Esta página foi traduzida pela API Cloud Translation.

Recolha dados do Chrome Enterprise

Suportado em:

Google secops SIEM

Este documento descreve como recolher registos do Google Chrome no Google SecOps através do conetor de relatórios empresariais. Detalha o processo de carregamento de dados para implementações do Google Chrome Enterprise Core e do Chrome Enterprise Premium, ao mesmo tempo que observa que alguns dados de registo avançados requerem uma licença do Chrome Enterprise Premium.

Implementação típica

Uma implementação típica consiste numa combinação dos seguintes componentes:

Chrome: o navegador Chrome e os eventos de gestão do ChromeOS que quer recolher.
ChromeOS: pode configurar dispositivos geridos com ChromeOS para enviar registos para o Google SecOps. Os dispositivos com ChromeOS são opcionais.
Conetor de relatórios do Chrome Enterprise: o conetor de relatórios do Chrome Enterprise encaminha os registos do Chrome para o Google SecOps.
Google SecOps: retém e analisa os registos do Chrome.

Antes de começar

Uma conta de administrador do Google Workspace.
Google Chrome 137 ou posterior. As versões anteriores não fornecem dados completos do URL de referência.
Licenças do Chrome Enterprise Premium para funcionalidades avançadas.
Opcional: um token de carregamento do Google SecOps. Se usar esta opção, também precisa do seu Customer ID do Google Workspace a partir da consola do administrador do Google Workspace.
Opcional: uma chave da API de carregamento do Chronicle fornecida pelo seu representante do Google SecOps.

Configure o Chrome Browser Cloud Management

Inscreva os dispositivos de destino para ativar a gestão na nuvem dos navegadores Chrome. Para ver detalhes, consulte o artigo Inscreva navegadores Chrome geridos na nuvem.
Opcional: configure o cofre de provas para a investigação de ficheiros suspeitos. (Apenas no Chrome Enterprise Premium)
Opcional: se usar o Identity-Aware Proxy, execute os passos em Recolha dados sensíveis ao contexto do Chrome Enterprise Premium para integrar estes dados no Google SecOps.

Associe os dados do Chrome à sua instância do Google SecOps

Configure o analisador do Chrome Management e o conetor para relatórios do Chrome Enterprise.

Configure o analisador do Chrome Management

Pode ter de atualizar para uma nova versão do analisador do Chrome Management para suportar registos recentes do Chrome.

Na sua instância do Google SecOps, aceda a Menu > Definições > Analizadores.
Encontre a entrada pré-criada da gestão do Chrome e verifique se está a usar uma data da versão 2025-08-14 ou mais recente aplicando as atualizações pendentes.

Configure o Chrome Enterprise Premium

Esta secção descreve como configurar o registo para o Chrome Enterprise Premium.

Pode configurar o encaminhamento de registos para o Chrome Enterprise Premium que inclui contexto da Navegação Segura. O conetor para relatórios do Chrome Enterprise para o Chrome Enterprise Premium pode configurar e, opcionalmente, encaminhar os seguintes tipos de registos:

Falhas do navegador
Transferências de conteúdo
Controlos de acesso a dados
Instalações de extensões
Telemetria de extensões
Atividade de início de sessão no Google
Transferência de software malicioso
Violação da palavra-passe
Palavra-passe alterada
Reutilização da palavra-passe
Transferência de dados confidenciais
URL suspeito
Visitas a sites não seguros
Evento intercalar de filtragem de URLs
Navegações para URL

Configure os dados do Chrome Enterprise Premium para exportação

Para configurar o conetor de relatórios do Chrome Enterprise para o registo do Chrome Enterprise Premium através das definições de segurança recomendadas:

Na consola do administrador Google, aceda a Menu > Navegador Chrome > Conectores.
Na faixa Apresentamos o Google SecOps para dados do Chrome Enterprise, clique em Ver detalhes e ativar.
Na página Ativar Google SecOps para Chrome Enterprise Premium, introduza um Nome da configuração.
Selecione uma opção de encaminhamento, conforme descrito em Configure o conetor para a criação de relatórios do Chrome Enterprise.

Configure o conetor para relatórios do Chrome Enterprise

O conetor de relatórios do Chrome Enterprise envia dados de registo para o Google SecOps para o Chrome Enterprise Premium e o Chrome Enterprise Core.

Configure o conetor de relatórios do Chrome Enterprise para enviar dados do Chrome para o Google SecOps através de uma das seguintes opções:

Se configurou anteriormente os registos de auditoria do Google Cloud para encaminhamento para o Google SecOps, pode ter uma opção para enviar registos do Chrome Enterprise Premium. Para mais detalhes, consulte o artigo
Configure o encaminhamento do Chrome para uma instância do Google SecOps na mesma organização.
Pode usar um código de token temporário gerado a partir do Google SecOps para configurar o encaminhamento para uma instância do Chrome Enterprise Premium. Para obter detalhes, consulte o artigo
Configure o encaminhamento do Chrome para o Google SecOps através de um token de integração.
Em alternativa, pode usar uma chave da API Chronicle Ingestion. Para ver detalhes, consulte o artigo
Configure o encaminhamento do Chrome para o Google SecOps através da API Chronicle Ingestion.

Configure o encaminhamento do Chrome para uma instância do Google SecOps na mesma organização

Pode ter a opção de selecionar uma instância existente do Google SecOps na configuração do conector se todos os seguintes pré-requisitos forem cumpridos:

A instância do Google SecOps está ligada a um projeto Google Cloud .
O Google Cloud projeto está na mesma organização que o Google Workspace que gere o Chrome Enterprise Premium.
Configurou anteriormente uma integração dos registos de auditoria na nuvem dessa organização com o Google SecOps.

Se estes pré-requisitos forem cumpridos, a instância do Google SecOps deve aparecer na lista de seleção em Usar instância na conta da GCP associada.

Para configurar o encaminhamento do Chrome para uma instância do Google SecOps na mesma organização, faça o seguinte:

Escreva um nome para a configuração.
Na opção Usar instância na conta da GCP associada, selecione a instância do Google SecOps.
Selecione os tipos de registos a encaminhar nas Definições de exportação de registos.
Clique em Testar ligação.
Clique em Ativar depois de testar a associação com êxito.
Clique em Concluído quando a configuração estiver concluída.

Configure o encaminhamento do Chrome para o Google SecOps através de um token de integração

Se a instância do Google SecOps de destino não aparecer na lista de seleção ou precisar de encaminhar registos do Chrome para uma instância do Google SecOps num domínio diferente Google Cloud, faça o seguinte:

Faculte o seu ID de cliente do Google Workspace ao administrador do Google SecOps da instância de destino e peça-lhe que obtenha o ID da instância e o token do Google SecOps. Este token é válido durante 24 horas.
Escreva um nome para a configuração.
Selecione Usar instância fora da sua organização.
Introduza o código de token fornecido pelo administrador do Google SecOps.
Selecione os tipos de registos a encaminhar nas Definições de exportação de registos.
Clique em Testar ligação.
Clique em Ativar depois de testar a associação com êxito.
Clique em Concluído quando a configuração estiver concluída.

Configure o encaminhamento do Chrome para o Google SecOps através da API Chronicle Ingestion

Pode configurar o conetor de relatórios do Google Chrome através de uma chave da API de carregamento do Chronicle. Só deve usar este método se não estiver disponível nenhum outro método de integração.

Na consola do administrador, aceda a Menu > Dispositivos > Chrome > Conetores.
Clique em + Configuração de novo fornecedor.
No painel lateral, encontre a configuração do Google SecOps e clique em Configurar.
Introduza o ID de configuração, a chave da API e o nome do anfitrião:
- ID de configuração: o ID é apresentado na página Definições do utilizador e do navegador e na página Conetores.
- Chave da API: a chave da API a especificar quando chama a API de carregamento do Chronicle para identificar o cliente.
- Nome do anfitrião: o ponto final da API Ingestion. Para clientes nos EUA, tem de ser malachiteingestion-pa.googleapis.com. Para outras regiões, consulte a documentação de pontos finais regionais.
Clique em Adicionar configuração para adicionar a nova configuração do fornecedor.

Associe unidades organizacionais (UOs) ao conector

Depois de configurar o conetor para a criação de relatórios do Chrome Enterprise através de uma das opções descritas na secção Configure o conetor para a criação de relatórios do Chrome Enterprise, tem de ativar o conetor para as Unidades organizacionais (UOs) específicas a partir das quais quer recolher registos.

Na consola do administrador Google, aceda a Menu > Dispositivos > Chrome > Definições. O separador Utilizadores e navegadores está selecionado por predefinição.
No painel Unidades organizacionais, selecione a UO a partir da qual quer recolher registos.
Na lista de definições principal, aceda à definição Conetor para a criação de relatórios do Chrome Enterprise.
Defina o estado como Ativado e selecione a configuração que criou nos passos anteriores.
Clique em Guardar. Repita estes passos para todas as outras UOs que exijam o carregamento de registos.

Recolha dados sensíveis ao acesso contextual do Chrome Enterprise Premium

Configure feeds para carregar conteúdo do Chrome Enterprise Premium específico do Identity-Aware Proxy (IAP) e dados de acesso sensíveis ao contexto.

Quem deve ativar a API Identity-Aware Proxy?

Os clientes do Chrome Enterprise Premium que usam dados do Identity-Aware Proxy (IAP) devem ativá-lo.
Para os clientes do Chrome Enterprise Premium que não usam dados do Identity-Aware Proxy, a ativação da API Identity-Aware Proxy é opcional (mas recomendada). Deste modo, adiciona campos de dados de acesso com reconhecimento do contexto aos seus dados de registo.

Para ativar a API Identity-Aware Proxy, siga os passos em Recolha dados sensíveis ao contexto do Chrome Enterprise Premium.

Valide o fluxo de dados

Para validar o fluxo de dados:

Abra a instância do Google SecOps.
Aceda a Menu > Pesquisar.
Execute a seguinte consulta de pesquisa para procurar eventos não processados: metadata.log_type = "CHROME_MANAGEMENT"

Tipos de registos suportados

As seguintes secções aplicam-se ao analisador CHROME_MANAGEMENT.

Eventos de registo suportados

Categoria de segurança	Tipo de evento
`Audit Activity`	`CONTENT_TRANSFER` `CONTENT_UNSCANNED` `EXTENSION_REQUEST` `LOGIN_EVENT` `MALWARE_TRANSFER` `PASSWORD_BREACH` `SENSITIVE_DATA_TRANSFER` `UNSAFE_SITE_VISIT` `browserExtensionInstallEvent` `browserCrashEvent` `extensionTelemetryEvent` `loginEvent` `passwordChangedEvent`
`ChromeOS`	Falha no início de sessão no ChromeOS `(CHROME_OS_LOGIN_FAILURE_EVENT)` Início de sessão no ChromeOS bem-sucedido `(CHROME_OS_LOGIN_EVENT)` Fim de sessão no ChromeOS `(CHROME_OS_LOGOUT_EVENT)` Utilizador adicionado ao ChromeOS `(CHROME_OS_ADD_USER)` Utilizador removido do ChromeOS `(CHROME_OS_REMOVE_USER)` ChromeOS bloqueado com êxito `(CHROMEOS_AFFILIATED_LOCK_SUCCESS)` ChromeOS desbloqueado com êxito `(CHROMEOS_AFFILIATED_UNLOCK_SUCCESS)` Falha ao desbloquear o ChromeOS `(CHROMEOS_AFFILIATED_UNLOCK_FAILURE)` Alteração do estado de arranque do dispositivo com ChromeOS `(CHROMEOS_DEVICE_BOOT_STATE_CHANGE)` Dispositivo USB adicionado ao ChromeOS `(CHROMEOS_PERIPHERAL_ADDED)` Dispositivo USB removido do ChromeOS `(CHROMEOS_PERIPHERAL_REMOVED)` Alteração do estado do USB do ChromeOS `(CHROMEOS_PERIPHERAL_STATUS_UPDATED)` Anfitrião do CRD do ChromeOS iniciado `(CHROME_OS_CRD_HOST_STARTED)` Cliente do CRD do ChromeOS ligado `(CHROME_OS_CRD_CLIENT_CONNECTED)` Cliente do CRD do ChromeOS desligado `(CHROME_OS_CRD_CLIENT_DISCONNECTED)` Anfitrião do CRD do ChromeOS parado `(CHROME_OS_CRD_HOST_ENDED)`
`Credential Security`	`passwordReuseEvent` `passwordBreachEvent`
`Data Protection`	`dataAccessControlEvent` `sensitiveDataEvent` `sensitiveDataTransferEvent`
`File Transfer`	`contentTransferEvent` `dangerousDownloadEvent` `unscannedFileEvent`
`Malicious Activity`	`badNavigationEvent` `dangerousDownloadEvent` `malwareTransferEvent`
`Navigation`	`interstitialEvent` `urlFilteringInterstitialEvent` `urlNavigationEvent` `SafeBrowsingInterstitialEvent` `suspiciousUrlEvent`

Formatos de registo do Chrome suportados

O analisador CHROME_MANAGEMENT suporta registos no formato JSON.

Registo de exemplo do Chrome suportado

Exemplo de um registo não processado para carregamento pelo analisador Chrome Management, no formato JSON:

JSON:

{
  "event": "badNavigationEvent",
  "time": "1622093983.104",
  "reason": "SOCIAL_ENGINEERING",
  "result": "EVENT_RESULT_WARNED",
  "device_name": "",
  "device_user": "",
  "profile_user": "sample@domain.io",
  "url": "https://test.domain.com/s/phishing.html",
  "device_id": "e9806c71-0f4e-4dfa-8c52-93c05420bb8f",
  "os_platform": "",
  "os_version": "",
  "browser_version": "109.0.5414.120",
  "user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36",
  "client_type": "CHROME_BROWSER_PROFILE"
}

Referência de mapeamento de campos

As seguintes tabelas de mapeamento de campos são relevantes para o CHROME_MANAGEMENTanalisador (tipo de registo).

Esta secção explica como o analisador do Google SecOps mapeia os campos de registo do Chrome para os campos do modelo de dados unificado (UDM) do Google SecOps para os conjuntos de dados.

Referência de mapeamento de campos: identificador do evento para tipo de evento

A tabela seguinte apresenta os CHROME_MANAGEMENT tipos de registos e os respetivos tipos de eventos da UDM.

Event Identifier	Event Type	Security Category
`badNavigationEvent - SOCIAL_ENGINEERING`	`USER_RESOURCE_ACCESS`	`SOCIAL_ENGINEERING`
`badNavigationEvent - SSL_ERROR`	`USER_RESOURCE_ACCESS`	`NETWORK_SUSPICIOUS`
`badNavigationEvent - MALWARE`	`USER_RESOURCE_ACCESS`	`SOFTWARE_MALICIOUS`
`badNavigationEvent - UNWANTED_SOFTWARE`	`USER_RESOURCE_ACCESS`	`SOFTWARE_PUA`
`badNavigationEvent - THREAT_TYPE_UNSPECIFIED`	`USER_RESOURCE_ACCESS`	`SOFTWARE_MALICIOUS`
`browserCrashEvent`	`STATUS_UPDATE`
`browserExtensionInstallEvent`	`USER_RESOURCE_UPDATE_CONTENT`
`Extension install - BROWSER_EXTENSION_INSTALL`	`USER_RESOURCE_UPDATE_CONTENT`
`EXTENSION_REQUEST`	`USER_UNCATEGORIZED`
`CHROME_OS_ADD_USER - CHROMEOS_AFFILIATED_USER_ADDED`	`USER_CREATION`
`CHROME_OS_ADD_USER - CHROMEOS_UNAFFILIATED_USER_ADDED`	`USER_CREATION`
`ChromeOS user added - CHROMEOS_UNAFFILIATED_USER_ADDED`	`USER_CREATION`
`ChromeOS user removed - CHROMEOS_UNAFFILIATED_USER_REMOVED`	`USER_DELETION`
`CHROME_OS_REMOVE_USER - CHROMEOS_AFFILIATED_USER_REMOVED`	`USER_DELETION`
`CHROME_OS_REMOVE_USER - CHROMEOS_UNAFFILIATED_USER_REMOVED`	`USER_DELETION`
`Login events`	`USER_LOGIN`
`LOGIN_EVENT - CHROMEOS_UNAFFILIATED_LOGIN`	`USER_LOGIN`
`loginEvent`	`USER_LOGIN`
`ChromeOS login success`	`USER_LOGIN`
`CHROME_OS_LOGIN_EVENT - CHROMEOS_AFFILIATED_LOGIN`	`USER_LOGIN`
`CHROME_OS_LOGIN_EVENT - CHROMEOS_UNAFFILIATED_LOGIN`	`USER_LOGIN`
`CHROME_OS_LOGIN_EVENT - CHROMEOS_GUEST_LOGIN`	`USER_LOGIN`
`CHROME_OS_LOGIN_EVENT - CHROMEOS_KIOSK_SESSION_LOGIN`	`USER_LOGIN`
`CHROME_OS_LOGIN_EVENT - CHROMEOS_GUEST_SESSION_LOGIN`	`USER_LOGIN`
`CHROME_OS_LOGIN_EVENT - CHROMEOS_MANAGED_GUEST_SESSION_LOGIN`	`USER_LOGIN`
`ChromeOS login failure - CHROMEOS_AFFILIATED_LOGIN`	`USER_LOGIN`
`CHROME_OS_LOGIN_FAILURE_EVENT - CHROMEOS_AFFILIATED_LOGIN`	`USER_LOGIN`
`CHROME_OS_LOGIN_FAILURE_EVENT - CHROMEOS_UNAFFILIATED_LOGIN`	`USER_LOGIN`
`CHROME_OS_LOGIN_LOGOUT_EVENT - CHROMEOS_AFFILIATED_LOGIN`	`USER_LOGIN`
`CHROME_OS_LOGOUT_EVENT - CHROMEOS_AFFILIATED_LOGOUT`	`USER_LOGOUT`
`CHROME_OS_LOGOUT_EVENT - CHROMEOS_GUEST_LOGOUT`	`USER_LOGOUT`
`CHROME_OS_LOGOUT_EVENT - CHROMEOS_MANAGED_GUEST_SESSION_LOGOUT`	`USER_LOGOUT`
`CHROME_OS_LOGOUT_EVENT - CHROMEOS_UNAFFILIATED_LOGOUT`	`USER_LOGOUT`
`CHROME_OS_LOGOUT_EVENT - CHROMEOS_KIOSK_SESSION_LOGOUT`	`USER_LOGOUT`
`CHROME_OS_LOGOUT_EVENT - CHROMEOS_GUEST_SESSION_LOGOUT`	`USER_LOGOUT`
`ChromeOS logout - CHROMEOS_AFFILIATED_LOGOUT`	`USER_LOGOUT`
`CHROME_OS_REPORTING_DATA_LOST`	`STATUS_UPDATE`
`ChromeOS CRD client connected - CHROMEOS_CRD_CLIENT_CONNECTED`	`USER_LOGIN`
`ChromeOS CRD client disconnected`	`USER_LOGOUT`
`CHROME_OS_CRD_HOST_STARTED - CHROMEOS_CRD_HOST_STARTED`	`STATUS_STARTUP`
`ChromeOS CRD host started - CHROMEOS_CRD_HOST_STARTED`	`STATUS_STARTUP`
`ChromeOS CRD host stopped - CHROMEOS_CRD_HOST_ENDED`	`STATUS_STARTUP`
`ChromeOS device boot state change - CHROME_OS_VERIFIED_MODE`	`SETTING_MODIFICATION`
`ChromeOS device boot state change - CHROME_OS_DEV_MODE`	`SETTING_MODIFICATION`
`DEVICE_BOOT_STATE_CHANGE - CHROME_OS_VERIFIED_MODE`	`SETTING_MODIFICATION`
`ChromeOS lock success - CHROMEOS_AFFILIATED_LOCK_SUCCESS`	`USER_LOGOUT`
`ChromeOS unlock success - CHROMEOS_AFFILIATED_UNLOCK_SUCCESS`	`USER_LOGIN`
`ChromeOS unlock failure - CHROMEOS_AFFILIATED_LOGIN`	`USER_LOGIN`
`ChromeOS USB device added - CHROMEOS_PERIPHERAL_ADDED`	`USER_RESOURCE_ACCESS`
`ChromeOS USB device removed - CHROMEOS_PERIPHERAL_REMOVED`	`USER_RESOURCE_DELETION`
`ChromeOS USB status change - CHROMEOS_PERIPHERAL_STATUS_UPDATED`	`USER_RESOURCE_UPDATE_CONTENT`
`CHROMEOS_PERIPHERAL_STATUS_UPDATED - CHROMEOS_PERIPHERAL_STATUS_UPDATED`	`USER_RESOURCE_UPDATE_CONTENT`
`Client Side Detection`	`USER_UNCATEGORIZED`
`Content transfer`	`SCAN_FILE`
`CONTENT_TRANSFER`	`SCAN_FILE`
`contentTransferEvent`	`SCAN_FILE`
`Content unscanned`	`SCAN_UNCATEGORIZED`
`CONTENT_UNSCANNED`	`SCAN_UNCATEGORIZED`
`dataAccessControlEvent`	`USER_RESOURCE_ACCESS`
`dangerousDownloadEvent - Dangerous`	`SCAN_FILE`	`SOFTWARE_PUA`
`dangerousDownloadEvent - DANGEROUS_HOST`	`SCAN_HOST`
`dangerousDownloadEvent - UNCOMMON`	`SCAN_UNCATEGORIZED`
`dangerousDownloadEvent - POTENTIALLY_UNWANTED`	`SCAN_UNCATEGORIZED`	`SOFTWARE_PUA`
`dangerousDownloadEvent - UNKNOWN`	`SCAN_UNCATEGORIZED`
`dangerousDownloadEvent - DANGEROUS_URL`	`SCAN_UNCATEGORIZED`
`dangerousDownloadEvent - UNWANTED_SOFTWARE`	`SCAN_FILE`	`SOFTWARE_PUA`
`dangerousDownloadEvent - DANGEROUS_FILE_TYPE`	`SCAN_FILE`	`SOFTWARE_MALICIOUS`
`Desktop DLP Warnings`	`USER_UNCATEGORIZED`
`DLP_EVENT`	`USER_UNCATEGORIZED`
`interstitialEvent - Malware`	`NETWORK_HTTP`	`NETWORK_SUSPICIOUS`
`IOS/OSX Warnings`	`SCAN_UNCATEGORIZED`
`Malware transfer - MALWARE_TRANSFER_DANGEROUS`	`SCAN_FILE`	`SOFTWARE_MALICIOUS`
`MALWARE_TRANSFER - MALWARE_TRANSFER_UNCOMMON`	`SCAN_FILE`	`SOFTWARE_MALICIOUS`
`MALWARE_TRANSFER - MALWARE_TRANSFER_DANGEROUS`	`SCAN_FILE`	`SOFTWARE_MALICIOUS`
`MALWARE_TRANSFER - MALWARE_TRANSFER_UNWANTED_SOFTWARE`	`SCAN_FILE`	`SOFTWARE_MALICIOUS`
`MALWARE_TRANSFER - MALWARE_TRANSFER_UNKNOWN`	`SCAN_FILE`	`SOFTWARE_MALICIOUS`
`MALWARE_TRANSFER - MALWARE_TRANSFER_DANGEROUS_HOST`	`SCAN_FILE`	`SOFTWARE_MALICIOUS`
`malwareTransferEvent - DANGEROUS`	`SCAN_FILE`	`SOFTWARE_MALICIOUS`
`malwareTransferEvent - UNSPECIFIED`	`SCAN_FILE`	`SOFTWARE_MALICIOUS`
`Password breach`	`USER_RESOURCE_ACCESS`
`PASSWORD_BREACH`	`USER_RESOURCE_ACCESS`
`passwordBreachEvent - PASSWORD_ENTRY`	`USER_RESOURCE_ACCESS`
`Password changed`	`USER_CHANGE_PASSWORD`
`PASSWORD_CHANGED`	`USER_CHANGE_PASSWORD`
`passwordChangedEvent`	`USER_CHANGE_PASSWORD`
`Password reuse - PASSWORD_REUSED_UNAUTHORIZED_SITE`	`USER_RESOURCE_ACCESS`	`POLICY_VIOLATION, AUTH_VIOLATION`
`Password reuse - PASSWORD_REUSED_PHISHING_URL`	`USER_UNCATEGORIZED`	`PHISHING`
`PASSWORD_REUSE - PASSWORD_REUSED_UNAUTHORIZED_SITE`	`USER_RESOURCE_ACCESS`	`POLICY_VIOLATION, AUTH_VIOLATION`
`passwordReuseEvent - Unauthorized site`	`USER_RESOURCE_ACCESS`	`POLICY_VIOLATION, AUTH_VIOLATION`
`passwordReuseEvent - PASSWORD_REUSED_PHISHING_URL`	`USER_UNCATEGORIZED`	`PHISHING`
`passwordReuseEvent - PASSWORD_REUSED_UNAUTHORIZED_SITE`	`USER_RESOURCE_ACCESS`	`POLICY_VIOLATION, AUTH_VIOLATION`
`Permissions Blacklisting`	`RESOURCE_PERMISSIONS_CHANGE`
`Sensitive data transfer`	`SCAN_FILE`	`DATA_EXFILTRATION`
`SENSITIVE_DATA_TRANSFER`	`SCAN_FILE`	`DATA_EXFILTRATION`
`sensitiveDataEvent - [test_user_5] warn`	`SCAN_FILE`	`DATA_EXFILTRATION`
`sensitiveDataTransferEvent`	`SCAN_FILE`	`DATA_EXFILTRATION`
`Unsafe site visit - UNSAFE_SITE_VISIT_SSL_ERROR`	`USER_RESOURCE_ACCESS`	`NETWORK_SUSPICIOUS`
`UNSAFE_SITE_VISIT - UNSAFE_SITE_VISIT_MALWARE`	`USER_RESOURCE_ACCESS`	`SOFTWARE_MALICIOUS`
`UNSAFE_SITE_VISIT - UNSAFE_SITE_VISIT_UNWANTED_SOFTWARE`	`USER_RESOURCE_ACCESS`	`SOFTWARE_SUSPICIOUS`
`UNSAFE_SITE_VISIT - EVENT_REASON_UNSPECIFIED`	`USER_RESOURCE_ACCESS`
`UNSAFE_SITE_VISIT - UNSAFE_SITE_VISIT_SOCIAL_ENGINEERING`	`USER_RESOURCE_ACCESS`	`SOCIAL_ENGINEERING`
`UNSAFE_SITE_VISIT - UNSAFE_SITE_VISIT_SSL_ERROR`	`USER_RESOURCE_ACCESS`	`NETWORK_SUSPICIOUS`
`unscannedFileEvent - FILE_PASSWORD_PROTECTED`	`SCAN_FILE`
`unscannedFileEvent - FILE_TOO_LARGE`	`SCAN_FILE`
`urlFilteringInterstitialEvent`	`USER_RESOURCE_ACCESS`	`POLICY_VIOLATION`
`extensionTelemetryEvent`	If the `telemetry_event_signals.signal_name` log field value is equal to the `COOKIES_GET_ALL_INFO, COOKIES_GET_INFO, TABS_API_INFO`, then the `event_type` set to `USER_RESOURCE_ACCESS`. Else, if the `telemetry_event_signals.signal_name` log field value is equal to `REMOTE_HOST_CONTACTED_INFO`, then if the `telemetry_event_signals.connection_protocol` log field value is equal to `HTTP_HTTPS`, then the `event_type` is set to `NETWORK_HTTP`. Else, the `event_type` UDM field is set to `NETWORK_UNCATEGORIZED`.	If the `telemetry_event_signals.signal_name` log field value is equal to `REMOTE_HOST_CONTACTED_INFO`, then the `security category` is set to `NETWORK_SUSPICIOUS`. Else, if the `telemetry_event_signals.signal_name` log field value contain one of the following values, then the `security category` UDM field is set to `SOFTWARE_SUSPICIOUS`. `COOKIES_GET_INFO` `COOKIES_GET_ALL_INFO`

Referência de mapeamento de campos: CHROME_MANAGEMENT

A tabela seguinte apresenta os campos de registo do CHROME_MANAGEMENT tipo de registo e os respetivos campos UDM.

Log field	UDM mapping	Logic
`id.customerId`	`about.resource.product_object_id`
`event_detail`	`metadata.description`
`time`	`metadata.event_timestamp`
`events.parameters.name [TIMESTAMP]`	`metadata.event_timestamp`
`event`	`metadata.product_event_type`
`events.name`	`metadata.product_event_type`
`id.uniqueQualifier`	`metadata.product_log_id`
	`metadata.product_name`	The `metadata.product_name` UDM field is set to `Chrome Management`.
`id.applicationName`
	`metadata.vendor_name`	The `metadata.vendor_name` UDM field is set to `GOOGLE`.
`user_agent`	`network.http.user_agent`
`userAgent`	`network.http.user_agent`
`events.parameters.name [USER_AGENT]`	`network.http.user_agent`
`events.parameters.name [SESSION_ID]`	`network.session_id`
`client_type`	`principal.application`
`clientType`	`principal.application`
`events.parameters.name [CLIENT_TYPE]`	`principal.application`
`device_id`	`principal.asset.product_object_id`
`deviceId`	`principal.asset.product_object_id`
`events.parameters.name [DEVICE_ID]`	`principal.asset.product_object_id`
`device_name`	`principal.hostname`
`deviceName`	`principal.hostname`
`events.parameters.name [DEVICE_NAME]`	`principal.hostname`
`os_platform`	`principal.platform`	The `principal.platform` UDM field is set to one of the following values: `LINUX` if the `os_platform` log field value is matched with regular expression pattern `linux`. `MAC` if the `os_platform` log field value is matched with regular expression pattern `mac`. `WINDOWS` if the `os_platform` log field value is matched with regular expression pattern `windows`. `CHROME_OS` if the `os_platform` log field value is matched with regular expression pattern `chromeos`. Else, if the `os_platform` log field value is not empty and `osVersion` log field value is not empty, then the `os_platform osVersion` log field is mapped to the `principal.platform_version` UDM field.
`os_platform`	`principal.asset.platform_software.platform`	The `principal.asset.platform_software.platform` UDM field is set to one of the following values: `LINUX` if the `os_platform` log field value is matched with regular expression pattern `linux`. `MAC` if the `os_platform` log field value is matched with regular expression pattern `mac`. `WINDOWS` if the `os_platform` log field value is matched with regular expression pattern `windows`. `CHROME_OS` if the `os_platform` log field value is matched with regular expression pattern `chromeos`.
`os_platform`	`principal.asset.platform_software.platform`	The `principal.asset.platform_software.platform` UDM field is set to one of the following values: `LINUX` if the `os_platform` log field value is matched with regular expression pattern `linux`. `MAC` if the `os_platform` log field value is matched with regular expression pattern `mac`. `WINDOWS` if the `os_platform` log field value is matched with regular expression pattern `windows`. `CHROME_OS` if the `os_platform` log field value is matched with regular expression pattern `chromeos`.
`osPlatform`	`principal.platform`	The `principal.platform` UDM field is set to one of the following values: `LINUX` if the `osPlatform` log field value is matched with regular expression pattern `linux`. `MAC` if the `osPlatform` log field value is matched with regular expression pattern `mac`. `WINDOWS` if the `osPlatform` log field value is matched with regular expression pattern `windows`. `CHROME_OS` if the `osPlatform` log field value is matched with regular expression pattern `chromeos`. Else, if the `osPlatform` log field value is not empty and `osVersion` log field value is not empty, then the `osPlatform osVersion` log field is mapped to the `principal.platform_version` UDM field.
`osPlatform`	`principal.asset.platform_software.platform`	The `principal.asset.platform_software.platform` UDM field is set to one of the following values: `LINUX` if the `osPlatform` log field value is matched with regular expression pattern `linux`. `MAC` if the `osPlatform` log field value is matched with regular expression pattern `mac`. `WINDOWS` if the `osPlatform` log field value is matched with regular expression pattern `windows`. `CHROME_OS` if the `osPlatform` log field value is matched with regular expression pattern `chromeos`.
`events.parameters.name [DEVICE_PLATFORM]`	`principal.platform`	The `os_platform` and `os_version` is extracted from the `events.parameters.name [DEVICE_PLATFORM]` log field using Grok pattern. The `principal.platform` UDM field is set to one of the following values: `LINUX` if the `os_platform` log field value is matched with regular expression pattern `linux`. `MAC` if the `os_platform` log field value is matched with regular expression pattern `mac`. `WINDOWS` if the `os_platform` log field value is matched with regular expression pattern `windows`. `CHROME_OS` if the `os_platform` log field value is matched with regular expression pattern `chromeos`. Else, if the `os_platform` log field value is not empty and `osVersion` log field value is not empty, then the `os_platform osVersion` log field is mapped to the `principal.platform_version` UDM field.
`events.parameters.name [DEVICE_PLATFORM]`	`principal.asset.platform_software.platform`	The `os_platform` is extracted from the `events.parameters.name [DEVICE_PLATFORM]` log field using Grok pattern. The `principal.asset.platform_software.platform` UDM field is set to one of the following values: `LINUX` if the `os_platform` log field value is matched with regular expression pattern `linux`. `MAC` if the `os_platform` log field value is matched with regular expression pattern `mac`. `WINDOWS` if the `os_platform` log field value is matched with regular expression pattern `windows`. `CHROME_OS` if the `os_platform` log field value is matched with regular expression pattern `chromeos`.
`os_version`	`principal.platform_version`
`osVersion`	`principal.platform_version`
`events.parameters.name [DEVICE_PLATFORM]`	`principal.platform_version`	The `Version` is extracted from the `events.parameters.name [DEVICE_PLATFORM]` log field using Grok pattern.
`device_id`	`principal.resource.id`
`deviceId`	`principal.resource.id`
`events.parameters.name [DEVICE_ID]`	`principal.resource.id`
`directory_device_id`	`principal.resource.product_object_id`
`events.parameters.name [DIRECTORY_DEVICE_ID]`	`principal.resource.product_object_id`
	`principal.resource.resource_subtype`	If the `event` log field value is equal to `CHROMEOS_PERIPHERAL_STATUS_UPDATED`, then the `principal.resource.resource_subtype` UDM field is set to `USB`. Else, if the `events.name` log field value is equal to `CHROMEOS_PERIPHERAL_STATUS_UPDATED`, then the `principal.resource.resource_subtype` UDM field is set to `USB`.
	`principal.resource.resource_type`	If the `device_id` log field value is not empty, then the `principal.resource.resource_type` UDM field is set to `DEVICE`.
`actor.email`	`principal.user.email_addresses`
`actor.profileId`	`principal.user.userid`
`result`	`security_result.action_details`
`events.parameters.name [EVENT_RESULT]`	`security_result.action_details`
`event_result`	`security_result.action_details`
	`security_result.action`	The `security_result.action` UDM field is set to one of the following values: `ALLOW` if the `result` or `events.parameters.name [EVENT_RESULT]` log field value is matched with regular expression pattern `ALLOWED` or `EVENT_RESULT_ALLOWED`. `BLOCK` if the `result` or `events.parameters.name [EVENT_RESULT]` log field value is matched with regular expression pattern `BLOCKED` or `EVENT_RESULT_BLOCKED`.
`reason`	`security_result.category_details`
`events.parameters.name [EVENT_REASON]`	`security_result.category_details`
`events.parameters.name [EVENT_REASON]`	`security_result.summary`
`events.parameters.name [LOGIN_FAILURE_REASON]`	`security_result.description`
`events.parameters.name [REMOVE_USER_REASON]`	`security_result.description`	If the `events.name` log field value is equal to `CHROME_OS_REMOVE_USER`, then the `events.parameters.name` `REMOVE_USER_REASON` log field value is mapped to the `security_result.description` UDM field.
`triggered_rules`	`security_result.rule_name`
`events.type`	`security_result.category_details`
`events.parameters.name [PRODUCT_NAME]`	`target.application`	If the `events.name` log field value contains one of the following values, then the `events.parameters.name [PRODUCT_NAME]` log field is mapped to the `target.resource.name` UDM field: `ChromeOS USB device added` `ChromeOS USB device removed` `ChromeOS USB status change` `CHROMEOS_PERIPHERAL_STATUS_UPDATED`
`content_name`	`target.file.full_path`
`contentName`	`target.file.full_path`
`events.parameters.name [CONTENT_NAME]`	`target.file.full_path`
`content_type`	`target.file.mime_type`
`contentType`	`target.file.mime_type`
`events.parameters.name [CONTENT_TYPE]`	`target.file.mime_type`
`content_hash`	`target.file.sha256`
`events.parameters.name [CONTENT_HASH]`	`target.file.sha256`
`content_size`	`target.file.size`
`contentSize`	`target.file.size`
`events.parameters.name [CONTENT_SIZE]`	`target.file.size`
	`target.file.file_type`	The `fileType` is extracted from the `content_name` log field using Grok pattern, Then `target.file.file_type` UDM field is set to one of the following values: `FILE_TYPE_ZIP` if the `fileType` value is equal to `zip`. `FILE_TYPE_DOS_EXE` if the `fileType` value is equal to `exe`. `FILE_TYPE_PDF` if the `fileType` value is equal to `pdf`. `FILE_TYPE_XLSX` if the `fileType` value is equal to `xlsx`.
`extension_id`	`target.resource.product_object_id`
`events.parameters.name [APP_ID]`	`target.resource.product_object_id`
`extension_name`	`target.resource.name`	If the `event` log field value is equal to `badNavigationEvent` or the `events.name` log field value is equal to `badNavigationEvent`, then the `extension_name` log field is mapped to the `target.resource.name` UDM field.
`telemetry_event_signals.signal_name`	`target.resource.name`	If the `event` log field value is equal to `extensionTelemetryEvent`, then the `telemetry_event_signals.signal_name` log field is mapped to the `target.resource.name` UDM field.
`events.parameters.name [APP_NAME]`	`target.resource.name`
`url`	`target.url`
`events.parameters.name [URL]`	`target.url`
`telemetry_event_signals.url`	`target.url`	If the `telemetry_event_signals.url` log field value matches the regular expression pattern the `[http:\/\/ or https:\/\/].*`, then the `telemetry_event_signals.url` log field is mapped to the `target.url` UDM field.
`device_user`	`target.user.userid`
`deviceUser`	`principal.user.userid`	If the `event` log field value is equal to `passwordChangedEvent`, then the `deviceUser` log field is mapped to the `principal.user.userid` UDM field. Else, the `deviceUser` log field is mapped to the `principal.user.user_display_name` UDM field.
`events.parameters.name [DEVICE_USER]`	If the `event` log field value is equal to `passwordChangedEvent`, then the `events.parameters.name [DEVICE_USER]` log field is mapped to the `principal.user.userid` UDM field. Else, the `events.parameters.name [DEVICE_USER]` log field is mapped to the `principal.user.user_display_name` UDM field.
`scan_id`	`about.labels [scan_id]`
`events.parameters.name [CONNECTION_TYPE]`	`about.labels [connection_type]`
`etag`	`about.labels [etag]`
`kind`	`about.labels [kind]`
`actor.key`	`principal.user.attribute.labels [actor_key]`
`actor.callerType`	`principal.user.attribute.labels [actor_callerType]`
`events.parameters.name [EVIDENCE_LOCKER_FILEPATH]`	`security_result.about.labels [evidence_locker_filepath]`
`federated_origin`	`security_result.about.labels [federated_origin]`
`is_federated`	`security_result.about.labels [is_federated]`
`destination`	`security_result.about.labels [trigger_destination]`
`events.parameters.name [TRIGGER_DESTINATION]`	`security_result.about.labels [trigger_destination]`
`source`	`security_result.about.labels [trigger_source]`
`events.parameters.name [TRIGGER_SOURCE]`	`security_result.about.labels [trigger_source]`
`trigger_type`	`security_result.about.labels [trigger_type]`
`trigger_type`	`additional.fields [trigger_type]`
`triggerType`	`security_result.about.labels [trigger_type]`
`triggerType`	`additional.fields [trigger_type]`
`events.parameters.name [TRIGGER_TYPE]`	`security_result.about.labels [trigger_type]`
`trigger_user`	`security_result.about.labels [trigger_user]`
`events.parameters.name [TRIGGER_USER]`	`security_result.about.labels [trigger_user]`
`events.parameters.name [MALWARE_CATEGORY]`	`security_result.threat_name`
`events.parameters.name [MALWARE_FAMILY]`	`security_result.detection_fields [malware_family]`
`events.parameters.name [VENDOR_ID]`	`src.labels [vendor_id]`
`events.parameters.name [VENDOR_NAME]`	`src.labels [vendor_name]`
`events.parameters.name [VIRTUAL_DEVICE_ID]`	`src.labels [virtual_device_id]`
`events.parameters.name [VIRTUAL_DEVICE_ID]`	`additional.fields [virtual_device_id]`
`events.parameters.name [NEW_BOOT_MODE]`	`target.asset.attribute.labels [new_boot_mode]`
`events.parameters.name [PREVIOUS_BOOT_MODE]`	`target.asset.attribute.labels [previous_boot_mode]`
`id.time`	`target.asset.attribute.labels [timestamp]`
`events.parameters.name [PRODUCT_ID]`	`target.labels [product_id]`	If the `events.name` log field value contains one of the following values, then the `events.parameters.name [PRODUCT_ID]` log field is mapped to the `target.resource.product_object_id` UDM field: `CHROMEOS_PERIPHERAL_ADDED` `CHROMEOS_PERIPHERAL_REMOVED` `CHROMEOS_PERIPHERAL_STATUS_UPDATED` Else, the `events.parameters.name [PRODUCT_ID]` log field is mapped to the `target.labels` UDM field.
	`extensions.auth.mechanism`	If the `events.name` log field value contains one of the following values, then the `extensions.auth.mechanism` UDM field is set to `USERNAME_PASSWORD`: `CHROME_OS_LOGIN_EVENT` `loginEvent` `CHROME_OS_LOGIN_FAILURE_EVENT` `CHROMEOS_AFFILIATED_UNLOCK_SUCCESS` `CHROME_OS_CRD_CLIENT_CONNECTED` `CHROME_OS_LOGOUT_EVENT` `CHROMEOS_AFFILIATED_LOCK_SUCCESS`
`events.parameters.name [UNLOCK_TYPE]`	`target.labels [unlock_type]`
`extension_description`	`target.resource.attribute.labels [extension_description]`
`extension_action`	`target.resource.attribute.labels [extension_action]`
`extension_version`	`target.resource.attribute.labels [extension_version]`	If the `event` log field value is not equal to `extensionTelemetryEvent`, then the `extension_version` log field is mapped to the `target.resource.attribute.labels[extension_version]` UDM field.
`extension_source`	`target.resource.attribute.labels[extension_source]`	If the `event` log field value is not equal to `extensionTelemetryEvent`, then the `extension_source` log field is mapped to the `target.resource.attribute.labels[extension_source]` UDM field.
`browser_version`	`target.resource.attributes.labels [browser_version]`
`browserVersion`	`target.resource.attributes.labels [browser_version]`
`events.parameters.name [BROWSER_VERSION]`	`target.resource.attributes.labels [browser_version]`
`profile_user`	`target.user.email_addresses`	If the `event` log field value contain one of the following values and the `profile_user` log field value matches the regular expression pattern `^.+@.+$`, then the `profile_user` log field is mapped to the `target.user.email_addresses` UDM field. `CHROME_OS_LOGIN_EVENT` `loginEvent` `CHROME_OS_LOGIN_FAILURE_EVENT` `CHROMEOS_AFFILIATED_UNLOCK_SUCCESS` `CHROME_OS_CRD_CLIENT_CONNECTED` `CHROME_OS_LOGOUT_EVENT` `CHROMEOS_AFFILIATED_LOCK_SUCCESS` .
`profile_user`	`principal.user.email_addresses`	If the `event` log field value does not contain one of the following values and the `profile_user` log field value matches the regular expression pattern `^.+@.+$` and the `actor.email` log field value is not equal to the `profile_user`, then the `profile_user` log field is mapped to the `principal.user.email_addresses` UDM field. `CHROME_OS_LOGIN_EVENT` `loginEvent` `CHROME_OS_LOGIN_FAILURE_EVENT` `CHROMEOS_AFFILIATED_UNLOCK_SUCCESS` `CHROME_OS_CRD_CLIENT_CONNECTED` `CHROME_OS_LOGOUT_EVENT` `CHROMEOS_AFFILIATED_LOCK_SUCCESS` .
`profile_user`	`target.user.attribute.labels[profile_user_name]`	If the `event` log field value contain one of the following values and the `profile_user` log field value does not match the regular expression pattern `^.+@.+$`, then the `profile_user` log field is mapped to the `target.user.attribute.labels.profile_user_name` UDM field. `CHROME_OS_LOGIN_EVENT` `loginEvent` `CHROME_OS_LOGIN_FAILURE_EVENT` `CHROMEOS_AFFILIATED_UNLOCK_SUCCESS` `CHROME_OS_CRD_CLIENT_CONNECTED` `CHROME_OS_LOGOUT_EVENT` `CHROMEOS_AFFILIATED_LOCK_SUCCESS` .
`profile_user`	`principal.user.attribute.labels[profile_user_name]`	If the `event` log field value does not contain one of the following values and the `profile_user` log field value does not match the regular expression pattern `^.+@.+$` or the `actor.email` log field value is equal to the `profile_user`, then the `profile_user` log field is mapped to the `principal.user.attribute.labels.profile_user_name` UDM field. `CHROME_OS_LOGIN_EVENT` `loginEvent` `CHROME_OS_LOGIN_FAILURE_EVENT` `CHROMEOS_AFFILIATED_UNLOCK_SUCCESS` `CHROME_OS_CRD_CLIENT_CONNECTED` `CHROME_OS_LOGOUT_EVENT` `CHROMEOS_AFFILIATED_LOCK_SUCCESS` .
`events.parameters.name [PROFILE_USER_NAME]`	`target.user.email_addresses`	If the `event` log field value contain one of the following values and the `events.parameters.name [PROFILE_USER_NAME]` log field value matches the regular expression pattern `^.+@.+$`, then the `events.parameters.name [PROFILE_USER_NAME]` log field is mapped to the `target.user.email_addresses` UDM field. `CHROME_OS_LOGIN_EVENT` `loginEvent` `CHROME_OS_LOGIN_FAILURE_EVENT` `CHROMEOS_AFFILIATED_UNLOCK_SUCCESS` `CHROME_OS_CRD_CLIENT_CONNECTED` `CHROME_OS_LOGOUT_EVENT` `CHROMEOS_AFFILIATED_LOCK_SUCCESS` .
`events.parameters.name [PROFILE_USER_NAME]`	`principal.user.email_addresses`	If the `event` log field value does not contain one of the following values and the `events.parameters.name [PROFILE_USER_NAME]` log field value matches the regular expression pattern `^.+@.+$` and the `actor.email` log field value is not equal to the `events.parameters.name [PROFILE_USER_NAME]`, then the `events.parameters.name [PROFILE_USER_NAME]` log field is mapped to the `principal.user.email_addresses` UDM field. `CHROME_OS_LOGIN_EVENT` `loginEvent` `CHROME_OS_LOGIN_FAILURE_EVENT` `CHROMEOS_AFFILIATED_UNLOCK_SUCCESS` `CHROME_OS_CRD_CLIENT_CONNECTED` `CHROME_OS_LOGOUT_EVENT` `CHROMEOS_AFFILIATED_LOCK_SUCCESS` .
`events.parameters.name [PROFILE_USER_NAME]`	`target.user.attribute.labels[profile_user_name]`	If the `event` log field value contain one of the following values and the `events.parameters.name [PROFILE_USER_NAME]` log field value does not match the regular expression pattern `^.+@.+$`, then the `events.parameters.name [PROFILE_USER_NAME]` log field is mapped to the `target.user.attribute.labels.profile_user_name` UDM field. `CHROME_OS_LOGIN_EVENT` `loginEvent` `CHROME_OS_LOGIN_FAILURE_EVENT` `CHROMEOS_AFFILIATED_UNLOCK_SUCCESS` `CHROME_OS_CRD_CLIENT_CONNECTED` `CHROME_OS_LOGOUT_EVENT` `CHROMEOS_AFFILIATED_LOCK_SUCCESS` .
`events.parameters.name [PROFILE_USER_NAME]`	`principal.user.attribute.labels[profile_user_name]`	If the `event` log field value does not contain one of the following values and the `events.parameters.name [PROFILE_USER_NAME]` log field value does not match the regular expression pattern `^.+@.+$` or the `actor.email` log field value is equal to the `events.parameters.name [PROFILE_USER_NAME]`, then the `events.parameters.name [PROFILE_USER_NAME]` log field is mapped to the `principal.user.attribute.labels.profile_user_name` UDM field. `CHROME_OS_LOGIN_EVENT` `loginEvent` `CHROME_OS_LOGIN_FAILURE_EVENT` `CHROMEOS_AFFILIATED_UNLOCK_SUCCESS` `CHROME_OS_CRD_CLIENT_CONNECTED` `CHROME_OS_LOGOUT_EVENT` `CHROMEOS_AFFILIATED_LOCK_SUCCESS` .
	`target.resource.resource_type`	If the `events.name` log field value is equal to `DEVICE_BOOT_STATE_CHANGE`, then the `target.resource.resource_type` UDM field is set to `SETTING`.
`url_category`	`target.labels [url_category]`
`browser_channel`	`target.resource.attribute.labels [browser_channel]`
`report_id`	`target.labels [report_id]`
`clickedThrough`	`target.labels [clickedThrough]`
`threat_type`	`security_result.detection_fields [threatType]`
`triggered_rule_info.action`	`security_result.action`	If the `triggered_rule_info.action` log field value contains one of the following values, then the `triggered_rule_info.action` log field is mapped to the `security_result.action` UDM field: `ALLOW` `ALLOW_WITH_MODIFICATION` `BLOCK` `CHALLENGE` `FAIL` `QUARANTINE` `UNKNOWN_ACTION` Else, the `triggered_rule_info.action` log field is mapped to the `security_result.rule_labels [triggeredRuleInfo_action]` UDM field.
`triggered_rule_info.rule_id`	`security_result.rule_id`
`triggered_rule_info.rule_name`	`security_result.rule_name`
`triggered_rule_info.url_category`	`security_result.category_details`
`transfer_method`	`additional.fields [transfer_method]`
`extension_name`	`target.resource_ancestors.name`	If the `event` log field value is `equal` to `extensionTelemetryEvent`, then the `extension_name` log field is mapped to the `target.resource_ancestors.name` UDM field.
`extension_id`	`target.resource_ancestors.product_object_id`	If the `event` log field value is `equal` to `extensionTelemetryEvent`, then the `extension_id` log field is mapped to the `target.resource_ancestors.product_object_id` UDM field.
`extension_version`	`target.resource_ancestors.attribute.labels[extension_version]`	If the `event` log field value is equal to `extensionTelemetryEvent`, then the `extension_version` log field is mapped to the `target.resource_ancestors.attribute.labels[extension_version]` UDM field.
`extension_source`	`target.resource_ancestors.attribute.labels[extension_source]`	If the `event` log field value is equal to `extensionTelemetryEvent`, then the `extension_source` log field is mapped to the `target.resource_ancestors.attribute.labels[extension_source]` UDM field.
`profile_identifier`	`additional.fields[profile_identifier]`
`extension_files_info.file_name`	`target.resource_ancestors.file.names`
`extension_files_info.file_hash.hash`	`target.resource_ancestors.attribute.labels[file_hash]`
`telemetry_event_signals.count`	`target.resource.attribute.labels[count]`
`telemetry_event_signals.tabs_api_method`	`target.resource.attribute.labels[tabs_api_method]`
	`target.hostname`	If the `telemetry_event_signals.url` log field value does not match the regular expression pattern the `[http:\/\/ or https:\/\/].*`, then the `telemetry_event_signals.url` log field is mapped to the `target.hostname` UDM field.
`telemetry_event_signals.destination`	`target.resource.attribute.labels[destination]`
`telemetry_event_signals.source`	`target.resource.attribute.labels[source]`
`telemetry_event_signals.domain`	`target.domain.name`
`telemetry_event_signals.cookie_name`	`target.resource.attribute.labels[cookie_name]`
`telemetry_event_signals.cookie_path`	`target.resource.attribute.labels[cookie_path]`
`telemetry_event_signals.cookie_is_secure`	`target.resource.attribute.labels[cookie_is_secure]`
`telemetry_event_signals.cookie_store_id`	`target.resource.attribute.labels[cookie_store_id]`
`telemetry_event_signals.cookie_is_session`	`target.resource.attribute.labels[cookie_is_session]`
`telemetry_event_signals.connection_protocol`	`network.application_protocol`	If the `telemetry_event_signals.connection_protocol` log field value is equal to `HTTP_HTTPS`, then the `network.application_protocol` UDM field is set to `HTTP` Else, If the `telemetry_event_signals.connection_protocol` log field value is equal to `UNSPECIFIED`, then the `network.application_protocol` UDM field is set to `UNKNOWN_APPLICATION_PROTOCOL` Else, the `telemetry_event_signals.connection_protocol` log field is mapped to the `target.resource.attribute.labels` UDM field.
`telemetry_event_signals.contacted_by`	`target.resource.attribute.labels[contacted_by]`
`local_ips`	`principal.ip`	If the event log field value is equal to `extensionTelemetryEvent`, then the `local_ips` log field is mapped to the `principal.ip` UDM field.
`remote_ip`	`target.ip`	If the event log field value is equal to `extensionTelemetryEvent`, then the `remote_ip` log field is mapped to the `target.ip` UDM field.
`device_fqdn`	`principal.asset.attribute.labels`	If the event log field value is equal to `extensionTelemetryEvent`, then the `device_fqdn` log field is mapped to the `principal.asset.attribute.labels` UDM field.
`network_name`	`principal.network.carrier_name`	If the event log field value is equal to `extensionTelemetryEvent`, then the `network_name` log field is mapped to the `principal.network.carrier_name` UDM field.
`web_app_signed_in_account`	`target.user.email_addresses`	If the `event` log field value contains one of the following values, then the `web_app_signed_in_account` log field is mapped to the `target.user.email_addresses` UDM field: `contentTransferEvent` `sensitiveDataEvent` `urlFilteringInterstitialEvent`

Referência de mapeamento de campos (versão de pré-visualização)

Todos os campos são aplicáveis a clientes do Chrome Enterprise Core e Chrome Enterprise Premium. Os campos que só se aplicam a clientes do Chrome Enterprise Premium estão etiquetados como "[CEP Only]".

Referência de mapeamento de campos: CHROME_MANAGEMENT (versão de pré-visualização)

A tabela seguinte apresenta os campos de registo do CHROME_MANAGEMENT tipo de registo e os respetivos campos UDM.

Log field	UDM mapping	Logic
`pehash_sha256`	`about.file.sha256`	[CEP Only] The SHA256 file hash (`pehash_sha256`) reported from a `dangerousDownloadEvent` or `contentTransferEvent`.
`device_fqdn`	`principal.asset.attribute.labels`	[CEP Only] The device's fully qualified domain name reported in a `urlNavigationEvent`, `suspiciousUrlEvent`, or `urlFilteringInterstitialEvent`. Not reported for unmanaged devices with managed user profiles.
`network_name`	`principal.network.carrier_name`	[CEP Only] The network name (SSID) the device is connected to reported in a `urlNavigationEvent`, `suspiciousUrlEvent`, or `urlFilteringInterstitialEvent`.
`content_risk.threat_type`	`security_result.threat_name`	[CEP Only] The threat type of the content reported in a `dangerousDownloadEvent` or `contentTransferEvent`.
`content_risk_level, content_risk.risk_level`	`security_result.severity`	[CEP Only] The content risk level reported by Safe Browsing in a `dangerousDownloadEvent` or `contentTransferEvent`.
`content_risk.risk_reasons`	`security_result.rule_label`	[CEP Only] The content risk reason reported by Safe Browsing in a `dangerousDownloadEvent` or `contentTransferEvent`.
`content_risk.risk_indicators`	`security_result.detection_fields[content_risk_indicators]`	[CEP Only] The list of indicators from the Safe Browsing risk level in a `dangerousDownloadEvent` or `contentTransferEvent`.
`content_risk.risk_source`	`security_result.detection_fields[content_risk_source]`	[CEP Only] The risk source of the content reported by Safe Browsing in a `dangerousDownloadEvent` or `contentTransferEvent`.
`is_encrypted`	`additional.fields[is_encrypted]`	[CEP Only] Set to `true` if the content is encrypted in `dangerousDownloadEvent` or `contentTransferEvent`.
`server_scan_status`	`additional.fields[server_scan_status]`	[CEP Only] The status of whether the content in `dangerousDownloadEvent` or `contentTransferEvent` was successfully scanned by Safe Browsing.
`url_info.url`	`principal.url`	[CEP Only] The URL of `dangerousDownloadEvent`, `contentTransferEvent`, `urlNavigationEvent`, `suspiciousUrlEvent`, or `urlFilteringInterstitialEvent`.
`url_info.ip`	`principal.ip`	[CEP Only] The IP address of `dangerousDownloadEvent`, `contentTransferEvent`, `urlNavigationEvent`, `suspiciousUrlEvent`, or `urlFilteringInterstitialEvent`.
`url_info.type`	`principal.security_result.detection_fields[url_info_type]`	[CEP Only] The URL type (download, tab, or redirect) of `dangerousDownloadEvent`, `contentTransferEvent`, `urlNavigationEvent`, `suspiciousUrlEvent`, or `urlFilteringInterstitialEvent`.
`url_info.risk_level`	`principal.security_result.severity`	[CEP Only] The risk level of the URL reported by Safe Browsing.
`url_info.risk_infos.risk_level`	`principal.security_result.severity`	[CEP Only] Additional risk information reported by Safe Browsing.
`url_info.navigation_initiator.initiator_type`	`principal.security_result.detection_fields[url_info_initiator_type]`	[CEP Only] This maps the `url_info_initiator_type` in a `dangerousDownloadEvent` or `contentTransferEvent`. In a `urlNavigationEvent`, `suspiciousUrlEvent`, or `urlFilteringInterstitialEvent` this maps the `url_navigation_initiator`.
`url_info.navigation_initiator.entity`	`principal.security_result.detection_fields[url_info_entity]`	[CEP Only] This maps the `url_info_entity` in a `dangerousDownloadEvent` or `contentTransferEvent`. In a `urlNavigationEvent`, `suspiciousUrlEvent`, or `urlFilteringInterstitialEvent` this maps the `url_infos_navigation_entity`.
`url_info.request_http_method`	`principal.security_result.detection_fields[url_info_request_http_method]`	[CEP Only] The HTTP method used to contact the URL.
`url_info.url_categories`	`principal.url_metadata.categories`	[CEP Only] The URL category reported by Safe Browsing of `urlNavigationEvent` or `suspiciousUrlEvent`.
`url_info.risk_infos.risk_indicators`	`principal.security_result.detection_fields[url_info_risk_infos_risk_indicators_key]`	[CEP Only] The URL risk indicators reported by Safe Browsing of `urlNavigationEvent` or `suspiciousUrlEvent`.
`url_info.risk_infos.risk_reasons`	`principal.security_result.rule_label[risk_reason]`	[CEP Only] The Safe Browsing reason for the URL risk classification of `urlNavigationEvent` or `suspiciousUrlEvent`.
`url_info.risk_infos.risk_source`	`principal.security_result.detection_fields[content_risk_source]`	[CEP Only] The risk source determination reported by Safe Browsing. This includes URL and file reputation and content scanning results for `urlNavigationEvent`, `suspiciousUrlEvent`, or `urlFilteringInterstitialEvent`.
`url_info.risk_infos.threat_type`	`security_result.threat_name`	[CEP Only] The threat type reported by Safe Browsing of the URL for `urlNavigationEvent`, `suspiciousUrlEvent`, or `urlFilteringInterstitialEvent`.
`tab_url_info.url, tab_url, referrers.url`	`about.url`	[CEP Only] Maps the `tab_url_info.url` of `dangerousDownloadEvent` or `contentTransferEvent`. Maps the `referrers.url` of a `urlNavigationEvent`, or `suspiciousUrlEvent`.
`tab_url_info.ip, referrers.ip`	`about.ip`	[CEP Only] Maps the `tab_url_info_ip` IP address associated with `dangerousDownloadEvent` or `contentTransferEvent`. Maps the IP address of `referrers.ip` in `urlNavigationEvent` or `suspiciousUrlEvent`.
`remote_ip`	`target.ip`	[CEP Only] If the `event` log field value contains one of the following values, then the `remote_ip` log field is mapped to the `target.ip` UDM field: `dangerousDownloadEvent` `contentTransferEvent` `urlNavigationEvent` `suspiciousUrlEvent` `urlFilteringInterstitialEvent`
`tab_url_info.type`	`about.security_result.detection_fields[tab_url_info_type]`	[CEP Only] The URL tab type for `dangerousDownloadEvent` or `contentTransferEvent`.
`tab_url_info.risk_level`	`about.security_result.severity`	[CEP Only] The Safe Browsing risk level associated with the URL from a tab event for `dangerousDownloadEvent` or `contentTransferEvent`.
`tab_url_info.navigation_initiator.initiator_type`	`about.security_result.detection_fields[tab_url_info_initiator_type]`	[CEP Only] The initiator type of the tab event for `dangerousDownloadEvent` or `contentTransferEvent`.
`tab_url_info.navigation_initiator.entity`	`about.security_result.detection_fields[tab_url_info_entity]`	[CEP Only] The `tab_url_info_entity` for `dangerousDownloadEvent` or `contentTransferEvent`.
`tab_url_info.request_http_method`	`about.security_result.detection_fields[tab_url_info_request_http_method]`	[CEP Only] The HTTP method a tab used to contact the URL of `dangerousDownloadEvent` or `contentTransferEvent`.
`referrers.navigation_initiator.entity`	`about.security_result.detection_fields[referrers_navigation_initiator_entity]`	[CEP Only] The referrer entity name that initiated the navigation event for `urlNavigationEvent` or `suspiciousUrlEvent`.
`referrers.navigation_initiator.initiator_type`	`about.security_result.detection_fields[referrers_navigation_initiator_initiator_type]`	[CEP Only] The referrer type that initiated `urlNavigationEvent` or `suspiciousUrlEvent`.
`referrers.request_http_method`	`about.security_result.detection_fields[referrers_request_http_method]`	[CEP Only] The HTTP method of `urlNavigationEvent` or `suspiciousUrlEvent`.
`referrers.risk_infos.risk_categories`	`about.security_result.detection_fields[referrers_risk_infos_risk_categories]`	[CEP Only] The URL category of the referrer, as provided by the Safe Browsing service, associated with `urlNavigationEvent` or `suspiciousUrlEvent`.
`referrers.risk_infos.risk_level, referrers.risk_level`	`about.security_result.severity`	[CEP Only] Maps the risk level provided by Safe Browsing `referrers.risk_level` for a `urlNavigationEvent` or `suspiciousUrlEvent` or `referrers.risk_infos.risk_level` for `urlNavigationEvent` or `suspiciousUrlEvent`.
`referrers.type`	`about.security_result.detection_fields[referrers_type]`	[CEP Only] The URL type provided by Safe Browsing of the referrer URL of `urlNavigationEvent` or `suspiciousUrlEvent`.
`referrers.risk_infos.risk_source`	`about.security_result.detection_fields[referrers_risk_source]`	[CEP Only] The risk source provided by Safe Browsing for the referrer URL of `urlNavigationEvent` or `suspiciousUrlEvent`.
`referrers.risk_infos.threat_type`	`about.security_result.threat_name`	[CEP Only] The threat type provided by Safe Browsing for the referrer URL of `urlNavigationEvent` or `suspiciousUrlEvent`.
`referrers.url_categories`	`about.url_metadata.categories`	[CEP Only] The URL category provided by Safe Browsing for the referrer URL of `urlNavigationEvent` or `suspiciousUrlEvent`.

Precisa de mais ajuda? Receba respostas de membros da comunidade e profissionais da Google SecOps.