Collect AppOmni logs
This document explains how to configure AppOmni to push logs to Google Security Operations using webhooks.
AppOmni is a SaaS security platform that provides continuous posture management, threat detection, and data exposure monitoring across enterprise SaaS applications including Salesforce, Microsoft 365, ServiceNow, Workday, Google Workspace, Box, and Zoom. AppOmni normalizes hundreds of event types from monitored SaaS applications and can stream alerts, events, and posture findings to external SIEM destinations using its Event Streaming feature.
Before you begin
Make sure you have the following prerequisites:
- A Google SecOps instance
- An AppOmni account with administrator permissions
- Access to Google Cloud Console (for API key creation)
- AppOmni Threat Detection module enabled in your instance
- At least one monitored SaaS application connected and ingesting events in AppOmni
Create a webhook feed in Google SecOps
Create the feed
- Go to SIEM Settings > Feeds.
- Click Add New Feed.
- On the next page, click Configure a single feed.
- In the Feed name field, enter a name for the feed (for example, AppOmni Events).
- Select Webhook as the Source type.
- Select AppOmni as the Log type.
- Click Next.
- Specify values for the following input parameters:
  - Split delimiter: Enter `\n` (the newline delimiter for NDJSON payloads).
  - Asset namespace: The asset namespace.
  - Ingestion labels: The label to be applied to the events from this feed.
- Click Next.
- Review your new feed configuration in the Finalize screen, and then click Submit.
Generate and save a secret key
After creating the feed, you must generate a secret key for authentication:
- On the feed details page, click Generate Secret Key.
- A dialog displays the secret key.
- Copy and save the secret key securely.
Get the feed endpoint URL
- Go to the Details tab of the feed.
- In the Endpoint Information section, copy the Feed endpoint URL.
The URL format is `https://malachiteingestion-pa.googleapis.com/v2/unstructuredlogentries:batchCreate` or, in the regional form, `https://<REGION>-malachiteingestion-pa.googleapis.com/v2/unstructuredlogentries:batchCreate`. Save this URL for the next steps.
- Click Done.
Create a Google Cloud API key
Google SecOps requires an API key for authentication. Create a restricted API key in the Google Cloud Console.
Create the API key
- Go to the Google Cloud Console Credentials page.
- Select your project (the project associated with your Google SecOps instance).
- Click Create credentials > API key.
- An API key is created and displayed in a dialog.
- Click Edit API key to restrict the key.
Restrict the API key
- On the API key settings page, in the Name field, enter a descriptive name (for example, Chronicle Webhook API Key).
- Under API restrictions:
  - Select Restrict key.
  - In the Select APIs dropdown, search for and select Google SecOps API (or Chronicle API).
- Click Save.
- Copy the API key value from the API key field at the top of the page.
Save the API key securely.
Configure the AppOmni Event Streaming destination
Construct the webhook URL
Combine the Google SecOps endpoint URL, API key, and secret key:
```
<ENDPOINT_URL>?key=<API_KEY>&secret=<SECRET_KEY>
```
Example:
```
https://malachiteingestion-pa.googleapis.com/v2/unstructuredlogentries:batchCreate?key=AIzaSyD...&secret=abcd1234...
```
Create a Custom Webhook destination in AppOmni
- Sign in to your AppOmni instance at https://<your-organization>.appomni.com.
- Navigate to Threat Detection > Destinations.
- Click Add New Destination.
- Click the Custom Webhook card.
- Provide the following configuration details:
  - Name: Enter a descriptive name (for example, Chronicle SIEM Webhook).
  - Description (optional): Enter a description (for example, Stream AppOmni events to SIEM via webhook).
- Configure the following delivery settings:
  - URL: Paste the complete webhook URL with the API key and secret key appended as query parameters, for example `https://malachiteingestion-pa.googleapis.com/v2/unstructuredlogentries:batchCreate?key=YOUR_API_KEY&secret=YOUR_SECRET_KEY`.
  - SSL Verification: Select this checkbox (recommended).
  - Hash Original Field (optional): Select this checkbox to replace the original event field from the monitored SaaS application with a SHA256 hash, reducing event size.
  - Max Event Size (optional): Leave at the default setting or set a custom value.
  - Max Payload Size (optional): Leave at the default setting or set a custom value.
- Select the Data Types you want to stream to Google SecOps:
  - Alerts: Threat detection alerts generated by AppOmni rules (recommended).
  - Events: Normalized SaaS activity events collected from monitored applications (recommended).
  - Policy: Posture management findings for configuration compliance.
- Click Save.
Verify the destination
- In AppOmni, go to Threat Detection > Destinations.
- Locate the destination you created.
- Verify the destination status shows as active.
- Wait for AppOmni to generate and stream events based on your monitored SaaS applications.
Verify the events in Google SecOps:
- Go to SIEM Settings > Feeds.
- Click on your AppOmni feed.
- Go to the Status tab.
- Verify that events are being received.
AppOmni event types
AppOmni normalizes SaaS events using the AppOmni Common Event Schema (ACES), which is based on the Elastic Common Schema (ECS). The following event categories are commonly streamed:
| Category | Description | Examples |
|---|---|---|
| Authentication | User authentication events | Login, logout, MFA challenges, SSO events |
| Configuration | Application configuration changes | Permission changes, policy updates, role modifications |
| Data access | Data access and sharing events | File downloads, record views, sharing changes |
| Administrative | Administrative actions | User creation, group changes, app installations |
| Threat detection | AppOmni-generated alerts | Anomalous behavior, privilege escalation, data exfiltration indicators |
Authentication methods reference
Google SecOps webhook feeds support multiple authentication methods. Choose the method that your vendor supports.
Method 1: Query parameters (Recommended for AppOmni)
AppOmni Custom Webhook destinations support URL-based authentication. Append credentials to the webhook URL.
URL format:
```
<ENDPOINT_URL>?key=<API_KEY>&secret=<SECRET_KEY>
```
Example:
```
https://malachiteingestion-pa.googleapis.com/v2/unstructuredlogentries:batchCreate?key=AIzaSyD...&secret=abcd1234...
```
Method 2: Custom headers
If your AppOmni version supports custom HTTP headers for webhook destinations, you can use header-based authentication for improved security.
Headers:
```
x-goog-chronicle-auth: <API_KEY>
x-chronicle-auth: <SECRET_KEY>
```
Advantages:
- API key and secret not visible in URL
- More secure (headers not logged in web server access logs)
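The two authentication methods differ only in where the credentials travel, which matters because a query string is routinely copied into proxy and web-server access logs while headers usually are not. The following is an added example (not AppOmni's or Google's code) that builds the request both ways from the same endpoint URL and shows the redaction you would apply before any URL or header set is logged. The endpoint, API key and secret values are constructed placeholders; the host suffix check and the `redact_*` helpers are assumptions of this example, not part of either product.

```python
"""Build and redact a Google SecOps webhook request for an AppOmni destination.

Added example, not AppOmni or Google code. Endpoint/key/secret values used
in the demo are constructed placeholders.
"""
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Both endpoint forms on this page end with this host suffix (assumption: we
# only ever send credentials to a Google SecOps ingestion host).
ALLOWED_HOST_SUFFIX = "malachiteingestion-pa.googleapis.com"
SECRET_PARAMS = ("key", "secret")                           # Method 1 names
SECRET_HEADERS = ("x-goog-chronicle-auth", "x-chronicle-auth")  # Method 2 names


def build_request(endpoint_url: str, api_key: str, secret_key: str, method: str = "query"):
    """Return (url, headers) for the chosen authentication method.

    method="query"  -> Method 1: ?key=<API_KEY>&secret=<SECRET_KEY> in the URL
    method="header" -> Method 2: credentials only in request headers
    """
    parts = urlsplit(endpoint_url)
    host = parts.hostname or ""
    if parts.scheme != "https" or not host.endswith(ALLOWED_HOST_SUFFIX):
        raise ValueError("endpoint must be an https Google SecOps ingestion URL")
    if parts.query:
        raise ValueError("endpoint URL must not already carry query parameters")

    headers = {"Content-Type": "application/json"}
    if method == "query":
        # urlencode percent-encodes characters such as '/', '+' and '=' that a
        # generated secret may contain, so the URL stays parseable.
        query = urlencode({"key": api_key, "secret": secret_key})
        url = urlunsplit((parts.scheme, parts.netloc, parts.path, query, ""))
    elif method == "header":
        url = endpoint_url
        headers["x-goog-chronicle-auth"] = api_key
        headers["x-chronicle-auth"] = secret_key
    else:
        raise ValueError(f"unknown method {method!r}")
    return url, headers


def redact_url(url: str) -> str:
    """Mask credential query parameters before a URL is written to a log."""
    parts = urlsplit(url)
    params = [
        (k, "REDACTED" if k in SECRET_PARAMS else v)
        for k, v in parse_qsl(parts.query, keep_blank_values=True)
    ]
    return urlunsplit((parts.scheme, parts.netloc, parts.path, urlencode(params), parts.fragment))


def redact_headers(headers: dict) -> dict:
    """Mask credential headers before a header map is written to a log."""
    return {k: ("REDACTED" if k.lower() in SECRET_HEADERS else v) for k, v in headers.items()}


if __name__ == "__main__":
    endpoint = "https://malachiteingestion-pa.googleapis.com/v2/unstructuredlogentries:batchCreate"
    for mode in ("query", "header"):
        url, headers = build_request(endpoint, "AIza-constructed-key", "constructed/secret+=", mode)
        print(mode, "->", redact_url(url), redact_headers(headers))
```

Run it directly to see the logged form of each variant; note that with Method 2 the URL itself never carries a credential, which is the property the "Advantages" list above describes.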
Webhook limits and best practices
Request limits
| Limit | Value |
|---|---|
| Max request size | 4 MB |
| Max QPS (queries per second) | 15,000 |
| Request timeout | 30 seconds |
| Retry behavior | Automatic with exponential backoff |
Best practices
- Select only the data types you need to reduce event volume and ingestion costs.
- Enable SSL Verification to ensure secure data transmission.
- Monitor the destination status in AppOmni regularly for delivery failures.
- Consider enabling the Hash Original Field option if event payloads are large.
- Use the Events data type for comprehensive SaaS audit log coverage in your SIEM.
- Use the Alerts data type for high-priority threat detection events that require immediate triage.
Troubleshooting
Events not appearing in Google SecOps
Cause: Events are being sent but not ingested
Solution:
- Go to SIEM Settings > Feeds in Google SecOps.
- Click on your AppOmni feed.
- Go to the Status tab.
- Check for ingestion errors.
- Verify the log type is set to AppOmni.
- Verify the secret key in the webhook URL matches the one generated during feed creation.
Destination shows error in AppOmni
Cause: Google SecOps endpoint is not reachable or returns non-2xx status
Solution:
- Verify the Google SecOps endpoint URL is correct.
- Verify the API key is valid and has Google SecOps API access.
Test the endpoint manually:
```shell
curl -X POST "https://malachiteingestion-pa.googleapis.com/v2/unstructuredlogentries:batchCreate?key=YOUR_API_KEY&secret=YOUR_SECRET_KEY" \
  -H "Content-Type: application/json" \
  -d '{"test": "event"}'
```
If the test succeeds, check the AppOmni destination configuration for typos or incorrect URL formatting.
Payload exceeds maximum size
Cause: AppOmni is sending payloads larger than 4 MB
Solution:
- In AppOmni, go to Threat Detection > Destinations.
- Click on the destination.
- Reduce the Max Payload Size to a value below 4 MB.
- Enable Hash Original Field to reduce individual event sizes.
- Click Save.
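The split delimiter chosen during feed creation, the Hash Original Field option and the 4 MB request limit all act on the same NDJSON payload. The following added example (not AppOmni's or Google's code) shows that pipeline from the sender's side: events are serialized one per line with `\n` as the delimiter, optionally have their `event.original` field replaced by its SHA-256 hex digest (the behaviour the Hash Original Field option describes), and are packed into batches that never exceed the request limit, which is the condition the "Payload exceeds maximum size" entry above is about. The sample events, the `event.original` path and the helper names are constructed for this example.

```python
"""Prepare AppOmni-style events for a Google SecOps webhook feed.

Added example, not AppOmni or Google code. Sample events are constructed;
the 4 MB figure comes from the request limits table on this page.
"""
import hashlib
import json

MAX_REQUEST_BYTES = 4 * 1024 * 1024  # "Max request size: 4 MB"
SPLIT_DELIMITER = "\n"               # the feed's split delimiter (NDJSON)


def hash_original_field(event: dict) -> dict:
    """Replace event.original with its SHA-256 hex digest, as the Hash Original
    Field option does, without mutating the caller's event."""
    out = json.loads(json.dumps(event))  # cheap deep copy of a JSON-able dict
    original = out.get("event", {}).get("original")
    if original is not None:
        if not isinstance(original, str):
            original = json.dumps(original, sort_keys=True, separators=(",", ":"))
        out["event"]["original"] = hashlib.sha256(original.encode("utf-8")).hexdigest()
    return out


def to_ndjson_batches(events, max_bytes=MAX_REQUEST_BYTES, hash_original=False):
    """Serialize events to NDJSON and split into batches no larger than max_bytes."""
    batches, current, current_size = [], [], 0
    for ev in events:
        if hash_original:
            ev = hash_original_field(ev)
        line = json.dumps(ev, separators=(",", ":"))
        line_bytes = len(line.encode("utf-8")) + len(SPLIT_DELIMITER)
        if line_bytes > max_bytes:
            # One event alone would be rejected; lowering Max Event Size or
            # enabling Hash Original Field on the destination is the fix.
            raise ValueError(f"single event of {line_bytes} bytes exceeds the {max_bytes}-byte limit")
        if current and current_size + line_bytes > max_bytes:
            batches.append(SPLIT_DELIMITER.join(current))
            current, current_size = [], 0
        current.append(line)
        current_size += line_bytes
    if current:
        batches.append(SPLIT_DELIMITER.join(current))
    return batches


def split_ndjson(payload: str):
    """What the feed does on receipt: split on the delimiter, one JSON object per line."""
    return [json.loads(line) for line in payload.split(SPLIT_DELIMITER) if line.strip()]


# Constructed sample events in an ACES-like shape (not real AppOmni output).
SAMPLE_EVENTS = [
    {
        "appomni": {"event": {"id": "evt-0001", "collected_time": "2024-05-01T12:34:56Z"}},
        "raw_event": {"action": "login", "dataset": "salesforce"},
        "source": {"user": {"name": "jdoe"}, "ip": "203.0.113.7"},
        "event": {"original": "<constructed raw vendor record 1>"},
    },
    {
        "appomni": {"event": {"id": "evt-0002", "collected_time": "2024-05-01T12:35:10Z"}},
        "raw_event": {"action": "file_download", "dataset": "box"},
        "source": {"user": {"name": "asmith"}, "ip": "198.51.100.23"},
        "event": {"original": {"id": "constructed", "payload": "x" * 200}},
    },
]

if __name__ == "__main__":
    for i, batch in enumerate(to_ndjson_batches(SAMPLE_EVENTS, hash_original=True)):
        print(f"batch {i}: {len(batch.encode())} bytes, {len(split_ndjson(batch))} events")
```

Call `to_ndjson_batches` with a small `max_bytes` to watch the batching boundary, and compare the byte counts with and without `hash_original=True` to see how much a long raw record shrinks.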
UDM mapping table
| Log Field | UDM Mapping | Logic |
|---|---|---|
| additional_normalstatedata | additional.fields | Merged |
| additional_normalstatedatacounts | additional.fields | Merged |
| additional_normalstatedataresults | additional.fields | Merged |
| additional_normalstatedomaincounts | additional.fields | Merged |
| additional_normalstatedomainresults | additional.fields | Merged |
| additional_normalstatenameresults | additional.fields | Merged |
| additional_rarestatedata | additional.fields | Merged |
| additional_rarestatedatacounts | additional.fields | Merged |
| additional_rarestatedataresults | additional.fields | Merged |
| additional_rarestatedomaincounts | additional.fields | Merged |
| additional_rarestatedomainresults | additional.fields | Merged |
| additional_rarestatenameresults | additional.fields | Merged |
| anomalous_domain | additional.fields | Merged |
| anomalous_fields_source_as_ip_label | additional.fields | Merged |
| anomalous_fields_source_as_number_label | additional.fields | Merged |
| appomni_service_slug_label | additional.fields | Merged |
| changes_user_indicator_label | additional.fields | Merged |
| configuration_name_label | additional.fields | Merged |
| configuration_old_value_label | additional.fields | Merged |
| configuration_value_label | additional.fields | Merged |
| destination_as_service_label | additional.fields | Merged |
| destination_as_type_label | additional.fields | Merged |
| destination_indicators_label | additional.fields | Merged |
| destination_user_indicators_label | additional.fields | Merged |
| enrichments_value_label | additional.fields | Merged |
| event_duration | additional.fields | Merged |
| file_directory_label | additional.fields | Merged |
| has_normal_state_authentication_name_counts | additional.fields | Mapped: true → additional_normalstatedatacounts |
| has_normal_state_authentication_name_results | additional.fields | Mapped: true → additional_normalstatenameresults |
| has_normal_state_authentication_raw_method_count | additional.fields | Mapped: true → additional_normalstatedata |
| has_normal_state_authentication_raw_method_results | additional.fields | Mapped: true → additional_normalstatedataresults |
| has_normal_state_domain_counts | additional.fields | Mapped: true → additional_normalstatedomaincounts |
| has_normal_state_domain_results | additional.fields | Mapped: true → additional_normalstatedomainresults |
| has_rare_state_authentication_name_counts | additional.fields | Mapped: true → additional_rarestatedatacounts |
| has_rare_state_authentication_name_results | additional.fields | Mapped: true → additional_rarestatenameresults |
| has_rare_state_authentication_raw_method_count | additional.fields | Mapped: true → additional_rarestatedata |
| has_rare_state_authentication_raw_method_results | additional.fields | Mapped: true → additional_rarestatedataresults |
| has_rare_state_domain_counts | additional.fields | Mapped: true → additional_rarestatedomaincounts |
| has_rare_state_domain_results | additional.fields | Mapped: true → additional_rarestatedomainresults |
| indicator_list | additional.fields | Merged |
| labels_some_key_label | additional.fields | Merged |
| normal_state_source_as_ip_label | additional.fields | Merged |
| normal_state_source_as_number_label | additional.fields | Merged |
| policy_category_label | additional.fields | Merged |
| policy_description_label | additional.fields | Merged |
| policy_id_label | additional.fields | Merged |
| policy_name_label | additional.fields | Merged |
| policy_outcome_label | additional.fields | Merged |
| rare_state_source_as_ip_label | additional.fields | Merged |
| rare_state_source_as_number_label | additional.fields | Merged |
| related_services_id_label | additional.fields | Merged |
| related_services_id_name_label | additional.fields | Merged |
| related_services_type_label | additional.fields | Merged |
| resource_count_label | additional.fields | Merged |
| resource_owner_indicator_label | additional.fields | Merged |
| resource_parent_count_label | additional.fields | Merged |
| resource_parent_owner_domain_label | additional.fields | Merged |
| resource_parent_owner_email_label | additional.fields | Merged |
| resource_parent_owner_full_name_label | additional.fields | Merged |
| resource_parent_owner_hash_label | additional.fields | Merged |
| resource_parent_owner_id_label | additional.fields | Merged |
| resource_parent_owner_indicator_label | additional.fields | Merged |
| resource_parent_owner_name_label | additional.fields | Merged |
| resource_parent_owner_role_label | additional.fields | Merged |
| rule_vendor_id_label | additional.fields | Merged |
| source_as_domain_label | additional.fields | Merged |
| source_as_service_label | additional.fields | Merged |
| source_as_type_label | additional.fields | Merged |
| source_user_indicator_label | additional.fields | Merged |
| tactic_reference_label | additional.fields | Merged |
| technique_reference_label | additional.fields | Merged |
| token_appomni_alert_channel | additional.fields | Merged |
| token_appomni_event_ingestion_time | additional.fields | Merged |
| token_appomni_event_parent_id | additional.fields | Merged |
| token_appomni_event_sortable_event_id | additional.fields | Merged |
| token_appomni_event_sortable_ingest_id | additional.fields | Merged |
| token_appomni_organization_id | additional.fields | Merged |
| token_authentication_raw_method | additional.fields | Merged |
| token_error_id | additional.fields | Merged |
| token_error_message | additional.fields | Merged |
| token_error_type | additional.fields | Merged |
| token_event_category | additional.fields | Merged |
| token_event_code | additional.fields | Merged |
| token_event_created | additional.fields | Merged |
| token_event_end | additional.fields | Merged |
| token_event_id | additional.fields | Merged |
| token_event_kind | additional.fields | Merged |
| token_event_original | additional.fields | Merged |
| token_event_provider | additional.fields | Merged |
| token_event_sequence | additional.fields | Merged |
| token_event_start | additional.fields | Merged |
| token_event_type | additional.fields | Merged |
| token_labels | additional.fields | Merged |
| token_rel_event | additional.fields | Merged |
| token_rel_hash | additional.fields | Merged |
| token_rel_host | additional.fields | Merged |
| token_rel_idnt | additional.fields | Merged |
| token_rel_res | additional.fields | Merged |
| token_rel_user | additional.fields | Merged |
| token_related_ip | additional.fields | Merged |
| token_service_id | additional.fields | Merged |
| token_service_name | additional.fields | Merged |
| token_service_type | additional.fields | Merged |
| token_session_kind | additional.fields | Merged |
| token_source_user_hash | additional.fields | Merged |
| token_space_category | additional.fields | Merged |
| token_space_id | additional.fields | Merged |
| token_space_name | additional.fields | Merged |
| token_tag | additional.fields | Merged |
| token_user_agent_os_kernel | additional.fields | Merged |
| token_user_agent_os_platform | additional.fields | Merged |
| token_user_identity_admin | additional.fields | Merged |
| token_user_identity_elevated | additional.fields | Merged |
| token_version | additional.fields | Merged |
| user_effective_indicator_label | additional.fields | Merged |
| user_indicator_label | additional.fields | Merged |
| user_target_indicator_label | additional.fields | Merged |
| authentication.provider | extensions.auth.auth_details | Directly mapped |
| auth_mechanism | extensions.auth.mechanism | Merged |
| message | metadata.description | Directly mapped |
| appomni.event.collected_time | metadata.event_timestamp | Parsed as RFC3339 |
| file.created | metadata.event_timestamp | Parsed as RFC3339 |
| raw_event.ingested | metadata.event_timestamp | Parsed as RFC3339 |
| raw_timestamp | metadata.event_timestamp | Parsed as RFC3339 |
| principal_machineid_present | metadata.event_type | Mapped: true → NETWORK_CONNECTION, true → NETWORK_UNCATEGORIZED, true → STATUS_HE... |
| principal_userid_present | metadata.event_type | Mapped values (13 total, e.g. true → GROUP_CREATION, true → GROUP_DELETION, true →... |
| raw_event.dataset | metadata.log_type | Directly mapped |
| raw_event.action | metadata.product_event_type | Directly mapped |
| appomni.event.id | metadata.product_log_id | Directly mapped |
| raw_event.reference | metadata.url_back_to_product | Directly mapped |
| session.id | network.session_id | Directly mapped |
| source.user.domain | principal.administrative_domain | Directly mapped |
| raw_event.module | principal.application | Directly mapped |
| source.host.id | principal.asset.asset_id | Directly mapped |
| source.host.hostname | principal.asset.hostname | Directly mapped |
| source.host.name | principal.asset.hostname | Directly mapped |
| src_host_mac | principal.asset.mac | Merged |
| usr_agt_os_type | principal.asset.platform_software.platform | Mapped: mac → MAC, linux → LINUX, windows → WINDOWS, chrome → CHROME_OS |
| appomni.source.id | principal.asset.product_object_id | Directly mapped |
| asset_soft | principal.asset.software | Merged |
| source_host_type | principal.asset.type | Mapped: "workstation", "desktop" → WORKSTATION, server → SERVER, laptop → LAPTOP... |
| source.as.domain | principal.domain.name | Directly mapped |
| user.group.name | principal.group.group_display_name | Directly mapped |
| user.group.id | principal.group.product_object_id | Directly mapped |
| source.address | principal.ip | Merged |
| source.ip | principal.ip | Merged |
| token_appomni_service_type | principal.labels | Merged |
| token_own_role | principal.labels | Merged |
| token_service_id | principal.labels | Merged |
| token_service_name | principal.labels | Merged |
| token_source_geo_continent_code | principal.labels | Merged |
| token_source_geo_continent_name | principal.labels | Merged |
| token_source_geo_country_iso_code | principal.labels | Merged |
| token_source_geo_postal_code | principal.labels | Merged |
| token_source_geo_region_iso_code | principal.labels | Merged |
| token_source_geo_timezone | principal.labels | Merged |
| token_user_identity_full_name | principal.labels | Merged |
| token_user_identity_id | principal.labels | Merged |
| source.geo.city_name | principal.location.city | Directly mapped |
| source.as.country | principal.location.country_or_region | Directly mapped |
| source.geo.country_name | principal.location.country_or_region | Directly mapped |
| source.geo.name | principal.location.name | Directly mapped |
| source.geo.location.lat | principal.location.region_coordinates.latitude | Renamed/mapped |
| source.geo.location.lon | principal.location.region_coordinates.longitude | Renamed/mapped |
| source.geo.region_name | principal.location.state | Directly mapped |
| src_mac | principal.mac | Merged |
| source.as.number | principal.network.asn | Directly mapped |
| source.domain | principal.network.dns_domain | Directly mapped |
| user_agent.original | principal.network.http.user_agent | Directly mapped |
| raw_event.ueba.anomalous_fields.source.as.organization.name | principal.network.organization_name | Directly mapped |
| source.as.organization.name | principal.network.organization_name | Directly mapped |
| user_agent_os_name | principal.platform | Mapped values (6 total, e.g. macos → MAC, linux → LINUX, windows → WINDOWS) |
| source.port | principal.port | Renamed/mapped |
| service_name | principal.resource.name | Directly mapped |
| service_id | principal.resource.product_object_id | Directly mapped |
| service_type | principal.resource.resource_subtype | Directly mapped |
| pri_res_ans | principal.resource_ancestors | Merged |
| princ_res_ans | principal.resource_ancestors | Merged |
| token_source_user_identity_admin | principal.user.attribute.labels | Merged |
| token_source_user_identity_elevated | principal.user.attribute.labels | Merged |
| token_source_user_identity_email | principal.user.attribute.labels | Merged |
| token_source_user_identity_full_name | principal.user.attribute.labels | Merged |
| token_source_user_identity_id | principal.user.attribute.labels | Merged |
| token_user_domain | principal.user.attribute.labels | Merged |
| token_user_hash | principal.user.attribute.labels | Merged |
| token_role | principal.user.attribute.roles | Merged |
| src_user_mail | principal.user.email_addresses | Merged |
| user_mail | principal.user.email_addresses | Merged |
| source.user.id | principal.user.product_object_id | Directly mapped |
| user.id | principal.user.product_object_id | Directly mapped |
| source.user.full_name | principal.user.user_display_name | Directly mapped |
| user.full_name | principal.user.user_display_name | Directly mapped |
| source.user.name | principal.user.userid | Directly mapped |
| user.name | principal.user.userid | Directly mapped |
| appomni.event.dataset | security_result.action_details | Directly mapped |
| tactics | security_result.attack_details.tactics | Merged |
| technique | security_result.attack_details.techniques | Merged |
| rule.threat.framework | security_result.attack_details.version | Directly mapped |
| appomni.source.id | src.user.product_object_id | Directly mapped |
| destination.as.domain | target.administrative_domain | Directly mapped |
| destination.host.id | target.asset.asset_id | Directly mapped |
| token_destination_host_name | target.asset.attribute.labels | Merged |
| token_destination_host_type | target.asset.attribute.labels | Merged |
| dst_mac | target.asset.mac | Merged |
| destination.domain | target.domain.name | Directly mapped |
| file_extension | target.file.file_type | Mapped: "EPUB", "FB2", "MOBI" → FILE_TYPE_EBOOK |
| file.path | target.file.full_path | Directly mapped |
| file.hash | target.file.md5 | Directly mapped |
| file.name | target.file.names | Merged |
| file.size | target.file.size | Renamed/mapped |
| destination.host.hostname | target.hostname | Directly mapped |
| destination.ip | target.ip | Merged |
| token_destination_geo_continent_code | target.labels | Merged |
| token_destination_geo_continent_name | target.labels | Merged |
| token_destination_geo_country_iso_code | target.labels | Merged |
| token_destination_geo_postal_code | target.labels | Merged |
| token_destination_geo_region_iso_code | target.labels | Merged |
| token_destination_geo_timezone | target.labels | Merged |
| token_file_id | target.labels | Merged |
| destination.geo.city_name | target.location.city | Directly mapped |
| destination.as.country | target.location.country_or_region | Directly mapped |
| destination.geo.country_name | target.location.country_or_region | Directly mapped |
| destination.geo.region_name | target.location.country_or_region | Directly mapped |
| destination.geo.name | target.location.name | Directly mapped |
| destination.geo.location.lat | target.location.region_coordinates.latitude | Renamed/mapped |
| destination.geo.location.lon | target.location.region_coordinates.longitude | Renamed/mapped |
| dst_mac | target.mac | Merged |
| destination.as.number | target.network.asn | Directly mapped |
| destination.as.organization.name | target.network.organization_name | Directly mapped |
| destination.port | target.port | Renamed/mapped |
| token_resource_owner_domain | target.resource.attribute.labels | Merged |
| token_resource_owner_email | target.resource.attribute.labels | Merged |
| token_resource_owner_full_name | target.resource.attribute.labels | Merged |
| token_resource_owner_hash | target.resource.attribute.labels | Merged |
| token_resource_owner_id | target.resource.attribute.labels | Merged |
| token_resource_owner_identity_admin | target.resource.attribute.labels | Merged |
| token_resource_owner_identity_elevated | target.resource.attribute.labels | Merged |
| token_resource_owner_identity_email | target.resource.attribute.labels | Merged |
| token_resource_owner_identity_full_name | target.resource.attribute.labels | Merged |
| token_resource_owner_identity_id | target.resource.attribute.labels | Merged |
| token_resource_owner_name | target.resource.attribute.labels | Merged |
| resource.name | target.resource.name | Directly mapped |
| resource.id | target.resource.product_object_id | Directly mapped |
| resource.type | target.resource.resource_subtype | Directly mapped |
| tar_res_ans | target.resource_ancestors | Merged |
| raw_event.url | target.url | Directly mapped |
| token_destination_user_domain | target.user.attribute.labels | Merged |
| token_destination_user_hash | target.user.attribute.labels | Merged |
| token_destination_user_identity_admin | target.user.attribute.labels | Merged |
| token_destination_user_identity_elevated | target.user.attribute.labels | Merged |
| token_destination_user_identity_email | target.user.attribute.labels | Merged |
| token_destination_user_identity_full_name | target.user.attribute.labels | Merged |
| token_destination_user_identity_id | target.user.attribute.labels | Merged |
| token_user_target_domain | target.user.attribute.labels | Merged |
| token_user_target_hash | target.user.attribute.labels | Merged |
| token_user_target_identity_admin | target.user.attribute.labels | Merged |
| token_user_target_identity_elevated | target.user.attribute.labels | Merged |
| token_user_target_identity_email | target.user.attribute.labels | Merged |
| token_user_target_identity_full_name | target.user.attribute.labels | Merged |
| token_user_target_identity_id | target.user.attribute.labels | Merged |
| token_role | target.user.attribute.roles | Merged |
| dst_user_mail | target.user.email_addresses | Merged |
| user_tar_mail | target.user.email_addresses | Merged |
| user.target.id | target.user.product_object_id | Directly mapped |
| destination.user.full_name | target.user.user_display_name | Directly mapped |
| user.target.full_name | target.user.user_display_name | Directly mapped |
| destination.user.id | target.user.userid | Directly mapped |
| destination.user.name | target.user.userid | Directly mapped |
| user.target.name | target.user.userid | Directly mapped |
| N/A | metadata.event_type | Constant: GENERIC_EVENT |
| N/A | metadata.product_name | Constant: APPOMNI |
| N/A | metadata.vendor_name | Constant: APPOMNI |
| N/A | principal.asset.platform_software.platform | Constant: MAC |
| N/A | principal.asset.type | Constant: WORKSTATION |
| N/A | principal.platform | Constant: MAC |
| N/A | principal.resource.resource_type | Constant: BACKEND_SERVICE |
| N/A | target.asset.type | Constant: WORKSTATION |
| N/A | target.file.file_type | Constant: FILE_TYPE_EBOOK |
| N/A | target.resource.resource_type | Constant: CLOUD_PROJECT |
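The table distinguishes four kinds of mapping logic: "Directly mapped" (the value is copied to one UDM field), "Merged" (several log fields feed one repeated UDM field), "Mapped" (an enum translation such as `usr_agt_os_type` → `principal.asset.platform_software.platform`) and "Parsed as RFC3339" (a timestamp). The following added example (not Google's AppOmni parser) implements a handful of rows from each kind so that a constructed event can be previewed in UDM shape before a detection rule is written against it. The row subset, the sample event, the dotted-path helpers and the `UNKNOWN_PLATFORM` fallback used for values the table does not list are all assumptions of this example; only the three platform values the table shows explicitly are included although it notes six in total.

```python
"""Preview how a constructed AppOmni (ACES) event lands in UDM for a subset of the
mapping table above. Added example, not Google's parser."""
from datetime import datetime, timezone

# "Directly mapped" rows (Log Field -> UDM Mapping).
DIRECT = {
    "raw_event.dataset": "metadata.log_type",
    "raw_event.action": "metadata.product_event_type",
    "appomni.event.id": "metadata.product_log_id",
    "raw_event.reference": "metadata.url_back_to_product",
    "source.user.name": "principal.user.userid",
    "source.user.id": "principal.user.product_object_id",
    "user_agent.original": "principal.network.http.user_agent",
    "destination.user.name": "target.user.userid",
    "file.path": "target.file.full_path",
}
# "Merged" rows: multiple log fields feed one repeated UDM field.
MERGED = {
    "source.address": "principal.ip",
    "source.ip": "principal.ip",
    "destination.ip": "target.ip",
    "file.name": "target.file.names",
}
# Enum ("Mapped") rows, restricted to the values the table lists.
PLATFORM_MAP = {"macos": "MAC", "linux": "LINUX", "windows": "WINDOWS"}          # user_agent_os_name
OS_TYPE_MAP = {"mac": "MAC", "linux": "LINUX", "windows": "WINDOWS", "chrome": "CHROME_OS"}  # usr_agt_os_type
UNMAPPED_PLATFORM = "UNKNOWN_PLATFORM"  # assumed fallback; the table gives none
# "Constant" rows that apply to every event.
CONSTANTS = {
    "metadata.event_type": "GENERIC_EVENT",
    "metadata.product_name": "APPOMNI",
    "metadata.vendor_name": "APPOMNI",
}


def get_path(obj, dotted):
    """Walk a dotted path through nested dicts; None if any hop is missing."""
    for part in dotted.split("."):
        if not isinstance(obj, dict) or part not in obj:
            return None
        obj = obj[part]
    return obj


def set_path(obj, dotted, value, merge=False):
    """Create intermediate dicts; merge=True appends to a repeated field without duplicates."""
    *parents, leaf = dotted.split(".")
    for part in parents:
        obj = obj.setdefault(part, {})
    if merge:
        bucket = obj.setdefault(leaf, [])
        if value not in bucket:
            bucket.append(value)
    else:
        obj[leaf] = value


def parse_rfc3339(value: str) -> str:
    """'Parsed as RFC3339': accept a trailing Z and normalise to an aware UTC ISO string."""
    dt = datetime.fromisoformat(value.replace("Z", "+00:00"))
    return dt.astimezone(timezone.utc).isoformat()


def to_udm(event: dict) -> dict:
    """Apply the constant, direct, merged, enum and timestamp rows to one event."""
    udm = {}
    for dst, const in CONSTANTS.items():
        set_path(udm, dst, const)
    for src, dst in DIRECT.items():
        value = get_path(event, src)
        if value is not None:
            set_path(udm, dst, value)
    for src, dst in MERGED.items():
        value = get_path(event, src)
        if value is not None:
            set_path(udm, dst, value, merge=True)
    collected = get_path(event, "appomni.event.collected_time")
    if collected:
        set_path(udm, "metadata.event_timestamp", parse_rfc3339(collected))
    platform = get_path(event, "user_agent_os_name")
    if platform is not None:
        set_path(udm, "principal.platform", PLATFORM_MAP.get(platform.lower(), UNMAPPED_PLATFORM))
    os_type = get_path(event, "usr_agt_os_type")
    if os_type is not None:
        set_path(udm, "principal.asset.platform_software.platform",
                 OS_TYPE_MAP.get(os_type.lower(), UNMAPPED_PLATFORM))
    return udm


# Constructed sample event in an ACES-like shape (not real AppOmni output).
SAMPLE_EVENT = {
    "appomni": {"event": {"id": "evt-0001", "collected_time": "2024-05-01T12:34:56Z"}},
    "raw_event": {"action": "login", "dataset": "salesforce", "reference": "https://example.invalid/evt-0001"},
    "source": {"user": {"name": "jdoe", "id": "005-constructed"}, "ip": "203.0.113.7", "address": "203.0.113.7"},
    "user_agent": {"original": "Mozilla/5.0 (constructed)"},
    "user_agent_os_name": "macOS",
    "usr_agt_os_type": "chrome",
}

if __name__ == "__main__":
    import json
    print(json.dumps(to_udm(SAMPLE_EVENT), indent=2))
```

Running the block prints the UDM document for the sample event; the duplicated `source.ip`/`source.address` value collapses into a single `principal.ip` entry, and a platform string outside the listed values falls back to the assumed default rather than failing.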