Collect Salesforce logs

This document explains how to ingest Salesforce logs to Google Security Operations using two methods: Amazon AppFlow with Amazon S3or Third Party API. The parser handles the logs in LEEF, CSV, and JSON formats. It extracts fields, performs format-specific processing (handling LEEF key-value pairs, CSV columns, and JSON structures), maps them to the UDM, and enriches the data with metadata and derived fields. The parser also handles various Salesforce event types, applying specific logic for logins, logouts, and other actions, categorizing events, and setting appropriate UDM event types.

Before you begin

Make sure you have the following prerequisites:

• A Google SecOps instance
• Privileged access to Salesforce (System Administrator or equivalent)

Option 1: Third Party API method

• A Salesforce Shield Event Monitoringlicense or Event Monitoring add-on
• Ability to generate and manage X.509 certificates and RSA key pairs

Option 2: Amazon AppFlow with S3 method

• Privileged access to AWS
• Your organization uses Salesforce Enterprise, Unlimited, or Performance Edition

Important Licensing Note: Without Salesforce Shield Event Monitoring, API access to EventLogFile is limited to only 7 basic event types (Login, Logout, API Total Usage, CORS Violation Record, CSP Violation, Hostname Redirects, Apex Unexpected Exception) with 1-day retention. Most organizations without Shield should use the Amazon AppFlow method (Option 2).

Option 1: Configure Salesforce Direct API Integration using Third Party API (OAuth JWT Bearer)

This method establishes a direct API connection from Google SecOps to Salesforce using OAuth 2.0 JWT Bearer flow for server-to-server authentication.

Prerequisites for This Method:

• A Salesforce Shield Event Monitoringlicense or Event Monitoring add-on (required for comprehensive EventLogFile access)
• System Administrator access in Salesforce
• Ability to generate and manage X.509 certificates and RSA key pairs

Generate RSA Key Pair and X.509 certificate

You need an RSA private key and corresponding X.509 certificate for JWT bearer authentication.

1. Generate an RSA private key:

    openssl  
   genrsa  
   -out  
   salesforce_jwt_private.key  
    2048 
    
   

2. Generate a certificate signing request (CSR):

    openssl  
   req  
   -new  
   -key  
   salesforce_jwt_private.key  
   -out  
   salesforce_jwt.csr 
   

3. Generate a self-signed certificate (valid for 1 year):

    openssl  
   x509  
   -req  
   -days  
    365 
     
   -in  
   salesforce_jwt.csr  
   -signkey  
   salesforce_jwt_private.key  
   -out  
   salesforce_jwt.crt 
   

4. Save the private key securely. You will need it for the Google SecOps feed configuration.

Create a Salesforce Connected App with JWT Bearer Flow

1. Sign in to Salesforceas a System Administrator.
2. Go to Setup > Apps > App Manager.
3. Click New Connected App.
4. Provide the following configuration details:
   • Connected App Name: Enter a name (for example, Google Security Operations Integration ).
   • API Name: Auto-populated based on the Connected App Name.
   • Contact Email: Enter your email address.
5. In the API (Enable OAuth Settings)section:
   • Select Enable OAuth Settings.
   • Callback URL: Enter https://login.salesforce.com/services/oauth2/callback (this is not used for JWT flow but is required).
   • Select Use digital signatures.
   • Click Choose Fileand upload the X.509 certificate ( salesforce_jwt.crt ) you generated earlier.
   • Selected OAuth Scopes: Add the following scopes:
     • Access and manage your data (api)
     • Perform requests on your behalf at any time (refresh_token, offline_access)
   • Require Proof Key for Code Exchange (PKCE) Extension for Supported Authorization Flows: Clear this option.
6. Click Save.
7. Click Continueon the warning message.
8. On the Connected App detail page, note the Consumer Key. This will be used as the JWT Claims Issuerin Google SecOps.
9. Click Manage > Edit Policies.
10. In the OAuth Policiessection:
    • Permitted Users: Select Admin approved users are pre-authorized.
    • IP Relaxation: Select Relax IP restrictions.
11. Click Save.

Create and configure an Integration User in Salesforce

1. Go to Setup > Users > Users.
2. Click New User.
3. Provide the following configuration details:
   • First Name: Enter Google .
   • Last Name: Enter Google SecOps Integration .
   • Email: Enter an email address.
   • Username: Enter a unique username.
   • User License: Select Salesforce.
   • Profile: Select System Administratoror create a custom profile with API access.
4. Click Save.
5. Note the Usernameexactly as entered. This will be used as the JWT Claims Subjectin Google SecOps.

Assign the Integration User to the Connected App

1. Go to Setup > Apps > Connected Apps > Manage Connected Apps.
2. Click the Google Security Operations IntegrationConnected App you created.
3. Click Manage > Manage Profilesor Manage Permission Sets.
4. Select the profile or permission set assigned to your integration user (for example, System Administrator).
5. Click Save.

Grant API and Event Monitoring Permissions to the Integration User

1. Go to Setup > Users > Permission Sets.
2. Click New.
3. Provide the following configuration details:
   • Label: Enter Event Monitoring API Access .
   • API Name: Auto-populated.
4. Click Save.
5. On the Permission Set detail page:
   • Click System Permissions.
   • Click Edit.
   • Check the following permissions:
     • API Enabled
     • View Event Log Files
     • View All Data(optional, but recommended for comprehensive access)
   • Click Save.
6. Click Manage Assignments > Add Assignments.
7. Select the integration user you created earlier.
8. Click Assign > Done.

Configure a feed in Google SecOps to ingest Salesforce logs via API

1. Go to SIEM Settings > Feeds.
2. Click + Add New Feed.
3. On the next page, click Configure a single feed.
4. In the Feed namefield, enter a name for the feed (for example, Salesforce logs ).
5. Select Third party APIas the Source type.
6. Select Salesforceas the Log type.
7. Click Next.
8. Select OAuth JWT grantfrom the drop-down.
9. Specify values for the following input parameters:
   • OAuth JWT Endpoint: Enter the Salesforce OAuth token endpoint:
     • Production: https://login.salesforce.com/services/oauth2/token
     • Sandbox: https://test.salesforce.com/services/oauth2/token
     • Custom Domain: https://yourdomain.my.salesforce.com/services/oauth2/token
   • JWT Claims Issuer: Enter the Consumer Keyfrom the Connected App.
   • JWT Claims Subject: Enter the Usernameof the integration user.
   • JWT Claims Audience: Enter the Salesforce login base URL:
     • Production: https://login.salesforce.com
     • Sandbox: https://test.salesforce.com
   • RSA Private Key: Paste the entire contents of your RSA private key ( salesforce_jwt_private.key ), including the -----BEGIN PRIVATE KEY----- and -----END PRIVATE KEY----- lines.
10. Specify additional parameters:
    • Asset namespace: The asset namespace .
    • Ingestion labels: The label to be applied to the events from this feed.
11. Click Next.
12. Review your new feed configuration in the Finalizescreen, and then click Submit.

Option 2: Configure Salesforce Logs export using Amazon AppFlow and S3

This method uses Amazon AppFlow to extract data from Salesforce and store it in Amazon S3, which Google SecOps then ingests.

Configure AWS S3 bucket and IAM for Google SecOps

1. Create Amazon S3 bucketfollowing this user guide: Creating a bucket
2. Save bucket Nameand Regionfor future reference (for example, salesforce-secops-logs ).
3. Create a Userfollowing this user guide: Creating an IAM user .
4. Select the created User.
5. Select Security credentialstab.
6. Click Create Access Keyin section Access Keys.
7. Select Third-party serviceas Use case.
8. Click Next.
9. Optional: Add a description tag.
10. Click Create access key.
11. Click Download CSV fileto save the Access Keyand Secret Access Keyfor future reference.
12. Click Done.
13. Select Permissionstab.
14. Click Add permissionsin section Permissions policies.
15. Select Add permissions.
16. Select Attach policies directly.
17. Search for AmazonS3FullAccesspolicy.
18. Select the policy.
19. Click Next.
20. Click Add permissions.

Configure Amazon AppFlow

1. Open the Amazon AppFlow console.
2. Click Create flow.
3. Provide the following configuration details:
   • Flow name: Enter a name (for example, Salesforce-to-S3-SecOps ).
   • Flow description: Optional description.
4. Click Next.
5. For Source details:
   • Source name: Select Salesforce.
   • Choose Salesforce connection: Click Create new connection.
   • A Salesforce sign-in window appears. Sign in with your Salesforce credentials.
   • Grant access when prompted.
   • Salesforce object: Select the object you want to transfer (for example, EventLogFileif you have Event Monitoring, or other audit objects).
6. Click Next.
7. For Destination details:
   • Destination name: Select Amazon S3.
   • Bucket details: Select the S3 bucket you created earlier.
   • S3 bucket prefix: Optional prefix (for example, salesforce-logs/ ).
8. Click Next.
9. For Flow trigger:
   • Select Run on schedule.
   • Starting at: Set your preferred start time.
   • Repeats: Select Hourlyor Dailybased on your requirements.
10. Click Next.
11. For Map data fields:
    • Select Map all fields directlyor you can specify which fields to map.
    • If mapping manually, select the fields you want to transfer.
12. Click Next.
13. For Add filters(optional):
    • Add any filters to limit the data transferred.
14. Click Next.
15. Review your configuration and click Create flow.
16. Click Activate flowto start the scheduled transfers.

Configure a feed in Google SecOps to ingest Salesforce logs

1. Go to SIEM Settings > Feeds.
2. Click Add New Feed.
3. On the next page, click Configure a single feed.
4. In the Feed namefield, enter a name for the feed; for example, Salesforce Logs.
5. Select Amazon S3 V2as the Source type.
6. Select Salesforceas the Log type.
7. Click Next.

8. Specify values for the following input parameters:

   • S3 URI: The bucket URI. s3://BUCKET_NAME Replace the following:
     • BUCKET_NAME: The name of the bucket.

   • Source deletion options: Select the deletion option according to your preference.

   • Maximum File Age: Includes files modified in the last number of days. Default is 180 days.

   • Access Key ID: The User access key with access to the s3 bucket.

   • Secret Access Key: The User secret key with access to the s3 bucket.

9. Click Next.

10. Review your new feed configuration in the Finalizescreen, and then click Submit.

UDM Mapping Table

Log Field	UDM Mapping	Logic
Account.Name	target.resource.name	The value of Account.Name from the raw log.
AccountId	target.resource.id	The value of AccountId from the raw log.
Action	security_result.description	The value of Action from the raw log.
AdditionalInfo	-	Not mapped to the IDM object.
ApiType	target.application	The value of ApiType from the raw log.
ApiVersion	-	Not mapped to the IDM object.
Application	principal.application	The value of Application from the raw log, or "Browser" for LoginAsEvent, or "Integration JWT Token" for LoginEvent, or "SfdcSiqActivityPlatform" for LoginHistory with objecttype LoginHistory, or "N/A" for ApiEvent, or "Browser" for LoginAsEventStream.
attributes.url	target.url	The value of attributes.url from the raw log, or specific URLs for various event types from the raw log.
attributes.type	metadata.product_event_type	The value of attributes.type from the raw log.
AuthSessionId	network.session_id	The value of AuthSessionId from the raw log.
Browser	principal.resource.name	The value of Browser from the raw log, or "Unknown" if Browser is not available in raw log and Application is "Insights", or "Java (Salesforce.com)" for LoginHistory with ApiType as "SOAP Partner", or "Unknown" for LoginHistory with Application as "SfdcSiqActivityPlatform", or from data.properties.Browser.str for LoginAsEventStream.
Case.Subject	target.resource.name	The value of Case.Subject from the raw log.
CaseId	target.resource.id	The value of CaseId from the raw log.
cat	metadata.product_event_type	The value of cat from the raw log.
City	principal.location.city	The value of City from the raw log, or from LoginGeo.City for LoginHistory.
Client	principal.labels	The value of Client from the raw log, formatted as a label.
CLIENT_IP	principal.ip , principal.asset.ip	The value of CLIENT_IP from the raw log.
ClientVersion	-	Not mapped to the IDM object.
CipherSuite	network.tls.cipher	The value of CipherSuite from the raw log.
ColumnHeaders	principal.labels	The value of ColumnHeaders from the raw log, formatted as a label.
ConnectedAppId	principal.labels	The value of ConnectedAppId from the raw log, formatted as a label.
Contact.Name	target.resource.name	The value of Contact.Name from the raw log.
ContactId	target.resource.id	The value of ContactId from the raw log.
Country	principal.location.country_or_region	The value of Country from the raw log, or LoginGeo.Country for LoginHistory.
CreatedByContext	principal.user.userid	The value of CreatedByContext from the raw log.
CreatedById	principal.resource.attribute.labels	The value of CreatedById from the raw log, formatted as a label.
CreatedDate	metadata.collected_timestamp	The value of CreatedDate from the raw log, or the current timestamp if not available.
CPU_TIME	target.resource.attribute.labels	The value of CPU_TIME from the raw log, formatted as a label.
data	-	Contains various fields that are extracted and mapped individually.
DATASET_IDS	target.resource.name	The value of DATASET_IDS from the raw log.
DelegatedOrganizationId	target.administrative_domain	The value of DelegatedOrganizationId from the raw log.
DelegatedUsername	observer.user.userid	The value of DelegatedUsername from the raw log.
Description	metadata.description	The value of Description from the raw log.
DevicePlatform	principal.resource.type	The value of DevicePlatform from the raw log, parsed to extract the resource type.
Display	metadata.description	The value of Display from the raw log.
DOWNLOAD_FORMAT	target.resource.attribute.labels	The value of DOWNLOAD_FORMAT from the raw log, formatted as a label.
Duration	target.resource.attribute.labels	The value of Duration from the raw log, formatted as a label.
ENTITY_NAME	target.resource.attribute.labels	The value of ENTITY_NAME from the raw log, formatted as a label.
ErrorCode	security_result.action	The value of ErrorCode from the raw log, transformed to ALLOW or BLOCK.
EventDate	timestamp	The value of EventDate from the raw log, or data.properties.TIMESTAMP_DERIVED.str if available, or data.properties.TIMESTAMP_DERIVED_FIRST.str if available, or @timestamp if available, or created_date if available, or timestamp if available, or LoginTime for LoginHistory.
EventIdentifier	metadata.product_log_id	The value of EventIdentifier from the raw log.
EventType	metadata.product_event_type	The value of EventType from the raw log.
Id	principal.user.userid	The value of Id from the raw log, or metadata.product_log_id for SetupAuditTrail and other events.
IdentityUsed	principal.user.email_addresses	The value of IdentityUsed from the raw log.
Lead.Name	target.resource.name	The value of Lead.Name from the raw log.
LeadId	target.resource.id	The value of LeadId from the raw log.
LoginAsCategory	-	Not mapped to the IDM object.
LoginGeo.Country	principal.location.country_or_region	The value of LoginGeo.Country from the raw log.
LoginHistoryId	-	Not mapped to the IDM object.
LoginKey	principal.user.userid , network.session_id	The value of LoginKey from the raw log, or CreatedByContext for SetupAuditTrail.
LoginTime	timestamp	The value of LoginTime from the raw log.
LoginType	security_result.description	The value of LoginType from the raw log, or "Other Apex API" for LoginHistory with ApiType as "SOAP Partner", or "Remote Access 2.0" for LoginHistory with Application as "SfdcSiqActivityPlatform".
LoginUrl	target.url , principal.url	The value of LoginUrl from the raw log.
LogFile	principal.resource.attribute.labels	The value of LogFile from the raw log, formatted as a label.
LogFileContentType	principal.resource.attribute.labels	The value of LogFileContentType from the raw log, formatted as a label.
LogFileLength	principal.resource.attribute.labels	The value of LogFileLength from the raw log, formatted as a label.
Message	-	Not mapped to the IDM object.
METHOD	network.http.method	The value of METHOD from the raw log.
Name	target.application	The value of Name from the raw log.
NewValue	-	Used in conjunction with OldValue to generate security_result.summary .
NUMBER_FIELDS	target.resource.attribute.labels	The value of NUMBER_FIELDS from the raw log, formatted as a label.
OldValue	-	Used in conjunction with NewValue to generate security_result.summary .
Operation	security_result.description , target.resource.attribute.labels	The value of Operation from the raw log, or Display for SetupAuditTrail.
OperationStatus	security_result.action	The value of OperationStatus from the raw log, transformed to ALLOW or BLOCK.
ORGANIZATION_ID	target.administrative_domain	The value of ORGANIZATION_ID from the raw log.
OsName	principal.platform	The value of OsName from the raw log.
OsVersion	principal.platform_version	The value of OsVersion from the raw log.
Platform	principal.platform	The value of Platform from the raw log, or from data.properties.OsName.str for LightningUriEventStream, or from data.properties.OsName.str for LoginEventStream.
QueriedEntities	target.resource.name , principal.labels	The value of QueriedEntities from the raw log, or component_name for UriEvent and ApiEvent.
Query	target.process.command_line , principal.labels	The value of Query from the raw log.
RecordId	target.resource.id	The value of RecordId from the raw log.
Records	principal.labels	The value of Records from the raw log, formatted as a label.
REQUEST_ID	metadata.product_log_id , target.resource.product_object_id	The value of REQUEST_ID from the raw log.
REQUEST_SIZE	network.sent_bytes	The value of REQUEST_SIZE from the raw log.
REQUEST_STATUS	security_result.summary	The value of REQUEST_STATUS from the raw log.
RESPONSE_SIZE	network.received_bytes	The value of RESPONSE_SIZE from the raw log.
RowsProcessed	target.resource.attribute.labels	The value of RowsProcessed from the raw log, formatted as a label.
RUN_TIME	target.resource.attribute.labels	The value of RUN_TIME from the raw log, formatted as a label.
SamlEntityUrl	-	Not mapped to the IDM object.
SdkAppType	-	Not mapped to the IDM object.
SdkAppVersion	-	Not mapped to the IDM object.
SdkVersion	-	Not mapped to the IDM object.
Section	security_result.summary	The value of Section from the raw log.
SessionKey	network.session_id	The value of SessionKey from the raw log.
SessionLevel	target.resource.attribute.labels	The value of SessionLevel from the raw log, formatted as a label.
SourceIp	principal.ip , principal.asset.ip	The value of SourceIp from the raw log.
src	principal.ip , principal.asset.ip	The value of src from the raw log.
SsoType	target.resource.attribute.labels	The value of SsoType from the raw log, formatted as a label.
STATUS_CODE	network.http.response_code	The value of STATUS_CODE from the raw log.
Status	security_result.action , security_result.action_details	The value of Status from the raw log, transformed to ALLOW or BLOCK, or used as action details for LoginEventStream.
Subject	target.resource.name	The value of Subject from the raw log.
TargetUrl	-	Not mapped to the IDM object.
TIMESTAMP	metadata.collected_timestamp	The value of TIMESTAMP from the raw log.
TIMESTAMP_DERIVED	timestamp	The value of TIMESTAMP_DERIVED from the raw log.
TlsProtocol	network.tls.version_protocol	The value of TlsProtocol from the raw log.
URI	target.url	The value of URI from the raw log.
USER_AGENT	network.http.user_agent	The value of USER_AGENT from the raw log.
USER_ID	principal.user.userid	The value of USER_ID from the raw log.
USER_ID_DERIVED	principal.user.product_object_id , target.resource.attribute.labels	The value of USER_ID_DERIVED from the raw log.
UserId	principal.user.userid	The value of UserId from the raw log.
USER_TYPE	target.resource.attribute.labels	The value of USER_TYPE from the raw log, formatted as a label.
Username	principal.user.userid , principal.user.email_addresses , target.user.email_addresses	The value of Username from the raw log, or src_email for various events, or IdentityUsed for IdentityProviderEventStore, or data.properties.Email.str for Search and SearchAlert, or data.properties.Username.str for LoginAsEventStream and LoginEventStream.
UserType	target.resource.attribute.labels	The value of UserType from the raw log, formatted as a label.
usrName	principal.user.userid , principal.user.email_addresses , target.user.email_addresses	The value of usrName from the raw log.
VerificationMethod	target.resource.attribute.labels	The value of VerificationMethod from the raw log, formatted as a label.
Parser Logic	metadata.event_type	Derived based on the event_id and operation fields, or set to "USER_LOGIN" for LoginEventStream, "USER_LOGOUT" for Logout and LogoutEvent, "USER_RESOURCE_UPDATE_CONTENT" for various events, "USER_RESOURCE_UPDATE_PERMISSIONS" for PlatformEncryption, "RESOURCE_READ" for QueuedExecution, ApexExecution, LightningInteraction, LightningPerformance, LightningPageView, URI, RestApi, API, AuraRequest, ApexCallout, OneCommerceUsage, Sites, MetadataApiOperation, OneCommerceUsage, VisualforceRequest, Dashboard, Search, ListViewEvent, "RESOURCE_CREATION" for UriEvent and TimeBasedWorkflow with Operation as "Create" or "INSERT", "RESOURCE_WRITTEN" for UriEvent and LightningUriEvent with Operation as "Update", "RESOURCE_DELETION" for UriEvent with Operation as "Delete" or "ROLLBACK", "USER_UNCATEGORIZED" for SetupAuditTrail and AuditTrail, "USER_CHANGE_PASSWORD" for SetupAuditTrail with operation as "namedCredentialEncryptedFieldChange", "GENERIC_EVENT" for ApiEventStream and LightningUriEventStream, or based on network and principal presence.
Parser Logic	metadata.ingestion_labels	Labels indicating the source of the event, either "Event Log File" or "Real-Time Event Monitoring" or "SetupAuditTrail".
Parser Logic	metadata.log_type	Always set to "SALESFORCE".
Parser Logic	metadata.product_name	Always set to "SALESFORCE".
Parser Logic	metadata.vendor_name	Always set to "SALESFORCE".
Parser Logic	metadata.url_back_to_product	Constructed from various fields like LoginUrl , attributes.url , data.properties.PageUrl.str , data.properties.LoginUrl.str .
Parser Logic	network.application_protocol	Set to "HTTPS" if the uri field starts with "http".
Parser Logic	network.http.referral_url	Extracted from the user_agent field if it contains "Referer=".
Parser Logic	network.http.response_code	Derived from request_status for various events.
Parser Logic	network.http.user_agent	The value of user_agent from the raw log, or from data.properties.UserAgent.str for ApiEventStream and LoginEventStream, or from Sites events, or "User-Agent" from Sites events.
Parser Logic	network.session_id	The value of session_key or SESSION_KEY from the raw log, or constructed from other fields like LoginKey or AuthSessionId .
Parser Logic	network.tls.version	The value of tls_protocol from the raw log, or from data.properties.TlsProtocol.str for LoginEventStream.
Parser Logic	principal.application	The value of application from the raw log, or "Salesforce for Outlook" for Login: Success events, or "Insights" for Login: Success events with no Application, or extracted from device_platform for Lightning events.
Parser Logic	principal.asset.hostname	The value of client_ip if it is a hostname.
Parser Logic	principal.asset.ip	The value of client_ip or src_ip or SourceIp or CLIENT_IP if it is an IP address.
Parser Logic	principal.hostname	The value of client_ip if it is a hostname.
Parser Logic	principal.ip	The value of client_ip or src_ip or SourceIp or CLIENT_IP if it is an IP address.
Parser Logic	principal.labels	Labels constructed from various fields like FederationIdentifier , ApiType , OrgId , channel .
Parser Logic	principal.location.city	The value of geoip_src.city_name or City or LoginGeo.City from the raw log.
Parser Logic	principal.location.country_or_region	The value of geoip_src.country_name or Country or LoginGeo.Country or client_geo from the raw log.
Parser Logic	principal.location.region_latitude	The value of data.properties.LoginLatitude.number from the raw log.
Parser Logic	principal.location.region_longitude	The value of data.properties.LoginLongitude.number from the raw log.
Parser Logic	principal.location.state	The value of geoip_src.region_name from the raw log.
Parser Logic	principal.platform	The value of Platform or OsName or os_name from the raw log, or "WINDOWS" for LoginEventStream with Platform containing "Windows".
Parser Logic	principal.platform_version	The value of OsVersion or os_version from the raw log, or extracted from Platform for LoginEventStream with Platform containing "Windows".
Parser Logic	principal.resource.attribute.labels	Labels constructed from various fields like CreatedById , ApiVersion , LogFile , LogFileContentType , LogFileLength .
Parser Logic	principal.resource.name	The value of Browser or browser_name from the raw log, or "Java (Salesforce.com)" for LoginHistory with ApiType as "SOAP Partner".
Parser Logic	principal.resource.type	Extracted from device_platform for Lightning events, or "Browser" for LoginAsEvent and LoginAsEventStream.
Parser Logic	principal.url	The value of LoginUrl from the raw log.
Parser Logic	principal.user.email_addresses	The value of usrName or Username or src_email or IdentityUsed or data.properties.Username.str or data.properties.Email.str from the raw log.
Parser Logic	principal.user.product_object_id	The value of attrs.USER_ID_DERIVED or data.properties.USER_ID_DERIVED.str from the raw log.
Parser Logic	principal.user.userid	The value of usrName or Username or user_id or UserId or USER_ID or Id or LoginKey or CreatedByContext or data.properties.Username.str or data.properties.USER_ID.str or data.properties.LoginKey.str from the raw log.
Parser Logic	security_result.action	Derived from Status or OperationStatus or ErrorCode or action or operation_status from the raw log, transformed to ALLOW or BLOCK.
Parser Logic	security_result.action_details	The value of Status from the raw log for LoginEventStream.
Parser Logic	security_result.description	The value of LoginType or logintype or Operation or Action or Display from the raw log.
Parser Logic	security_result.rule_name	The value of Policy or rule_name from the raw log.
Parser Logic	security_result.summary	Constructed from NewValue and OldValue or REQUEST_STATUS or Section or forecastcategory from the raw log.
Parser Logic	target.administrative_domain	The value of ORGANIZATION_ID or DelegatedOrganizationId or organization_id or data.properties.OrgName.str from the raw log.
Parser Logic	target.application	The value of Application or app_name or ApiType or Name or data.properties.Application.str from the raw log.
Parser Logic	target.asset.hostname	The value of target_hostname extracted from the uri field.
Parser Logic	target.asset.ip	The value of data.properties.CLIENT_IP.str from the raw log.
Parser Logic	target.asset_id	Constructed from device_id or REQUEST_ID .
Parser Logic	target.file.mime_type	The value of file_type from the raw log.
Parser Logic	target.file.size	The value of size_bytes from the raw log.
Parser Logic	target.hostname	The value of target_hostname extracted from the uri field.
Parser Logic	target.process.command_line	The value of query_exec or Query or data.properties.Query.str from the raw log.
Parser Logic	target.process.pid	The value of job_id from the raw log.
Parser Logic	target.resource.attribute.labels	Labels constructed from various fields like CPU_TIME , RUN_TIME , USER_TYPE , DB_TOTAL_TIME , MEDIA_TYPE , ROWS_PROCESSED , NUMBER_FIELDS , DB_BLOCKS , DB_CPU_TIME , ENTITY_NAME , EXCEPTION_MESSAGE , USER_ID_DERIVED , DOWNLOAD_FORMAT , USER_TYPE , CPU_TIME , RUN_TIME , WAVE_SESSION_ID , SessionLevel , verification_method , cpu_time , run_time , db_total_time , db_cpu_time , exec_time , callout_time , number_soql_queries , duration , user_type , entry_point , operation , session_level , rows_processed , sso_type , dashboard_type , Operation , SessionLevel .
Parser Logic	target.resource.id	The value of REQUEST_ID or RecordId or caseid or leadid or contactid or opportunityid or accountid from the raw log.
Parser Logic	target.resource.name	The value of QueriedEntities or resource_name or component_name or DATASET_IDS or field or StageName or Subject from the raw log.
Parser Logic	target.resource.product_object_id	The value of REQUEST_ID from the raw log.
Parser Logic	target.resource.resource_type	Set to "ACCESS_POLICY" for ApexCallout and PlatformEncryption, or "DATABASE" for ApexTrigger, or "FILE" for ContentTransfer, or "TABLE" for ApiEvent.
Parser Logic	target.resource.type	Set to "BATCH" for QueuedExecution and ApexExecution, or "FILE" for ContentTransfer, or "DATABASE_TRIGGER" for ApexTrigger, or "Case", "Lead", "Contact", "Opportunity", "Account" based on the presence of corresponding ID fields.
Parser Logic	target.url	The value of LoginUrl or URI or attributes.url or login_url or uri from the raw log.
Parser Logic	target.user.email_addresses	The value of Username or attrs.usrName or email_address from the raw log.
Parser Logic	target.user.user_display_name	The value of target_user_display_name or user_name or username from the raw log.
Parser Logic	target.user.userid	The value of target_user_name or data.properties.UserId.str or data.properties.CreatedById.str from the raw log.
Parser Logic	extensions.auth.auth_details	Set to "ACTIVE" if Status is not "Success", otherwise set to "UNKNOWN_AUTHENTICATION_STATUS".
Parser Logic	extensions.auth.mechanism	Set to "REMOTE" for Login: Success and Login events with logintype containing "Remote", or "USERNAME_PASSWORD" for LoginEventStream, or "MECHANISM_OTHER" for events with login_url present, or "AUTHTYPE_UNSPECIFIED" for Login: Success and Logout events.
Parser Logic	extensions.auth.type	Set to "SSO" for Login, Logout, LogoutEvent, LoginAs, IdentityProviderEventStore, LoginHistory, LoginAsEvent with LoginType as "SAML Sfdc Initiated SSO", or "AUTHTYPE_UNSPECIFIED" for Login: Success, Logout, LoginAsEvent with LoginType as "Application".

Need more help? Get answers from Community members and Google SecOps professionals.