matches the regular expression pattern the [http:\/\/ or https:\/\/].* , then the telemetry_event_signals.url log field is mapped to the target.url UDM field.

device_user

target.user.userid

deviceUser

principal.user.userid

If the event log field value is equal to passwordChangedEvent , then the deviceUser log field is mapped to the principal.user.userid UDM field.

Else, the deviceUser log field is mapped to the principal.user.user_display_name UDM field.

events.parameters.name [DEVICE_USER]

If the event log field value is equal to passwordChangedEvent , then the events.parameters.name [DEVICE_USER] log field is mapped to the principal.user.userid UDM field.

Else, the events.parameters.name [DEVICE_USER] log field is mapped to the principal.user.user_display_name UDM field.

scan_id

about.labels [scan_id]

events.parameters.name [CONNECTION_TYPE]

about.labels [connection_type]

etag

about.labels [etag]

kind

about.labels [kind]

actor.key

principal.user.attribute.labels [actor_key]

actor.callerType

principal.user.attribute.labels [actor_callerType]

events.parameters.name [EVIDENCE_LOCKER_FILEPATH]

security_result.about.labels [evidence_locker_filepath]

federated_origin

security_result.about.labels [federated_origin]

is_federated

security_result.about.labels [is_federated]

destination

security_result.about.labels [trigger_destination]

events.parameters.name [TRIGGER_DESTINATION]

security_result.about.labels [trigger_destination]

source

security_result.about.labels [trigger_source]

events.parameters.name [TRIGGER_SOURCE]

security_result.about.labels [trigger_source]

trigger_type

security_result.about.labels [trigger_type]

trigger_type

additional.fields [trigger_type]

triggerType

security_result.about.labels [trigger_type]

triggerType

additional.fields [trigger_type]

events.parameters.name [TRIGGER_TYPE]

security_result.about.labels [trigger_type]

trigger_user

security_result.about.labels [trigger_user]

events.parameters.name [TRIGGER_USER]

security_result.about.labels [trigger_user]

events.parameters.name [MALWARE_CATEGORY]

security_result.threat_name

events.parameters.name [MALWARE_FAMILY]

security_result.detection_fields [malware_family]

events.parameters.name [VENDOR_ID]

src.labels [vendor_id]

events.parameters.name [VENDOR_NAME]

src.labels [vendor_name]

events.parameters.name [VIRTUAL_DEVICE_ID]

src.labels [virtual_device_id]

events.parameters.name [VIRTUAL_DEVICE_ID]

additional.fields [virtual_device_id]

events.parameters.name [NEW_BOOT_MODE]

target.asset.attribute.labels [new_boot_mode]

events.parameters.name [PREVIOUS_BOOT_MODE]

target.asset.attribute.labels [previous_boot_mode]

id.time

target.asset.attribute.labels [timestamp]

events.parameters.name [PRODUCT_ID]

target.labels [product_id]

If the events.name log field value contains one of the following values, then the events.parameters.name [PRODUCT_ID] log field is mapped to the target.resource.product_object_id UDM field:

CHROMEOS_PERIPHERAL_ADDED
CHROMEOS_PERIPHERAL_REMOVED
CHROMEOS_PERIPHERAL_STATUS_UPDATED

Else, the events.parameters.name [PRODUCT_ID] log field is mapped to the target.labels UDM field.

extensions.auth.mechanism

If the events.name log field value contains one of the following values, then the extensions.auth.mechanism UDM field is set to USERNAME_PASSWORD :

CHROME_OS_LOGIN_EVENT
loginEvent
CHROME_OS_LOGIN_FAILURE_EVENT
CHROMEOS_AFFILIATED_UNLOCK_SUCCESS
CHROME_OS_CRD_CLIENT_CONNECTED
CHROME_OS_LOGOUT_EVENT
CHROMEOS_AFFILIATED_LOCK_SUCCESS

events.parameters.name [UNLOCK_TYPE]

target.labels [unlock_type]

extension_description

target.resource.attribute.labels [extension_description]

extension_action

target.resource.attribute.labels [extension_action]

extension_version

target.resource.attribute.labels [extension_version]

If the event log field value is not equal to extensionTelemetryEvent , then the extension_version log field is mapped to the target.resource.attribute.labels[extension_version] UDM field.

extension_source

target.resource.attribute.labels[extension_source]

If the event log field value is not equal to extensionTelemetryEvent , then the extension_source log field is mapped to the target.resource.attribute.labels[extension_source] UDM field.

browser_version

target.resource.attributes.labels [browser_version]

browserVersion

target.resource.attributes.labels [browser_version]

events.parameters.name [BROWSER_VERSION]

target.resource.attributes.labels [browser_version]

profile_user

target.user.email_addresses

If the event log field value contain one of the following values and the profile_user log field value matches the regular expression pattern ^.+@.+$ , then the profile_user log field is mapped to the target.user.email_addresses UDM field.

CHROME_OS_LOGIN_EVENT
loginEvent
CHROME_OS_LOGIN_FAILURE_EVENT
CHROMEOS_AFFILIATED_UNLOCK_SUCCESS
CHROME_OS_CRD_CLIENT_CONNECTED
CHROME_OS_LOGOUT_EVENT
CHROMEOS_AFFILIATED_LOCK_SUCCESS

profile_user

principal.user.email_addresses

If the event log field value does not contain one of the following values and the profile_user log field value matches the regular expression pattern ^.+@.+$ and the actor.email log field value is not equal to the profile_user , then the profile_user log field is mapped to the principal.user.email_addresses UDM field.

CHROME_OS_LOGIN_EVENT
loginEvent
CHROME_OS_LOGIN_FAILURE_EVENT
CHROMEOS_AFFILIATED_UNLOCK_SUCCESS
CHROME_OS_CRD_CLIENT_CONNECTED
CHROME_OS_LOGOUT_EVENT
CHROMEOS_AFFILIATED_LOCK_SUCCESS

profile_user

target.user.attribute.labels[profile_user_name]

If the event log field value contain one of the following values and the profile_user log field value does not match the regular expression pattern ^.+@.+$ , then the profile_user log field is mapped to the target.user.attribute.labels.profile_user_name UDM field.

CHROME_OS_LOGIN_EVENT
loginEvent
CHROME_OS_LOGIN_FAILURE_EVENT
CHROMEOS_AFFILIATED_UNLOCK_SUCCESS
CHROME_OS_CRD_CLIENT_CONNECTED
CHROME_OS_LOGOUT_EVENT
CHROMEOS_AFFILIATED_LOCK_SUCCESS

profile_user

principal.user.attribute.labels[profile_user_name]

If the event log field value does not contain one of the following values and the profile_user log field value does not match the regular expression pattern ^.+@.+$ or the actor.email log field value is equal to the profile_user , then the profile_user log field is mapped to the principal.user.attribute.labels.profile_user_name UDM field.

CHROME_OS_LOGIN_EVENT
loginEvent
CHROME_OS_LOGIN_FAILURE_EVENT
CHROMEOS_AFFILIATED_UNLOCK_SUCCESS
CHROME_OS_CRD_CLIENT_CONNECTED
CHROME_OS_LOGOUT_EVENT
CHROMEOS_AFFILIATED_LOCK_SUCCESS

events.parameters.name [PROFILE_USER_NAME]

target.user.email_addresses

If the event log field value contain one of the following values and the events.parameters.name [PROFILE_USER_NAME] log field value matches the regular expression pattern ^.+@.+$ , then the events.parameters.name [PROFILE_USER_NAME] log field is mapped to the target.user.email_addresses UDM field.

CHROME_OS_LOGIN_EVENT
loginEvent
CHROME_OS_LOGIN_FAILURE_EVENT
CHROMEOS_AFFILIATED_UNLOCK_SUCCESS
CHROME_OS_CRD_CLIENT_CONNECTED
CHROME_OS_LOGOUT_EVENT
CHROMEOS_AFFILIATED_LOCK_SUCCESS

events.parameters.name [PROFILE_USER_NAME]

principal.user.email_addresses

If the event log field value does not contain one of the following values and the events.parameters.name [PROFILE_USER_NAME] log field value matches the regular expression pattern ^.+@.+$ and the actor.email log field value is not equal to the events.parameters.name [PROFILE_USER_NAME] , then the events.parameters.name [PROFILE_USER_NAME] log field is mapped to the principal.user.email_addresses UDM field.

CHROME_OS_LOGIN_EVENT
loginEvent
CHROME_OS_LOGIN_FAILURE_EVENT
CHROMEOS_AFFILIATED_UNLOCK_SUCCESS
CHROME_OS_CRD_CLIENT_CONNECTED
CHROME_OS_LOGOUT_EVENT
CHROMEOS_AFFILIATED_LOCK_SUCCESS

events.parameters.name [PROFILE_USER_NAME]

target.user.attribute.labels[profile_user_name]

If the event log field value contain one of the following values and the events.parameters.name [PROFILE_USER_NAME] log field value does not match the regular expression pattern ^.+@.+$ , then the events.parameters.name [PROFILE_USER_NAME] log field is mapped to the target.user.attribute.labels.profile_user_name UDM field.

CHROME_OS_LOGIN_EVENT
loginEvent
CHROME_OS_LOGIN_FAILURE_EVENT
CHROMEOS_AFFILIATED_UNLOCK_SUCCESS
CHROME_OS_CRD_CLIENT_CONNECTED
CHROME_OS_LOGOUT_EVENT
CHROMEOS_AFFILIATED_LOCK_SUCCESS

events.parameters.name [PROFILE_USER_NAME]

principal.user.attribute.labels[profile_user_name]

If the event log field value does not contain one of the following values and the events.parameters.name [PROFILE_USER_NAME] log field value does not match the regular expression pattern ^.+@.+$ or the actor.email log field value is equal to the events.parameters.name [PROFILE_USER_NAME] , then the events.parameters.name [PROFILE_USER_NAME] log field is mapped to the principal.user.attribute.labels.profile_user_name UDM field.

CHROME_OS_LOGIN_EVENT
loginEvent
CHROME_OS_LOGIN_FAILURE_EVENT
CHROMEOS_AFFILIATED_UNLOCK_SUCCESS
CHROME_OS_CRD_CLIENT_CONNECTED
CHROME_OS_LOGOUT_EVENT
CHROMEOS_AFFILIATED_LOCK_SUCCESS

target.resource.resource_type

If the events.name log field value is equal to DEVICE_BOOT_STATE_CHANGE , then the target.resource.resource_type UDM field is set to SETTING .

url_category

target.labels [url_category]

browser_channel

target.resource.attribute.labels [browser_channel]

report_id

target.labels [report_id]

clickedThrough

target.labels [clickedThrough]

threat_type

security_result.detection_fields [threatType]

triggered_rule_info.action

security_result.action

If the triggered_rule_info.action log field value contains one of the following values, then the triggered_rule_info.action log field is mapped to the security_result.action UDM field:

ALLOW
ALLOW_WITH_MODIFICATION
BLOCK
CHALLENGE
FAIL
QUARANTINE
UNKNOWN_ACTION

Else, the triggered_rule_info.action log field is mapped to the security_result.rule_labels [triggeredRuleInfo_action] UDM field.

triggered_rule_info.rule_id

security_result.rule_id

triggered_rule_info.rule_name

security_result.rule_name

triggered_rule_info.url_category

security_result.category_details

transfer_method

additional.fields [transfer_method]

extension_name

target.resource_ancestors.name

If the event log field value is equal to extensionTelemetryEvent , then the extension_name log field is mapped to the target.resource_ancestors.name UDM field.

extension_id

target.resource_ancestors.product_object_id

If the event log field value is equal to extensionTelemetryEvent , then the extension_id log field is mapped to the target.resource_ancestors.product_object_id UDM field.

extension_version

target.resource_ancestors.attribute.labels[extension_version]

If the event log field value is equal to extensionTelemetryEvent , then the extension_version log field is mapped to the target.resource_ancestors.attribute.labels[extension_version] UDM field.

extension_source

target.resource_ancestors.attribute.labels[extension_source]

If the event log field value is equal to extensionTelemetryEvent , then the extension_source log field is mapped to the target.resource_ancestors.attribute.labels[extension_source] UDM field.

profile_identifier

additional.fields[profile_identifier]

extension_files_info.file_name

target.resource_ancestors.file.names

extension_files_info.file_hash.hash

target.resource_ancestors.attribute.labels[file_hash]

telemetry_event_signals.count

target.resource.attribute.labels[count]

telemetry_event_signals.tabs_api_method

target.resource.attribute.labels[tabs_api_method]

target.hostname

If the telemetry_event_signals.url log field value does not match the regular expression pattern the [http:\/\/ or https:\/\/].* , then the telemetry_event_signals.url log field is mapped to the target.hostname UDM field.

telemetry_event_signals.destination

target.resource.attribute.labels[destination]

telemetry_event_signals.source

target.resource.attribute.labels[source]

telemetry_event_signals.domain

target.domain.name

telemetry_event_signals.cookie_name

target.resource.attribute.labels[cookie_name]

telemetry_event_signals.cookie_path

target.resource.attribute.labels[cookie_path]

telemetry_event_signals.cookie_is_secure

target.resource.attribute.labels[cookie_is_secure]

telemetry_event_signals.cookie_store_id

target.resource.attribute.labels[cookie_store_id]

telemetry_event_signals.cookie_is_session

target.resource.attribute.labels[cookie_is_session]

telemetry_event_signals.connection_protocol

network.application_protocol

If the telemetry_event_signals.connection_protocol log field value is equal to HTTP_HTTPS , then the network.application_protocol UDM field is set to HTTP

Else, If the telemetry_event_signals.connection_protocol log field value is equal to UNSPECIFIED , then the network.application_protocol UDM field is set to UNKNOWN_APPLICATION_PROTOCOL

Else, the telemetry_event_signals.connection_protocol log field is mapped to the target.resource.attribute.labels UDM field.

telemetry_event_signals.contacted_by

target.resource.attribute.labels[contacted_by]

What's next

Data ingestion to Google SecOps

For Community blogs on Chrome logs, see:

Integrating Chrome Enterprise Management with Google SecOps

Need more help? Get answers from Community members and Google SecOps professionals.