Collect Google Cloud Audit Logs
This document describes how you can export Cloud Audit Logs by enabling Google Cloud telemetry ingestion to Google Security Operations and how Cloud Audit Logs fields map to Google Security Operations Unified Data Model (UDM) fields.
For more information, see Data ingestion to Google Security Operations overview.
A typical deployment consists of Cloud Audit Logs enabled for ingestion to Google Security Operations. Each customer deployment might differ from this representation and might be more complex.
The deployment contains the following components:
- Google Cloud: The Google Cloud services and products from which you collect logs
- Cloud Audit Logs: The Cloud Audit Logs that are enabled for ingestion to Google Security Operations
- Google Workspace audit logs: The Google Workspace audit logs that are enabled for ingestion to Google Security Operations
- Google Security Operations: Retains and analyzes Cloud Audit Logs and Google Workspace audit logs
An ingestion label identifies the parser that normalizes raw log data to structured UDM format. The information in this document applies to the parser with the GCP_CLOUDAUDIT ingestion label.
Before you begin
- Ensure that you have set up a Google Cloud .
- Ensure that you have set up access control for your organization and resources using Identity and Access Management (IAM). For more information about access control, see Access control for organizations with IAM.
- Configure data access audit logs for your Google Cloud resources and services.
- Ensure that all systems in the deployment architecture are configured in the UTC time zone.
- Verify the log types that the Cloud Audit Logs parser supports. The following table lists the log sources and types supported by the Cloud Audit Logs parser:
Log sources | Log source type |
---|---|
Cloud DNS | N/A |
syslog | N/A |
Google Workspace audit logs | Login Audit |
Google Workspace audit logs | Admin Audit |
Cloud Audit Logs | Admin Activity |
Cloud Audit Logs | VPC Service Controls Audit |
Cloud Audit Logs | Google Kubernetes Engine Data Access |
Cloud Audit Logs | Resource Manager Data Access |
Cloud Audit Logs | BigQuery Audit Metadata data access |
Cloud Audit Logs | MySQL data access, admin activity |
Cloud Audit Logs | PostgreSQL data access, admin activity |
Cloud Audit Logs | SQL Server data access, admin activity |
Cloud Load Balancing | Cloud HTTP Load Balancer |
Cloud DNS | Admin Activity |
Virtual Private Cloud Flow | Virtual Private Cloud Flow |
Firewall Rules | Firewall Rules |
Cloud NAT | Cloud NAT |
Configure ingestion of Cloud Audit Logs
To ingest Cloud Audit Logs to Google Security Operations, follow the steps on the Ingest Google Cloud logs to Google Security Operations page.
If you encounter issues when you ingest Cloud Audit Logs, contact Google Security Operations support.
Supported Cloud Audit Logs log formats
The Cloud Audit Logs parser supports logs in JSON format.
Supported Cloud Audit Logs sample logs
- JSON:
{ "protoPayload": { "@type": "type.googleapis.com/google.cloud.audit.AuditLog", "authenticationInfo": { "principalEmail": "dummyuser@mail.com" }, "requestMetadata": { "callerIp": "198.51.10.0", "callerSuppliedUserAgent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/133.0.0.0 Safari/537.36,gzip(gfe),gzip(gfe)", "requestAttributes": { "time": "2025-02-26T16:35:37.410328Z", "auth": {} }, "destinationAttributes": {} }, "serviceName": "compute.googleapis.com", "methodName": "beta.compute.securityPolicies.patchRule", "authorizationInfo": [ { "resource": "projects/icd-gcp-prod-net-landing-0/global/securityPolicies/hashtag-ext", "permission": "compute.securityPolicies.update", "granted": true, "resourceAttributes": { "service": "compute", "name": "projects/icd-gcp-prod-net-landing-0/global/securityPolicies/hashtag-ext", "type": "compute.securityPolicies" }, "permissionType": "ADMIN_WRITE" } ], "resourceName": "projects/icd-gcp-prod-net-landing-0/global/securityPolicies/hashtag-ext", "request": { "description": "SQL injection", "priority": "10100", "match": { "expr": { "expression": "evaluatePreconfiguredExpr(\\u0027sqli-v33-stable\\u0027)" } }, "action": "deny(403)", "preview": false, "validateOnly": true, "@type": "type.googleapis.com/compute.securityPolicies.patchRule" }, "response": { "id": "4332115325946625078", "name": "operation-1740587736928-62f0e29c291e2-b0056719-3023c13f", "operationType": "PatchRule", "targetLink": "https://www.googleapis.com/compute/beta/projects/icd-gcp-prod-net-landing-0/global/securityPolicies/hashtag-ext", "targetId": "6935975992577010740", "status": "DONE", "user": "dummyuser@domain.com", "progress": "100", "insertTime": "2025-02-26T08:35:37.278-08:00", "startTime": "2025-02-26T08:35:37.279-08:00", "endTime": "2025-02-26T08:35:37.279-08:00", "selfLink": 
"https://www.googleapis.com/compute/beta/projects/icd-gcp-prod-net-landing-0/global/operations/operation-1740587736928-62f0e29c291e2-b0056719-3023c13f", "selfLinkWithId": "https://www.googleapis.com/compute/beta/projects/icd-gcp-prod-net-landing-0/global/operations/4332115325946625078", "@type": "type.googleapis.com/operation" }, "resourceLocation": { "currentLocations": [ "global" ] } }, "insertId": "-5srtt8e1oe7o", "resource": { "type": "network_security_policy", "labels": { "policy_name": "hashtag-ext", "project_id": "icd-gcp-prod-net-landing-0", "location": "global" } }, "timestamp": "2025-02-26T16:35:36.961863Z", "severity": "NOTICE", "labels": { "compute.googleapis.com/root_trigger_id": "f0fe0460-63df-4978-8256-e70ce093effa" }, "logName": "projects/icd-gcp-prod-net-landing-0/logs/cloudaudit.googleapis.com%2Factivity", "operation": { "id": "operation-1740587736928-62f0e29c291e2-b0056719-3023c13f", "producer": "compute.googleapis.com", "first": true, "last": true }, "receiveTimestamp": "2025-02-26T16:35:38.342438110Z" }
Field mapping reference
This section explains how the Google Security Operations parser maps Cloud Audit Logs fields to Google Security Operations Unified Data Model (UDM) fields.
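A pre-ingestion check for raw entries, added here as an example and not part of the Google Security Operations parser: it confirms that a line is a JSON AuditLog record, derives the audit log category from `logName`, normalizes timestamps to UTC, and pulls out the fields an analyst pivots on, including permissions that were not granted. The function names, output keys and both sample entries are constructed for this example; the samples follow the shape of the sample log on this page.

```python
import json
import re
from datetime import datetime, timezone
from urllib.parse import unquote

AUDIT_TYPE = "type.googleapis.com/google.cloud.audit.AuditLog"

# Cloud Audit Logs streams, keyed by the URL-decoded tail of logName.
LOG_CATEGORIES = {
    "cloudaudit.googleapis.com/activity": "Admin Activity",
    "cloudaudit.googleapis.com/data_access": "Data Access",
    "cloudaudit.googleapis.com/system_event": "System Event",
    "cloudaudit.googleapis.com/policy": "Policy Denied",
}

_RFC3339 = re.compile(
    r"^(\d{4}-\d\d-\d\dT\d\d:\d\d:\d\d)(?:\.(\d+))?(Z|[+-]\d\d:\d\d)$")


def to_utc(ts):
    """Parse an RFC 3339 timestamp (any offset, up to nanoseconds) into UTC."""
    m = _RFC3339.match(ts or "")
    if not m:
        raise ValueError(f"not an RFC 3339 timestamp: {ts!r}")
    base, frac, offset = m.groups()
    frac = (frac or "").ljust(6, "0")[:6]  # datetime keeps microseconds only
    offset = "+00:00" if offset == "Z" else offset
    parsed = datetime.fromisoformat(f"{base}.{frac}{offset}")
    return parsed.astimezone(timezone.utc)


def summarize(raw_line):
    """Validate one raw log line and return the fields an analyst pivots on."""
    try:
        entry = json.loads(raw_line)
    except json.JSONDecodeError as exc:
        raise ValueError(f"not JSON: {exc}") from exc
    payload = entry.get("protoPayload") if isinstance(entry, dict) else None
    if not isinstance(payload, dict) or payload.get("@type") != AUDIT_TYPE:
        raise ValueError("entry has no AuditLog protoPayload")

    stream = unquote(entry.get("logName", "")).rpartition("/logs/")[2]
    event_time = to_utc(entry.get("timestamp"))
    received = to_utc(entry.get("receiveTimestamp"))
    # Assumption of this example: a missing "granted" key counts as not
    # granted, since the JSON form of an entry can omit false booleans.
    denied = [a.get("permission")
              for a in payload.get("authorizationInfo", [])
              if a.get("granted") is not True]
    return {
        "category": LOG_CATEGORIES.get(stream, "unknown"),
        "time_utc": event_time.isoformat(),
        "delay_s": (received - event_time).total_seconds(),
        "principal": payload.get("authenticationInfo", {}).get("principalEmail"),
        "caller_ip": payload.get("requestMetadata", {}).get("callerIp"),
        "service": payload.get("serviceName"),
        "method": payload.get("methodName"),
        "denied": denied,
        "status_code": payload.get("status", {}).get("code", 0),
    }


# Constructed sample lines (not real logs), shaped like this page's sample.
_LOG = "projects/example-project/logs/cloudaudit.googleapis.com%2F"
SAMPLE_ALLOWED = json.dumps({
    "protoPayload": {
        "@type": AUDIT_TYPE,
        "authenticationInfo": {"principalEmail": "analyst@example.com"},
        "requestMetadata": {"callerIp": "198.51.100.7"},
        "serviceName": "compute.googleapis.com",
        "methodName": "beta.compute.securityPolicies.patchRule",
        "authorizationInfo": [
            {"permission": "compute.securityPolicies.update", "granted": True}],
    },
    "timestamp": "2025-02-26T16:35:36.961863Z",
    "receiveTimestamp": "2025-02-26T16:35:38.342438110Z",
    "logName": _LOG + "activity",
})
SAMPLE_DENIED = json.dumps({
    "protoPayload": {
        "@type": AUDIT_TYPE,
        "authenticationInfo": {"principalEmail": "analyst@example.com"},
        "requestMetadata": {"callerIp": "198.51.100.7"},
        "serviceName": "dns.googleapis.com",
        "methodName": "dns.managedZones.list",
        "authorizationInfo": [{"permission": "dns.managedZones.list"}],
        "status": {"code": 7, "message": "PERMISSION_DENIED"},
    },
    "timestamp": "2025-02-26T16:40:00Z",
    "receiveTimestamp": "2025-02-26T16:40:01.5Z",
    "logName": _LOG + "data_access",
})

if __name__ == "__main__":
    for line in (SAMPLE_ALLOWED, SAMPLE_DENIED):
        print(json.dumps(summarize(line), indent=2))
```

A large `delay_s`, or a `ValueError` from `to_utc`, points to a source that is not emitting UTC RFC 3339 timestamps, which is what the UTC prerequisite on this page guards against.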
GCP_CLOUDAUDIT log types to UDM event type
The following table lists the GCP_CLOUDAUDIT event identifiers and their corresponding event types.
Event identifier | Event type |
---|---|
dns.managedZones.get | USER_RESOURCE_ACCESS |
dns.managedZones.list | USER_RESOURCE_ACCESS |
dns.changes.get | USER_RESOURCE_ACCESS |
dns.changes.list | USER_RESOURCE_ACCESS |
dns.activePeeringZones.list | USER_RESOURCE_ACCESS |
dns.activePeeringZones.getpeeringzoneinfo | USER_RESOURCE_ACCESS |
dns.resourceRecordSets.get | USER_RESOURCE_ACCESS |
dns.resourceRecordSets.list | USER_RESOURCE_ACCESS |
dns.responsePolicies.get | USER_RESOURCE_ACCESS |
dns.responsePolicies.list | USER_RESOURCE_ACCESS |
dns.responsePolicyRules.get | USER_RESOURCE_ACCESS |
dns.responsePolicyRules.list | USER_RESOURCE_ACCESS |
dns.policies.get | USER_RESOURCE_ACCESS |
dns.policies.list | USER_RESOURCE_ACCESS |
dns.projects.get | USER_RESOURCE_ACCESS |
dns.managedZones.create | USER_RESOURCE_CREATION |
dns.managedZones.delete | RESOURCE_DELETION |
dns.managedZones.update | RESOURCE_WRITTEN |
dns.managedZones.patch | USER_RESOURCE_UPDATE_CONTENT |
dns.changes.create | USER_RESOURCE_CREATION |
dns.changes.delete | RESOURCE_DELETION |
dns.activePeeringZones.deactivate | USER_RESOURCE_UPDATE_CONTENT |
dns.resourceRecordSets.create | USER_RESOURCE_CREATION |
dns.resourceRecordSets.delete | RESOURCE_DELETION |
dns.resourceRecordSets.update | RESOURCE_WRITTEN |
dns.resourceRecordSets.patch | USER_RESOURCE_UPDATE_CONTENT |
dns.responsePolicies.create | USER_RESOURCE_CREATION |
dns.responsePolicies.delete | RESOURCE_DELETION |
dns.responsePolicies.update | RESOURCE_WRITTEN |
dns.responsePolicies.patch | USER_RESOURCE_UPDATE_CONTENT |
dns.responsePolicyRules.create | USER_RESOURCE_CREATION |
dns.responsePolicyRules.delete | RESOURCE_DELETION |
dns.responsePolicyRules.update | RESOURCE_WRITTEN |
dns.responsePolicyRules.patch | USER_RESOURCE_UPDATE_CONTENT |
dns.policies.create | USER_RESOURCE_CREATION |
dns.policies.delete | RESOURCE_DELETION |
dns.policies.update | RESOURCE_WRITTEN |
dns.policies.patch | USER_RESOURCE_UPDATE_CONTENT |
CreateRole | USER_RESOURCE_CREATION |
DeleteRole | RESOURCE_DELETION |
UndeleteRole | RESOURCE_CREATION |
UpdateRole | RESOURCE_WRITTEN |
google.iam.v2beta.Policies.CreatePolicy | USER_RESOURCE_CREATION |
google.iam.v2beta.Policies.DeletePolicy | RESOURCE_DELETION |
google.iam.v2beta.Policies.UpdatePolicy | RESOURCE_WRITTEN |
CreateServiceAccount | USER_CREATION |
DeleteServiceAccount | RESOURCE_DELETION |
DisableServiceAccount | USER_CHANGE_PERMISSIONS |
EnableServiceAccount | USER_CHANGE_PERMISSIONS |
GetServiceAccount | USER_RESOURCE_ACCESS |
PatchServiceAccount | USER_RESOURCE_UPDATE_CONTENT |
SetIAMPolicy | USER_RESOURCE_UPDATE_PERMISSIONS |
UndeleteServiceAccount | USER_CREATION |
UpdateServiceAccount | RESOURCE_WRITTEN |
CreateServiceAccountKey | USER_CHANGE_PASSWORD |
DeleteServiceAccountKey | USER_DELETION |
UploadServiceAccountKey | USER_CHANGE_PASSWORD |
CreateWorkloadIdentityPool | USER_RESOURCE_CREATION |
DeleteWorkloadIdentityPool | RESOURCE_DELETION |
UndeleteWorkloadIdentityPool | RESOURCE_CREATION |
UpdateWorkloadIdentityPool | RESOURCE_WRITTEN |
CreateWorkloadIdentityPoolProvider | USER_RESOURCE_CREATION |
DeleteWorkloadIdentityPoolProvider | RESOURCE_DELETION |
UndeleteWorkloadIdentityPoolProvider | RESOURCE_DELETION |
UpdateWorkloadIdentityPoolProvider | RESOURCE_WRITTEN |
CreateWorkforcePool | USER_RESOURCE_CREATION |
DeleteWorkforcePool | RESOURCE_DELETION |
UndeleteWorkforcePool | RESOURCE_DELETION |
UpdateWorkforcePool | RESOURCE_WRITTEN |
CreateWorkforcePoolProvider | USER_RESOURCE_CREATION |
DeleteWorkforcePoolProvider | RESOURCE_DELETION |
UndeleteWorkforcePoolProvider | RESOURCE_DELETION |
UpdateWorkforcePoolProvider | RESOURCE_WRITTEN |
GetEffectivePolicy1 | USER_RESOURCE_ACCESS |
google.iam.admin.v1.GetPolicyDetails2 | USER_RESOURCE_ACCESS |
ExchangeToken | USER_RESOURCE_ACCESS |
Google Cloud console (federated) sign in | USER_RESOURCE_UPDATE_PERMISSIONS |
GetRole | USER_RESOURCE_ACCESS |
ListRoles | USER_RESOURCE_ACCESS |
google.iam.v2beta.Policies.GetPolicy | USER_RESOURCE_ACCESS |
google.iam.v2beta.Policies.ListPolicies | USER_RESOURCE_ACCESS |
QueryGrantableRoles | USER_RESOURCE_ACCESS |
GenerateAccessToken | USER_RESOURCE_UPDATE_CONTENT |
GenerateIdToken | USER_RESOURCE_UPDATE_CONTENT |
ListServiceAccounts | USER_RESOURCE_ACCESS |
SignBlob | USER_RESOURCE_UPDATE_CONTENT |
SignJwt | USER_RESOURCE_UPDATE_CONTENT |
GetServiceAccountKey | USER_RESOURCE_ACCESS |
ListServiceAccountKeys | USER_RESOURCE_ACCESS |
GetWorkloadIdentityPool | USER_RESOURCE_ACCESS |
ListWorkloadIdentityPools | USER_RESOURCE_ACCESS |
GetWorkloadIdentityPoolProvider | USER_RESOURCE_ACCESS |
ListWorkloadIdentityPoolProviders | USER_RESOURCE_ACCESS |
GetWorkforcePool | USER_RESOURCE_ACCESS |
ListWorkforcePools | USER_RESOURCE_ACCESS |
GetWorkforcePoolProvider | USER_RESOURCE_ACCESS |
ListWorkforcePoolProviders | USER_RESOURCE_ACCESS |
io.k8s.authorization.rbac.v1 | STATUS_UPDATE |
io.k8s.authorization.rbac.v1.roles | STATUS_UPDATE |
io.k8s.batch.v1.jobs.create | RESOURCE_CREATION |
io.k8s.authorization.rbac.v1.clusterroles.create | RESOURCE_CREATION |
io.k8s.apps.v1.daemonsets.create | RESOURCE_CREATION |
io.k8s.authorization.v1.selfsubjectaccessreviews.create | RESOURCE_CREATION |
google.container.v1.ClusterManager.CreateCluster | USER_RESOURCE_CREATION |
google.cloud.bigquery.v2.TableService.InsertTable | USER_RESOURCE_CREATION |
google.cloud.bigquery.v2.TableService.UpdateTable | RESOURCE_WRITTEN |
google.cloud.bigquery.v2.TableService.PatchTable | USER_RESOURCE_UPDATE_CONTENT |
google.cloud.bigquery.v2.TableService.DeleteTable | RESOURCE_DELETION |
google.cloud.bigquery.v2.DatasetService.InsertDataset | USER_RESOURCE_CREATION |
google.cloud.bigquery.v2.DatasetService.UpdateDataset | RESOURCE_WRITTEN |
google.cloud.bigquery.v2.DatasetService.PatchDataset | USER_RESOURCE_UPDATE_CONTENT |
google.cloud.bigquery.v2.DatasetService.DeleteDataset | USER_RESOURCE_DELETION |
google.cloud.bigquery.v2.TableDataService.List | USER_RESOURCE_ACCESS |
google.cloud.bigquery.v2.JobService.InsertJob | USER_RESOURCE_CREATION |
google.cloud.bigquery.v2.JobService.Query | USER_RESOURCE_ACCESS |
google.cloud.bigquery.v2.JobService.GetQueryResults | USER_RESOURCE_ACCESS |
InternalTableExpired | USER_RESOURCE_DELETION |
google.cloud.bigquery.connection.v1.ConnectionService.CreateConnection | USER_RESOURCE_CREATION |
google.cloud.bigquery.connection.v1.ConnectionService.DeleteConnection | RESOURCE_DELETION |
google.cloud.bigquery.connection.v1.ConnectionService.UpdateConnection | RESOURCE_WRITTEN |
google.cloud.bigquery.connection.v1.ConnectionService.SetIamPolicy | RESOURCE_PERMISSIONS_CHANGE |
google.cloud.bigquery.reservation.v1.ReservationService.CreateReservation | USER_RESOURCE_CREATION |
google.cloud.bigquery.reservation.v1.ReservationService.DeleteReservation | RESOURCE_DELETION |
google.cloud.bigquery.reservation.v1.ReservationService.UpdateReservation | RESOURCE_WRITTEN |
google.cloud.bigquery.reservation.v1.ReservationService.CreateCapacityCommitment | USER_RESOURCE_CREATION |
google.cloud.bigquery.reservation.v1.ReservationService.DeleteCapacityCommitment | RESOURCE_DELETION |
google.cloud.bigquery.reservation.v1.ReservationService.CreateAssignment | USER_RESOURCE_CREATION |
google.cloud.bigquery.reservation.v1.ReservationService.DeleteAssignment | RESOURCE_DELETION |
google.cloud.bigquery.reservation.v1.ReservationService.MoveAssignment | STATUS_UPDATE |
cloudsql.backupRuns.get | USER_RESOURCE_ACCESS |
cloudsql.backupRuns.list | USER_RESOURCE_ACCESS |
cloudsql.databases.create | USER_RESOURCE_CREATION |
cloudsql.databases.delete | RESOURCE_DELETION |
cloudsql.databases.get | USER_RESOURCE_ACCESS |
cloudsql.databases.list | USER_RESOURCE_ACCESS |
cloudsql.databases.update | RESOURCE_WRITTEN |
cloudsql.instances.export | USER_RESOURCE_ACCESS |
cloudsql.instances.get | USER_RESOURCE_ACCESS |
cloudsql.instances.import | STATUS_UNCATEGORIZED |
cloudsql.instances.list | USER_RESOURCE_ACCESS |
cloudsql.instances.listEffectiveTags | USER_RESOURCE_ACCESS |
cloudsql.instances.listServerCas | USER_RESOURCE_ACCESS |
cloudsql.instances.listTagBindings | USER_RESOURCE_ACCESS |
cloudsql.instances.login | USER_LOGIN |
cloudsql.sslCerts.get | USER_RESOURCE_ACCESS |
cloudsql.sslCerts.list | USER_RESOURCE_ACCESS |
cloudsql.users.create | USER_RESOURCE_CREATION |
cloudsql.users.delete | RESOURCE_DELETION |
cloudsql.users.get | USER_RESOURCE_ACCESS |
cloudsql.users.list | USER_RESOURCE_ACCESS |
cloudsql.users.update | RESOURCE_WRITTEN |
cloudsql.backupRuns.create | USER_RESOURCE_CREATION |
cloudsql.backupRuns.delete | RESOURCE_DELETION |
cloudsql.instances.addServerCa | USER_RESOURCE_CREATION |
cloudsql.instances.clone | USER_RESOURCE_CREATION |
cloudsql.instances.connect | USER_LOGIN |
cloudsql.instances.create | USER_RESOURCE_CREATION |
cloudsql.instances.createTagBinding | USER_RESOURCE_CREATION |
cloudsql.instances.delete | RESOURCE_DELETION |
cloudsql.instances.deleteTagBinding | RESOURCE_DELETION |
cloudsql.instances.demoteMaster | STATUS_UPDATE |
cloudsql.instances.failover | STATUS_UPDATE |
cloudsql.instances.promoteReplica | STATUS_UPDATE |
cloudsql.instances.resetSslConfig | USER_RESOURCE_UPDATE_CONTENT |
cloudsql.instances.restart | STATUS_STARTUP |
cloudsql.instances.restoreBackup | STATUS_UPDATE |
cloudsql.instances.rotateServerCa | STATUS_UPDATE |
cloudsql.instances.startReplica | STATUS_STARTUP |
cloudsql.instances.stopReplica | STATUS_UPDATE |
cloudsql.instances.truncateLog | STATUS_UPDATE |
cloudsql.instances.update | RESOURCE_WRITTEN |
cloudsql.sslCerts.create | USER_RESOURCE_CREATION |
cloudsql.sslCerts.createEphemeral | USER_RESOURCE_CREATION |
cloudsql.sslCerts.delete | RESOURCE_DELETION |
compute.instances.insert | RESOURCE_CREATION |
compute.instanceGroups.removeInstances | RESOURCE_DELETION |
compute.instances.setMetadata | USER_RESOURCE_UPDATE_CONTENT |
compute.instances.setLabels | USER_RESOURCE_CREATION |
compute.instances.setTags | USER_RESOURCE_CREATION |
compute.instances.setIamPolicy | USER_RESOURCE_UPDATE_PERMISSIONS |
compute.instances.list | USER_RESOURCE_ACCESS |
compute.images.get | USER_RESOURCE_ACCESS |
compute.interconnectAttachments.aggregatedList | USER_RESOURCE_ACCESS |
compute.instance.getSerialPortOutput | USER_RESOURCE_ACCESS |
compute.instances.migrateOnHostMaintenance | RESOURCE_CREATION |
compute.instances.automaticRestart | USER_RESOURCE_UPDATE_CONTENT |
compute.instanceGroupManagers.resizeAdvanced | USER_RESOURCE_UPDATE_CONTENT |
google.ssh-serialport.v1.connect | NETWORK_CONNECTION |
firewalls.delete | RESOURCE_DELETION |
firewalls.insert | RESOURCE_CREATION |
firewalls.patch | USER_RESOURCE_UPDATE_CONTENT |
firewalls.update | RESOURCE_WRITTEN |
forwardingRules.delete | RESOURCE_DELETION |
forwardingRules.insert | RESOURCE_CREATION |
forwardingRules.patch | USER_RESOURCE_UPDATE_CONTENT |
forwardingRules.setTarget | STATUS_UPDATE |
networks.addPeering | STATUS_UPDATE |
networks.delete | RESOURCE_DELETION |
networks.insert | RESOURCE_CREATION |
networks.patch | USER_RESOURCE_UPDATE_CONTENT |
networks.removePeering | RESOURCE_DELETION |
networks.switchToCustomMode | STATUS_UPDATE |
networks.updatePeering | RESOURCE_WRITTEN |
routes.delete | RESOURCE_DELETION |
routes.insert | USER_RESOURCE_CREATION |
subnetworks.delete | RESOURCE_DELETION |
subnetworks.expandIpCidrRange | STATUS_UPDATE |
subnetworks.insert | RESOURCE_CREATION |
subnetworks.patch | USER_RESOURCE_UPDATE_CONTENT |
subnetworks.setIamPolicy | USER_RESOURCE_UPDATE_PERMISSIONS |
subnetworks.setPrivateIpGoogleAccess | STATUS_UPDATE |
subnetworks.testIamPermissions | USER_RESOURCE_ACCESS |
firewalls.get | USER_RESOURCE_ACCESS |
firewalls.list | USER_RESOURCE_ACCESS |
forwardingRules.aggregatedList | USER_RESOURCE_ACCESS |
forwardingRules.get | USER_RESOURCE_ACCESS |
forwardingRules.list | USER_RESOURCE_ACCESS |
networks.get | USER_RESOURCE_ACCESS |
networks.list | USER_RESOURCE_ACCESS |
networks.listPeeringRoutes | USER_RESOURCE_ACCESS |
routes.get | USER_RESOURCE_ACCESS |
routes.list | USER_RESOURCE_ACCESS |
subnetworks.aggregatedList | USER_RESOURCE_ACCESS |
subnetworks.get | USER_RESOURCE_ACCESS |
subnetworks.getIamPolicy | USER_RESOURCE_ACCESS |
subnetworks.list | USER_RESOURCE_ACCESS |
subnetworks.listUsable | USER_RESOURCE_ACCESS |
google.admin.AdminService.alertCenterBatchDeleteAlerts | RESOURCE_DELETION |
google.admin.AdminService.alertCenterBatchUndeleteAlerts | RESOURCE_DELETION |
google.admin.AdminService.alertCenterCreateAlert | USER_RESOURCE_CREATION |
google.admin.AdminService.alertCenterCreateFeedback | USER_RESOURCE_CREATION |
google.admin.AdminService.alertCenterDeleteAlert | RESOURCE_DELETION |
google.admin.AdminService.alertCenterGetAlertMetadata | USER_RESOURCE_ACCESS |
google.admin.AdminService.alertCenterGetCustomerSettings | USER_RESOURCE_ACCESS |
google.admin.AdminService.alertCenterGetSitLink | USER_RESOURCE_ACCESS |
google.admin.AdminService.alertCenterListChange | USER_RESOURCE_ACCESS |
google.admin.AdminService.alertCenterListFeedback | USER_RESOURCE_ACCESS |
google.admin.AdminService.alertCenterListRelatedAlerts | USER_RESOURCE_ACCESS |
google.admin.AdminService.alertCenterUndeleteAlert | RESOURCE_DELETION |
google.admin.AdminService.alertCenterUpdateAlert | RESOURCE_WRITTEN |
google.admin.AdminService.alertCenterUpdateAlertMetadata | RESOURCE_WRITTEN |
google.admin.AdminService.alertCenterUpdateCustomerSettings | RESOURCE_WRITTEN |
google.admin.AdminService.alertCenterView | USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.changeApplicationSetting | USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.createApplicationSetting | USER_RESOURCE_CREATION |
google.admin.AdminService.deleteApplicationSetting | RESOURCE_DELETION |
google.admin.AdminService.reorderGroupBasedPoliciesEvent | USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.gplusPremiumFeatures | USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.createManagedConfiguration | USER_RESOURCE_CREATION |
google.admin.AdminService.deleteManagedConfiguration | RESOURCE_DELETION |
google.admin.AdminService.updateManagedConfiguration | RESOURCE_WRITTEN |
google.admin.AdminService.flashlightEduNonFeaturedServicesSelected | USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.createBuilding | USER_RESOURCE_CREATION |
google.admin.AdminService.deleteBuilding | RESOURCE_DELETION |
google.admin.AdminService.updateBuilding | RESOURCE_WRITTEN |
google.admin.AdminService.createCalendarResource | USER_RESOURCE_CREATION |
google.admin.AdminService.deleteCalendarResource | RESOURCE_DELETION |
google.admin.AdminService.createCalendarResourceFeature | USER_RESOURCE_CREATION |
google.admin.AdminService.deleteCalendarResourceFeature | RESOURCE_DELETION |
google.admin.AdminService.updateCalendarResourceFeature | RESOURCE_WRITTEN |
google.admin.AdminService.renameCalendarResource | USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.updateCalendarResource | RESOURCE_WRITTEN |
google.admin.AdminService.changeCalendarSetting | USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.cancelCalendarEvents | USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.releaseCalendarResources | USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.meetInteropCreateGateway | USER_RESOURCE_CREATION |
google.admin.AdminService.meetInteropDeleteGateway | RESOURCE_DELETION |
google.admin.AdminService.meetInteropModifyGateway | USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.changeChatSetting | USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.changeChromeOsAndroidApplicationSetting | USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.changeChromeOsApplicationSetting | USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.sendChromeOsDeviceCommand | USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.changeChromeOsDeviceAnnotation | USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.changeChromeOsDeviceSetting | USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.changeChromeOsDeviceState | USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.changeChromeOsPublicSessionSetting | USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.insertChromeOsPrinter | USER_RESOURCE_CREATION |
google.admin.AdminService.deleteChromeOsPrinter | RESOURCE_DELETION |
google.admin.AdminService.updateChromeOsPrinter | RESOURCE_WRITTEN |
google.admin.AdminService.changeChromeOsSetting | USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.changeChromeOsUserSetting | USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.removeChromeOsApplicationSettings | RESOURCE_DELETION |
google.admin.AdminService.changeContactsSetting | USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.assignRole | USER_RESOURCE_UPDATE_PERMISSIONS |
google.admin.AdminService.createRole | USER_RESOURCE_CREATION |
google.admin.AdminService.deleteRole | RESOURCE_DELETION |
google.admin.AdminService.addPrivilege | USER_RESOURCE_CREATION |
google.admin.AdminService.removePrivilege | RESOURCE_DELETION |
google.admin.AdminService.renameRole | USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.updateRole | RESOURCE_WRITTEN |
google.admin.AdminService.unassignRole | USER_RESOURCE_UPDATE_PERMISSIONS |
google.admin.AdminService.deleteDevice | RESOURCE_DELETION |
google.admin.AdminService.moveDeviceToOrgUnit | USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.transferDocumentOwnership | USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.driveDataRestore | USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.changeDocsSetting | USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.changeAccountAutoRenewal | USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.addApplication | USER_RESOURCE_CREATION |
google.admin.AdminService.addApplicationToWhitelist | USER_RESOURCE_CREATION |
google.admin.AdminService.changeAdvertisementOption | USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.createAlert | USER_RESOURCE_CREATION |
google.admin.AdminService.changeAlertCriteria | USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.deleteAlert | RESOURCE_DELETION |
google.admin.AdminService.alertReceiversChanged | USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.renameAlert | USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.alertStatusChanged | USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.addDomainAlias | USER_RESOURCE_CREATION |
google.admin.AdminService.removeDomainAlias | RESOURCE_DELETION |
google.admin.AdminService.skipDomainAliasMx | USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.verifyDomainAliasMx | USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.verifyDomainAlias | USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.toggleOauthAccessToAllApis | USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.toggleAllowAdminPasswordReset | USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.enableApiAccess | USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.authorizeApiClientAccess | USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.removeApiClientAccess | RESOURCE_DELETION |
google.admin.AdminService.chromeLicensesRedeemed | USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.toggleAutoAddNewService | USER_RESOURCE_CREATION |
google.admin.AdminService.changePrimaryDomain | USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.changeWhitelistSetting | USER_RESOURCE_ACCESS |
google.admin.AdminService.communicationPreferencesSettingChange | USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.changeConflictAccountAction | USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.enableFeedbackSolicitation | USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.toggleContactSharing | USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.createPlayForWorkToken | USER_RESOURCE_CREATION |
google.admin.AdminService.toggleUseCustomLogo | USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.changeCustomLogo | USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.changeDataLocalizationForRussia | USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.changeDataLocalizationSetting | USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.changeDataProtectionOfficerContactInfo | USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.deletePlayForWorkToken | RESOURCE_DELETION |
google.admin.AdminService.viewDnsLoginDetails | USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.changeDomainDefaultLocale | USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.changeDomainDefaultTimezone | USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.changeDomainName | USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.toggleEnablePreReleaseFeatures | USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.changeDomainSupportMessage | USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.addTrustedDomains | USER_RESOURCE_CREATION |
google.admin.AdminService.removeTrustedDomains | RESOURCE_DELETION |
google.admin.AdminService.changeEduType | USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.toggleEnableOauthConsumerKey | USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.toggleSsoEnabled | USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.toggleSsl | USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.changeEuRepresentativeContactInfo | USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.generateTransferToken | USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.changeLoginBackgroundColor | USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.changeLoginBorderColor | USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.changeLoginActivityTrace | USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.playForWorkEnroll | USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.playForWorkUnenroll | USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.mxRecordVerificationClaim | USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.toggleNewAppFeatures | USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.toggleUseNextGenControlPanel | USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.uploadOauthCertificate | USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.regenerateOauthConsumerSecret | USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.toggleOpenIdEnabled | USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.changeOrganizationName | USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.toggleOutboundRelay | USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.changePasswordMaxLength | USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.changePasswordMinLength | USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.updateDomainPrimaryAdminEmail | RESOURCE_WRITTEN |
google.admin.AdminService.enableServiceOrFeatureNotifications | USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.removeApplication | RESOURCE_DELETION |
google.admin.AdminService.removeApplicationFromWhitelist | RESOURCE_DELETION |
google.admin.AdminService.changeRenewDomainRegistration | USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.changeResellerAccess | USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.ruleActionsChanged | USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.createRule | USER_RESOURCE_CREATION |
google.admin.AdminService.changeRuleCriteria | USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.deleteRule | RESOURCE_DELETION |
google.admin.AdminService.renameRule | USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.ruleStatusChanged | USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.addSecondaryDomain | USER_RESOURCE_CREATION |
google.admin.AdminService.removeSecondaryDomain | RESOURCE_DELETION |
google.admin.AdminService.skipSecondaryDomainMx | USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.verifySecondaryDomainMx | USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.verifySecondaryDomain | USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.updateDomainSecondaryEmail | RESOURCE_WRITTEN |
google.admin.AdminService.changeSsoSettings | USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.generatePin | USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.updateRule | RESOURCE_WRITTEN |
google.admin.AdminService.dropFromQuarantine | USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.emailLogSearch | USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.emailUndelete | RESOURCE_DELETION |
google.admin.AdminService.changeEmailSetting | USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.changeGmailSetting | USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.createGmailSetting | USER_RESOURCE_CREATION |
google.admin.AdminService.deleteGmailSetting | RESOURCE_DELETION |
google.admin.AdminService.rejectFromQuarantine | USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.releaseFromQuarantine | USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.createGroup | USER_RESOURCE_CREATION |
google.admin.AdminService.deleteGroup | RESOURCE_DELETION |
google.admin.AdminService.changeGroupDescription | USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.groupListDownload | USER_RESOURCE_ACCESS |
google.admin.AdminService.addGroupMember | GROUP_MODIFICATION |
google.admin.AdminService.removeGroupMember | RESOURCE_DELETION |
google.admin.AdminService.updateGroupMember | RESOURCE_WRITTEN |
google.admin.AdminService.updateGroupMemberDeliverySettings | RESOURCE_WRITTEN |
google.admin.AdminService.updateGroupMemberDeliverySettingsCanEmailOverride | RESOURCE_WRITTEN |
google.admin.AdminService.groupMemberBulkUpload | USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.groupMembersDownload | USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.changeGroupName | USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.changeGroupSetting | USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.whitelistedGroupsUpdated | RESOURCE_WRITTEN |
google.admin.AdminService.securityInvestigationAction | USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.securityInvestigationActionCancellation | USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.securityInvestigationActionCompletion | USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.securityInvestigationActionRetry | USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.securityInvestigationActionVerificationConfirmation | USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.securityInvestigationActionVerificationRequest | USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.securityInvestigationActionVerificationRequestExpiration | USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.securityInvestigationChartCreate | USER_RESOURCE_CREATION |
google.admin.AdminService.securityInvestigationContentAccess | USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.securityInvestigationDownloadAttachment | USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.securityInvestigationExportActionResults | USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.securityInvestigationExportQuery | USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.securityInvestigationObjectCreateDraftInvestigation | USER_RESOURCE_CREATION |
google.admin.AdminService.securityInvestigationObjectDeleteInvestigation | RESOURCE_DELETION |
google.admin.AdminService.securityInvestigationObjectDuplicateInvestigation | USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.securityInvestigationObjectOwnershipTransfer | USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.securityInvestigationObjectSaveInvestigation | USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.securityInvestigationObjectUpdateDirectSharing | RESOURCE_WRITTEN |
|
google.admin.AdminService.securityInvestigationObjectUpdateLinkSharing
|
RESOURCE_WRITTEN
|
google.admin.AdminService.securityInvestigationQuery
|
USER_RESOURCE_UPDATE_CONTENT
|
google.admin.AdminService.securityInvestigationSettingUpdate
|
RESOURCE_WRITTEN
|
google.admin.AdminService.addToTrustedOauth2Apps | USER_RESOURCE_CREATION |
google.admin.AdminService.allowAspWithout2Sv | USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.allowServiceForOauth2Access | USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.allowStrongAuthentication | USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.blockOnDeviceAccess | USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.changeAllowedTwoStepVerificationMethods | USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.changeAppAccessSettingsCollectionId | USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.changeCaaAppAssignments | USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.changeCaaDefaultAssignments | USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.changeCaaErrorMessage | USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.changeSessionLength | USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.changeTwoStepVerificationEnrollmentPeriodDuration | USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.changeTwoStepVerificationFrequency | USER_RESOURCE_UPDATE_PERMISSIONS |
google.admin.AdminService.changeTwoStepVerificationGracePeriodDuration | USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.changeTwoStepVerificationStartDate | USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.disallowServiceForOauth2Access | USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.enableNonAdminUserPasswordRecovery | USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.enforceStrongAuthentication | USER_RESOURCE_UPDATE_PERMISSIONS |
google.admin.AdminService.removeFromTrustedOauth2Apps | RESOURCE_DELETION |
google.admin.AdminService.sessionControlSettingsChange | USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.toggleCaaEnablement | USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.trustDomainOwnedOauth2Apps | USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.unblockOnDeviceAccess | USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.untrustDomainOwnedOauth2Apps | USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.updateErrorMsgForRestrictedOauth2Apps | RESOURCE_WRITTEN |
google.admin.AdminService.weakProgrammaticLoginSettingsChanged | USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.delete2SvScratchCodes | RESOURCE_DELETION |
google.admin.AdminService.generate2SvScratchCodes | USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.revoke3LoDeviceTokens | USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.revoke3LoToken | USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.addRecoveryEmail | USER_RESOURCE_CREATION |
google.admin.AdminService.addRecoveryPhone | USER_RESOURCE_CREATION |
google.admin.AdminService.grantAdminPrivilege | USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.revokeAdminPrivilege | USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.revokeAsp | USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.toggleAutomaticContactSharing | USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.bulkUpload | USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.bulkUploadNotificationSent | USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.cancelUserInvite | USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.changeUserCustomField | USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.changeUserExternalId | USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.changeUserGender | USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.changeUserIm | USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.enableUserIpWhitelist | USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.changeUserKeyword | USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.changeUserLanguage | USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.changeUserLocation | USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.changeUserOrganization | USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.changeUserPhoneNumber | USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.changeRecoveryEmail | USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.changeRecoveryPhone | USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.changeUserRelation | USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.changeUserAddress | USER_RESOURCE_CREATION |
google.admin.AdminService.createEmailMonitor | USER_RESOURCE_CREATION |
google.admin.AdminService.createDataTransferRequest | USER_RESOURCE_CREATION |
google.admin.AdminService.grantDelegatedAdminPrivileges | USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.deleteAccountInfoDump | RESOURCE_DELETION |
google.admin.AdminService.deleteEmailMonitor | RESOURCE_DELETION |
google.admin.AdminService.deleteMailboxDump | RESOURCE_DELETION |
google.admin.AdminService.changeFirstName | USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.gmailResetUser | USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.changeLastName | USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.mailRoutingDestinationAdded | USER_RESOURCE_CREATION |
google.admin.AdminService.mailRoutingDestinationRemoved | RESOURCE_DELETION |
google.admin.AdminService.addNickname | USER_RESOURCE_CREATION |
google.admin.AdminService.removeNickname | RESOURCE_DELETION |
google.admin.AdminService.changePassword | USER_CHANGE_PASSWORD |
google.admin.AdminService.changePasswordOnNextLogin | USER_CHANGE_PASSWORD |
google.admin.AdminService.downloadPendingInvitesList | USER_RESOURCE_ACCESS |
google.admin.AdminService.removeRecoveryEmail | RESOURCE_DELETION |
google.admin.AdminService.removeRecoveryPhone | RESOURCE_DELETION |
google.admin.AdminService.requestAccountInfo | USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.requestMailboxDump | USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.resendUserInvite | USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.resetSigninCookies | USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.securityKeyRegisteredForUser | USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.revokeSecurityKey | USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.userInvite | USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.viewTempPassword | USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.turnOff2StepVerification | USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.unblockUserSession | USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.unenrollUserFromTitanium | USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.archiveUser | USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.updateBirthdate | RESOURCE_WRITTEN |
google.admin.AdminService.createUser | USER_CREATION |
google.admin.AdminService.deleteUser | RESOURCE_DELETION |
google.admin.AdminService.downgradeUserFromGplus | USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.userEnrolledInTwoStepVerification | USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.downloadUserlistCsv | USER_RESOURCE_ACCESS |
google.admin.AdminService.moveUserToOrgUnit | USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.userPutInTwoStepVerificationGracePeriod | USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.renameUser | USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.unenrollUserFromStrongAuth | USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.suspendUser | USER_CHANGE_PERMISSIONS |
google.admin.AdminService.unarchiveUser | USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.undeleteUser | RESOURCE_DELETION |
google.admin.AdminService.upgradeUserToGplus | USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.usersBulkUpload | USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.usersBulkUploadNotificationSent | USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.createAccessLevelV2 | USER_RESOURCE_CREATION |
google.admin.AdminService.systemDefinedRuleUpdated | USER_RESOURCE_UPDATE_PERMISSIONS |
google.admin.AdminService.createDeviceEnrollmentToken | USER_RESOURCE_CREATION |
google.login.LoginService.2svDisable | STATUS_UPDATE |
google.login.LoginService.2svEnroll | STATUS_UPDATE |
google.login.LoginService.accountDisabledPasswordLeak | STATUS_UPDATE |
google.login.LoginService.accountDisabledGeneric | USER_LOGIN |
google.login.LoginService.accountDisabledSpammingThroughRelay | USER_LOGIN Security category: |
google.login.LoginService.accountDisabledSpamming | USER_LOGIN Security category: |
google.login.LoginService.accountDisabledHijacked | USER_LOGIN Security category: |
google.login.LoginService.emailForwardingOutOfDomain | EMAIL_TRANSACTION |
google.login.LoginService.govAttackWarning | USER_LOGIN Security category: |
google.login.LoginService.loginChallenge | USER_LOGIN |
google.login.LoginService.loginFailure | USER_LOGIN Security category: |
google.login.LoginService.loginVerification | USER_LOGIN |
google.login.LoginService.logout | USER_LOGOUT |
google.login.LoginService.loginSuccess | USER_LOGIN |
google.login.LoginService.passwordEdit | USER_CHANGE_PASSWORD |
google.login.LoginService.recoveryEmailEdit | USER_RESOURCE_UPDATE_CONTENT |
google.login.LoginService.recoveryPhoneEdit | USER_RESOURCE_UPDATE_CONTENT |
google.login.LoginService.recoverySecretQaEdit | USER_RESOURCE_UPDATE_CONTENT |
google.login.LoginService.suspiciousLogin | USER_LOGIN Security category: |
google.login.LoginService.suspiciousLoginLessSecureApp | USER_LOGIN Security category: |
google.login.LoginService.suspiciousProgrammaticLogin | USER_LOGIN Security category: |
google.login.LoginService.titaniumEnroll | USER_RESOURCE_UPDATE_CONTENT |
google.login.LoginService.titaniumUnenroll | USER_RESOURCE_CREATION |
google.identity.accesscontextmanager.v1.AccessContextManager.CreateAccessLevel | USER_RESOURCE_CREATION |
google.apps.cloudidentity.groups.v1.MembershipsService.UpdateMembership | USER_RESOURCE_UPDATE_CONTENT |
io.k8s.core.v1.pods.create | RESOURCE_CREATION |
io.k8s.authorization.rbac.v1.clusterrolebindings.create | RESOURCE_CREATION |
beta.compute.instanceTemplates.insert | RESOURCE_CREATION |
SetOrgPolicy | USER_RESOURCE_UPDATE_PERMISSIONS |
beta.compute.instanceGroupManagers.patch | RESOURCE_WRITTEN |
beta.compute.autoscalers.update | RESOURCE_WRITTEN |
compute.v1.InstancesService.Get | USER_RESOURCE_ACCESS |
google.storage.objects.list | USER_RESOURCE_ACCESS |
google.cloudresourcemanager.v1.Projects.SetIamPolicy | USER_RESOURCE_UPDATE_PERMISSIONS |
cloudsql.instances.query | USER_RESOURCE_ACCESS |
cloudtrace.googleapis.com/ListInsights | RESOURCE_READ |
google.cloud.functions.v1.CloudFunctionsService.CreateFunction | RESOURCE_CREATION |
google.api.servicemanagement.v1.ServiceManager.ActivateServices | USER_RESOURCE_UPDATE_CONTENT |
google.admin.AdminService.changePassword | USER_CHANGE_PASSWORD |
google.api.serviceusage.v1.ServiceUsage.DisableService | USER_RESOURCE_UPDATE_CONTENT |
AuthorizeUser | USER_LOGIN |
google.cloud.oslogin.v1.OsLoginService.CheckPolicy | USER_LOGIN |
google.admin.AdminService.unsuspendUser | USER_CHANGE_PERMISSIONS |
jobservice.jobcompleted | RESOURCE_WRITTEN |
compute.v1.ProjectsService.Get | USER_RESOURCE_ACCESS |
v1.compute.projects.setCommonInstanceMetadata | USER_RESOURCE_UPDATE_CONTENT |
CreateCryptoKey | RESOURCE_CREATION |
storage.buckets.get | RESOURCE_READ |
google.longrunning.Operations.GetOperation | RESOURCE_READ |
io.k8s.core.v1.pods.delete | RESOURCE_DELETION |
v1.compute.disks.delete | RESOURCE_DELETION |
v1.compute.disks.insert | RESOURCE_CREATION |
ScheduledSnapshots | RESOURCE_WRITTEN |
v1.compute.disks.setLabels | RESOURCE_WRITTEN |
google.cloud.healthcare.v1alpha2.dataset.DatasetService.AccessEhrSearch | STATUS_UPDATE |
io.k8s.apiextensions.v1.customresourcedefinitions.patch | RESOURCE_WRITTEN |
io.k8s.post | USER_UNCATEGORIZED |
v1.compute.instances.delete | RESOURCE_DELETION |
storage.buckets.list | RESOURCE_READ |
storage.objects.create | RESOURCE_CREATION |
google.pubsub.v1.Publisher.CreateTopic | RESOURCE_CREATION |
google.devtools.cloudbuild.v1.CloudBuild.ListBuilds | USER_RESOURCE_ACCESS |
google.cloud.asset.v1.AssetService.UpdateFeed | USER_RESOURCE_UPDATE_PERMISSIONS |
storage.objects.update | RESOURCE_WRITTEN |
datasetservice.insert | USER_RESOURCE_CREATION |
storage.setIamPermissions | USER_RESOURCE_UPDATE_PERMISSIONS |
io.k8s.coordination.v1.leases.update | RESOURCE_WRITTEN |
datasetservice.delete | USER_RESOURCE_DELETION |
compute.instances.repair.recreateInstance | RESOURCE_CREATION |
tableservice.delete | USER_RESOURCE_DELETION |
io.k8s.core.v1.configmaps.update | RESOURCE_WRITTEN |
io.k8s.core.v1.nodes.proxy.get | RESOURCE_READ |
compute.instances.repair.deleteInstance | RESOURCE_DELETION |
google.cloud.dataproc.v1.JobController.SubmitJob | RESOURCE_WRITTEN |
google.cloud.dataproc.v1beta2.ClusterController.UpdateCluster | RESOURCE_WRITTEN |
io.k8s.app.v1beta1.applications.update | RESOURCE_WRITTEN |
io.gke.networking.v1beta1.managedcertificates.update | RESOURCE_WRITTEN |
io.k8s.extensions.v1beta1.deployments.patch | RESOURCE_WRITTEN |
compute.instanceGroupManagers.deleteInstances | RESOURCE_DELETION |
io.k8s.authorization.rbac.v1.rolebindings.patch | RESOURCE_WRITTEN |
google.admin.AdminService.toggleServiceEnabled | USER_UNCATEGORIZED |
io.k8s.core.v1.services.proxy.get | RESOURCE_READ |
google.datastore.v1.Datastore.RunQuery | STATUS_UPDATE |
google.appengine.Datastore.Put | STATUS_UPDATE |
google.cloud.securitycenter.settings.v1beta2.Settings.UpdateSecurityHealthAnalyticsSettings | RESOURCE_WRITTEN |
v1.compute.securityPolicies.patchRule | RESOURCE_WRITTEN |
beta.compute.images.setIamPolicy | USER_RESOURCE_UPDATE_PERMISSIONS |
google.iam.v1.IAMPolicy.SetIamPolicy | USER_RESOURCE_UPDATE_PERMISSIONS |
io.k8s.certificates.v1.certificatesigningrequests.create | RESOURCE_CREATION |
io.k8s.core.v0.id.create | RESOURCE_CREATION |
google.cloud.orgpolicy.v2.OrgPolicy.DeletePolicy | RESOURCE_WRITTEN |
google.cloud.securitycenter.settings.v1beta2.Settings.UpdateEventThreatDetectionSettings | RESOURCE_DELETION |
UpdateCryptoKeyVersion | RESOURCE_WRITTEN |
google.apps.cloudidentity.groups.v1.GroupsService.UpdateGroup | RESOURCE_WRITTEN |
v1 | STATUS_UPDATE |
google.cloud.run.v1.Services.ReplaceService | SERVICE_UNCATEGORIZED |
updatePolicy | RESOURCE_WRITTEN |
updateBackup | RESOURCE_WRITTEN |
Field mapping reference: GCP_CLOUDAUDIT
The following table lists the log fields of the GCP_CLOUDAUDIT log type and their corresponding UDM fields.
Log field | UDM mapping | Logic |
---|---|---|
jsonPayload.accesses[].resourceName | about.resource.name | |
protoPayload.response.selfLink | about.url | |
protoPayload.metadata.event.eventName.parameter.name[login_challenge_method] | extensions.auth.auth_details | If the protoPayload.metadata.event.eventName log field value is equal to login_failure or login_verification or login_challenge or login_success, then if the protoPayload.metadata.event.eventName.parameter.name log field value is equal to login_challenge_method, then the protoPayload.metadata.event.eventName.parameter.value log field is mapped to the extensions.auth.auth_details UDM field. |
 | extensions.auth.auth_mechanism | If the protoPayload.metadata.event.eventName is equal to login_failure or login_verification or login_challenge or login_success, then the extensions.auth.auth_mechanism UDM field is set as follows. Set to MECHANISM_OTHER when the following conditions are met: the value in the protoPayload.metadata.event.eventName.parameter.name is equal to is_second_factor, and the value protoPayload.metadata.event.eventName.parameter.value is not equal to True. Set to USERNAME_PASSWORD when the following conditions are met: the value in the protoPayload.metadata.event.eventName.parameter.name is equal to login_challenge_method or login_type, and the value protoPayload.metadata.event.eventName.parameter.value is equal to exchange or password or google_password or saml. Set to OTP when the following conditions are met: the value in the protoPayload.metadata.event.eventName.parameter.name is equal to login_challenge_method or login_type, and the value protoPayload.metadata.event.eventName.parameter.value is equal to backup_code or google_authenticator or idv_any_phone or idv_preregistered_phone or offline_otp or security_key_otp. Set to INTERACTIVE when one of the following conditions is met: the value in the protoPayload.metadata.event.eventName.parameter.name is equal to is_second_factor and the value protoPayload.metadata.event.eventName.parameter.value is equal to True; or the value in the protoPayload.metadata.event.eventName.parameter.name is equal to login_challenge_method or login_type and the value protoPayload.metadata.event.eventName.parameter.value is equal to internal_two_factor or login_location. Set to MECHANISM_OTHER when the following conditions are met: the value in the protoPayload.metadata.event.eventName.parameter.name is equal to login_challenge_method or login_type, and the value protoPayload.metadata.event.eventName.parameter.value is equal to google_prompt or knowledge_employee_id or knowledge_preregistered_email or knowledge_preregistered_phone or other. Set to HARDWARE_KEY when the following conditions are met: the value in the protoPayload.metadata.event.eventName.parameter.name is equal to login_challenge_method or login_type, and the value protoPayload.metadata.event.eventName.parameter.value is equal to security_key. Set to MECHANISM_UNSPECIFIED when the following conditions are met: the value in the protoPayload.metadata.event.eventName.parameter.name is equal to login_challenge_method or login_type, and the value protoPayload.metadata.event.eventName.parameter.value is equal to reauth or unknown. |
 | extensions.auth.type | If the protoPayload.metadata.event.eventName log field value is equal to login_failure or login_verification or login_challenge or login_success, then if the protoPayload.metadata.event.eventName.parameter.name log field value is equal to login_challenge_method, then the extensions.auth.type UDM field is set to MACHINE. |
protoPayload.response.vulnerability.shortDescription | extensions.vulns.vulnerabilities.cve_id | |
protoPayload.response.vulnerability.effectiveSeverity | extensions.vulns.vulnerabilities.severity | If the protoPayload.response.vulnerability.effectiveSeverity log field value contains one of the following values, then the protoPayload.response.vulnerability.effectiveSeverity log field is mapped to the extensions.vulns.vulnerabilities.severity UDM field: CRITICAL, HIGH, MEDIUM, LOW. |
protoPayload.request.occurrence.vulnerability.shortDescription | extensions.vulns.vulnerabilities.cve_id | |
protoPayload.request.occurrence.vulnerability.effectiveSeverity | extensions.vulns.vulnerabilities.severity | If the protoPayload.request.occurrence.vulnerability.effectiveSeverity log field value contains one of the following values, then the protoPayload.request.occurrence.vulnerability.effectiveSeverity log field is mapped to the extensions.vulns.vulnerabilities.severity UDM field: CRITICAL, HIGH, MEDIUM, LOW. |
protoPayload.request.occurrence.resourceUri | additional.fields[request_resourceuri] | |
protoPayload.request.spec.type | target.resource.attribute.labels[request_spec_type] | |
protoPayload.response.spec.type | target.resource.attribute.labels[response_spec_type] | |
protoPayload.request.spec.template.spec.shareProcessNamespace | target.resource.attribute.labels[req_spec_template_spec_share_process_namespace] | |
protoPayload.response.spec.template.spec.shareProcessNamespace | target.resource.attribute.labels[resp_spec_template_spec_share_process_namespace] | |
protoPayload.request.spec.jobTemplate.spec.template.spec.shareProcessNamespace | target.resource.attribute.labels[req_spec_jobtemplate_spec_template_spec_share_process_namespace] | |
protoPayload.request.spec.jobTemplate.spec.template.spec.restartPolicy | target.resource.attribute.labels[req_spec_jobtemplate_spec_template_spec_restart_policy] | |
protoPayload.request.spec.jobTemplate.spec.template.spec.containers.args | target.resource_ancestors.attribute.labels[req_spec_jobtemplate_spec_template_spec_container_arg_{index}] | |
protoPayload.request.spec.jobTemplate.spec.template.spec.containers.command | target.resource_ancestors.attribute.labels[req_spec_jobtemplate_spec_template_spec_container_command_{index}] | |
protoPayload.request.spec.jobTemplate.spec.template.spec.containers.image | target.resource_ancestors.attribute.labels[req_spec_jobtemplate_spec_template_spec_container_image] | |
protoPayload.request.spec.jobTemplate.spec.template.spec.containers.imagePullPolicy | target.resource_ancestors.attribute.labels[req_spec_jobtemplate_spec_template_spec_container_image_pull_policy] | |
protoPayload.request.spec.jobTemplate.spec.template.spec.containers.name | target.resource_ancestors.name | |
protoPayload.request.spec.jobTemplate.spec.template.spec.containers.resources.limits.cpu | target.resource_ancestors.attribute.labels[req_spec_jobtemplate_spec_template_spec_container_resource_limits_cpu] | |
protoPayload.request.spec.jobTemplate.spec.template.spec.containers.resources.limits.memory | target.resource_ancestors.attribute.labels[req_spec_jobtemplate_spec_template_spec_container_resource_limits_memory] | |
protoPayload.request.spec.jobTemplate.spec.template.spec.containers.resources.requests.cpu | target.resource_ancestors.attribute.labels[req_spec_jobtemplate_spec_template_spec_container_resource_request_cpu] | |
protoPayload.request.spec.jobTemplate.spec.template.spec.containers.resources.requests.memory | target.resource_ancestors.attribute.labels[req_spec_jobtemplate_spec_template_spec_container_resource_request_memory] | |
protoPayload.request.spec.jobTemplate.spec.template.spec.containers.securityContext.allowPrivilegeEscalation | target.resource_ancestors.attribute.labels[req_spec_jobtemplate_spec_template_spec_container_security_context_allow_privilege_escalation] | |
protoPayload.request.spec.jobTemplate.spec.template.spec.containers.securityContext.capabilities.drop | target.resource_ancestors.attribute.labels[req_spec_jobtemplate_spec_template_spec_container_security_context_capabilities_drop_{index}] | |
protoPayload.request.spec.jobTemplate.spec.template.spec.containers.securityContext.privileged | target.resource_ancestors.attribute.labels[req_spec_jobtemplate_spec_template_spec_container_security_context_privileged] | |
protoPayload.request.spec.jobTemplate.spec.template.spec.containers.securityContext.readOnlyRootFilesystem | target.resource_ancestors.attribute.labels[req_spec_jobtemplate_spec_template_spec_container_security_context_read_only_root_filesystem] | |
protoPayload.request.spec.jobTemplate.spec.template.spec.containers.terminationMessagePath | target.resource_ancestors.attribute.labels[req_spec_jobtemplate_spec_template_spec_container_termination_message_path] | |
protoPayload.request.spec.jobTemplate.spec.template.spec.containers.terminationMessagePolicy | target.resource_ancestors.attribute.labels[req_spec_jobtemplate_spec_template_spec_container_termination_message_policy] | |
protoPayload.request.spec.jobTemplate.spec.template.spec.containers.volumeMounts.mountPath | target.resource_ancestors.attribute.labels[req_spec_jobtemplate_spec_template_spec_container_volume_mounts_mount_path_{index}] | |
protoPayload.request.spec.jobTemplate.spec.template.spec.containers.volumeMounts.name | target.resource_ancestors.attribute.labels[req_spec_jobtemplate_spec_template_spec_container_volume_mounts_name_{index}] | |
protoPayload.request.spec.jobTemplate.spec.template.spec.containers.volumeMounts.readOnly | target.resource_ancestors.attribute.labels[req_spec_jobtemplate_spec_template_spec_container_volume_mounts_readonly_{index}] | |
protoPayload.metadata.event.eventName.parameter.name[GATEWAY_NAME] | intermediary.resource.name | |
receiveTimestamp | metadata.collected_timestamp | |
protoPayload.response.operationType | metadata.description | If the protoPayload.methodName log field value is equal to cloudsql.instances.create, then the protoPayload.response.operationType - protoPayload.response.kind log field is mapped to the metadata.description UDM field. |
protoPayload.response.kind | target.resource.attribute.labels[response_kind] | |
protoPayload.status.message | metadata.description | |
protoPayload.metadata.event.eventName.parameter.name[SETTING_DESCRIPTION] | metadata.description | |
timestamp | metadata.event_timestamp | |
protoPayload.methodName | metadata.product_event_type | |
resource.labels.method | metadata.product_event_type | |
jsonPayload.event_subtype | metadata.product_event_type | |
insertId | metadata.product_log_id | |
protoPayload.metadata.event.eventName.parameter.name[PRODUCT_NAME] | metadata.product_name | If the protoPayload.serviceName log field value matches the regular expression (compute.googleapis.com), then the metadata.product_name UDM field is set to Google Compute Engine. If the protoPayload.serviceName log field value matches the regular expression (bigquery.googleapis.com), then the metadata.product_name UDM field is set to BigQuery. If the protoPayload.serviceName log field value matches the regular expression (admin.googleapis.com or login.googleapis.com or cloudidentity.googleapis.com), then the metadata.product_name UDM field is set to G Suite. If the protoPayload.serviceName log field value matches the regular expression (k8s.io), then the metadata.product_name UDM field is set to Google Kubernetes Engine. If the protoPayload.serviceName log field value matches the regular expression (servicemanagement.googleapis.com), then the metadata.product_name UDM field is set to Google Service Management. If the protoPayload.serviceName log field value matches the regular expression (storage.googleapis.com), then the metadata.product_name UDM field is set to Google Cloud Storage. If the protoPayload.serviceName log field value matches the regular expression (cloudsql.googleapis.com), then the metadata.product_name UDM field is set to Google Cloud SQL. If the protoPayload.serviceName log field value matches the regular expression (dataproc.googleapis.com), then the metadata.product_name UDM field is set to Google Dataproc. If the protoPayload.serviceName log field value matches the regular expression (iam.googleapis.com), then the metadata.product_name UDM field is set to Google Cloud IAM. If the protoPayload.serviceName log field value matches the regular expression (accesscontextmanager.googleapis.com), then the metadata.product_name UDM field is set to Context Manager API. |
logName | metadata.url_back_to_product | |
protoPayload.response.selfLinkWithId | metadata.url_back_to_product | |
 | metadata.vendor_name | The metadata.vendor_name UDM field is set to Google Cloud Platform. |
httpRequest.protocol | network.application_protocol | |
protoPayload.metadata.request_id | network.community_id | |
protoPayload.resourceOriginalState.direction | network.direction | |
protoPayload.request.direction | network.direction | |
protoPayload.response.duration | network.session_duration | |
protoPayload.request.serialConsoleOptions | principal.port | protoPayload.request.serialConsoleOptions, then: If the protoPayload.request.serialConsoleOptions.name value is equal to port, then the protoPayload.request.serialConsoleOptions.value log field is mapped to the principal.port UDM field. Else, the protoPayload.request.serialConsoleOptions.name log field is mapped to the principal.resource.attribute.labels.key UDM field and the protoPayload.request.serialConsoleOptions.value log field is mapped to the principal.resource.attribute.labels.value UDM field. |
protoPayload.metadata.event.eventName.parameter.name[EMAIL_LOG_SEARCH_SENDER] | network.email.from | |
protoPayload.metadata.event.eventName.parameter.name[EMAIL_LOG_SEARCH_MSG_ID] | network.email.mail_id | |
protoPayload.metadata.event.eventName.parameter.name[EMAIL_LOG_SEARCH_RECIPIENT] | network.email.to | |
httpRequest.requestMethod | network.http.method | |
protoPayload.requestMetadata.requestAttributes.method | network.http.method | |
httpRequest.referer | network.http.referral_url | |
protoPayload.requestMetadata.requestAttributes.path | network.http.referral_url | |
httpRequest.requestUrl | network.http.referral_url | |
protoPayload.resourceOriginalState.network | network.http.referral_url | |
httpRequest.status | network.http.response_code | |
protoPayload.response.error.code | network.http.response_code | |
protoPayload.status.code | security_result.detection_fields [status_code] | |
protoPayload.requestMetadata.callerSuppliedUserAgent | network.http.user_agent | If the protoPayload.requestMetadata.callerSuppliedUserAgent log field value matches the regular expression Group, then the protoPayload.requestMetadata.callerSuppliedUserAgent log field is mapped to the principal.group.group_display_name UDM field. |
httpRequest.userAgent | network.http.user_agent | |
protoPayload.resourceOriginalState.alloweds.IPProtocol | network.ip_protocol | |
protoPayload.requestMetadata.requestAttributes.protocol | network.ip_protocol | |
protoPayload.request.IPProtocol | network.ip_protocol | |
protoPayload.request.alloweds.IPProtocol | network.ip_protocol | |
jsonPayload.connection.protocol | network.ip_protocol | |
protoPayload.metadata.event.eventName.parameter.name[ORG_UNIT_NAME] | network.organization_name | |
httpRequest.responseSize | network.received_bytes | |
httpRequest.requestSize | network.sent_bytes | |
jsonPayload.bytes_sent | network.sent_bytes | |
protoPayload.requestMetadata.requestAttributes.id | network.session_id | |
ProtoPayload.authenticationInfo.serviceAccountDelegationInfo.firstPartyPrincipal.principalEmail
principal.email
jsonPayload.src_instance.vm_name
principal.hostname
protoPayload.requestMetadata.callerIp
principal.ip
protoPayload.metadata.event.eventName.parameter.name[EMAIL_LOG_SEARCH_SMTP_SENDER_IP]
principal.ip
jsonPayload.connection.src_ip
principal.ip
httpRequest.serverIp
principal.ip
resourceLocation.originalLocations
principal.location.name
jsonPayload.connection.nat_ip
principal.nat_ip
jsonPayload.connection.nat_port
principal.nat_port
jsonPayload.connection.src_port
principal.port
protoPayload.authorizationInfo.resource
principal.resource.name
If the protoPayload.authorizationInfo.resource log field value is not empty, then the protoPayload.authorizationInfo.resource log field is mapped to the principal.resource.name UDM field.
protoPayload.authorizationInfo.resourceAttributes.name
principal.resource.name
If the protoPayload.authorizationInfo.resourceAttributes.name log field value is not empty, then the protoPayload.authorizationInfo.resourceAttributes.name log field is mapped to the principal.resource.name UDM field.
protoPayload.authorizationInfo.permission
target.resource_ancestors.attribute.permissions.name
protoPayload.authorizationInfo.permissionType
target.resource_ancestors.attribute.permissions.type
protoPayload.authorizationInfo.resourceAttributes.service
target.resource_ancestors.attribute.labels[resource_attribute_service]
protoPayload.authorizationInfo.granted
target.resource_ancestors.attribute.labels[authorization_granted]
protoPayload.resourceOriginalState.name
principal.resource.name
protoPayload.authorizationInfo.resourceAttributes.type
principal.resource.resource_subtype
principal.user.account_type
If the access.principalSubject log field value matches the regular expression serviceAccount, then the principal.user.account_type UDM field is set to SERVICE_ACCOUNT_TYPE.
If the access.principalSubject log field value matches the regular expression user, then the principal.user.account_type UDM field is set to CLOUD_ACCOUNT_TYPE.
protoPayload.authorizationInfo.authorizationLoggingOptions.permissionType
principal.user.attribute.permissions.description
protoPayload.request.serviceAccounts[].scopes
principal.user.attribute.permissions.name
protoPayload.authorizationInfo.permission
principal.user.attribute.permissions.name
protoPayload.authorizationInfo.authorizationLoggingOptions.permissionType
principal.user.attribute.permissions.type
protoPayload.serviceData.policyDelta.bindingDeltas[].action
principal.user.attribute.roles.description
protoPayload.request.bindings.role
principal.user.attribute.roles.name
protoPayload.serviceData.policyDelta.bindingDeltas[].role
principal.user.attribute.roles.name
jsonPayload.location.principalEmployingEntity
principal.user.company_name
jsonPayload.location.principalOfficeCountry
principal.user.office_address.country_or_region
protoPayload.authenticationInfo.principalEmail
principal.user.userid
If the protoPayload.authenticationInfo.principalEmail log field value is not empty, then userid_auth is extracted from the protoPayload.authenticationInfo.principalEmail log field using a Grok pattern, and mapped to the principal.user.userid UDM field.
protoPayload.metadata.jobInsertion.job.jobConfig.queryConfig.query
additional.fields[job_insertion_query_org_id_{index}]
If the protoPayload.metadata.jobInsertion.job.jobConfig.queryConfig.query log field value is not empty, then org_ids are extracted from the protoPayload.metadata.jobInsertion.job.jobConfig.queryConfig.query log field using a Grok pattern, and mapped to the additional.fields.job_insertion_query_org_id_{index} UDM field.
protoPayload.serviceData.jobInsertRequest.resource.jobConfiguration.query.query
additional.fields[job_insert_request_query_org_id_{index}]
If the protoPayload.serviceData.jobInsertRequest.resource.jobConfiguration.query.query log field value is not empty, then org_ids are extracted from the protoPayload.serviceData.jobInsertRequest.resource.jobConfiguration.query.query log field using a Grok pattern, and mapped to the additional.fields.job_insert_request_query_org_id_{index} UDM field.
protoPayload.request.permissions
target.resource.attribute.labels.permission
protoPayload.request.username
principal.user.userid
protoPayload.metadata.event.eventName.parameter.value
principal.user.userid
If the protoPayload.metadata.event.eventName log field value is equal to CREATE_EMAIL_MONITOR or CREATE_DATA_TRANSFER_REQUEST: if the protoPayload.metadata.event.eventName.parameter.name log field value is equal to USER_EMAIL, then userid is extracted from the protoPayload.metadata.event.eventName.parameter.value log field using a Grok pattern, and mapped to the principal.user.userid UDM field.
protoPayload.authenticationInfo.authoritySelector
principal.user.userid
If the protoPayload.authenticationInfo.authoritySelector log field value is not empty, then userid_selector is extracted from the protoPayload.authenticationInfo.authoritySelector log field using a Grok pattern, and mapped to the principal.user.userid UDM field.
jsonPayload.actor.user
principal.user.userid
If the jsonPayload.actor.user log field value is not empty, then userid_actor is extracted from the jsonPayload.actor.user log field using a Grok pattern, and mapped to the principal.user.userid UDM field.
protoPayload.authenticationInfo.principalEmail
principal.user.email_addresses
If the protoPayload.authenticationInfo.principalEmail log field value is not empty and the protoPayload.authenticationInfo.principalEmail log field value matches the regular expression . @., then the protoPayload.authenticationInfo.principalEmail log field is mapped to the principal.user.email_addresses UDM field.
protoPayload.metadata.event.eventName.parameter.value
principal.user.email_addresses
protoPayload.metadata.event.eventName.parameter.value is mapped to principal.user.email_addresses when the following conditions are met:
- The protoPayload.metadata.event.eventName log field value is equal to CREATE_EMAIL_MONITOR or CREATE_DATA_TRANSFER_REQUEST.
- The protoPayload.metadata.event.eventName.parameter.name log field value is equal to USER_EMAIL.
- The protoPayload.metadata.event.eventName.parameter.name log field value matches the regular expression .@.
protoPayload.authenticationInfo.authoritySelector
principal.user.email_addresses
If the protoPayload.authenticationInfo.authoritySelector log field value is not empty and the protoPayload.authenticationInfo.authoritySelector log field value matches the regular expression . @., then the protoPayload.authenticationInfo.authoritySelector log field is mapped to the principal.user.email_addresses UDM field.
jsonPayload.actor.user
principal.user.email_addresses
If the jsonPayload.actor.user log field value is not empty and the jsonPayload.actor.user log field value matches the regular expression . @., then the jsonPayload.actor.user log field is mapped to the principal.user.email_addresses UDM field.
protoPayload.metadata.event.eventName.parameter.name[login_challenge_status]
security_result.action
security_result.action is set to ALLOW when the following conditions are met:
- The protoPayload.metadata.event.eventName log field value is equal to login_challenge or login_verification.
- The protoPayload.metadata.event.eventName.parameter.name log field value is equal to login_challenge_status.
- The protoPayload.metadata.event.parameter.value log field value is equal to Challenge Passed.
security_result.action is set to FAIL when the following conditions are met:
- The protoPayload.metadata.event.eventName log field value is equal to login_challenge or login_verification.
- The protoPayload.metadata.event.eventName.parameter.name log field value is equal to login_challenge_status.
- The protoPayload.metadata.event.parameter.value log field value is equal to Challenge Failed.
protoPayload.metadata.event.eventName.parameter.name[ACTION_TYPE]
security_result.action
security_result.action is set to ALLOW when the following conditions are met:
- The protoPayload.metadata.event.eventName log field value is equal to ACTION_CANCELLED or ACTION_REQUESTED.
- The protoPayload.metadata.event.eventName.parameter.name log field value is equal to ACTION_TYPE.
- The protoPayload.metadata.event.parameter.value log field value is equal to ALLOW_ACCESS or APPROVE.
security_result.action is set to BLOCK when the following conditions are met:
- The protoPayload.metadata.event.eventName log field value is equal to ACTION_CANCELLED or ACTION_REQUESTED.
- The protoPayload.metadata.event.eventName.parameter.name log field value is equal to ACTION_TYPE.
- The protoPayload.metadata.event.parameter.value log field value is equal to DISALLOW_ACCESS or BLOCK.
- If the protoPayload.response.error.errors log field value is not empty.
security_result.action is set to ALLOW_WITH_MODIFICATION when the following conditions are met:
- The protoPayload.metadata.event.eventName log field value is equal to ACTION_CANCELLED or ACTION_REQUESTED.
- The protoPayload.metadata.event.eventName.parameter.name log field value is equal to ACTION_TYPE.
- The protoPayload.metadata.event.parameter.value log field value is equal to RESET_PIN or REVOKE_TOKEN.
security_result.action is set to QUARANTINE when the following conditions are met:
- The protoPayload.metadata.event.eventName log field value is equal to ACTION_CANCELLED or ACTION_REQUESTED.
- The protoPayload.metadata.event.eventName.parameter.name log field value is equal to ACTION_TYPE.
- The protoPayload.metadata.event.parameter.value log field value is equal to LOCK_DEVICE.
security_result.action is set to QUARANTINE when the following conditions are met:
- The protoPayload.metadata.event.eventName log field value is equal to ACTION_CANCELLED or ACTION_REQUESTED.
- The protoPayload.metadata.event.eventName.parameter.name log field value is equal to ACTION_TYPE.
- The protoPayload.metadata.event.parameter.value log field value is equal to ACCOUNT_WIPE or COLLECT_BUGREPORT or DEVICE_WIPE or LOCATE_DEVICE or REMOVE_APP_FROM_DEVICE or REMOVE_IOS_PROFILE or RING_DEVICE or SYNC_DEVICE or UNKNOWN.
security_result.action_details
If the protoPayload.metadata.event.eventName log field value is equal to login_challenge or login_verification, then if the protoPayload.metadata.event.eventName.parameter.name log field value is equal to login_challenge_status, then the protoPayload.metadata.event.eventName.parameter.value log field is mapped to the security_result.action_details UDM field.
If the protoPayload.metadata.event.eventName log field value is equal to ACTION_CANCELLED or ACTION_REQUESTED, then if the protoPayload.metadata.event.eventName.parameter.name log field value is equal to ACTION_TYPE, then the protoPayload.metadata.event.eventName.parameter.value log field is mapped to the security_result.action_details UDM field.
protoPayload.metadata.event.eventName.parameter.name[is_suspicious]
security_result.category
If the protoPayload.metadata.event.eventName log field value is equal to login_success, then if the protoPayload.metadata.event.eventName.parameter.name log field value is equal to is_suspicious, then if the protoPayload.metadata.event.eventName.parameter.value log field value is equal to True, then the security_result.category UDM field is set to NETWORK_SUSPICIOUS.
logName
security_result.category_details
protoPayload.response.status
security_result.description
protoPayload.response.error.errors[].reason
security_result.description
protoPayload.metadata.tableCreation.reason
security_result.description
protoPayload.metadata.tableChange.reason
security_result.description
protoPayload.metadata.tableDeletion.reason
security_result.description
protoPayload.metadata.datasetCreation.reason
security_result.description
protoPayload.metadata.datasetDeletion.reason
security_result.description
protoPayload.policyViolationInfo.orgPolicyViolationInfo.violationInfo.errorMessage
security_result.description
protoPayload.status.message
security_result.description
protoPayload.request.status
security_result.description
jsonPayload.reason[].detail
security_result.description
protoPayload.response.status.state
security_result.description
protoPayload.response.status.conditions[].message
security_result.description
If the message log field value matches the regular expression response.*status.*conditions.*message, then the protoPayload.response.status.conditions.0.message log field is mapped to the security_result.description UDM field.
protoPayload.resourceOriginalState.priority
security_result.priority_details
protoPayload.request.priority
security_result.priority_details
protoPayload.serviceData.jobGetQueryResultsResponse.job.jobConfiguration.query.queryPriority
security_result.priority_details
protoPayload.metadata.vpcServiceControlsUniqueId
security_result.rule_id
protoPayload.request.body.settings.activationPolicy
security_result.rule_name
protoPayload.request.policy
security_result.rule_name
protoPayload.metadata.violationReason
security_result.rule_name
protoPayload.policyViolationInfo.orgPolicyViolationInfo.violationInfo.policyType
security_result.rule_type
protoPayload.metadata.dryRun
security_result.rule_type
severity
security_result.severity
security_result.severity_details
If the severity log field value is equal to CRITICAL, then the security_result.severity UDM field is set to CRITICAL.
If the severity log field value is equal to ERROR, then the security_result.severity UDM field is set to ERROR.
If the severity log field value is equal to ALERT or EMERGENCY, then the security_result.severity UDM field is set to HIGH.
If the severity log field value is equal to INFO or NOTICE, then the security_result.severity UDM field is set to INFORMATIONAL.
If the severity log field value is equal to DEBUG, then the security_result.severity UDM field is set to LOW.
If the severity log field value is equal to WARNING, then the security_result.severity UDM field is set to MEDIUM.
Else, the security_result.severity UDM field is set to UNKNOWN_SEVERITY.
protoPayload.response.error.message
security_result.summary
protoPayload.response.error.errors[].message
security_result.summary
protoPayload.status.details.violations.description
security_result.summary
protoPayload.response.message
security_result.summary
protoPayload.request.description
security_result.summary
jsonPayload.reason[].type
security_result.summary
sourceLocation.file
src.file.full_path
protoPayload.serviceName
target.application
resource.labels.service
target.application
protoPayload.metadata.event.eventName.parameter.name[APPLICATION_NAME]
target.application
protoPayload.metadata.event.eventName.parameter.name[APP_NAME]
target.application
If the protoPayload.metadata.event.eventName.parameter.name1 log field value is equal to APP_NAME and the protoPayload.metadata.event.eventName.parameter.name2 log field value is equal to APP_ID, then the protoPayload.metadata.event.eventName.parameter.name2 - protoPayload.metadata.event.eventName.parameter.name1 log field is mapped to the target.application UDM field.
protoPayload.metadata.event.eventName.parameter.name[APP_ID]
target.application
If the protoPayload.metadata.event.eventName.parameter.name1 log field value is equal to APP_NAME and the protoPayload.metadata.event.eventName.parameter.name2 log field value is equal to APP_ID, then the protoPayload.metadata.event.eventName.parameter.name2 - protoPayload.metadata.event.eventName.parameter.name1 log field is mapped to the target.application UDM field.
protoPayload.metadata.event.eventName.parameter.name[SERVICE_NAME]
target.application
protoPayload.metadata.event.eventName.parameter.name[OAUTH2_SERVICE_NAME]
target.application
protoPayload.metadata.event.eventName.parameter.name[OAUTH2_APP_NAME]
target.application
If the protoPayload.metadata.event.eventName.parameter.name1 log field value is equal to OAUTH2_APP_NAME and the protoPayload.metadata.event.eventName.parameter.name2 log field value is equal to OAUTH2_APP_ID, then the protoPayload.metadata.event.eventName.parameter.name2 - protoPayload.metadata.event.eventName.parameter.name1 log field is mapped to the target.application UDM field.
protoPayload.metadata.event.eventName.parameter.name[OAUTH2_APP_ID]
target.application
If the protoPayload.metadata.event.eventName.parameter.name1 log field value is equal to OAUTH2_APP_NAME and the protoPayload.metadata.event.eventName.parameter.name2 log field value is equal to OAUTH2_APP_ID, then the protoPayload.metadata.event.eventName.parameter.name2 - protoPayload.metadata.event.eventName.parameter.name1 log field is mapped to the target.application UDM field.
protoPayload.metadata.event.eventName.parameter.name[REAUTH_APPLICATION, SITE_NAME]
target.application
jsonPayload.product
target.application
protoPayload.metadata.device_id
target.asset.asset_id
protoPayload.metadata.event.eventName.parameter.name[DEVICE_SERIAL_NUMBER]
target.asset.hardware.serial_number
protoPayload.metadata.event.eventName.parameter.name[PRINT_SERVER_NAME]
target.asset.hostname
protoPayload.metadata.event.eventName.parameter.name[PRINTER_NAME]
target.asset.hostname
protoPayload.request.instances.instance
target.asset.product_object_id
The protoPayload.request.instances.instance log field is mapped to the target.asset.product_object_id UDM field when the index value in protoPayload.request.instances.instance is equal to 0.
For every other index value, the target.asset.labels.key UDM field is set to request_instance and the protoPayload.request.instances.instance log field is mapped to the target.asset.labels.value UDM field.
protoPayload.request.instance
target.asset.product_object_id
protoPayload.metadata.event.eventName.parameter.name[DEVICE_ID]
target.asset.product_object_id
protoPayload.metadata.event.eventName.parameter.name[COMPANY_DEVICE_ID]
target.asset.product_object_id
target.asset.type
If the protoPayload.metadata.event.eventName.parameter.name log field value is equal to PRINTER_SERVER_NAME, then the target.asset.type UDM field is set to SERVER.
If the protoPayload.metadata.event.eventName.parameter.name log field value is equal to PRINTER_NAME, then the target.asset.type UDM field is set to PRINTER.
If the protoPayload.metadata.event.eventName.parameter.name log field value is equal to DEVICE_TYPE, then the target.asset.type UDM field is set to ROLE_UNSPECIFIED.
protoPayload.metadata.event.eventName.parameter.name[SITE_LOCATION]
target.file.full_path
protoPayload.metadata.event.eventName.parameter.name[PERMISSION_GROUP_NAME]
target.group.attribute.permissions.name
protoPayload.metadata.event.eventName.parameter.name[GROUP_EMAIL]
target.group.email_addresses
protoPayload.metadata.event.eventName.parameter.name[DOMAIN_NAME]
target.hostname
jsonPayload.dest_instance.vm_name
target.hostname
protoPayload.requestMetadata.requestAttributes.host
target.hostname
httpRequest.remoteIp
target.ip
protoPayload.requestMetadata.destinationAttributes.ip
target.ip
protoPayload.metadata.event.eventName.parameter.name[EMAIL_LOG_SEARCH_SMTP_RECIPIENT_IP]
target.ip
protoPayload.request.ip
target.ip
jsonPayload.connection.dest_ip
target.ip
resource.labels.region
target.location.country_or_region
protoPayload.response.region
target.location.country_or_region
protoPayload.request.body.region
target.location.country_or_region
protoPayload.request.region
target.location.country_or_region
resource.labels.region
target.location.country_or_region
jsonPayload.dest_location.country
target.location.country_or_region
jsonPayload.dest_location.continent
target.location.country_or_region
protoPayload.request.override.overrideValue
target.resource.attribute.labels[request_override_value]
protoPayload.response.overrideValue
target.resource.attribute.labels[response_override_value]
resource.labels.location
target.location.name
protoPayload.resourceOriginalState.alloweds.ports
target.port
protoPayload.requestMetadata.destinationAttributes.port
target.port
jsonPayload.connection.dest_port
target.port
protoPayload.metadata.tableCreation.table.view.query
target.process.command_line
protoPayload.metadata.jobInsertion.job.jobConfig.queryConfig.query
target.process.command_line
protoPayload.serviceData.jobQueryRequest.query
target.process.command_line
protoPayload.serviceData.tableInsertResponse.resource.view.query
target.process.command_line
protoPayload.metadata.jobChange.job.jobConfig.queryConfig.query
target.process.command_line
protoPayload.metadata.tableChange.jobName
target.process.pid
protoPayload.metadata.tableCreation.jobName
target.process.pid
protoPayload.request.networkInterfaces[].subnetwork
target.resource_ancestors.name
protoPayload.request.body.instanceUid
target.resource_ancestors.product_object_id
protoPayload.response.instanceUid
target.resource_ancestors.product_object_id
protoPayload.request.disk[].mode
target.resource_ancestors.attributes.permission.name
protoPayload.request.disk[].autoDelete
target.resource_ancestors.attributes.permission.name
protoPayload.response.project_id
target.resource_ancestors.id
protoPayload.response.targetProject
target.resource_ancestors.name
protoPayload.request.target
target.resource_ancestors.name
protoPayload.resourceName
target.resource_ancestors.name
If the protoPayload.methodName log field value matches the regular expression (CreateServiceAccount, CreateWorkloadIdentityPool, CreateWorkloadIdentityPoolProvider, managedZones.create, changes.create, resourceRecordSets.create, responsePolicies.create, responsePolicyRules.create, policies.create, CreateRole, CreatePolicy, CreateServiceAccountKey, CreateWorkforcePool, CreateWorkforcePoolProvider), then the protoPayload.resourceName log field is mapped to the target.resource_ancestors.name UDM field.
protoPayload.resource.role_name
target.resource_ancestors.name
protoPayload.request.parent
target.resource_ancestors.name
protoPayload.request.disks[].deviceName
target.resource_ancestors.name
protoPayload.request.network
target.resource_ancestors.name
resource.labels.project_id
target.cloud.project.name
resource.labels.project_id
target.resource_ancestors.name
protoPayload.request.disk[].type
target.resource_ancestors.resource_subtype
If the protoPayload.request.cluster.subnetwork log field value is not empty, then the target.resource_ancestors.resource_subtype UDM field is set to subnetwork.
If the protoPayload.request.cluster.network log field value is not empty, then the target.resource_ancestors.resource_subtype UDM field is set to network.
If the protoPayload.request.cluster.nodePools.name log field value is not empty, then the target.resource_ancestors.resource_subtype UDM field is set to nodepool.
resource.location
target.resource.attribute.cloud.availability_zone
resourceLocation.currentLocations
target.resource.attribute.cloud.availability_zone
resource.labels.zone
target.resource.attribute.cloud.availability_zone
protoPayload.request.body.settings.locationPreference.zone
target.resource.attribute.cloud.availability_zone
protoPayload.metadata.tableChange.table.createTime
target.resource.attribute.creation_time
protoPayload.metadata.tableCreation.table.createTime
target.resource.attribute.creation_time
protoPayload.resourceOriginalState.creationTimestamp
target.resource.attribute.creation_time
protoPayload.response.insertTime
target.resource.attribute.creation_time
protoPayload.metadata.tableChange.table.updateTime
target.resource.attribute.last_update_time
protoPayload.metadata.tableCreation.table.updateTime
target.resource.attribute.last_update_time
protoPayload.serviceData.policyDelta.auditConfigDeltas[].logType
target.resource.attribute.permissions.type
request.role.title
target.resource.attribute.roles.name
protoPayload.request.role.included_permissions[]
target.resource.attributes.permission.name
protoPayload.request.role.description
target.resource.attributes.roles.description
protoPayload.resource.labels.firewall_rule_id
target.resource.id
protoPayload.resourceName
target.resource.name
If the protoPayload.resourceName log field value is not empty, then the protoPayload.resourceName log field is mapped to the target.resource.name UDM field.
protoPayload.resource.labels.role_name
target.resource.name
If the protoPayload.methodName log field value is equal to google.iam.admin.v1.CreateRole, then the protoPayload.resource.labels.role_name log field is mapped to the target.resource.name UDM field.
protoPayload.resource.role_name
target.resource.name
protoPayload.request.service_account.display_name
target.resource.name
protoPayload.request.workloadIdentityPool.displayName
target.resource.name
protoPayload.request.name
target.resource.name
If the protoPayload.methodName log field value is equal to beta.compute.instances.insert, then the protoPayload.request.name log field is mapped to the target.resource.name UDM field.
protoPayload.request.cluster.name
target.resource.name
protoPayload.metadata.tableCreation.table.tableName
target.resource.name
protoPayload.metadata.datasetCreation.dataset.datasetName
target.resource.name
jsonPayload.accessApprovals[]
target.resource.name
jsonPayload.resource.name
target.resource.name
resource.labels.email_id
target.resource.name
If the resource.labels.email_id log field value is not empty, then the resource.labels.email_id log field is mapped to the target.resource.name UDM field.
protoPayload.request.accessLevel.title
target.resource.name
resource.discoveryName
target.resource.name
protoPayload.response.name
target.resource.name
protoPayload.request.name
target.resource.name
resource.labels.network_id
target.resource.name
request.cluster.name
target.resource.name
resource.labels.cluster_name
target.resource.name
protoPayload.metadata.tableChange.table.tableName
target.resource.name
resource.labels.function_name
target.resource.name
If the resource.type log field value matches the regular expression cloud_function, then the resource.labels.function_name log field is mapped to the target.resource.name UDM field.
resource.parent
target.resource.parent
resource.labels.bucket_name
target.resource.parent
If the resource.type log field value is equal to gcs_bucket, then the resource.labels.bucket_name log field is mapped to the target.resource.parent UDM field.
resource.labels.dataset_id
target.resource.product_object_id
resource.labels.instance_group_id
target.resource.product_object_id
resource.labels.subnetwork_id
target.resource.product_object_id
resource.labels.firewall_rule_id
target.resource.product_object_id
resource.labels.forwarding_rule_id
target.resource.product_object_id
resource.labels.network_id
target.resource.product_object_id
resource.labels.unique_id
target.resource.product_object_id
protoPayload.metadata.event.eventName.parameter.name[RESOURCE_IDENTIFIER]
target.resource.product_object_id
protoPayload.metadata.event.eventName.parameter.name[SHARED_DRIVE_ID]
target.resource.product_object_id
protoPayload.response.unique_id
target.resource.product_object_id
If the protoPayload.methodName log field value matches the regular expression (CreateServiceAccount, CreateWorkloadIdentityPool, CreateWorkloadIdentityPoolProvider, managedZones.create, changes.create, resourceRecordSets.create, responsePolicies.create, responsePolicyRules.create, policies.create, CreateRole, CreatePolicy, CreateServiceAccountKey, CreateWorkforcePool, CreateWorkforcePoolProvider), then the protoPayload.response.unique_id log field is mapped to the target.resource.product_object_id UDM field.
protoPayload.request.account_id
target.resource.product_object_id
protoPayload.request.role_id
target.resource.product_object_id
If the protoPayload.methodName log field value is equal to google.iam.admin.v1.CreateRole, then the protoPayload.request.role_id log field is mapped to the target.resource.product_object_id UDM field.
protoPayload.request.workloadIdentityPoolId
target.resource.product_object_id
jsonPayload.resource.id
target.resource.product_object_id
resource.labels.instance_id
target.resource.product_object_id
resource.data.uniqueId
target.resource.product_object_id
protoPayload.request.workloadIdentityPoolProviderId
target.resource.product_object_id
protoPayload.request.machineType
target.resource.resource_subtype
If the resource.type log field value matches the regular expression gce_(autoscaler or instance_group) or gae_app, then the resource.type raw log field is mapped to the target.resource.resource_subtype UDM field.
target.resource.resource_type
If the resource.type log field value matches the regular expression gce_(firewall or forwarding_rule) or network_security_policy, then the target.resource.resource_type UDM field is set to FIREWALL_RULE and the resource.type raw log field is mapped to the target.resource.resource_subtype UDM field.
Else, if the resource.type log field value matches the regular expression gce_(subnetwork or network), then the target.resource.resource_type UDM field is set to VPC_NETWORK.
Else, if the resource.type log field value matches the regular expression cloud_dataproc_(batch or session), then the target.resource.resource_type UDM field is set to TASK.
Else, if the resource.type log field value is equal to gce_backend_service, then the target.resource.resource_type UDM field is set to BACKEND_SERVICE.
Else, if the resource.type log field value is equal to build, then the target.resource.resource_type UDM field is set to TASK and the resource.type raw log field is mapped to the target.resource.resource_subtype UDM field.
Else, if the resource.type log field value is equal to pubsub_topic, then the target.resource.resource_type UDM field is set to PIPE and the resource.type raw log field is mapped to the target.resource.resource_subtype UDM field.
Else, if the resource.type log field value matches the regular expression cloudkms_cryptokey, then the target.resource.resource_type UDM field is set to CREDENTIAL and the resource.type raw log field is mapped to the target.resource.resource_subtype UDM field.
Else, if the resource.type log field value is equal to iam_role, then the target.resource.resource_type UDM field is set to ACCESS_POLICY and the resource.type raw log field is mapped to the target.resource.resource_subtype UDM field.
Else, if the resource.type log field value is equal to cloud_run_job, then the target.resource.resource_type UDM field is set to TASK and the resource.type raw log field is mapped to the target.resource.resource_subtype UDM field.
Else, if the resource.type log field value is equal to cloud_run_revision, then the target.resource.resource_type UDM field is set to BACKEND_SERVICE and the resource.type raw log field is mapped to the target.resource.resource_subtype UDM field.
Else, if the resource.type log field value matches the regular expression gcs_bucket, then the target.resource.resource_type UDM field is set to STORAGE_BUCKET.
Else, if the resource.type log field value matches the regular expression bigquery\.googleapis\.com/SparkJob, then the target.resource.resource_type UDM field is set to TASK.
Else, if the resource.type log field value matches the regular expression bigquery_(biengine_model or dataset), then the target.resource.resource_type UDM field is set to DATASET.
Else, if the resource.type log field value matches the regular expression bigquery_dts_config, then the target.resource.resource_type UDM field is set to SETTING.
Else, if the resource.type log field value matches the regular expression cloudsql or bigquery_project or bigquery_resource, then the target.resource.resource_type UDM field is set to DATABASE.
Else, if the resource.type log field value matches the regular expression service_account, then the target.resource.resource_type UDM field is set to SERVICE_ACCOUNT.
Else, if the resource.type log field value matches the regular expression organization, then the target.resource.resource_type UDM field is set to CLOUD_ORGANIZATION.
Else, if the resource.type log field value matches the regular expression audited_resource or gae_app, then the target.resource.resource_type UDM field is set to BACKEND_SERVICE.
Else, if the resource.type log field value matches the regular expression cloud_function, then the target.resource.resource_type UDM field is set to FUNCTION.
Else, if the resource.type log field value matches the regular expression gce_(network_endpoint_group or node_group), then the target.resource.resource_type UDM field is set to BACKEND_SERVICE.
Else, if the resource.type log field value matches the regular expression gce_(node_template or resource_policy), then the target.resource.resource_type UDM field is set to SETTING.
Else, if the resource.type log field value matches the regular expression gce_disk, then the target.resource.resource_type UDM field is set to DISK.
Else, if the resource.type log field value matches the regular expression k8s_(scale or service), then the target.resource.resource_type UDM field is set to BACKEND_SERVICE.
Else, if the resource.type log field value matches the regular expression k8s_(control_plane_component or container), then the target.resource.resource_type UDM field is set to CONTAINER.
Else, if the resource.type log field value matches the regular expression k8s_node, then the target.resource.resource_type UDM field is set to VIRTUAL_MACHINE.
Else, if the resource.type log field value matches the regular expression k8s_pod, then the target.resource.resource_type UDM field is set to POD.
Else, if the resource.type log field value matches the regular expression k8s_cluster or cloud_dataproc_cluster or gke_cluster or gke_nodepool, then the target.resource.resource_type UDM field is set to CLUSTER.
Else, if the resource.type log field value matches the regular expression gke_container, then the target.resource.resource_type UDM field is set to CONTAINER.
Else, if the resource.type log field value matches the regular expression gkebackup\.googleapis\.com/(BackupPlan or RestorePlan), then the target.resource.resource_type UDM field is set to SETTING.
Else, if the resource.type log field value matches the regular expression gce_(instance or snapshot), then the target.resource.resource_type UDM field is set to VIRTUAL_MACHINE.
Else, if the resource.type log field value matches the regular expression gce_image, then the target.resource.resource_type UDM field is set to IMAGE.
Else, if the resource.type log field value contains one of the following values, then the resource.type log field is set to UNSPECIFIED and the resource.type raw log field is mapped to target.resource.resource_subtype
UDM field. -
identitytoolkit_project
-
storage.googleapis.com/Project
-
videostitcher.googleapis.com/Project
Else if, the
resource.type
log field value matches the regular expression project
, then the target.resource.resource_type
UDM field is set to CLOUD_PROJECT
.Else if, the
resource.type
log field value matches the regular expression gke_
, then the target.resource.resource_type
UDM field is set to CLUSTER
.Else, the
target.resource.resource_type
UDM field is set to UNSPECIFIED
and the resource.type
raw log field is mapped to target.resource.resource_subtype
UDM field.protoPayload.response.targetLink
target.url
protoPayload.metadata.event.eventName.parameter.name[WEB_ADDRESS]
target.url
protoPayload.request.httpRequest.url
target.url
resource.discoveryDocumentUri
target.url
httpRequest.requestUrl
target.url
protoPayload.request.role.included_permissions[]
target.user.attribute.permissions.name
protoPayload.metadata.event.eventName.parameter.name[ROLE_ID]
target.user.attribute.roles.description
If the protoPayload.metadata.event.eventName.parameter.name log field value is equal to ROLE_ID, then the Role_ID - protoPayload.metadata.event.eventName.parameter.value log field is mapped to the target.user.attribute.roles.description UDM field.
protoPayload.response.bindings[].role
target.user.attribute.roles.name
protoPayload.metadata.event.eventName.parameter.name[ROLE_NAME]
target.user.attribute.roles.name
protoPayload.request.serviceAccounts[].email
target.user.email_addresses
protoPayload.metadata.event.eventName.parameter.value
target.user.email_addresses
If the protoPayload.metadata.event.eventName.parameter.value log field value is not empty and the protoPayload.metadata.event.eventName log field value is equal to USER_EMAIL or EMAIL_MONITOR_DEST_EMAIL or DESTINATION_USER_EMAIL, then the protoPayload.metadata.event.eventName.parameter.value log field is mapped to the target.user.email_addresses UDM field.
protoPayload.metadata.event.eventName.parameter.name[NEW_VALUE]
target.user.first_name
If the protoPayload.metadata.event.eventName log field value is equal to FIRST_NAME, then if the protoPayload.metadata.event.eventName.parameter.name log field value is equal to NEW_VALUE, then the protoPayload.metadata.event.eventName.parameter.value log field is mapped to the target.user.first_name UDM field.
protoPayload.request.personIdentifier.canonicalPersonId
target.user.group_identifiers
protoPayload.metadata.event.eventName.parameter.name[NEW_VALUE]
target.user.last_name
If the protoPayload.metadata.event.eventName log field value is equal to LAST_NAME, then if the protoPayload.metadata.event.eventName.parameter.name log field value is equal to NEW_VALUE, then the protoPayload.metadata.event.eventName.parameter.value log field is mapped to the target.user.last_name UDM field.
protoPayload.metadata.event.eventName.parameter.name[NEW_VALUE]
target.user.user_display_name
If the protoPayload.metadata.event.eventName log field value is equal to RENAME_USER, then if the protoPayload.metadata.event.eventName.parameter.name log field value is equal to NEW_VALUE, then the protoPayload.metadata.event.eventName.parameter.value log field is mapped to the target.user.user_display_name UDM field.
protoPayload.response.user
target.user.userid
protoPayload.metadata.event.eventName.parameter.name[USER_EMAIL]
target.user.userid
If the protoPayload.metadata.event.eventName log field value is equal to CREATE_EMAIL_MONITOR or CREATE_DATA_TRANSFER_REQUEST, then if the protoPayload.metadata.event.eventName.parameter.name log field value is equal to USER_EMAIL, then the protoPayload.metadata.event.eventName.parameter.value log field is mapped to the principal.user.userid UDM field.
Else if the protoPayload.metadata.event.eventName.parameter.name log field value is equal to USER_EMAIL, then the protoPayload.metadata.event.eventName.parameter.value log field is mapped to the target.user.userid UDM field.
protoPayload.metadata.event.eventName.parameter.name[EMAIL_MONITOR_DEST_EMAIL]
target.user.userid
protoPayload.metadata.event.eventName.parameter.name[DESTINATION_USER_EMAIL]
target.user.userid
protoPayload.request.user
target.user.userid
protoPayload.serviceData.policyDelta.bindingDeltas[].member
target.user.userid
protoPayload.request.objects.db
about.labels [database_name] (deprecated)
jsonPayload.accesses[].methodName
about.labels [methodName] (deprecated)
protoPayload.request.objects.name
about.labels [objects_name] (deprecated)
protoPayload.metadata.event.eventName.parameter.name[API_CLIENT_NAME]
about.labels[api_client_name] (deprecated)
protoPayload.metadata.event.eventName.parameter.name[API_SCOPES]
about.labels[api_scopes] (deprecated)
protoPayload.metadata.event.eventName.parameter.name[BEGIN_DATE_TIME]
about.labels[begin_date_time] (deprecated)
protoPayload.metadata.event.eventName.parameter.name[BULK_UPLOAD_FAIL_USERS_NUMBER]
about.labels[bulk_upload_fail_users_number] (deprecated)
protoPayload.metadata.event.eventName.parameter.name[BULK_UPLOAD_TOTAL_USERS_NUMBER]
about.labels[bulk_upload_total_users_number] (deprecated)
protoPayload.metadata.event.eventName.parameter.name[CAA_ASSIGNMENTS_NEW]
about.labels[caa_assignments_new] (deprecated)
protoPayload.metadata.event.eventName.parameter.name[CAA_ASSIGNMENTS_OLD]
about.labels[caa_assignments_old] (deprecated)
protoPayload.metadata.event.eventName.parameter.name[CAA_ENFORCEMENT_ENDPOINTS_NEW]
about.labels[caa_enforcement_endpoints_new] (deprecated)
protoPayload.metadata.event.eventName.parameter.name[CAA_ENFORCEMENT_ENDPOINTS_OLD]
about.labels[caa_enforcement_endpoints_old] (deprecated)
protoPayload.requestMetadata.requestAttributes.size
about.labels[caller_network_request_size] (deprecated)
protoPayload.requestMetadata.requestAttributes.time
about.labels[caller_network_request_time] (deprecated)
protoPayload.requestMetadata.callerNetwork
about.labels[caller_network] (deprecated)
protoPayload.requestMetadata.requestAttributes.size
principal.labels[caller_network_request_size] (deprecated)
protoPayload.requestMetadata.requestAttributes.time
principal.labels[request_attributes_time] (deprecated)
protoPayload.requestMetadata.callerNetwork
principal.labels[caller_network] (deprecated)
protoPayload.metadata.event.eventName.parameter.name[CHROME_LICENSES_ENABLED]
about.labels[chrome_licenses_enabled] (deprecated)
protoPayload.metadata.event.eventName.parameter.name[END_DATE_TIME]
about.labels[end_date_time] (deprecated)
protoPayload.metadata.event.eventName.parameter.name[END_DATE]
about.labels[end_date] (deprecated)
protoType.metadata.event[].eventName
about.labels[event_name] (deprecated)
protoPayload.metadata.event.parameter[].label
about.labels[event_param_label] (deprecated)
protoPayload.metadata.event.parameter[].type
about.labels[event_param_type] (deprecated)
protoType.metadata.event[].eventType
about.labels[event_type] (deprecated)
protoPayload.metadata.event.eventName.parameter.name[FIELD_NAME]
about.labels[field_name] (deprecated)
protoPayload.metadata.event.eventName.parameter.name[FULL_ORG_UNIT_PATH]
about.labels[full_org_unit_path] (deprecated)
protoPayload.metadata.event.eventName.parameter.name[GROUP_MEMBER_BULK_UPLOAD_FAILED_NUMBER]
about.labels[grp_member_bulk_upload_failed] (deprecated)
protoPayload.metadata.event.eventName.parameter.name[GROUP_MEMBER_BULK_UPLOAD_TOTAL_NUMBER]
about.labels[grp_member_bulk_upload_total] (deprecated)
httpRequest.cacheFillBytes
about.labels[httpreq_cache_fill_bytes] (deprecated)
httpRequest.cacheHit
about.labels[httpreq_cache_hit] (deprecated)
httpRequest.cacheLookup
about.labels[httpreq_cache_lookup] (deprecated)
httpRequest.cacheValidatedWithOriginServer
about.labels[httpreq_cache_validated_with_origin_server] (deprecated)
httpRequest.latency
about.labels[httprequest_latency] (deprecated)
protoPayload.metadata.event.eventName.parameter.name[INFO_TYPE]
about.labels[info_type] (deprecated)
protoPayload.metadata.activityId.timeUsec
about.labels[metadata_activityId_time_usec] (deprecated)
protoPayload.metadata.activityId.uniqQualifier
about.labels[metadata_activityId_uniq_qualifier] (deprecated)
protoPayload.metadata.@type
about.labels[metadata_type] (deprecated)
protoPayload.metadata.event.eventName.parameter.name[NEW_PERMISSION_GRANT_STATE]
about.labels[new_permission_grant_state] (deprecated)
protoPayload.metadata.event.eventName.parameter.name[NUMBER_OF_COMPANY_OWNED_DEVICES]
about.labels[num_of_company_owned_device] (deprecated)
protoPayload.numResponseItems
about.labels[num_response_items] (deprecated)
protoPayload.metadata.event.eventName.parameter.name[OLD_PERMISSION_GRANT_STATE]
about.labels[old_permission_grant_state] (deprecated)
operation.first
about.labels[operation_first] (deprecated)
operation.id
about.labels[operation_id] (deprecated)
operation.last
about.labels[operation_last] (deprecated)
operation.producer
about.labels[operation_producer] (deprecated)
protoPayload.resourceOriginalState.selfLinkWithId
about.labels[rc_old_selflinkWithId] (deprecated)
protoPayload.metadata.event.eventName.parameter.name[REAUTH_SETTING_NEW]
about.labels[reauth_setting_new] (deprecated)
protoPayload.metadata.event.eventName.parameter.name[REAUTH_SETTING_OLD]
about.labels[reauth_setting_old] (deprecated)
protoPayload.request.alloweds[].ports
about.labels[req_alloweds_ports] (deprecated)
protoPayload.request.body.name
about.labels[req_body_name] (deprecated)
protoPayload.request.body.settings.activityPolicy
about.labels[req_body_settings_activity_policy] (deprecated)
protoPayload.request.deletionProtection
about.labels[req_deletion_protection] (deprecated)
protoPayload.request.disabled
about.labels[req_disabled] (deprecated)
protoPayload.request.displayDevice.enableDisplay
about.labels[req_display_device_enable_display] (deprecated)
protoPayload.request.enableFlowLogs
about.labels[req_enable_flow_logs] (deprecated)
protoPayload.request.fingerprint
about.labels[req_fingerprint] (deprecated)
protoPayload.request.shieldedInstanceConfig.enableSecureBoot
about.labels[req_instance_config_enable_secure_boot] (deprecated)
protoPayload.request.shieldedInstanceConfig.enableVtpm
about.labels[req_instance_config_enable_vtpm] (deprecated)
protoPayload.request.shieldedInstanceConfig.enableIntegrityMonitoring
about.labels[req_instance_enable_integrity_monitoring] (deprecated)
protoPayload.request.key_types[]
about.labels[req_key_types] (deprecated)
protoPayload.request.logconfig.enable
about.labels[req_logconfig_enable] (deprecated)
protoPayload.request.networkTier
about.labels[req_network_tier] (deprecated)
protoPayload.request.network
about.labels[req_network] (deprecated)
protoPayload.request.page_size
about.labels[req_page_size] (deprecated)
request.pagesize
about.labels[req_page_size] (deprecated)
protoPayload.request.policy.etag
about.labels[req_policy_etag] (deprecated)
protoPayload.request.portRange
about.labels[req_port_range] (deprecated)
protoPayload.request.privateIpGoogleAccess
about.labels[req_private_ip_google_access] (deprecated)
protoPayload.request.private_key_type
about.labels[req_private_key_type] (deprecated)
protoPayload.request.remove_deleted_service_accounts
about.labels[req_remove_deleted_serviceAcc] (deprecated)
protoPayload.request.showDeleted
about.labels[req_show_deleted] (deprecated)
protoPayload.request.skip_visibility_check
about.labels[req_skip_visibility_check] (deprecated)
protoPayload.request.stackType
about.labels[req_stack_type] (deprecated)
protoPayload.request.type
about.labels[req_type] (deprecated)
protoPayload.request.updateMask
about.labels[req_update_mask] (deprecated)
protoPayload.request.version
about.labels[req_version] (deprecated)
protoPayload.response.clientOperationId
about.labels[res_client_operation_id] (deprecated)
protoPayload.response.endTime
about.labels[res_end_time] (deprecated)
protoPayload.response.id
about.labels[res_id] (deprecated)
protoPayload.response.key_algorithm
about.labels[res_key_algorithm] (deprecated)
protoPayload.response.key_origin
about.labels[res_key_origin] (deprecated)
protoPayload.response.key_type
about.labels[res_key_type] (deprecated)
protoPayload.response.kind
about.labels[res_kind] (deprecated)
protoPayload.response.private_key_type
about.labels[res_private_key_type] (deprecated)
protoPayload.response.progress
about.labels[res_progress] (deprecated)
protoPayload.response.startTime
about.labels[res_start_time] (deprecated)
protoPayload.response.status
about.labels[res_status] (deprecated)
If the protoPayload.methodName log field value is equal to cloudsql.instances.create, then the protoPayload.response.status log field is mapped to the security_result.description UDM field.
protoPayload.response.type
about.labels[res_type] (deprecated)
protoPayload.response.unique_id
about.labels[res_unique_id] (deprecated)
If the protoPayload.methodName log field value matches the regular expression (CreateServiceAccount, CreateWorkloadIdentityPool, CreateWorkloadIdentityPoolProvider, managedZones.create, changes.create, resourceRecordSets.create, responsePolicies.create, responsePolicyRules.create, policies.create, CreateRole, CreatePolicy, CreateServiceAccountKey, CreateWorkforcePool, CreateWorkforcePoolProvider), then the protoPayload.response.unique_id log field is mapped to the target.resource.product_object_id UDM field.
protoPayload.response.valid_after_time.seconds
about.labels[res_valid_after_time] (deprecated)
protoPayload.response.valid_before_time.seconds
about.labels[res_valid_before_time] (deprecated)
protoPayload.response.version
about.labels[res_version] (deprecated)
protoPayload.response.zone
about.labels[res_zone] (deprecated)
protoPayload.metadata.event.eventName.parameter.name[SEARCH_QUERY_FOR_DUMP]
about.labels[search_query_for_dump] (deprecated)
spanId
about.labels[span_id] (deprecated)
protoPayload.metadata.event.eventName.parameter.name[START_DATE]
about.labels[start_date] (deprecated)
traceSampled
about.labels[trace_sampled] (deprecated)
Trace
about.labels[trace] (deprecated)
protoPayload.@type
about.labels[type] (deprecated)
protoPayload.metadata.instanceMetadataDelta.addedMetadataKeys
metadata.ingestion_labels [instance_metadata_key_added]
protoPayload.metadata.instanceMetadataDelta.deletedMetadataKeys
metadata.ingestion_labels [instance_metadata_key_deletion]
protoPayload.metadata.instanceMetadataDelta.modifiedMetadataKeys
metadata.ingestion_labels [instance_metadata_key_modification]
protoPayload.metadata.projectMetadataDelta.addedMetadataKeys
metadata.ingestion_labels [AddedMetadataKeys]
protoPayload.metadata.projectMetadataDelta.deletedMetadataKeys
metadata.ingestion_labels [DeletedMetadataKeys]
protoPayload.metadata.projectMetadataDelta.modifiedMetadataKeys
metadata.ingestion_labels [ModifiedMetadataKeys]
protoPayload.redactions.reason
principal.labels [protoPayload.redactions.field] (deprecated)
protoPayload.redactions.type
principal.labels [protoPayload.redactions.field] (deprecated)
authenticationInfo.serviceAccountDelegationInfo.firstPartyPrincipal.serviceMetadata
principal.labels [service_metadata] (deprecated)
jsonPayload.sourceNetwork
principal.labels [source_network] (deprecated)
authenticationInfo.serviceAccountDelegationInfo.thirdPartyPrincipal.thirdPartyClaims
principal.labels [third_party_claims] (deprecated)
protoPayload.requestMetadata.requestAttributes.time
principal.labels[caller_network_request_time] (deprecated)
protoPayload.request.description
principal.labels[req_description] (deprecated)
protoPayload.request.ipCidrRange
principal.labels[req_ip_cidr_range] (deprecated)
protoPayload.request.sourceRanges[]
principal.labels[req_source_ranges] (deprecated)
protoPayload.requestMetadata.requestAttributes.reason
principal.labels[request_attributes_reason] (deprecated)
protoPayload.authenticationInfo.thirdPartyPrincipal
principal.labels[third_party_principal] (deprecated)
protoPayload.metadata.jobChange.after
target.resource_ancestors.attribute.labels[jobchange_after]
protoPayload.metadata.jobChange.before
target.resource_ancestors.attribute.labels[jobchange_before]
protoPayload.metadata.jobChange.job.jobConfig.queryConfig.query
target.resource_ancestors.attribute.labels[jobchange_jobconfig_queryconfig_query]
protoPayload.metadata.jobChange.job.jobConfig.queryConfig.createDisposition
target.resource_ancestors.attribute.labels[jobchange_jobconfig_queryconfig_createdisposition]
protoPayload.metadata.jobChange.job.jobConfig.queryConfig.destinationTable
target.resource_ancestors.attribute.labels[jobchange_jobconfig_queryconfig_destinationtable]
protoPayload.metadata.jobChange.job.jobConfig.queryConfig.priority
target.resource_ancestors.attribute.labels[jobchange_jobconfig_queryconfig_priority]
protoPayload.metadata.jobChange.job.jobConfig.queryConfig.writeDisposition
target.resource_ancestors.attribute.labels[jobchange_jobconfig_queryconfig_writedisposition]
protoPayload.metadata.jobChange.job.jobConfig.tableCopyConfig.createDisposition
target.resource_ancestors.attribute.labels[jobchange_jobconfig_tablecopyconfig_createdisposition]
protoPayload.metadata.jobChange.job.jobConfig.tableCopyConfig.destinationTable
target.resource_ancestors.attribute.labels[jobchange_jobconfig_tablecopyconfig_destinationtable]
protoPayload.metadata.jobChange.job.jobConfig.tableCopyConfig.operationType
target.resource_ancestors.attribute.labels[jobchange_jobconfig_tablecopyconfig_operationtype]
protoPayload.metadata.jobChange.job.jobConfig.tableCopyConfig.writeDisposition
target.resource_ancestors.attribute.labels[jobchange_jobconfig_tablecopyconfig_writedisposition]
protoPayload.metadata.jobChange.job.jobConfig.type
target.resource_ancestors.attribute.labels[jobchange_jobconfig_type]
protoPayload.metadata.jobChange.job.jobName
target.resource_ancestors.name
protoPayload.metadata.jobChange.job.jobStats.createTime
target.resource_ancestors.attribute.creation_time
protoPayload.metadata.jobChange.job.jobStats.endTime
target.resource_ancestors.attribute.labels[jobchange_jobstats_endtime]
protoPayload.metadata.jobChange.job.jobStats.queryStats
target.resource_ancestors.attribute.labels[jobchange_jobstats_querystats]
protoPayload.metadata.jobChange.job.jobStats.reservation
target.resource_ancestors.attribute.labels[jobchange_jobstats_reservation]
protoPayload.metadata.jobChange.job.jobStats.startTime
target.resource_ancestors.attribute.labels[jobchange_jobstats_starttime]
protoPayload.metadata.jobChange.job.jobStatus.errorResult.code
security_result.detection_fields[jobchange_jobstatus_errorresult_code]
protoPayload.metadata.jobChange.job.jobStatus.errorResult.message
security_result.detection_fields[jobchange_jobstatus_errorresult_message]
protoPayload.metadata.jobChange.job.jobStatus.jobState
target.resource_ancestors.attribute.labels[jobstatus_jobstate]
protoPayload.metadata.jobChange.job.jobConfig.tableCopyConfig.sourceTables
target.resource_ancestors.attribute.labels[jobchange_jobconfig_tablecopyconfig_sourcetables]
protoPayload.metadata.jobChange.job.jobStatus.errors.code
security_result.detection_fields[jobchange_jobstatus_errors_code]
protoPayload.metadata.jobChange.job.jobStatus.errors.message
security_result.detection_fields[jobchange_jobstatus_errors_message]
protoPayload.metadata.jobChange.job.jobConfig.extractConfig.sourceTable
target.resource_ancestors.attribute.labels[jobchange_jobconfig_extractconfig_sourcetable]
protoPayload.metadata.jobChange.job.jobConfig.extractConfig.destinationUris
target.resource_ancestors.attribute.labels[jobchange_jobconfig_extractconfig_destinationuris]
protoPayload.metadata.jobInsertion.job.jobConfig.queryConfig.query
target.resource_ancestors.attribute.labels[jobinsertion_jobconfig_queryconfig_query]
protoPayload.metadata.jobInsertion.job.jobConfig.queryConfig.createDisposition
target.resource_ancestors.attribute.labels[jobinsertion_jobconfig_queryconfig_createdisposition]
protoPayload.metadata.jobInsertion.job.jobConfig.queryConfig.destinationTable
target.resource_ancestors.attribute.labels[jobinsertion_jobconfig_queryconfig_destinationtable]
protoPayload.metadata.jobInsertion.job.jobConfig.queryConfig.priority
target.resource_ancestors.attribute.labels[jobinsertion_jobconfig_queryconfig_priority]
protoPayload.metadata.jobInsertion.job.jobConfig.queryConfig.writeDisposition
target.resource_ancestors.attribute.labels[jobinsertion_jobconfig_queryconfig_writedisposition]
protoPayload.metadata.jobInsertion.job.jobConfig.tableCopyConfig.createDisposition
target.resource_ancestors.attribute.labels[jobinsertion_jobconfig_tablecopyconfig_createdisposition]
protoPayload.metadata.jobInsertion.job.jobConfig.tableCopyConfig.destinationTable
target.resource_ancestors.attribute.labels[jobinsertion_jobconfig_tablecopyconfig_destinationtable]
protoPayload.metadata.jobInsertion.job.jobConfig.tableCopyConfig.operationType
target.resource_ancestors.attribute.labels[jobinsertion_jobconfig_tablecopyconfig_operationtype]
protoPayload.metadata.jobInsertion.job.jobConfig.tableCopyConfig.writeDisposition
target.resource_ancestors.attribute.labels[jobinsertion_jobconfig_tablecopyconfig_writedisposition]
protoPayload.metadata.jobInsertion.job.jobConfig.type
target.resource_ancestors.attribute.labels[jobinsertion_jobconfig_type]
protoPayload.metadata.jobInsertion.job.jobName
target.resource_ancestors.name
protoPayload.metadata.jobInsertion.job.jobStats.createTime
target.resource_ancestors.attribute.creation_time
protoPayload.metadata.jobInsertion.job.jobStats.reservation
target.resource_ancestors.attribute.labels[jobinsertion_jobstats_reservation]
protoPayload.metadata.jobInsertion.job.jobStats.queryStats
target.resource_ancestors.attribute.labels[jobinsertion_jobstats_querystats]
protoPayload.metadata.jobInsertion.job.jobStats.startTime
target.resource_ancestors.attribute.labels[jobinsertion_jobstats_starttime]
protoPayload.metadata.jobInsertion.job.jobStats.endTime
target.resource_ancestors.attribute.labels[jobinsertion_jobstats_endtime]
protoPayload.metadata.jobInsertion.job.jobStatus.errorResult.code
security_result.detection_fields[jobinsertion_jobstatus_errorresult_code]
protoPayload.metadata.jobInsertion.job.jobStatus.errorResult.message
security_result.detection_fields[jobinsertion_jobstatus_errorresult_message]
protoPayload.metadata.jobInsertion.job.jobStatus.jobState
target.resource_ancestors.attribute.labels[jobinsertion_jobstatus_jobstate]
protoPayload.metadata.jobInsertion.reason
target.resource_ancestors.attribute.labels[jobinsertion_reason]
protoPayload.metadata.jobInsertion.job.jobConfig.tableCopyConfig.sourceTables
target.resource_ancestors.attribute.labels[jobinsertion_jobconfig_tablecopyconfig_sourcetables]
protoPayload.metadata.jobInsertion.job.jobStatus.errors.code
security_result.detection_fields[jobinsertion_jobstatus_errors_code]
protoPayload.metadata.jobInsertion.job.jobStatus.errors.message
security_result.detection_fields[jobinsertion_jobstatus_errors_message]
protoPayload.metadata.jobInsertion.job.jobConfig.extractConfig.sourceTable
target.resource_ancestors.attribute.labels[jobinsertion_jobconfig_extractconfig_sourcetable]
protoPayload.metadata.jobInsertion.job.jobConfig.extractConfig.destinationUris
target.resource_ancestors.attribute.labels[jobinsertion_jobconfig_extractconfig_destinationuris]
protoPayload.response.buildConfig.entryPoint
target.resource.attribute.labels[buildconfig_entrypoint]
protoPayload.request.member
target.user.email_addresses
protoPayload.request.email
target.user.email_addresses
protoPayload.metadata.jobInsertion.reason
target.resource.attribute.labels[job_insertion_reason]
protoPayload.metadata.jobInsertion.job.jobConfig.queryConfig.statementType
target.resource.attribute.labels[job_insertion_job_job_config_query_config_statement_type]
protoPayload.metadata.jobInsertion.job.jobStatus.jobState
target.resource.attribute.labels[job_insertion_job_job_status_job_state]
protoPayload.response.state
target.resource.attribute.labels[response_state]
protoPayload.request.metadata.state
target.resource.attribute.labels[request_state]
protoPayload.authenticationInfo.principalSubject
principal.user.userid
If the protoPayload.authenticationInfo.principalSubject log field value is not empty, then new_user_id is extracted from the protoPayload.authenticationInfo.principalSubject log field using a Grok pattern, and mapped to the principal.user.userid UDM field.
protoPayload.authenticationInfo.principalSubject
principal.user.email_addresses
If the protoPayload.authenticationInfo.principalSubject log field value is not empty, then new_email_id is extracted from the protoPayload.authenticationInfo.principalSubject log field using a Grok pattern, and mapped to the principal.user.email_addresses UDM field.
protoPayload.authenticationInfo.serviceAccountDelegationInfo.principalSubject
principal.user.attribute.labels[access_serviceAcc_principalSubject]
protoPayload.response.oauth2_client_id
principal.user.attribute.labels[response_oauth2_client_id]
protoPayload.authorizationInfo.resourceAttributes.service
principal.resource.attribute.labels[authorization_info_rcService]
protoPayload.authorizationInfo.granted
principal.user.attributes.labels[authorization_granted]
protoPayload.request.cryptoKey.versionTemplate.algorithm
security_result.detection_fields [algorithm]
protoPayload.response.details[].@type
security_result.detection_fields [details_type]
protoPayload.request.cryptoKey.nextRotationTime
security_result.detection_fields [next_rotation_time]
protoPayload.request.cryptoKey.versionTemplate.protectionLevel
security_result.detection_fields [protection_level]
protoPayload.request.body.settings.ipConfiguration.authorizedNetworks.value
security_result.detection_fields [protoPayload.request.body.settings.ipConfiguration.authorizedNetworks.kind]
protoPayload.request.cryptoKey.purpose
security_result.detection_fields [purpose]
protoPayload.resourceName
security_result.detection_fields [resource_name]
protoPayload.authorizationInfo.resource
security_result.detection_fields [resource]
protoPayload.response.code
security_result.detection_fields [response_code]
protoPayload.request.cryptoKey.rotationPeriod
security_result.detection_fields [rotation_period]
protoPayload.metadata.securityPolicyInfo.organizationId
security_result.detection_fields [securityPolicyInfo.organizationId]
protoPayload.request.serviceAccounts[].scopes
security_result.detection_fields [service_account_scope]
protoPayload.response.details[].violations[].subject
security_result.detection_fields [violation_subject]
protoPayload.response.details[].violations[].type
security_result.detection_fields [violation_type]
protoPayload.metadata.event.eventName.parameter.name[ACTION_ID]
security_result.detection_fields[action_id]
protoPayload.serviceData.policyDelta.auditConfigDeltas[].action
security_result.detection_fields[action]
protoPayload.metadata.event.eventName.parameter.name[ALERT_NAME]
security_result.detection_fields[alert_name]
protoPayload.metadata.event.eventName.parameter.name[ALLOWED_TWO_STEP_VERIFICATION_METHOD]
security_result.detection_fields[allowed_two_step_verification_method]
protoPayload.requestMetadata.callerNetwork.requestAttributes.reason
security_result.detection_fields[caller_network_request_reason]
protoPayload.metadata.event.eventName.parameter.name[is_second_factor]
security_result.detection_fields[is_second_factor]
If the protoPayload.metadata.event.eventName log field value is equal to login_verification, then if the protoPayload.metadata.event.eventName.parameter.name log field value is equal to is_second_factor, then the protoPayload.metadata.event.eventName.parameter.value log field is mapped to the security_result.detection_fields.value UDM field.
protoPayload.metadata.event.eventName.parameter.name[is_suspicious]
security_result.detection_fields[is_suspicious]
If the protoPayload.metadata.event.eventName log field value is equal to login_success, then if the protoPayload.metadata.event.eventName.parameter.name log field value is equal to is_suspicious, then the protoPayload.metadata.event.eventName.parameter.boolValue log field is mapped to the security_result.detection_fields.value UDM field.
protoPayload.metadata.event.eventName.parameter.name[login_failure_type]
security_result.detection_fields[login_failure_type]
If the protoPayload.metadata.event.eventName log field value is equal to login_failure, then if the protoPayload.metadata.event.eventName.parameter.name log field value is equal to login_failure_type, then the protoPayload.metadata.event.eventName.parameter.value log field is mapped to the security_result.detection_fields.value UDM field.
protoPayload.metadata.event.eventName.parameter.name[login_type]
security_result.detection_fields[login_type]
If the protoPayload.metadata.event.eventName log field value is equal to login_failure or login_challenge or login_verification or login_success or logout, then if the protoPayload.metadata.event.eventName.parameter.name log field value is equal to login_type, then the protoPayload.metadata.event.eventName.parameter.value log field is mapped to the about.labels.value UDM field.
protoPayload.request.bindings.members[]
security_result.detection_fields[members]
protoPayload.policyViolationInfo.orgPolicyViolationInfo.violationInfo.checkedValue
security_result.detection_fields[policy_violation_checked_value]
protoPayload.policyViolationInfo.orgPolicyViolationInfo.violationInfo.constraint
security_result.detection_fields[policy_violation_constraint]
protoPayload.policyViolationInfo.orgPolicyViolationInfo.resourceTags
security_result.detection_fields[policy_violation_resource_tags]
protoPayload.policyViolationInfo.orgPolicyViolationInfo.resourceType
security_result.detection_fields[policy_violation_resource_type]
protoPayload.metadata.event.eventName.parameter.name[QUARANTINE_NAME]
security_result.detection_fields[quarantine_name]
protoPayload.resourceOriginalState.logconfig.enable
security_result.detection_fields[rc_orgState_logconfig_enable]
protoPayload.request.alloweds[].ports
security_result.detection_fields[req_alloweds_ports]
protoPayload.response.error.errors[].domain
security_result.detection_fields[res_error_domain]
protoPayload.resourceOriginalState.direction
security_result.detection_fields[resource_original_state_direction]
protoPayload.authenticationInfo.serviceAccountKeyName
security_result.detection_fields[service_account_key_name]
Referred this from Default parser.
security_result.detection_fields[SERVICE]
protoPayload.status.details.type
security_result.detection_fields[status_details_type]
protoPayload.status.details.violations.subject
security_result.detection_fields[status_details_violation_subject]
protoPayload.status.details.violations.type
security_result.detection_fields[status_details_violation_type]
sourceLocation.function
src.labels[src_location_function]
sourceLocation.line
src.labels[src_location_line]
protoPayload.metadata.event.eventName.parameter.name[DEVICE_NEW_STATE]
target.asset.attribute.labels[dvc_new_state]
protoPayload.metadata.event.eventName.parameter.name[DEVICE_PREVIOUS_STATE]
target.asset.attribute.labels[dvc_previous_state]
protoPayload.metadata.event.eventName.parameter.name[DEVICE_TYPE]
target.asset.attribute.labels[dvc_type]
protoPayload.metadata.event.eventName.parameter.name[MANAGED_CONFIGURATION_NAME]
target.asset.attribute.labels[managed_config_name]
protoPayload.metadata.event.eventName.parameter.name[MOBILE_APP_PACKAGE_ID]
target.asset.attribute.labels[mobile_app_package_id]
protoPayload.metadata.event.eventName.parameter.name[MOBILE_CERTIFICATE_COMMON_NAME]
target.asset.attribute.labels[mobile_certificate_common_name]
protoPayload.metadata.event.eventName.parameter.name[MOBILE_WIRELESS_NETWORK_NAME]
target.asset.attribute.labels[mobile_wireless_network_name]
protoPayload.metadata.event.eventName.parameter.name[PLAY_FOR_WORK_MDM_VENDOR_NAME]
target.asset.attribute.labels[play_for_work_mdm_vendor_name]
protoPayload.metadata.event.eventName.parameter.name[PLAY_FOR_WORK_TOKEN_ID]
target.asset.attribute.labels[play_for_work_token_id]
resource.labels.instance_id
target.asset.attribute.labels[rc_instance_id]
protoPayload.metadata.event.eventName.parameter.name[SKU_NAME]
target.asset.attribute.labels[sku_name]
protoPayload.response.targetId
target.asset.attribute.labels[target_id]
If the protoPayload.methodName log field value is not equal to cloudsql.instances.create, then the protoPayload.response.targetId log field is mapped to the target.asset.attribute.labels.value UDM field.
resource.labels.backend_service_name
target.labels [backend_service_name] (deprecated)
protoPayload.requestMetadata.requestAttributes.auth.claims
target.labels [request_auth_claims] (deprecated)
protoPayload.metadata.event.eventName.parameter.name[APPLICATION_EDITION]
target.labels[application_edition] (deprecated)
protoPayload.metadata.event.eventName.parameter.name[ASP_ID]
target.labels[asp_id] (deprecated)
protoPayload.metadata.event.eventName.parameter.name[CHROME_OS_SESSION_TYPE]
target.labels[chrome_os_session_type] (deprecated)
protoPayload.metadata.event.eventName.parameter.name[DEVICE_NEW_ORG_UNIT]
target.labels[device_new_org_unit] (deprecated)
protoPayload.metadata.event.eventName.parameter.name[DEVICE_PREVIOUS_ORG_UNIT]
target.labels[device_previous_org_unit] (deprecated)
protoPayload.metadata.event.eventName.parameter.name[DOMAIN_ALIAS]
target.labels[domain_alias] (deprecated)
protoPayload.metadata.event.eventName.parameter.name[EMAIL_EXPORT_INCLUDE_DELETED]
target.labels[email_export_include_deleted] (deprecated)
protoPayload.metadata.event.eventName.parameter.name[EMAIL_EXPORT_PACKAGE_CONTENT]
target.labels[email_export_package_content] (deprecated)
protoPayload.metadata.event.eventName.parameter.name[EMAIL_LOG_SEARCH_END_DATE]
target.labels[email_log_search_end_date] (deprecated)
protoPayload.metadata.event.eventName.parameter.name[EMAIL_LOG_SEARCH_START_DATE]
target.labels[email_log_search_start_date] (deprecated)
protoPayload.metadata.event.eventName.parameter.name[EMAIL_MONITOR_LEVEL_CHAT]
target.labels[email_monitor_level_chat] (deprecated)
protoPayload.metadata.event.eventName.parameter.name[EMAIL_MONITOR_LEVEL_DRAFT_EMAIL]
target.labels[email_monitor_level_draft_email] (deprecated)
protoPayload.metadata.event.eventName.parameter.name[EMAIL_MONITOR_LEVEL_INCOMING_EMAIL]
target.labels[email_monitor_level_in_email] (deprecated)
protoPayload.metadata.event.eventName.parameter.name[EMAIL_MONITOR_LEVEL_OUTGOING_EMAIL]
target.labels[email_monitor_level_out_email] (deprecated)
protoPayload.metadata.event.eventName.parameter.name[GMAIL_RESET_REASON]
target.labels[email_reset_reason] (deprecated)
protoPayload.metadata.event.eventName.parameter.name[NEW_VALUE]
target.labels[new_value] (deprecated)
protoPayload.metadata.event.eventName.parameter.name[OAUTH2_APP_TYPE]
target.labels[oauth2_app_type] (deprecated)
protoPayload.metadata.event.eventName.parameter.name[OLD_VALUE]
target.labels[old_value] (deprecated)
protoPayload.requestMetadata.destinationAttributes.principal
target.labels[peer_principal] (deprecated)
protoPayload.requestMetadata.destinationAttributes.regionCode
target.labels[peer_region_code] (deprecated)
protoPayload.request.loadBalancingScheme
target.labels[req_load_balancing_scheme] (deprecated)
protoPayload.request.requestId
target.labels[request_id] (deprecated)
protoPayload.metadata.event.eventName.parameter.name[REQUEST_ID]
target.labels[request_id] (deprecated)
protoPayload.resourceOriginalState.description
target.labels[res_originalState_description] (deprecated)
protoPayload.response.bindings[].members[]
target.labels[response_bindings_members] (deprecated)
protoPayload.response.description
target.labels[response_description] (deprecated)
protoPayload.response.display_name
target.labels[response_display_name] (deprecated)
protoPayload.metadata.event.eventName.parameter.name[SECONDARY_DOMAIN_NAME]
target.labels[secondary_domain_name] (deprecated)
protoPayload.metadata.event.eventName.parameter.name[SETTING_NAME]
target.labels[setting_name] (deprecated)
protoPayload.metadata.event.eventName.parameter.name[USER_CUSTOM_FIELD]
target.labels[user_custom_field] (deprecated)
protoPayload.metadata.event.eventName.parameter.name[USER_DEFINED_SETTING_NAME]
target.labels[user_defined_setting_name] (deprecated)
protoPayload.metadata.event.eventName.parameter.name[WEB_ORIGIN]
target.labels[web_origin] (deprecated)
protoPayload.metadata.event.eventName.parameter.name[WHITELISTED_GROUPS]
target.labels[whitelisted_groups] (deprecated)
protoPayload.metadata.event.eventName.parameter.name[APP_LICENSES_ORDER_NUMBER]
target.asset.labels[app_licenses_order_number]
protoPayload.metadata.event.eventName.parameter.name[CHROME_NUM_LICENSES_PURCHASED]
target.asset.labels[chrome_num_licenses_purchased]
protoPayload.metadata.event.eventName.parameter.name[DEVICE_COMMAND_DETAILS]
target.asset.labels[device_command_details]
protoPayload.metadata.event.eventName.parameter.name[DIRECTORY_API_ID]
target.asset.labels[directory_api_id]
protoPayload.metadata.event.eventName.parameter.name[GROUP_PRIORITIES]
target.group.attribute.labels[group_priorities]
protoPayload.request.cluster.subnetwork
target.resource_ancestors.attribute.labels[req_cls_subnetwork]
protoPayload.request.cluster.nodePools[].autoscaling.enabled
target.resource_ancestors.attribute.labels[req_clsNodePools_autoscaling_enabled]
protoPayload.request.cluster.nodePools[].autoscaling.maxNodeCount
target.resource_ancestors.attribute.labels[req_clsNodePools_autoscaling_max_node_cnt]
protoPayload.request.cluster.nodePools[].autoscaling.minNodeCount
target.resource_ancestors.attribute.labels[req_clsNodePools_autoscaling_min_node_cnt]
protoPayload.request.cluster.nodePools[].management.autoupgrade
target.resource_ancestors.attribute.labels[req_clsNodePools_autoupgrade]
protoPayload.request.cluster.nodePools[].config.diskSizeGb
target.resource_ancestors.attribute.labels[req_clsNodePools_config_disksize]
protoPayload.request.cluster.nodePools[].config.imageType
target.resource_ancestors.attribute.labels[req_clsNodePools_config_imagetype]
protoPayload.request.cluster.nodePools[].config.machineType
target.resource_ancestors.attribute.labels[req_clsNodePools_config_machinetype]
protoPayload.request.cluster.nodePools[].config.oauthScopes[]
target.resource_ancestors.attribute.labels[req_clsNodePools_config_oauth_scopes]
protoPayload.request.cluster.nodePools[].name
target.resource_ancestors.attribute.labels[req_clsNodePools_name]
protoPayload.request.cluster.nodePools[].initialNodeCount
target.resource_ancestors.attribute.labels[req_clsterNodePools_autoscaling_initial_node_cnt]
resource.data.oauth2ClientId
target.resource.attribute.labels [oauth_client_id]
protoPayload.request.properties.confidentialInstanceConfig.enableConfidentialCompute
target.resource.attribute.labels [ enable_confidential_compute]
protoPayload.request.function.timeout
target.resource.attribute.labels [ function_time_out]
protoPayload.requestMetadata.requestAttributes.auth.accessLevels
target.resource.attribute.labels [accessLevel]
protoPayload.request.date
target.resource.attribute.labels [audit_event_occurred]
protoPayload.request.auditId
target.resource.attribute.labels [audit_id]
protoPayload.request.autoscalingPolicy.mode
target.resource.attribute.labels [autoscaling_policy_mode]
protoPayload.request.autoscalingPolicy.coolDownPeriodSec
target.resource.attribute.labels [cool_down_period]
protoPayload.request.denieds.0.IPProtocol
target.resource.attribute.labels [Denied Protocol]
protoPayload.request.destinationRanges
target.resource.attribute.labels [destination_ranges]
protoPayload.request.function.entryPoint
target.resource.attribute.labels [function_entry_point]
protoPayload.request.function.httpsTrigger.securityLevel
target.resource.attribute.labels [function_httptrigger_security_level]
protoPayload.request.function.runtime
target.resource.attribute.labels [function_runtime]
protoPayload.request.function.serviceAccountEmail
target.resource.attribute.labels [function_service_account_email]
protoPayload.request.function.sourceUploadUrl
target.resource.attribute.labels [function_source_upload_url]
protoPayload.metadata.iapEnabled
target.resource.attribute.labels [iapEnabled]
protoPayload.request.listManagedInstancesResults
target.resource.attribute.labels [managed_instances_result]
protoPayload.request.autoscalingPolicy.maxNumReplicas
target.resource.attribute.labels [max_replicas]
protoPayload.request.autoscalingPolicy.minNumReplicas
target.resource.attribute.labels [min_replicas]
protoPayload.request.msgType
target.resource.attribute.labels [msg_type]
protoPayload.metadata.oauth_client_id
target.resource.attribute.labels [oauth_client_id]
protoPayload.request.autoscalingPolicy.cpuUtilization.predictiveMethod
target.resource.attribute.labels [predictive_method]
protoPayload.request.labels.0.value
target.resource.attribute.labels [protoPayload.request.labels.0.key]
protoPayload.request.queryId
target.resource.attribute.labels [query_id]
protoPayload.request.constraint
target.resource.attribute.labels [request_constraint]
protoPayload.request.dataAccessed
target.resource.attribute.labels [request_data_accessed]
protoPayload.request.function.labels.deployment-tool
target.resource.attribute.labels [request_deployment_tool]
protoPayload.request.properties.description
target.resource.attribute.labels [request_description]
protoPayload.request.function.name
target.resource.attribute.labels [request_function_name]
protoPayload.request.location
target.resource.attribute.labels [request_location]
protoPayload.request.policy.constraint
target.resource.attribute.labels [request_policy_constraint]
protoPayload.request.@type
target.resource.attribute.labels [request_type]
protoPayload.request.cmd
target.resource.attribute.labels [sql_operation_type ]
protoPayload.request.threadId
target.resource.attribute.labels [thread_id]
protoPayload.metadata.unsatisfied_access_levels
target.resource.attribute.labels [unsatisfied_access_levels]
protoPayload.request.autoscalingPolicy.cpuUtilization.utilizationTarget
target.resource.attribute.labels [utilization_target]
protoPayload.request.body.settings.backupConfiguration.binaryLogEnabled
target.resource.attribute.labels[backup_config_binarylog_enabled]
protoPayload.request.body.settings.backupConfiguration.enabled
target.resource.attribute.labels[backup_config_enabled]
protoPayload.request.body.settings.backupConfiguration.transactionLogRetentionDays
target.resource.attribute.labels[backup_config_logRetention_days]
protoPayload.request.body.settings.backupConfiguration.pointInTimeRecoveryEnabled
target.resource.attribute.labels[backup_config_point_in_time_recovery_enabled]
protoPayload.request.body.settings.backupConfiguration.backupRetentionSettings.retainedBackups
target.resource.attribute.labels[backup_config_retention_settings_retained_backups]
protoPayload.request.body.settings.backupConfiguration.backupRetentionSettings.retentionUnit
target.resource.attribute.labels[backup_config_retention_settings_unit]
protoPayload.request.body.settings.backupConfiguration.startTime
target.resource.attribute.labels[backup_config_start_time]
protoPayload.request.canIpForward
target.resource.attribute.labels[can_ip_forward]
resource.labels.cluster_name
target.resource.attribute.labels[cls_name]
request.cluster.name
target.resource.attribute.labels[cls_name]
protoPayload.request.body.settings.dataDiskSizeGb
target.resource.attribute.labels[data_disk_size_gb]
protoPayload.request.body.settings.dataDiskType
target.resource.attribute.labels[data_disk_type]
protoPayload.metadata.tableDataRead.fields
target.resource.attribute.labels[data_read_fields]
protoPayload.metadata.jobInsertion.job.jobConfig.extractConfig.destinationUris[]
target.resource.attribute.labels[destination_uris]
protoPayload.request.direction
target.resource.attribute.labels[direction]
resource.labels.email_id
target.resource.attribute.labels[email_id]
resource.email_id
target.resource.attribute.labels[email_id]
resource.labels.forwarding_rule_name
target.resource.attribute.labels[forwarding_rule_name]
protoPayload.request.body.settings.ipConfiguration.ipv4Enabled
target.resource.attribute.labels[ip_config_ipv4_enabled]
protoPayload.request.body.settings.ipconfiguration.privatNetwork
target.resource.attribute.labels[ip_config_private_network]
protoPayload.request.body.settings.ipconfiguration.requireSsl
target.resource.attribute.labels[ip_config_require_ssl]
protoPayload.metadata.jobChange.job.jobConfig.type
target.resource.attribute.labels[job_type]
protoPayload.metadata.jobChange.job.jobConfig.labels.looker_studio_report_id
target.resource.attribute.labels[job_change_looker_studio_report_id]
protoPayload.metadata.jobChange.job.jobConfig.labels.requestor
target.resource.attribute.labels[job_change_requestor]
protoPayload.metadata.jobChange.job.jobConfig.labels.looker_studio_datasource_id
target.resource.attribute.labels[job_change_looker_studio_datasource_id]
protoPayload.metadata.tableChange.table.tableName
target.resource.attribute.labels[metadata_changedTable_name]
protoPayload.metadata.tableCreation.table.expireTime
target.resource.attribute.labels[metadata_creationTable_expire_time]
protoPayload.request.body.settings.pricingPlan
target.resource.attribute.labels[pricing_plan]
resource.data.projectId
target.resource.attribute.labels[projectId]
resource.labels.instance_group_name
target.resource.attribute.labels[rc_instance_groupName]
resource.labels.method
target.resource.attribute.labels[rc_method]
protoPayload.resourceOriginalState.disabled
target.resource.attribute.labels[rc_orgState_disabled]
protoPayload.resourceOriginalState.enableLogging
target.resource.attribute.labels[rc_orgState_enable_logging]
protoPayload.resourceOriginalState.logconfig.enable
target.resource.attribute.labels[rc_orgState_logconfig_enable]
protoPayload.resourceOriginalState.selfLink
target.resource.attribute.labels[rc_orgState_selflink]
protoPayload.resourceOriginalState.sourceRanges
target.resource.attribute.labels[rc_orgState_srcranges]
protoPayload.resourceOriginalState.targetTags
target.resource.attribute.labels[rc_orgState_target_tags]
protoPayload.resourceOriginalState.@type
target.resource.attribute.labels[rc_orgState_type]
resource.labels.service
target.resource.attribute.labels[rc_service]
resource.labels.subnetwork_name
target.resource.attribute.labels[rc_subnetwork_name]
resource.labels.version
target.resource.attribute.labels[rc_version]
protoPayload.request.body.databaseVersion
target.resource.attribute.labels[req_body_dbVersion]
protoPayload.request.cluster.releaseChannel.channel
target.resource.attribute.labels[req_cls_channel]
protoPayload.request.cluster.addonsConfig.networkPolicyConfig.disabled
target.resource.attribute.labels[req_cls_policy_config_disabled]
protoPayload.request.reservationAffinity.consumeReservationType
target.resource.attribute.labels[req_consumeReservation_type]
protoPayload.request.disabled
target.resource.attribute.labels[req_disabled]
protoPayload.request.disks[].boot
target.resource.attribute.labels[req_disk_boot]
protoPayload.request.disks[].initializeParams.diskSizeGb
target.resource.attribute.labels[req_disk_initialize_disk_size]
protoPayload.request.disks[].initializeParams.diskType
target.resource.attribute.labels[req_disk_initialize_disk_type]
protoPayload.request.disks[].initializeParams.sourceImage
target.resource.attribute.labels[req_disk_initialize_source_image]
protoPayload.request.workloadIdentityPoolProvider.attributeCondition
target.resource.attribute.labels[req_identityPool_attribute_condition]
protoPayload.request.workloadIdentityPoolProvider.aws.accountId
target.resource.attribute.labels[req_identityPool_aws_accountId]
protoPayload.request.workloadIdentityPoolProvider.attributeMapping.attribute.aws_role
target.resource.attribute.labels[req_identityPool_aws_role]
protoPayload.request.workloadIdentityPool.description
target.resource.attribute.labels[req_identityPool_description]
protoPayload.request.workloadIdentityPool.disabled
target.resource.attribute.labels[req_identityPool_disabled]
protoPayload.request.workloadIdentityPoolProvider.displayName
target.resource.attribute.labels[req_identityPool_displayName]
protoPayload.request.workloadIdentityPoolProvider.attributeMapping.google.subject
target.resource.attribute.labels[req_identityPool_googleSubject]
protoPayload.request.workloadIdentityPoolProvider.disabled
target.resource.attribute.labels[req_identityPool_provider_disabled]
protoPayload.request.workloadIdentityPoolProviderId
target.resource.attribute.labels[req_identityPool_providerId]
protoPayload.request.instances[].instance
target.resource.attribute.labels[req_instance]
protoPayload.request.logconfig.enable
target.resource.attribute.labels[req_logconfig_enable]
protoPayload.serviceData.tabelDataListRequest.maxResults
target.resource.attribute.labels[req_max_results]
protoPayload.serviceData.jobGetQueryResultsRequest.maxResults
target.resource.attribute.labels[req_max_results]
protoPayload.request.maxResults
target.resource.attribute.labels[req_max_results]
protoPayload.request.name
target.resource.attribute.labels[req_name]
protoPayload.request.networkInterfaces[].accessConfig.name
target.resource.attribute.labels[req_network_access_config_name]
protoPayload.request.networkInterfaces[].accessConfig.networkTier
target.resource.attribute.labels[req_network_access_config_network_tier]
protoPayload.request.networkInterfaces[].accessConfig.type
target.resource.attribute.labels[req_network_access_config_type]
protoPayload.request.network
target.resource.attribute.labels[req_network]
protoPayload.request.priority
target.resource.attribute.labels[Request Priority]
protoPayload.request.project
target.resource.attribute.labels[req_project]
protoPayload.request.role.stage
target.resource.attribute.labels[req_role_stage]
protoPayload.request.scheduling.automaticRestart
target.resource.attribute.labels[req_scheduling_automatic_restart]
protoPayload.request.scheduling.onHostMaintenance
target.resource.attribute.labels[req_scheduling_on_host_mainten]
protoPayload.request.scheduling.preemptible
target.resource.attribute.labels[req_scheduling_preemptible]
protoPayload.request.service_account.description
target.resource.attribute.labels[req_serviceAcc_description]
protoPayload.request.serviceAccounts[].email
target.resource.attribute.labels[req_serviceAcc_email]
protoPayload.request.policy.booleanPolicy.enforced
target.resource.attribute.labels[request_constraint]
protoPayload.response.email
target.resource.attribute.labels[res_email]
protoPayload.response.etag
target.resource.attribute.labels[res_etag]
protoPayload.response.name
target.resource.attribute.labels[res_name]
protoPayload.response.operationType
target.resource.attribute.labels[response_operation_type]
protoPayload.response.zone
target.resource.attribute.labels[res_zone]
resource.data.name
target.resource.attribute.labels[resource_data_name]
protoPayload.response.booleanPolicy.enforced
target.resource.attribute.labels[response_enforce_policy]
protoPayload.response.status
target.resource.attribute.labels[response_status]
protoPayload.response.status.conditions.message
target.resource.attribute.labels[response_status]
protoPayload.serviceData.permissionDelta.addedPermissions[]
target.resource.attribute.labels[ser_added_perm]
protoPayload.serviceData.policyDelta.bindingDeltas[].action
target.resource.attribute.labels[ser_binding_deltas_action]
protoPayload.serviceData.policyDelta.bindingDeltas[].member
target.resource.attribute.labels[ser_binding_deltas_member]
Referred this from default parser.
target.resource.attribute.labels[ser_binding_deltas_member]
protoPayload.serviceData.jobGetQueryResultsResponse.job.jobConfiguration.query.destinationTable.datasetId
target.resource.attribute.labels[ser_destTable_datasetId]
protoPayload.serviceData.jobGetQueryResultsResponse.job.jobConfiguration.query.destinationTable.projectId
target.resource.attribute.labels[ser_destTable_projectId]
protoPayload.serviceData.jobGetQueryResultsResponse.job.jobConfiguration.query.destinationTable.tableId
target.resource.attribute.labels[ser_destTable_tableId]
protoPayload.serviceData.jobGetQueryResultsResponse.job.jobStatistics.createTime
target.resource.attribute.labels[ser_jobCreate_time]
protoPayload.serviceData.jobGetQueryResultsResponse.job.jobName.jobId
target.resource.attribute.labels[ser_req_jobId]
protoPayload.serviceData.jobGetQueryResultsResponse.job.jobConfiguration.query.query
target.resource.attribute.labels[ser_req_query]
protoPayload.serviceData.jobGetQueryResultsResponse.job.jobConfiguration.query.createDisposotion
target.resource.attribute.labels[ser_reqCreate_disposotion]
protoPayload.serviceData.jobGetQueryResultsResponse.job.jobName.location
target.resource.attribute.labels[ser_reqJob_location]
protoPayload.serviceData.jobGetQueryResultsResponse.job.jobName.projectId
target.resource.attribute.labels[ser_reqJob_projectid]
protoPayload.serviceData.jobGetQueryResultsResponse.job.jobStatistics.startTime
target.resource.attribute.labels[ser_reqJob_start_time]
protoPayload.serviceData.jobGetQueryResultsResponse.job.jobStatus.state
target.resource.attribute.labels[ser_reqJob_state]
protoPayload.serviceData.jobGetQueryResultsResponse.job.jobStatistics.totalSlotMs
target.resource.attribute.labels[ser_reqJob_total_slot_ms]
protoPayload.serviceData.jobGetQueryResultsResponse.job.jobConfiguration.query.statementType
target.resource.attribute.labels[ser_reqStatement_type]
protoPayload.serviceData.jobGetQueryResultsResponse.job.jobConfiguration.query.writeDisposition
target.resource.attribute.labels[ser_reqWrite_disposition]
protoPayload.serviceData.tableInsertRequest.resource.view.query
target.resource.attribute.labels[ser_tableInsert_query]
protoPayload.serviceData.@type
target.resource.attribute.labels[ser_type]
protoPayload.request.sourceRanges[]
target.resource.attribute.labels[source_ranges]
protoPayload.request.body.settings.storageAutoResize
target.resource.attribute.labels[storage_auto_resize]
resource.labels.target_proxy_name
target.resource.attribute.labels[target_proxy_name]
protoPayload.request.body.settings.tier
target.resource.attribute.labels[tier]
resource.labels.url_map_name
target.resource.attribute.labels[url_map_name]
protoPayload.request.cluster.network
target.resource_ancestors.attribute.labels[req_cls_network]
protoPayload.request.cluster.nodePools[].management.autoRepair
target.resource_ancestors.attribute.labels[req_clsNodePools_autorepair]
protoPayload.request.body.settings.availabilityType
target.resource.attribute.labels[resource_avaibilitytype]
protoPayload.metadata.tableCreation.table.schemaJSON
target.resource.attribute.labels[table_schemaJson]
protoPayload.metadata.event.eventName.parameter.name[BIRTHDATE]
target.user.attribute.labels[birthdate]
protoPayload.metadata.event.eventName.parameter.name[PRIVILEGE_NAME]
target.user.attribute.labels[privilege_name]
protoPayload.metadata.event.eventName.parameter.name[USER_NICKNAME]
target.user.attribute.labels[user_nickname]
resource.type
target.resource_ancestors.resource_type
If the resource.type log field value matches the regular expression gce_(firewall or forwarding_rule), then the target.resource_ancestors.resource_type UDM field is set to FIREWALL_RULE.
If the resource.type log field value matches the regular expression gce_(subnetwork or network), then the target.resource_ancestors.resource_type UDM field is set to VPC_NETWORK.
If the resource.type log field value matches the regular expression dataproc, then the target.resource_ancestors.resource_type UDM field is set to CLUSTER.
If the resource.type log field value matches the regular expression k8s or gke_, then the target.resource_ancestors.resource_type UDM field is set to CLUSTER.
If the resource.type log field value is equal to gce_backend_service, then the target.resource_ancestors.resource_type UDM field is set to BACKEND_SERVICE.
If the resource.type log field value matches the regular expression (gce_ or dns_query), then the target.resource.resource_type UDM field is set to VIRTUAL_MACHINE.
If the resource.type log field value matches the regular expression gcs_bucket, then the target.resource_ancestors.resource_type UDM field is set to STORAGE_BUCKET.
If the resource.type log field value matches the regular expression bigquery, then the target.resource_ancestors.resource_type UDM field is set to DATABASE.
If the resource.type log field value matches the regular expression cloudsql, then the target.resource_ancestors.resource_type UDM field is set to DATABASE.
If the resource.type log field value matches the regular expression service_account, then the target.resource_ancestors.resource_type UDM field is set to SERVICE_ACCOUNT.
If the resource.type log field value matches the regular expression project, then the target.resource_ancestors.resource_type UDM field is set to CLOUD_PROJECT.
If the resource.type log field value matches the regular expression organization, then the target.resource_ancestors.resource_type UDM field is set to CLOUD_ORGANIZATION.
Else, the target.resource_ancestors.resource_type UDM field is set to UNSPECIFIED.
If the resource.labels.project_id log field value is not empty, then the target.resource_ancestors.resource_type UDM field is set to CLOUD_PROJECT.
jsonPayload.end_time
about.labels[jsonPayload_end_time] (deprecated)
jsonPayload.packets_sent
network.sent_packets
jsonPayload.reporter
about.labels[jsonPayload_reporter] (deprecated)
jsonPayload.src_vpc.vpc_name
principal.resource.name
jsonPayload.src_vpc.project_id
principal.resource.product_object_id
jsonPayload.src_vpc.subnetwork_name
principal.resource.attribute.labels[jsonPayload_src_vpc_subnetwork_name]
jsonPayload.start_time
about.labels[jsonPayload_start_time] (deprecated)
jsonPayload.src_instance.region
principal.location.name
jsonPayload.src_instance.project_id
principal.labels[jsonPayload_src_instance_project_id] (deprecated)
jsonPayload.src_instance.zone
principal.cloud.availability_zone
resource.labels.subnetwork_id
target.resource.attribute.labels[resource_labels_subnetwork_id]
jsonPayload.dest_vpc.project_id
target.resource.product_object_id
jsonPayload.dest_vpc.subnetwork_name
target.resource.attribute.labels[jsonPayload_src_vpc_subnetwork_name]
jsonPayload.dest_vpc.vpc_name
target.resource.name
jsonPayload.dest_instance.region
target.location.name
jsonPayload.dest_instance.project_id
target.labels[jsonPayload_dest_instance_project_id] (deprecated)
jsonPayload.dest_instance.zone
target.cloud.availability_zone
jsonPayload.src_location.asn
principal.labels[jsonPayload_src_location_asn] (deprecated)
jsonPayload.src_location.city
principal.location.city
jsonPayload.src_location.continent
principal.labels[jsonPayload_src_location_continent] (deprecated)
jsonPayload.src_location.country
principal.location.country_or_region
jsonPayload.src_location.region
principal.labels[jsonPayload_src_location_region]
jsonPayload.dest_location.asn
target.labels[jsonPayload_dest_location_asn] (deprecated)
jsonPayload.dest_location.city
target.location.city
jsonPayload.dest_location.continent
target.labels[jsonPayload_dest_location_continent] (deprecated)
jsonPayload.dest_location.region
target.labels[jsonPayload_dest_location_region]
protoPayload.metadata.ingressViolations.servicePerimeter
security_result.detection_fields[protoPayload_metadata_ingressViolations_serviceParameter]
protoPayload.metadata.ingressViolations.source
security_result.detection_fields[protoPayload_metadata_ingressViolations_source]
protoPayload.metadata.ingressViolations.sourceType
security_result.detection_fields[protoPayload_metadata_ingressViolations_sourceType]
protoPayload.metadata.ingressViolations.targetResource
security_result.detection_fields[protoPayload_metadata_ingressViolations_targetResource]
protoPayload.request.subjects.name
target.user.attribute.labels[subject_name]
protoPayload.request.spec.containers.0.image
target.process.command_line
protoPayload.request.spec.containers.0.name
target.resource.attribute.labels[name]
protoPayload.request.spec.containers.0.terminationMessagePolicy
target.resource.attribute.labels[terminationMessagePolicy]
protoPayload.request.spec.containers.0.terminationMessagePath
target.resource.attribute.labels[terminationMessagePath]
protoPayload.request.spec.containers.0.imagePullPolicy
target.resource.attribute.labels[imagePullPolicy]
protoPayload.request.spec.dnsPolicy
target.resource.attribute.labels[imagePullPolicy]
protoPayload.request.spec.enableServiceLinks
target.resource.attribute.labels[enableServiceLinks]
protoPayload.request.spec.restartPolicy
target.resource.attribute.labels[restartPolicy]
protoPayload.request.spec.schedulerName
target.resource.attribute.labels[schedulerName]
protoPayload.request.spec.terminationGracePeriodSeconds
target.resource.attribute.labels[protoPayload_request_spec_terminationGracePeriodSeconds]
protoPayload.request.metadata.namespace
principal.namespace
protoPayload.request.apiVersion
target.resource.attribute.labels [request apiVersion]
protoPayload.request.kind
target.resource.attribute.labels[request.kind]
protoPayload.request.metadata.name
target.resource.attribute.labels[request.metadata.name]
labels.mutation.webhook.admission.k8s.io/round_0_index_0
security_result.about.resource.attribute.labels[labels_round_0_index_0]
protoPayload.request.spec.containers.0.args
about.file.capabilities_tags
protoPayload.request.properties.disks.0.initializeParams.diskSizeGb
principal.resource.attribute.labels[diskSizeGb]
protoPayload.request.properties.disks.0.initializeParams.diskType
principal.resource.attribute.labels[diskType]
protoPayload.request.properties.disks.0.initializeParams.guestOsFeatures.0.type
principal.resource.attribute.labels[guestOsFeatures type]
protoPayload.request.properties.disks.0.initializeParams.labels.0.key
principal.resource.attribute.labels[protoPayload.request.properties.disks.0.initializeParams.labels.0.key]
protoPayload.request.properties.disks.0.initializeParams.sourceImage
principal.resource.attribute.labels[sourceImage]
protoPayload.request.properties.disks.0.type
principal.resource.attribute.labels[disks Type]
key_id
security_result.detection_fields[key_id]
The key_id field value is extracted from the message log field using a Grok pattern.
protoPayload.request.securityHealthAnalyticsSettings.modules.PUBLIC_BUCKET_ACL.moduleEnablementState
target.resource.attribute.labels[PUBLIC_BUCKET_ACL_module_enablement_state]
protoPayload.response.serviceEnablementState
target.resource.attribute.labels[service_enablement_state]
protoPayload.request.metadata.creationTimestamp
target.resource.attribute.creation_time
protoPayload.request.metadata.labels.trivy.automatic.created
target.resource.attribute.labels[req_metadata_trivy_automatic_created]
protoPayload.request.metadata.labels.trivy.collector.name
target.resource.attribute.labels[req_metadata_trivy_collector_name]
protoPayload.request.metadata.labels.trivy.resource.kind
target.resource.attribute.labels[req_metadata_trivy_resource_kind]
protoPayload.request.metadata.labels.trivy.resource.name
target.resource.attribute.labels[req_metadata_trivy_resource_name]
protoPayload.request.spec.backoffLimit
target.resource.attribute.labels[req_spec_backoff_limit]
protoPayload.request.spec.completionMode
target.resource.attribute.labels[req_spec_completion_mode]
protoPayload.request.spec.completions
target.resource.attribute.labels[req_spec_completions]
protoPayload.request.spec.parallelism
target.resource.attribute.labels[req_spec_parallelism]
protoPayload.request.spec.suspend
target.resource.attribute.labels[req_spec_suspend]
protoPayload.request.spec.template.metadata.creationTimestamp
target.resource.attribute.labels[req_spec_template_metadata_creation_time]
protoPayload.request.spec.template.metadata.labels.app
target.resource.attribute.labels[req_spec_template_metadata_app]
protoPayload.request.spec.template.spec.automountServiceAccountToken
target.resource.attribute.labels[req_spec_template_spec_automount_service_account_token]
protoPayload.request.spec.template.spec.containers.command
target.resource_ancestors.attribute.labels[req_spec_template_spec_container_command]
protoPayload.request.spec.template.spec.containers.image
target.resource_ancestors.attribute.labels[req_spec_template_spec_container_image]
protoPayload.request.spec.template.spec.containers.imagePullPolicy
target.resource_ancestors.attribute.labels[req_spec_template_spec_container_image_pull_policy]
protoPayload.request.spec.template.spec.containers.name
target.resource_ancestors.name
protoPayload.request.spec.template.spec.containers.resources.limits.cpu
target.resource_ancestors.attribute.labels[req_spec_template_spec_container_resource_limits_cpu]
protoPayload.request.spec.template.spec.containers.resources.limits.memory
target.resource_ancestors.attribute.labels[req_spec_template_spec_container_resource_limits_memory]
protoPayload.request.spec.template.spec.containers.resources.requests.cpu
target.resource_ancestors.attribute.labels[req_spec_template_spec_container_resource_request_cpu]
protoPayload.request.spec.template.spec.containers.resources.requests.memory
target.resource_ancestors.attribute.labels[req_spec_template_spec_container_resource_request_memory]
protoPayload.request.spec.template.spec.containers.securityContext.allowPrivilegeEscalation
target.resource_ancestors.attribute.labels[req_spec_template_spec_container_security_context_allow_privilege_escalation]
protoPayload.request.spec.template.spec.containers.securityContext.capabilities.drop
target.resource_ancestors.attribute.labels[req_spec_template_spec_container_security_context_capabilities_drop]
protoPayload.request.spec.template.spec.containers.securityContext.privileged
target.resource_ancestors.attribute.labels[req_spec_template_spec_container_security_context_privileged]
protoPayload.request.spec.template.spec.containers.securityContext.readOnlyRootFilesystem
target.resource_ancestors.attribute.labels[req_spec_template_spec_container_security_context_read_only_root_filesystem]
protoPayload.request.spec.template.spec.containers.terminationMessagePath
target.resource_ancestors.attribute.labels[req_spec_template_spec_container_termination_message_path]
protoPayload.request.spec.template.spec.containers.terminationMessagePolicy
target.resource_ancestors.attribute.labels[req_spec_template_spec_container_termination_message_policy]
protoPayload.request.spec.template.spec.containers.volumeMounts.mountPath
target.resource_ancestors.attribute.labels[req_spec_template_spec_container_volume_mounts_mount_path]
protoPayload.request.spec.template.spec.containers.volumeMounts.name
target.resource_ancestors.attribute.labels[req_spec_template_spec_container_volume_mounts_name]
protoPayload.request.spec.template.spec.containers.volumeMounts.readOnly
target.resource_ancestors.attribute.labels[req_spec_template_spec_container_volume_mounts_readonly]
protoPayload.request.spec.template.spec.dnsPolicy
target.resource.attribute.labels[req_spec_template_spec_dns_policy]
protoPayload.request.spec.template.spec.hostPID
target.resource.attribute.labels[req_spec_template_spec_host_pid]
protoPayload.request.spec.template.spec.restartPolicy
target.resource.attribute.labels[req_spec_template_spec_restart_policy]
protoPayload.request.spec.template.spec.schedulerName
target.resource.attribute.labels[req_spec_template_spec_scheduler_name]
protoPayload.request.spec.template.spec.securityContext.runAsGroup
target.resource.attribute.labels[req_spec_template_spec_security_context_run_as_group]
protoPayload.request.spec.template.spec.securityContext.runAsUser
target.resource.attribute.labels[req_spec_template_spec_security_context_run_as_user]
protoPayload.request.spec.template.spec.securityContext.seccompProfile.type
target.resource.attribute.labels[req_spec_template_spec_security_context_seccomp_profile_type]
protoPayload.request.spec.template.spec.terminationGracePeriodSeconds
target.resource.attribute.labels[req_spec_template_spec_termination_grace_period_seconds]
protoPayload.request.spec.template.spec.volumes.hostPath.path
target.resource.attribute.labels[req_spec_template_spec_volumes_host_path]
protoPayload.request.spec.template.spec.volumes.hostPath.type
target.resource.attribute.labels[req_spec_template_spec_volumes_host_path_type]
protoPayload.request.spec.template.spec.volumes.name
target.resource.attribute.labels[req_spec_template_spec_volumes_name]
protoPayload.request.spec.automountServiceAccountToken
target.resource.attribute.labels[req_spec_automount_service_account_token]
protoPayload.request.spec.containers.command
target.resource.attribute.labels[req_spec_container_command]
protoPayload.request.spec.containers.securityContext.privileged
target.resource.attribute.labels[req_spec_container_security_context_privileged]
protoPayload.request.spec.containers.securityContext.allowPrivilegeEscalation
target.resource.attribute.labels[req_spec_container_security_context_allow_privilege_escalation]
protoPayload.request.spec.containers.securityContext.readOnlyRootFilesystem
target.resource.attribute.labels[req_spec_container_security_context_read_only_root_filesystem]
protoPayload.request.spec.containers.securityContext.capabilities.drop
target.resource.attribute.labels[req_spec_container_security_context_capabilities_drop]
protoPayload.request.spec.containers.volumeMounts.mountPath
target.resource.attribute.labels[req_spec_container_volume_mount_path]
protoPayload.request.spec.containers.volumeMounts.name
target.resource.attribute.labels[req_spec_container_volume_mount_name]
protoPayload.request.spec.containers.volumeMounts.readOnly
target.resource.attribute.labels[req_spec_container_volume_mount_read_only]
protoPayload.request.metadata.annotations.deprecated.daemonset.template.generation
target.resource.attribute.labels[req_metadata_annotations_deprecated_daemonset_template_generation]
protoPayload.request.metadata.labels.app
target.resource.attribute.labels[req_metadata_app]
protoPayload.request.metadata.labels.type
target.resource.attribute.labels[req_metadata_labels_type]
protoPayload.request.spec.serviceAccount
target.resource.attribute.labels[req_spec_service_account]
protoPayload.request.spec.serviceAccountName
target.resource.attribute.labels[req_spec_serivce_account_name]
protoPayload.request.spec.hostIPC
target.resource.attribute.labels[req_spec_host_ipc]
protoPayload.request.spec.hostNetwork
target.resource.attribute.labels[req_spec_host_network]
protoPayload.request.spec.hostPID
target.resource.attribute.labels[req_spec_host_pid]
protoPayload.request.spec.nodeName
target.resource.attribute.labels[req_spec_node_name]
protoPayload.request.spec.securityContext.privileged
target.resource.attribute.labels[req_spec_security_context_privileged]
protoPayload.request.spec.securityContext.allowPrivilegeEscalation
target.resource.attribute.labels[req_spec_security_context_allow_privilege_escalation]
protoPayload.request.spec.securityContext.readOnlyRootFilesystem
target.resource.attribute.labels[req_spec_security_context_read_only_root_filesystem]
protoPayload.request.spec.securityContext.capabilities.drop
target.resource.attribute.labels[req_spec_security_context_capabilities_drop]
protoPayload.request.spec.volumes.hostPath.path
target.resource.attribute.labels[req_spec_volume_host_path]
protoPayload.request.spec.volumes.hostPath.type
target.resource.attribute.labels[req_spec_volume_host_path_type]
protoPayload.request.spec.volumes.name
target.resource.attribute.labels[req_spec_volume_name]
protoPayload.request.spec.revisionHistoryLimit
target.resource.attribute.labels[req_spec_revision_history_limit]
protoPayload.request.spec.selector.matchLabels.app
target.resource.attribute.labels[req_spec_selector_match_label_app]
protoPayload.request.spec.selector.matchLabels.type
target.resource.attribute.labels[req_spec_selector_match_label_type]
protoPayload.request.spec.template.metadata.labels.type
target.resource.attribute.labels[req_spec_template_metadata_labels_type]
protoPayload.request.spec.template.spec.containers.args
target.resource.attribute.labels[req_spec_template_spec_container_arg]
protoPayload.request.spec.template.spec.hostIPC
target.resource.attribute.labels[req_spec_template_spec_host_ipc]
protoPayload.request.spec.template.spec.hostNetwork
target.resource.attribute.labels[req_spec_template_spec_host_network]
protoPayload.request.spec.updateStrategy.rollingUpdate.maxSurge
target.resource.attribute.labels[req_spec_update_strategy_rolling_update_max_surge]
protoPayload.request.spec.updateStrategy.rollingUpdate.maxUnavailable
target.resource.attribute.labels[req_spec_update_strategy_rolling_update_max_unavailable]
protoPayload.request.spec.updateStrategy.type
target.resource.attribute.labels[req_spec_update_strategy_type]
protoPayload.request.status.currentNumberScheduled
target.resource.attribute.labels[req_status_current_number_scheduled]
protoPayload.request.status.desiredNumberScheduled
target.resource.attribute.labels[req_status_desired_number_scheduled]
protoPayload.request.status.numberMisscheduled
target.resource.attribute.labels[req_status_number_miss_scheduled]
protoPayload.request.status.numberReady
target.resource.attribute.labels[req_status_number_ready]
protoPayload.response.@type
target.resource.attribute.labels[res_type]
protoPayload.response.apiVersion
target.resource.attribute.labels[res_api_version]
protoPayload.response.metadata.annotations.deprecated.daemonset.template.generation
target.resource.attribute.labels[res_metadata_annotations_deprecated_daemonset_template_generation]
protoPayload.response.metadata.generation
target.resource.attribute.labels[res_metadata_generation]
protoPayload.response.metadata.labels.type
target.resource.attribute.labels[res_metadata_labels_type]
protoPayload.response.metadata.labels.app
target.resource.attribute.labels[res_metadata_label_app]
protoPayload.response.metadata.creationTimestamp
target.resource.attribute.labels[res_metadata_creation_time]
protoPayload.response.metadata.name
target.resource.attribute.labels[res_metadata_name]
protoPayload.response.metadata.namespace
target.resource.attribute.labels[res_metadata_namespace]
protoPayload.response.metadata.resourceVersion
target.resource.attribute.labels[res_metadata_resource_version]
protoPayload.response.metadata.uid
target.resource.attribute.labels[res_metadata_uid]
protoPayload.response.spec.revisionHistoryLimit
target.resource.attribute.labels[res_spec_revision_history_limit]
protoPayload.response.spec.selector.matchLabels.app
target.resource.attribute.labels[res_spec_selector_match_label_app]
protoPayload.response.spec.selector.matchLabels.type
target.resource.attribute.labels[res_spec_selector_match_label_type]
protoPayload.response.spec.template.metadata.creationTimestamp
target.resource.attribute.labels[res_spec_template_metadata_creation_time]
protoPayload.response.spec.template.metadata.labels.app
target.resource.attribute.labels[res_spec_template_metadata_app]
protoPayload.response.spec.template.metadata.labels.type
target.resource.attribute.labels[res_spec_template_metadata_type]
protoPayload.response.spec.template.spec.containers.args
target.resource_ancestors.attribute.labels[res_spec_template_spec_container_arg]
protoPayload.response.spec.template.spec.containers.command
target.resource_ancestors.attribute.labels[res_spec_template_spec_container_command]
protoPayload.response.spec.template.spec.containers.image
target.resource_ancestors.attribute.labels[res_spec_template_spec_container_image]
protoPayload.response.spec.template.spec.containers.imagePullPolicy
target.resource_ancestors.attribute.labels[res_spec_template_spec_container_image_pull_policy]
protoPayload.response.spec.template.spec.containers.name
target.resource_ancestors.name
protoPayload.response.spec.template.spec.containers.resources.limits.cpu
target.resource_ancestors.attribute.labels[res_spec_template_spec_container_resource_limits_cpu]
protoPayload.response.spec.template.spec.containers.resources.limits.memory
target.resource_ancestors.attribute.labels[res_spec_template_spec_container_resource_limits_memory]
protoPayload.response.spec.template.spec.containers.resources.requests.cpu
target.resource_ancestors.attribute.labels[res_spec_template_spec_container_resource_request_cpu]
protoPayload.response.spec.template.spec.containers.resources.requests.memory
target.resource_ancestors.attribute.labels[res_spec_template_spec_container_resource_request_memory]
protoPayload.response.spec.template.spec.containers.securityContext.privileged
target.resource_ancestors.attribute.labels[res_spec_template_spec_container_security_context_privileged]
protoPayload.response.spec.template.spec.containers.securityContext.allowPrivilegeEscalation
target.resource_ancestors.attribute.labels[res_spec_template_spec_container_security_context_allow_privilege_escalation]
protoPayload.response.spec.template.spec.containers.securityContext.readOnlyRootFilesystem
target.resource_ancestors.attribute.labels[res_spec_template_spec_container_security_context_read_only_root_filesystem]
protoPayload.response.spec.template.spec.containers.securityContext.capabilities.drop
target.resource_ancestors.attribute.labels[res_spec_template_spec_container_security_context_capabilities_drop]
protoPayload.response.spec.template.spec.containers.terminationMessagePath
target.resource_ancestors.attribute.labels[res_spec_template_spec_container_termination_message_path]
protoPayload.response.spec.template.spec.containers.terminationMessagePolicy
target.resource_ancestors.attribute.labels[res_spec_template_spec_container_termination_message_policy]
protoPayload.response.spec.template.spec.containers.volumeMounts.mountPath
target.resource_ancestors.attribute.labels[res_spec_template_spec_container_volume_mounts_mount_path]
protoPayload.response.spec.template.spec.containers.volumeMounts.name
target.resource_ancestors.attribute.labels[res_spec_template_spec_container_volume_mounts_name]
protoPayload.response.spec.template.spec.containers.volumeMounts.readOnly
target.resource_ancestors.attribute.labels[res_spec_template_spec_container_volume_mounts_read_only]
protoPayload.response.spec.template.spec.dnsPolicy
target.resource.attribute.labels[res_spec_template_spec_dns_policy]
protoPayload.response.spec.template.spec.hostIPC
target.resource.attribute.labels[res_spec_template_spec_host_pid]
protoPayload.response.spec.template.spec.hostNetwork
target.resource.attribute.labels[res_spec_template_spec_host_network]
protoPayload.response.spec.template.spec.hostPID
target.resource.attribute.labels[res_spec_template_spec_host_ipc]
protoPayload.response.spec.template.spec.nodeName
target.resource.attribute.labels[res_spec_template_spec_node_name]
protoPayload.response.spec.template.spec.restartPolicy
target.resource.attribute.labels[res_spec_template_spec_restart_policy]
protoPayload.response.spec.template.spec.schedulerName
target.resource.attribute.labels[res_spec_template_spec_scheduler_name]
protoPayload.response.spec.template.spec.securityContext.runAsGroup
target.resource.attribute.labels[res_spec_template_spec_security_context_run_as_group]
protoPayload.response.spec.template.spec.securityContext.runAsUser
target.resource.attribute.labels[res_spec_template_spec_security_context_run_as_user]
protoPayload.response.spec.template.spec.securityContext.seccompProfile.type
target.resource.attribute.labels[res_spec_template_spec_security_context_seccomp_profile_type]
protoPayload.response.spec.template.spec.terminationGracePeriodSeconds
target.resource.attribute.labels[res_spec_template_spec_termination_grace_period_seconds]
protoPayload.response.spec.template.spec.volumes.hostPath.path
target.resource.attribute.labels[res_spec_template_spec_volumes_host_path]
protoPayload.response.spec.template.spec.volumes.hostPath.type
target.resource.attribute.labels[res_spec_template_spec_volumes_host_path_type]
protoPayload.response.spec.template.spec.volumes.name
target.resource.attribute.labels[res_spec_template_spec_volumes_name]
protoPayload.response.spec.updateStrategy.rollingUpdate.maxSurge
target.resource.attribute.labels[res_spec_update_strategy_rolling_update_max_surge]
protoPayload.response.spec.updateStrategy.rollingUpdate.maxUnavailable
target.resource.attribute.labels[res_spec_update_strategy_rolling_update_max_unavailable]
protoPayload.response.spec.updateStrategy.type
target.resource.attribute.labels[res_spec_update_strategy_type]
protoPayload.response.spec.containers.args
target.resource_ancestors.attribute.labels[res_spec_container_arg]
protoPayload.response.spec.containers.command
target.resource_ancestors.attribute.labels[res_spec_container_command]
protoPayload.response.spec.containers.image
target.resource_ancestors.attribute.labels[res_spec_container_image]
protoPayload.response.spec.containers.imagePullPolicy
target.resource_ancestors.attribute.labels[res_spec_container_image_pull_policy]
protoPayload.response.spec.containers.name
target.resource_ancestors.name
protoPayload.response.spec.containers.securityContext.privileged
target.resource_ancestors.attribute.labels[res_spec_container_security_context_privileged]
protoPayload.response.spec.containers.securityContext.allowPrivilegeEscalation
target.resource_ancestors.attribute.labels[res_spec_container_security_context_allow_privilege_escalation]
protoPayload.response.spec.containers.securityContext.readOnlyRootFilesystem
target.resource_ancestors.attribute.labels[res_spec_container_security_context_read_only_root_filesystem]
protoPayload.response.spec.containers.securityContext.capabilities.drop
target.resource_ancestors.attribute.labels[res_spec_container_security_context_capabilities_drop]
protoPayload.response.spec.containers.terminationMessagePath
target.resource_ancestors.attribute.labels[res_spec_container_termination_message_path]
protoPayload.response.spec.containers.terminationMessagePolicy
target.resource_ancestors.attribute.labels[res_spec_container_termination_message_policy]
protoPayload.response.spec.containers.volumeMounts.mountPath
target.resource_ancestors.attribute.labels[res_spec_container_volume_mount_path]
protoPayload.response.spec.containers.volumeMounts.name
target.resource_ancestors.attribute.labels[res_spec_container_volume_mount_name]
protoPayload.response.spec.containers.volumeMounts.readOnly
target.resource_ancestors.attribute.labels[res_spec_container_volume_mount_read_only]
protoPayload.response.spec.dnsPolicy
target.resource.attribute.labels[res_spec_dns_policy]
protoPayload.response.spec.enableServiceLinks
target.resource.attribute.labels[res_spec_enable_service_links]
protoPayload.response.spec.hostIPC
target.resource.attribute.labels[res_spec_host_ipc]
protoPayload.response.spec.hostNetwork
target.resource.attribute.labels[res_spec_host_network]
protoPayload.response.spec.hostPID
target.resource.attribute.labels[res_spec_host_pid]
protoPayload.response.spec.nodeName
target.resource.attribute.labels[res_spec_node_name]
protoPayload.response.spec.preemptionPolicy
target.resource.attribute.labels[res_spec_preemption_policy]
protoPayload.response.spec.priority
target.resource.attribute.labels[res_spec_priority]
protoPayload.response.spec.restartPolicy
target.resource.attribute.labels[res_spec_restart_policy]
protoPayload.response.spec.schedulerName
target.resource.attribute.labels[res_spec_scheduler_name]
protoPayload.response.spec.serviceAccount
target.resource.attribute.labels[res_spec_service_account]
protoPayload.response.spec.serviceAccountName
target.resource.attribute.labels[res_spec_serivce_account_name]
protoPayload.response.spec.terminationGracePeriodSeconds
target.resource.attribute.labels[res_spec_termination_grace_period_seconds]
protoPayload.response.spec.tolerations.effect
target.resource.attribute.labels[res_spec_toleration_effect]
protoPayload.response.spec.tolerations.key
target.resource.attribute.labels[res_spec_toleration_key]
protoPayload.response.spec.tolerations.operator
target.resource.attribute.labels[res_spec_toleration_operator]
protoPayload.response.spec.tolerations.tolerationSeconds
target.resource.attribute.labels[res_spec_toleration_second]
protoPayload.response.spec.volumes.hostPath.path
target.resource.attribute.labels[res_spec_volume_host_path]
protoPayload.response.spec.volumes.hostPath.type
target.resource.attribute.labels[res_spec_volume_host_path_type]
protoPayload.response.spec.volumes.name
target.resource.attribute.labels[res_spec_volume_name]
protoPayload.response.spec.volumes.projected.defaultMode
target.resource.attribute.labels[res_spec_volume_projected_default_mode]
protoPayload.response.spec.volumes.projected.sources.serviceAccountToken.expirationSeconds
target.resource.attribute.labels[res_spec_volume_projected_src_service_acc_token_ecpiration_sec]
protoPayload.response.spec.volumes.projected.sources.serviceAccountToken.path
target.resource.attribute.labels[res_spec_volume_projected_src_service_acc_token_path]
protoPayload.response.spec.volumes.projected.sources.configMap.items.key
target.resource.attribute.labels[res_spec_volume_projected_src_config_map_item_key]
protoPayload.response.spec.volumes.projected.sources.configMap.items.path
target.resource.attribute.labels[res_spec_volume_projected_src_config_map_item_path]
protoPayload.response.spec.volumes.projected.sources.configMap.name
target.resource.attribute.labels[res_spec_volume_projected_src_config_map_name]
protoPayload.response.spec.volumes.projected.sources.downwardAPI.items.fieldRef.apiVersion
target.resource.attribute.labels[res_spec_volume_projected_src_downward_api_item_field_ref_api_version]
protoPayload.response.spec.volumes.projected.sources.downwardAPI.items.fieldRef.fieldPath
target.resource.attribute.labels[res_spec_volume_projected_src_downward_api_item_field_ref_field_path]
protoPayload.response.spec.volumes.projected.sources.downwardAPI.items.path
target.resource.attribute.labels[res_spec_volume_projected_src_downward_api_item_path]
protoPayload.response.status.phase
target.resource.attribute.labels[res_status_phase]
protoPayload.response.status.qosClass
target.resource.attribute.labels[res_status_qos_class]
protoPayload.response.status.currentNumberScheduled
target.resource.attribute.labels[res_status_current_number_scheduled]
protoPayload.response.status.desiredNumberScheduled
target.resource.attribute.labels[res_status_desired_number_scheduled]
protoPayload.response.status.numberMisscheduled
target.resource.attribute.labels[res_status_number_miss_scheduled]
protoPayload.response.status.numberReady
target.resource.attribute.labels[res_status_number_ready]
protoPayload.serviceData.jobCompletedEvent.job.jobConfiguration.labels.requestor
target.resource.attribute.labels[ser_jobconf_requestor]
protoPayload.serviceData.jobCompletedEvent.job.jobConfiguration.labels.looker_studio_datasource_id
target.resource.attribute.labels[ser_jobconf_looker_studio_datasource_id]
protoPayload.serviceData.jobCompletedEvent.job.jobConfiguration.labels.looker_studio_report_id
target.resource.attribute.labels[ser_jobconf_looker_studio_report_id]
labels.authorization.k8s.io/decision
security_result.action
If the labels.authorization.k8s.io/decision log field value is equal to allow, then the security_result.action UDM field is set to ALLOW. Else, if the labels.authorization.k8s.io/decision log field value is equal to block, then the security_result.action UDM field is set to BLOCK.
labels.pod-security.kubernetes.io/enforce-policy
security_result.detection_fields[pod_security_kubernetes_io_enforce_policy]
labels.authorization.k8s.io/reason
security_result.action_details
protoPayload.request.roleRef.apiGroup
target.user.attribute.labels[req_role_ref_api_group]
protoPayload.request.roleRef.kind
target.user.attribute.labels[req_role_ref_kind]
protoPayload.request.roleRef.name
target.user.attribute.roles.name
protoPayload.request.subjects.apiGroup
target.user.attribute.labels[req_subject_api_group]
protoPayload.request.subjects.kind
target.user.attribute.labels[req_subject_kind]
protoPayload.request.rules.apiGroups
security_result.rule_labels[req_rule_api_group]
protoPayload.request.rules.resources
security_result.rule_labels[req_rule_resource]
protoPayload.request.rules.verbs
security_result.rule_labels[req_rule_verb]
protoPayload.request.rules.resourceNames
security_result.rule_labels[req_rule_resource_name]
protoPayload.response.metadata.managedFields.apiVersion
target.resource.attribute.labels[res_managed_field_api_version]
protoPayload.response.metadata.managedFields.fieldsType
target.resource.attribute.labels[res_managed_field_type]
protoPayload.response.metadata.managedFields.manager
target.resource.attribute.labels[res_managed_field_manager]
protoPayload.response.metadata.managedFields.operation
target.resource.attribute.labels[res_managed_field_operation]
protoPayload.response.metadata.managedFields.time
target.resource.attribute.labels[res_managed_field_time]
protoPayload.request.spec.containers.securityContext.capabilities.add
target.resource_ancestors.attribute.labels[req_spec_container_security_context_capabilities_add]
protoPayload.request.spec.containers.securityContext.seccompProfile.type
target.resource_ancestors.attribute.labels[req_spec_container_security_context_seccomp_profile_type]
protoPayload.request.spec.shareProcessNamespace
target.resource.attribute.labels[req_spec_share_process_namespace]
protoPayload.response.spec.containers.securityContext.capabilities.add
target.resource_ancestors.attribute.labels[res_spec_container_security_context_capabilities_add]
protoPayload.response.spec.containers.securityContext.seccompProfile.type
target.resource_ancestors.attribute.labels[res_spec_container_security_context_seccomp_profile_type]
protoPayload.response.spec.shareProcessNamespace
target.resource.attribute.labels[res_spec_share_process_namespace]
protoPayload.metadata.membershipDelta.member
target.resource.attribute.labels[membership_delta_member]
protoPayload.metadata.membershipDelta.roleDeltas.action
target.resource.attribute.labels[membership_role_deltas_action]
protoPayload.metadata.membershipDelta.roleDeltas.role
target.resource.attribute.labels[membership_role_deltas_role]
protoPayload.request.spec.resourceAttributes.namespace
target.resource.attribute.labels[req_spec_resource_attribute_namespace]
protoPayload.request.spec.resourceAttributes.resource
target.resource.attribute.labels[req_spec_resource_attribute_resource]
protoPayload.request.spec.resourceAttributes.verb
target.resource.attribute.labels[req_spec_resource_attribute_verb]
protoPayload.request.status.allowed
target.resource.attribute.labels[req_status_allowed]
protoPayload.response.spec.resourceAttributes.namespace
target.resource.attribute.labels[res_spec_resource_attribute_namespace]
protoPayload.response.spec.resourceAttributes.resource
target.resource.attribute.labels[res_spec_resource_attribute_resource]
protoPayload.response.spec.resourceAttributes.verb
target.resource.attribute.labels[res_spec_resource_attribute_verb]
protoPayload.response.status.allowed
target.resource.attribute.labels[res_status_allowed]
protoPayload.request.objects.db
additional.fields[database_name]
jsonPayload.accesses.methodName
additional.fields[methodName]
protoPayload.request.objects.name
additional.fields[objects_name]
protoPayload.metadata.event.eventName.parameter.name[API_CLIENT_NAME]
additional.fields[api_client_name]
protoPayload.metadata.event.eventName.parameter.name[API_SCOPES]
additional.fields[api_scopes]
protoPayload.metadata.event.eventName.parameter.name[BEGIN_DATE_TIME]
additional.fields[begin_date_time]
protoPayload.metadata.event.eventName.parameter.name[BULK_UPLOAD_FAIL_USERS_NUMBER]
additional.fields[bulk_upload_fail_users_number]
protoPayload.metadata.event.eventName.parameter.name[BULK_UPLOAD_TOTAL_USERS_NUMBER]
additional.fields[bulk_upload_total_users_number]
protoPayload.metadata.event.eventName.parameter.name[CAA_ASSIGNMENTS_NEW]
additional.fields[caa_assignments_new]
protoPayload.metadata.event.eventName.parameter.name[CAA_ASSIGNMENTS_OLD]
additional.fields[caa_assignments_old]
protoPayload.metadata.event.eventName.parameter.name[CAA_ENFORCEMENT_ENDPOINTS_NEW]
additional.fields[caa_enforcement_endpoints_new]
protoPayload.metadata.event.eventName.parameter.name[CAA_ENFORCEMENT_ENDPOINTS_OLD]
additional.fields[caa_enforcement_endpoints_old]
protoPayload.requestMetadata.requestAttributes.size
additional.fields[caller_network_request_size]
protoPayload.requestMetadata.requestAttributes.time
additional.fields[caller_network_request_time]
protoPayload.requestMetadata.callerNetwork
additional.fields[caller_network]
protoPayload.requestMetadata.requestAttributes.size
additional.fields[caller_network_request_size]
protoPayload.requestMetadata.requestAttributes.time
additional.fields[request_attributes_time]
protoPayload.requestMetadata.callerNetwork
additional.fields[caller_network]
protoPayload.metadata.event.eventName.parameter.name[CHROME_LICENSES_ENABLED]
additional.fields[chrome_licenses_enabled]
protoPayload.metadata.event.eventName.parameter.name[END_DATE_TIME]
additional.fields[end_date_time]
protoPayload.metadata.event.eventName.parameter.name[END_DATE]
additional.fields[end_date]
protoType.metadata.event.eventName
additional.fields[event_name]
protoPayload.metadata.event.parameter.label
additional.fields[event_param_label]
protoPayload.metadata.event.parameter.type
additional.fields[event_param_type]
protoType.metadata.event.eventType
additional.fields[event_type]
protoPayload.metadata.event.eventName.parameter.name[FIELD_NAME]
additional.fields[field_name]
protoPayload.metadata.event.eventName.parameter.name[FULL_ORG_UNIT_PATH]
additional.fields[full_org_unit_path]
protoPayload.metadata.event.eventName.parameter.name[GROUP_MEMBER_BULK_UPLOAD_FAILED_NUMBER]
additional.fields[grp_member_bulk_upload_failed]
protoPayload.metadata.event.eventName.parameter.name[GROUP_MEMBER_BULK_UPLOAD_TOTAL_NUMBER]
additional.fields[grp_member_bulk_upload_total]
httpRequest.cacheFillBytes
additional.fields[httpreq_cache_fill_bytes]
httpRequest.cacheHit
additional.fields[httpreq_cache_hit]
httpRequest.cacheLookup
additional.fields[httpreq_cache_lookup]
httpRequest.cacheValidatedWithOriginServer
additional.fields[httpreq_cache_validated_with_origin_server]
httpRequest.latency
additional.fields[httprequest_latency]
protoPayload.metadata.event.eventName.parameter.name[INFO_TYPE]
additional.fields[info_type]
protoPayload.metadata.activityId.timeUsec
additional.fields[metadata_activityId_time_usec]
protoPayload.metadata.activityId.uniqQualifier
additional.fields[metadata_activityId_uniq_qualifier]
protoPayload.metadata.@type
additional.fields[metadata_type]
protoPayload.metadata.event.eventName.parameter.name[NEW_PERMISSION_GRANT_STATE]
additional.fields[new_permission_grant_state]
protoPayload.metadata.event.eventName.parameter.name[NUMBER_OF_COMPANY_OWNED_DEVICES]
additional.fields[num_of_company_owned_device]
protoPayload.numResponseItems
additional.fields[num_response_items]
protoPayload.metadata.event.eventName.parameter.name[OLD_PERMISSION_GRANT_STATE]
additional.fields[old_permission_grant_state]
operation.first
additional.fields[operation_first]
operation.id
additional.fields[operation_id]
operation.last
additional.fields[operation_last]
operation.producer
additional.fields[operation_producer]
protoPayload.resourceOriginalState.selfLinkWithId
additional.fields[rc_old_selflinkWithId]
protoPayload.metadata.event.eventName.parameter.name[REAUTH_SETTING_NEW]
additional.fields[reauth_setting_new]
protoPayload.metadata.event.eventName.parameter.name[REAUTH_SETTING_OLD]
additional.fields[reauth_setting_old]
protoPayload.request.alloweds.ports
additional.fields[req_alloweds_ports]
protoPayload.request.body.name
additional.fields[req_body_name]
protoPayload.request.body.settings.activityPolicy
additional.fields[req_body_settings_activity_policy]
protoPayload.request.deletionProtection
additional.fields[req_deletion_protection]
protoPayload.request.disabled
additional.fields[req_disabled]
protoPayload.request.displayDevice.enableDisplay
additional.fields[req_display_device_enable_display]
protoPayload.request.enableFlowLogs
additional.fields[req_enable_flow_logs]
protoPayload.request.fingerprint
additional.fields[req_fingerprint]
protoPayload.request.shieldedInstanceConfig.enableSecureBoot
additional.fields[req_instance_config_enable_secure_boot]
protoPayload.request.shieldedInstanceConfig.enableVtpm
additional.fields[req_instance_config_enable_vtpm]
protoPayload.request.shieldedInstanceConfig.enableIntegrityMonitoring
additional.fields[req_instance_enable_integrity_monitoring]
protoPayload.request.key_types
additional.fields[req_key_types]
protoPayload.request.logconfig.enable
additional.fields[req_logconfig_enable]
protoPayload.request.networkTier
additional.fields[req_network_tier]
protoPayload.request.network
additional.fields[req_network]
protoPayload.request.page_size
additional.fields[req_page_size]
request.pagesize
additional.fields[req_page_size]
protoPayload.request.policy.etag
additional.fields[req_policy_etag]
protoPayload.request.portRange
additional.fields[req_port_range]
protoPayload.request.privateIpGoogleAccess
additional.fields[req_private_ip_google_access]
protoPayload.request.private_key_type
additional.fields[req_private_key_type]
protoPayload.request.remove_deleted_service_accounts
additional.fields[req_remove_deleted_serviceAcc]
protoPayload.request.showDeleted
additional.fields[req_show_deleted]
protoPayload.request.skip_visibility_check
additional.fields[req_skip_visibility_check]
protoPayload.request.stackType
additional.fields[req_stack_type]
protoPayload.request.type
additional.fields[req_type]
protoPayload.request.updateMask
additional.fields[req_update_mask]
protoPayload.request.version
additional.fields[req_version]
protoPayload.response.clientOperationId
additional.fields[res_client_operation_id]
protoPayload.response.endTime
additional.fields[res_end_time]
protoPayload.response.id
additional.fields[res_id]
protoPayload.response.key_algorithm
additional.fields[res_key_algorithm]
protoPayload.response.key_origin
additional.fields[res_key_origin]
protoPayload.response.key_type
additional.fields[res_key_type]
protoPayload.response.kind
additional.fields[res_kind]
protoPayload.response.private_key_type
additional.fields[res_private_key_type]
protoPayload.response.progress
additional.fields[res_progress]
protoPayload.response.startTime
additional.fields[res_start_time]
protoPayload.response.status
security_result.action
The security_result.action UDM field is set to FAIL when the following conditions are met:
- The value in the protoPayload.response.status log field is equal to Failure.
- The value in the security_result.action UDM field is equal to ALLOW.
protoPayload.response.status
additional.fields[res_status]
protoPayload.response.type
additional.fields[res_type]
protoPayload.response.unique_id
additional.fields[res_unique_id]
protoPayload.response.valid_after_time.seconds
additional.fields[res_valid_after_time]
protoPayload.response.valid_before_time.seconds
additional.fields[res_valid_before_time]
protoPayload.response.version
additional.fields[res_version]
protoPayload.response.zone
additional.fields[res_zone]
protoPayload.metadata.event.eventName.parameter.name[SEARCH_QUERY_FOR_DUMP]
additional.fields[search_query_for_dump]
spanId
additional.fields[span_id]
protoPayload.metadata.event.eventName.parameter.name[START_DATE]
additional.fields[start_date]
traceSampled
additional.fields[trace_sampled]
Trace
additional.fields[trace]
protoPayload.@type
additional.fields[type]
protoPayload.redactions.reason
additional.fields[protoPayload.redactions.field]
protoPayload.redactions.type
additional.fields[protoPayload.redactions.field]
authenticationInfo.serviceAccountDelegationInfo.firstPartyPrincipal.serviceMetadata
additional.fields[service_metadata]
jsonPayload.sourceNetwork
additional.fields[source_network]
authenticationInfo.serviceAccountDelegationInfo.thirdPartyPrincipal.thirdPartyClaims
additional.fields[third_party_claims]
protoPayload.request.ipCidrRange
additional.fields[req_ip_cidr_range]
protoPayload.request.description
additional.labels[req_description]
protoPayload.request.sourceRanges
additional.fields[req_source_ranges]
protoPayload.requestMetadata.requestAttributes.reason
additional.fields[request_attributes_reason]
protoPayload.authenticationInfo.thirdPartyPrincipal
additional.fields[third_party_principal]
sourceLocation.function
additional.fields[src_location_function]
sourceLocation.line
additional.fields[src_location_line]
resource.labels.backend_service_name
additional.fields[backend_service_name]
protoPayload.requestMetadata.requestAttributes.auth.claims
additional.fields[request_auth_claims]
protoPayload.metadata.event.eventName.parameter.name[APPLICATION_EDITION]
additional.fields[application_edition]
protoPayload.metadata.event.eventName.parameter.name[ASP_ID]
additional.fields[asp_id]
protoPayload.metadata.event.eventName.parameter.name[CHROME_OS_SESSION_TYPE]
additional.fields[chrome_os_session_type]
protoPayload.metadata.event.eventName.parameter.name[DEVICE_NEW_ORG_UNIT]
additional.fields[device_new_org_unit]
protoPayload.metadata.event.eventName.parameter.name[DEVICE_PREVIOUS_ORG_UNIT]
additional.fields[device_previous_org_unit]
protoPayload.metadata.event.eventName.parameter.name[DOMAIN_ALIAS]
additional.fields[domain_alias]
protoPayload.metadata.event.eventName.parameter.name[EMAIL_EXPORT_INCLUDE_DELETED]
additional.fields[email_export_include_deleted]
protoPayload.metadata.event.eventName.parameter.name[EMAIL_EXPORT_PACKAGE_CONTENT]
additional.fields[email_export_package_content]
protoPayload.metadata.event.eventName.parameter.name[EMAIL_LOG_SEARCH_END_DATE]
additional.fields[email_log_search_end_date]
protoPayload.metadata.event.eventName.parameter.name[EMAIL_LOG_SEARCH_START_DATE]
additional.fields[email_log_search_start_date]
protoPayload.metadata.event.eventName.parameter.name[EMAIL_MONITOR_LEVEL_CHAT]
additional.fields[email_monitor_level_chat]
protoPayload.metadata.event.eventName.parameter.name[EMAIL_MONITOR_LEVEL_DRAFT_EMAIL]
additional.fields[email_monitor_level_draft_email]
protoPayload.metadata.event.eventName.parameter.name[EMAIL_MONITOR_LEVEL_INCOMING_EMAIL]
additional.fields[email_monitor_level_in_email]
protoPayload.metadata.event.eventName.parameter.name[EMAIL_MONITOR_LEVEL_OUTGOING_EMAIL]
additional.fields[email_monitor_level_out_email]
protoPayload.metadata.event.eventName.parameter.name[GMAIL_RESET_REASON]
additional.fields[email_reset_reason]
protoPayload.metadata.event.eventName.parameter.name[NEW_VALUE]
additional.fields[new_value]
protoPayload.metadata.event.eventName.parameter.name[OAUTH2_APP_TYPE]
additional.fields[oauth2_app_type]
protoPayload.metadata.event.eventName.parameter.name[OLD_VALUE]
additional.fields[old_value]
protoPayload.requestMetadata.destinationAttributes.principal
additional.fields[peer_principal]
protoPayload.requestMetadata.destinationAttributes.regionCode
additional.fields[peer_region_code]
protoPayload.request.loadBalancingScheme
additional.fields[req_load_balancing_scheme]
protoPayload.request.requestId
additional.fields[request_id]
protoPayload.metadata.event.eventName.parameter.name[REQUEST_ID]
additional.fields[request_id]
protoPayload.resourceOriginalState.description
additional.fields[res_originalState_description]
protoPayload.response.bindings.members
additional.fields[response_bindings_members]
protoPayload.response.description
additional.fields[response_description]
protoPayload.response.display_name
additional.fields[response_display_name]
protoPayload.metadata.event.eventName.parameter.name[SECONDARY_DOMAIN_NAME]
additional.fields[secondary_domain_name]
protoPayload.metadata.event.eventName.parameter.name[SETTING_NAME]
additional.fields[setting_name]
protoPayload.metadata.event.eventName.parameter.name[USER_CUSTOM_FIELD]
additional.fields[user_custom_field]
protoPayload.metadata.event.eventName.parameter.name[USER_DEFINED_SETTING_NAME]
additional.fields[user_defined_setting_name]
protoPayload.metadata.event.eventName.parameter.name[WEB_ORIGIN]
additional.fields[web_origin]
protoPayload.metadata.event.eventName.parameter.name[WHITELISTED_GROUPS]
additional.fields[whitelisted_groups]
jsonPayload.end_time
additional.fields[jsonPayload_end_time]
jsonPayload.reporter
additional.fields[jsonPayload_reporter]
jsonPayload.start_time
additional.fields[jsonPayload_start_time]
jsonPayload.src_instance.project_id
additional.fields[jsonPayload_src_instance_project_id]
jsonPayload.dest_instance.project_id
additional.fields[jsonPayload_dest_instance_project_id]
jsonPayload.src_location.asn
additional.fields[jsonPayload_src_location_asn]
jsonPayload.src_location.continent
additional.fields[jsonPayload_src_location_continent]
jsonPayload.dest_location.asn
additional.fields[jsonPayload_dest_location_asn]
jsonPayload.dest_location.continent
additional.fields[jsonPayload_dest_location_continent]
protoPayload.request.spec.expirationSeconds
target.resource.attribute.labels[req_spec_expiration_seconds]
protoPayload.request.spec.request
target.resource.attribute.labels[req_spec_request]
protoPayload.request.spec.signerName
target.resource.attribute.labels[req_spec_signer_name]
protoPayload.request.spec.usages
target.resource.attribute.labels[req_spec_usage]
protoPayload.response.spec.expirationSeconds
target.resource.attribute.labels[res_spec_expiration_seconds]
protoPayload.response.spec.extra.iam.gke.io/user-assertion
target.resource.attribute.labels[res_spec_extra_iam_gke_io/user_assertion]
protoPayload.response.spec.extra.user-assertion.cloud.google.com
target.resource.attribute.labels[res_spec_extra_user_assertion_cloud_google_com]
protoPayload.response.spec.groups
target.resource.attribute.labels[res_spec_group]
protoPayload.response.spec.request
target.resource.attribute.labels[res_spec_request]
protoPayload.response.spec.signerName
target.resource.attribute.labels[res_spec_signer_name]
protoPayload.response.spec.usages
target.resource.attribute.labels[res_spec_usage]
protoPayload.response.spec.username
target.resource.attribute.labels[res_spec_username]
protoPayload.request.cryptoKeyVersion.state
target.resource.attribute.labels[req_cryptokey_version_state]
protoPayload.serviceData.policyDelta.auditConfigDeltas.action
target.resource.attribute.labels[service_data_policy_delta_audit_config_delta_action]
protoPayload.serviceData.policyDelta.auditConfigDeltas.service
target.resource.attribute.labels[service_data_policy_delta_audit_config_delta_service]
protoPayload.serviceData.policyDelta.auditConfigDeltas.exemptedMember
target.resource.attribute.labels[service_data_policy_delta_audit_config_delta_exempted_member]
protoPayload.serviceData.policyDelta.auditConfigDeltas.logType
target.resource.attribute.labels[service_data_policy_delta_audit_config_delta_log_type]
protoPayload.request.policy.bindings.role
target.resource.attribute.labels[req_policy_bindings_role]
protoPayload.request.policy.bindings.members
target.resource.attribute.labels[req_bindings_members]
protoPayload.metadata.tableChange.bindingDeltas.action
target.resource.attribute.labels[table_change_binding_deltas_action]
protoPayload.metadata.tableChange.bindingDeltas.member
target.resource.attribute.labels[table_change_binding_deltas_member]
protoPayload.metadata.tableChange.bindingDeltas.role
target.resource.attribute.labels[table_change_binding_deltas_role]
protoPayload.metadata.datasetChange.bindingDeltas.action
target.resource.attribute.labels[dataset_change_binding_deltas_action]
protoPayload.metadata.datasetChange.bindingDeltas.member
target.resource.attribute.labels[dataset_change_binding_deltas_member]
protoPayload.metadata.datasetChange.bindingDeltas.role
target.resource.attribute.labels[dataset_change_binding_deltas_role]
protoPayload.metadata.tableChange.table.policy.etag
target.resource.attribute.labels[table_change_table_policy_etag]
protoPayload.metadata.tableChange.table.policy.bindings.role
target.resource.attribute.labels[table_change_table_policy_bindings_{index}_role]
protoPayload.metadata.tableChange.table.policy.bindings.members
target.resource.attribute.labels[table_change_table_policy_bindings_{index}_members_{index1}]
protoPayload.metadata.datasetChange.dataset.acl.policy.bindings.role
target.resource.attribute.labels[dataset_change_dataset_acl_policy_bindings_{index}_role]
protoPayload.metadata.datasetChange.dataset.acl.policy.bindings.members
target.resource.attribute.labels[dataset_change_dataset_acl_policy_bindings_{index}_members_{index1}]
protoPayload.request.bindings.role
target.resource.attribute.labels[request_bindings_{index}_role]
protoPayload.request.bindings.members
target.resource.attribute.labels[request_bindings_{index}_members_{index1}]
protoPayload.metadata.groupDelta.newGroup.description
target.group.attribute.labels[metadata_group_delta_new_group_description]
protoPayload.metadata.groupDelta.newGroup.email
target.group.email_addresses
protoPayload.metadata.groupDelta.newGroup.name
target.group.group_display_name
protoPayload.metadata.groupDelta.action
target.group.attribute.labels[metadata_group_delta_action]
protoPayload.response.spec.template.metadata.labels.client.knative.dev/nonce
target.resource.attribute.labels[res_spec_template_metadata_nonce]
protoPayload.response.spec.template.metadata.annotations.run.googleapis.com/client-name
target.resource.attribute.labels[res_spec_template_metadata_client_name]
protoPayload.response.spec.template.metadata.annotations.run.googleapis.com/client-version
target.resource.attribute.labels[res_spec_template_metadata_client_version]
protoPayload.response.spec.template.metadata.annotations.run.googleapis.com/execution-environment
target.resource.attribute.labels[res_spec_template_metadata_exection_environment]
protoPayload.response.spec.template.spec.taskCount
target.resource.attribute.labels[res_spec_template_spec_taskcount]
protoPayload.response.spec.template.spec.template.spec.containers.image
target.resource_ancestors.attribute.labels[res_spec_template_spec_template_spec_container_image]
protoPayload.response.spec.template.spec.template.spec.containers.resources.limits.memory
target.resource_ancestors.attribute.labels[res_spec_template_spec_template_spec_container_resource_limits_memory]
protoPayload.response.spec.template.spec.template.spec.containers.resources.limits.cpu
target.resource_ancestors.attribute.labels[res_spec_template_spec_template_spec_container_resource_limits_cpu]
protoPayload.response.spec.template.spec.template.spec.maxRetries
target.resource.attribute.labels[res_spec_template_spec_template_spec_max_retries]
protoPayload.response.spec.template.spec.template.spec.timeoutSeconds
target.resource.attribute.labels[res_spec_template_spec_template_spec_timeout_seconds]
protoPayload.response.spec.template.spec.template.spec.serviceAccountName
principal.user.email_addresses
protoPayload.request.service.metadata.annotations.run.googleapis.com/client-name
target.resource_ancestors.attribute.labels[req_service_metadata_client_name]
protoPayload.request.service.metadata.annotations.serving.knative.dev/creator
target.resource_ancestors.attribute.labels[req_service_metadata_creator]
protoPayload.request.service.metadata.annotations.run.googleapis.com/client-version
target.resource_ancestors.attribute.labels[req_service_metadata_client_version]
protoPayload.request.service.metadata.annotations.run.googleapis.com/operation-id
target.resource_ancestors.attribute.labels[req_service_metadata_client_operation_id]
protoPayload.request.service.metadata.annotations.run.googleapis.com/binary-authorization
target.resource_ancestors.attribute.labels[req_service_metadata_binary_authorization]
protoPayload.request.service.metadata.annotations.run.googleapis.com/ingress-status
target.resource_ancestors.attribute.labels[req_service_metadata_client_ingress_status]
protoPayload.request.service.metadata.annotations.serving.knative.dev/lastModifier
target.resource_ancestors.attribute.labels[req_service_metadata_last_modifier]
protoPayload.request.service.metadata.annotations.run.googleapis.com/ingress
target.resource_ancestors.attribute.labels[req_service_metadata_ingress]
protoPayload.request.service.spec.template.metadata.annotations.run.googleapis.com/client-name
target.resource_ancestors.attribute.labels[req_service_spec_template_metadata_client_name]
protoPayload.request.service.spec.template.metadata.annotations.run.googleapis.com/client-version
target.resource_ancestors.attribute.labels[req_service_spec_template_metadata_client_version]
protoPayload.request.service.spec.template.metadata.annotations.autoscaling.knative.dev/maxScale
target.resource_ancestors.attribute.labels[req_service_spec_template_metadata_max_scale]
protoPayload.request.New Data
target.resource_ancestors.attribute.labels[req_new_data]
protoPayload.response.Original Data
target.resource_ancestors.attribute.labels[req_original_data]
protoPayload.response.spec.template.spec.containers.securityContext.runAsUser
target.resource_ancestors.attribute.labels[res_spec_template_spec_containers_securitycontext_run_as_user]
protoPayload.request.timestampRange.startTime
target.resource.attribute.labels[timestamp_range_start_time]
protoPayload.request.timestampRange.endTime
target.resource.attribute.labels[timestamp_range_end_time]
protoPayload.request.regexSearch
target.resource.attribute.labels[request_regex_search]
protoPayload.request.productSources
target.resource.attribute.labels[request_product_sources]
protoPayload.request.query
target.resource.attribute.labels[request_query]
protoPayload.request.caseSensitive
target.resource.attribute.labels[request_case_sensitive]
protoPayload.request.baselineQuery
target.resource.attribute.labels[baseline_query]
protoPayload.request.baselineTimeRange.startTime
target.resource.attribute.labels[baseline_time_range_start_time]
protoPayload.request.baselineTimeRange.endTime
target.resource.attribute.labels[baseline_time_range_end_time]
protoPayload.response.serviceConfig.timeoutSeconds
target.resource.attribute.labels[response_service_config_timeout_seconds]
labels.execution_id
additional.fields[execution_id]
labels.instance_id
additional.fields[instance_id]
labels.runtime_version
additional.fields[runtime_version]
protoPayload.metadata.updatedGrant.requester
principal.user.userid
If the protoPayload.serviceName log field value is equal to privilegedaccessmanager.googleapis.com, then the protoPayload.metadata.updatedGrant.requester log field is mapped to the principal.user.userid UDM field.
protoPayload.metadata.updatedGrant.requestedDuration
target.resource.attribute.labels[requestedDuration]
If the protoPayload.serviceName log field value is equal to privilegedaccessmanager.googleapis.com, then the protoPayload.metadata.updatedGrant.requestedDuration log field is mapped to the target.resource.attribute.labels UDM field.
protoPayload.metadata.updatedGrant.justification.unstructuredJustification
target.resource.attribute.labels[justification]
If the protoPayload.serviceName log field value is equal to privilegedaccessmanager.googleapis.com, then the protoPayload.metadata.updatedGrant.justification.unstructuredJustification log field is mapped to the target.resource.attribute.labels UDM field.
protoPayload.metadata.updatedGrant.privilegedAccess.gcpIamAccess.roleBindings.role
target.resource.attribute.roles.name
If the protoPayload.serviceName log field value is equal to privilegedaccessmanager.googleapis.com, then the protoPayload.metadata.updatedGrant.privilegedAccess.gcpIamAccess.roleBindings.role log field is mapped to the target.resource.attribute.roles.name UDM field.
protoPayload.metadata.updatedGrant.privilegedAccess.gcpIamAccess.resourceType
target.resource.attribute.labels[resourceType]
If the protoPayload.serviceName log field value is equal to privilegedaccessmanager.googleapis.com, then the protoPayload.metadata.updatedGrant.privilegedAccess.gcpIamAccess.resourceType log field is mapped to the target.resource.attribute.labels UDM field.
protoPayload.metadata.updatedGrant.privilegedAccess.gcpIamAccess.resource
target.resource.attribute.labels[resource]
If the protoPayload.serviceName log field value is equal to privilegedaccessmanager.googleapis.com, then the protoPayload.metadata.updatedGrant.privilegedAccess.gcpIamAccess.resource log field is mapped to the target.resource.attribute.labels UDM field.
protoPayload.metadata.updatedGrant.state
target.resource.attribute.labels[state]
If the protoPayload.serviceName log field value is equal to privilegedaccessmanager.googleapis.com, then the protoPayload.metadata.updatedGrant.state log field is mapped to the target.resource.attribute.labels UDM field.
protoPayload.metadata.jobInsertion.job.jobConfig.labels.looker_studio_report_id
target.resource.attribute.labels[job_insertion_looker_studio_report_id]
If the protoPayload.serviceName log field value is equal to privilegedaccessmanager.googleapis.com, then the protoPayload.metadata.jobInsertion.job.jobConfig.labels.looker_studio_report_id log field is mapped to the target.resource.attribute.labels UDM field.
protoPayload.metadata.jobInsertion.job.jobConfig.labels.requestor
target.resource.attribute.labels[job_insertion_requestor]
If the protoPayload.serviceName log field value is equal to privilegedaccessmanager.googleapis.com, then the protoPayload.metadata.jobInsertion.job.jobConfig.labels.requestor log field is mapped to the target.resource.attribute.labels UDM field.
protoPayload.metadata.jobInsertion.job.jobConfig.labels.looker_studio_datasource_id
target.resource.attribute.labels[job_insertion_looker_studio_datasource_id]
If the protoPayload.serviceName log field value is equal to privilegedaccessmanager.googleapis.com, then the protoPayload.metadata.jobInsertion.job.jobConfig.labels.looker_studio_datasource_id log field is mapped to the target.resource.attribute.labels UDM field.
protoPayload.response.displayName
security_result.associations.name
If the protoPayload.response.displayName log field value is not empty, then the protoPayload.response.displayName log field is mapped to the security_result.associations.name UDM field.
protoPayload.request.referenceList.displayName
security_result.associations.name
If the protoPayload.response.displayName log field value is empty, then the protoPayload.request.referenceList.displayName log field is mapped to the security_result.associations.name UDM field.
protoPayload.resourceName
security_result.detection_fields[rule_id]
If the protoPayload.resourceName log field value is not empty and the protoPayload.response.@type log field value is type.googleapis.com/google.cloud.chronicle.v1alpha.Rule, then new_rule_id is extracted from the protoPayload.resourceName log field using a Grok pattern, and mapped to the security_result.detection_fields[rule_id] UDM field.
protoPayload.request.projection
target.resource.attribute.labels[req_projection]
protoPayload.response.items.metageneration
target.resource.attribute.labels[res_items_metageneration]
protoPayload.response.items.labels.created_date
target.resource.attribute.labels[res_items_labels_created_date]
protoPayload.response.items.labels.team_email
target.resource.attribute.labels[res_items_labels_team_email]
protoPayload.response.items.labels.team_name
target.resource.attribute.labels[res_items_labels_team_name]
protoPayload.response.items.labels.office_number
target.resource.attribute.labels[res_items_labels_official_number]
protoPayload.response.items.labels.department
target.resource.attribute.labels[res_items_labels_department]
protoPayload.response.items.labels.business_project_number
target.resource.attribute.labels[res_items_labels_business_project_number]
protoPayload.response.items.labels.owner_email
target.resource.attribute.labels[res_items_labels_owner_email]
protoPayload.response.items.labels.purchase_order_number
target.resource.attribute.labels[res_items_labels_purchase_order_number]
protoPayload.response.items.labels.office_name
target.resource.attribute.labels[res_items_labels_office_name]
protoPayload.response.items.labels.environment
target.resource.attribute.labels[res_items_labels_environment]
protoPayload.response.items.labels.created_by
target.resource.attribute.labels[res_items_labels_created_by]
protoPayload.response.items.labels.project_name
target.resource.attribute.labels[res_items_labels_project_name]
protoPayload.response.items.labels.finops_tag
target.resource.attribute.labels[res_items_labels_finops_tag]
protoPayload.response.items.labels.owner_role
target.resource.attribute.labels[res_items_labels_owner_role]
protoPayload.response.items.versioning.enabled
target.resource.attribute.labels[res_items_versioning_enabled]
protoPayload.response.items.iamConfiguration.publicAccessPrevention
target.resource.attribute.labels[res_items_iam_conf_public_access_prevention]
protoPayload.response.items.iamConfiguration.uniformBucketLevelAccess.lockedTime
target.resource.attribute.labels[res_items_iam_conf_uniform_bucket_level_access_locked_time]
protoPayload.response.items.iamConfiguration.uniformBucketLevelAccess.enabled
target.resource.attribute.labels[res_items_iam_conf_uniform_bucket_level_access_enabled]
protoPayload.response.items.id
target.resource.attribute.labels[res_items_id]
protoPayload.response.items.updated
target.resource.attribute.labels[res_items_updated]
protoPayload.response.items.storageClass
target.resource.attribute.labels[res_items_storage_class]
protoPayload.response.items.timeCreated
target.resource.attribute.labels[res_items_time_created]
protoPayload.response.items.location
target.resource.attribute.labels[res_items_location]
protoPayload.response.items.locationType
target.resource.attribute.labels[res_items_location_type]
protoPayload.response.items.projectNumber
target.resource.attribute.labels[res_items_project_number]
protoPayload.response.items.name
target.resource.attribute.labels[res_items_name]
protoPayload.response.items.softDeletePolicy.effectiveTime
target.resource.attribute.labels[res_items_soft_delete_policy_effective_time]
protoPayload.response.items.softDeletePolicy.retentionDurationSeconds
target.resource.attribute.labels[res_items_soft_delete_policy_retention_duration_seconds]
protoPayload.response.items.etag
target.resource.attribute.labels[res_items_etag]
protoPayload.response.code
network.http.response_code
protoPayload.response.reason
additional.fields[res_reason]
protoPayload.request.spec.template.spec.containers.securityContext.runAsUser
target.resource.attribute.labels[req_spec_template_spec_containers_securitycontext_run_as_user]