Collect Chrome Enterprise data
This document describes how to collect Google Chrome logs into Google SecOps using the Enterprise reporting connector. It details the data ingestion process for both Google Chrome Enterprise Core and Chrome Enterprise Premium deployments, while noting that some advanced log data requires a Chrome Enterprise Premium license.
Typical deployment
A typical deployment consists of a combination of the following components:
-
Chrome: The Chrome browser and ChromeOS management events that you want to collect.
-
ChromeOS: You can configure ChromeOS managed devices to send logs to Google SecOps. ChromeOS devices are optional.
-
Chrome Enterprise reporting connector: The Chrome Enterprise reporting connector forwards Chrome logs to Google SecOps.
-
Google SecOps: Retains and analyzes Chrome logs.
Before you begin
- A Google Workspace Administrator account.
- Google Chrome 137 or later. Earlier versions don't provide complete referer URL data.
- Chrome Enterprise Premium licenses for advanced features.
- Optional: A Google SecOps ingestion token. If using this option, you also need your Google Workspace
Customer IDfrom the Google Workspace Admin console. - Optional: A Chronicle Ingestion API key provided by your Google SecOps representative.
Set up Chrome browser cloud management
-
Enroll the target devices to enable cloud management of Chrome browsers. For details, see Enroll cloud-managed Chrome browsers .
-
Optional: Configure Evidence Locker for investigation of suspicious files. (Chrome Enterprise Premium only)
-
Optional: If you use Identity-Aware Proxy, perform the steps in Collect Chrome Enterprise Premium Context Access Aware Data to integrate this data into Google SecOps.
Connect Chrome data to your Google SecOps instance
Configure the Chrome Management parser and the Chrome Enterprise reporting connector.
Configure the Chrome Management parser
You may need to update to a new version of the Chrome Management parser to support recent Chrome logs.
- In your Google SecOps instance, go to Menu> Settings> Parsers.
- Find the Chrome Management prebuilt entry and verify that you are using a version date 2025-08-14or newer by applying any pending updates.
Configure Chrome Enterprise Premium
This section describes how to set up logging for Chrome Enterprise Premium.
You can configure log forwarding for Chrome Enterprise Premium that includes context from Safe Browsing. The Chrome Enterprise reporting connector for Chrome Enterprise Premium can configure, and optionally forward the following log types:
- Browser crashes
- Content transfers
- Data access controls
- Extension installations
- Extension telemetry
- Google login activity
- Malware transfer
- Password breach
- Password changed
- Password reuse
- Sensitive data transfer
- Suspicious URL
- Unsafe site visits
- URL filtering interstitial
- URL navigations
Set up the Chrome Enterprise Premium data for export
To configure the Chrome Enterprise reporting connector for Chrome Enterprise Premium logging using the recommended security settings:
- In the Google Admin console, go to Menu > Chrome browser > Connectors .
- In the Introducing Google SecOps for Chrome Enterprise Databanner, click View Details & Enable.
- On the Enable Google SecOps for Chrome Enterprise Premiumpage, enter a Configuration name.
- Select a forwarding option, as described in Configure the Chrome Enterprise reporting connector .
Configure the Chrome Enterprise reporting connector
The Chrome Enterprise reporting connector sends log data to Google SecOps for both Chrome Enterprise Premium and Chrome Enterprise Core.
Configure the Chrome Enterprise reporting connector to send Chrome data to Google SecOps using one of the following options:
-
If you've previously configured Google Cloud Audit Logs to forward to a Google SecOps, you may have an option to send Chrome Enterprise Premium logs. For details, see
Configure Chrome Forwarding to a Google SecOps instance in the same organization . -
You can use a temporary token code generated from Google SecOps to configure forwarding to a Chrome Enterprise Premium instance. For details, see
Configure Chrome Forwarding to Google SecOps using an integration token . -
Alternatively, you can use a Chronicle Ingestion API key. For details, see
Configure Chrome Forwarding to Google SecOps using the Chronicle Ingestion API .
Configure Chrome Forwarding to a Google SecOps instance in the same organization
You may have an option to select an existing Google SecOps instance in the connector configuration if all of the following prerequisites are satisfied:
-
The Google SecOps instance is connected to a Google Cloud project.
-
The Google Cloud project is within the same organization as the Google Workspace managing your Chrome Enterprise Premium.
-
You previously configured a Cloud Audit Logs integration from that organization to Google SecOps.
If these prerequisites are satisfied, the Google SecOps instance should appear in the selection list under Use instance in associated GCP account.
To configure Chrome forwarding to a Google SecOps instance in the same organization, do the following:
- Type a name for the configuration.
- From the Use instance in associated GCP accountoption, select the Google SecOps instance.
- Select the log types to forward from the Log export settings.
- Click Test connection.
- Click Enableafter successfully testing the connection.
- Click Donewhen the configuration has completed.
Configure Chrome Forwarding to Google SecOps using an integration token
If the destination Google SecOps instance doesn't appear in the selection list or you need to forward Chrome logs to a Google SecOps instance in a different Google Cloud, do the following:
-
Provide your Google Workspace Customer ID to the Google SecOps administrator of the destination instance and have them obtain your Google SecOps instance ID and token . This token is valid for 24 hours.
-
Type a name for the configuration.
-
Select Use instance outside of your organization.
-
Enter the token code provided by the Google SecOps administrator.
-
Select the log types to forward from the Log export settings.
-
Click Test Connection.
-
Click Enableafter successfully testing the connection.
-
Click Donewhen the configuration has completed.
Configure Chrome Forwarding to Google SecOps using the Chronicle Ingestion API
You can configure the Google Chrome reporting connector using a Chronicle Ingestion API key. You should only use this method if no other integration method is available.
-
In the Admin console, go to Menu > Devices > Chrome > Connectors.
-
Click + New provider configuration.
-
On the side panel, find the Google SecOps setup and click Set up.
-
Enter the Configuration ID, API key, and Host Name:
-
Configuration ID: The ID is shown on the User & browsers settingspage and the Connectorspage.
-
API key: The API key to specify when calling the Chronicle ingestion API to identify the customer.
-
Host Name: The Ingestion API endpoint. For US customers, this must be malachiteingestion-pa.googleapis.com. For other regions, see regional endpoints documentation .
-
-
Click Add Configurationto add the new provider configuration.
Collect Chrome Enterprise Premium context access-aware data
Set up feeds to ingest Chrome Enterprise Premium content specific to Identity-Aware Proxy (IAP) and context access aware data.
Who should enable the Identity-Aware Proxy API?
- Chrome Enterprise Premium customers who use Identity-Aware Proxy (IAP) data should enable it.
- For Chrome Enterprise Premium customers who don't use Identity-Aware Proxy data, enabling the Identity-Aware Proxy API is optional (but recommended). Doing so adds additional context-access aware data fields to your log data.
To enable the Identity-Aware Proxy API, perform the steps in Collect Chrome Enterprise Premium Context Access Aware Data .
Verify the data flow
To verify the data flow:
- Open your Google SecOps instance.
- Go to Menu> Search.
- Run the following search query to look for raw, unparsed events:
metadata.log_type = "CHROME_MANAGEMENT"
Supported log types
The following sections are applicable to the CHROME_MANAGEMENT
parser.
Supported log events
| Security category | Event type |
|---|---|
Audit Activity
|
|
ChromeOS
|
ChromeOS login failure ChromeOS login success ChromeOS logout ChromeOS user added ChromeOS user removed ChromeOS lock success ChromeOS unlock success ChromeOS unlock failure ChromeOS device boot state change ChromeOS USB device added ChromeOS USB device removed ChromeOS USB status change ChromeOS CRD host started ChromeOS CRD client connected ChromeOS CRD client disconnected ChromeOS CRD host stopped |
Credential Security
|
|
Data Protection
|
|
File Transfer
|
|
Malicious Activity
|
|
Navigation
|
|
Supported Chrome log formats
The CHROME_MANAGEMENT
parser supports logs in JSON format.
Supported Chrome sample log
Sample of a raw log for ingestion by the Chrome Management
parser, in JSON format:
-
JSON:
{ "event": "badNavigationEvent", "time": "1622093983.104", "reason": "SOCIAL_ENGINEERING", "result": "EVENT_RESULT_WARNED", "device_name": "", "device_user": "", "profile_user": "sample@domain.io", "url": "https://test.domain.com/s/phishing.html", "device_id": "e9806c71-0f4e-4dfa-8c52-93c05420bb8f", "os_platform": "", "os_version": "", "browser_version": "109.0.5414.120", "user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36", "client_type": "CHROME_BROWSER_PROFILE" }
Field mapping reference
The following field mapping tables are relevant to the CHROME_MANAGEMENT
parser (log type).
All fields are applicable to Chrome Enterprise Core customers and Chrome Enterprise Premium customers. Fields that are only applicable to Chrome Enterprise Premium customers are labeled "[CEP Only]".
Field mapping reference: Event Identifier to Event Type
The following table lists the CHROME_MANAGEMENT
log types and their corresponding UDM event types.
badNavigationEvent - SOCIAL_ENGINEERING
USER_RESOURCE_ACCESS
SOCIAL_ENGINEERING
badNavigationEvent - SSL_ERROR
USER_RESOURCE_ACCESS
NETWORK_SUSPICIOUS
badNavigationEvent - MALWARE
USER_RESOURCE_ACCESS
SOFTWARE_MALICIOUS
badNavigationEvent - UNWANTED_SOFTWARE
USER_RESOURCE_ACCESS
SOFTWARE_PUA
badNavigationEvent - THREAT_TYPE_UNSPECIFIED
USER_RESOURCE_ACCESS
SOFTWARE_MALICIOUS
browserCrashEvent
STATUS_UPDATE
browserExtensionInstallEvent
USER_RESOURCE_UPDATE_CONTENT
Extension install - BROWSER_EXTENSION_INSTALL
USER_RESOURCE_UPDATE_CONTENT
EXTENSION_REQUEST
USER_UNCATEGORIZED
CHROME_OS_ADD_USER - CHROMEOS_AFFILIATED_USER_ADDED
USER_CREATION
CHROME_OS_ADD_USER - CHROMEOS_UNAFFILIATED_USER_ADDED
USER_CREATION
ChromeOS user added - CHROMEOS_UNAFFILIATED_USER_ADDED
USER_CREATION
ChromeOS user removed - CHROMEOS_UNAFFILIATED_USER_REMOVED
USER_DELETION
CHROME_OS_REMOVE_USER - CHROMEOS_AFFILIATED_USER_REMOVED
USER_DELETION
CHROME_OS_REMOVE_USER - CHROMEOS_UNAFFILIATED_USER_REMOVED
USER_DELETION
Login events
USER_LOGIN
LOGIN_EVENT - CHROMEOS_UNAFFILIATED_LOGIN
USER_LOGIN
loginEvent
USER_LOGIN
ChromeOS login success
USER_LOGIN
CHROME_OS_LOGIN_EVENT - CHROMEOS_AFFILIATED_LOGIN
USER_LOGIN
CHROME_OS_LOGIN_EVENT - CHROMEOS_UNAFFILIATED_LOGIN
USER_LOGIN
CHROME_OS_LOGIN_EVENT - CHROMEOS_GUEST_LOGIN
USER_LOGIN
CHROME_OS_LOGIN_EVENT - CHROMEOS_KIOSK_SESSION_LOGIN
USER_LOGIN
CHROME_OS_LOGIN_EVENT - CHROMEOS_GUEST_SESSION_LOGIN
USER_LOGIN
CHROME_OS_LOGIN_EVENT - CHROMEOS_MANAGED_GUEST_SESSION_LOGIN
USER_LOGIN
ChromeOS login failure - CHROMEOS_AFFILIATED_LOGIN
USER_LOGIN
CHROME_OS_LOGIN_FAILURE_EVENT - CHROMEOS_AFFILIATED_LOGIN
USER_LOGIN
CHROME_OS_LOGIN_FAILURE_EVENT - CHROMEOS_UNAFFILIATED_LOGIN
USER_LOGIN
CHROME_OS_LOGIN_LOGOUT_EVENT - CHROMEOS_AFFILIATED_LOGIN
USER_LOGIN
CHROME_OS_LOGOUT_EVENT - CHROMEOS_AFFILIATED_LOGOUT
USER_LOGOUT
CHROME_OS_LOGOUT_EVENT - CHROMEOS_GUEST_LOGOUT
USER_LOGOUT
CHROME_OS_LOGOUT_EVENT - CHROMEOS_MANAGED_GUEST_SESSION_LOGOUT
USER_LOGOUT
CHROME_OS_LOGOUT_EVENT - CHROMEOS_UNAFFILIATED_LOGOUT
USER_LOGOUT
CHROME_OS_LOGOUT_EVENT - CHROMEOS_KIOSK_SESSION_LOGOUT
USER_LOGOUT
CHROME_OS_LOGOUT_EVENT - CHROMEOS_GUEST_SESSION_LOGOUT
USER_LOGOUT
ChromeOS logout - CHROMEOS_AFFILIATED_LOGOUT
USER_LOGOUT
CHROME_OS_REPORTING_DATA_LOST
STATUS_UPDATE
ChromeOS CRD client connected - CHROMEOS_CRD_CLIENT_CONNECTED
USER_LOGIN
ChromeOS CRD client disconnected
USER_LOGOUT
CHROME_OS_CRD_HOST_STARTED - CHROMEOS_CRD_HOST_STARTED
STATUS_STARTUP
ChromeOS CRD host started - CHROMEOS_CRD_HOST_STARTED
STATUS_STARTUP
ChromeOS CRD host stopped - CHROMEOS_CRD_HOST_ENDED
STATUS_STARTUP
ChromeOS device boot state change - CHROME_OS_VERIFIED_MODE
SETTING_MODIFICATION
ChromeOS device boot state change - CHROME_OS_DEV_MODE
SETTING_MODIFICATION
DEVICE_BOOT_STATE_CHANGE - CHROME_OS_VERIFIED_MODE
SETTING_MODIFICATION
ChromeOS lock success - CHROMEOS_AFFILIATED_LOCK_SUCCESS
USER_LOGOUT
ChromeOS unlock success - CHROMEOS_AFFILIATED_UNLOCK_SUCCESS
USER_LOGIN
ChromeOS unlock failure - CHROMEOS_AFFILIATED_LOGIN
USER_LOGIN
ChromeOS USB device added - CHROMEOS_PERIPHERAL_ADDED
USER_RESOURCE_ACCESS
ChromeOS USB device removed - CHROMEOS_PERIPHERAL_REMOVED
USER_RESOURCE_DELETION
ChromeOS USB status change - CHROMEOS_PERIPHERAL_STATUS_UPDATED
USER_RESOURCE_UPDATE_CONTENT
CHROMEOS_PERIPHERAL_STATUS_UPDATED - CHROMEOS_PERIPHERAL_STATUS_UPDATED
USER_RESOURCE_UPDATE_CONTENT
Client Side Detection
USER_UNCATEGORIZED
Content transfer
SCAN_FILE
CONTENT_TRANSFER
SCAN_FILE
contentTransferEvent
SCAN_FILE
Content unscanned
SCAN_UNCATEGORIZED
CONTENT_UNSCANNED
SCAN_UNCATEGORIZED
dataAccessControlEvent
USER_RESOURCE_ACCESS
dangerousDownloadEvent - Dangerous
SCAN_FILE
SOFTWARE_PUA
dangerousDownloadEvent - DANGEROUS_HOST
SCAN_HOST
dangerousDownloadEvent - UNCOMMON
SCAN_UNCATEGORIZED
dangerousDownloadEvent - POTENTIALLY_UNWANTED
SCAN_UNCATEGORIZED
SOFTWARE_PUA
dangerousDownloadEvent - UNKNOWN
SCAN_UNCATEGORIZED
dangerousDownloadEvent - DANGEROUS_URL
SCAN_UNCATEGORIZED
dangerousDownloadEvent - UNWANTED_SOFTWARE
SCAN_FILE
SOFTWARE_PUA
dangerousDownloadEvent - DANGEROUS_FILE_TYPE
SCAN_FILE
SOFTWARE_MALICIOUS
Desktop DLP Warnings
USER_UNCATEGORIZED
DLP_EVENT
USER_UNCATEGORIZED
interstitialEvent - Malware
NETWORK_HTTP
NETWORK_SUSPICIOUS
IOS/OSX Warnings
SCAN_UNCATEGORIZED
Malware transfer - MALWARE_TRANSFER_DANGEROUS
SCAN_FILE
SOFTWARE_MALICIOUS
MALWARE_TRANSFER - MALWARE_TRANSFER_UNCOMMON
SCAN_FILE
SOFTWARE_MALICIOUS
MALWARE_TRANSFER - MALWARE_TRANSFER_DANGEROUS
SCAN_FILE
SOFTWARE_MALICIOUS
MALWARE_TRANSFER - MALWARE_TRANSFER_UNWANTED_SOFTWARE
SCAN_FILE
SOFTWARE_MALICIOUS
MALWARE_TRANSFER - MALWARE_TRANSFER_UNKNOWN
SCAN_FILE
SOFTWARE_MALICIOUS
MALWARE_TRANSFER - MALWARE_TRANSFER_DANGEROUS_HOST
SCAN_FILE
SOFTWARE_MALICIOUS
malwareTransferEvent - DANGEROUS
SCAN_FILE
SOFTWARE_MALICIOUS
malwareTransferEvent - UNSPECIFIED
SCAN_FILE
SOFTWARE_MALICIOUS
Password breach
USER_RESOURCE_ACCESS
PASSWORD_BREACH
USER_RESOURCE_ACCESS
passwordBreachEvent - PASSWORD_ENTRY
USER_RESOURCE_ACCESS
Password changed
USER_CHANGE_PASSWORD
PASSWORD_CHANGED
USER_CHANGE_PASSWORD
passwordChangedEvent
USER_CHANGE_PASSWORD
Password reuse - PASSWORD_REUSED_UNAUTHORIZED_SITE
USER_RESOURCE_ACCESS
POLICY_VIOLATION, AUTH_VIOLATION
Password reuse - PASSWORD_REUSED_PHISHING_URL
USER_UNCATEGORIZED
PHISHING
PASSWORD_REUSE - PASSWORD_REUSED_UNAUTHORIZED_SITE
USER_RESOURCE_ACCESS
POLICY_VIOLATION, AUTH_VIOLATION
passwordReuseEvent - Unauthorized site
USER_RESOURCE_ACCESS
POLICY_VIOLATION, AUTH_VIOLATION
passwordReuseEvent - PASSWORD_REUSED_PHISHING_URL
USER_UNCATEGORIZED
PHISHING
passwordReuseEvent - PASSWORD_REUSED_UNAUTHORIZED_SITE
USER_RESOURCE_ACCESS
POLICY_VIOLATION, AUTH_VIOLATION
Permissions Blacklisting
RESOURCE_PERMISSIONS_CHANGE
Sensitive data transfer
SCAN_FILE
DATA_EXFILTRATION
SENSITIVE_DATA_TRANSFER
SCAN_FILE
DATA_EXFILTRATION
sensitiveDataEvent - [test_user_5] warn
SCAN_FILE
DATA_EXFILTRATION
sensitiveDataTransferEvent
SCAN_FILE
DATA_EXFILTRATION
Unsafe site visit - UNSAFE_SITE_VISIT_SSL_ERROR
USER_RESOURCE_ACCESS
NETWORK_SUSPICIOUS
UNSAFE_SITE_VISIT - UNSAFE_SITE_VISIT_MALWARE
USER_RESOURCE_ACCESS
SOFTWARE_MALICIOUS
UNSAFE_SITE_VISIT - UNSAFE_SITE_VISIT_UNWANTED_SOFTWARE
USER_RESOURCE_ACCESS
SOFTWARE_SUSPICIOUS
UNSAFE_SITE_VISIT - EVENT_REASON_UNSPECIFIED
USER_RESOURCE_ACCESS
UNSAFE_SITE_VISIT - UNSAFE_SITE_VISIT_SOCIAL_ENGINEERING
USER_RESOURCE_ACCESS
SOCIAL_ENGINEERING
UNSAFE_SITE_VISIT - UNSAFE_SITE_VISIT_SSL_ERROR
USER_RESOURCE_ACCESS
NETWORK_SUSPICIOUS
unscannedFileEvent - FILE_PASSWORD_PROTECTED
SCAN_FILE
unscannedFileEvent - FILE_TOO_LARGE
SCAN_FILE
urlFilteringInterstitialEvent
USER_RESOURCE_ACCESS
POLICY_VIOLATION
extensionTelemetryEvent
telemetry_event_signals.signal_name
log field value is equal to the COOKIES_GET_ALL_INFO, COOKIES_GET_INFO, TABS_API_INFO
, then the event_type
set to USER_RESOURCE_ACCESS
.Else, if the
telemetry_event_signals.signal_name
log field value is equal to REMOTE_HOST_CONTACTED_INFO
, then if the telemetry_event_signals.connection_protocol
log field value is equal to HTTP_HTTPS
, then the event_type
is set to NETWORK_HTTP
.Else, the
event_type
UDM field is set to NETWORK_UNCATEGORIZED
.telemetry_event_signals.signal_name
log field value is equal to REMOTE_HOST_CONTACTED_INFO
, then the security category
is set to NETWORK_SUSPICIOUS
.Else, if the
telemetry_event_signals.signal_name
log field value contain one of the following values, then the security category
UDM field is set to SOFTWARE_SUSPICIOUS
. -
COOKIES_GET_INFO -
COOKIES_GET_ALL_INFO
Field mapping reference: CHROME_MANAGEMENT preview version
The following table lists the log fields of the CHROME_MANAGEMENT
log type and their corresponding UDM fields.
| Log field | UDM mapping | Logic |
|---|---|---|
about.file.sha256
|
pehash_sha256
|
[CEP Only] The SHA256 file hash ( pehash_sha256
) reported from a dangerousDownloadEvent
or contentTransferEvent
. |
about.domain.name
|
device_fqdn
|
[CEP Only] The device's fully qualified domain name reported in a urlNavigationEvent
, suspiciousUrlEvent
, or urlFilteringInterstitialEvent
. Not reported for unmanaged devices
with managed user profiles. |
principal.network.carrier_name
|
network_name
|
[CEP Only] The network name (SSID) the device is connected to reported in a urlNavigationEvent
, suspiciousUrlEvent
, or urlFilteringInterstitialEvent
. |
security_result.threat_name
|
content_risk.threat_type
|
[CEP Only] The threat type of the content reported in a dangerousDownloadEvent
or contentTransferEvent
. |
security_result.severity
|
content_risk_level, content_risk.risk_level
|
[CEP Only] The content risk level reported by Safe Browsing in a dangerousDownloadEvent
or contentTransferEvent
. |
security_result.rule_label
|
content_risk.risk_reasons
|
[CEP Only] The content risk reason reported by Safe Browsing in a dangerousDownloadEvent
or contentTransferEvent
. |
security_result.detection_fields[content_risk_indicators]
|
content_risk.risk_indicators
|
[CEP Only] The list of indicators from the Safe Browsing risk level in a dangerousDownloadEvent
or contentTransferEvent
. |
security_result.detection_fields[content_risk_source]
|
content_risk.risk_source
|
[CEP Only] The risk source of the content reported by Safe Browsing in a dangerousDownloadEvent
or contentTransferEvent
. |
additional.fields[is_encrypted]
|
is_encrypted
|
[CEP Only] Set to true
if the content is encrypted in dangerousDownloadEvent
or contentTransferEvent
. |
additional.fields[server_scan_status]
|
server_scan_status
|
[CEP Only] The status of whether the content in dangerousDownloadEvent
or contentTransferEvent
was successfully scanned by Safe Browsing. |
principal.url
|
url_info.url
|
[CEP Only] The URL of dangerousDownloadEvent
, contentTransferEvent
, urlNavigationEvent
, suspiciousUrlEvent
, or urlFilteringInterstitialEvent
. |
principal.ip
|
url_info.ip
|
[CEP Only] The IP address of dangerousDownloadEvent
, contentTransferEvent
, urlNavigationEvent
, suspiciousUrlEvent
, or urlFilteringInterstitialEvent
. |
principal.security_result.detection_fields[url_info_type]
|
url_info.type
|
[CEP Only] The URL type (download, tab, or redirect) of dangerousDownloadEvent
, contentTransferEvent
, urlNavigationEvent
, suspiciousUrlEvent
, or urlFilteringInterstitialEvent
. |
principal.security_result.severity
|
url_info.risk_level
|
[CEP Only] The risk level of the URL reported by Safe Browsing. |
principal.security_result.severity
|
url_info.risk_infos.risk_level
|
[CEP Only] Additional risk information reported by Safe Browsing. |
principal.security_result.detection_fields[url_info_initiator_type]
|
url_info.navigation_initiator.initiator_type
|
[CEP Only] This maps the url_info_initiator_type
in a dangerousDownloadEvent
or contentTransferEvent
. In a urlNavigationEvent
, suspiciousUrlEvent
, or urlFilteringInterstitialEvent
this maps the url_navigation_initiator
. |
principal.security_result.detection_fields[url_info_entity]
|
url_info.navigation_initiator.entity
|
[CEP Only] This maps the url_info_entity
in a dangerousDownloadEvent
or contentTransferEvent
. In a urlNavigationEvent
, suspiciousUrlEvent
, or urlFilteringInterstitialEvent
this maps the url_infos_navigation_entity
. |
principal.security_result.detection_fields[url_info_request_http_method]
|
url_info.request_http_method
|
[CEP Only] The HTTP method used to contact the URL. |
principal.url_metadata.categories
|
url_info.url_categories
|
[CEP Only] The URL category reported by Safe Browsing of urlNavigationEvent
or suspiciousUrlEvent
. |
principal.security_result.detection_fields[url_info_risk_infos_risk_indicators_key]
|
url_info.risk_infos.risk_indicators
|
[CEP Only] The URL risk indicators reported by Safe Browsing of urlNavigationEvent
or suspiciousUrlEvent
. |
principal.security_result.rule_label[risk_reason]
|
url_info.risk_infos.risk_reasons
|
[CEP Only] The Safe Browsing reason for the URL risk classification of urlNavigationEvent
or suspiciousUrlEvent
. |
principal.security_result.detection_fields[content_risk_source]
|
url_info.risk_infos.risk_source
|
[CEP Only] The risk source determination reported by Safe Browsing. This includes URL and file reputation
and content scanning results for urlNavigationEvent
, suspiciousUrlEvent
, or urlFilteringInterstitialEvent
. |
security_result.threat_name
|
url_info.risk_infos.threat_type
|
[CEP Only] The threat type reported by Safe Browsing of the URL for urlNavigationEvent
, suspiciousUrlEvent
, or urlFilteringInterstitialEvent
. |
about.url
|
tab_url_info.url, tab_url, referrers.url
|
[CEP Only] Maps the tab_url_info.url
of dangerousDownloadEvent
or contentTransferEvent
. Maps the referrers.url
of a urlNavigationEvent
, or suspiciousUrlEvent
. |
about.ip
|
tab_url_info.ip, remote_ip, referrers.ip
|
[CEP Only] Maps the tab_url_info_ip
IP address associated with dangerousDownloadEvent
or contentTransferEvent
. Maps the IP address of remote_ip
or referrers.ip
in urlNavigationEvent
or suspiciousUrlEvent
. |
about.security_result.detection_fields[tab_url_info_type]
|
tab_url_info.type
|
[CEP Only] The URL tab type for dangerousDownloadEvent
or contentTransferEvent
. |
about.security_result.severity
|
tab_url_info.risk_level
|
[CEP Only] The Safe Browsing risk level associated with the URL from a tab event for dangerousDownloadEvent
or contentTransferEvent
. |
about.security_result.detection_fields[tab_url_info_initiator_type]
|
tab_url_info.navigation_initiator.initiator_type
|
[CEP Only] The initiator type of the tab event for dangerousDownloadEvent
or contentTransferEvent
. |
about.security_result.detection_fields[tab_url_info_entity]
|
tab_url_info.navigation_initiator.entity
|
[CEP Only] The tab_url_info_entity
for dangerousDownloadEvent
or contentTransferEvent
. |
about.security_result.detection_fields[tab_url_info_request_http_method]
|
tab_url_info.request_http_method
|
[CEP Only] The HTTP method a tab used to contact the URL of dangerousDownloadEvent
or contentTransferEvent
. |
about.security_result.detection_fields[referrers_navigation_initiator_entity]
|
referrers.navigation_initiator.entity
|
[CEP Only] The referrer entity name that initiated the navigation event for urlNavigationEvent
or suspiciousUrlEvent
. |
about.security_result.detection_fields[referrers_navigation_initiator_initiator_type]
|
referrers.navigation_initiator.initiator_type
|
[CEP Only] The referrer type that initiated urlNavigationEvent
or suspiciousUrlEvent
. |
about.security_result.detection_fields[referrers_request_http_method]
|
referrers.request_http_method
|
[CEP Only] The HTTP method of urlNavigationEvent
or suspiciousUrlEvent
. |
about.security_result.detection_fields[referrers_risk_infos_risk_categories]
|
referrers.risk_infos.risk_categories
|
[CEP Only] The URL category of the referrer, as provided by the Safe Browsing service, associated with urlNavigationEvent
or suspiciousUrlEvent
. |
about.security_result.severity
|
referrers.risk_infos.risk_level, referrers.risk_level
|
[CEP Only] Maps the risk level provided by Safe Browsing referrers.risk_level
for a urlNavigationEvent
or suspiciousUrlEvent
or referrers.risk_infos.risk_level
for urlNavigationEvent
or suspiciousUrlEvent
. |
about.security_result.detection_fields[referrers_type]
|
referrers.type
|
[CEP Only] The URL type provided by Safe Browsing of the referrer URL of urlNavigationEvent
or suspiciousUrlEvent
. |
about.security_result.detection_fields[referrers_risk_source]
|
referrers.risk_infos.risk_source
|
[CEP Only] The risk source provided by Safe Browsing for the referrer URL of urlNavigationEvent
or suspiciousUrlEvent
. |
about.security_result.threat_name
|
referrers.risk_infos.threat_type
|
[CEP Only] The threat type provided by Safe Browsing for the referrer URL of urlNavigationEvent
or suspiciousUrlEvent
. |
about.url_metadata.categories
|
referrers.url_categories
|
[CEP Only] The URL category provided by Safe Browsing for the referrer URL of urlNavigationEvent
or suspiciousUrlEvent
. |
Need more help? Get answers from Community members and Google SecOps professionals.
